Small and medium businesses around the world are increasingly at risk of payment data theft. Nearly half of cyberattacks worldwide in 2015 were against businesses with fewer than 250 workers, according to cybersecurity firm Symantec. To help these companies protect themselves and their customers, the PCI Security Standards Council (PCI SSC) Small Merchant Taskforce has developed a set of payment protection resources for small businesses. In this series, we highlight security basics from the Guide to Safe Payments for protecting against payment data theft.
Are you leaving the door open for hackers? If your vendors are accessing your business remotely to provide support, the answer could be yes.
Point-of-sale (POS) vendors will often support or troubleshoot your payment system from their office and not from your business location. They do this using the Internet and what’s called “remote access” software, which can put you at risk. Hackers know that these vendors often use the same remote access login information for all of their customers, and keep this software running all the time, even when it’s not needed, leaving the door to your business wide open.
Don’t let hackers get a foot in the door: lock down your remote access. Here are a few tips to keep in mind:
Ask your vendors if they use remote access: Does your POS vendor or service provider use remote access to support or access your business? VNC and LogMeIn are examples of products they might use to support you remotely.
Turn it off: Many remote access programs are always on by default. Reduce your risk – ask your POS vendor how to turn off remote access when not needed, and how to enable it when your vendor or service provider specifically requests it. Then make sure to turn it off again as soon as they are done.
Insist on security: If you must allow remote access by your vendor, insist that they use more than one method or factor to prove who they are. These factors could be something the user has (such as a smart card or dongle), something the user knows (such as a password, passphrase, or PIN) or something the user is or does (such as fingerprints, other forms of biometrics, etc.). Also, ask them to set up remote access credentials that are unique to your business and not used for any other customer.
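One practical way to check the "ask your vendors" and "turn it off" tips on a Linux-based POS host, as an added example that is not part of the PCI SSC guide: the script below parses the output of `ss -tlnp` (listening sockets) and `ps -eo pid,comm` (running processes), flags listeners on ports commonly used by VNC and Remote Desktop, and flags agent processes such as LogMeIn that connect outbound to the vendor and so never appear as a listener. The sample command output is constructed for this example, and the port and process-name tables are assumptions, not values from the guide.

```python
import re
from typing import Dict, List

# Ports commonly used by remote-access tools. Assumed mapping for this
# example; the PCI guide itself does not list ports.
REMOTE_ACCESS_PORTS: Dict[int, str] = {
    5900: "VNC",
    5901: "VNC",
    3389: "RDP (Remote Desktop)",
}

# Substrings of process names for remote-access agents. LogMeIn and
# TeamViewer dial out to the vendor's service, so a listener check alone
# would miss them. Assumed names, not verified against vendor documentation.
REMOTE_ACCESS_PROCESS_HINTS: Dict[str, str] = {
    "logmein": "LogMeIn",
    "teamviewer": "TeamViewer",
    "vnc": "VNC",
    "anydesk": "AnyDesk",
}

# Pulls "x11vnc" out of the ss process column: users:(("x11vnc",pid=2210,fd=4))
PROC_RE = re.compile(r'\(\("([^"]+)"')

# Constructed sample of `ss -tlnp` output (not captured from a real host).
SS_SAMPLE = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       5       0.0.0.0:5900         0.0.0.0:*          users:(("x11vnc",pid=2210,fd=4))
LISTEN  0       128     127.0.0.1:3306       0.0.0.0:*          users:(("mysqld",pid=900,fd=20))
"""

# Constructed sample of `ps -eo pid,comm` output.
PS_SAMPLE = """\
  PID COMMAND
  812 sshd
  900 mysqld
 2210 x11vnc
 3101 LogMeIn
"""


def parse_ss_listeners(ss_output: str) -> List[Dict]:
    """Parse `ss -tlnp`-shaped lines into {port, bind, process} records."""
    listeners = []
    for line in ss_output.strip().splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # skip the header row and non-listening sockets
        bind_addr, _, port_str = fields[3].rpartition(":")
        if not port_str.isdigit():
            continue
        match = PROC_RE.search(line)
        listeners.append({
            "port": int(port_str),
            "bind": bind_addr,
            "process": match.group(1) if match else "",
        })
    return listeners


def parse_ps_processes(ps_output: str) -> List[str]:
    """Parse `ps -eo pid,comm`-shaped lines into a list of process names."""
    names = []
    for line in ps_output.strip().splitlines()[1:]:  # skip header row
        fields = line.split(None, 1)
        if len(fields) == 2:
            names.append(fields[1].strip())
    return names


def tool_for(process_name: str) -> str:
    """Map a process name to a remote-access tool name, or '' if none matches."""
    lowered = process_name.lower()
    for hint, tool in REMOTE_ACCESS_PROCESS_HINTS.items():
        if hint in lowered:
            return tool
    return ""


def audit_remote_access(ss_output: str, ps_output: str) -> List[Dict]:
    """Return one finding per remote-access listener or agent process found."""
    findings = []
    flagged_processes = set()
    for lst in parse_ss_listeners(ss_output):
        tool = REMOTE_ACCESS_PORTS.get(lst["port"]) or tool_for(lst["process"])
        if tool:
            flagged_processes.add(lst["process"])
            findings.append({
                "kind": "listener",
                "tool": tool,
                "detail": f"{lst['process']} listening on port {lst['port']}",
                # Bound to all interfaces means reachable from the network,
                # not just from the host itself.
                "exposed": lst["bind"] in ("0.0.0.0", "*", "[::]"),
            })
    for name in parse_ps_processes(ps_output):
        tool = tool_for(name)
        if tool and name not in flagged_processes:
            findings.append({"kind": "process", "tool": tool,
                             "detail": f"{name} is running", "exposed": None})
    return findings


if __name__ == "__main__":
    for f in audit_remote_access(SS_SAMPLE, PS_SAMPLE):
        print(f"[{f['kind']}] {f['tool']}: {f['detail']} (exposed={f['exposed']})")
```

On a real host you would feed the script the live output of the two commands and ask the vendor about every finding: a listener bound to all interfaces is the "door wide open" case from the article, and an agent process that is present when no support session is in progress is the "always on by default" case. The tables are deliberately small; add your vendor's product name once they tell you which software they use.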