Recent attack trends show that hackers are beginning to move their focus to smaller merchants that have improperly configured remote access systems. Generally, hackers are not targeting a specific merchant; rather, they scan the Internet for vulnerable remote access systems and attempt to compromise them, regardless of the merchant's size or type.
Point-of-sale (POS) vendors will often support or troubleshoot merchant payment systems from their office and not from the business location. They do this using the Internet and remote access software. Hackers know that these vendors often use the same remote access login information for all of their customers and keep this software running all the time, even when it's not needed, leaving businesses open to attack.
To minimize the risk of being breached, businesses should make sure remote access to their systems is only turned on when needed, and that vendors are using multi-factor authentication with a different username and password for each customer they access remotely.
The PCI SSC Questions to Ask Your Vendors resource can help businesses get the information they need from their third-party vendors. Additionally, merchants can refer to the PCI Qualified Integrators and Resellers list for companies and individuals that have been trained by PCI SSC on secure remote access and other payment data security essentials.