An analysis of account data compromises found that insecure remote access is the number one point of entry for attacks against brick-and-mortar merchants. Gill Woodcock, Senior Director of Certification Programs for the PCI Security Standards Council, discusses weaknesses in remote access programs and what merchants should do to better protect their customers' payment card data.
I’ve heard that merchants don’t always know that they have remote access present on their systems. Why is it there?
Gill Woodcock: Remote access is frequently used by merchants' vendors (like those that provide their payment terminals) to provide support and troubleshooting for their payment (and other IT) systems. It can be a convenient and cost-effective way of having third-party suppliers access systems and make changes or fix problems quickly, eliminating the time and cost of onsite support. For merchants, having quick support available can make the difference between being able to carry on business and serve their customers and having to close the doors, so remote support is a very attractive option.
Why do remote access programs make merchants vulnerable to hackers?
Gill Woodcock: Remote access is one of the most common attack methods used by criminal hackers and is often used in combination with other attacks such as malware. For example, remote access may be used to get into a merchant’s payment system (by using a commonly known vendor default password like “password” or “123456”). Once in, the hackers place malware on a merchant system and use it to capture data. The hackers then use remote access to move that data to the attacker’s site. All remote access uses the internet, and merchants typically have no control over the way their suppliers provide support. These suppliers may use the same password for many different merchants or sites, so an attacker can access multiple different merchants or merchant sites by knowing only that one password. Merchants may not even know that remote access software is present or when the remote access is being used, especially if that remote access is left permanently switched on and not monitored.
What can merchants do to secure their remote access channels?
Gill Woodcock: Firstly, merchants should identify if they have any remote access software on their systems, and if so, where and how remote access is being used. If you aren’t sure where to start, the Questions to Ask Your Vendors resource on the PCI SSC website is a good place to begin.
Secondly, merchants should talk with their vendors to make sure remote access is only turned on when needed, is monitored when it is active, and that multi-factor authentication (MFA) is in use. MFA can be a complex topic, so check out the guidance document on the PCI SSC website for more information. If a vendor can’t answer the questions or adhere to these controls, merchants should consider choosing another vendor or solution.
What advice do you have for merchants looking to hire third parties to help with installing and securing their payment applications?
Gill Woodcock: Qualified Integrators and Resellers receive training directly from PCI SSC on critical security controls including remote access, so where possible I’d recommend merchants choose a QIR to help with installing and securing payment applications. All QIRs can be verified from the listing on the PCI SSC website. As part of their work, QIRs provide merchants with an Implementation Statement which confirms how controls have been put in place to secure cardholder data. Even if the third party isn’t a QIR, the Implementation Statement is a useful checklist of questions that merchants can use.
What else should merchants do to better protect their customers’ payment card data?
Gill Woodcock: Merchants should take advantage of the resources put together by PCI SSC to help them. Smaller merchants can use the Payment Protection Resources for Small Merchants. Larger merchants with more complex environments should consider having their staff take Payment Card Industry Professional (PCIP) or Internal Security Assessor (ISA) training. Knowledge of PCI DSS controls and how to apply them helps merchants know what it is they need to protect and how to go about applying that protection. There are products and programs which can help, but merchants need some knowledge to be able to help themselves. My overall message is: don’t ignore payment security; it won’t go away, and preventing a breach is a lot better than picking up the pieces afterwards.
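The following is an added example, not part of the interview and not PCI SSC code, showing what the remote-access checks described above (know where remote access exists, flag access that is always on, missing MFA, vendor default or shared passwords, and monitor sessions while they are active) look like as a small audit script. Both the inventory records and the session log are constructed; the tool names, log format, field names and the four-hour session limit are assumptions made for illustration.

```python
"""Added example: audit constructed remote-access inventory and session
logs against the controls discussed in the interview. Data is constructed;
tool names, log format and thresholds are assumptions."""
from datetime import datetime, timedelta

# Assumed names of remote-access tools an inventory might report.
REMOTE_ACCESS_TOOLS = {"teamviewer", "anydesk", "logmein", "vnc", "rdp", "pcanywhere"}
# "password" and "123456" come from the interview; the others are assumed.
VENDOR_DEFAULT_PASSWORDS = {"password", "123456", "admin", "1234"}

# Constructed inventory, one record per host/tool, as a vendor questionnaire
# or endpoint inventory might return it.
INVENTORY = [
    {"host": "pos-01", "tool": "TeamViewer", "always_on": False, "mfa": True,  "password": "Tq7!vh3Lm"},
    {"host": "pos-02", "tool": "AnyDesk",    "always_on": True,  "mfa": False, "password": "123456"},
    {"host": "pos-03", "tool": "AnyDesk",    "always_on": True,  "mfa": False, "password": "123456"},
    {"host": "office-pc", "tool": "Chrome",  "always_on": False, "mfa": True,  "password": ""},
]


def find_remote_access(inventory):
    """Step 1: which hosts actually carry remote-access software."""
    return [r for r in inventory if r["tool"].lower() in REMOTE_ACCESS_TOOLS]


def audit_inventory(inventory):
    """Step 2: flag always-on access, missing MFA, vendor default passwords,
    and one password reused across hosts (one secret unlocking many sites)."""
    findings = []
    hosts_by_password = {}
    for r in find_remote_access(inventory):
        if r["always_on"]:
            findings.append((r["host"], "always-on"))
        if not r["mfa"]:
            findings.append((r["host"], "no-mfa"))
        if r["password"].lower() in VENDOR_DEFAULT_PASSWORDS:
            findings.append((r["host"], "default-password"))
        hosts_by_password.setdefault(r["password"], []).append(r["host"])
    for hosts in hosts_by_password.values():
        if len(hosts) > 1:
            findings.append((",".join(sorted(hosts)), "shared-password"))
    return findings


# Constructed session log: "<ISO timestamp> key=value ...", one event per line.
SESSION_LOG = """\
2024-03-01T02:10:00 host=pos-01 user=vendor-support event=login mfa=yes ticket=INC-1001
2024-03-01T02:45:00 host=pos-01 user=vendor-support event=logout
2024-03-02T23:30:00 host=pos-02 user=vendor-support event=login mfa=no
"""


def parse_log(text):
    """Parse the assumed key=value log format into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        ev = dict(f.split("=", 1) for f in fields)
        ev["time"] = datetime.fromisoformat(ts)
        events.append(ev)
    return events


def audit_sessions(log_text, now, max_duration=timedelta(hours=4)):
    """Step 3: monitor active sessions. Flag logins without MFA or without
    an authorising ticket, over-long sessions, and sessions never closed."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    open_sessions = {}
    findings = []
    for ev in parse_log(log_text):
        key = (ev["host"], ev["user"])
        if ev["event"] == "login":
            if ev.get("mfa") != "yes":
                findings.append((ev["host"], "login-without-mfa"))
            if "ticket" not in ev:
                findings.append((ev["host"], "login-without-ticket"))
            open_sessions[key] = ev["time"]
        elif ev["event"] == "logout":
            start = open_sessions.pop(key, None)
            if start is not None and ev["time"] - start > max_duration:
                findings.append((ev["host"], "over-long-session"))
    # Anything still open past the limit is remote access left switched on.
    for (host, _user), start in open_sessions.items():
        if now - start > max_duration:
            findings.append((host, "session-still-open"))
    return findings


if __name__ == "__main__":
    for f in audit_inventory(INVENTORY):
        print("inventory:", f)
    for f in audit_sessions(SESSION_LOG, now="2024-03-03T12:00:00"):
        print("session:", f)
```

In the constructed data, pos-01 passes every check, while pos-02 and pos-03 share a vendor default password, are always on and have no MFA, and the pos-02 session was opened without MFA or a ticket and never closed. In a real deployment the inventory would come from endpoint management or the vendor's own answers, and the session log from the remote-access tool's audit trail.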