October is Cybersecurity Awareness Month, which makes it a good time to check whether you and your merchants are following best practices for POS and payment security.
The PCI DSS (Data Security Standard) set forth by the PCI Council is based on six goals you should always keep in mind:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
- Maintain an information security policy
Apart from offering secure and compliant payment devices, the PCI Council also provides a list of payment security best practices, which we've expanded on below.
15 steps for ensuring payment security:
- Change default admin usernames and passwords before your POS and payment systems go live.
- Disable remote admin access to POS software and IP-enabled devices if you aren't going to use the functionality.
- Use remote access usernames and passwords that are unique to each customer. If you or one of your customers are breached, the credentials can't be used to access other customers.
- For each merchant, assign a unique username and password to each employee with POS or computer access.
- Ensure your POS and payment systems are on their own network segment. If a breach occurs, only devices on the segment will be impacted and data stored in other networks will remain secure.
- Place POS and payment devices behind a firewall, then set rules that limit communication to and from the POS and payment devices. For example, only open ports to the outside world that are necessary for the solution to function.
- Identify what data each of your merchants collects and take steps to ensure it's protected and backed up. This applies to critical private customer information, shopping histories and more. If a cloud software provider claims they back up data, double-check their methods and consider backing up the data locally for an additional layer of security.
- Ensure any locally backed up data is encrypted and securely stored.
- Update hardware and software with the latest patches. Even if updates don't provide exciting new customer-facing functionality, they might contain important bug fixes and security enhancements. If possible, automate updates with patch management tools so you can easily test and then deploy patches quickly and safely.
- Enable encrypted communications within all hardware and software if provided the option.
- Install antivirus software on all possible devices or servers. Even cloud-based POS software can be affected indirectly by malware, leading to negative customer experiences or service interruptions.
- Don't rely on device manufacturers for security. By all means, make use of whatever security is put in place, but take your own steps as well.
- Don't leave IT assets physically unsecured. Servers, network switches and other devices should be unavailable to unauthorized personnel.
- Ensure that stolen or misplaced mobile technology can be remotely deactivated or wiped.
- Regularly test security systems and processes.
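The segmentation and firewall steps above (own network segment; firewall rules that only open the ports the solution needs) are easiest to reason about as a concrete ruleset. The following nftables ruleset is an added example, not a configuration from the article or from Ingram Micro; the interface name, the 10.10.x.x segments, the DNS/NTP servers and the 203.0.113.10 payment gateway address are constructed placeholders to be replaced with the merchant's real values.

```nft
#!/usr/sbin/nft -f
# Added example: default-deny forwarding policy for a dedicated POS/payment segment.
# All addresses and interface names below are assumed/constructed, not from the article.
flush ruleset

define POS_IF      = "eth1"            # router interface facing the POS segment (assumed)
define POS_NET     = 10.10.20.0/24     # POS/payment VLAN (constructed)
define MGMT_NET    = 10.10.99.0/24     # admin workstations (constructed)
define PAY_GATEWAY = 203.0.113.10      # payment processor endpoint (documentation address)
define DNS_SERVERS = { 10.10.0.53, 10.10.0.54 }
define NTP_SERVERS = { 10.10.0.123 }

table inet pos_edge {
    chain forward {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Egress from the POS segment: only what the payment solution needs.
        iifname $POS_IF ip saddr $POS_NET ip daddr $PAY_GATEWAY tcp dport 443 accept
        iifname $POS_IF ip saddr $POS_NET ip daddr $DNS_SERVERS  udp dport 53  accept
        iifname $POS_IF ip saddr $POS_NET ip daddr $NTP_SERVERS  udp dport 123 accept

        # Ingress to POS devices: administrative SSH from the management segment only.
        # Delete this rule entirely if remote administration is not used (step 2 above).
        oifname $POS_IF ip saddr $MGMT_NET ip daddr $POS_NET tcp dport 22 accept

        # Everything else, including POS hosts reaching the rest of the LAN, is logged then dropped.
        iifname $POS_IF log prefix "pos-egress-denied: " drop
        oifname $POS_IF log prefix "pos-ingress-denied: " drop
    }
}
```

Load it with `nft -f pos_edge.nft` and confirm with `nft list ruleset`. The logged drops double as a cheap detection source: a POS terminal that suddenly starts contacting hosts other than the payment gateway shows up as `pos-egress-denied` entries in the kernel log, which is exactly the kind of signal the "regularly monitor and test networks" goal asks you to watch for.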
Despite Cybersecurity Awareness Month only lasting through October, the above best practices must be followed daily and in perpetuity.
Ingram Micro offers a variety of solutions and services to help you, including firewalls, malware protection, intrusion detection and prevention, penetration testing and more. For assistance in securing your POS and payment systems, the following resources are available: