Unfortunately, almost every day there’s another security breach caused by a lack of basic security controls. However, by knowing which vulnerabilities to look for and taking a few precautionary steps, you can greatly reduce your risk of a breach. To get started, educate yourself and your employees on how to avoid the three most common security threats faced by businesses.
1. Unsecure Third-Party Vendors
One of the most common vulnerabilities that directly impacts the security of your business' environment is the use of unsecure third-party vendors. These vendors provide businesses with payment processing and related services, but do not always deliver them securely.
Data thieves have learned they can exploit a single unsafe vendor to reach many of its customers and compromise their clients' credit card information. One common example involves vendors using remote access into the customer's processing environment for routine maintenance. Data thieves use default passwords or phishing scams to obtain the vendor’s credentials, which grant them the same remote access into the business' environment. Once there, they can deploy malware, ultimately leading to card data being compromised.
“Ensure you know all of the third-party vendors that are involved with your credit card environment, and know their roles in that environment," advises Stacy Hughes, SVP External Compliance and IT Risk at Global Payments. “You should know if those vendors are PCI DSS compliant and if they are implementing their processes securely."
In addition, verify which security functions your payment provider offers, such as encryption, tokenization and 3D Secure, to reduce your customer data exposure and fraud risk. Your payment provider's security products can protect you significantly and reduce your chances of becoming the victim of a data breach.
2. Security Patches
Another common vulnerability is missing security patches. In many cases, businesses are not aware that their firewalls or antivirus software are out of date because routine security patches were never installed. Data thieves specifically target these products, looking for entities that have not applied the necessary security updates.
“You should always ensure you complete every necessary security patch on all systems that are linked to your processing environment,” says Hughes. “You can schedule these routinely, so you don’t have to worry about missing any necessary changes.”
3. Weak or Stolen Passwords
According to the Payment Card Industry Security Standards Council (PCI SSC), more than 80% of hacking-related compromises involve weak or stolen passwords. Typically, weak passwords are the result of leaving default passwords in place, such as “password,” “welcome” or “12345,” supplied by third-party vendors. In many cases, account holders forget or fail to change the initial password a third-party vendor assigned for first-time access. The end result? Hackers exploiting this vulnerability.
“It’s imperative that you create unique passwords associated with your computer systems, internet access and payment environment,” Hughes says. “Use strong passwords that include at least seven characters with numbers, symbols and letters – at least one capitalized. And change it frequently, preferably every three months.”
Hackers obtain stolen passwords through phishing attacks, from details posted on social media, or from passwords reused on other websites that have already been breached. In a phishing attack, hackers pretend to be a legitimate contact (for example, part of the IT team) and reach out to your employees trying to trick them into providing their password.
“It’s crucial to train your employees on how to protect themselves from phishing attacks, as well as on company security policies. For instance, employees should know to never give out their passwords or login credentials and to be suspicious of emails requesting them,” Hughes says.
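The checks described in this section (vendor default passwords left in place, weak passwords, and passwords overdue for the quarterly change Hughes recommends) can be turned into a small audit that runs over a credential inventory. The following is an added example written for this article, not code from Global Payments or the PCI SSC. The denylist of default passwords, the inventory entries and the `Credential` record are constructed for illustration, and the 12-character minimum is an assumption chosen for the example rather than a figure from the article.

```python
"""Credential-inventory audit: flags vendor default passwords, weak passwords,
and passwords that have gone too long without a change.

Added example for this article; all names and sample data are constructed.
"""
from dataclasses import dataclass
from datetime import date
import string

# Constructed denylist of vendor-default and common passwords (illustrative, not exhaustive).
DEFAULT_PASSWORDS = {"password", "welcome", "12345", "123456", "admin", "changeme", "letmein"}
MIN_LENGTH = 12      # assumption for this example, stricter than the seven characters quoted above
MIN_CLASSES = 3      # lower, upper, digit, symbol: require at least three of the four
MAX_AGE_DAYS = 90    # "change it frequently, preferably every three months"


@dataclass
class Credential:
    system: str
    username: str
    password: str          # a real audit would check at password-set time, not store plaintext
    last_changed: date
    vendor_assigned: bool  # True if a vendor set this password and nobody has changed it since


def password_problems(password: str) -> list[str]:
    """Return a list of weaknesses found in a single password (empty if none)."""
    problems = []
    if password.lower() in DEFAULT_PASSWORDS:
        problems.append("default/common password")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    return problems


def audit(inventory: list[Credential], today: date) -> dict[str, list[str]]:
    """Map 'system:username' to its list of findings; entries with no findings are omitted."""
    findings = {}
    for cred in inventory:
        problems = password_problems(cred.password)
        if cred.vendor_assigned:
            problems.append("vendor-assigned password never changed")
        age = (today - cred.last_changed).days
        if age > MAX_AGE_DAYS:
            problems.append(f"not changed for {age} days (limit {MAX_AGE_DAYS})")
        if problems:
            findings[f"{cred.system}:{cred.username}"] = problems
    return findings


# Constructed sample inventory: one untouched vendor default, one short password, one acceptable.
SAMPLE_INVENTORY = [
    Credential("pos-terminal", "admin", "admin", date(2023, 1, 15), vendor_assigned=True),
    Credential("remote-support", "vendor", "Welcome1", date(2024, 5, 1), vendor_assigned=False),
    Credential("gateway", "ops", "Tr0ub4dor&3-hunter", date(2024, 4, 15), vendor_assigned=False),
]
AUDIT_DATE = date(2024, 6, 1)


def sample_audit() -> dict[str, list[str]]:
    """Run the audit over the constructed inventory as of the constructed audit date."""
    return audit(SAMPLE_INVENTORY, AUDIT_DATE)


if __name__ == "__main__":
    for account, problems in sample_audit().items():
        print(account)
        for p in problems:
            print(f"  - {p}")
```

Run it and the POS terminal's untouched "admin" login is reported five times over (default password, too short, too few character classes, vendor-assigned, and over a year old), while the remote-support account is flagged only for length. In practice the useful place for these checks is wherever passwords are set or reset, so that a vendor default can never be accepted in the first place; the inventory form shown here is for a one-off review of accounts you have inherited.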
To help you protect your business, we created the Merchant Protection Program to assist you with securing your processing environment and achieving PCI DSS compliance. Another helpful resource is the PCI SSC Merchants Microsite, which has many useful guides including Questions to Ask Your Vendors and patching resources to help with outdated software.