News of data breaches arrives almost weekly, and it worries not only consumers but every business that processes credit cards. The Identity Theft Resource Center reported 1,138 data breaches in 2018 as of December 5, 122 of which exposed banking or credit card information. Notable credit card breaches include the TJ Maxx breach of 2007 and the Target breach of 2013; more recent incidents hit big names like Sears, Saks Fifth Avenue, and Forever 21.
Protecting your business from a data breach takes a comprehensive approach. Achieving PCI DSS compliance closes off the most common weaknesses, and the tips below address the ones that turn up most often in real breaches.
Make your passwords difficult to crack.
Attackers rarely guess passwords by hand: stolen password hashes are fed to GPU-based cracking rigs that test billions of candidates per second against weak hash formats, so short passwords, dictionary words with a digit appended, and predictable patterns fall within minutes. Leaving vendor-supplied default passwords in place is worse still, because then the attacker does not need to crack anything at all; PCI DSS Requirement 2 exists precisely to force those defaults to be changed before a system handles card data. The Target breach of 2013, for instance, began with network credentials stolen from a third-party HVAC vendor, which is why every account, including those issued to vendors and service providers, needs a strong and unique password. Password managers such as LastPass, KeePass, and Bitwarden generate long random passwords and store them for you: you remember one genuinely strong master password, and the manager creates and fills a different, hard-to-crack password for each of your websites and systems.
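To make the "difficult to crack" advice concrete, here is an added example (not code from the original article or from any product it names) of the two checks a password manager or an onboarding script performs: flagging vendor defaults, short passwords, and sequential or repeated runs, and generating replacements from the operating system's CSPRNG. The `VENDOR_DEFAULTS` list and the 60-bit entropy threshold are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Constructed sample of vendor-default credentials, for illustration only; a real
# check would load a maintained list (vendor documentation, your own asset inventory).
VENDOR_DEFAULTS = {"admin", "password", "changeme", "cisco", "12345678", "welcome1"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation
MIN_LENGTH = 12   # PCI DSS v4.0 Requirement 8.3.6 sets 12 characters; v3.2.1 allowed 7


def has_sequential_run(password, run=4):
    """True if `run` consecutive characters step by +1, -1 or 0 (e.g. 1234, dcba, aaaa)."""
    low = password.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}, {0}):
            return True
    return False


def entropy_bits(password):
    """Upper-bound entropy: length * log2(size of the character pool actually used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += len(string.ascii_lowercase)
    if any(c.isupper() for c in password):
        pool += len(string.ascii_uppercase)
    if any(c.isdigit() for c in password):
        pool += len(string.digits)
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def audit_password(password, min_bits=60):
    """Return the reasons a password is weak; an empty list means it passed."""
    findings = []
    if password.lower() in VENDOR_DEFAULTS:
        findings.append("vendor default")
    if len(password) < MIN_LENGTH:
        findings.append("shorter than %d characters" % MIN_LENGTH)
    if has_sequential_run(password):
        findings.append("sequential or repeated run")
    if entropy_bits(password) < min_bits:
        findings.append("low entropy")
    return findings


def generate_password(length=20):
    """Draw from the OS CSPRNG (as a password manager does) until the result passes the audit."""
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not audit_password(candidate):
            return candidate
```

The entropy figure is an upper bound: a pattern-based password such as `Password1234` scores well on character classes alone, which is why the run check exists alongside it. Note that `secrets`, not `random`, is used for generation; the latter is a predictable PRNG and unsuitable for credentials.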
Don’t store credit card data, including CVV numbers.
Even if you encrypt or tokenize the primary account number (PAN), never store the card verification value (CVV2, CVC2, CID), the three- or four-digit code printed on the card. Its whole purpose is to prove that the person placing the order has the physical card in hand, so the cardholder can supply it afresh on every order; PCI DSS Requirement 3.2 classifies it as sensitive authentication data that may not be retained after authorization, even in encrypted form. Check application logs, debug output, crash dumps, database tables, and backups to make sure the code is not being written anywhere, and wherever the PAN itself must be displayed show no more than the first six and last four digits.
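The place CVV numbers most often end up "in storage" by accident is application logging. The following is an added example, not code from the original article, of a log scrubber that drops CVV values outright and truncates PANs to first six/last four before a line is written; the Luhn check keeps it from mangling order numbers and other long digit strings. The log formats and the sample lines are constructed for the example.

```python
import re

# A PAN is 13 to 19 digits, possibly separated by spaces or dashes, not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# CVV/CVC/CID values in key=value or JSON form, e.g. cvv=123 or "cvv2": "9876"
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|cav2|security_?code)([\"']?\s*[:=]\s*[\"']?)(\d{3,4})")


def luhn_ok(digits):
    """Luhn checksum, used to tell card numbers from other long digit strings (order ids, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(match):
    raw = match.group(0)
    digits = re.sub(r"[ -]", "", raw)
    if not luhn_ok(digits):
        return raw                        # not a card number; leave it untouched
    # PCI DSS Requirement 3.3: show at most the first six and last four digits
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scrub(line):
    """Remove CVV values outright and truncate PANs before a line reaches any log."""
    line = CVV_RE.sub(lambda m: m.group(1) + m.group(2) + "[REDACTED]", line)
    return PAN_RE.sub(mask_pan, line)


# Constructed sample log lines (not real transactions); the PANs are the standard test numbers.
SAMPLE_LINES = [
    "2018-12-05T10:15:02 order=1001 pan=4111 1111 1111 1111 cvv=123 amount=49.99",
    '{"card": {"number": "5555555555554444", "cvv2": "9876"}, "order": 1002}',
    "order=1003 ref=1234567890123456 status=declined",   # 16 digits but fails Luhn, so not a PAN
]


def scrub_all(lines):
    return [scrub(line) for line in lines]
```

Wire `scrub` into the logging pipeline as a filter or formatter so that no code path can bypass it, and remember that the scrubber is a safety net: the real fix is not to put the CVV in a log statement in the first place.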
Maintain security patches.
Attackers most often get in through vulnerabilities in applications, and next through the operating system underneath them, so it is vital to keep every system current with vendor updates and security patches. Software that its publisher no longer maintains receives no fixes for newly discovered flaws, which leaves those systems exposed indefinitely. Every layer of your IT environment affects your security, whether it is your ERP software, the operating system, or the network protocols you rely on; running a version of Dynamics NAV that Microsoft no longer supports, for instance, means a known vulnerability in it will never be fixed. 2018 was also the year of the TLS migration. TLS is the protocol that lets phones, computers, and payment terminals communicate securely over the internet and protects your credit card data when making purchases or transferring funds online, but its older versions have known weaknesses. The PCI Security Standards Council (PCI SSC) set June 30, 2018 as the deadline for any party involved in payment processing to stop using SSL and early TLS (TLS 1.0), and recommends TLS 1.2 or higher as the replacement. Addressing your systems from a holistic standpoint, rather than patching one product at a time, is what keeps your data secure.
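As an added example (not code from the article or from any product it names), here is what enforcing the TLS migration looks like on the client side of an integration that calls a payment gateway, using Python's standard `ssl` module: a weak legacy configuration next to the corrected one, and an audit function that reports the findings an assessor would raise. The function names are hypothetical.

```python
import ssl


def payment_client_context():
    """Client-side context for calls to the payment gateway: TLS 1.2 as the floor,
    server certificate required and checked against the hostname."""
    ctx = ssl.create_default_context()   # system trust store, CERT_REQUIRED, check_hostname=True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def legacy_client_context():
    """The kind of configuration found on unpatched integrations: any protocol version
    the library still supports, and no certificate validation at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = ssl.TLSVersion.TLSv1   # rejected on builds compiled without TLS 1.0
    except (ValueError, ssl.SSLError):
        pass
    return ctx


def audit_tls_context(ctx):
    """Return the findings a PCI assessor would raise against this context."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows SSL/early TLS (below TLS 1.2)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("does not require a valid server certificate")
    if not ctx.check_hostname:
        findings.append("does not check the server hostname")
    return findings
```

The same floor belongs on the server side of any endpoint that receives card data (web server, API gateway, load balancer); the client setting only protects the connections this application itself opens.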
Tokenize payment data.
Tokenization replaces a sensitive value such as a card number with a surrogate, the token, that is generated randomly and has no mathematical relationship to the original. The token stands in for the card number in your own systems (orders, refunds, recurring billing) while the real PAN is held only in the tokenization provider's secure vault, which maps each token back to its card. Because the token is not derived from the PAN, a leak of tokenized data does not expose the card number: there is nothing to reverse without access to the vault. For that reason PCI SSC's tokenization guidance allows tokens that cannot be converted back to a PAN without the vault to be treated as non-sensitive, which takes systems that store only tokens out of PCI scope, while the vault itself remains fully in scope.
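To show where the PAN lives and where it does not, here is an added example (not code from the article or from any product it names) of a minimal tokenization vault beside the order record a merchant keeps. The vault class stands in for the provider's service; in production its PAN store is encrypted and it sits inside the PCI scope. The HMAC index key and the `tok_` token format are assumptions for the example.

```python
import hashlib
import hmac
import secrets


class TokenVault:
    """Stand-in for the tokenization provider's vault, the one place where the PAN exists.
    In production the stored PANs are encrypted with a key managed under PCI DSS 3.5/3.6
    and the vault stays inside the PCI scope; the merchant only ever sees tokens."""

    def __init__(self, index_key):
        self._index_key = index_key   # HMAC key for the lookup index (assumed to come from the vault's KMS)
        self._pan_by_token = {}       # token -> PAN
        self._token_by_index = {}     # HMAC(PAN) -> token, so a returning card reuses its token

    def _index(self, digits):
        return hmac.new(self._index_key, digits.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan):
        digits = pan.replace(" ", "").replace("-", "")
        if not (digits.isdigit() and 13 <= len(digits) <= 19):
            raise ValueError("not a card number")
        idx = self._index(digits)
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        # The token is random, not derived from the PAN, so it cannot be reversed without this vault.
        token = "tok_" + secrets.token_hex(16)
        self._pan_by_token[token] = digits
        self._token_by_index[idx] = token
        return token

    def last_four(self, token):
        """Display value for receipts; PCI DSS permits showing the last four digits."""
        return self._pan_by_token[token][-4:]

    def detokenize(self, token):
        """Only the vault (or the processor it serves) ever maps a token back to the PAN."""
        return self._pan_by_token[token]


def store_order(vault, order_id, pan):
    """The record the merchant keeps: token and last four, never the PAN."""
    token = vault.tokenize(pan)
    return {"order_id": order_id, "card_token": token, "card_last4": vault.last_four(token)}
```

The HMAC index is what lets a returning customer's card map to the same token without the vault ever comparing plaintext PANs; the merchant database, holding only `card_token` and `card_last4`, contains nothing an attacker could charge or resell.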
Eliminate servers and services that you don’t need.
Servers and network devices such as wireless access points usually ship with features and services switched on that you will never use: management interfaces, sample applications, extra protocols. Every active service enlarges the attack surface, and the goal is to keep that surface as small as possible, because each additional listening service is another piece of code that can carry a vulnerability or a default credential. Run only the services required to meet your business needs, disable or uninstall the rest, and review the list periodically; PCI DSS Requirement 2.2 calls for exactly this kind of hardening standard. Don't just run the defaults.
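One practical way to find out what a server is actually exposing is to compare its listening sockets against the short list of services the business needs. The following is an added example, not code from the article, that parses the output of `ss -Hltnp` on a Linux host and reports every listener outside an allowlist, noting whether it is bound to a network interface or only to loopback. The sample output, the port allowlist and the function names are constructed for the example.

```python
import re

# One line of `ss -Hltnp` output: State Recv-Q Send-Q Local-Address:Port Peer-Address:Port [Process]
ROW_RE = re.compile(
    r"^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}


def parse_listeners(ss_output):
    """Parse ss -Hltnp output into (port, bind address, process) tuples."""
    listeners = []
    for line in ss_output.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            listeners.append((int(m["port"]), m["addr"], m["proc"] or "?"))
    return listeners


def unexpected_listeners(listeners, allowed_ports):
    """Everything listening that the business need did not ask for.
    Loopback-only sockets are reported too, but flagged as not network-exposed."""
    findings = []
    for port, addr, proc in listeners:
        if port in allowed_ports:
            continue
        findings.append({"port": port, "process": proc, "exposed": addr not in LOOPBACK})
    return findings


# Constructed sample output (not from a real host) in the shape `ss -Hltnp` prints.
SAMPLE_SS = """\
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*    users:(("nginx",pid=1340,fd=6))
LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
LISTEN 0      5            0.0.0.0:23        0.0.0.0:*    users:(("inetd",pid=640,fd=5))
LISTEN 0      100        127.0.0.1:25        0.0.0.0:*    users:(("master",pid=990,fd=13))
LISTEN 0      128          0.0.0.0:8080      0.0.0.0:*    users:(("java",pid=2210,fd=41))
"""

# What this hypothetical web server is supposed to offer: SSH for administration and HTTPS.
REQUIRED_PORTS = {22, 443}


def audit_sample():
    return unexpected_listeners(parse_listeners(SAMPLE_SS), REQUIRED_PORTS)
```

Run against the sample, the audit flags telnet on port 23 and the unneeded application on 8080 as exposed defaults to shut down, and the loopback-only mail submission socket on 25 as something to justify or remove. The same comparison belongs in a scheduled job so that a service re-enabled by an update or a new install shows up the next day rather than at the next assessment.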
Protecting credit card data requires a comprehensive plan and regular maintenance. Achieving and maintaining PCI compliance is an essential step toward avoiding a credit card data breach. For more information on PCI compliance, visit https://www.pcisecuritystandards.org/. For information on PCI-validated credit card processing software for Microsoft Dynamics NAV or Dynamics 365 Business Central, visit www.chargelogic.com.