We recently received information from the Financial Services Information Sharing and Analysis Center, the Retail Cyber Intelligence Sharing Center and the United States Secret Service warning that criminals are targeting merchants who have not upgraded their gas pumps to accommodate EMV. Fuel pump owners should also take steps to protect their customer’s data from credit card skimming devices and other cyber security breaches.
It isn’t just fuel pump owners who should be concerned about fraud and the need to protect customer data. All merchants should be alert to potential attacks on e-commerce shopping carts, and the need for multi-factor authentication and implementation of up-to-date security patches.
Below is a link to the release warning of increased fraudulent activity on merchant terminals. And also have included a number of techniques, below, that you can use to protect your business and your customers.
Simple Tools to give Small Merchants Better Customer Data Protection
- Reset default passwords for vendor supplied equipment.
- Require regular password changes (at least every 90 days) and change all passwords if you observe any suspicious activity.
- Enforce strong passwords (i.e. at least seven characters in length with both numeric and alpha characters).
- Inform employees to be on the lookout for skimmers, USB sticks or other devices connected to POS systems. Check all POS systems for connected devices on a regular basis (multiple times daily is recommended), especially ahead of the holiday season.
- Segregate your POS system from other computers on the network. Do not use POS terminals for Internet surfing, checking email or accessing social media.
- If a POS terminal must be used for legitimate non-POS functions, implement a commercial or open source web protection tool on the POS terminal to limit access to harmful and inappropriate websites.
- If POS services operate on an older operating system, update them immediately and configure auto-updates.
- Update all AV signatures and software on a POS terminal daily.
- Implement multi-factor authentication for all remote access operations.
- Implement a unified threat management (UTM) device.
- This is a device that “allows an administrator to monitor and manage a wide variety of security-related applications and infrastructure components through a single management console.” This simplifies the cybersecurity management process for any small and medium-size business owner.
- UTMs are typically purchased as cloud services or network appliances, provide firewall, intrusion detection, antimalware, spam and content filtering and VPN capabilities in one integrated package that can be installed and updated easily.
- If possible, hire an independent third-party to assess your security needs. After this inspection, consider hiring a monthly managed security service provider (MSSP) to manage based on the inspection results. MSSPs are out sourced services that manage network defenses such as firewalls and can typically be hired inexpensively. Below is a list of questions that the SANS cyber research institute has published for businesses evaluating a potential MSSP.