Tips for Security

  Do data thieves know something about your business that you don't? These days, organized data thieves increasingly are aware of potential vulnerabilities and have become relentless in exploiting them. Meanwhile, cardholder awareness of card-security issues has never been higher, potentially affecting spending at the checkout counter.
  With so much riding on their systems, business owners are recognizing the need to focus on data security. Visa USA and the U.S. Chamber of Commerce recently fielded a survey that found more than 64% of businesses had taken action within the past 12 months to better protect customer financial information. At the same time, 63% said they rarely, if at all, worry about securing cardholder data.
  Some businesses discover the hard way that the loss of consumer goodwill, liability for fraud and other losses, and fines are the unwelcome results of a data compromise. As painful as these incidents can be, data breaches provide important insights into how hackers operate and how to avoid security vulnerabilities.
  To help businesses identify and take action against the leading causes of card-related data compromises, Visa and the U.S. Chamber recently teamed up to issue a security alert to their respective members. It provides practical recommendations for avoiding the most frequent types of data attacks.
  The most common cause of data breaches is a merchant or service provider storing sensitive information encoded on the payment card's magnetic stripe, in violation of the Payment Card Industry Data Security Standard. This can happen because some point-of-sale systems improperly store this data without the merchant being aware of it. A discussion with your POS vendor can help ensure your application does not store track data or other sensitive information, such as PINs, after card authorization.
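  One way a merchant's IT staff could check for this themselves, shown as an added example that is not part of the original article and does not come from Visa, the U.S. Chamber or any POS vendor: a small Python scanner that looks for full track 1 and track 2 records in log or data files. The function names and the sample log are constructed for illustration, and the patterns assume the standard ISO/IEC 7813 track layouts.

```python
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(rb"%B(\d{12,19})\^[^^\r\n]{2,26}\^\d{4}\d{3}[^?\r\n]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(rb";(\d{12,19})=\d{4}\d{3}\d*\?")

def luhn_ok(pan: bytes) -> bool:
    """Luhn checksum; discards digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = ch - 48                      # ASCII digit byte -> integer value
        if i % 2 == 1:                   # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def find_track_data(blob: bytes):
    """Return (line_number, track_name, masked_pan) for each stored track record."""
    hits = []
    for lineno, line in enumerate(blob.splitlines(), 1):
        for name, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):
                    # Report only first 6 / last 4 so the finding does not leak the PAN.
                    masked = pan[:6].decode() + "*" * (len(pan) - 10) + pan[-4:].decode()
                    hits.append((lineno, name, masked))
    return hits

# Constructed sample: a hypothetical POS debug log. 4111111111111111 is a
# widely used test card number, not a real account.
SAMPLE_LOG = b"""\
2006-03-01 10:02:11 AUTH OK amount=23.10 card=411111******1111
2006-03-01 10:02:11 DEBUG swipe=%B4111111111111111^DOE/JOHN^0812101000000000?
2006-03-01 10:05:40 DEBUG swipe=;4111111111111111=08121010000000000?
2006-03-01 10:07:02 DEBUG swipe=;1234567890123456=08121010000000000?
"""

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_LOG):
        print(hit)
```

  A hit on a production system means full stripe data is being retained after authorization and should be raised with the POS vendor; the masked first line of the sample shows what an acceptable log entry looks like.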
  A number of hackers have successfully penetrated a system because up-to-date security patches were not in place. The timely application of security patches is key to managing this vulnerability. Also, businesses often receive POS hardware or software from outside vendors who install them using default settings and passwords. Many of these passwords are widely known among criminals, while others are easy to guess. Any default or blank settings and passwords should be changed before deployment into production. Default IDs should be renamed, and default port numbers should be changed, where possible.
  Using a technique known as "SQL injection," criminals exploit vulnerabilities in Web-based applications to attack shopping carts and other e-commerce applications. Businesses can reduce this risk by validating client input before it reaches the database and by testing applications for vulnerabilities. Businesses also should ask vendors to confirm that their payment application conforms to secure coding standards and employs patches to guard against potential weaknesses.
  Additionally, vendors often ship servers with unnecessary services and applications that are enabled, although the user may not be aware of it. Subsequently, security patches and upgrades may be ignored and the merchant's system exposed to attack. All necessary services or applications should be patched and secured, and any unused services or applications should be disabled or removed.
  Of course, the single most effective weapon in the battle against data theft is education. By becoming more aware of common security vulnerabilities and taking relatively simple steps to avoid potential areas of weakness, any business can significantly reduce its risk of a data compromise.
  Michael E. Smith is senior vice president of Enterprise Risk and Compliance at Visa USA. He can be reached at mesmith@visa.com.
  Sean Heather is executive director, U.S. Chamber of Commerce. The two companies recently completed their second nationwide town hall tour of small to mid-sized businesses on data security. He can be reached at sheather@uschamber.com.
  (c) 2006 Cards&Payments and SourceMedia, Inc. All Rights Reserved.
  http://www.cardforum.com http://www.sourcemedia.com
 
