Nothing frightens me more than walking into a local business and watching them swipe my credit card through a card reader connected to a desktop or laptop computer. Unprotected cables lay exposed between the card reader, system, and other network or peripheral devices. So many attack vectors -- all low-hanging fruit for an enterprising criminal targeting payment card data.
Based on my experience investigating payment card data theft, a number of questions immediately come to mind:
I’m not worried about my own card being compromised. I know that as long as I’m using a major brand, and not a debit card connected to my checking account, that I’ll have little to no liability. I am however, concerned for the vendor. In the nine years I’ve performed incident response investigations, I’ve spoken with dozens of compromised small business owners. Time and time again, they have told me they cannot afford to decline payment card transactions, nor can they pay for an investigation that may cost thousands or tens-of-thousands of dollars.
The good news is that small businesses have the advantage of being, well -- small.
With fewer terminals and backend systems, small businesses are not as dependent upon a large and complex POS or back office system. The lack of a complex POS or back office system would allow a small business owner to move to newer and more secure platforms and/or outsource and transfer the risk and costs associated with data theft to the service provider. Moving to a more secure platform and/or reducing the size of the environment through outsourcing would reduce the likelihood that a small business will be the source of card data theft and be required to finance a costly investigation.
Here are some recommendations to follow that will help reduce your small business’s exposure to payment card data theft:
Do not maintain a Payment Card Industry (PCI) environment or maintain the smallest PCI environment possible.
If you must process transactions using a traditional Point of Sale (POS) system:
Important best practices for all systems:
What about small businesses that conduct business online? In my experience, self-hosted solutions, whether reliant on internally developed or commercial off the shelf (COTS) software, are a significant risk. Attackers are adept at exploiting vulnerabilities in internet-facing applications used to process PCI data.
Small business owners should consider using a PCI DSS compliant provider when handling online transactions. This process can be made transparent to the customer. It transfers the risks and costs associated with data theft to the service provider.
Following these recommendations will not magically solve the problem of cardholder data theft. After all, small businesses aren’t the only targets. We’ve seen plenty of large retailers, banks, and payment processors fall victim to attacks. However, these steps will transfer risk away from small businesses that cannot (and should not) bear the burden of operating a secure PCI environment.
While some of these solutions may increase transaction costs, it’s likely that some or all of the cost will be offset by the reduced cost of managing systems, networks, and by the reduced risk of having to conduct a costly investigation.
Chris Nutt is the Director of Incident Response and Malware of Mandiant. He has nine years of experience in enterprise incident response, working with the federal government, defense industrial base, and Fortune 100 companies. He has extensive experience in incident ... View Full Bio