SMB Retailers Should Remember PCI This Black Friday

PCI Council suggests hiring a certified pro to help avoid common SMB PCI pitfalls

As SMB retailers gear up for Black Friday, they have undoubtedly checked and double-checked that their payment-card acceptance technology works and is ready for the spending deluge. But have they applied the same due diligence to making sure that technology is secure and PCI-compliant? If not, they could be putting their customers' card data at risk and running afoul of the payment card brands that enforce the PCI standards.

In honor of the Black Friday bonanza, Dark Reading recently sat down to talk about SMB PCI pitfalls with two of the experts who drive the evolution of the standard at the PCI Security Standards Council: Bob Russo, general manager of the council, and Troy Leach, its CTO. Russo says that first and foremost, SMBs have to recognize that being small does not necessarily mean carrying a small amount of risk. Some merchants, especially online, may push through only small transactions, but at extremely high volumes.


"SMB is kind of a misnomer," Russo says. "It's kind of a catch-all for anyone who's not a Level One merchant."

But some small-staff SMBs may well be pushing into larger merchant volumes, and when that happens, trouble can lurk if they fall into what Russo describes as the brother-in-law syndrome. There are plenty of high-volume shoestring operations out there, and they simply lack the manpower and technical expertise of their more heavily staffed competitors. So they default to letting a brother-in-law or the college intern administer their systems, install their payment applications, and generally keep the LEDs on.

Even when a smaller business is aware of the PCI requirements and has sought out payment applications validated under the Payment Application Data Security Standard (PA DSS), it can still end up insecure and potentially noncompliant if the application itself is not installed properly.

"They'll say, 'I'll just buy a PCI-compliant solution or a PA DSS-compliant application, and that will make me PCI-compliant.' Of course, that's not the case," Russo says. "They've done a good thing by looking to buy a PA DSS application, but now they're going to have this thing installed by someone who may not have the wherewithal to install it in a secure manner."

Frequent mistakes by the proverbial brother-in-law include systems left with default passwords, remote access left enabled permanently for the administrator's convenience, and root access handed to the clerks who ring up purchases. And even if the application is installed correctly, adding a single piece of hardware can push the whole environment into noncompliance. Take, for example, the mobile payment dongles sweeping across the SMB nation for their convenience: many of them are not yet PCI-compliant, yet they are being used alongside solutions that claim to be.

"When you look past the marketing slick and you start to talk with their technology folks to start to understand the process, you'll see that the dongle that snaps into your mobile phone is not PCI-compliant yet," Leach says. "Once the vendor receives your information at their servers, that server-side acceptance of your payment card is PCI-compliant, but the initiation point that is at risk for small to medium-sized businesses may not be validated as PCI-compliant."

It's situations like these that have driven the PCI Council not only to get the word out to SMBs about their responsibility to comply with the PCI standards, but also to make it easy for them to assess and install payment technology without becoming security experts.

This is the big driver behind the council's most recent push to encourage SMBs to look to resellers certified under its Qualified Integrators and Resellers (QIR) program, which validates that they can act as trusted advisers in installing payment applications securely. Essentially, Russo and Leach want SMBs to say good-bye to the brother-in-law and hello to the QIR.

"Small merchants are now realizing that even though they buy these solutions, there are basic changes that have to be made in order for it to be a PA DSS-recognized implementation of the payment application," Leach says. "A QIR will be trained through our program to make sure it is installed in a secure environment."

It's a useful measuring stick because no matter whom the SMB chooses to outsource to, it cannot transfer all of its data-loss and PCI-compliance risk to a third party. Ultimately, the business is the one on the hook for the customer data.

"The data is still theirs regardless of whether or not you've farmed it out to someone else to process and someone else to create your Web page and host your Web page," Russo says. "If they get breached, you're the guy that's going to get called to the carpet because it's your data."

Not only can a QIR help install things correctly, it may also help an SMB decipher the baloney served up in healthy helpings by marketing slicks emblazoned with "PCI compliant" claims.

"Especially with cloud and mobile, everyone wants to migrate because of cost savings and the new payment acceptance channels, but you have to be very cautious as to what they're promoting when they say they are PCI-compliant," Leach says. "It typically is much less than what you'd expect as a merchant."
