Data Security Essentials Every Franchisee Should Know
Exploiting weak and default passwords continues to be a successful strategy for criminals.
First, a few facts. Did you know that franchises remain among the most highly targeted business types? According to Visa data, franchises remain a large target for cyber-criminals. This year 74 percent of Visa-investigated data breach cases involved multi-location businesses.
We also found in most cases that those attacks were preventable and common vulnerabilities appeared across many of the breaches. Specifically, we see three steps that franchisees can take to significantly reduce their security vulnerabilities:
1. Change Default Credentials and Passwords
It’s common-sense advice that you’ve heard countless times, but the reality is that exploiting weak and default passwords continues to be a successful strategy for criminals. Factory default passwords are not secret. In fact, it’s common for the default setup credentials of popular off-the-shelf software applications, including payment applications, to be searchable online.
To guard against this vulnerability, make a list of the default IDs and passwords for all your payment devices and software. You can look these up in the vendor manual or call your vendor. Change these default settings immediately to IDs and passwords that include a mix of numbers, letters and special characters and that are hard to guess. If you own multiple franchise locations, create distinct log-in credentials and passwords for each location. In addition, all businesses should have a strong password policy in place, requiring user passwords to be changed at a minimum every 90 days and requiring strength criteria such as minimum password lengths.
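The checks above (default credentials left in place, weak passwords, passwords older than 90 days, and one credential reused across several locations) can be run over the inventory list this section tells you to build. The following is an added example, not code from the article or from Visa; the vendor defaults and the store inventory in it are constructed sample values.

```python
from datetime import date

# Constructed list of vendor default credentials, the kind of list the article
# tells you to compile from vendor manuals (hypothetical entries, not real vendors).
KNOWN_DEFAULTS = {("admin", "admin"), ("pos", "pos1234"), ("manager", "password")}
MAX_AGE_DAYS = 90          # rotation interval named in the article
MIN_LENGTH = 12            # assumed minimum length; the article leaves the number to you
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/")

def password_is_strong(pw):
    """Mix of letters, digits and special characters, at the minimum length."""
    return (len(pw) >= MIN_LENGTH
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SPECIALS for c in pw))

def audit_credentials(inventory, today):
    """Return (location, device, finding) tuples for every policy violation.

    inventory: dicts with keys location, device, user, password, changed (a date).
    """
    findings, locations_using = [], {}
    for e in inventory:
        key, cred = (e["location"], e["device"]), (e["user"], e["password"])
        if cred in KNOWN_DEFAULTS:
            findings.append(key + ("default vendor credential still in use",))
        elif not password_is_strong(e["password"]):
            findings.append(key + ("password does not meet strength criteria",))
        if (today - e["changed"]).days > MAX_AGE_DAYS:
            findings.append(key + ("password older than 90 days",))
        locations_using.setdefault(cred, set()).add(e["location"])
    # Second pass: the article asks for distinct credentials per location.
    for e in inventory:
        if len(locations_using[(e["user"], e["password"])]) > 1:
            findings.append((e["location"], e["device"], "credential shared across locations"))
    return findings

# Constructed sample inventory for two hypothetical store locations.
SAMPLE_INVENTORY = [
    {"location": "Store 01", "device": "POS terminal", "user": "admin",
     "password": "admin", "changed": date(2013, 1, 15)},
    {"location": "Store 01", "device": "RMA console", "user": "rma",
     "password": "Fr4nch!se-Store01", "changed": date(2013, 3, 1)},
    {"location": "Store 02", "device": "RMA console", "user": "rma",
     "password": "Fr4nch!se-Store01", "changed": date(2013, 3, 1)},
    {"location": "Store 02", "device": "POS terminal", "user": "pos",
     "password": "storetwo", "changed": date(2012, 11, 30)},
]

def run_sample_audit():
    """Audit the constructed inventory as of a fixed date; returns five findings."""
    return audit_credentials(SAMPLE_INVENTORY, date(2013, 4, 1))
```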
2. Secure Your Remote Management Applications
Some franchisors or multi-location franchise owners, point-of-sale vendors, resellers or integrators may choose to use a remote management application (RMA) to manage the payment application systems across multiple locations. If you choose to use an RMA, make sure you’re not leaving the back door of your payment network “unlocked.”
When setting up your RMA, create unique user IDs and strong passwords for each location. While covered in the section above, it is worth repeating since leaving the default settings for your RMA unchanged presents a big security risk to all the locations that are connected through the application. It’s important not to assume the default password has been changed; ask your service provider or verify it yourself.
If your business has an outward-facing IP address (an Internet-facing entry point into your network), it is essential to implement a firewall. This is an added layer of security to keep unauthorized users out of your network. As added protection, you can configure your service to restrict connections to known devices only.
Lastly, ensure your RMA remains turned off except when a franchisor or payment vendor actually needs to use it. After all, if it’s not needed, why run the risk?
3. Ask Questions When Working With a Third-Party Payment Application Integrator or Reseller
Third-party integrators and resellers exist to make a business owner’s life easier by selling, installing and assisting in the maintenance of the business’s payment applications. But improper installation can lead to significant security weaknesses, and it’s the business owner, not the vendor, who is ultimately responsible for ensuring the payment environment is secure.
Make sure that the third party you’re working with is providing software that is compliant with the Payment Application Data Security Standard (PA-DSS).
Don’t be afraid to ask questions, and make sure you have a basic understanding of how your payment system was installed. Here are five important questions to ask your vendor:
1. Does the payment application I’m using store cardholder data?
2. Does my network have a firewall installed to protect my point-of-sale system from unauthorized access?
3. Can you confirm that you did not use common or default passwords for my system?
4. Have all unnecessary and insecure services been removed from the systems and databases that are part of my point-of-sale system?
5. Does my payment application receive software updates in a secure manner?
Tia D. Ilori is business leader, Americas payment system security, Visa Inc. She can be reached at email@example.com.