The “Bumper-to-Bumper” Security Solution of POS Systems?

    November 01, 2017

    When Point-to-point encryption (P2PE) was standardized by the PCI Security Standards Council, many thought it would become the be-all end-all security solution they needed. It would protect customer data and relieve some of the burden of PCI compliance on the merchant.

    As with anything that sounds too good to be true, proceed with caution.

    P2PE is a PCI security standard that requires credit card information be encrypted from the point-of-sale (POS) to a secure point-of-decryption. This makes the card account information unreadable while it is being transmitted; therefore, difficult for hackers to extract sensitive data.

    So far, so good. Customer credit card data is now protected from “bumper-to-bumper” as it transmits…However:
    1. What happens prior to encryption?
    2. What happens when the data is decrypted?
    3. Who has access to the data?
    4. Where is the data stored?
    5. How secure is the endpoint?
    6. What about a third-party breach?
    7. What about the data and systems outside the cardholder data environment?
    When new cybersecurity features hit the market, many want to believe the “new and improved” model will protect them against every threat. Then they may decide not to continue updating older features, like anti-virus or firewalls, thinking they are no longer needed. But cybersecurity solutions work best when combined. You can never be too secure.

    As an analogy, when airbags were added to vehicles, some may have felt the seatbelt wasn’t necessary anymore (yet they were designed to work together). Seatbelts are a foundation of vehicle safety. Airbags were designed to protect further from other impact injury possibilities, but airbags can be deadly without a seatbelt and in other circumstances, like with children. By using both features correctly, the survival rate increases dramatically in a head-on collision for adults. Human error is all around us on the road and sometimes we cannot prevent an accident, so we prepare ourselves with layers of safety for the best possible outcome if worse comes to worst.

    A PCI-validated P2PE solution shouldn’t be a merchant’s only source of protection against cybercrime. Nothing by itself will stop every form of cyberattack. One never knows when, where, or how the next attack will occur, so merchants need a multi-layered security solution. And, when possible, a third-party to manage or co-manage that plan and the solutions used.

    Know before you buy

    Before you buy a new car, you might want to shop around for the best price, best safety features, take it for a test drive, maybe even kick the tires. Before purchasing a cybersecurity solution, know what you need, shop around, and understand what you’re getting.

    Here are some of the questions the PCI Security Standards Council recommends when shopping for a cybersecurity vendor:
    1. Does your solution/product ensure the secure capture and transmission of cardholder data?
    2. Does our agreement with you include clauses that state that you will maintain PCI DSS compliance for your product/service?
    3. Does your product/solution store payment card information locally?
    4. Does your product/solution protect payment card information with strong encryption?
    5. How secure is the installation of my product?
    6. Do you provide me with ongoing support and maintenance?
    7. What happens if there is a data breach?
    To set up an effective network security plan, you will need to go above and beyond PCI DSS compliance and assess:
    1. What are your network vulnerabilities?
    2. What security measures do you have in place?
    3. What security measures do you still need?
    4. What is your budget?
    5. What staff do you have in place?
    6. Have you conducted cybersecurity training of all staff?
    It’s never too late to start preparing for the next cybersecurity threat. Kick the tires now, before it’s too late, with a Free Security Consultation. Gauge your risk with this quick Risk Assessment.

    Comments
    Blog post currently doesn't have any comments.