Sustaining Security

Now that retailers have reached PCI DSS 2.0 compliance, it’s important to continue monitoring people, processes and technology to protect against breaches. 

By Erin Rigik, Associate Editor
If your chain is among those who diligently worked to achieve PCI DSS 2.0 compliance by the Jan. 1, 2012 deadline, you probably think your stores are safe from breaches, but experts warn that true security requires consistent awareness, even between deadlines.
Even after meeting PCI standards deadlines, a few key areas remain where retailers repeatedly struggle, which ultimately leads to breaches, noted Bob Russo, general manager, PCI Security Standards Council (SSC).
• Change the standard password that comes with your POS interface. “Don’t use the admin password,” Russo cautioned. “Make sure if you have a firewall—and you should have a firewall—that you have the settings properly in place.”
• Make sure you’re picking an application that’s on the PCI SSC list of applications that have been tested and certified by the council.
• Train your talk to your employees so they’re aware of issues like skimming, and make sure they understand the way equipment should work and look. PCI SSC has offers a downloadable document on its Website with simple information and lots of pictures to convey simple common sense things employees can watch out for.
•Make sure employees know how the equipment should look.  “When you first get your POS device in your store, take a photo of it and put it in the file cabinet and pull it out once a month and compare it to the device,” Russo suggested. “Make sure it looks the same. Does it have a false front on it now? Are there different colors? Are there more wires coming out of it now than when you first got it. Were the wires curly and now they’re straight?”
Another quick check that can save millions in preventing a breach is to have employees run their fingers over the security label on the back of a POS system. If the label feels raised, someone may have opened the device.  For companies who want to further train employees to help with security, PCI SSC offers a training course called ISA (Internal Security Assessor.)
“It’s really about dressing in layers,” Russo said. “The more layers of security, the better equipped you’re going to be to prevent areas where a possible breach could occur.”
For more on the PCI DSS 2.0 deadline, see the January issue of Convenience Store Decisions.