Recently at a local establishment while enjoying a frosty beverage, I thought I would check out some new mobile apps that I found. These apps are designed to assist IT Auditors and Security Assessors to perform discovery of devices on a network. The establishment in question has an open WiFi that allow the general public to connect in order to access the Internet. When I launched the tool, I was surprised to see several business systems in the list of devices. Of most concern were their Point of Sale (POS) systems clearly named as a POS system.
If cardholder data is stolen – and it’s your fault – you could incur fines, penalties, even termination of the right to accept payment cards!
I have performed PCI-DSS audits as an Internal Auditor and became more familiar with PCI-DSS regulations than I have ever wanted. So while I reviewed the list of devices on the network, my spidey senses were tingling. PCI-DSS requires that merchants protect card holder data by implementing several security controls. Isolating systems that accept credit cards from unsecured anonymous WiFi would be a fairly simple control to implement. Then I was wondering if there were exceptions for small businesses. Being fully PCI-DSS compliant is expensive and for a small business could be an unexpected large expense that could put a dent in profits.
The PCI Security Standards Council (PCI SSC) has a web page for small merchants. In large bold letters on the site it says; “You must secure cardholder data to meet Payment Card Industry rules!” Well, I guess my question was answered. Small merchants are responsible for PCI-DSS. “If cardholder data is stolen – and it’s your fault – you could incur fines, penalties, even termination of the right to accept payment cards!” This makes sense, since small merchants, especially establishments that offer free public WiFi for their customers are prime targets for attackers. Not only are they vulnerable for compromising customer credit card data, they are also at risk of being used by attackers to perform malicious misdeeds on the Internet.
So how can small merchants protect themselves? Obviously the easiest thing to to is call me! All kidding aside, there a few simple controls small merchants can implement that are low cost. The goal is to mitigate risk, so going after the low hanging fruit provides the largest bang for the buck. First thing to do, especially if your business provides free WiFi, is to isolate your business systems from the guest WiFi. A small business wireless router firewall that can provide mutiple SSID‘s, separate VLAN’s and an easy to configure interface will provide a reasonable level of assurance that PCI-DSS requirements can be met, and will protect card holder data. The Cisco RV110W-A-NA-K9 Small Business RV110W Wireless N VPN Firewall Router support separate virtual networks, enables you to control access to sensitive information and to set up highly secure wireless guest access. This device costs less than $100 and could save your business hefty fines and potentially save you from having your merchant agreement terminated. It boils down to, how much is your data and your customers data worth to protect? Not only is data at risk, but so is your reputation. Customers want to know that their data is safe, if the word gets around that they could face possible identity theft by visiting your establishment, they will likely go elsewhere. Be smart, invest in your security and save yourself unnecessary headaches.