RSA Conference is over, but that just means that all of those side conversations and meetings that we had will start to make themselves into blog posts! One that is a biggie for me is the top five mistakes that merchants make that lead to a compromise. I often get questions from small merchants asking for the top three to five things they should do to make sure they do not suffer a breach, specifically after they are overwhelmed by SAQ-D. While there is no substitution for complying fully with PCI DSS, there are a few common themes in breaches that businesses should address to avoid one.

Bang!, by ToastyKen

Keep in mind, while this applies to all setups, the ones getting hit most often today are integrated point of sale systems. An integrated POS basically looks like a computer screen with the credit card reader built into the setup. For an example, go to your nearest bar or restaurant and watch them process your payment.

So if you have an integrated POS, watch out for these things:

  1. Remote access available via the Internet. This one is related to item number three below: the POS systems that get compromised aren’t compromised on-site, they are compromised remotely over an Internet connection. Allowing remote access to these systems opens you up to all kinds of risk. And if you are not segmenting (item five), it may not matter what your remote access is for. If someone can jump around inside your network once they gain access, you can bet they will go after any system with a perceived value.
  2. Blank or default administrative credentials (3rd party included). This one is pretty sad. The only thing worse than a blank password is a default password. Why? Because people think that any password is better than no password, so they feel secure even though Google will quickly reveal the default password for the device in question. Even worse, some third parties use a shared password for their own access so that any of their technicians can use this one password to get to any of their customers. If I figure out that password, I can then just look at their website to figure out who their other customers are and use that same password to compromise them. Be sure you have set a password, that it is unique to you, and that you change it on a periodic basis. This doesn’t just mean a blank administrator password, but also blank “sa” passwords and other database administrator passwords.
  3. No firewalls protecting POS from ingress/egress. It’s 2012; isn’t a firewall part of a standard deployment nowadays? Apparently not. The number of POS devices sitting outside of firewalls is pretty alarming, and gives the bad guys something juicy to attack. Small businesses shouldn’t assume that their broadband router has a firewall built into it. That doesn’t mean they will need to buy lots of additional equipment; they just need to fully implement and deploy these features on their existing setup. It requires a little bit of vigilance, or outsourcing with the proper contract liability.
  4. Malware for real-time theft. I remember many conversations back in the 2005-2007 time frame where software engineers would VEHEMENTLY object to encryption controls in their applications. They would leave things unencrypted in memory (including encryption keys) and say things like, “Wow, it’s virtually impossible to grab this data,” or “Nobody is going to spend time trying to capture things from RAM while they reside there for a few microseconds.” Well, the bad guys have a number of methods for capturing this data including making the entire integrated POS software run inside a debugger, transparently to the user.
  5. Lack of segmentation. Remember, segmentation IS NOT a PCI DSS requirement, and never has been. It is strongly suggested, and for most large merchants it’s the only way they will be able to comply in a cost-effective manner. But small merchants with just a few computers don’t want to spend the extra money to segment these networks, which gives the bad guys a stupidly easy way in: compromise the back office PC with malware and jump over to the POS network.

In addition, some basic commonalities among many small merchants make them more susceptible to a breach. Those are:

  • Common credentials used by the integrator/reseller or POS software vendor
  • Common ports for remote services like using port 3389 for RDP (hint, it’s the default)
  • SMB null sessions, which allow unauthenticated mounting of certain file shares (so any credit card data stored there is easily stolen)
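
To show what items one, three, four and five (plus the default-port and SMB bullets above) look like from the defender's side, here is an added example that is not part of the original post: a small Python audit that reads simplified firewall accept/drop lines and flags Internet-facing RDP/SMB/VNC into the POS subnet, back-office hosts reaching the POS subnet, and POS hosts sending traffic anywhere other than the processor. The subnets, the processor address, the log format and the sample lines are all constructed assumptions for the example.

```python
import ipaddress
from collections import namedtuple
# Constructed inventory (every address is an assumption): a POS subnet, a back-office
# subnet, RFC1918 space counted as "inside", and a hypothetical processor gateway.
POS_NET = ipaddress.ip_network("192.168.10.0/24")
OFFICE_NET = ipaddress.ip_network("192.168.1.0/24")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EGRESS_ALLOW = {("203.0.113.10", 443)}
REMOTE_PORTS = {3389: "RDP", 445: "SMB", 5900: "VNC"}  # remote-access and file-share ports
Flow = namedtuple("Flow", "action src dst dport")

def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)

def parse_line(line):
    """Parse a constructed log line like 'ACCEPT SRC=a DST=b DPT=n'; None if malformed."""
    parts = line.split()
    fields = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    try:
        return Flow(parts[0], ipaddress.ip_address(fields["SRC"]),
                    ipaddress.ip_address(fields["DST"]), int(fields["DPT"]))
    except (IndexError, KeyError, ValueError):
        return None

def classify(flow):
    """Name the mistake from the post that an accepted flow points at, or None."""
    if flow.action != "ACCEPT":
        return None                                   # a DROP is the firewall doing its job
    if flow.dst in POS_NET and flow.dport in REMOTE_PORTS:
        svc = REMOTE_PORTS[flow.dport]
        if not is_internal(flow.src):
            return "Internet-exposed %s to POS %s" % (svc, flow.dst)
        if flow.src in OFFICE_NET:
            return "back-office %s to POS %s (no segmentation)" % (svc, flow.dst)
    if flow.src in POS_NET and not is_internal(flow.dst):
        if (str(flow.dst), flow.dport) not in EGRESS_ALLOW:
            return "unexpected POS egress to %s:%d" % (flow.dst, flow.dport)
    return None

def audit(lines):
    """Return (line_number, finding) for every logged flow that matches a rule above."""
    flows = [(n, parse_line(l)) for n, l in enumerate(lines, 1)]
    return [(n, classify(f)) for n, f in flows if f is not None and classify(f)]

SAMPLE_LOG = [                                              # constructed, not real traffic
    "ACCEPT SRC=198.51.100.7 DST=192.168.10.5 DPT=3389",    # Internet -> POS RDP
    "DROP SRC=198.51.100.7 DST=192.168.10.5 DPT=445",       # blocked: the firewall worked
    "ACCEPT SRC=192.168.1.20 DST=192.168.10.5 DPT=445",     # office PC -> POS SMB
    "ACCEPT SRC=192.168.10.5 DST=203.0.113.10 DPT=443",     # expected processor traffic
    "ACCEPT SRC=192.168.10.5 DST=198.51.100.200 DPT=8080",  # POS sending data elsewhere
]
```

Running `audit(SAMPLE_LOG)` flags lines 1, 3 and 5; the unexpected egress on line 5 is the kind of signal a memory-scraping infection (item four) gives off once it tries to ship what it captured.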

So, while I won’t say you shouldn’t comply with PCI DSS if you are required to do so, I will say that tackling the items in this blog post will go a long way toward preventing a breach even if you do not fully comply with PCI DSS.

This post originally appeared on
