Multi-Unit Franchisee Magazine Issue II, 2011 | Page 82

SECURITY
By David Ellis

Is Your Data Secure?
One misstep can hand a hacker a master key to your network

In case you haven’t heard, franchises hold a place of honor in the world of data thieves. In fact, chains are the favorite target of hackers trying to steal payment card information. The most recent figures from Visa indicate that up to 97 percent of data compromises are suffered by smaller merchants and “specifically franchisees”—particularly those in the restaurant, clothing, sporting goods, and hotel industries.

The reason so many attacks are mounted against franchise operations is simple: a hacker who can penetrate one franchisee’s computer systems can frequently infiltrate the entire network with little extra effort. Having this kind of “master key” to a larger enterprise is far more efficient—and lucrative—than trying to attack scores of smaller companies that have fewer cards to pilfer, as well as disparate security systems to break and enter.

Franchise systems at risk

A 2008 security breach at a major hotel chain illustrates the payoff for a franchise system breach. In that case, after hackers penetrated one hotel’s computer system, they were able to access information from more than three dozen other properties through the chain’s computer network. Not only were guest names, card numbers, and expiration dates theirs for the taking, but so was the magnetic stripe data that made the information even more valuable on the black market because it provided the ability to replicate the physical credit card for each stolen data set.

This franchisee-first attack is a common scenario. Frequently, the first successful breach occurs at a franchise location and then spreads to the corporate network. Visa is so concerned about the number of attacks directed at franchises that it has created special rules to address the franchise environment.
Recently, for example, Visa expanded its security requirements to include the integrators and value-added resellers (VARs) who supply payment-processing hardware and related services to franchisors and franchisees. For these corporate franchise servicers, as well as franchisors and their franchisees, compliance with the Payment Card Industry Data Security Standard (PCI DSS) is not only the best defense against card fraud, it is also mandatory. Adhering to PCI controls and processes will help plug the security holes that allow criminals to pocket your customers’ card data—or even your own.

Cracking the code

For a determined hacker, there are multiple roads to successfully bypassing a merchant’s perimeter security. Attacks can be launched against the organization’s computer network, point-of-sale (POS) software, or the POS terminals themselves. Within each of these categories, data thieves can exploit a variety of security weaknesses.

In the first six months of 2010, for example, four attacks out of 10 involved unauthorized users gaining remote access to computer systems because of issues such as lack of adequate password protection. In a franchise business, that kind of problem typically is related to the remote management applications used to disseminate business downloads, conduct sales polls, and/or manage inventory within a particular franchise community.

Nonexistent or improperly configured firewalls (the equivalent of leaving a store physically unlocked after business hours) and unencrypted credit card data stored by the organization are other danger zones. So are oversights such as a failure to segregate day-to-day business and Internet traffic from payment data (leaving the entire network open to an attacker once they’re in the door), and a failure to replace the vendor-supplied default passwords that come with POS systems and other network devices with complex, individualized passwords.
The PCI cure

The PCI DSS prescribes detailed safeguards in each of these areas and many more, providing a road map for keeping card data off-limits to interlopers. The rules require merchants to follow procedures such as:

• Configuring firewalls to deny all traffic from untrusted networks and hosts, blocking a key entry point that cyber-criminals use to access payment systems.

• Using two means of identification to authenticate remote users to the network—including a device such as a token, smart card, or biometric—to prevent hackers from using a password alone to gain network access.

• Changing vendor-supplied default settings on firewalls and other network devices to eliminate easily guessed passwords such as “1234” and “admin.”

• Encrypting transmission of cardholder data across public networks, so that any intercepted data cannot be interpreted.

• Using and regularly updating antivirus software or programs to minimize the risk that malicious software that can extract card data (like keyloggers that record each keystroke) will be installed on servers and other vulnerable systems.

Visa guidance

While full compliance
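To make the first and third items in that list concrete, here is a small self-check a franchise operator or its integrator could run before an assessment. It is an added illustration written for this article, not code from the article, from Visa, or from the PCI Security Standards Council. It models a firewall as an ordered rule list with a default policy and compares a weak configuration (default allow, one blocked port) against a hardened one (deny by default, with narrow allow rules), then scans a constructed device inventory for vendor-default passwords. The rule format, the networks, the device names, and the list of default passwords are all constructed for the example; a real check would use your own rule base and the vendor's documented defaults.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed list of easily guessed vendor defaults (illustrative only; the
# real list should come from each vendor's documentation for your devices).
VENDOR_DEFAULT_PASSWORDS = {"1234", "admin", "password", "default"}


@dataclass
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network in CIDR notation
    dst_port: Optional[int]  # None means any destination port


@dataclass
class Firewall:
    default_policy: str    # what happens when no rule matches
    rules: List[Rule] = field(default_factory=list)

    def decide(self, src_ip: str, dst_port: int) -> str:
        """First matching rule wins; otherwise the default policy applies."""
        ip = ipaddress.ip_address(src_ip)
        for rule in self.rules:
            in_net = ip in ipaddress.ip_network(rule.src)
            port_ok = rule.dst_port is None or rule.dst_port == dst_port
            if in_net and port_ok:
                return rule.action
        return self.default_policy


def untrusted_traffic_allowed(fw: Firewall,
                              probes: List[Tuple[str, int]]) -> List[Tuple[str, int]]:
    """Return every (source, port) probe from an untrusted host that gets through.
    A PCI-style deny-by-default firewall should return an empty list here."""
    return [(src, port) for src, port in probes if fw.decide(src, port) == "allow"]


def weak_credentials(devices: List[dict]) -> List[str]:
    """Names of devices still using a vendor-default password."""
    return [d["name"] for d in devices
            if d["password"].lower() in VENDOR_DEFAULT_PASSWORDS]


# --- Constructed sample data -------------------------------------------------

# Weak: everything is allowed unless explicitly blocked; only telnet is blocked.
WEAK_FIREWALL = Firewall(default_policy="allow",
                         rules=[Rule("deny", "0.0.0.0/0", 23)])

# Hardened: deny by default; allow only the internal network (constructed
# 10.0.0.0/8) and the corporate remote-management subnet (constructed
# 203.0.113.0/24) on the remote-management port (constructed 5900).
HARDENED_FIREWALL = Firewall(default_policy="deny",
                             rules=[Rule("allow", "10.0.0.0/8", None),
                                    Rule("allow", "203.0.113.0/24", 5900)])

# Constructed probes from an untrusted Internet host against typical
# remote-management and remote-desktop ports.
UNTRUSTED_PROBES = [("198.51.100.7", 5900),
                    ("198.51.100.7", 3389),
                    ("198.51.100.7", 23)]

# Constructed inventory of a franchise site's devices.
DEVICES = [{"name": "pos-register-1", "password": "admin"},
           {"name": "edge-firewall", "password": "Tq9!vL2#pX8wRz"}]


def run_checks() -> dict:
    """Summarise both checks for a site; used by the usage example below."""
    return {
        "weak_fw_leaks": untrusted_traffic_allowed(WEAK_FIREWALL, UNTRUSTED_PROBES),
        "hardened_fw_leaks": untrusted_traffic_allowed(HARDENED_FIREWALL, UNTRUSTED_PROBES),
        "default_password_devices": weak_credentials(DEVICES),
    }


if __name__ == "__main__":
    for name, finding in run_checks().items():
        print(f"{name}: {finding}")
```

Running the block shows the weak firewall letting the untrusted host reach the remote-management and remote-desktop ports, the hardened firewall dropping all three probes while still admitting the corporate subnet, and the POS register flagged for its "admin" password. The point of the deny-by-default structure is that a forgotten service is closed rather than open: the operator has to list what is permitted, instead of trying to enumerate everything that should be blocked.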