This is my first post as part of a class in Information Security at Bellevue University. I am taking this class as one requirement of a Master of Science degree in Management Information Systems. I have over 27 years of experience in information technology, and security issues have been a constant concern during this time. As the information technology industry has expanded, and especially with the explosive growth of the internet, security issues have increased on an exponential scale. This is of special concern in my professional life, as I work in the electronic payments industry. For many years electronic payments were hosted on private networks that were tightly controlled with a limited number of known users. Security breaches were generally of the "inside job" category, where someone who had access to these payment processing systems for a valid reason took advantage of this and used that access for nefarious purposes. More recently, devices within a network used for payment processing have been compromised to allow illegal access to payment information, creating potential losses due to fraudulent activity, not to mention actual losses as companies have had to reissue new payment methods to protect their customers. Electronic payment processors and entities that accept electronic payments have a number of compliance standards that they are required to meet in order to continue operations. An example would be the standards defined by the Payment Card Industry (PCI). However, compliance with these standards is not enough to ensure that payment transactions are secure. Additional steps must be taken to keep these networks safe, along with constant vigilance by the responsible security administrators in identifying new threats and protecting against them. My goal for this blog is to review online information security resources each week during the 12 week class term and report on security topics related to the electronic payments industry.
My first find this week is from the SANS Internet Storm Center. As has been mentioned in the media, many point of sale (POS) terminals are PCs that still run Windows XP. This operating system is no longer supported by Microsoft, and no further security updates are being created for it. The article titled "Point of Sale Terminal Protection - Fortress PCI at the Mall" covers a number of configuration and physical security measures that should be taken while these older devices, and this operating system, continue to be used. Suggestions include restricting access to the POS application, turning off USB ports, using network protections to limit where the PC can connect (IP restrictions), endpoint protection using third-party applications, and of course password security. While some of these require an expenditure to implement, password protection and the creation of identifiable users is something basic that should be enforced at every POS terminal. Creating accountability is a huge step in providing information security.
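The configuration measures listed above, as an added example that is not from the SANS article or from this post: a batch script that applies several of them on a Windows XP SP3 POS terminal using only built-in tools. The program path, store subnet and password policy values are assumptions; note that the XP firewall filters only inbound traffic, so limiting where the terminal can connect out still has to be enforced on the network (router or switch ACLs).

```batch
@echo off
REM Constructed hardening script for a Windows XP SP3 POS terminal.
REM Paths, addresses and policy numbers below are assumed values; adjust per site.
REM Run from an administrative command prompt and test on one terminal first.

REM 1. Turn off USB mass storage: setting the USBSTOR driver to Start=4 (disabled)
REM    stops removable drives from mounting, even though the ports remain powered.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR" /v Start /t REG_DWORD /d 4 /f

REM 2. Enable the built-in firewall and remove the default inbound service exceptions.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE
netsh firewall set service type=FILEANDPRINT mode=DISABLE
netsh firewall set service type=REMOTEDESKTOP mode=DISABLE
netsh firewall set service type=REMOTEADMIN mode=DISABLE
netsh firewall set service type=UPNP mode=DISABLE

REM 3. IP restriction: the POS application (assumed path) may accept inbound
REM    connections only from the store LAN (assumed 192.168.10.0/24).
netsh firewall add allowedprogram program="C:\POS\posapp.exe" name="POS application" mode=ENABLE scope=CUSTOM addresses=192.168.10.0/255.255.255.0

REM 4. Password security: minimum length, maximum age, and lockout after
REM    repeated failures (thresholds are assumed values).
net accounts /minpwlen:8 /maxpwage:90 /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

REM 5. Accountability: disable the shared Guest account so every login maps to
REM    a named cashier account created separately by the administrator.
net user Guest /active:no
```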