We have covered this before, but every now and again I run into a new slant on who bears responsibility for online transaction safety. Bank? Individual? If both, where do the responsibilities begin and end?
Over the last year a few friends, ejected from longtime professions due to the current economic depression, have started online businesses. A couple of these individuals did not even know what HTML was last year – but now they are building web sites, starting blogs and … taking credit cards online. It came as a surprise to several of these folks when their payment processors fined them, or disrupted service entirely because they had failed a remote security audit.
It seems that the web site itself passed its audit with a handful of cautionary notices that the auditor recommended they address. What failed was the management terminal – their home computer, used to dial into the account, had several severe issues. What made my friend aware that there was a problem at all were the extra charges on his bill for, in essence, having crappy security. What a novel idea to raise awareness and motivate merchants! I applaud providing the resources to the merchants to help secure their environments. I also worry that this is a method for payment processors to “pass the buck” and lower their own security obligations. That’s probably because I am a cynic by nature, which is why I ended up in security, but that’s a different story.
Not having started a small business that takes credit cards online, I was ignorant of many measures payment processors are taking to raise the bar for security on end-user systems. They are sending out guidance on the basic security measures, conducting assessments, providing results, and suggesting additional security measures. In fact, the list of suggested security improvements that the processor – or the processor’s service provider – sent looks a lot like what is covered in a PCI self-assessment questionnaire: firewall rules, use of admin accounts, egress filtering, and so on. I thought this was pretty cool! But on the other side of the equation, all the credit card billing is happening on the web site, without the merchants themselves ever collecting credit card numbers. Good idea? Overkill?
These precautions are absolutely overwhelming for most people, especially for one-person shops like the ones my friends operate. They have absolutely no idea what a TCP reset is, or why they failed the test for it. They have never heard of egress filtering. But they are looking into home office security measures just like large retail merchants. Part of me thinks they need to have this basic understanding if they are going to conduct commerce online. Another part of me thinks they are being set up for failure.
I spent about 40 minutes on the phone today, giving one friend some guidance. My first piece of advice was to get a virtual environment set up and make sure he used it for banking and banking only. Then I focused on how to pass the audit. My goals in this conversation were:
- Not to overwhelm him with technical jargon and concepts that he simply did not, and would not, understand.
- Get him to pass the next audit with minimum effort on his part, and without having to buy any new hardware or software.
- Call his ISP, bank, and payment processor and wring out of them any tools and assistance they could provide.
- Turn on the basic Windows firewall and basic router security.
Honestly, the second item was the most important. Despite this person being really smart, I did not have any faith that he could set things up correctly – certainly not the first time, and perhaps not ever. So I, like many, just got him to where he could “check the box”. I just advised someone to do the minimum to pass a pseudo-PCI audit. *Sigh.* I’ll be performing penance for the rest of the week.
4 Replies to “Home Business Payment Security”
@Ben – It was a straight plug-in for the web site. But as I understand it, merchant account management is under the purview of their scan as well. That is one aspect that surprised me. One story I heard consistently was that customers will just call, or email a credit card number to the merchant with a note about what they want, and not check out on the web site. The merchant ends up with CC#s, so they run the transaction. I guess refunds would be another need for the small merchant as well, so this kinda makes sense.
@Mike – They may not be able to justify the cost, but hey, they make the rules.
@Zac – Thanks for the advice. Email me if you have specific providers you like.
I’m looking at doing a [side] business that will take online purchases. So, instead of doing the payment processing myself I am looking at using the “business” features of the web hosting service… at least until it proves it’s worth doing it myself.
It is a lot cheaper (not to mention easier) for a start-up like your friends to use such a service – they don’t have to hold any of the data that needs protecting, or process it. And the fee structure offered by most of the web hosting services is reasonable.
Also, the web hosting service provider usually offers a wide variety of payment methods to present to customers… more than a one-man/small business can conveniently set up themselves.
Not clear to me why a payment processor could justify higher fees because of weak security on a device used to access the application. That sounds like gouging to me. To be honest, I haven’t looked at the T&C of my processor (for http://pragmaticcso.com) since I signed up for the merchant account over 3 years ago. This may be common practice.
Is it overkill? Maybe. But the reality is if the bad guys get the login credentials to a merchant account, it’s game over. They then have a quick mechanism to process money by using stolen credit cards and changing the bank account target for settlement. So if there is a key logger or some other Trojan on the device, that’s problematic. Are firewall rules and egress filtering realistic defenses? It can’t hurt, I guess.
Though Adrian, you will be burning in hell fires for just helping your buds pass the “audit.” 😉
What I have to wonder is, why oh why did these people decide to set up a payment terminal at home instead of using the straightforward web site plugins or redirects?
One thing I’ve noted this year is the increased push for Level 3 & 4 merchants to “get secure.” I’ve spoken to at least a couple in the last month who were freaked out as the deadlines approached (or passed) for “full compliance.” Asking a small business like you’ve described to somehow achieve full PCI compliance is completely unreasonable unless you can remove all that data from their environment.