The "Internet of Things" has changed every business.
The rapid growth and infusion of the Internet of Things (IoT) in everyday life has correspondingly seeped into the workings of everyday business.
Security cameras, energy management systems, digital menu boards, kiosks, LED light bulbs, thermostats, medical devices, etc., are examples of Internet-connected components that, when connected to a business network, become points of vulnerability (PoVs) and therefore must be securely managed.
Multiple locations multiply these potential points of failure, not only by the number of sites but by the connections between them. The more sites you have, the more PoVs you have; yet it takes only one breached site to affect the entire organization and its brand.
Businesses are not investing in managed security services.
Most small to medium-sized businesses do not employ an IT network security expert, nor have they allocated time to learn and maintain compliance. SMBs have a business to run! As a result, these business owners typically rely on the vendors who installed their system and network components; and that, my friend, is the crux of the problem.
If I heard it once, I heard it a thousand times: “My vendor told me the product(s) they sold me are PA-DSS compliant, and now you’re telling me I am not PCI compliant or secure! Am I confused?” This is where the term “PCI-DSS compliant,” as vendors use it, becomes a misnomer. Most business owners assume that if the IoT devices on their network are PA-DSS certified or approved, then their business meets PCI compliance standards.
PA-DSS ≠ PCI-DSS
Vendors of POS systems, firewalls, payment terminals, payment applications, DSL, cable, security and the like will state that the PCI Security Standards Council has approved their product. You can validate your vendors’ certification by visiting the Council’s Approved Companies and Providers page. But beware: a standalone product or IoT device may be approved and certified, yet once it is integrated into or added to an existing system or enterprise network, that certification does not mean your business meets PCI-DSS compliance or that your business is secure.
Merchants often assume the technology product vendors are the experts. I recently overheard a conversation between a POS vendor and one of their clients where the merchant’s side went something like this:
You sold me a PA-DSS compliant POS; you are the expert and will handle all my issues. As a customer/merchant, I want to be protected, but I also want total access to the Internet. I want to have easy access to my email, but I don’t want anyone else to have it. I want to use it anytime, anywhere from any device, but please don’t ask me to remember a gazillion different numbers, or change passwords, or make it harder to use, or make me or my managers change our behavior or processes. And by the way, I like value. I’m willing to make trade-offs, but it needs to be obvious that it’s worth it.
IoTs ∴ PoVs
The majority of companies’ sales forces are trained to sell their products, and they will say anything to get the sale. How many times have you received a call from a credit card processor stating, “We can lower your rates; just send me a copy of your last two statements, and if you sign up with us we will also include a new credit card terminal that is PCI approved. No installation required, just plug it into your network”?
Then there’s the security camera company that wants to sell you the latest security system that will allow you to monitor your business remotely: “The system is PCI approved, so all you need to do is plug our system into your DSL network and you’re up and running.”
Most third-party companies that provide products supporting the Payment Card Industry are like the merchants: they truly don’t understand the complexities of security compliance, or the ongoing administration and support needed to keep your business secure and your customers protected. The United States is a massively diverse payment ecosystem unlike any other. Nothing here can be done with a “one-size-fits-all” approach. If we try, an opportunity arises for something to fill the gaps, whether it’s an innovator with a new idea or a hacker trying to break into the system through the hole that isn’t protected.
Within 5 years, 90% of electronic devices, appliances, vehicles, etc., will be connected to the Internet. Every one of these IoTs in your home or business will be a PoV. So, if there is one takeaway from this post, it is that with IoTs come PoVs.
It’s sad and confusing. But I’d like to hope that there are some lessons we take away from this that aren’t all about selling a product or solution. Plato’s phrase “Necessity is the mother of invention” seems somehow appropriate for the situation, because while this has been a difficult experience for many merchants, there are Managed Networked Security Service Providers that have taken the opportunity to once again differentiate themselves and demonstrate that they can rise above the chaos and confusion to do what they do best: provide the highest level of technical and operational support.