Merchants and payment vendors who never bother to change the default password in sensitive systems are getting fresh attention from the Payment Card Industry Security Standards Council.

The council, which maintains the PCI data security standards, officially released version 3.0 of its data security standards last week, concluding the organization’s current three-year cycle for revising standards.

The new standards take effect next year. (Related article on page 25.)

But how do the new standards differ from the old?

The newly released standards stress a stronger focus on education, awareness and security as a shared responsibility for each organization, says Bob Russo, PCI council general manager.

The rules have undergone only minor changes from previous versions, Russo tells ISO&Agent Weekly.

“As luck would have it, not many tweaks were needed,” Russo says.

The latest version provides specific recommendations of best practices for complying with PCI, and it provides enhanced testing to clarify compliance validation.

But opening the door to fraud because of merchants’ disregard for system passwords remains a widespread industry problem, according to Troy Leach, who serves as the council’s chief technology officer.

“If we can eradicate default passwords, we would eliminate a lot of fraud,” Leach maintains.

The PCI standards emphasize targeted training for anyone responsible for hardware and software system components in which default passwords are used, Leach says.

It remains all too easy for hackers to gain entry to payments systems, knowing that most default passwords are generally a sequence of numbers as simple as 1-2-3-4-5-6, says Chris Bucolo, senior manager of security consulting services for ControlScan.

With that password and other simple combinations of letters and numbers, fraudsters have changed settings on ATMs to trick the machines into behaving as though they were stocked with $1 bills instead of $20 bills.

As a result, ATMs dispensed 20 times as much cash as they were supposed to for each withdrawal.

In a 2007 incident, fraudsters used that tactic to withdraw $1,540 in two visits to a compromised ATM before they were detected.

“The challenge for PCI is, why aren’t people getting the word about the dangers of default passwords?” Bucolo tells ISO&Agent Weekly. “People think fraud can’t happen to them, but they don’t understand how technology works and how fraudsters get in.”

The council also focuses on physical attacks in its standards, addressing what many consider a growing problem, Bucolo says.

Many high-profile breaches occur because criminals place skimmers or scanners on equipment, he says.

PCI recommends that by July 2015, merchants and payments vendors set up systems to provide more scrutiny of work environments that use equipment for cardholder data activity, Bucolo says.

“The physical aspects are big because criminals will infiltrate a business and wait for three months to strike,” Bucolo says. “Inside fraud is definitely on the rise.”

In the future, PCI will likely focus on minimizing fraud attacks that come through Web applications, Bucolo says. It will also provide education on what PCI scope entails, he says.

Too many companies feel that if they are not storing card data on their systems, then they are clear of PCI compliance concerns. In reality, systems may still be in PCI scope if they process and transport data, Bucolo says.

Fraudsters will attack those applications, he says. “All it takes is one hole or one gap in the system for a problem to occur,” Bucolo notes.

Sometimes a merchant or vendor assumes that cardholder data is stored separately from non-payment customer data such as e-mail addresses or shipping addresses, PCI’s Leach says. Unfortunately, that is not always the case.

“One of the new standards calls for tests to verify that the card environment is indeed segmented from the rest of the network,” Leach says.

The new standards take effect in January, but merchants have an entire year to implement them.

“Don’t wait if you don’t have to,” Russo advises ISOs, agents and their merchants. “But there is quite a bit of time, especially to look at the best practices, back your way into it and get feedback.”
