Townsend Security Data Privacy Blog

3 Ways An Encryption Key Management Partner Will Make Your Life Easier

Posted by Liz Townsend on Jul 5, 2013 7:30:00 AM

If your company is an ISV, VAR, or OEM providing software or hardware to businesses who must meet data security compliance regulations (PCI, HIPAA/HITECH, GLBA/FFIEC, etc.), finding the right technology partners to offer your customers the best security available can be a difficult task.


Technology partnerships have a reputation for being difficult and risky. Legal agreements, licensing models, and product performance are just a few examples of serious barriers. Unfortunately in today’s technology climate, there are many examples of technology partnerships that have reinforced this reputation.

When it comes to protecting sensitive information and meeting security compliance regulations, we don’t believe anything should get in the way of offering your customers the best data security tools available. Townsend Security helps businesses of all sizes protect sensitive data with powerful encryption and encryption key management that not only helps companies meet compliance requirements, but will protect them in the event of a data breach.

Here’s how Townsend Security makes partnering with a technology company easier than ever:

  1. Reduced Complexity to Lower Costs - Your technology partner’s product shouldn’t be so complicated that it takes outside consultants, drawn-out projects, and extra time and money to implement. In our eyes, a good partner works hard to make sure their product integrates seamlessly into your existing technology infrastructure. Townsend Security is able to accomplish this quickly and at a lower cost by having the capacity and functionality to specialize our solutions to meet our partners’ needs. We also ease the burden of implementation by providing our customers with a simple and cost-effective licensing model.
  2. Provide Powerful Products - With the staggering number of data breaches that happen every month, there is no excuse for using sub-standard encryption to protect sensitive data. Many companies try to cut corners or meet the minimum standard by using “home-grown” encryption and key management or cheap solutions that don’t adequately protect data. However, when businesses use these solutions, many end up having to re-do their encryption and key management projects in order to comply with data security regulations (which are always becoming more stringent), or even worse, they experience a data breach and realize they can no longer skate by with weak data security. Townsend Security offers powerful, NIST-certified encryption and FIPS 140-2 encryption key management for all legacy platforms and the cloud to help you exceed standards and prevent data loss.
  3. Excellent Back End Support - When it comes to back end support, the people you deal with on a day-to-day basis can make or break a partnership. Townsend Security works closely with our partners to ensure their success. We provide our partners with training, marketing materials, OEM options, as well as easy and cost-effective licensing models to get our powerful solutions protecting your customers as soon as possible.

At the end of the day, the technology partner you choose should leverage your existing solutions by making them more powerful. It’s easy to secure data poorly, and it can be difficult to do it well, but Townsend Security has developed and scaled our encryption and encryption key management to eliminate the pains and obstacles of doing data security the right way.


Topics: Data Privacy, Encryption Key Management, partners, OEM

Three IBM i (AS400) Security Tips You Need to Know

Posted by Liz Townsend on Jul 3, 2013 9:35:00 AM

Over the past two years, IBM i 7.1 (V7R1) has come to be known as a powerful, reliable, and highly scalable platform for businesses. IBM i V7R1 supports total integration and virtualization, with new encryption capabilities that appeal to many companies who must comply with data security regulations such as PCI and GLBA/FFIEC. This new exit-point feature, called field procedures (FIELDPROC), lets businesses encrypt sensitive data at the column level without any application changes, helping them meet compliance regulations and protect data from hackers.

This is great news since data breaches have become painfully common. Despite the staggering number of data breaches that happen every month, a new study has shown that nearly 70% of data breaches could have been avoided had the proper security measures been implemented.

Patrick Botz of Botz and Associates recently joined our founder and CEO, Patrick Townsend, in an interactive webinar that focused on security tips both he and Patrick recommend. Patrick Botz is an expert on data security and data breach prevention. He held the position of lead security architect at IBM and was the founder of the IBM Lab Services security consulting team.

Here are the top three security tips for users securing sensitive data in IBM i V7R1 and meeting data security regulations according to Patrick Botz and Patrick Townsend:

1. Use Encryption & Encryption Key Management Best Practices - Encryption is the tool that protects your data. If you do your encryption poorly, there’s really no point in doing it at all.  In order to do encryption well you must follow best practices for encrypting data and managing the encryption keys. These best practices include: using AES encryption certified by the National Institute of Standards and Technology (NIST) and key management certified under the FIPS 140-2 standard; and using key management that utilizes controls such as separation of duties and dual control. Your encryption is only as good as your key management. If you follow best practices for encryption and encryption key management, you are also more likely to avoid having to report a data breach and deal with the severe costs.

2. Use Password Best Practices - Password management is often the downfall of companies that suffer a data breach, especially one that happens internally or by mistake. Patrick Botz specializes in password management and has enabled IBM i users to manage their passwords more securely with his Single Sign-On (SSO) service, SSO Stat! Built on the Kerberos authentication protocol, SSO works with both Windows and IBM i domains to streamline password use in a secured environment.

3. Monitor Your IBM i with System Logging - Receiving system logs in real time and feeding them to a SIEM solution is a crucial step toward good data security: it helps a database administrator prevent a system breach or catch one as soon as it happens. System logging is also a critical part of meeting most compliance regulations. One challenge around system logging on the IBM i, however, is that the security audit journal, QAUDJRN, is in a proprietary IBM format. For these logs to be centralized and correlated with other logs in your server environment, they must be translated into a usable format. File integrity monitoring (FIM) is also important for catching configuration changes. Townsend Security’s Alliance LogAgent provides file integrity monitoring and translates all of your logs into a single usable format that can be read by your SIEM provider.

Encryption, encryption key management, password management, Secure System Logging and File Integrity Monitoring are all absolute necessities for a business to safely store their data, and avoid legal complications due to negligence.

Please check out our resources tab to find out more information. You can find us on Facebook, Twitter and LinkedIn as well as our website, www.townsendsecurity.com. Start better security today!


Topics: Patrick Botz, IBM i

Data Gets Out. Encrypt It!

Posted by Michelle Larson on Jul 1, 2013 7:43:00 AM

What exactly is data security and encryption & key management, and why care about it? 

Interesting conversation this morning as I walked from the parking lot to my office building.  Another person from one of the eight companies that occupy this building and I walked in together and chatted... first it was just “looks like the weather is getting better”... then it moved to “what floor are you on?  what company?” and when I told her ‘Townsend Security’, she said “oh, I’ve always wondered what you folks do”...


As the newest staff member, I wasn’t sure I had perfected my 30 second elevator pitch, but I told her that we were a data encryption company and design the software (and provide hardware) that almost everyone needs to protect themselves from a data breach. At first her response was “oh, we don’t need that, we have a guy that takes care of our computers”. Then we talked about how high the statistics are for people who would experience a data breach ("In 2010, if you received a data breach notification, your odds of being a fraud victim were one in nine. Last year, that jumped to one in four."), and after asking if they had a database and if they kept any records that held personally identifiable information (PII) or credit cards, it quickly became “I think we need that!”.

It reminded me that when I started working here, I wasn’t fully aware of many of the reasons or regulations that make data encryption so important.  I’m not sure I will ever have a complete technical understanding of all the nuances, but I’m working on it... Luckily I work with incredibly brilliant people who daily do all of the hard programming work and are very passionate about encryption.

I am lucky enough to be working with a company that I believe in, doing work that I know is important and can really make a difference in people’s lives. One of the main reasons I love this job... all the wonderful people that I work with, people so passionate about data security and the positive impact we can have on other people’s lives!


The founder, Patrick Townsend, impressed me so much at our last staff meeting when he reminded everyone to really think about why we are here, why we do what we do. “It isn’t about selling a product. It isn’t about the bottom line. It is about protecting people from the devastation that a data breach can have on their individual lives. It is about making sure we help companies protect their customers and clients. It is about stopping the bad guys from wreaking havoc by making it impossible for them to get what they are after. That is why we are here, remember that”.

Think about what your company does with the data you collect.  Is it encrypted and secure when it is “data at rest” (just sitting on your server)? How about when it is “data in motion” (being transferred to someone else)?  Look into what is happening with your information, and if you depend on someone else to take care of it, make sure they are doing it right.

Data gets out. Period. Either by accident or by design (someone hacking into your information). Make sure that when it does get out (and unfortunately it is “when”, not “if”) that it can’t be read.  You can make that data useless by encrypting it.   Remember to keep the encryption key stored in a different location than the data (encryption key management 101) because you wouldn’t lock up your house and then tape the key to the front door or leave it under the welcome mat!...  Would you?

If you aren’t sure what encryption or key management is all about, we have a wonderful resource section on our website, and I’ve gathered a collection of some great key management resources right here.


Check out the information we have on data security and encryption key management and then contact us with questions, we are here to help!

Topics: Encryption, Key Management, Best Practices, Encryption Key Management, Business Risk

PCI Encryption - Three Things to Know & Three Things to Protect

Posted by Michelle Larson on Jun 28, 2013 1:47:00 PM

What Standards for PCI Encryption You Need To Know and Why They Matter

Payment Card Industry Data Security Standards (PCI-DSS) require you to encrypt credit card account numbers stored in your database and to ensure that data stays secure when it is transferred outside your company.

To understand these PCI encryption requirements, we should first know the source of industry best practices for encryption key management. Here in the US, the National Institute of Standards and Technology (NIST) is the most common source for guidance on best practices. NIST Special Publication SP 800-57 provides specific guidance both on best practices for procedurally managing encryption keys and on what to look for in key management systems. In these documents you will find the genesis of most standards regarding encryption key management, including the following concepts in PCI DSS 2.0 Section 3. Next, it is important to understand the security best-practice concepts of Dual Control, Separation of Duties, and Split Knowledge. I’ll simplify them here from the point of view of encryption key management:

  1. Dual Control means that no one person alone should be able to manage your encryption keys. Creating, distributing, and defining access controls should require at least two individuals working together to accomplish the task.

  2. Separation of Duties means that different people should control different aspects of your data protection strategy. This is the old adage “don’t put all your eggs in one basket”. The person who creates and manages the keys should not have access to the data they protect, and the person with access to protected data should not be able to manage encryption keys.

  3. Split Knowledge applies to the manual generation of encryption keys, or to any point where encryption keys are available in the clear. More than one person should be required to constitute or re-constitute a key in this situation.
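Split knowledge and dual control as an added Go example (not Townsend Security's code and not taken from the PCI or NIST documents): the key is split into XOR components held by separate custodians, and a ceremony type refuses to reconstitute it until every custodian has authenticated. Custodian names, passphrases and the SHA-256 passphrase check are constructed stand-ins for a real key manager's authentication.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// SplitKey turns a clear key into n components that must all be XORed
// together to recover it. Any n-1 components are uniformly random, so no
// single custodian's component reveals anything about the key.
func SplitKey(key []byte, n int) ([][]byte, error) {
	if n < 2 {
		return nil, errors.New("split knowledge requires at least two custodians")
	}
	components := make([][]byte, n)
	last := append([]byte{}, key...) // XORed with every random part; becomes the final component
	for i := 0; i < n-1; i++ {
		c := make([]byte, len(key))
		if _, err := rand.Read(c); err != nil {
			return nil, err
		}
		components[i] = c
		for j := range last {
			last[j] ^= c[j]
		}
	}
	components[n-1] = last
	return components, nil
}

// CombineKey reconstitutes the key by XORing every component together.
func CombineKey(components [][]byte) ([]byte, error) {
	if len(components) == 0 {
		return nil, errors.New("no components supplied")
	}
	key := make([]byte, len(components[0]))
	for _, c := range components {
		if len(c) != len(key) {
			return nil, errors.New("component length mismatch")
		}
		for j := range key {
			key[j] ^= c[j]
		}
	}
	return key, nil
}

// Ceremony enforces dual control: each custodian must authenticate before
// their component is accepted, and nothing is reconstituted short of quorum.
type Ceremony struct {
	passHash  map[string][32]byte // custodian name -> hash of their passphrase
	presented map[string][]byte   // components released so far
}

// NewCeremony registers custodians; the hashed passphrase is a constructed stand-in for real key-manager authentication.
func NewCeremony(custodianPass map[string]string) *Ceremony {
	c := &Ceremony{passHash: map[string][32]byte{}, presented: map[string][]byte{}}
	for name, pw := range custodianPass {
		c.passHash[name] = sha256.Sum256([]byte(pw))
	}
	return c
}

// Present lets one custodian authenticate and hand over the component they hold.
func (c *Ceremony) Present(name, passphrase string, component []byte) error {
	h := sha256.Sum256([]byte(passphrase))
	want, ok := c.passHash[name]
	if !ok || subtle.ConstantTimeCompare(h[:], want[:]) != 1 {
		return fmt.Errorf("custodian %q: authentication failed", name)
	}
	c.presented[name] = component
	return nil
}

// Reconstitute refuses to proceed until every registered custodian has presented.
func (c *Ceremony) Reconstitute() ([]byte, error) {
	if len(c.presented) < len(c.passHash) {
		return nil, fmt.Errorf("dual control: only %d of %d custodians present", len(c.presented), len(c.passHash))
	}
	var parts [][]byte
	for _, p := range c.presented {
		parts = append(parts, p)
	}
	return CombineKey(parts)
}

func main() {
	key := []byte("constructed-32-byte-demo-key-00!") // demo only; a real key comes from the key manager
	parts, _ := SplitKey(key, 2)                    // alice keeps parts[0], bob keeps parts[1]
	cer := NewCeremony(map[string]string{"alice": "pw-a", "bob": "pw-b"})
	fmt.Println(cer.Present("alice", "pw-a", parts[0]))
	_, err := cer.Reconstitute() // refused: bob has not authenticated yet
	fmt.Println(err, cer.Present("bob", "pw-b", parts[1]))
	rebuilt, _ := cer.Reconstitute()
	fmt.Println(string(rebuilt) == string(key))
}
```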

In order to meet standards for PCI encryption, you need to make sure you protect these three things properly:

  1. Protect your data at rest with AES Encryption
    The Advanced Encryption Standard (AES) has been adopted as a format standard (FIPS 197) by the US government and by many state and local agencies for encrypting data in a database. AES is the recommended encryption method for PCI-DSS, HIPAA/HITECH, GLBA/FFIEC and individual state privacy regulations. Encryption methods approved and certified by the National Institute of Standards and Technology (NIST) provide assurance that your data is secured to the highest standards.

  2. Protect your data in motion with PGP Encryption
    PGP encryption is the standard when it comes to encrypting files that need to be transferred. Pretty Good Privacy (PGP) is the standard for encrypted file exchange among the world’s largest retail, finance, medical, industrial, and services companies. Also know that when encrypting a file with PGP, you may be using AES encryption. Transmit sensitive files over the internet using trusted encryption technologies (AES, SSH, SSL, and PGP). These encryption solutions work together to ensure that all your sensitive data is secure even after the transmission is complete: AES protects data at rest within your organization, and PGP keeps it secure when it is sent outside your company.

  3. Protect your encryption keys and your data by keeping them apart!
    Leaving your encrypted data and keys in the same place is like leaving the key to your house under your welcome mat. Security best practices require that you store encryption keys separately from your encrypted data and manage them with an encryption key manager. In regard to the cloud, the PCI SSC recently offered this guidance:
    In a public cloud environment, one Customer’s data is typically stored with data belonging to multiple other Customers. This makes a public cloud an attractive target for attackers, as the potential gain may be greater than that to be attained from attacking a number of organizations individually. Strong data-level encryption should be enforced on all sensitive or potentially sensitive data stored in a public cloud. Because compromise of a Provider could result in unauthorized access to multiple data stores, it is recommended that cryptographic keys used to encrypt/decrypt sensitive data be stored and managed independently from the cloud service where the data is located.

The most important part of a data encryption strategy is the protection of the encryption keys you use. Encryption keys safeguard your encrypted data and represent the keys to the kingdom. If someone has access to your keys, they have access to your encrypted data.

Download the whitepaper “Meet the Challenges of PCI Compliance” and learn more about protecting sensitive data to meet PCI compliance requirements.


At Townsend Security, we ensure our customers’ data is secured to the highest level for compliance. Our AES encryption solutions are NIST validated and our encryption key management solutions are FIPS 140-2 certified. Our HSM appliances integrate seamlessly with Windows, Linux, UNIX, IBM Power Systems and Microsoft SQL Server 2008/2012 (Enterprise Edition), and can also work with earlier and non-Enterprise editions of SQL Server.

As always, if you have comments or questions about PCI encryption, please list them here

Topics: Encryption, Separation of Duties, PCI Encryption, Split Knowledge, PCI DSS, PCI, Dual Control

PGP Encryption 101: Should I Give My Trading Partner My Private Key?

Posted by Jared Mallory on Jun 20, 2013 4:48:00 PM

In the world of PGP encryption, we often hear from users who tell us, “My trading partner says they need my private key for encryption. Is it ok to send it to them?” The simple answer to this question is no. Your private key is aptly named “private” because it should never be shared with others. The key intended for distribution is also aptly named as the “public” key.


The longer and more technical explanation of why you shouldn’t give out your private key is a little more confusing.

The PGP process requires that encryption be performed with the public key your trading partner gives you, if you are going to send encrypted data to them. You cannot encrypt the data with a private key. If your partner requires that the file be signed as part of the process, then you will use your private key to create the signature. In order to verify that signature, your trading partner needs the public key that matches your private key. You should never give them your private key.

On the other hand, if someone wishes to send encrypted data to you, you must provide them with your public key so they can encrypt files for you. Your system should automatically recognize the key that was used to encrypt the file and select the appropriate private key for the decryption process. You only need to provide the passphrase for that key to prove you are authorized to access the unencrypted data.

Here’s an example: XYZ Productions uses the services of ABC Personnel Services for payroll management. Each month XYZ sends payroll files to ABC for processing. Due to the confidential nature of the information in the file, XYZ and ABC have agreed to use PGP encryption to protect the data. Both companies export their public keys and send them to one another. As the originator of the file, XYZ uses the ABC public key to encrypt the file before sending it. By doing so, the file can only be decrypted by the holder of the matching private key. XYZ then uses its own private key to sign the file as a means of verifying the origin of the encrypted file. When the file is received by ABC, they validate the signature with the XYZ public key they have been given, then use their own private key to decrypt the file for processing.

The confidential data in the example is protected because the encrypted files can only be read using the private key, which has never left the trust of the party that generated it.

Remember, when exporting a key to send to a customer, the key type tells you whether it should be shared. Public keys are for sharing, whereas a private key should always be kept close to home.
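The XYZ/ABC exchange above, as an added Go example that is not part of the original post: each party signs with its own private key, encrypts for the partner's public key, and exports only the public halves. Like PGP it is hybrid, wrapping a one-time AES-GCM session key under RSA-OAEP; the ed25519 signing key, the Party and Envelope types and the payroll record are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Party is one trading partner. Both private keys stay with their owner; only PublicKeys is exported.
type Party struct {
	Name    string
	encPriv *rsa.PrivateKey    // unwraps session keys of files sent to this party
	sigPriv ed25519.PrivateKey // signs files this party originates
}

// PublicKeys is the only key material a party hands to a partner.
type PublicKeys struct {
	Enc *rsa.PublicKey
	Sig ed25519.PublicKey
}

// Envelope is the packaged file: signature plus plaintext under a one-time AES key, wrapped to the recipient's RSA key.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

func NewParty(name string) (*Party, error) {
	encPriv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	_, sigPriv, _ := ed25519.GenerateKey(rand.Reader) // same RNG as above; crypto/rand never fails (Go 1.24+)
	return &Party{Name: name, encPriv: encPriv, sigPriv: sigPriv}, nil
}

// Export is what gets sent to the trading partner: public keys only.
func (p *Party) Export() PublicKeys {
	return PublicKeys{Enc: &p.encPriv.PublicKey, Sig: p.sigPriv.Public().(ed25519.PublicKey)}
}

// aesGCM builds the AEAD for a 32-byte session key; callers check the length first.
func aesGCM(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// SignAndEncrypt follows the post's flow: sign with the sender's own private
// key, then encrypt so that only the recipient's private key can open it.
func (p *Party) SignAndEncrypt(recipient PublicKeys, plaintext []byte) (*Envelope, error) {
	sig := ed25519.Sign(p.sigPriv, plaintext)
	sessionKey := make([]byte, 32)
	rand.Read(sessionKey) // crypto/rand.Read never returns an error (Go 1.24+)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipient.Enc, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	gcm := aesGCM(sessionKey)
	nonce := make([]byte, gcm.NonceSize())
	rand.Read(nonce)
	body := append(append([]byte{}, sig...), plaintext...)
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, body, nil)}, nil
}

// DecryptAndVerify unwraps with the recipient's own private key, then checks
// the signature against the sender's exported public key.
func (p *Party) DecryptAndVerify(sender PublicKeys, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, p.encPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("not the intended recipient: session key does not unwrap")
	}
	if len(sessionKey) != 32 || len(env.Nonce) != 12 {
		return nil, errors.New("envelope is malformed") // GCM would panic on a bad nonce length
	}
	body, err := aesGCM(sessionKey).Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil || len(body) < ed25519.SignatureSize {
		return nil, errors.New("file is corrupt or was tampered with")
	}
	sig, plaintext := body[:ed25519.SignatureSize], body[ed25519.SignatureSize:]
	if !ed25519.Verify(sender.Sig, plaintext, sig) {
		return nil, errors.New("signature does not match the sender's public key")
	}
	return plaintext, nil
}

func main() {
	xyz, _ := NewParty("XYZ Productions")
	abc, _ := NewParty("ABC Personnel Services")
	env, _ := xyz.SignAndEncrypt(abc.Export(), []byte("constructed payroll record"))
	got, err := abc.DecryptAndVerify(xyz.Export(), env)
	fmt.Println(string(got), err) // ABC opens and verifies it; XYZ itself could not unwrap the session key
}
```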

Topics: Encryption, Data Privacy, PGP

Three Most FAQs About Encryption Key Management on the IBM i

Posted by Michelle Larson on Jun 18, 2013 2:10:00 PM

The way organizations are managing encryption keys is falling under more scrutiny by Payment Card Industry (PCI) Qualified Security Assessor (QSA) auditors. Companies must demonstrate they are enforcing dual control and separation of duties in order to protect sensitive data.

Here are the answers to three of our most frequently asked questions about encryption key management on the IBM i:

Is it still effective to use an integrated key management solution that stores encryption keys in the same partition as the encrypted data?  
The short and simple answer is No. There are many reasons why storing an encryption key on the same server that contains protected data is not advisable. This is not just an IBM i issue - it spans all of the current major operating systems. Let's explore this a bit more in the following sections.

How do IBM i users manage encryption keys according to PCI requirements with an encryption key manager?
The Payment Card Industry Data Security Standard (PCI DSS) states the following requirements for encryption key management:

  • Dual Control means that at least two people should be required to authenticate before performing critical key management tasks.

  • Separation of Duties means that the individuals managing encryption keys should not have access to protected data such as credit cards, and those that have access to protected data should not have the authority to manage encryption keys.

How are the “dual control” and “separation of duties” requirements achieved on IBM i?
On the IBM i you simply can't achieve these PCI requirements if you store the encryption key in the same partition as the protected data.  

The QSECOFR user profile (and any user profile with *ALLOBJ authority) will always have complete access to every asset on the system. An *ALLOBJ user can circumvent controls by changing another user's password, replacing master keys and key encryption keys, changing and/or deleting system logs, managing validation lists, and directly accessing database files that contain encrypted data.

From the perspective of PCI, an integrated key management system puts too much control into the hands of any one single individual.
The only way to comply with PCI requirements for key management is to store the encryption keys off of the IBM i. Take users with *ALLOBJ authority out of the picture completely. When you use a separate appliance to manage encryption keys, you can grant a user access to the protected data on the IBM i and deny that same user access to the key manager. Now you have enforced separation of duties. And with the right key management appliance you can require TWO users to authenticate before keys can be managed, giving you dual control of encryption keys.

Now it’s time to ask yourself a few questions!

  • Is your organization encrypting data on IBM i?  

    • If so, how are you managing the encryption keys?

  • If you store the keys on a separate partition, have you had a recent PCI audit?  

    • What did your auditor say?

If you aren’t sure of the answers, or if this still seems foreign to you, take a few minutes to download our eBook “Encryption Key Management Simplified”.

Whether you are an IT administrator or a business executive, this resource will help you learn the fundamentals of:

  • What is encryption key management

  • Key management best practices

  • How to meet compliance regulations (PCI-DSS, HIPAA/HITECH, GLBA/FFIEC, etc.) with encryption key management

  • How encryption key management works on every platform including Microsoft SQL Server '08/'12, Oracle, and IBM i

As always, we welcome your comments and suggestions! Let us know what you think of the eBook!


Topics: Key Management, Separation of Duties, IBM i, Encryption Key Management, Dual Control

Encryption Key Management Overview using Microsoft SQL Server

Posted by Michelle Larson on Jun 13, 2013 12:47:00 PM

Going Beyond Compliance Requirements with Encryption Key Management

If you are new to protecting data in Microsoft SQL Server environments, compliance regulations are generally what drive an encryption project. In the past, encryption has had a reputation for being difficult, complex, and time consuming; we hope to show you how that has changed.

To start us off, here are a few definitions and acronyms that may help:

  • AES – Advanced Encryption Standard – the most common standards-based encryption used to protect data at rest, whether in SQL Server or any other environment.
  • EKM – Extensible Key Management – within Microsoft SQL Server, EKM is part of the Enterprise edition of 2008/2012 and higher.
  • HSM – Hardware Security Module – Townsend Security’s HSM encryption key management product is Alliance Key Manager.
  • FIPS – Federal Information Processing Standard
  • NIST – National Institute of Standards and Technology

Since it wasn’t thought of as something that improved the “Bottom line” by increasing revenue or decreasing expenses, encryption has historically been a project solely driven by the need to meet compliance regulations.

There are a large variety of compliance regulations that most, if not all, businesses fall under. One common misconception about compliance regulations is that they don’t equally apply to both private and public companies. To clarify, these regulations apply to all companies, of all sizes, whether they are privately-held or publicly-owned. For example, if you take credit cards for any reason, you fall under Payment Card Industry - Data Security Standards (PCI-DSS). Other common regulations are:

  • HIPAA Data Security & HITECH Act of 2009 which applies to Medical Providers and the healthcare industry.
  • GLBA/FFIEC apply to banks, credit unions, credit reporting agencies, and anyone in the financial industry.
  • FISMA is for Federal US Government Agencies.
  • The Federal Trade Commission (FTC) also gets involved with anyone who issues a privacy statement.

More than 45 states also have their own privacy rules, in addition to the ones listed above, that strongly recommend encryption of any personally identifiable information (PII).

So, beyond compliance with regulations, why should you care about encryption, and what is it anyway? First of all, your customers, clients, and suppliers all expect you to protect their sensitive data. Hackers and data thieves are targeting mid-sized companies because, as larger companies get better at securing sensitive information, the hackers see smaller companies as easier targets. Financial fraud and data breaches are more common in businesses that lack the resources for an internal security team and so may be less prepared. Data loss can have a big impact on a company's reputation as well as its financial health.

AES encryption is a mathematical formula for protecting data. It is based on a proven, well-known algorithm and on standards published by NIST. But since that formula is an open, vetted standard, the mathematical algorithm is not the big secret. It is what happens with the “key” that locks and unlocks the data that all the fuss is about.

Key management is so important because the encryption keys are THE secret that must be protected.  Without access to the key, a hacker that accesses encrypted data has no way to read it.  Industry standards and best practices for encryption key management, as well as compliance regulations that require proper encryption key management, all state that storing encryption keys on the server with the protected data is a poor security practice.  Encryption keys are unique and cryptographically secure, and once created, protecting the key is the core practice that will protect the sensitive data.  It will not be defensible in the event of a data breach if the keys were stored in the same server as the data.  (Akin to leaving the key to your house in the door lock and being surprised that someone has entered uninvited!)

Our solutions help Microsoft SQL Server customers really protect their data. Alliance Key Manager, our encryption key management hardware security module (HSM), is FIPS 140-2 certified. This means it meets the Federal standards that private enterprises expect around key management. We provide encryption key management solutions for every version and edition of SQL Server starting with SQL Server 2005.

Please join our founder and data security expert, Patrick Townsend, in this 30-minute webinar that will cover encryption and key management best practices with Microsoft SQL Server!


As always, your comments and feedback are appreciated! 

Topics: Compliance, Encryption, Encryption Key Management, SQL Server

3 Reasons Retail ISVs Should Use OEM Encryption Key Management

Posted by Luke Probasco on Jun 11, 2013 8:39:00 AM

Today there are hundreds of independent software vendors (ISVs) selling niche retail management software and payment applications designed specifically for various types of businesses. All of these retail ISVs must certify all payment applications that process credit card data under the Payment Card Industry (PCI) Payment Application Data Security Standard (PA-DSS). This certification verifies that the software handling customer credit and debit card information encrypts that data and protects the encryption keys.


Although all retail ISVs must certify their payment application software under the PA-DSS standard, many vendors skate by with poor encryption and encryption key management that has been thrown together to meet the bare minimum requirements. Good encryption and key management is the cornerstone of good security. When retail ISVs don’t adequately protect encryption keys or use encryption key management best practices to secure cardholder data, they leave their customers vulnerable to data breaches.

In order to protect customers, retail management software vendors can upgrade their encryption and key management solutions. Townsend Security offers industry standard AES encryption and certified key management that ease the burden of data security with these three features:

1. Reduced Cost and Complexity

Getting a new encryption key management project off the ground is difficult when you have to justify doing the project over again. Encryption key management has a reputation for being both costly and difficult, which is partly why many encryption key management projects are rushed through certifications using the bare minimum requirements. That reputation was accurate ten years ago, but today certified encryption key management using best practices can be achieved quickly, easily, and at an affordable price. We help businesses achieve this by offering encryption key management that is easy and fast to deploy, has an easy and cost-effective licensing model, and has OEM or “white label” options, because we don’t believe issues around branding should get in the way of good data security.

2. Certifications

We supply NIST and FIPS 140-2 certified encryption and key management, or we’ll help you achieve FIPS certifications for your solution. Retailers, especially at the enterprise level, are becoming more and more savvy about the need for certified solutions, and their demand is increasing. NIST and FIPS certifications ensure that their encryption key management has been tested against government standards and will stand up to scrutiny in the event of a breach.

3. Protect Your Customers from Data Breaches

As we see time and time again in the news, retailers still experience data breaches through their payment application software, despite the fact that these applications have a PA-DSS certification. This tells us that certifications don’t always equal good security. In order to protect your customers from a data breach, you must not only meet these certifications, but also build a security solution that will truly protect data at rest and in transit using industry best practices. If your customer experiences a data breach, and you have implemented adequate security that renders the data that was compromised unreadable, you will be not only your customer’s hero, but your own company’s hero as well.

Retail ISVs and payment application software companies also need to know that although they have certified their solutions with PA-DSS, these standards, like all PCI standards, are not set in stone. Data security is constantly evolving to meet the challenges of new threats that are always surfacing. Retail ISVs need to be aware that just because their solution has been certified, their current encryption and key management practices might not suffice during their next certification.

Townsend Security has redefined what it means to partner with a security company. With our NIST and FIPS certified encryption and key management solutions, retail ISVs can offer easy and affordable industry standard data security. Our dedicated team provides our partners with extensive training, back-end support, marketing materials, and a cost-effective licensing model. We’ll help you turn encryption and key management into a revenue-generating option that helps build your business and protect your valued customers.

Topics: Retail ISV, Point of Sale (POS)

The Right Data Security Partner Can Make a Difference!

Posted by Michelle Larson on Jun 10, 2013 11:03:00 AM

ISV Executives Can Improve their Payment Applications with the Right Encryption and Key Management Partner

Your company competes against many other ISVs selling niche retail management software and payment applications. You need a strong partner to guarantee you are providing the best encryption and key management to your customers, because when payment applications don’t adequately protect encryption keys or use encryption key management best practices to secure cardholder data, they leave your customers extremely vulnerable to data breaches.

At Townsend Security, we offer industry standard AES encryption and certified key management, and we believe that good encryption and key management is the cornerstone of good security. Here are three ways we believe a good partner should help ease the burden of data security:

1. Reduced Cost and Complexity

I know... you are thinking “Key management is both costly and difficult” - while that reputation was accurate ten years ago, today certified encryption key management using best practices can be achieved quickly, easily, and at an affordable price. We help you by offering encryption key management that is quick and easy to deploy, has a cost-effective licensing model, and we will even OEM or “white label” for you, because we don’t believe issues around branding should get in the way of good data security.

2. Provide Certified Solutions

We believe that data security should be constantly evolving to meet the challenges of new security threats. Retail ISVs and payment application software companies need to know that although their solution may have earned a PA-DSS certification, these standards, like all PCI standards, are not set in stone. Even if a solution has been certified once, outdated encryption and key management practices might not suffice during the next certification process. Since encryption and key management are necessary components of payment application systems, providing customers with third-party OEM NIST-certified AES encryption and FIPS 140-2 compliant key management gives an ISV some critical advantages.

Townsend Security not only supplies NIST and FIPS 140-2 certified encryption and key management, we'll also help you achieve your own FIPS certification under our OEM program. NIST and FIPS certifications give you the confidence to protect your customers: they ensure that encryption key management has been tested against government standards and will keep compromised data protected in the event of a breach.

3. Protect Your Customers

While many payment applications have a PA-DSS certification, in order to protect your customers from a data breach, you must not only meet these certifications, but also build a security solution that will truly protect data at rest and data in transit using industry best practices. Data security must be a critical element in your risk management plan and conveyed well to your customers.

With our NIST and FIPS certified encryption and key management solutions, retail ISVs can offer easy and affordable industry standard data security. Townsend Security has redefined what it means to partner with a security company. Our dedicated team provides our partners with extensive training, back-end support, marketing materials, and a cost-effective licensing model. So when (not if) your customer experiences a data breach, and you have implemented adequate security that renders the compromised data unreadable, you will not only be your customer’s hero, but your own company’s hero as well.

In this complimentary podcast, security expert Patrick Townsend discusses “How Retail ISVs Can Improve Their Payment Applications” with Paul Taylor from Security Insider.

As always, we welcome your comments and questions! 

Topics: Payment Applications, Point of Sale (POS), Encryption Key Management, partners, ISV

Top 3 POS Security Issues Executives Should Be An Expert On

Posted by Michelle Larson on Jun 7, 2013 2:26:00 PM

Are you providing your customers with the very best in point of sale (POS) data security?

On an almost daily basis, the news media reminds us of the risks associated with unprotected data as they report on each massive data breach that costs companies billions of dollars in lost value and remediation costs. Data breaches are not a matter of “if”, but more a matter of “when” as hackers get more and more creative. Many CEOs think that meeting the basic requirements of the Payment Card Industry (PCI) for data protection will keep their point-of-sale (POS) systems from being compromised. The truth is, hacking into retailer POS payment applications is a recurring problem worldwide, even for retailers who meet compliance standards.

1. Know Your Data Breach Risks – Ask the Right Questions!

As CEO, security and risk management is your bottom line. You need to know if and how your product development team is following best practices to protect your company and your customers from a data breach. Most payment application vendors offer encryption and key management, but not all of them follow best practices by using an encryption key management hardware security module (HSM). An HSM keeps the encryption key physically separate from the encrypted data, making sure that the data a hacker retrieves from a compromised system is functionally unusable.

With tighter security standards for data encryption, encryption key management, and constantly evolving regulations, you have an opportunity to go beyond basic compliance and gain consumers’ trust amid growing concern about the amount of electronic data companies collect, analyze, and share.

So, what can you do as a CEO to ensure your products are fully protecting your customers’ data? One important thing to do is start asking more specific questions of your product managers. Asking the right question can quickly expose data protection risks that you didn’t know you had.

Here are some sample questions:

  • Where in our systems does sensitive data reside, even briefly, in unencrypted form? Could I get a list?
  • What type of encryption do we use in our payment application for data at rest?
  • How are we protecting encryption keys?
  • Are any of the encryption keys stored on the same server with the protected data?
  • Are we protecting our encryption keys with an HSM?
  • Are we using industry standard encryption and key management?
  • Are our encryption and key management solutions NIST certified?

There are really straightforward answers to these questions. The lack of clear and unambiguous answers should raise an immediate red flag in your mind, and provide the beginning of a deeper discussion about data protection with your product development team.

2. Know What Your Customers Fear – Think Like a Hacker!

Awareness is the first step toward point-of-sale security. Retail payment systems are frequently hacked by criminals who are employed seasonally or temporarily, and given access to a system with insufficient security measures in place.

Help gain your customers’ trust by training them on the importance of good password management and system log monitoring as a part of their overall POS security efforts.

  • A surprising number of retailers never change the factory passwords on their POS systems, and this is a huge security risk. Not only should factory passwords be changed, but subsequent passwords should be changed regularly. Often, cracking a payment application system relies on the merchant being lazy about password implementation and changes. Make sure your customers know best practices and you’ll be their hero!
  • Hackers’ techniques have gotten more sophisticated and they can hide evidence of attacks, going undetected for months or even years. Yet a study of confirmed breach cases in 2009 found that nearly 90 percent of victims had evidence of the breach in their system log files. Do you train your customers in the importance of monitoring their system logs in real time?

3. Proactive Security Planning - Use Best Practices To Start With!

Keeping on top of point-of-sale security is essential for every business. Good encryption and key management is the cornerstone of good security. It can’t be an afterthought at the executive level; data security has to be a critical element in every risk management plan and conveyed well to your customers.

An effective data breach plan can mean the difference between a quick recovery and a serious blow to a company’s reputation. The steady pace of data breaches reinforces the need for encryption as a first line of defense. Firewalls and VPNs can provide some protection against data breaches and theft, but there is no substitute for strong encryption and effective encryption key management, especially in customer data and cloud environments. There’s no longer an excuse not to properly protect your POS payment application system and educate your POS system customers in security best practices.

In this complimentary eBook, "Turning a Blind Eye to Data Security: Mending the Breakdown of Communication CEOs and CIOs", authors Kevin Beaver, CISSP, Patrick Townsend, and Todd Ostrander will teach you about:

  • Business risks associated with unprotected sensitive data
  • Tools and resources to begin the discussion about data security in your company
  • 5 Common misconceptions
  • Actionable steps YOU can take

Topics: Best Practices, Point of Sale (POS), Executive Leadership