EI3PA Requirements - Build And Maintain A Secure Network

EI3PA, which is an acronym for “Experian Independent Third Party Assessment,” is a set of requirements that Experian enforces on third parties who have access to its consumer credit data.

EI3PA is closely modeled on PCI DSS (the Payment Card Industry Data Security Standard) and demands that any business reselling or handling Experian credit histories comply with all twelve of its requirements.

In practice this means that any company seeking to do business with Experian credit data must build and maintain a secure network in order to do so.

What Are The 12 EI3PA Requirements?

Although this article deals only with the first two, there are twelve EI3PA requirements in total.

The twelve requirements fall into six categories, which you will find below.

Build & Maintain A Secure Network

Requirement 1: Install & maintain a firewall configuration to protect cardholder data

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

Requirement 3: Protect stored cardholder data

Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain A Vulnerability Management Program

Requirement 5: Use and regularly update antivirus software

Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

Requirement 7: Restrict access to cardholder data by business need-to-know

Requirement 8: Assign a unique ID to each person with computer access

Requirement 9: Restrict physical access to cardholder data

Regularly Monitor & Test Networks

Requirement 10: Track and monitor all access to network resources and cardholder data

Requirement 11: Regularly test security systems and processes

Maintain An Information Security Policy

Requirement 12: Maintain a policy that addresses information security


Each of the above is critical to your business achieving EI3PA compliance. In this article, we’ll talk about the first two.

So let’s start at the beginning.

Requirement 1: Install & maintain a firewall configuration to protect cardholder data

The first requirement covers installing and maintaining a firewall configuration to protect cardholder data. The firewall must control traffic in both directions (inbound and outbound), and any wireless network must be separated from the cardholder data environment by a firewall that denies everything except the traffic explicitly needed.

It makes recommendations regarding the configurations of firewalls and routers, mobile devices, and employee-owned devices that access the network.

It asks that you ensure untrusted networks are not gaining access to any of your system components in the cardholder data environment – direct public access from the internet to any system component in the cardholder data environment should be prohibited entirely.
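One way to check a rule set against this “no direct public access” requirement is to audit the exported rules offline. The script below is an added example written for this article, not anything taken from the EI3PA or PCI DSS documents or from 1st Secure IT’s tooling: it reads a constructed iptables-save excerpt for a gateway in front of an assumed cardholder data environment of 10.20.0.0/24, treats RFC 1918 space as internal, and flags ACCEPT rules that either let a non-internal source reach the CDE or let CDE hosts out to an unrestricted destination. The sample rules, network ranges, and port numbers are all assumptions made for the demonstration.

```python
import ipaddress
import shlex

# Assumptions for this example: the cardholder data environment (CDE) lives in
# 10.20.0.0/24 and all RFC 1918 space counts as "internal". Take these from your
# own network diagram; the real rule set has to match that diagram.
CDE_NETS = [ipaddress.ip_network("10.20.0.0/24")]
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed iptables-save excerpt (not a real customer's rules) for a
# gateway that forwards traffic in and out of the CDE.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s 10.10.5.0/24 -d 10.20.0.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -d 10.20.0.20/32 -p tcp -m tcp --dport 3306 -j ACCEPT
-A FORWARD -s 203.0.113.7/32 -d 10.20.0.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A FORWARD -s 10.20.0.0/24 -d 0.0.0.0/0 -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# iptables option -> the field we keep from it
FLAGS = {"-s": "src", "--source": "src", "-d": "dst", "--destination": "dst",
         "--dport": "dport", "-j": "target", "--jump": "target",
         "--ctstate": "ctstate", "--state": "ctstate"}


def parse_rule(line):
    """Extract the fields we need from one '-A' line; None for any other line."""
    if not line.startswith("-A "):
        return None
    opts = shlex.split(line)
    rule = {"chain": opts[1], "src": None, "dst": None, "dport": None,
            "target": None, "ctstate": None, "negated": "!" in opts}
    i = 2
    while i < len(opts):
        key = FLAGS.get(opts[i])
        if key is not None and i + 1 < len(opts):
            rule[key] = opts[i + 1]
            i += 2
        else:
            i += 1
    return rule


def _net(spec):
    # A missing -s/-d means "any address" in iptables.
    return ipaddress.ip_network(spec or "0.0.0.0/0", strict=False)


def _within(net, nets):
    return any(net.subnet_of(n) for n in nets)


def _overlaps(net, nets):
    return any(net.overlaps(n) for n in nets)


def check_rule(rule):
    """Return a finding for an ACCEPT rule that breaks the policy, else None."""
    if rule["target"] != "ACCEPT" or rule["chain"] not in ("INPUT", "FORWARD"):
        return None
    if rule["negated"]:
        return "uses a negated match; review manually"
    states = set(rule["ctstate"].split(",")) if rule["ctstate"] else set()
    if states and states <= {"ESTABLISHED", "RELATED"}:
        return None  # reply traffic only; cannot open a new connection into the CDE
    src, dst = _net(rule["src"]), _net(rule["dst"])
    if _overlaps(dst, CDE_NETS) and not _within(src, INTERNAL_NETS):
        return (f"allows non-internal source {src} to reach the CDE "
                f"on port {rule['dport'] or 'any'}")
    if _within(src, CDE_NETS) and not _within(dst, INTERNAL_NETS):
        return f"allows CDE hosts out to unrestricted destination {dst}"
    return None


def audit_ruleset(text):
    """Return [(rule_line, finding), ...] for every rule that needs attention."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is not None:
            finding = check_rule(rule)
            if finding:
                findings.append((line, finding))
    return findings


if __name__ == "__main__":
    for line, finding in audit_ruleset(SAMPLE_RULES):
        print(f"{finding}\n    {line}")
```

Run against the sample, the script passes the stateful return-traffic rule and the internal-to-CDE HTTPS rule, and reports three problems: the MySQL rule with no source restriction, the SSH rule from a public address, and the outbound rule that lets CDE hosts talk to any destination. Feed it the output of `iptables-save` from your own gateway and compare the findings with your documented business justifications for each rule.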

Portable devices, including employee-owned ones, that connect to the internet from outside the network and are also used to access the cardholder data environment must run personal firewall software (or equivalent) that is always active and that the user cannot alter or disable.

To ensure tampering doesn’t happen, we recommend a periodic audit of a sample of employee-owned devices to ensure compliance with standards.

The EI3PA requirements also make the excellent point that all security policies and operational procedures a company implements for EI3PA must be documented, kept up to date, and communicated to all affected parties.

This point is particularly important, because once the initial setup is complete, businesses sometimes forget that usage, customer needs, and vulnerabilities change over time. The rule set has to change with them; PCI DSS requires firewall and router rule sets to be reviewed at least every six months.

Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

While it may seem obvious, you’d be surprised how often people forget to update passwords.

Requirement number two requires all vendor-supplied defaults for system passwords and other security parameters be changed, because these are known to hackers and can be easily guessed.

Configuration standards should be in place for all system components, and they should be consistent with accepted industry hardening standards such as those published by CIS, ISO, SANS, or NIST.

Encrypt all non-console administrative access with strong cryptography, using technologies such as SSH, VPN, or TLS for web-based management and other non-console access (PCI DSS requirement 2.3).

Remember, as well, that any shared hosting providers must protect each hosted environment, especially the cardholder data.

Once again, documentation is important, because it allows a company to monitor the parts of the whole to ensure that no weak links are left untended.

When auditing this requirement, check that you maintain an inventory of every system component in scope, and that each component runs only the functions, services, and protocols it actually needs (PCI DSS requirements 2.2 and 2.4).

If you wish to go the extra mile and confirm that the hardware and software inventory you are verifying is being kept up to date by personnel at all times, interviewing the responsible employees is a best practice for confirming that the update process is really being followed.

Contact 1st Secure IT

No matter whether you need help preparing for EI3PA or managing your business once you are in partnership, 1st Secure IT can help you achieve EI3PA compliance and stay that way.

Your job is to manage your business. We exist because experts are needed in this field, and we are dedicated to ensuring that your network is both secure AND compliant with the requirements.

Call 1st Secure IT now to schedule an audit and discussion about vulnerabilities and opportunities.


What Is EI3PA?

Consumers today are becoming more and more savvy when it comes to their personal information.

Worries of credit card fraud and identity theft mean that companies have to be diligent with the information entrusted to them.

After seeing news of large data breaches at companies such as Facebook and Equifax, people want to know that the companies using their data are taking all possible and reasonable measures to protect their information and to guard against identity theft.

If your company deals with credit information from Experian, you will need to ensure you meet EI3PA compliance guidelines.

What Is EI3PA?

EI3PA stands for Experian Independent 3rd Party Assessment.

It is an assessment of the ability of Experian resellers to protect the customer information they purchase from Experian.

This standard is closely related to the Payment Card Industry Data Security Standard (PCI-DSS).

The requirements of the EI3PA assessment include the following:

  • Build and maintain a secure network
  • Install a firewall to protect customer data
  • Ensure system passwords are changed from the defaults
  • Protect credit history information
  • Encrypt transmission of data when sending over unsecured networks
  • Maintain a vulnerability management program
  • Keep anti-virus software up-to-date
  • Implement strong access control
  • Restrict access to customer data to those who have a need-to-know
  • Assign a unique ID to any person who has access to the systems where this information is stored
  • Monitor and test networks regularly
  • Maintain an Information Security Policy, and ensure all employees are familiar with this policy

These are the minimum standards for protecting Experian customer information.

It is important for Experian to ensure that all vendors and resellers with access to customer information are taking adequate measures to protect customer information from the possibility of fraud and identity theft.

After all, a data breach can have wide-reaching consequences, both financially and for your company’s reputation.

Who Needs To Be EI3PA Compliant?

Any organization which transmits, stores, processes, or provides consumer credit data from Experian is considered a Level 1 reseller and must comply with this standard.

Essentially, if you have access in any form to consumer data from Experian, you need to comply.

Level 1 resellers of Experian information cannot perform self-assessments, a third-party must be used.

As the EI3PA is closely based on the Payment Card Industry Data Security Standard (PCI-DSS), any organization which already meets this requirement is most likely already compliant, or comes close to it.

Resellers, as well as Experian themselves, face large risks if customer data is not adequately protected.

Who Can Do An EI3PA Assessment?

EI3PA assessments for Level 1 resellers must be performed by a 3rd party Qualified Security Assessor (QSA), such as 1st Secure IT.

Additionally, Experian will sometimes perform random security compliance audits to verify that providers are meeting all security policy requirements.

If you do not meet the conditions for being a Level 1 reseller, and you have approval from Experian Information Security, you may be able to perform a Level 3 self-assessment instead.

In addition to the EI3PA assessment, there is a requirement for quarterly scans of resellers networks for vulnerabilities.

These scans must be done by an Approved Scanning Vendor (ASV), which will often be the same company as your QSA.

Note that quarterly scans are required for both Level 1 and Level 3 vendors.

Contact 1st Secure IT

Is EI3PA compliance a concern for you?

If you are dealing with consumer credit history information, it should be.

Do you need a level 1 assessment performed, or guidance for performing a self-assessment?

1st Secure IT can help.

Contact us today to help you become EI3PA compliant, or to prepare for an audit.

Acting as an Experian reseller without being EI3PA compliant can have a major impact on your business if you’re found out, and can be even worse if you suffer a data breach while being noncompliant.

Contact 1st Secure IT today, and take the steps you need to keep your business secure in an uncertain digital world.


These PCI DSS Changes Took Place On June 30th. Are You Ready For Them?

For anyone whose business regularly uses POI and POS terminals, the new PCI SSC guidelines for SSL/TLS are of massive importance.

Are you prepared for them?

New PCI SSC Guidance For SSL/TLS

The PCI SSC (Payment Card Industry Security Standards Council) has taken their old set of guidelines, Migrating from SSL/Early TLS Information Supplement, and replaced it with two new sets.

This was done because the deadlines written into the earlier guidance have now passed, including June 30, 2018, the deadline for migrating away from Secure Sockets Layer (SSL) and early Transport Layer Security (TLS), and because PCI DSS v3.2.1 has since been published.

The first new guide, Information Supplement: Use of SSL/Early TLS and Impact on ASV Scans, explains the impact on PCI DSS assessments and ASV scans for merchants and service providers, including those still using SSL/early TLS after the June 30, 2018 deadline.

The second new guide, Information Supplement: Use of SSL/Early TLS for POS POI Terminal Connections, gives further guidance for merchants and service providers whose environments include card-present POS POI terminal connections.

These guidelines also define terms such as “early TLS”, and spell out the conditions under which legacy terminals may keep using it.

Why Is The PCI SSC Publishing This?

As we stated above, the June 30 milestone is a tremendously important one.

Beginning July 1, 2018, SSL and early TLS can no longer be used as a security control for PCI DSS. The one exception is for POS POI terminals (and the termination points they connect to) that can be verified as not being susceptible to any known exploits for those protocols.

In May 2018, PCI DSS was updated to v3.2.1. This was a minor revision that removed the now-passed migration dates from the standard itself rather than adding new security requirements.

What Merchants Need To Know

If you're a merchant, you'll need to find out which SSL/TLS versions your systems and POS POI terminals actually accept, and make sure they meet the new standard: SSL and TLS 1.0 are out, TLS 1.1 is the minimum, and TLS 1.2 or later is strongly recommended.

To find out whether they are, you can get in touch with your POS/POI supplier, or call us at 1st Secure IT.
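Asking the supplier is the first step, but the version a terminal or server actually negotiates is visible on the wire: the ServerHello message at the start of every TLS connection carries the selected protocol version. The parser below is an added example written for this article, not code from the PCI SSC supplements or from 1st Secure IT; it reads a raw TLS handshake record, recovers the negotiated version (including the TLS 1.3 case, where the real version hides in the supported_versions extension), and marks SSL and TLS 1.0 as “early TLS”. The ServerHello byte strings it checks are constructed inline for the demonstration, not captured from any real terminal; the endpoint names and cipher suites are assumptions.

```python
import struct

# version bytes in the ServerHello -> protocol name (RFC 6101, 5246, 8446)
VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1",
            (3, 3): "TLS 1.2", (3, 4): "TLS 1.3"}
# Protocols the PCI SSC supplements treat as SSL and "early TLS". TLS 1.1 is
# still accepted by the PCI SSC, with TLS 1.2 or later strongly recommended.
EARLY_TLS = {"SSLv2", "SSLv3", "TLS 1.0"}
SUPPORTED_VERSIONS = 43  # TLS 1.3 extension type (RFC 8446 section 4.2.1)


def parse_server_hello(record):
    """Return (version_name, cipher_suite_hex) for a TLS record carrying a ServerHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    (rec_len,) = struct.unpack("!H", record[3:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or len(body) < 4 or body[0] != 0x02:
        raise ValueError("not a complete ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hs = body[4:4 + hs_len]
    if len(hs) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    version = (hs[0], hs[1])          # server_version (legacy_version in TLS 1.3)
    pos = 2 + 32                      # skip the 32-byte random
    pos += 1 + hs[pos]                # session_id length + session_id
    cipher = hs[pos:pos + 2]
    pos += 2 + 1                      # cipher_suite + compression_method
    # TLS 1.3 keeps 0x0303 in the legacy fields and signals the real version
    # in the supported_versions extension, so the extensions must be walked.
    if pos + 2 <= len(hs):
        (ext_len,) = struct.unpack("!H", hs[pos:pos + 2])
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            edata = hs[pos:pos + elen]
            pos += elen
            if etype == SUPPORTED_VERSIONS and elen == 2:
                version = (edata[0], edata[1])
    return VERSIONS.get(version, f"unknown {version}"), cipher.hex()


def is_early_tls(version_name):
    return version_name in EARLY_TLS


def build_server_hello(version, cipher_suite, extensions=b""):
    """Constructed ServerHello bytes for the demo (random and session id zeroed)."""
    body = bytes(version) + b"\x00" * 32 + b"\x00" + cipher_suite + b"\x00"
    if extensions:
        body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body
    return b"\x16" + bytes(version) + struct.pack("!H", len(handshake)) + handshake


# Constructed samples: what a legacy terminal, an SSLv3 host, a current
# terminal and a TLS 1.3 endpoint would answer. Not captured from any real system.
SAMPLES = {
    "legacy-pos": build_server_hello((3, 1), b"\x00\x2f"),    # TLS 1.0, RSA/AES-128-CBC
    "sslv3-host": build_server_hello((3, 0), b"\x00\x0a"),    # SSLv3, 3DES
    "current-pos": build_server_hello((3, 3), b"\xc0\x2f"),   # TLS 1.2, ECDHE/AES-GCM
    "tls13-host": build_server_hello((3, 3), b"\x13\x01",
                                     b"\x00\x2b\x00\x02\x03\x04"),  # supported_versions = 0x0304
}


def audit(samples):
    """Return {name: (version, early?)} so the legacy endpoints stand out."""
    result = {}
    for name, record in samples.items():
        version, _cipher = parse_server_hello(record)
        result[name] = (version, is_early_tls(version))
    return result


if __name__ == "__main__":
    for name, (version, early) in audit(SAMPLES).items():
        print(f"{name:12} {version:8} {'FAIL: SSL/early TLS' if early else 'ok'}")
```

In practice the record bytes come from a packet capture of the terminal's connection to its host, or from an active probe: `openssl s_client -connect host:443 -tls1` will show whether a server still accepts a TLS 1.0 handshake at all, which is the question an ASV scan asks.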

It's worth noting that any new installs of POI and POS terminals cannot use SSL or early TLS, so if you've just set up your POS systems with a new product you're likely okay.

If any new vulnerabilities emerge that affect POI terminals and that can't be addressed by a software patch or updated controls, you'll need to immediately update them.

If you use SSL or early TLS for purposes other than as allowed for your POS POI terminal connection, note that your systems are out of date. You'll need to update your controls to minimize any risks and remain PCI DSS compliant.

Contact us here at 1st Secure IT if you need help with this.

If SSL/early TLS is still present in your environment but another control is what actually satisfies the PCI DSS encryption requirement, the legacy protocol is not itself being relied on as a security control and you may keep running it for now.

But you really should update to a modern encryption protocol as soon as possible, as SSL and early TLS have a number of vulnerabilities in them these days.

On top of that, having SSL or early TLS in a system can often result in ASV scan failures.

Either way, contact us here at 1st Secure IT and we'll help you find out whether you're still compliant.

What Acquiring Banks Need To Know

If you're an acquiring bank that provides termination points for POS and POI terminal connections, you should follow the same advice listed above.

You should also be ready to help your merchants and retailers to ensure their systems are in compliance and secure against threats.

After all, if your merchants are found to be noncompliant, you could be liable for a fine as well.

If you require your merchants and retailers to provide you with ASV Scan Reports as part of their compliance reporting, be sure to familiarize yourself with how to handle false positives triggered by older technology protocols.

Contact 1st Secure IT

Did all that make your head spin?

If so, you're not the only one.

The world of PCI DSS compliance can be overwhelming even if you already specialize in IT.

But you don't have to go through it alone.

At 1st Secure IT, we're here for you.

We'll take you by the hand and walk you through every step you need to take in order to make sure you remain PCI DSS compliant.

Whether you're a merchant, an acquirer, or a service provider, we've got your back.

Call us at 866-735-3369 or email us at info@1stsecureit.com, and keep your business safe and secure in an uncertain digital world.


The Consequences Of Being PCI DSS Noncompliant


The PCI DSS is mandatory for any business that processes credit card transactions. This is important stuff – not only are you taking a huge risk of a catastrophic data breach, there are stiff penalties for those who are found to be noncompliant.

But by whose authority is it mandatory? And where do the penalties come from?

This is a bit of a confusing subject for some people, and I hope this article clears things up.

Is PCI DSS The Law?

Strangely enough, unless you live in Nevada, PCI DSS is not actually a law. Several states have laws that reference PCI DSS or its concepts, but only Nevada has written compliance with it into statute (Nevada Senate Bill 227), and there is no federal statute that mandates PCI compliance.

This seems strange though, doesn’t it? If, in general, the PCI DSS is not a law, then how is it mandatory?

The simple answer is that it’s a self-governing system set up by the PCI SSC on behalf of the card brands. It’s their primary criteria for your business being allowed to process their credit cards through your systems. No one is forcing you to comply with the PCI DSS, but if you refuse to play by their rules, they may not trust you with their credit card data.

On top of this, when you agree to process credit card data, you’re agreeing to the terms of the PCI DSS. And if you’re found to be PCI DSS noncompliant, you may be found in breach of contract.

It ought to go without saying, though, that I’m an IT security specialist and not a lawyer, and the above shouldn’t be taken as legal advice.

Repercussions For PCI DSS Noncompliance From Your Payment Processor

So, now we know that the PCI DSS is not the law, but you can still be fined as though it were a law. But what are the penalties?

First of all, if you’re found to be noncompliant, the card brands fine your acquiring bank or payment processor for working with a noncompliant merchant. Those companies will almost certainly pass the fine on to you, since your noncompliance is what triggered it.

But there’s more than just financial penalties. Your payment processor and the credit card company may elect to end their relationship with you, which can be disastrous for a business that relies heavily on credit card transactions for its income. Your bank may also cut ties with you. Yikes.

Even if they do decide to keep you around, they may decide to raise your transaction fees, forcing you to either lose money on every transaction or raise your prices. This is bad news for anyone, but even moreso if you’re the type of business who relies on competitive pricing.

How Much Are The Fines?

The amount you’re fined for non-compliance varies depending on the card brand you work with. Each card brand has standard penalty system and while the exact amount you could be fined depends on many variables, it helps to get a general idea of how much you’re looking at. For more detailed information, consult the agreement you have with your payment processor and the various card brand security programs:

Visa US – Cardholder Information Security Program (CISP)

MasterCard – Site Data Protection (SDP)

Amex – Data Security Operating Policy (DSOP)

Discover – Information Security & Compliance (DISC)

JCB – Data Security Program (DSP)

The penalty system is laid out in a monthly fee system.  Generally, the longer you remain in noncompliance, the heftier your penalties will be. This provides extra incentive for you to become compliant as soon as possible.

Depending on how long it’s been since you’ve been noncompliant and how large your business is, the fees can range anywhere from $5000 to $100,000 a month. These fees aren’t widely discussed or publicized, but either way these aren’t small numbers, especially for a small business. On the heavy end, this could easily lead to more than $1 million in fines in less than a year.

The PCI SSC is serious about data security, and wants you to know about it.


Penalties If You Are Compliant

Believe it or not, you can be found 100% in compliance with the PCI DSS and still receive a fine. This is what happens when you experience a data breach, and it’s part of the risk every company has to take if they’re going to be trusted with credit card data.

The unfortunate truth is that you can be in compliance with the PCI DSS and still experience a data breach from an ingenious hacker. This is an incentive for businesses to not only meet the minimum requirements, but go beyond to implement the best known cybersecurity practices.

If you do experience a data breach that results in a loss of credit card data, you could likely face a fine of $50 to $90 per credit card lost. On top of this, you may lose your relationship with your payment processors and banks, even though you were compliant.

Of course, a data breach can result in external consequences too – bad publicity, damage to your reputation, costs associated with customer credit monitoring, and lawsuits from affected customers, for example.  This is precisely why companies should consider a data breach protection policy.

How To Avoid PCI DSS Noncompliance

The truth is that it’s difficult for small and medium businesses to recover from PCI DSS noncompliance fees. Even if you don’t lose your relationships with your payment processors, your bank, and the credit card companies, the fines will certainly sting.

If you don’t know if you’re PCI DSS compliant, the truth is you’re probably not. Which makes it even more important that you contact 1st Secure IT today.

1st Secure IT is a registered QSA, which means we’re qualified to perform PCI DSS compliance audits on your business.

We can also monitor your business to ensure it remains PCI DSS compliant, since new software, updates, and glitches can pull you out of compliance without your noticing.

Don’t get caught with PCI DSS noncompliance – there’s too much on the line.

Contact 1st Secure IT today.


4 Reasons You Need To Be PCI DSS Compliant

If you’re in the business of interacting with credit card transactions, you need to be PCI DSS compliant. But why?

Just because someone shows up on the scene and tells you you need to do something, doesn’t mean you have to do it, right?

That may be true, but there are some extremely compelling reasons why PCI DSS compliance is a good idea. Here are a few of them.

1. You may get fined if you don’t

This is the obvious one. The threat of a penalty is a powerful motivator.

If you’re found to be noncompliant with the PCI DSS, it is possible that you may end up with a hefty fine.

The fines are different depending on the card brand and how long you’ve been noncompliant, but obviously no business wants to incur unnecessary fees and fines.  Depending on various circumstances, they can add up to more than a million in less than a year if you’re particularly negligent.

2. You’re more at risk for a data breach

The PCI DSS has some of the best modern practices for credit card security and IT security in general. After all, if people are afraid to use their credit cards because of a perceived lack of security and risk, the credit card companies are going to have a hard time continuing to do business.

So along with PCI DSS compliance comes better information technology security.

If you’re noncompliant, your business may be missing some of these important security features, which leaves your business vulnerable to a data breach.

And if you experience a data breach, not only may you face fines from your processor, you also may have to deal with lawsuits against your company by your own customers whose credit card data was compromised.

3. You’re on track for a bad reputation

A data breach is always bad press, no matter what happens. Even if you were 100% in compliance with PCI DSS regulations.

But what happens if it turns out that you knew what you could have done to stop a data breach, and you didn’t do it?

What happens if your data breach wasn’t a result of an ingenious hacker, but rather your own negligence?

How many people do you think will want to do business with you in the future?

4. Your business can be destroyed

That might sound a little melodramatic, but I’m not exaggerating here.

When your payment processor finds out you’re noncompliant with the PCI DSS, they’ll hear about it from one of the card brands and, as a result, they may be fined. After all, businesses that work with noncompliant companies are themselves found to be noncompliant as a result.

Depending on the type of business you run, this can mean your ability to accept credit card payment either shrinks significantly or dries up altogether, and you’re left with reduced revenue, or even no revenue whatsoever.

On top of that, your bank may decide to close your account as well, as may your credit card company.

So if you’re found to be PCI DSS noncompliant, you can go from a fully functioning business to one that lacks any financial services whatsoever, almost overnight.

Yikes.

Contact 1st Secure IT

The above repercussions are just some of the reasons why PCI DSS compliance is important.

But does your organization even need to be PCI DSS compliant? If so, which requirements do you need to be compliant with? And what do you actually need to do in order to be compliant with them?

Navigating the world of PCI DSS compliance can be confusing and overwhelming. And as you’ve just read above, the consequences of doing it wrong are potentially catastrophic. This can make it even more concerning.

But it doesn’t have to be that way. 1st Secure IT can help.

Contact 1st Secure IT today, and speak with one of our experienced PCI DSS consultants. They’ll help you understand everything you need to do in order to become PCI DSS compliant, or to stay that way.

Contact 1st Secure IT, and keep your organization safe in the uncertain modern world.


What Is The PCI DSS?

If you run a business that processes, transmits, stores, or otherwise interacts with credit card information, you need to be compliant with PCI DSS.

What is the PCI DSS? Where did it come from? And why is it so important that you comply with these regulations?

Keep reading and you’ll find out.

What Is The PCI DSS

PCI DSS stands for Payment Card Industry Data Security Standard. It’s a security standard set forth by the PCI SSC – the Payment Card Industry Security Standards Council. A lot of acronyms, I know.

The PCI SSC is made up of the five major card brands: Visa, MasterCard, American Express, Discover, and JCB. But it wasn’t always that way.

As the world wide web increased in popularity, so too did the possibility of committing credit card fraud from the comfort of one’s own living room. And so each of the five above-mentioned card brands formed its own security program, with the idea of establishing minimum requirements and best practices for anyone who processed its cards.

Eventually, however, it became inconvenient for merchants to adhere to five different card brand security programs. Since the brands shared the same goals, they aligned their programs into a single standard: the first version of the PCI DSS was released in December 2004, and the PCI SSC was founded in 2006 to maintain it.

The Requirements

The PCI DSS is a complicated beast, but in its simplest form there are 12 different requirements. They are as follows:

  1. Maintain a firewall to protect your data
  2. Change your passwords from the defaults
  3. Protect the cardholder data you store
  4. Encrypt cardholder data whenever you transfer it across open networks
  5. Maintain an antivirus and anti-malware suite
  6. Develop & maintain a high level of security on all systems
  7. Restrict access to the data you store to only those who need to access it
  8. Give each user with access to your data a unique ID
  9. Restrict access to cardholder data physically
  10. Maintain a monitoring system of all access to cardholder data
  11. Perform regular tests of your security systems
  12. Maintain a security policy for all staff, employees, or other personnel

This is, of course, just an overview of what the PCI DSS requirements are. An entire book could be written on each of the above requirements.

Do I Need To Be PCI DSS Compliant?

The short answer is yes, if you interact in any way with credit card data.

But there’s more to it than that.

If you run a small ecommerce store, for example, and you hand every card payment off to PayPal, most of the compliance burden is already carried for you without your knowing it. PayPal, as one of the world’s largest payment processors, has to be compliant itself, and if your site redirects customers to it for payment you never store or process card data yourself. Your scope shrinks to the short self-assessment for fully outsourced merchants (SAQ A), but you are still responsible for the requirements that remain in scope, such as keeping your site from being tampered with to redirect customers elsewhere.

Whether or not your business is PCI DSS compliant, or if you even need to worry about it in the first place, isn’t always clear. That’s why it’s worthwhile to seek the help of a qualified security assessor to find out.

What Is A Qualified Security Assessor Company?

A qualified security assessor company, or QSAC, is an impartial third party brought in to perform a PCI DSS compliance assessment. Its QSA employees have completed the QSA qualification training created by the PCI SSC, so their knowledge is standardized across the board. QSAs are the experts when it comes to PCI compliance.

The PCI SSC also maintains a public list of qualified QSA companies on its website. If your assessor isn’t on that list, they aren’t qualified to act as a QSA, so be careful.

During an assessment, your QSA will complete a Report on Compliance (ROC) for your business and state whether you were found to be compliant. From there, you send the report to your acquiring bank, which in turn reports the result to the card brands.

Contact 1st Secure IT

Is your business compliant with PCI DSS? Or are you wondering whether or not you even need to worry about it?

If so, 1st Secure IT can help.

We have a number of QSA-certified specialists who can help you through the process of compliance. We’ll take you by the hand and provide you with a clear, easy-to-understand game plan for how you can become compliant or maintain your existing compliance.

If you’re not sure you’re PCI DSS compliant, you’re probably not. Contact 1st Secure IT and get PCI DSS certified today.


Forever 21 And The Importance Of Penetration Testing


When you’re in a store buying a new pair of pants or going back-to-school shopping with your kids, IT security might be the last thing on your mind. But the unfortunate reality of the 21st century is that credit card fraud and data breaches can happen anywhere you use your credit card, including in a store.

This is what happened with Forever 21. If you shopped at one of their more than 600 stores across North and South America at any point between April 3rd and November 18th, 2017, your data may have been compromised.

But what happened during this breach? What data was stolen? How did the hackers access this data? And what could Forever 21 have done differently to stop it?

Read on to find out.

What happened?

Forever 21 first announced a potential breach in November 2017, saying it had been alerted by a third-party report; the company had actually received that report in October.

In that report, they discovered that while they had been using encryption on their POS devices since 2015, it wasn’t always turned on. As a result, the data they had was as vulnerable as if they hadn’t used encryption at all.

The report also found evidence that malware was installed on some of their POS devices. Some of this malware was only active for a few days, while others had been active for the entire time – some were even active when discovered.

Each Forever 21 store has a log of all completed credit card transactions, and when the encryption was off, the hackers could access all the information contained in that log.
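Whether encryption is really on at every terminal is something you can verify from the data itself: if point-to-sale encryption is working, no cleartext card number should ever appear in a transaction log. The scanner below is an added example written for this article, not Forever 21’s code or 1st Secure IT’s tooling. It looks for 13 to 19 digit runs, confirms each candidate with the Luhn check digit that every genuine card number carries (so order numbers and timestamps are not reported), and reports hits with the PAN masked to first six and last four. The log lines are constructed for the demonstration, using only published test card numbers; the field names and terminal IDs are assumptions.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally split by single spaces or dashes,
# and not part of a longer digit run. Constructed for this example.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """ISO/IEC 7812 check digit: true for every genuine card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the PANs (digits only) found in one line of text."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(pan):
    """First six and last four, the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(lines):
    """Return [(line_number, masked_pan), ...]; never echo the full PAN."""
    findings = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            findings.append((n, mask(pan)))
    return findings


# Constructed POS transaction log, using only published test card numbers.
SAMPLE_LOG = [
    "2017-06-02 14:03:11 POS-07 SALE 41.99 pan=4111111111111111 exp=0919 auth=OK",
    "2017-06-02 14:05:40 POS-07 SALE 12.50 pan=tok_9f1c2e7a8b3d exp=**** auth=OK",
    "2017-06-02 14:07:02 POS-07 SALE 88.00 pan=5555 5555 5555 4444 exp=1120 auth=OK",
    "2017-06-02 14:09:15 POS-07 REFUND order=1234567890123456 auth=OK",
    "2017-06-02 14:11:48 POS-07 SALE 7.25 pan=411111******1111 exp=0919 auth=OK",
]

if __name__ == "__main__":
    for n, masked in scan_log(SAMPLE_LOG):
        print(f"line {n}: cleartext PAN {masked}")
```

On the sample it reports lines 1 and 3 only: the tokenised entry, the 16-digit order number (which fails Luhn) and the properly masked PAN are all left alone. Run it across every terminal's logs on a schedule and a terminal whose encryption has silently switched off shows up as a stream of hits rather than as a surprise in a third-party report months later.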

Forever 21 has been working with their payment processor and IT security firms to fix these gaps in security, but meanwhile their customers are left at risk.

What Did The Hackers Take?

It’s difficult to say which stores were compromised, and which were not. At the time of this writing, Forever 21 has yet to release any data on that.

The attackers did, however, have access to complete credit card data for a significant number of Forever 21’s customers. Because each store logged its customer credit card data, the attackers only needed to install malware on a single terminal per store.

In some cases, Forever 21’s investigators found that the captured card data was incomplete, containing the card number, expiration date, and internal verification code but not the cardholder’s name. In many other cases, though, the cardholder’s name leaked along with the rest of the data.

Notably, credit card purchases made online were not affected. Forever 21’s POS systems work differently outside the US, and the company is still investigating whether those stores were affected. Sorry, Canadians and Latin Americans, you’re not out of the woods yet.


What Did Forever 21 Do Wrong?

The multimillion dollar question.

First of all, let’s talk about what they did right. They acquired encryption for their POS systems. That’s a great first step. They clearly installed it, too.

But that wasn’t enough. If it was, they wouldn’t have suffered a data breach, and I’d be writing this article about something else.

Think about your home. Imagine you live in a multimillion dollar mansion with priceless artwork on your walls. Naturally, you’ll want to make sure it has the highest quality security system on it.

But what happens if the security system you purchase is so complex that you’re not sure if it’s actually locked? What do you do?

Hope for the best? Maybe, but if your home is on the line you might take it a little more seriously.

No, your best solution is to hire someone with a good understanding of your home’s security systems to test it for you and make sure it’s protecting you as best it can.

Penetration Testing

That’s exactly what penetration testing does.

A penetration testing team is essentially a team of hackers you hire to try and breach your defenses.

A penetration tester’s job is to stay up to date with the latest developments in the world of IT security, and hacking itself, but to use their powers for good instead of evil.

It may seem weird to hire someone to hack your systems, but when a penetration testing team does it, it’s not for the same reason the bad guys are doing it. We find gaps in your security systems and tell you about them, so you can be prepared for when the bad guys actually do show up.

Had Forever 21 contracted a third-party penetration testing team to test the new encryption on its POS terminals, the terminals where encryption was not actually enabled would very likely have been found before the attackers found them.

Contact 1st Secure IT

Have you recently acquired a new encryption layer for your POS systems? Implemented a new suite of security software? Are you wondering whether your current IT security systems are up to snuff?

Contact 1st Secure IT today.

We can run a penetration test on your systems, discover any potential weaknesses, and report back to you with concrete solutions on how you can improve your security and mitigate the risk of a data breach or other cyber attack.

Don’t wait until you’re in a situation like Forever 21 is now. Contact 1st Secure IT today, and take your first step toward a safer, more secure business.

