As it turns out, the POS product in question did not comply with the Payment Card Industry Data Security Standard (PCI DSS) -- a fact that the reseller and the upstream POS software vendor apparently knew, even though its customers did not. That didn't stop the issuers of the stolen credit card numbers from going after the restaurant owners for chargebacks, audit fees, and other costs associated with the heist.
Cue the attorneys. The restaurant owners want the POS reseller and software developer to take responsibility for keeping the PCI DSS non-compliance issues to themselves and for allowing hackers to exploit the flawed remote support software. The developer, Radiant Systems, appears content to blame the victims. The credit card companies probably don't care who pays, as long as it isn't them.
Why is this mess relevant to your own small business? Consider a few of the allegations in play here:
- First, according to the lawsuit, the POS vendor installed systems missing critical security patches for their remote support features -- a major element in the claim that the systems violated PCI DSS standards.
- Second, the victims allege that the vendor used the same remote access password on at least 200 individual POS systems. The password in question: "password," of course.
Remote access and support technologies serve a vital purpose. Yet they also give attackers fast-lane access to the very heart of a compromised system -- especially when the geniuses charged with protecting those systems demonstrate about as much IT security competence as a tree stump.
I know that it sounds unfair to blame the victims in this case. As their attorney points out, these are restaurateurs, not IT experts.
Don't Miss: NEW! Remote Access How-To Center
Yet it doesn't require a tech-savvy business owner to realize that these systems contained data every bit as valuable as the cash in their registers. With that knowledge comes the responsibility to educate oneself about the risks involved with a networked POS system.
Consider applying the same standard to your own company's systems, especially those that store business-critical data. If you work with technology resellers, ask them to document the presence of remote access or support features on any of their products. Then ensure that these features are disabled by default -- and set stringent requirements to justify when, how, and why they are enabled, on a case-by-case basis.
Also be sure to scrutinize your contracts and service agreements with resellers. Ensure that these agreements spell out the reseller's obligations with regard to industry payment standards like PCI DSS, regulatory compliance, and state data privacy laws.
Next, ask the same questions about remote support and access tools intended for use by your own employees and IT staff. Identify which systems store at-risk data, and determine whether the remote access technology used to access them offers an appropriate level of security. While gateway- or appliance-based remote access solutions generally offer very good end-to-end security, some systems clearly demand a much higher level of security oversight than others.
Sometimes, there is simply no way to avoid dealing with the fallout when a reseller or technology partner fails to meet its obligations. But by understanding what is at risk and who is responsible when things go south, your business will be in a much better position to ensure that it doesn't get left holding the bag.