Small to medium-sized businesses are quickly becoming Internet dependent and utilizing the services of the cloud to pass information back and forth. Through payment processing and data hosting, smaller businesses are seeing the value of using managed service providers (MSPs) to help run their company. The MSP can help maximize security when accepting electronic payments using the Internet.
With mobile technology coming to the forefront, many businesses have developed new models and applications as a way to gain consumer trust in buying products and services online. However, it is imperative that MSPs educate their retail clients to build and maintain a strong commitment to security. This will help ensure compliance when safeguarding crucial, confidential information concerning their customer base.
Many businesses turn to MSPs to maintain compliance and reduce the risks involved in doing business over the Internet. Companies that operate primarily as merchants will want to understand how a managed service provider fits into the scope of their PCI DSS (Payment Card Industry Data Security Standard) compliance.
The service provider is expected to meet the standard whenever it is involved in the transmission, storage, or processing of debit and credit cardholder data. This includes providing services that manage or control that data, and it extends to any provider whose services could affect the security of the data.
The MSP’s Safeguard Responsibilities
In an effort to maintain the highest security standards, many MSPs complete an audit at PCI Level 1 to validate their compliance status. The MSP engages a Qualified Security Assessor (QSA) to demonstrate a durable security posture when protecting critical client data.
The Client’s Safeguard Responsibilities
It is imperative that the managed service provider maintain the highest level of safeguarding, protecting and managing crucial, confidential customer information. However, it is just as important to educate the retail clients to act responsibly when maintaining their end of the deal. This requires strong passwords and a viable second factor (two-factor authentication) when logging on to their intranet, extranet, or POS system.
How to Educate
The managed service provider fully manages all of the connections from the company intranet server to the MSP servers. The managed service provider, however, does not control how passwords are protected at the employee level. It is imperative to educate the retail client that every member of the team must create, maintain and safeguard their username/password combinations so that no unauthorized access to the server is obtained.
Additionally, it is the responsibility of the managed service provider to develop a standard where only strong passwords are accepted from the employee. By developing strong protocols, the MSP might set up a system that only accepts a combination of uppercase and lowercase letters in combination with numbers and symbols. By building a password on mnemonics, the first layer of authentication can remain secure.
However, a single layer of authentication is never enough. The MSP must offer viable two-factor authentication solutions, whether hardware- or software-based. These solutions could include:
- USB Tokens – Utilized for providing an instant logon credential, USB tokens work well in identifying the user, unless the token is stolen.
- Magnetic Stripe Cards – These smartcards are no larger than a credit card and hold credential information for logging on to an account.
- Wireless Tokens – A wireless token holds the same information as a smart card but uses RFID or Bluetooth technology to communicate wirelessly.
- Key Fobs – Often referred to as a “disconnected token” or a “token with a display”, a key fob is an authentication token that fits comfortably in a pocket. It generates either a time-based or an event-based sequence of values.
- Soft Tokens – Similar to a virtual token, a soft token can be utilized on both a PC and a smart phone.
- Smart Phone Tokens – A smartphone token is available in a variety of different options that include:
  - Smart Phone Push
  - Mobile Applications
  - Mobile Signature
  - SMS One Time Passwords
  - Assignment to the Bearer
- Biometrics – A biometric system scans an iris or fingerprint. Some biometric systems are built on facial recognition or pattern recognition software, which can recognize how an individual types, moves, blinks, or other basic features of movement.
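The time-based and event-based values that key fobs and soft tokens display are the one-time codes defined in RFC 4226 (HOTP) and RFC 6238 (TOTP). The following is an added example, not code from the original article or from AuthAnvil, showing how a server generates and verifies both kinds and why the verification side matters: a TOTP check must tolerate a little clock drift, and an HOTP check must refuse counters that were already used. The shared secret is the RFC test-vector secret, used here only so the results can be checked against the published vectors.

```python
import hmac
import hashlib
import struct

# Shared secret from the RFC 4226 / RFC 6238 test vectors (not a real deployment key).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 event-based code: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based code: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step, digits)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current time step and +/- `window` neighbouring steps so that a
    fob whose clock has drifted slightly still works. Comparison is constant-time."""
    current = at // step
    for skew in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, current + skew, digits), code):
            return True
    return False


def verify_hotp(secret: bytes, code: str, last_counter: int,
                look_ahead: int = 5, digits: int = 6):
    """Event-based verification. Searches forward from the last accepted counter
    (a user may have pressed the button without logging in) and returns the new
    counter to store, or None. Counters at or below `last_counter` are never
    accepted, which blocks replay of a code that was already used."""
    for candidate in range(last_counter + 1, last_counter + 1 + look_ahead):
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_SECRET, 0))        # RFC 4226 vector: 755224
    print("TOTP at t=59:  ", totp(RFC_SECRET, 59))       # RFC 6238 vector (6 digits): 287082
    print("replay accepted?", verify_hotp(RFC_SECRET, hotp(RFC_SECRET, 0), 0) is not None)
```

The stored `last_counter` (for HOTP) or the last accepted time step (for TOTP) must be updated on every successful login, otherwise the replay protection shown above does nothing.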
With changing technology, and the increase of cyber-attacks from all corners of the earth, it is important that MSPs educate their clients on managing and protecting their connectivity across the Internet. Adding an additional layer of built-in, multi-factor authentication security can empower both the MSP and the client while safeguarding confidential, critical information concerning online retail sales.
Struggling with PCI compliance? Check out this free whitepaper that will show you how to use AuthAnvil to fulfil the strong authentication requirements of PCI.