The Payment Card Industry (PCI) Security Standards Council (SSC) has launched a new awareness initiative, Passwords for Payments (P4P), aimed at educating small businesses on effective password protection.[1] Small merchants are prime targets for data thieves, and password protection is one component of a comprehensive security strategy.
Did You Know?
- 60% of small businesses close six months after experiencing a breach, according to PCI SSC.
- Easily guessed passwords or weak passwords on payment systems are a primary method used by hackers.
- Basic steps can reduce the chances of a breach.
While the PCI SSC efforts are focused on small merchants, everyone can benefit from reexamining their password practices. Why? The most common password used by global businesses is “Password1”, according to the Trustwave 2013 Global Security Report.[2] Further, of the three million user passwords analyzed in the study, 50% of users were using only the basic minimum requirements.
What Can You Do?
Start following some common-sense best practices. Passwords are often compromised because they are easy for humans or programs to guess, because users write them down and expose them, or because they are stored or transmitted in plaintext. To guard against these weaknesses, consider following these recognized best practices:
- Never leave an industry-set default password in place on service accounts or systems, including POS terminals. Ever.
- The PCI SSC recommends passwords that are at least seven characters long and include a combination of letters and numbers.
- The longer the password the better. The more characters in a password, the greater the number of possible combinations. Consider using a long passphrase.[3]
- Don’t use the same password for all your accounts.
- Change your password with some frequency.
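One way to check proposed passwords against the practices above at the moment they are set, as an added example that is not from the PCI SSC or the original article. The deny-list entries other than "Password1", the account names and the function names are constructed for illustration. It shows that "Password1" satisfies the seven-character, letters-and-numbers minimum, so a deny-list and a reuse check are needed alongside it.

```python
import re
from collections import defaultdict

# Constructed deny-list: the report's most common password plus hypothetical
# vendor defaults. Replace with the documented defaults of your own systems.
DENY_LIST = {"password1", "admin123", "pos12345", "changeme1"}

MIN_LENGTH = 7  # minimum length recommended by the PCI SSC, per the list above


def check_password(candidate):
    """Return the rules a candidate password breaks (empty list = accepted)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (re.search(r"[A-Za-z]", candidate) and re.search(r"[0-9]", candidate)):
        problems.append("needs both letters and numbers")
    if candidate.lower() in DENY_LIST:
        problems.append("default or commonly used password")
    return problems


def find_reuse(candidates):
    """Given {account: candidate}, return groups of accounts sharing a password."""
    by_password = defaultdict(list)
    for account, candidate in candidates.items():
        by_password[candidate].append(account)
    return sorted(sorted(accts) for accts in by_password.values() if len(accts) > 1)


def audit(candidates):
    """Check every candidate; return per-account problems and reuse groups."""
    report = {account: check_password(pw) for account, pw in candidates.items()}
    return report, find_reuse(candidates)


if __name__ == "__main__":
    # Constructed sample: passwords proposed during account setup.
    sample = {
        "pos-terminal": "Password1",
        "back-office": "Password1",
        "wifi-admin": "abc123",
        "payroll": "correct horse battery staple 42",
    }
    report, reused = audit(sample)
    for account, problems in report.items():
        print(account, "->", problems or "ok")
    print("reused across:", reused)
```

Run the check on the candidate while it is being set and discard it afterwards; stored passwords should never be kept in plaintext for auditing.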
Worth the Effort
Something as simple as having strong password controls can have a positive impact on the security of your organization. Make the effort to adhere to best practices to ensure the proper set up, care, and handling of passwords. If you don’t, you risk wishing you had.
As William H. Webster, Chairman of the Homeland Security Advisory Council, said,
“Security is always seen as too much until the day it’s not enough…”
[1] http://www.v3.co.uk/v3-uk/news/2349799/pci-security-standards-council-calls-for-payment-password-revamp
[2] http://www2.trustwave.com/rs/trustwave/images/2013-Global-Security-Report.pdf
[3] http://www.computerweekly.com/tip/Password-security-best-practices-Change-passwords-to-passphrases