Recent findings of "Shadow IT" within Padgett-Beale properties have been a
shocking discovery. Micropayments using unauthorized payment cards, and the
processing of such transactions, are not authorized by the organization's IT
policy. All properties issuing payment cards bearing the property name are to
cease the activity immediately. The technology and its implementation must pass
Padgett-Beale's IT device and software approval process before any such
technology is deployed. Unsecured payment methods and processing violate the
Payment Card Industry Data Security Standard (PCI-DSS), an industry-wide
standard that protects customer data and minimizes serious breaches and major
losses of confidentiality. PCI-DSS is by no means law; it is part of the
contractual relationship between the merchant and the card company. Some states
may write laws modeled on PCI DSS (Willis, 2019).

There are several factors required for compliance with PCI-DSS, none of which
are met by the unauthorized micropayment systems that are tied to customers'
credit cards. These factors include installing and maintaining a firewall to
protect data in transmission and at rest; changing vendor-supplied login
credentials and using secure communication ports and protocols; encrypting data
in transit and data at rest; and enforcing access control over the credit card
data collected by the business. In its current state, the micropayment system
that has been illicitly installed at some Padgett-Beale properties has not been
documented as following any of these controls that would bring it into
compliance with PCI-DSS. Padgett-Beale is exposed to penalties from card brands
and banks in the case of a breach. This would severely affect confidence in the
business, and the bottom line of the organization would be negatively affected
(Willis, 2019).
One of the most concerning parts of the rogue micropayment process installed at
Padgett-Beale is its connection to customer credit card information. This
information needs to be secured in several ways. First, all IT devices that are
part of the payment system must be scanned for vulnerabilities. Vulnerabilities
discovered should be closed or mitigated by working with the suppliers of the IT
devices that are part of the payment processing. Open vulnerabilities are among
the easiest ways for outside threats to expose and steal sensitive customer data
(Wilder, 2020). Firewalls protecting all network-connected payment processing
devices must be enabled for added layers of security. These firewalls must not
allow any traffic that is not authorized or required by the payment processing
systems. Securing data in transit by encryption and the use of secure protocols
is a must; it deters man-in-the-middle attacks from deciphering the information
being captured if an attack were to occur. Data stored on the organization's
servers must also be encrypted and protected through proper firewalling,
patching of vulnerabilities, and access control on a need-to-know basis.
In the current state, the unauthorized micropayment processing that has been
installed at Padgett-Beale complies neither with the organization's IT
governance nor with PCI-DSS. Therefore, the micropayment processing system at
our facilities should be suspended until security is in place to bring it into
compliance with PCI-DSS. This will protect customer payment information from
being stolen, which would result in severe penalties falling on Padgett-Beale
for negligence and non-compliance. It is important that IT devices and software
are secured, validated, and approved before being connected to the enterprise
network. With proper hardening and due diligence, Padgett-Beale can provide
safe, secure, and easy payment systems for its customers.
References

Kossman, S. (2021, December 17). 8 FAQs about EMV credit cards. CreditCards.com.
https://www.creditcards.com/education/emv-faq-chip-cards-answers-1264/

Wilder, J. (2020, August 6). The 2019 PCI Compliance Annual Plan. PCI Compliance Guide.
https://www.pcicomplianceguide.org/2019-pci-compliance-annual-plan/

Willis, L. (2019, January 3). The Payment Card Industry Data Security Standard. American Bar Association.
https://www.americanbar.org/groups/litigation/committees/minority-trial-lawyer/practice/2019/the-payment-card-industry-data-security-standard/