Simple Hacks to Accept Credit Cards


Accepting credit cards used to be simple. Open an account with your bank, connect a small terminal and start swiping payments from clients. But the Internet has changed all of that. An explosion of e-commerce websites accepting credit card payments has created a rich target for criminals. And so banks and processors have created a complex web of rules and requirements that you must follow. Failure to comply can mean fines in the thousands of dollars and loss of your status as a merchant, which means saying goodbye to your clients.
 

The rules are called the Payment Card Industry Data Security Standards or PCI-DSS and are grouped into 12 areas of how a business handles credit cards. These are further broken down into some 220 requirements a business is required to meet.

We're going to look at a collection of simple technology hacks you can use to ensure your infrastructure is compliant. These hacks can be easily scripted, which makes deploying them a snap. We'll describe each hack individually in this article, along with its justification.

PCI-DSS Rule 8.1.4 Remove inactive user accounts within 90-days

Companies that accept credit cards are required to remove accounts that have drifted into inactivity.  The idea behind this rule is that accounts that are not used regularly are often the target of hackers. Hackers look for these accounts to hide their tracks. If they can break into an inactive account, they can gain a foothold in the network and then explore how to wreak havoc without anyone noticing their activity.

You need to police your accounts and look for those that have not been used in more than 90 days. The PCI rule calls for you to disable these accounts. By only disabling the account, rather than deleting it, you can easily reactivate it if you decide you need it in the future.

The command to list all accounts on Windows is:

    C:\> NET USER
 

To see the last time a specific user logged on, pass the name of the account and filter the output for the string "Last logon", e.g.:

    C:\> NET USER account | FINDSTR /B /C:"Last logon"
 

To disable an account, use the command:

    C:\> NET USER account /ACTIVE:NO
 

If you have WMIC.exe, you can generate a report of all local accounts and their last logon in a single step with the following command (it is one line; the "skip=1" drops the "Name" header WMIC prints, and the ^| escapes the pipe inside the FOR /F clause):

    C:\> FOR /F "skip=1" %N IN ('WMIC PATH Win32_UserAccount Get Name ^| FINDSTR /R /V "^$"') DO @ECHO ACCOUNT %N && NET USER %N | FINDSTR /B /C:"Last logon"
 
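The same audit in script form, as an added example that is not part of the original article: it lists the enabled local accounts whose last logon is older than the 90-day cutoff (or that have never logged on) and, only when asked, disables them the way the NET USER /ACTIVE:NO step does. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows PowerShell 5.1 and later) and an elevated prompt; Get-LocalUser covers local accounts only, so domain accounts need a separate check against Active Directory.

```powershell
# Added example (not from the article): audit local accounts for PCI-DSS 8.1.4.
# Uses Get-LocalUser / Disable-LocalUser from Microsoft.PowerShell.LocalAccounts.
# Run elevated. Pass -Disable to act on offenders; the default is report-only.
param(
    [int]$InactiveDays = 90,
    [switch]$Disable
)

$cutoff = (Get-Date).AddDays(-$InactiveDays)

$findings = foreach ($user in Get-LocalUser) {
    # Accounts that are already disabled need no action.
    if (-not $user.Enabled) { continue }

    $last = $user.LastLogon   # $null when the account has never logged on locally

    # An account created long ago and never used is just as stale as one whose
    # last logon is past the cutoff, so "never" is treated as inactive as well.
    $isStale = ($null -eq $last) -or ($last -lt $cutoff)
    if (-not $isStale) { continue }

    [pscustomobject]@{
        Name      = $user.Name
        LastLogon = if ($null -eq $last) { 'never' } else { $last.ToString('yyyy-MM-dd') }
        Action    = if ($Disable) { 'disabled' } else { 'report only' }
    }

    if ($Disable) {
        # Disable rather than delete, so the account can be reactivated later.
        Disable-LocalUser -Name $user.Name
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    Write-Host "No enabled local accounts inactive for more than $InactiveDays days."
}
```

Save it as a .ps1 and run it first without -Disable to review the list, then with -Disable once you are satisfied it only names accounts you expect.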

PCI-DSS Rule 8.1.6 Limit repeated access attempts by locking out the user ID after not more than six attempts.

Companies that accept credit cards are required to limit the number of failed logon attempts an account will accept before it is "locked out". "Lock out" means the account is locked either for a period of time or until an authorized administrator releases the lock. This requirement is designed to block hacking using so-called "dictionary attacks", where hackers systematically try different combinations of passwords in an attempt to hit on the right one.

The command to see the current account lockout settings is:

    C:\> NET ACCOUNTS | FINDSTR /B /C:"Lockout threshold"
 

Changing the lockout threshold to 6, as required by PCI, requires an undocumented option of the NET ACCOUNTS command, e.g.:

    C:\> NET ACCOUNTS /LOCKOUTTHRESHOLD:6
 

PCI-DSS Rule 8.1.7 Set the lockout duration to a minimum of 30 minutes or until an administrator enables the user ID

Companies that accept credit cards are required to set a lockout duration on failed logon attempts. The duration is the amount of time an account stays locked before the lock is released and the account is available for logon again. Introducing a minimum 30-minute delay will slow down hackers who are attempting to mount a dictionary-style attack and effectively defeat their activity.

Changing the lockout duration requires making two separate changes to the lockout policy, both using undocumented options of the NET ACCOUNTS command. The first sets the duration itself; the second sets the observation window, the number of minutes within which failed attempts are counted towards the threshold, and Windows requires it to be no longer than the lockout duration, e.g.:

    C:\> NET ACCOUNTS /LOCKOUTDURATION:30
    C:\> NET ACCOUNTS /LOCKOUTWINDOW:30
 

You can confirm your settings have taken effect with the command:

    C:\> NET ACCOUNTS
 

PCI DSS Rule 8.1.8 If a session has been idle for more than 15 minutes, require the user to re-authenticate to re-activate the terminal or session.

Companies that accept credit cards are expected to protect cardholder data by ensuring that if a user walks away from a machine, the unattended machine automatically locks the session after 15 minutes of idle time. The lock should hide the screen behind a pattern (i.e. a screensaver) and require the user to re-authenticate when they return to the machine.

There are three registry settings that relate to this requirement. The first enables a screensaver, the second requires the user to re-authenticate when the screensaver is dismissed, and the third sets the timeout period to fifteen minutes (900 seconds). All three live under HKCU, so they apply to the user who runs the commands:

    C:\> REG ADD "HKCU\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d C:\Windows\system32\scrnsave.scr /f
    C:\> REG ADD "HKCU\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 1 /f
    C:\> REG ADD "HKCU\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d 900 /f
 

To make these changes take effect, you either need to reboot, or run the following command:

    C:\> rundll32.exe user32.dll, UpdatePerUserSystemParameters
 
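Because the REG ADD commands above write to HKCU, they only cover the user who ran them. The following is an added example, not part of the original article, that checks the same three values for every user profile currently loaded under HKEY_USERS and reports which ones fall short of the 15-minute secure lock. It assumes an elevated PowerShell session (needed to read other users' hives) and that the value names are the ones the article uses.

```powershell
# Added example (not from the article): check the three PCI-DSS 8.1.8 screen-lock
# values for every user profile currently loaded under HKEY_USERS, not only the
# current user, since the article's REG ADD commands write to HKCU only.
function Test-ScreenLockPolicy {
    param([int]$MaxIdleSeconds = 900)   # 15 minutes

    # Loaded user hives are named by SID (S-1-5-21-...). The regex excludes the
    # *_Classes hives and built-in service SIDs, which have no interactive desktop.
    $hives = Get-ChildItem Registry::HKEY_USERS |
        Where-Object { $_.PSChildName -match '^S-1-5-21-\d+-\d+-\d+-\d+$' }

    foreach ($hive in $hives) {
        $sid   = $hive.PSChildName
        $key   = "Registry::HKEY_USERS\$sid\Control Panel\Desktop"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

        # All three values are REG_SZ strings; a missing value means "not set".
        $saver   = $props.'SCRNSAVE.EXE'
        $secure  = $props.ScreenSaverIsSecure
        $timeout = $props.ScreenSaveTimeOut

        $problems = @()
        if ([string]::IsNullOrEmpty($saver)) { $problems += 'no screensaver configured' }
        if ($secure -ne '1') { $problems += 'screensaver does not require re-authentication' }
        # A ScreenSaveTimeOut of 0 (or an absent value) disables the timeout entirely.
        if (-not ($timeout -as [int]) -or [int]$timeout -gt $MaxIdleSeconds) {
            $problems += "timeout is '$timeout', must be 1-$MaxIdleSeconds seconds"
        }

        # Resolve the SID to a user name for readability; fall back to the SID.
        $name = try {
            ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { $sid }

        [pscustomobject]@{
            User      = $name
            Compliant = ($problems.Count -eq 0)
            Problems  = ($problems -join '; ')
        }
    }
}

Test-ScreenLockPolicy | Format-Table -AutoSize
```

Profiles that are not loaded (users who are logged off) do not appear under HKEY_USERS, so run the check while users are logged on or load their hives first.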

PCI-DSS Rule 8.2.3 Passwords/passphrases must meet the following: Require a minimum length of at least seven characters, Contain both numeric and alphabetic characters.

Companies that accept credit cards are expected to use smart password policies to make it more difficult for hackers to successfully guess the password. The requirement is that the password be at least seven characters and contain letters and numbers.

You can set the minimum password length to 7 characters using the NET ACCOUNTS command, e.g.:

    C:\> NET ACCOUNTS /MINPWLEN:7
 

Windows can force users to select passwords that are a mixture of letters and numbers by applying a Password Complexity policy. Note that the Windows rule is stricter than the PCI minimum: it requires characters from at least three of the four categories (uppercase letters, lowercase letters, digits and symbols). This setting can only be accessed through the Local Security Policy editor:

    C:\> SECPOL.MSC
 

Navigate to:

    Security Settings > Account Policies > Password Policy

and change:

    Password must meet complexity requirements => Enabled

PCI-DSS Rule 8.2.4 Change user passwords/passphrases at least once every 90 days.

In keeping with the policy that companies use smart password policies, PCI requires that users be forced to change their passwords every 90 days. The principle is that passwords that remain valid for a long time without change give malicious individuals more time to work on breaking them.

You can enforce a password expiration of 90 days using the NET ACCOUNTS command, e.g.:

    C:\> NET ACCOUNTS /MAXPWAGE:90
 

PCI-DSS Rule 8.2.5 Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used.

In keeping with the policy that companies use smart password policies, PCI requires that users not be allowed to reuse passwords too frequently. Without this policy, users could keep reusing the same old passwords, which would reduce the effectiveness of changing passwords. Requiring that passwords cannot be reused for a period of time reduces the likelihood that passwords that have been guessed or brute-forced will be used in the future.

There are two Windows settings that enforce this policy, both of which can be set using the NET ACCOUNTS command, e.g.:

    C:\> NET ACCOUNTS /UNIQUEPW:4
    C:\> NET ACCOUNTS /MINPWAGE:1
 

The second setting, MINPWAGE, prevents a user from quickly changing their password four times in a row to cycle through the history and trick the system into letting them reuse their favorite password. It enforces that any password they choose must be kept for at least one day.
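All of the NET ACCOUNTS settings from rules 8.1.6, 8.1.7, 8.2.3, 8.2.4 and 8.2.5 can be verified in one pass. The following is an added example, not part of the original article, that parses the output of NET ACCOUNTS and compares each value with the limit the corresponding PCI rule calls for, treating the words Windows prints for "off" states (Never, Unlimited, None) as non-compliant. It assumes English-language NET ACCOUNTS output; the labels differ in other locales.

```powershell
# Added example (not from the article): parse the output of NET ACCOUNTS and
# compare each value with the PCI-DSS 8.1.6, 8.1.7, 8.2.3, 8.2.4 and 8.2.5 limits.
# Assumes English-language NET ACCOUNTS output (labels differ in other locales).
function Get-NetAccountsPolicy {
    $policy = @{}
    foreach ($line in (net accounts)) {
        # Lines look like "Lockout threshold:        Never". A label may itself
        # contain a colon ("...time expires?:"), so split on the run of spaces.
        if ($line -match '^(.+?):\s{2,}(\S.*)$') {
            $policy[$matches[1].Trim()] = $matches[2].Trim()
        }
    }
    return $policy
}
# NET ACCOUNTS prints words for "off" states; map them so they compare correctly
# (no lockout = unlimited attempts, no history kept = 0, password never expires).
# Returns $null when the value is missing or not a number.
function ConvertTo-PolicyNumber([string]$Value) {
    switch ($Value) {
        'Never'     { return [int]::MaxValue }
        'Unlimited' { return [int]::MaxValue }
        'None'      { return 0 }
        default     { $n = 0; if ([int]::TryParse($Value, [ref]$n)) { return $n } else { return $null } }
    }
}
function Test-PciAccountPolicy {
    $p = Get-NetAccountsPolicy
    $checks = @(   # label in NET ACCOUNTS output, PCI rule, comparison, limit
        @{ Label = 'Lockout threshold';                     Rule = '8.1.6'; Op = 'le'; Limit = 6  },
        @{ Label = 'Lockout duration (minutes)';            Rule = '8.1.7'; Op = 'ge'; Limit = 30 },
        @{ Label = 'Minimum password length';               Rule = '8.2.3'; Op = 'ge'; Limit = 7  },
        @{ Label = 'Maximum password age (days)';           Rule = '8.2.4'; Op = 'le'; Limit = 90 },
        @{ Label = 'Length of password history maintained'; Rule = '8.2.5'; Op = 'ge'; Limit = 4  },
        @{ Label = 'Minimum password age (days)';           Rule = '8.2.5'; Op = 'ge'; Limit = 1  }
    )
    foreach ($c in $checks) {
        $raw = $p[$c.Label]
        $n   = ConvertTo-PolicyNumber $raw
        # A missing or unparseable value is reported as non-compliant, never as a pass.
        $ok  = ($null -ne $n) -and $(if ($c.Op -eq 'le') { $n -le $c.Limit } else { $n -ge $c.Limit })
        [pscustomobject]@{
            Rule = $c.Rule; Setting = $c.Label; Current = $raw
            Required = "$($c.Op) $($c.Limit)"; Compliant = $ok
        }
    }
}

Test-PciAccountPolicy | Format-Table -AutoSize
```

Any row with Compliant set to False points at the NET ACCOUNTS option from the matching section above that still needs to be applied.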

Summary

If you follow the simple procedures in this article, you've addressed a material number of the PCI-DSS rules that fall under the category '8 — Identify and authenticate access to system components'. Whenever you can find a series of quick hacks such as these to get into compliance, it's best to take advantage of them. The remaining provisions of this category need to be addressed with user awareness training and documentation, which is a bit more work, so it's great to have a few quick fixes when possible.

Further Reading

Carroll-Net Article on PCI-DSS Network Compliance

Microsoft Documentation on NET USER command

Microsoft Documentation on NET ACCOUNTS command

Microsoft Documentation on REG command

Download official PCI-DSS documentation: