Once upon a time the net was fairly safe, the major unpleasantness being flame wars between opinionated geeks spouting from the safety of their bedrooms.
Things have moved on and today an enormous amount of commerce is conducted online. Naturally this has created a huge incentive for those who feel less bound by society’s conventions, mostly people trying to get rich quick, but sometimes someone with a grudge who just wants to cause damage to an organisation.
When looking for financial gain, attackers may turn their attention on several areas. Customer details, including email addresses, are traded on the underground markets, payment card numbers are a useful commodity and direct compromise of a system, for example to deliver a loaded pre-paid card to an address of the attacker’s choice can net plenty of rewards.
The criminals have plenty of resource on their side. There is a thriving dark economy in software and skills used to exploit sites and services and UltraPoS, dealing with thousands of financial transactions per day is in the frame for some attention.
SCL employ a variety of defences against attack. The first is obviously the firewalls and intrusion detection systems that deter the door knob rattlers of the cyber world – if there isn’t an open door, a lot of the opportunists will move on. Our technical team take a lot of care in denying access by default – only the right sort of traffic from the right sort of places gets in.
It goes without saying that UltraPoS uses encryption in many areas. The session between your browser and our application servers is encrypted; customer and other sensitive data is encrypted in our databases; communication between UltraPoS and our third-party providers is encrypted; delivery of overnight reports or general ledger information to your organisation is encrypted. We also take key management seriously by using properly shared certificates. Yes it’s a nuisance going through all the hoops, but whilst sharing a password in an email may be quick and easy it’s not very secure. As in all other areas, process is paramount – we are not going to exchange a certificate without any validation of the recipient.
Phishing is one of the key attacks an organisation can suffer. Whilst SCL have limited influence on our clients’ users, our support staff use process and training to avoid fraudsters from being able to gain access to UltraPoS by asking for a password reset, for example. All such requests need proof identity or use a second channel of communication. It may not be glamourous, and it may at times be infuriating to people who cannot muster the required credentials, but an inflexible process is a great barrier to people trying to get hold of a password for nefarious means.
UltraPoS copes with many forms of payment, including, of course, credit and debit cards. Because of that we need to take a great deal of care in protecting card numbers, and here PCI compliance is a big factor. UltraPoS is PCI certified. This means that unlike other vendors who push PCI compliance on to the organisations they sell to, we have annual audits on our technology, process and even staff to make sure we are doing our best to protect our clients’ customers. To satisfy the auditor we need to demonstrate our processes are sound, our staff have the necessary training and our technology is up to the job. I have experienced a couple of interviews with the auditor, but our technical director and his team, the development manager and the support team manager suffer much more intensive sessions. Ultimately once payment card information is submitted to UltraPoS you can be confident that it is looked after properly, from the technical aspects of making sure it’s encrypted, to the organisational aspects of controlling and auditing access to it.
As well as scammers, fraudsters and phishers, hackers are a threat, seeking to find nooks and crannies in any organisation. Whilst the capabilities of hackers are sometimes exaggerated, the potential for a one-off attack with a high gain is a significant risk. There are plenty of technical barriers we raise to do with session management and authorisation which I’m not going to disclose here, other than to say http only cookies, token cycling and message hashes are the sort of phrases our design teams mumble during their coffee breaks. Suffice to say that we are aware this is a moving landscape and have to keep on our toes.
Finally, I’d like to touch on availability. It’s all very well having your data encrypted and controlled, but data security is also about it being there when you need it. UltraPoS uses the software as a service model. This means that SCL worry about multiple data centres, redundancy, fail-overs, and disaster recovery. Whilst it contributes to our technical director’s grey hairs, the planning and exercises we have in place saves our clients, especially of the USBE edition of UltraPoS, from having to spend time, resource and money on backups, strategy documents, and secure storage. These aspects are our problem, not yours.
These are not the only mechanisms we use, but hopefully I’ve outlined some of the tenets by which SCL operates. Securing data takes as much effort as building the set of features you will use in the next version of UltraPoS. If we weren’t secure we wouldn’t be able to sell UltraPoS.
I suppose I should also say our technical director is not the only one with grey hairs in his beard.
Fred Smith is a technical lead at SCL. His roles are varied but include moulding UltraPoS to clients’ needs as well as designing the next generation of UltraPoS technology. And managing his beard.