Subway Franchisees Learn the Value of PCI DSS — Quick Take

Although some small businesses might feel intimidated and overwhelmed by the PCI DSS, let this recent point-of-sale (POS) attack on Subway franchisees be a lesson in IT security for all.

Ars Technica reports on an unsealed indictment from the US District Court of New Hampshire, which reveals that a group of Romanian hackers stole credit and debit card data from over 80,000 customers — many of which came from roughly 150 Subway restaurants — by hacking in to the POS systems with remote access software. Remote access software on POS systems is a no-no according to the PCI DSS, which means this attack could’ve been prevented if the businesses had complied with the PCI DSS standard.

"With PCI compliance, those apps shouldn't be on those systems," said Konrad Fellmann, audit and compliance manager for SecureState, an IT security firm with a practice in retail security auditing, in an interview with Ars. But because small retailers don't store credit card data, they're not required to have the same level of auditing as larger companies, Fellmann said.

In the case of Subway restaurants, those requirements were provided to franchisees. But according to Evan Schuman, editor of retail technology trade site StorefrontBacktalk, some of the franchisees "directly and blatantly disregarded" Subway's security and POS configuration standards. "It's not like they had to install something and they didn't," Schuman told Ars. "They did it proactively," he said, downloading low-cost remote desktop software from the Internet and refusing to use point-to-point encryption as Subway dictated.

PCI DSS compliance is clearly not optional with Internet hackers on the prowl for easy prey. It’s now, more than ever, a must-do for small and medium-sized businesses that deal with payment data.

Read more about IT security and PCI DSS compliance in the full story from Ars Technica.

For more great stories from around the web, visit our list of 50 Must-Read IT blogs.