Last updated 01/25/2023

Guide to Patching

RISK & COMPLIANCE 

Data security update: guide to patching

Patching and why it’s important 

Forensic investigation findings of account data compromises have shown that one of the key reasons for the loss of data is a lack of security patching.

It’s thought that the vast majority of merchants are using out-of-date software, leaving them vulnerable to attack, as timely security updates aren’t being made. Criminals are preying on such users and are hacking their customers’ personal data, including card data.

By simply following your service provider’s instructions and installing the patches immediately, or as soon as possible, you can reduce your chance of becoming a victim.

What’s a patch?  

A patch is a piece of software designed to upgrade a computer programme to a more recent version. A patch can be required for a number of reasons, not only to introduce new features but also, and more importantly, to iron out any known security issues or vulnerabilities. These vulnerabilities, if not fixed, could mean your business is open to a cyberattack. Patches that fix them are sometimes known as critical patches.

Why’s patching important?  

If you don’t apply critical patches, the software installed on your website or elsewhere in your network becomes out of date, and criminals are able to exploit any known vulnerabilities associated with it. All it takes is for an attacker to identify that a patch hasn’t been installed to give them the opportunity to access your web environment and lay the path to steal your customers’ data.

The Payment Card Industry Security Standards Council (PCI SSC) published an infographic and a short video to help educate merchants and businesses on the importance of patching.

Please click on the links below to view: 

  • PCI SSC Infographic: Patching 
  • PCI SSC Video: Patching 

UNPATCHED SOFTWARE IS ONE OF THE LEADING CAUSES OF DATA BREACHES FOR BUSINESSES.

How and when are you notified about patches?

Like any software update, patches are released by your service provider on a regular basis, depending on their severity. It’s up to you to ensure that you action all update requests, as many will require your approval before they’re actioned.

What about Approved Scanning Vendor (ASV) scans and how can they help?  

ASV scans are a perimeter check of your website and/or your payment environment and form part of your Payment Card Industry Data Security Standards (PCI DSS) validation, dependent on your environment. ASV scans look for vulnerabilities or weaknesses that could be misused by someone to gain access to your systems, and produce a report of any vulnerabilities identified. But what does this actually mean?

  • It’s a bit like having someone check your premises are physically secure - Have you locked the back door? Are your windows shut? Are there any known defects with your security alarm?

  • The scans are basically highlighting that you may have left a port open, which hackers could gain entry through. Or, you’re using an outdated and vulnerable piece of software and you are required to upgrade to the latest version/install a patch to fix the vulnerability.

Further useful resources from the PCI SSC: 

  • Defending Against Ransomware 
  • Defending Against Phishing & Social Engineering Attacks 
  • Protecting Your Customers’ Payment Card Data from Malware
  • Guide to Safe Payments Version 2.0 • August 2018

Remember that an ASV scan shouldn’t be used as your sole means of identifying vulnerabilities. It’s up to you to ensure you install all critical security patches provided by your service provider!

PCI DSS patching requirements  

It’s worth noting that PCI DSS addresses the requirement to install security patches, with critical patches required to be installed within one month of release, if not sooner:

6.1 Establish a process to identify security vulnerabilities, using reputable outside sources for security vulnerability information, and assign a risk ranking (for example, as “high,” “medium,” or “low”) to newly discovered security vulnerabilities.

6.2 Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release. 
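One way to track the one-month window from 6.2 across a patch inventory, as an added example that is not part of the original guide or of PCI DSS. It assumes "one month" means a calendar month (clamped at month end); the component names and dates are constructed sample data.

```python
from calendar import monthrange
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Patch:
    component: str                    # system component or software being patched
    critical: bool                    # marked as a critical security patch
    released: date                    # vendor release date
    installed: Optional[date] = None  # None means not yet installed

def one_month_after(d: date) -> date:
    """Same day in the next month, clamped to month end (31 Jan -> 28/29 Feb).
    Assumption: 'one month' is read as a calendar month."""
    year, month = (d.year + 1, 1) if d.month == 12 else (d.year, d.month + 1)
    return date(year, month, min(d.day, monthrange(year, month)[1]))

def status(p: Patch, today: date) -> str:
    """Classify one patch against the one-month limit for critical patches."""
    if not p.critical:
        return "not-critical"         # the one-month limit is stated for critical patches
    deadline = one_month_after(p.released)
    if p.installed is not None:
        return "installed-in-time" if p.installed <= deadline else "installed-late"
    return "overdue" if today > deadline else "pending"

def report(patches, today: date) -> dict:
    """Map each component to its status on the given day."""
    return {p.component: status(p, today) for p in patches}

# Constructed sample inventory (hypothetical components and dates).
SAMPLE = [
    Patch("web-shop-cms", True, date(2023, 1, 31), date(2023, 2, 28)),
    Patch("payment-plugin", True, date(2022, 12, 15), date(2023, 1, 20)),
    Patch("web-server", True, date(2022, 12, 1)),
    Patch("operating-system", True, date(2023, 1, 10)),
    Patch("site-theme", False, date(2022, 11, 1)),
]

if __name__ == "__main__":
    for component, state in report(SAMPLE, date(2023, 1, 25)).items():
        print(f"{component:18} {state}")
```
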

Although applying patches or fixing vulnerabilities won’t always prevent a breach, it’ll definitely reduce the impact or the exposure to your business, which, in turn, will reduce any Card Scheme penalties under consideration!


Global Payments is a trading name of GPUK LLP. GPUK LLP is authorised by the Financial Conduct Authority under the Payment Services Regulations 2017 (504290) for the provision of payment services and under the Consumer Credit Act (714439) for the undertaking of terminal rental agreements. GPUK LLP is a limited liability partnership registered in England with company number OC337146. Registered Office: Granite House, Granite Way, Syston, Leicester, LE7 1PL. The members are Global Payments U.K. Limited and Global Payments U.K. 2 Limited. Service of any documents relating to the business will be effective if served at the Registered Office.

Global Payments is also a trading name of Pay and Shop Limited. Pay and Shop Limited is a limited company registered in Ireland with company number 324929. Registered Office: The Observatory, 7-11 Sir John Rogerson's Quay, Dublin 2, Ireland. Service of any documents relating to the business will be effective if served at the Registered Office.

© 2023 GPUK LLP. All rights reserved.