The Green Sheet Online Edition
November 10, 2008 • Issue 08:11:01
Be a payment security architect
There's no denying the retail environment is a tempting target for criminals intent on capturing cardholder information to create counterfeit payment cards or commit other fraudulent acts.
The good news is an increasing array of solutions are aimed at bolstering security in the checkout lane; the bad news is it seems like each individual merchant is expected to put together his or her own patchwork quilt of defenses.
All, not a few
Data breach incidents over the past couple of years have demonstrated conclusively that this is a problem for retailers both large and small - from the chains with thousands of checkout counters to the small convenience store with just one payment terminal.
Retailers, understandably, are frustrated. They face increasing demands to comply with a dizzying array of industry mandates aimed at filling the most glaring gaps in the security value chain. They are concerned penalties will flow downhill so, ultimately, they will be left holding the bag for breaches.
Consulting versus selling
As always, with any problem of this magnitude, there is great opportunity for ISOs and merchant level salespeople who can make the leap from product sales to consultative solution sales. Merchants need help figuring out what standards they must meet. They also need assistance in identifying the best, most cost-effective solutions to keep them in compliance now and in the future.
It should be clear by now to all in the payments industry that security requirements are based on shifting sands. The Payment Card Industry (PCI) Data Security Standard (DSS), for example, was recently updated from version 1.1 to 1.2.
At the time, the PCI Security Standards Council made an emphatic point of reiterating it is committed to an "established lifecycle process that will ensure that the PCI DSS ... is revised and updated on a two-year cycle."
WPA over WEP
Much of the PCI DSS 1.2 update refined the previous version to clarify provisions and make it easier to implement. Probably the most substantial change involves the requirements for wireless payment security.
The updated version prohibits implementation of Wired Equivalent Privacy (WEP) for new deployments after March 31, 2009; for current wireless implementations, it bans the use of WEP after June 30, 2010.
Many merchants undoubtedly are not clear on the differences between WEP and Wi-Fi Protected Access (WPA and WPA2). It's a good bet you could still find a merchant who hasn't even turned on WEP or is still using the factory-default login and password on the wireless router in use.
Evolving versus static
Regardless, the PCI DSS represents a snapshot in time. Achieving compliance today does not mean you'll be in compliance tomorrow.
There's also the troubling issue of whether being certified as compliant is sufficient to protect a merchant if it later turns out the merchant's compliance auditor missed something or otherwise erred in making such certification.
Even if a merchant can keep up with updates to the PCI DSS, the PCI council pointed out that "each card brand has defined specific requirements for validation of compliance and reporting, such as provisions for self assessment versus using a qualified security assessor."
Passing or holding the bag
Visa Inc., for example, stated acquirers are responsible for all their merchants' compliance. Mandating level 1, 2 and 3 merchants to have quarterly network scans done by approved scanning vendors is an extension of this.
However, Visa pointed out compliance validation "may be required" even for level 4 merchants. Under Visa's PCI Compliance Acceleration Program, acquirers are vested with the responsibility to identify, prioritize and manage risk within their level 4 merchant populations.
Well, we all know who bridges the gap between the small merchants and acquirers. Do you feel that, today, you are qualified to quickly identify and manage risk among your merchant customers? I invite you to have your team take VeriFone's quick Security Quiz at www.verifone.com/about-us/industry-leadership/security.aspx to check their basic understanding of some of the issues you and your customers face.
End-to-end, not piecemeal
There are many options available today that offer much stronger security safeguards than existed just a couple of years ago. It's important to educate and encourage your merchant customers to make the investment in up-to-date terminals and software that meet today's standards.
Ultimately, however, the only sure way to ensure security is end-to-end card data encryption. By protecting card data from the point at which it is swiped at the POS, merchants will be protected from the unknown.
They will no longer have to worry that somewhere in their systems they are unwittingly storing card information or inadvertently providing a gateway for criminals to intercept unencrypted card data.
Encrypting data directly at the POS with what is known as Triple Data Encryption Standard (Triple DES) greatly increases the complexity of the cardholder data encryption and makes it practically impossible to crack.
But simply encrypting data in this manner also renders it useless to many in-store systems and networks because they can't read the relevant data to process transactions. Besides, most retailers have fine-tuned their networks, so any drastic increase in data overhead would cripple the system and force network upgrades to handle the additional data traffic.
One solution is to use Hidden Triple DES to encrypt the data at the moment the card is swiped while preserving its original format.
With this technology, the encrypted stripe data not only looks exactly like an unencrypted mag stripe data string - including the bank identification number and the last four digits of the card, which most systems are designed to read - but it also adds no additional data overhead. Thus, current retail network systems do not need to undergo unnecessary upgrades to enjoy end-to-end card data encryption.
In-store systems, servers and networks are able to pass the data through to the processor without any possibility that it could be compromised even if it were captured by a criminal.
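The property described above, as an added illustration that is not VeriFone's Hidden Triple DES (whose design is proprietary) and not a standardized scheme such as NIST FF1: the 6-digit BIN and the last four digits pass through unchanged, only the six middle digits are transformed by a Feistel network whose round function is a 3DES block encryption, and the output is still a 16-digit string with zero added overhead. The key and the PAN are constructed sample values.

```go
package main

import (
	"crypto/des"
	"encoding/binary"
	"fmt"
	"strconv"
)

// Constructed 24-byte 3DES key for the demo; real terminals receive keys by secure key injection.
var demoKey = []byte("0123456789abcdefABCDEF01")
const rounds = 8

// fpe encrypts (or, with decrypt=true, decrypts) the six middle digits of a 16-digit PAN with a
// Feistel network keyed by 3DES. The BIN and last 4 digits pass through, so the output is still 16 digits.
func fpe(key []byte, pan string, decrypt bool) (string, error) {
	if len(pan) != 16 {
		return "", fmt.Errorf("expected a 16-digit PAN, got %d characters", len(pan))
	}
	block, err := des.NewTripleDESCipher(key)
	if err != nil {
		return "", err
	}
	// Round function: 3DES over (round index, 3-digit half), reduced into [0,1000).
	f := func(i int, x uint32) uint32 {
		var in, out [8]byte
		binary.BigEndian.PutUint32(in[:4], uint32(i))
		binary.BigEndian.PutUint32(in[4:], x)
		block.Encrypt(out[:], in[:])
		return uint32(binary.BigEndian.Uint64(out[:]) % 1000)
	}
	mid, err := strconv.ParseUint(pan[6:12], 10, 32) // the six digits that get transformed
	if err != nil {
		return "", fmt.Errorf("middle digits of %q are not numeric", pan)
	}
	l, r := uint32(mid/1000), uint32(mid%1000)
	for n := 0; n < rounds; n++ {
		if !decrypt {
			l, r = r, (l+f(n, r))%1000
		} else { // undo the rounds in reverse order
			i := rounds - 1 - n
			l, r = (r+1000-f(i, l))%1000, l
		}
	}
	return pan[:6] + fmt.Sprintf("%03d%03d", l, r) + pan[12:], nil
}

func main() {
	fmt.Println(fpe(demoKey, "4012001234567891", false)) // constructed sample PAN
}
```

Because the ciphertext is the same length and character set as the plaintext, every in-store system that parses the BIN or the last four digits keeps working, while only the processor holding the key can recover the full PAN.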
Airtight and impenetrable
Another byproduct of the solution is that stolen card business will be polluted at the source, and criminals will not know they are receiving card information that is useless for their purposes.
Once critical mass is achieved, fraudsters' return on investment in stolen card information will be reduced to the point at which the criminal element will no longer see it as a viable pursuit.
Large retailers have already stated publicly that end-to-end encryption is the only truly secure method for dealing with card data. That, I believe, will lead the card brands and standards-setting bodies to move in this direction - eventually.
Anybody in the payment value chain who doesn't want to get left holding the data breach ball has a vested stake in the adoption of end-to-end encryption. As vendors adapt to this approach to security, it will become easier and more cost-effective to craft architected solutions for even the smallest merchants.
Scott Henry is Director, North America Product Marketing, for VeriFone. He can be contacted at firstname.lastname@example.org.