The Green Sheet Online Edition

December 22, 2008  •  Issue 08:12:02


Outsmarting data thieves

Security compliance management firm Trustwave recently reported that businesses have made progress in protecting customer data over the years, but cyber criminals have adapted their techniques to access more carefully protected data.

Historically, data compromises have been the result of unauthorized parties penetrating network defenses and breaking into databases storing card data. To combat this cyber theft, the card brands now prohibit storing sensitive authentication data after authorization: the full magnetic stripe contents, the card verification code and the PIN.

As a result, nearly 87 percent of processors in North America no longer store Card Verification Value or Card Identification Number data. And according to Trustwave, these efforts appear to be working: fewer of the compromised organizations Trustwave investigated were storing prohibited data.

A numbers game

However, in 2008, the most notable development in payment card compromises has been the shift from stealing stored cardholder data to its theft in transit, Trustwave noted. Hackers are now pilfering data in real time as it passes through systems, not simply targeting at-rest cardholder information.

New attack vectors keep appearing as cyber thieves try to stay one step ahead of their targets' defenses. One example is attackers' use of malicious software (malware) to steal sensitive data out of a computer's random access memory (RAM).

With this technique, the attacker installs malware on the payment system that reads card data out of RAM while the payment application is processing it. Even though the data is never written to disk or stored, it is exposed for the moments it sits in memory in the clear.

Trustwave has only recently discovered real-world examples of data taken from computers' RAM. The company said this development is unsettling because merchants can use applications that comply with the Payment Application (PA) Data Security Standard (DSS) and still fall victim to data compromise: PA DSS validation governs how the application itself stores and handles card data, not the security of the host it runs on, and malware running on that host reads the same memory the application does.

Other examples of cardholder data theft in transit involve key-logging software and packet analyzing (sniffing) programs that capture data as it enters or leaves a system.

Sniffing programs intercept and record traffic as it enters or leaves a system, which yields card data whenever an authorization request or response travels across the network in the clear. Key-logging software records what is entered at the keyboard or from a card reader (many readers present themselves to the computer as keyboard input) before the payment application ever sees it.
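The following is an added example, not code from the original article or from Trustwave. It shows the check a forensic examiner or merchant can run to confirm whether clear-text card data is present in a process memory dump or in a captured network payload: scan the raw bytes for Track 2 records and for Luhn-valid primary account numbers (PANs). Mechanically this is the same search the RAM-scraping malware and packet sniffers described above perform, which is why it is a useful test of whether a payment application leaves anything worth stealing in memory or on the wire. The three sample buffers, the card numbers (well-known industry test numbers, not real cards) and the pseudo-ciphertext built from SHA-256 digests are all constructed for illustration.

```python
"""
Scan raw byte buffers (a process memory dump, a captured packet payload) for
clear-text payment card data: Track 2 records and Luhn-valid PANs.
Added example; the buffers and card numbers below are constructed test data.
"""
import hashlib
import re

# ISO/IEC 7813 Track 2 layout: start sentinel ';', PAN (13-19 digits), field
# separator '=', expiry YYMM, 3-digit service code, discretionary data, end sentinel '?'.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")
# A bare PAN candidate: 13-19 digits that are not part of a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out most non-PAN digit runs
    (order numbers, timestamps) that the regex alone would flag."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits, so findings can be reported
    without the report itself becoming stored cardholder data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_buffer(buf: bytes) -> list[dict]:
    """Return the Track 2 records and bare PANs found in buf, PANs masked."""
    findings = []
    track_pan_offsets = set()
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            track_pan_offsets.add(m.start(1))
            findings.append({"kind": "track2", "offset": m.start(),
                             "pan": mask_pan(pan), "expiry": m.group(2).decode(),
                             "service_code": m.group(3).decode()})
    for m in PAN_RE.finditer(buf):
        if m.start(1) in track_pan_offsets:
            continue                        # already reported as part of a Track 2 record
        pan = m.group(1).decode()
        if luhn_ok(pan):
            findings.append({"kind": "pan", "offset": m.start(1), "pan": mask_pan(pan)})
    return findings


# Constructed sample 1: a slice of a payment application's heap as a RAM scraper
# (or an examiner) would see it. A timestamp and an order id are long digit runs
# that fail Luhn; the Track 2 record and the PAN in the outgoing message do not.
MEMORY_DUMP = (
    b"\x00\x00POSApp v3.1\x00txn=20081222143015\x00order=1234567890123456\x00"
    b";4111111111111111=25121019876?\x00"          # Track 2 read from the swipe
    b"auth_req pan=378282246310005 amt=1999\x00"   # bare PAN in an outgoing message
    b"\x00\x00\x00"
)

# Constructed sample 2: a TCP payload captured between the POS and the gateway
# when the authorization request is sent in the clear (what a sniffer records).
SNIFFED_PAYLOAD = (
    b"POST /auth HTTP/1.1\r\nHost: gateway.example\r\n\r\n"
    b"pan=5555555555554444&exp=2512&cvv=123&amount=1999"
)

# Constructed sample 3: the same heap slice from a terminal that encrypts track
# data at the read head, so the application only ever holds ciphertext. The
# "ciphertext" here is a deterministic stand-in built from SHA-256 digests,
# not real encryption output.
P2PE_MEMORY = (
    b"\x00\x00POSApp v3.1\x00txn=20081222143015\x00order=1234567890123456\x00"
    + b"enc_track=" + hashlib.sha256(b"sample").digest()
    + hashlib.sha256(b"sample2").digest() + b"\x00amt=1999\x00"
)

if __name__ == "__main__":
    for name, buf in (("memory dump", MEMORY_DUMP), ("sniffed payload", SNIFFED_PAYLOAD),
                      ("encrypting terminal", P2PE_MEMORY)):
        print(name, scan_buffer(buf))
```

The Luhn filter is what keeps such a scan usable: without it, every timestamp and order number in the dump is a false positive. The encrypting-terminal sample makes the practical point of the passage above: if card data is encrypted before it reaches the application's memory or the network, the same scan, and the same malware, finds nothing.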

Work the steps

Trustwave found the most troublesome aspect of merchant payment systems in North America is payment applications. Many victims of compromise use legacy systems or don't have their systems securely configured. Additionally, 66 percent of such merchants depend on third-party vendors to install, configure and support their payment applications. Trustwave found that negligence on the part of these vendors more often than not contributed to card compromises.

Merchants and ISOs must recognize that security extends beyond using PA DSS-validated applications and eliminating the storage of prohibited cardholder data.

Entities involved in the processing, storage or transmission of cardholder data also must ensure their network environments comply with the Payment Card Industry (PCI) DSS; organizations continue to fall victim to compromise by failing to do this.

Even though some data security pundits disparage the standard, PCI DSS compliance is ultimately the key to safeguarding cardholder data, according to Trustwave.

When all of its requirements are followed, the PCI DSS provides a comprehensive security framework that prevents cardholder data theft, Trustwave noted. Many organizations have eliminated data storage prohibited by the card brands, but until they comply with all 12 PCI DSS requirements, criminals will penetrate payment networks and continue to plunder.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
