The Green Sheet Online Edition
February 09, 2009 • Issue 09:02:01
Make security a small-merchant priority
Big data breaches get big headlines, but criminals are targeting merchants of all sizes to gain cardholder data that can be quickly turned to illicit profits. Smaller merchants should not be ignored when it comes to payment card security.
While sophisticated criminal organizations employ high-tech methods to infiltrate corporate networks, plenty of lower-level criminals are using any tricks and techniques they can to steal data.
Increasingly, ISOs and merchant level salespeople will be elevated - or forced - into becoming payment security consultants to small and mid-sized merchants who are confused by the complex array of industry mandates with which they are expected to comply.
While it may seem that mom-and-pop retail operators are a far cry from the large supermarkets and multilane retailers that have coughed up millions of card numbers, there's a basic, time-tested rule of crime: Criminals will go where the easy money is.
As the companies categorized under the Payment Card Industry (PCI) Data Security Standard (DSS) as level 1 (over 6 million transactions per year) and level 2 (1 million to 6 million) approach 100 percent compliance with the PCI DSS and PCI PIN Entry Device (PED) security requirements, crooks will find it increasingly difficult and expensive to target larger organizations.
The easy pickings will be with the mom-and-pop organizations. In fact, Visa Inc. indicated 62 percent of known compromises during 2007 occurred in restaurants, the vast majority of which are level 4.
Another time-tested rule is that when it comes to accountability, the flow goes downhill to the point of least resistance. Many consumer and legislative groups are clamoring alongside financial institutions to place the cost burden of card attacks fully on merchants.
Card companies put the onus on acquirers, who in turn place the blame and the costs on merchants. Larger companies have clout to negotiate such costs, but smaller merchants do not.
Many payment systems in use today were built long before criminals even thought of implanting electronic bugs in payment devices. These systems can still execute payment transactions, but they are effectively obsolete with regard to security.
The card brands and vendors within the industry have recognized the need to replace outmoded, insecure systems. Hence the imposition of regulations: the PCI DSS, PCI PED and Payment Application (PA) DSS.
Larger organizations have information technology and compliance groups that can navigate the PCI legalese; smaller organizations are often left to fend for themselves.
PCI PED is readily understood: Effective Jan. 1, 2008, retailers may not purchase systems that are not PCI PED approved. Retailers are taking steps to lower their risk by implementing PCI PED-compliant credit and debit card terminals.
The card brands have mandated that retailers who deploy non-PCI PED approved terminals purchased after Jan. 1, 2008, will be liable in the event of a debit card information compromise that can be traced to non-PCI PED approved systems. This liability would include consumer card losses, costs incurred by card issuers for re-issuing compromised cards, card company fines and, potentially, civil penalties, not to mention the likely loss of customer goodwill and business from negative publicity.
Selling merchants on the need for an upgrade when they haven't felt any threat is no easy feat, but it is necessary. It's incumbent on all of us as an industry to educate them.
First off, the cost of legal representation alone could be enough to bankrupt a small merchant's business, and it's certainly a heck of a lot more than the cost of a new terminal or PIN pad.
Secondly, the clock is ticking on systems that predate the PCI PED requirements: These systems must be removed from service no later than June 30, 2010 - just a little over a year from now.
Many smaller merchants are moving to accommodate electronic commerce customers - in essence having both brick-and-mortar storefronts as well as virtual, click-based storefronts on the Web, along with internal networks and servers to support them.
Pizza stores, dry cleaners, limousine services, restaurants and so on are increasingly compelled by competition to offer online services, including payment. That exposes them to additional liability with regard to the storage and transmission of cardholder data.
To address such concerns, the PCI Security Standards Council (SSC) oversees the PCI DSS. The current PCI DSS is "a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures," according to the PCI SSC.
The focus on compliance has been primarily on level 1 and level 2 merchants, which process large volumes of card transactions. However, Visa has implemented a level 4 program that requires acquirers to identify, prioritize and manage overall risk within the large population of smaller merchants. That means acquirers will increasingly require the merchants they deem riskiest to meet stricter compliance requirements.
In 2007, the PCI SSC formally adopted Visa's Payment Application Best Practices (PABP) guidelines and codified them as the PA DSS.
Visa's PABP applied to the development of secure software applications that are intended to mitigate compromises, prevent storage of sensitive cardholder data and support overall compliance with the PCI DSS. PA DSS moved beyond that scope to encompass applications running on standalone payment terminals.
At minimum, your customers need guidance on living in a PA DSS world. Get up to speed on overall PCI DSS and PA DSS requirements so you can educate customers regarding such things as firewalls and computer access management.
With the wide availability of commodity-priced networking equipment, it's tempting for click-and-brick merchants to save a buck and install their own Wi-Fi and even Ethernet local area networks. But in doing so they can set themselves up for costly exposure unless they have advice on how to properly set up and maintain their networks in accordance with the PCI DSS.
Networks are vulnerable points of entry for criminals unless they are properly protected against worms, viruses, unauthorized entry and other assaults.
There are many compliant installation and management services for broadband and Wi-Fi networks that you can draw into your portfolio of value-added services. In doing so, you will make it easier for your merchants to achieve compliance; you will also create for yourself an additional revenue stream and deeper customer relationships.
There are two great benefits to investing in security:
- It assures consumers their transactions are safe, encouraging them to make purchases with their credit and debit cards.
- It encourages - and ultimately forces - merchants to swap out old, obsolete equipment in favor of new systems that meet today's requirements.
Those of you who can learn to sell security as a feature will be able to speed up the migration. However, those who can function as security consultants to smaller merchants will be able to gain market share. In turn, you can help your customers learn to sell security as a feature to consumers, giving them an edge over their competitors.
Ultimately, everybody will be happier - and safer.
Scott Henry is Director, North America Product Marketing, for VeriFone. He can be contacted at firstname.lastname@example.org.