The Green Sheet Online Edition
June 25, 2007 • Issue 07:06:02
Shape up those level 4 merchants - now
The Payment Card Industry (PCI) Data Security Standard exists to minimize the potential of card breaches. The standard divides merchants into four categories as follows:
- Level 1: Any merchant, regardless of acceptance channel, processing over 6 million Visa U.S.A. or MasterCard Worldwide transactions per year and merchants who experienced an account data compromise
- Level 2: Any merchant, regardless of acceptance channel, processing 1 million to 6 million Visa or MasterCard transactions per year
- Level 3: Any merchant processing 20,000 to 1 million Visa or MasterCard e-commerce transactions per year
- Level 4: All other merchants. That is, merchants processing fewer than 20,000 Visa or MasterCard e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1 million Visa or MasterCard transactions per year.
Level 4 in the spotlight
Although level 4 merchants process only 30% of total transaction volume, they comprise 99% of all merchants.
Because the Associations first wished to zero in on the most sensitive data and protect the greatest number of cards and cardholders, they initially focused on the first three merchant levels.
This makes sense given the number of merchants in those levels relative to the number of transactions.
Level 4 merchants were an afterthought. In fact, until now, acquirers were not even required to validate compliance for level 4 merchants.
Unfortunately, because level 4 merchants are the least sophisticated technologically and overlooked because acquirers were focusing on their larger merchants, these merchants are targets for hackers.
Another reason level 4 merchants were the last category given scrutiny is their processing hardware has been historically difficult to hack.
Most level 4 merchants utilize dial-up terminals and are well-protected because their standalone phone lines cannot be accessed from the Internet.
A growing number of level 4 merchants, however, are using integrated POS systems connected to high speed Internet connections. These merchants are becoming targets at an increasing rate.
AmbironTrustWave's SpiderLabs found that out of 215 card compromises, 62% came from the food services industry - by far the largest single category.
Surprisingly, 75% of the breaches studied came at brick-and-mortar merchants who, according to the same report, were less aware of the risks than their online brethren. Seventy-one percent of the cases involved a compromise of POS systems or software.
Integrated POS merchants are vulnerable because, typically, business owners are not proficient in the details of their networks.
They do not fully understand the importance of properly configuring a firewall. Too often they do not reset passwords from the manufacturers' defaults.
These business owners sometimes rely on third-party vendors to ensure card data is not inappropriately stored and protected. They may be using outdated or noncompliant systems unknowingly.
Also, as more and more merchants migrate to high-speed communication lines with enhanced reporting, the risks of a hack increase because the environment is less secure.
In addition to card numbers, some of these systems store magnetic stripe data as well. Further, with the costs of integrated POS systems dropping, an escalating number of smaller merchants can afford them.
Unfortunately, they cannot afford the expertise to support them.
Breaches, breaches everywhere
By number, level 4 merchants represent the greatest number of breaches. However, the number of cards lost per incident is dwarfed by the major breaches, so the level 4 breaches do not make news in the trade press - yet they occur every day.
In an attempt to mitigate the number of breaches, Visa is requiring all acquirers to develop a written data security plan for level 4 merchants.
Plans must be completed by July 31, 2007. At minimum, a data security plan must include:
- Timeline of completion dates and milestones
- Prioritization of level 4 merchants into subgroups and target compliance efforts for each subgroup
- Merchant education strategy, including timeline for communication security alerts
- Compliance strategy designed to eliminate prohibited data from being stored, protect stored data, make sure merchants are only storing data they truly require, and ensure compliance with PCI, which includes ensuring payment applications are compliant and any third party is registered
- Monthly compliance reporting to executive or board management. Visa may also request these reports.
Onerous, but necessary action
The sheer number of level 4 merchants makes this task intimidating. Yet the daily breaches from level 4 merchants are causing real losses to the system.
When a breach occurs, issuing banks must enhance their monitoring (or accept greater losses) and inconvenience cardholders by blocking and re-issuing their cards. Re-issuing cards is expensive.
The cost of postage, plastics, customer communication and lost sales is problematic, especially when issuers cannot plan for or predict the breaches. These costs are over and above the lost confidence and lost sales from concerned cardholders.
Yes, the compliance program is onerous, but I applaud Visa for addressing this problem within the level 4 merchant category.
To reiterate, this group represents 99% of all merchants and individual merchants processing up to approximately 1 million transactions per year.
These merchants are least equipped to deal with threats from card breaches and in most need of assistance. These actions will help ensure we collectively better equip level 4 merchants with the knowledge and tools they need to accomplish their jobs.
Ken Musante is President of Humboldt Merchant Services. Contact him by e-mail at email@example.com or by phone at 707-269-3200.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.