The Green Sheet, Inc

The Green Sheet Online Edition

June 25, 2007  •  Issue 07:06:02


Shape up those level 4 merchants - now

By Ken Musante

The Payment Card Industry (PCI) Data Security Standard exists to minimize the potential of card breaches. The standard divides merchants into four categories as follows:

Level 4 in the spotlight

Although level 4 merchants process only 30% of total transaction volume, they comprise 99% of all merchants.

Because the Associations first wished to zero in on the most sensitive data and protect the greatest number of cards and cardholders, they initially focused on the first three merchant levels.

This makes sense given the number of merchants in those levels relative to the number of transactions.

Level 4 merchants were an afterthought. In fact, until now, acquirers were not even required to validate compliance for level 4 merchants.

Unfortunately, because level 4 merchants are the least technologically sophisticated and were overlooked while acquirers focused on their larger merchants, these merchants are targets for hackers.

Another reason level 4 merchants were the last category given scrutiny is that their processing hardware has historically been difficult to hack.

Most level 4 merchants utilize dial-up terminals and are well-protected because their standalone phone lines cannot be accessed from the Internet.

A growing number of level 4 merchants, however, are using integrated POS systems connected to high speed Internet connections. These merchants are becoming targets at an increasing rate.

Emerging vulnerabilities

AmbironTrustWave's SpiderLabs found that out of 215 card compromises, 62% came from the food services industry - by far the largest single category.

Surprisingly, 75% of the breaches studied came at brick-and-mortar merchants who, according to the same report, were less aware of the risks than their online brethren. Seventy-one percent of the cases involved a compromise of POS systems or software.

Integrated POS merchants are vulnerable because, typically, business owners are not proficient in the details of their networks.

They do not fully understand the importance of properly configuring a firewall. Too often they do not reset passwords from the manufacturers' defaults.

These business owners sometimes rely on third-party vendors to ensure card data is protected and not inappropriately stored. They may unknowingly be using outdated or noncompliant systems.

Also, as more and more merchants migrate to high-speed communication lines with enhanced reporting, the risks of a hack increase because the environment is less secure.

In addition to card numbers, some of these systems store magnetic stripe data as well. Further, with the costs of integrated POS systems dropping, an escalating number of smaller merchants can afford them.

Unfortunately, they cannot afford the expertise to support them.
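The stored card numbers and magnetic stripe data described above are something a merchant or its vendor can look for directly. The following is an added example, not part of the original article: a small scanner that flags Track 1 and Track 2 stripe layouts and bare card numbers in POS log text. The function names, the log format and the sample lines are constructed for illustration, and the card numbers are well-known test values.

```python
import re

# Magnetic stripe layouts: Track 1 "%B<PAN>^<name>^<YYMM>...?", Track 2 ";<PAN>=<YYMM>...?"
TRACK1 = re.compile(r"%B(\d{12,19})\^[^^?]{2,26}\^\d{4}[^?]*\?")
TRACK2 = re.compile(r";(\d{12,19})=\d{4}\d*\?")
# A bare run of 13-19 digits is only a candidate; the Luhn check filters IDs and counters.
PAN = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep first six and last four digits so the report itself holds no full card number."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(text):
    """Return (line number, kind, masked PAN) for each stored card number or stripe record."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        seen = set()            # report a PAN once per line, under its most specific kind
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2), ("pan", PAN)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if pan in seen or not luhn_ok(pan):
                    continue
                seen.add(pan)
                findings.append((lineno, kind, mask(pan)))
    return findings

# Constructed sample of a POS debug log (test card numbers, invented log format).
SAMPLE = """\
2007-06-01 12:00:01 SALE ok ref=100234 amount=18.50
2007-06-01 12:00:07 DEBUG swipe=%B4111111111111111^DOE/JANE^09121010000?
2007-06-01 12:01:15 DEBUG swipe=;5555555555554444=09121010000?
2007-06-01 12:02:40 SALE ok card=4111111111111111 amount=7.25
2007-06-01 12:03:02 BATCH id=1234567890123456 closed
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A `track1` or `track2` hit means full stripe data was written to disk after the swipe; the 16-digit batch ID on the last sample line is not reported because it fails the Luhn check.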

Breaches, breaches everywhere

Level 4 merchants account for the greatest number of breaches. However, the number of cards lost per incident is dwarfed by that of the major breaches, so the level 4 breaches do not make news in the trade press - yet they occur every day.

In an attempt to mitigate the number of breaches, Visa is requiring all acquirers to develop a written data security plan for level 4 merchants.

Plans must be completed by July 31, 2007. At minimum, a data security plan must include:

The sheer number of level 4 merchants makes this task intimidating. Yet the daily breaches from level 4 merchants are causing real losses to the system.

When a breach occurs, issuing banks must enhance their monitoring (or accept greater losses) and inconvenience cardholders by blocking and re-issuing their cards. Re-issuing cards is expensive.

The cost of postage, plastics, customer communication and lost sales is problematic, especially when issuers cannot plan for or predict the breaches. These costs are over and above the lost confidence and lost sales from concerned cardholders.

Yes, the compliance program is onerous, but I applaud Visa for addressing this problem within the level 4 merchant category.

To reiterate, this group represents 99% of all merchants and consists of individual merchants processing up to approximately 1 million transactions per year.

These merchants are least equipped to deal with threats from card breaches and in most need of assistance. These actions will help ensure we collectively better equip level 4 merchants with the knowledge and tools they need to accomplish their jobs.

Ken Musante is President of Humboldt Merchant Services. Contact him by e-mail at or by phone at 707-269-3200.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
