A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

August 13, 2007 • Issue 07:08:01

Small shops under the PCI gun

By Michael Petitti

In May, Visa U.S.A. released a new Cardholder Information Security Program (CISP) bulletin: Level 4 Merchant Compliance Program Requirements. It called for acquirers to submit to Visa formal compliance programs for their level 4 merchant population by July 31, 2007.

In the beginning of the data security movement within the payments industry, the card Associations (and, in turn, acquiring banks) focused on convincing larger merchants to validate compliance with the Payment Card Industry (PCI) Data Security Standard.

The card Associations lauded the benefits of protecting cardholder data and threatened to fine acquiring banks whose merchants failed to take action. Visa's latest CISP bulletin can be downloaded on the Web at http://usa.visa.com/download/merchants/level_4_merchant_compliance.pdf.

It is important to you, as ISOs and merchant level salespeople (MLSs), because, as stated in the bulletin, 99% of organizations that accept Visa-branded cards fall into the level 4 category.

Visa and MasterCard Worldwide categorize larger retailers as level 1, 2 or 3 merchants. Those businesses process more than 20,000 e-commerce transactions annually or more than 1 million transactions, regardless of acceptance channel, annually.

According to Visa, this segment accounts for more than two thirds of all Visa transactions, which justifies the original emphasis on spreading compliance validation among this group. Now, evidence shows that smaller merchants (level 4) account for the majority of payment card compromises. So, the card Associations are taking action.

Visa and MasterCard define level 4 merchants as organizations that process fewer than 20,000 Visa e-commerce transactions per year and any other organizations that process fewer than 1 million Visa transactions, regardless of acceptance channel, per year.

Convincing stats

As acquirers escalate PCI educational efforts, level 4 merchants will hear more and more about PCI, the selfassessment questionnaire and vulnerability scans. If you gain command of this information, you can reassure anxious merchants and provide them the epitome of added value.

To start, it's important to convey that hackers are not only targeting large merchants or e-commerce merchants. AmbironTrustWave, which investigates payment card compromises, finds that 85% of the over 250 payment card compromises we have investigated occurred within the level 4 category.

We attribute this to three main factors:

  1. The majority of merchants who accept payment card transactions fall into the level 4 category. Thus, a greater number of level 4 targets are available.
  2. Many smaller merchants do not possess the resources necessary to hire an information technology employee, let alone one with data security experience.
  3. Level 1, 2 and 3 merchants have received intensive PCI education. Awareness of the PCI requirements among level 4 merchants has lagged.
Our investigations have also revealed that three of four compromises occur at brick-and-mortar establishments as opposed to e-commerce Web sites. Again, a few factors contribute to this.
  1. In general, e-commerce merchants have more technical expertise than owners of corner stores or restaurants. Thus, e-commerce entrepreneurs are more likely to understand the basic tenets of data security.
  2. It's also a matter of awareness. Originally, the card Associations (and as a result the acquiring banks) concentrated educational efforts on e-commerce merchants, fearing they were at greatest risk of card compromise.
  3. Brick-and-mortar merchants are more likely to use antiquated POS systems that store full track data (the information encoded on a payment card's magnetic stripe).
With track data, a hacker can easily manufacture bogus cards encoded with stolen card numbers. Storing track data is a blatant violation of both PCI and Visa's Payment Application Best Practices.

Armed with statistics like these, you can show smaller merchants that the threat to their environment is real. The card Associations have informed acquiring banks of these facts. Emphasizing them to merchants will build your credibility on the subject.

Good faith inspections

Visa issued the CISP bulletin to enlist acquirers' aid in curbing compromises and ensuring that level 4 merchants handle payment card data in a PCI-compliant manner. The card Associations leave validation of level 4 compliance to the acquirers' discretion. Thus, many acquirer compliance programs will require level 4 merchants to validate compliance by completing the PCI self-assessment questionnaire and undergoing quarterly vulnerability scans.

The self-assessment questionnaire is a series of questions based on PCI. Honest, affirmative answers to every question and quarterly vulnerability scans will validate a merchant's compliance with PCI.

A vulnerability scan is an external scan of a merchant's environment that reports on the configuration of the merchant's firewall, among other information. It is akin to walking around the perimeter of a house and jiggling doorknobs and windows to ensure they're locked and will keep intruders out.

Fortunately, a great many resources are available to merchants to complete each of these actions. Merchants can access the PCI self-assessment questionnaire at www.pcisecuritystandards.org/tech/supporting_documents.htm. In addition, many organizations offer free vulnerability scanning promotions. Encourage merchants to contact their acquiring banks for more information about vulnerability scans. A list of approved scanning vendors is on the Web at www.pcisecuritystandards.org/resources/approved_scanning_vendors.htm. Speaking with merchants about PCI will show them you understand their plight and that they can rely on you for accurate information about securing cardholder data. end of article

Michael Petitti is Chief Marketing Officer of AmbironTrustWave and is responsible for all of the company's marketing initiatives. He serves on the Merchant Risk Council's board of advisers and on The Green Sheet Inc. Advisory Board. Call him at 312-873-7291 or e-mail him at mpetitti@atwcorp.com.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing