The Green Sheet Online Edition
August 13, 2007 • Issue 07:08:01
Small shops under the PCI gun
In May, Visa U.S.A. released a new Cardholder
Information Security Program (CISP) bulletin: Level
4 Merchant Compliance Program Requirements.
It called for acquirers to submit to Visa formal
compliance programs for their level 4 merchant population
by July 31, 2007.
In the beginning of the data security movement within the
payments industry, the card Associations (and, in turn,
acquiring banks) focused on convincing larger merchants
to validate compliance with the Payment Card Industry (PCI) Data Security Standard.
The card Associations lauded the benefits of protecting
cardholder data and threatened to fine acquiring banks
whose merchants failed to take action. Visa's latest CISP
bulletin can be downloaded on the Web at http://usa.visa.com/download/merchants/level_4_merchant_compliance.pdf.
It is important to you, as ISOs and merchant level salespeople
(MLSs), because, as stated in the bulletin, 99% of
organizations that accept Visa-branded cards fall into the
level 4 category.
Visa and MasterCard Worldwide categorize larger retailers
as level 1, 2 or 3 merchants. Those businesses process
more than 20,000 e-commerce transactions annually or
more than 1 million transactions, regardless of acceptance channel.
According to Visa, this segment accounts for more than
two thirds of all Visa transactions, which justifies the original
emphasis on spreading compliance validation among
this group. Now, evidence shows that smaller merchants
(level 4) account for the majority of payment card compromises.
So, the card Associations are taking action.
Visa and MasterCard define level 4 merchants as organizations
that process fewer than 20,000 Visa e-commerce
transactions per year and any other organizations that
process fewer than 1 million Visa transactions, regardless
of acceptance channel, per year.
As acquirers escalate PCI educational efforts, level 4
merchants will hear more and more about PCI, the self-assessment
questionnaire and vulnerability scans. If you
gain command of this information, you can reassure
anxious merchants and provide them the epitome of
To start, it's important to convey that hackers are not
only targeting large merchants or e-commerce merchants.
AmbironTrustWave, which investigates payment card
compromises, finds that 85% of the over 250 payment
card compromises we have investigated occurred within
the level 4 category.
We attribute this to three main factors:
- The majority of merchants who accept payment card
transactions fall into the level 4 category. Thus, a
greater number of level 4 targets are available.
- Many smaller merchants do not possess the resources
necessary to hire an information technology employee,
let alone one with data security experience.
- Level 1, 2 and 3 merchants have received intensive PCI
education. Awareness of the PCI requirements among
level 4 merchants has lagged.
Our investigations have also revealed that three of four
compromises occur at brick-and-mortar establishments
as opposed to e-commerce Web sites. Again, a few factors
contribute to this.
- In general, e-commerce merchants have more technical
expertise than owners of corner stores or restaurants.
Thus, e-commerce entrepreneurs are more likely to
understand the basic tenets of data security.
- It's also a matter of awareness. Originally, the card
Associations (and as a result the acquiring banks)
concentrated educational efforts on e-commerce merchants,
fearing they were at greatest risk of
- Brick-and-mortar merchants are more likely to use
antiquated POS systems that store full track data
(the information encoded on a payment card's magnetic
stripe). With track data, a hacker can easily manufacture
bogus cards encoded with stolen card numbers that will
swipe like the genuine card. Storing track data after
authorization is a blatant violation of both PCI
and Visa's Payment Application Best Practices.
Armed with statistics like these, you can show smaller
merchants that the threat to their environment is real.
The card Associations have informed acquiring banks of
these facts. Emphasizing them to merchants will build
your credibility on the subject.
Good faith inspections
Visa issued the CISP bulletin to enlist acquirers' aid in
curbing compromises and ensuring that level 4 merchants
handle payment card data in a PCI-compliant
manner. The card Associations leave validation of level 4 compliance to the acquirers' discretion. Thus,
many acquirer compliance programs will require level 4
merchants to validate compliance by completing the PCI
self-assessment questionnaire and undergoing quarterly vulnerability scans.
The self-assessment questionnaire is a series of questions
based on the PCI requirements. Honest, affirmative answers to every
question, together with passing quarterly vulnerability scans, validate a
merchant's compliance with PCI.
A vulnerability scan is an external scan of a merchant's
Internet-facing environment. It probes the systems visible from
the outside and reports on open ports, exposed services and
known weaknesses, including how the merchant's firewall is
configured. It is akin to walking around the perimeter of a
house and jiggling doorknobs and windows to ensure they're
locked and will keep intruders out.
Fortunately, a great many resources are available to
merchants to complete each of these actions. Merchants
can access the PCI self-assessment questionnaire at
In addition, many organizations offer free vulnerability
scanning promotions. Encourage merchants to contact
their acquiring banks for more information about vulnerability
scans. A list of approved scanning vendors is on the
Web at www.pcisecuritystandards.org/resources/approved_scanning_vendors.htm.
Speaking with merchants about PCI will show them you
understand their plight and that they can rely on you for
accurate information about securing cardholder data.
Michael Petitti is Chief Marketing Officer of AmbironTrustWave
and is responsible for all of the company's marketing initiatives.
He serves on the Merchant Risk Council's board of advisers and on
The Green Sheet Inc. Advisory Board. Call him at 312-873-7291
or e-mail him at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.