By Grant Drummond
Yesterday's business model is obsolete. Criminals are craftier. Just about every week, the media report on hacking incidents, theft of personal information and every conceivable variation on security breaches. In an attempt to keep up, networks and card Associations are adopting more stringent security requirements.
In a world where security is being breached daily, companies are strategizing on how to better protect themselves from liability claims, bad public relations and lawsuits. Merchants and those who provide their electronic payment processing products need to know who's liable for what.
Retailers are susceptible to two types of breaches. One concerns card data in their possession, which must be protected from the moment of entry to the time of exit to an acquirer. In the absence of secure handling, criminals obtain access to card data, which they duplicate or sell to others.
Also on the increase is the interception of PIN entry device (PED) data. Criminals physically modify PEDs to capture PIN and card data, or they "shoulder surf," using cameras to record PINs and skim card information from POS terminals.
Thieves time-stamp and synchronize the data to produce duplicate cards. Credit cards are the easiest target because the information flows unencrypted through the networks.
Eeny, meeny, miney who?
So who is liable for what? There is no easy answer. Each acquirer network has its own regulations. These range from checking the signatures on cards against signatures on receipts, to truncating receipts, to encrypting data if it travels via the Internet. In the event of an attack, the network involved conducts an audit.
If merchants use POS equipment and systems approved by their acquirers and otherwise are in complete compliance with their contractual obligations, they are protected from liability, provided their employees have not engaged in fraudulent activity.
However, when it comes to determining liability, all networks are not equal. Their compliance assurance and audit processes may vary greatly.
Acquirers must follow the security procedures set by the card Association on whose behalf they operate. In addition, acquirers are responsible for certifying the hardware operating on their networks.
If an acquirer is part of a regional network, which in turn is just one leg in a series of larger networks, industry regulations are pushed down from the top. Embedded in these regulations are government regulations.
Keep your nose to the PCI-stone
Best practice documents list security measures for companies anxious to reduce the likelihood of fraud originating from their businesses. For example, in January 2007, the ATM Industry Association published Best Practices for xPoint of Sale Lifecycle Security.
The report contains minimum international data security guidelines for retailers, processors, encryption service organizations, auditors, security personnel and managers who are responsible for securing POS installations and systems to meet network and Payment Card Industry (PCI) Data Security Standard requirements.
The major card Associations have joined in the creation of PCI and the publication of best practices on the handling of card data. Best practices documents for merchants are published on the Internet at www.mastercard.com/us/merchant/security/index.html and www.usa.visa.com/merchants. All merchants should become familiar with these documents.
The PCI Security Standards Council has addressed the entire scope of transactions, from the location of card devices through back-end servers. More specifically, PCI's PED standard addresses the handling of card data with PEDs. It incorporates ANSI encryption and ISO standards.
The security industry is changing rapidly. Devices currently available that meet Visa PED standards may be installed only up until the end of this year. If they are installed by Dec. 31, 2007, these devices have no sunset provision and will continue to be covered under card Association liability clauses.
However, as of January 1, 2008, there will be a new game in town called PCI PED. It is a much broader and higher level of security brought to the PED access point by PCI. In fact, April 2008 has already been set for PCI PED II, an enhanced level of security, with future reviews of standards scheduled every three years.
Even though PCI PED II is now available and equipment can be certified under that standard, devices that have been certified under PCI PED I may be sold until 2014. To assist businesses in reducing their risk of fraud, POS equipment suppliers must be aware and inform their merchant customers of current and emerging industry standards. Fortunately, help is available.
Equipment manufacturers, industry standard setting committees, card Associations and, to some extent, governments are collaborating to stay ahead of the game and help ensure that merchants, processors/acquirers and manufacturers can implement the upcoming changes. For merchants, asking the supplier for information on security requirements is a good place to start. Card Associations are also providing incentives and training to facilitate compliance, including seminars, webinars, newsletters and individual programs for merchants and ISOs.
For information on these programs, visit the links listed in this article or the Web site of the applicable card Association.
My cost is your cost
Europe and Canada have taken security measures much further than the United States. EMV (Europay, MasterCard and Visa) standards in Europe now require PIN entry with credit card transactions, and a similar system has been adopted by the Canadian industry, with an implementation target of 2010.
Despite the benefits of increased security and lower dollar amounts of fraud, the U.S. market has not yet created a business case to move forward with EMV. This is due to the huge costs of changing the entire transaction processing system from host to POS. However, even without the switch to the European system, the new PCI standards will raise the cost of POS terminals.
PCI PED II, in particular, requires significant security upgrades and will impact the final cost of deploying these terminals. Equipment providers can assist merchants in adapting to the new environment by raising awareness of the need for ever-increasing security to combat relentless fraud.
Greater diligence and more secure equipment and processes come at a cost, but it's an investment that will protect merchants in the long run.
Grant Drummond is Director of Marcom with Ingenico, a worldwide provider of electronic payment and secure transaction solutions. For further information, visit www.ingenico.com, e-mail firstname.lastname@example.org or call 416-245-6700.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next