
The Green Sheet Online Edition

August 13, 2007  •  Issue 07:08:01


Breached security: The buck stops where?

By Grant Drummond

Yesterday's business model is obsolete. Criminals are craftier. Just about every week, the media report on hacking incidents, theft of personal information and every conceivable variation on security breaches. In an attempt to keep up, networks and card Associations are adopting more stringent security requirements.

In a world where security is being breached daily, companies are strategizing on how to better protect themselves from liability claims, bad public relations and lawsuits. Merchants and those who provide their electronic payment processing products need to know who's liable for what.

Retailers are susceptible to two types of breaches. The first concerns card data in their possession, which must be protected from the moment of entry until it exits to the acquirer. Without secure handling, criminals obtain the card data and use it to produce counterfeit cards or sell it to others.

Also on the increase is the interception of PIN entry device (PED) data. Criminals physically modify PEDs to capture PIN and card data, or they "shoulder surf," using hidden cameras to record PINs while a skimmer attached to the POS terminal copies the magnetic stripe.

Thieves time-stamp the camera footage and the skimmed stripe data and match the two up to produce working duplicate cards. Magnetic-stripe credit card data is the easiest target: the PIN is encrypted inside the PED before it leaves the device, but the card data itself commonly travels unencrypted through the networks.
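As an added example (not from the article, and not Ingenico's code), the following Go program traces the two data paths described above: the track 2 record a skimmer copies in the clear, and the PIN, which the PED encrypts before it leaves the device. It also shows the receipt truncation the article lists among the network rules. It assumes the ISO 9564 format-0 PIN block and two-key triple DES under a 16-byte terminal PIN key; the PAN, track data and key are constructed sample values, not real ones.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// ParseTrack2 splits ";PAN=expiry+service code+discretionary data?" into the
// PAN and the rest. A skimmer in the card slot reads exactly this, in clear text.
func ParseTrack2(track string) (pan, rest string, err error) {
	t := strings.TrimSuffix(strings.TrimPrefix(track, ";"), "?")
	i := strings.IndexByte(t, '=')
	if i < 13 || i > 19 {
		return "", "", errors.New("track 2: missing separator or bad PAN length")
	}
	return t[:i], t[i+1:], nil
}

// MaskPAN is the receipt-truncation rule: print only the last four digits.
func MaskPAN(pan string) string {
	if len(pan) <= 4 {
		return pan
	}
	return strings.Repeat("*", len(pan)-4) + pan[len(pan)-4:]
}

// panField is "0000" plus the 12 PAN digits that precede the check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 {
		return nil, errors.New("PAN too short for a format-0 PIN block")
	}
	return hex.DecodeString("0000" + pan[len(pan)-13:len(pan)-1])
}

// ISO0PINBlock forms an ISO 9564 format-0 block (assumed here as the PED's
// format): "0"+length+PIN, F-padded to 16 hex digits, XORed with the PAN field.
func ISO0PINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 decimal digits")
	}
	pf, _ := hex.DecodeString(fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))))
	af, err := panField(pan)
	if err != nil {
		return nil, err
	}
	for i := range pf {
		pf[i] ^= af[i]
	}
	return pf, nil
}

// NewPINCipher builds the two-key triple-DES cipher (K1|K2|K1) the PED and
// host share; the 16-byte terminal PIN key never leaves the PED's secure core.
func NewPINCipher(key16 []byte) (cipher.Block, error) {
	if len(key16) != 16 {
		return nil, errors.New("PIN key must be 16 bytes")
	}
	return des.NewTripleDESCipher(append(append([]byte{}, key16...), key16[:8]...))
}

// EncryptPINBlock is the step inside the tamper-responsive PED: one TDES block
// encryption, so only ciphertext ever leaves the device.
func EncryptPINBlock(c cipher.Block, clear []byte) []byte {
	out := make([]byte, 8)
	c.Encrypt(out, clear)
	return out
}

// RecoverPIN is the host or HSM side: decrypt, XOR the PAN field back out and
// read the PIN by its length nibble. A tap on the line sees only ciphertext.
func RecoverPIN(c cipher.Block, enc []byte, pan string) (string, error) {
	af, err := panField(pan)
	if err != nil || len(enc) != 8 {
		return "", errors.New("need a PAN of 13+ digits and an 8-byte block")
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, enc)
	for i := range clear {
		clear[i] ^= af[i]
	}
	n := int(clear[0] & 0x0F)
	if clear[0]>>4 != 0 || n < 4 || n > 12 {
		return "", errors.New("not a format-0 block: wrong key or PAN")
	}
	return hex.EncodeToString(clear)[2 : 2+n], nil
}

func main() {
	// Constructed sample: a well-known Visa test PAN and an arbitrary PIN key.
	pan, rest, _ := ParseTrack2(";4111111111111111=0912101?")
	key, _ := hex.DecodeString("0123456789abcdeffedcba9876543210")
	c, _ := NewPINCipher(key)
	clear, _ := ISO0PINBlock("1234", pan)
	enc := EncryptPINBlock(c, clear)
	pin, _ := RecoverPIN(c, enc, pan)
	fmt.Printf("skimmer sees : PAN=%s data=%s (clear text)\n", pan, rest)
	fmt.Printf("wire carries : PAN=%s PINblock=%X\n", pan, enc)
	fmt.Printf("receipt      : %s    host recovers PIN=%s\n", MaskPAN(pan), pin)
}
```

The contrast is the whole point: the skimmer gets everything it needs for a counterfeit stripe from the clear track record, while the PIN only ever appears on the wire as an 8-byte ciphertext that is useless without the terminal key held inside the PED and at the host, which is why the attacker has to add a camera.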

Eeny, meeny, miney who?

So who is liable for what? There is no easy answer. Each acquirer network has its own rules. These range from checking the signature on the card against the signature on the receipt, to truncating the card number on printed receipts, to encrypting data when it travels over the Internet. In the event of an attack, the network involved conducts an audit.

If merchants use POS equipment and systems approved by their acquirers and otherwise are in complete compliance with their contractual obligations, they are protected from liability, provided their employees have not engaged in fraudulent activity.

However, when it comes to determining liability, all networks are not equal. Their compliance assurance and audit processes may vary greatly.

Acquirers must follow the security procedures set by the card Association on whose behalf they operate. In addition, acquirers are responsible for certifying the hardware operating on their networks.

If an acquirer is part of a regional network, which in turn is just one leg in a series of larger networks, industry regulations are pushed down from the top. Embedded in these regulations are government regulations.

Keep your nose to the PCI-stone

Best practice documents list security measures for companies anxious to reduce the likelihood of fraud originating from their businesses. For example, in January 2007, the ATM Industry Association published Best Practices for Point of Sale Lifecycle Security.

The report contains minimum international data security guidelines for retailers, processors, encryption service organizations, auditors, security personnel and managers who are responsible for securing POS installations and systems to meet network and Payment Card Industry (PCI) Data Security Standard requirements.

The major card Associations have joined in the creation of PCI and the publication of best practices on the handling of card data. Best practices documents for merchants are published on the Internet at www.mastercard.com/us/merchant/security/index.html and www.usa.visa.com/merchants. All merchants should become familiar with these documents.

The PCI Security Standards Council has addressed the entire scope of a transaction, from the card-reading device through the back-end servers. More specifically, the PCI PED standard addresses the physical and logical security of PIN entry devices themselves: tamper resistance, key management and the encryption of PINs at the point of entry. It builds on the ANSI and ISO standards for PIN encryption and key management.

The security industry is changing rapidly. Devices currently available that meet Visa PED standards may be installed only up until the end of this year. If they are installed by Dec. 31, 2007, these devices have no sunset provision and will continue to be covered under card Association liability clauses.

However, as of January 1, 2008, there will be a new game in town called PCI PED. It is a much broader and higher level of security brought to the PED access point by PCI. In fact, April 2008 has already been set for PCI PED II, an enhanced level of security, with future reviews of standards scheduled every three years.

Even though PCI PED II is now available and equipment can be certified under that standard, devices that have been certified under PCI PED I may be sold until 2014. To assist businesses in reducing their risk of fraud, POS equipment suppliers must be aware and inform their merchant customers of current and emerging industry standards. Fortunately, help is available.

Equipment manufacturers, industry standard setting committees, card Associations and, to some extent, governments are collaborating to stay ahead of the game and help ensure that merchants, processors/acquirers and manufacturers can implement the upcoming changes. For merchants, asking the supplier for information on security requirements is a good place to start. Card Associations are also providing incentives and training to facilitate compliance, including seminars, webinars, newsletters and individual programs for merchants and ISOs.

For information on these programs, visit the links listed in this article or the Web site of the applicable card Association.

My cost is your cost

Europe and Canada have taken security measures much further than the United States. EMV (Europay, MasterCard and Visa) chip card standards in Europe now require PIN entry for credit card transactions (chip and PIN), and the Canadian industry has adopted a similar system, with an implementation target of 2010.

Despite the benefits of increased security and lower fraud losses, the U.S. market has not yet made the business case for moving to EMV, because of the huge cost of changing the entire transaction processing system from host to POS. However, even without a switch to the European system, the new PCI standards will raise the cost of POS terminals.

PCI PED II, in particular, requires significant security upgrades and will impact the final cost of deploying these terminals. Equipment providers can assist merchants in adapting to the new environment by raising awareness of the need for ever-increasing security to combat relentless fraud.

Greater diligence and more secure equipment and processes come at a cost, but it's an investment that will protect merchants in the long run.

Grant Drummond is Director of Marcom with Ingenico, a worldwide provider of electronic payment and secure transaction solutions. For further information, visit www.ingenico.com, e-mail grant.drummond@ingenico.com or call 416-245-6700.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

