The Green Sheet Online Edition
August 13, 2007 • Issue 07:08:01
Breached security: The buck stops where?
Yesterday's business model is obsolete. Criminals are craftier. Just about every week, the media report on hacking incidents, theft of personal information and every conceivable variation on security breaches. In an attempt to keep up, networks and card Associations are adopting more stringent security
In a world where security is being breached daily, companies are strategizing on how to better protect themselves from liability claims, bad public relations and lawsuits. Merchants and those who provide their electronic payment processing products need to know who's liable
Retailers are susceptible to two types of breaches. One concerns card data in their possession, which must be protected from the moment of entry to the time of exit to an acquirer. In the absence of secure handling, criminals obtain access to card data, which they duplicate or sell to others.
Also on the increase is the interception of PIN entry device (PED) data. Criminals physically modify PEDs to capture PIN and card data, or they "shoulder surf," using cameras to record PINs and skim card information from
Thieves time-stamp and synchronize the data to produce duplicate cards. Credit cards are the easiest target because the information flows unencrypted through
Eeny, meeny, miney who?
So who is liable for what? There is no easy answer. Each acquirer network has its own regulations. These range from checking the signatures on cards against signatures on receipts, to truncating receipts, to encrypting data if it travels via the Internet. In the event of an attack, the network involved conducts an audit.
If merchants use POS equipment and systems approved by their acquirers and otherwise are in complete compliance with their contractual obligations, they are protected from liability, provided their employees have not engaged in fraudulent activity.
However, when it comes to determining liability, all networks are not equal. Their compliance assurance and audit processes may vary greatly.
Acquirers must follow the security procedures set by the card Association on whose behalf they operate. In addition, acquirers are responsible for certifying the hardware operating on their networks.
If an acquirer is part of a regional network, which in turn is just one leg in a series of larger networks, industry regulations are pushed down from the top. Embedded in these regulations are government regulations.
Keep your nose to the PCI-stone
Best practice documents list security measures for companies anxious to reduce the likelihood of fraud originating from their businesses. For example, in January 2007, the ATM Industry Association published Best Practices for Point of Sale Lifecycle Security.
The report contains minimum international data security guidelines for retailers, processors, encryption service organizations, auditors, security personnel and managers who are responsible for securing POS installations and systems to meet network and Payment Card Industry (PCI) Data Security Standard requirements.
The major card Associations have joined in the creation of PCI and the publication of best practices on the handling of card data. Best practices documents for merchants are published on the Internet at www.usa.visa.com/merchants. All merchants should become familiar with these documents.
The PCI Security Standards Council has addressed the entire scope of transactions, from the location of card devices through back-end servers. More specifically, PCI's PED standard addresses the handling of card data with PEDs. It incorporates ANSI encryption and ISO standards.
The security industry is changing rapidly. Devices currently available that meet Visa PED standards may be installed only up until the end of this year. If they are installed by Dec. 31, 2007, these devices have no sunset provision and will continue to be covered under card Association liability clauses.
However, as of January 1, 2008, there will be a new game in town called PCI PED. It is a much broader and higher level of security brought to the PED access point by PCI. In fact, April 2008 has already been set for PCI PED II, an enhanced level of security, with future reviews of standards scheduled every three years.
Even though PCI PED II is now available and equipment can be certified under that standard, devices that have been certified under PCI PED I may be sold until 2014.
To assist businesses in reducing their risk of fraud, POS equipment suppliers must be aware of, and inform their merchant customers of, current and emerging industry standards. Fortunately, help is available.
Equipment manufacturers, industry standard setting committees, card Associations and, to some extent, governments are collaborating to stay ahead of the game and help ensure that merchants, processors/acquirers and manufacturers can implement the upcoming changes.
For merchants, asking the supplier for information on security requirements is a good place to start.
Card Associations are also providing incentives and training to facilitate compliance, including seminars, webinars, newsletters and individual programs for merchants
For information on these programs, visit the links listed in this article or the Web site of the applicable
My cost is your cost
Europe and Canada have taken security measures much further than the United States. EMV (Europay, MasterCard and Visa) standards in Europe now require PIN entry with credit card transactions, and a similar system has been adopted by the Canadian industry, with an implementation target of 2010.
Despite the benefits of increased security and lower dollar amounts of fraud, the U.S. market has not yet created a business case to move forward with EMV. This is due to the huge costs of changing the entire transaction processing system from host to POS. However, even without the switch to the European system, the new PCI standards will raise the cost of POS terminals.
PCI PED II, in particular, requires significant security upgrades and will impact the final cost of deploying these terminals. Equipment providers can assist merchants in adapting to the new environment by raising awareness of the need for ever-increasing security to combat relentless fraud.
Greater diligence and more secure equipment and processes come at a cost, but it's an investment that will protect merchants in the long run.
Grant Drummond is Director of Marcom with Ingenico, a worldwide provider of electronic payment and secure transaction solutions. For further information, visit www.ingenico.com, e-mail firstname.lastname@example.org or call 416-245-6700.