The Green Sheet Online Edition
August 08, 2011 • Issue 11:08:01
Identifying and securing your highest risk merchants
Although data breaches within Level 1 or Level 2 merchants are well-documented and garner the majority of attention, information in the Verizon 2011 Data Breach Investigations Report notes a significant, recent decline in large-scale breaches.
At first, the numbers might give us cause to celebrate the lowest amount of data lost since 2004. A closer look, however, also unveils an all-time high in the number of incidents investigated. And within Level 4 merchant portfolios, the potential risk - particularly to accounts that are not Payment Card Industry (PCI) Data Security Standard (DSS) compliant - is unsettling.
In an article about the report, SecurityWeek wrote that hackers "may be making a classic risk versus reward decision and opting to 'play it safe' in light of recent arrests and prosecutions. Numerous smaller strikes on hotels, restaurants and retailers represent a lower-risk alternative, and cybercriminals appear to be taking greater advantage of that option."
Level 4 in the crosshairs
Visa Inc. defines Level 4 merchants as businesses processing fewer than 20,000 Visa e-commerce transactions annually or all other merchants processing up to 1 million Visa transactions annually.
While these smaller numbers may lead some to envision mom-and-pop stores using knuckle busters, it is likely that today they also have websites selling their goods and devote little time or attention to firewalls or securely coded payment pages.
The Level 4 distinction may also include ultra high-end hotels or restaurants with complex POS networks. Level 4 merchants have the broadest array of payment technology in use and, therefore, are at the greatest risk for data breaches. This is mainly a result of merchants being defined by their volume, not by their sophistication, product or service.
The Verizon report identifies an alarming trend in how breaches occurred over the last year. Ninety-two percent of data breaches originated from external sources, usually involving a hack or introduction of malware. For the first time, physical attacks, which include ATM compromises and credit card data theft, ranked third and accounted for 29 percent of breaches.
Level 4 PCI validation is up to you
The PCI Security Standards Council (PCI SSC) prescribes an ongoing process for Level 4 merchant compliance, including completion of an annual self-assessment questionnaire (SAQ) and potentially a quarterly network scan by an Approved Scanning Vendor (ASV). The card brands, through the PCI SSC, do not require onsite assessments and leave management of compliance deadlines - validation and revalidation - largely to the discretion of ISOs and acquirers.
Almost all organizations reporting payment card breaches in 2010 were not validated as compliant with the PCI DSS at the time of the breach - a staggering 89 percent, according to the Verizon breach report.
How to identify risky merchants
Segmentation is the key to identifying and prioritizing risky merchants within an acquirer's portfolio. To get started, consider the following approaches:
- Industry or vertical: What industries do your merchants serve? Health care? Higher education? Hospitality? Hospitality businesses such as restaurants are typically targeted more than any other merchant category and are therefore the riskiest. E-commerce websites are also attractive targets because of their ease of access via the Internet and the challenge of completely eliminating vulnerabilities in website code.
- Card acceptance: How do your merchants accept payments? Card present or card not present? Mag stripe? Is a PIN required?
- Payment processing: Are your merchants using dial-up terminals or an integrated POS system? Integrated, networked POS systems are at greater risk than stand-alone, dial-up POS setups. Do they store card data within their systems? If so, note that storing card data poses one of the biggest security risks, one that is avoidable by implementing technologies such as tokenization.
- Number of locations: How many locations does each merchant have? How much do locations vary in terms of payment processes and technologies? Do they make sales online? Are there franchises? The greater the number of locations accepting card payments, the greater the potential for noncompliance and breaches - especially if POS equipment and procedures are not uniform.
- Merchant versus service provider: In many cases you may find what initially looks like a merchant may actually be a service provider. Thus, the risk goes up. Be sure to understand PCI's definition of a service provider.
- Number of third-party service providers being used: While using third parties to outsource functions like payment processing and information technology (IT) infrastructure can reduce the effort required to comply with PCI, merchants must maintain a complete inventory of third parties who touch their cardholder data; they must also know the PCI compliance status of each party.
- Merchant resources: How large is the merchant's staff? Does the merchant employ dedicated IT personnel? Has the merchant delegated PCI responsibility to someone within the organization? Merchants with a staff member focused on PCI are more likely to maintain compliance and less likely to be at risk of a breach.
After reviewing this list, you will inevitably have additional questions or be able to identify merchants warranting further evaluation. This is where good, old-fashioned merchant relationships come into play. Based on what you know about a given merchant, how the business accepts payments and whether the merchant is active in PCI compliance, can you determine whether the merchant is at high risk for a breach?
Risk identified - now what?
Now that your portfolio is segmented, gauge what your risky merchants know about PCI compliance. Can an out-of-compliance merchant's risk stance be remediated through education and context-setting? With the help of your PCI compliance solutions provider (who typically will have a library of educational material) you can promote the importance of a secure environment.
Next, monitor each merchant organization's completion of security awareness training, which should include guidance on how to properly handle card data. Ensure that merchants track employee completion of training. Also consider helping risky merchants set up comprehensive security policies. Ask your PCI compliance solutions provider to help with security policy templates your merchants can use to create customized security policies based on how each one processes payments.
Once you have educated your risky merchants on PCI compliance and have provided them security awareness training, continue to monitor their compliance progress.
Do they know which SAQ to fill out? Have they completed and submitted it? It is OK to maintain healthy skepticism of your merchants' responses. Some business owners put significant thought, research and effort into filling out the SAQ. Others simply check the boxes. Of those who are required to fill out SAQ C or D (the most complex versions), do you know if they are completing their quarterly ASV scans?
Also consider whether your PCI compliance solutions provider offers you a robust reporting and notification system to help you stay on top of risky merchants. Compliance represents a state at a point in time and must be monitored; many merchants can (and do) fall out of compliance.
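The segmentation questions above and the SAQ/ASV follow-up checks can be turned into a simple portfolio triage. The script below is an added illustration, not ControlScan's or the author's code; the risk weights, the 90-day scan window and the sample merchants are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Merchant attributes mirror the article's segmentation questions (constructed sample data).
@dataclass
class Merchant:
    name: str
    vertical: str              # "hospitality", "retail", "healthcare", ...
    ecommerce: bool            # sells online (card-not-present exposure)
    integrated_pos: bool       # networked POS vs. stand-alone dial-up terminal
    stores_card_data: bool     # retains card data in its own systems
    locations: int
    service_provider: bool     # meets PCI's service-provider definition
    third_parties: int         # providers that touch cardholder data
    has_pci_owner: bool        # someone on staff owns PCI compliance
    saq_type: str              # "A", "B", "C" or "D"
    saq_submitted: bool
    last_asv_scan: "date | None" = None

# Weights are an illustrative assumption; tune them to your own portfolio's loss data.
def risk_score(m: Merchant) -> int:
    score = 0
    score += 3 if m.vertical == "hospitality" else 0   # most-targeted category
    score += 2 if m.ecommerce else 0
    score += 2 if m.integrated_pos else 0
    score += 4 if m.stores_card_data else 0            # biggest avoidable risk
    score += min(m.locations // 5, 3)                  # more sites, less uniformity
    score += 3 if m.service_provider else 0
    score += min(m.third_parties, 3)
    score += 2 if not m.has_pci_owner else 0
    return score

def compliance_gaps(m: Merchant, today: date) -> list:
    gaps = []
    if not m.saq_submitted:
        gaps.append("SAQ %s not submitted" % m.saq_type)
    # SAQ C and D merchants are the ones expected to complete quarterly ASV scans.
    if m.saq_type in ("C", "D") and (m.last_asv_scan is None or (today - m.last_asv_scan).days > 90):
        gaps.append("quarterly ASV scan overdue")
    return gaps

def triage(portfolio, today: date):
    # Rank highest-risk merchants first, each with the validation items still open.
    ranked = sorted(portfolio, key=risk_score, reverse=True)
    return [(m.name, risk_score(m), compliance_gaps(m, today)) for m in ranked]

AS_OF = date(2011, 8, 8)  # assumed reporting date
SAMPLE = [  # constructed example portfolio
    Merchant("Bistro 12", "hospitality", False, True, True, 3, False, 2, False, "D", True, date(2011, 1, 10)),
    Merchant("Corner Books", "retail", False, False, False, 1, False, 0, True, "B", True),
    Merchant("Gadget Shop Online", "retail", True, False, False, 1, False, 1, False, "A", False),
]
```

Running `triage(SAMPLE, AS_OF)` puts the card-storing restaurant with a stale ASV scan at the top of the follow-up list and the dial-up bookshop with a dedicated PCI owner at the bottom.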
Even after you take the suggested steps, a few high-risk merchants will remain of concern. For those, consider engaging a Qualified Security Assessor (QSA) to identify and document, in writing, the steps required for them to achieve PCI compliance.
With a QSA's assistance, you can also formally scope the merchant's cardholder data environment and suggest ways in which it could be reduced. Remember, the smaller the scope of your merchant's cardholder data environment, the more secure the card data and the smaller the impact and costs of compliance.
Low risk doesn't mean unavoidable
There is little hope of stopping fraudsters, hackers and identity thieves from attempting to exploit vulnerabilities in merchants' systems to steal customer data. That is not an excuse, however, to wait passively for them to attack.
The Verizon report notes 83 percent of victims were targets of opportunity, and 96 percent of breaches were avoidable. This is a clear sign that identifying risky merchants, or those who have not met the PCI DSS, is well worth your time, that of your merchants and definitely that of your PCI compliance solutions provider.
Hackers tend to gravitate toward what they perceive to be the easiest targets. Helping your merchants guard against security attacks by taking basic steps toward PCI compliance is perhaps the most productive move you can make.
Steve Robb is Vice President of Operations for Atlanta-based ControlScan, a provider of PCI compliance solutions and QSA services that fit the specific needs of small- to medium-sized merchants. He can be reached at firstname.lastname@example.org.