By Steve Robb
Although data breaches within Level 1 or Level 2 merchants are well-documented and garner the majority of attention, information in the Verizon 2011 Data Breach Investigations Report notes a significant, recent decline in large-scale breaches.
At first, the numbers might give us cause to celebrate the lowest amount of data lost since 2004. A closer look, however, also unveils an all-time high in the number of incidents investigated. And within Level 4 merchant portfolios, the potential risk - particularly to accounts that are not Payment Card Industry (PCI) Data Security Standard (DSS) compliant - is unsettling.
In an article about the report, SecurityWeek wrote that hackers "may be making a classic risk versus reward decision and opting to 'play it safe' in light of recent arrests and prosecutions. Numerous smaller strikes on hotels, restaurants and retailers represent a lower-risk alternative, and cybercriminals appear to be taking greater advantage of that option."
Visa Inc. defines Level 4 merchants as businesses processing fewer than 20,000 Visa e-commerce transactions an-nually or all other merchants processing up to 1 million Visa transactions annually.
While these smaller numbers may lead some to envision mom-and-pop stores using knuckle busters, it is likely today they also have websites selling their goods and pay little time and attention to firewalls or securely coded payment pages.
The Level 4 distinction may also include ultra, high-end hotels or restaurants with complex POS networks. Level 4 merchants have the broadest array of payment technology in use and, therefore, are at the greatest risk for data breaches. This is mainly a result of merchants being defined by their volume, not by their sophistication, product or service.
The Verizon report identifies an alarming trend in how breaches occurred over the last year. Ninety-two percent of data breaches originated from external sources, usually involving a hack or introduction of malware. For the first time, physical attacks, which include ATM compromises and credit card data theft, ranked third and accounted for 29 percent of breaches.
The PCI Security Standards Council (PCI SSC) prescribes an ongoing process for Level 4 merchant compliance, including completion of an annual self-assessment questionnaire (SAQ) and potentially a quarterly network scan by an Approved Scanning Vendor (ASV). The card brands, through the PCI SSC, do not require onsite assessments and leave management of compliance deadlines - validation and revalidation - largely to the discretion of ISOs and acquirers.
Almost all organizations reporting payment card breaches in 2010 were not validated as compliant with the PCI DSS at the time of the breach - a staggering 89 percent, according to the Verizon breach report.
Segmentation is the key to identifying and prioritizing risky merchants within an acquirer's portfolio. To get started, consider the following approaches:
After reviewing this list, you will inevitably have additional questions or be able to identify merchants warranting further evaluation. This is where good, old-fashioned merchant relationships come into play. Based on what you know about a given merchant, how the business accepts payments and whether the merchant is active in PCI compliance, can you determine whether the merchant is at high risk for a breach?
Now that your portfolio is segmented, gauge what your risky merchants know about PCI compliance. Can an out-of-compliance merchant's risk stance be remediated through education and context-setting? With the help of your PCI compliance solutions provider (who typically will have a library of educational material) you can promote the importance of a secure environment.
Next, monitor each merchant organization's completion of security awareness training, which should include guidance on how to properly handle card data. Ensure that merchants track employee completion of training. Also consider helping risky merchants set up comprehensive security policies. Ask your PCI compliance solutions provider to help with security policy templates your merchants can use to create customized security policies based on how each one processes payments.
Once you have educated your risky merchants on PCI compliance and have provided them security awareness training, continue to monitor their compliance progress.
Do they know which SAQ to fill out? Have they completed and submitted it? It is OK to maintain healthy skepticism of your merchants' responses. Some business owners put significant thought, research and effort into filling out the SAQ. Others simply check the boxes. Of those who are required to fill out SAQ C or D (the most complex versions), do you know if they are completing their quarterly ASV scans?
Also consider whether your PCI compliance solutions provider offers you a robust reporting and notification system to help you stay on top of risky merchants. Compliance represents a state at a point in time and must be monitored; many merchants can (and do) fall out of compliance.
Even after you take the suggested steps, a few high-risk merchants will remain of concern. For those, consider engaging a Qualified Security Assessor (QSA) to identify and document, in writing, the steps required for them to achieve PCI compliance.
With a QSA's assistance, you can also formally scope the merchant's cardholder data environment and suggest ways in which it could be reduced. Remember, the smaller the scope of your merchant's cardholder data environment, the more secure the card data and the smaller the impact and costs of compliance.
There is little hope of stopping fraudsters, hackers and identity thieves from attempting to exploit vulnerabilities in merchants' systems to steal customer data. That is not an excuse, however, to wait passively for them to attack.
The Verizon report notes 83 percent of victims were targets of opportunity, and 96 percent of breaches were avoidable. This is a clear sign that identifying risky merchants, or those who have not met the PCI DSS, is well worth your time, that of your merchants and definitely that of your PCI compliance solutions provider.
Hackers tend to gravitate toward what they perceive to be the easiest targets. Helping your merchants guard against security attacks by taking basic steps toward PCI compliance is perhaps the most productive move you can make.
Steve Robb is Vice President of Operations for Atlanta-based ControlScan, a provider of PCI compliance solutions and QSA services that fit the specific needs of small- to medium-sized merchants. He can be reached at firstname.lastname@example.org.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next