The Green Sheet Online Edition
July 23, 2012 • Issue 12:07:02
Spotting unlikely service providers in your midst
Conventional wisdom holds that hackers don't target small businesses, just the big guys. While that may have been true before, today's data thief doesn't differentiate between large and small. Hackers actively seek easy-to-exploit security holes wherever they find them on the Internet. Any company that moves or stores data electronically is now a target.
Small merchants have generally been slow to adopt a data security mindset. An "it can't happen to me" viewpoint is especially risky for organizations that operate as service providers, because a single data breach can impact an entire network of merchants. This increases the liability of the primary ISO or merchant acquirer.
On June 25, 2010, for instance, City Newsstand Inc. - prompted by MasterCard Worldwide - found a software program on two cash registers in Chicago that since April 15, 2009, had been transmitting payments data to Russia. (See "Hackers Shift Attacks to Small Firms," The Wall Street Journal, July 21, 2011, http://online.wsj.com/article/SB10001424052702304567604576454173706460768.html).
The hackers apparently entered through a weak user name and passcode on the store's remote desktop. Once the registers were infected, City Newsstand's customer payment data was intercepted as it traveled from the card reader to the computer to the Internet, and sent on to a Russian server and email address.
More than merchants in your portfolio
According to the PCI Security Standards Council (PCI SSC), City Newsstand is a service provider. The council, which is the Payment Card Industry (PCI) standards organization, defines a service provider as a business entity "that is not a payment brand, directly involved in the processing, storage or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data."
The "merchant as a service provider" role is further specified by the PCI SSC as "a merchant that accepts payment cards as payment for goods and/or services ... if the services sold result in storing, processing or transmitting cardholder data on behalf of other merchants or service providers."
Many merchants do not even realize they also function as service providers, and this lack of awareness puts both their businesses and your portfolio at risk. To minimize exposure to hackers and scrutiny from the card brands, ISOs and acquirers should conduct a basic portfolio analysis to identify these unconventional service providers. The analysis involves two basic questions.
- Question 1: What kind of companies are in my base: known service providers, such as traditional ISOs, or merchants also serving as nontraditional, third-party service providers (as defined above)?
- Question 2: Does the portfolio contain concentrations of customers in certain vertical markets or niches (see following examples) that could be functioning as both merchants and service providers?
Consider these examples:
- An e-commerce merchant also hosts e-commerce sites for other merchants. These websites accept credit cards for payment processing. The primary merchant is in the payment path (if, for example, card transactions traverse its network environment), so the primary merchant is both a merchant and a service provider.
- Large hospitality chains can also contain hidden service providers. Say a hotel chain maintains both corporate-owned and franchisee locations, making the corporation a franchisor. The franchisee locations utilize the systems at the franchisor's headquarters for card payment processing. This makes the corporation both a merchant and a service provider. The franchisee locations would likely be classified as merchants.
Since the service provider designation is potentially difficult to navigate, especially for businesses that do not have a designated compliance person on staff, the ISO or acquirer should identify such a service provider by actively monitoring its portfolio for card brand registration and PCI Data Security Standard (DSS) compliance. Otherwise, risk may go unidentified and unmanaged.
Risk mitigation, step by step
Once merchants operating as service providers are identified, it's time to start prioritizing and mitigating risk. The ISO or acquirer should evaluate each merchant for specific risk indicators and assign a corresponding priority to the account. The following are some basic high-risk indicators:
- The merchant is a Registration Level 4 (as designated by the individual card brand).
- The merchant operates within an especially vulnerable niche, such as hospitality, retail chains, restaurants, food delivery/carryout chains, universities and the emerging risk area of medical offices.
- The merchant utilizes a POS system and has Internet access for processing payment information.
- The merchant electronically stores cardholder data.
- The merchant heavily relies on a specialized service provider whose access could compromise payment-related terminals, devices or applications, for example an information technology services company that supports restaurant POS systems.
ISOs and acquirers should reach out to these high-risk service providers/merchants first to verify that they are effectively managing their compliance status, including card brand registration and PCI compliance. Part of this outreach includes educating service providers on the requirements they must meet to achieve PCI compliance.
Service provider/merchant gray areas may require the involvement of a Qualified Security Assessor (QSA). PCI DSS validation may be achieved either in one integrated process or along two distinct paths with separate records of compliance. A QSA, preferably one recommended by the ISO or acquirer, is in the best position to identify the required course of action.
Some service providers - regardless of level - are meeting the requirements of a Level 1 assessment and audit, which also necessitate the involvement of a QSA. An ISO or acquirer can recommend this course of action to help a service provider minimize risk, relieve compliance pressure and get positive marketing attention.
Off to a solid start
ISOs and acquirers can greatly reduce, if not eliminate, exposure to potentially devastating breaches by refuting the belief that hackers don't target small companies, by analyzing their portfolios to identify unconventional service providers and by working with those merchants to strengthen their security posture. Regardless of an ISO's or acquirer's size, we recommend that an individual within the organization be designated as the PCI/security point person. This person can coordinate all aspects of the processes involved.
The steps discussed here can give the ISO or acquirer a strong, healthy start in identifying merchants operating as service providers and mitigating the associated risk through educational support, as well as recommended security assessment services.
Chris Bucolo is Senior Manager, Security Consulting, of Atlanta-based ControlScan, a leading provider of PCI compliance and security solutions designed for small merchants and the acquirers that serve them. He can be reached at firstname.lastname@example.org. Audio on the topic of service provider designation can be found at www.controlscan.com/webinars/demystifying_service_provider_designation.php.