By Chris Bucolo
Conventional wisdom holds that hackers don't target small businesses, just the big guys. While that may have been true before, today's data thief doesn't differentiate between large and small. Hackers actively seek easy-to-exploit security holes wherever they find them on the Internet. Any company that moves or stores data electronically is now a target.
Small merchants have generally been slow to adopt a data security mindset. An "it can't happen to me" viewpoint is especially risky for organizations that operate as service providers, because a single data breach can impact an entire network of merchants. This increases the liability of the primary ISO or merchant acquirer.
On June 25, 2010, for instance, City Newsstand Inc. - prompted by MasterCard Worldwide - found a software program on two cash registers in Chicago that since April 15, 2009, had been transmitting payments data to Russia. (See "Hackers Shift Attacks to Small Firms," The Wall Street Journal, July 21, 2011, http://online.wsj.com/article/SB10001424052702304567604576454173706460768.html).
The hackers apparently entered through a weak username and passcode on the store's remote desktop. Once the computers were infected, City Newsstand's customer payment data traveling from the card reader to the computer and on to the Internet was being intercepted and sent to a Russian server and email address.
According to the PCI Security Standards Council (PCI SSC), City Newsstand is a service provider. The council, which is the Payment Card Industry (PCI) standards organization, defines a service provider as a business entity "that is not a payment brand, directly involved in the processing, storage or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data."
The "merchant as a service provider" role is further specified by the PCI SSC as "a merchant that accepts payment cards as payment for goods and/or services ... if the services sold result in storing, processing or transmitting cardholder data on behalf of other merchants or service providers."
Many merchants do not even realize they also function as service providers, and this lack of awareness puts both their businesses and your portfolio at risk. To minimize exposure to hackers and scrutiny from the card brands, ISOs and acquirers should conduct a basic portfolio analysis to identify these unconventional service providers. The analysis involves two basic questions.
Consider these examples:
Since the service provider designation is potentially difficult to navigate, especially for businesses that do not have a designated compliance person on staff, the ISO or acquirer should identify such a service provider by actively monitoring its portfolio for card brand registration and PCI Data Security Standard (DSS) compliance. Otherwise, risk may go unidentified and unmanaged.
Once merchants operating as service providers are identified, it's time to start prioritizing and mitigating risk. The ISO or acquirer should evaluate each merchant for specific risk indicators and assign a corresponding priority to the account. The following are some basic high-risk indicators:
ISOs and acquirers should reach out to these high-risk service providers/merchants first to verify that they are effectively managing their compliance status, including card brand registration and PCI compliance. Part of this outreach includes educating service providers on the requirements they must meet to achieve PCI compliance.
Service provider/merchant gray areas may require the involvement of a Qualified Security Assessor (QSA). PCI DSS validation can possibly be achieved in one integrated process or two distinct paths with separate records of compliance. A QSA, preferably one recommended by the ISO or acquirer, is in the best position to identify the required course of action.
Some service providers - regardless of level - are meeting the requirements of a Level 1 assessment and audit, which also necessitate the involvement of a QSA. An ISO or acquirer can recommend this course of action to help a service provider minimize risk, relieve compliance pressure and get positive marketing attention.
ISOs and acquirers can greatly reduce, if not eliminate, exposure to potentially devastating breaches by refuting the belief that hackers don't target small companies, by analyzing their portfolios to identify unconventional service providers and by working with those merchants to strengthen their security posture. Regardless of an ISO's or acquirer's size, we recommend that an individual within the organization be designated as the PCI/security point person. This person can coordinate all aspects of the processes involved.
The steps discussed here can give the ISO or acquirer a strong, healthy start in identifying merchants operating as service providers and mitigating the associated risk through educational support, as well as recommended security assessment services.
Chris Bucolo is Senior Manager, Security Consulting, of Atlanta-based ControlScan, a leading provider of PCI compliance and security solutions designed for small merchants and the acquirers that serve them. He can be reached at firstname.lastname@example.org. Audio on the topic of service provider designation can be found at www.controlscan.com/webinars/demystifying_service_provider_designation.php.