GS Logo
The Green Sheet, Inc

Please Log in

A Thing
View Archives

View PDF of this issue

Care to Share?

Table of Contents

Lead Story

Size matters with big data


Industry Update

AmEx joins EMV push

Congress urged not to stifle mobile innovation

Google makes Wallet changes

New Zeus malware puts payments at risk


GS Advisory Board:
New times, new strategies: What are you doing?

Details on big data

Selling Prepaid

Prepaid in brief

Prepaid EMV reaches U.S. shores

Rev takes off where Square left off


When mobile meets RDC

Patti Murphy
ProScribes Inc.


Street SmartsSM:
Why should a merchant be fired?

Jeff Fortney
Clearent LLC

Cooperation, social strategies combat fraud

Nicholas Cucci
Network Merchants Inc.

Five ways to fix your marketing problems

Nancy Drexler
President, Acquired Marketing

Reach your company's peak performance with training

Alan Kleinman
Meritus Payment Solutions

Spotting unlikely service providers in your midst

Chris Bucolo

Company Profile

Ingenico Inc.

New Products

Table for two, please

Harbortouch Reservations

A mobile-friendly website

Paynet Systems mobile website
Paynet Systems Inc.


Give yourself a break, a long break



Resource Guide


A Bigger Thing

The Green Sheet Online Edition

July 23, 2012  •  Issue 12:07:02

previous next

Spotting unlikely service providers in your midst

By Chris Bucolo

Conventional wisdom holds that hackers don't target small business, just the big guys. While that may have been true before, today's data thief doesn't differentiate between large and small. Hackers actively seek easy-to-exploit security holes wherever they find them on the Internet. Any company that moves or stores data electronically is now a target.

Small merchants have generally been slow to adopt a data security mindset. An "it can't happen to me" viewpoint is especially risky for organizations that operate as service providers, because a single data breach can impact an entire network of merchants. This increases the liability of the primary ISO or merchant acquirer.

On June 25, 2010, for instance, City Newsstand Inc. - prompted by MasterCard Worldwide - found a software program on two cash registers in Chicago that since April 15, 2009, had been transmitting payments data to Russia. (See "Hackers Shift Attacks to Small Firms," The Wall Street Journal, July 21, 2011,

The hackers apparently entered through a weak user name and pass code on the store's remote desktop. With computers infected, City Newsstand's customer payment data that traveled from the reader to the computer to the Internet was being intercepted and sent to a Russian server and email address.

More than merchants in your portfolio

According to the PCI Security Standards Council (PCI SSC), City Newsstand is a service provider. The council, which is the Payment Card Industry (PCI) standards organization, defines a service provider as a business entity "that is not a payment brand, directly involved in the processing, storage or transmission of cardholder data. This also includes companies that provide services that control or could impact the security of cardholder data."

The "merchant as a service provider" role is further specified by the PCI SSC as "a merchant that accepts payment cards as payment for goods and/or services ... if the services sold result in storing, processing or transmitting cardholder data on behalf of other merchants or service providers."

Many merchants do not even realize they also function as service providers, and this lack of awareness puts both their businesses and your portfolio at risk. To minimize exposure to hackers and scrutiny from the card brands, ISOs and acquirers should conduct a basic portfolio analysis to identify these unconventional service providers. The analysis involves two basic questions.

Consider these examples:

Since the service provider designation is potentially difficult to navigate, especially for businesses that do not have a designated compliance person on staff, the ISO or acquirer should identify such a service provider by actively monitoring its portfolio for card brand registration and PCI Data Security Standard (DSS) compliance. Otherwise, risk may go unidentified and unmanaged.

Risk mitigation, step by step

Once merchants operating as service providers are identified, it's time to start prioritizing and mitigating risk. The ISO or acquirer should evaluate each merchant for specific risk indicators and assign a corresponding priority to the account. The following are some basic high-risk indicators:

ISOs and acquirers should reach out to these high-risk service providers/merchants first to verify that they are effectively managing their compliance status, including card brand registration and PCI compliance. Part of this outreach includes educating service providers on the requirements they must meet to achieve PCI compliance.

Service provider/merchant gray areas may require the involvement of a Qualified Security Assessor (QSA). PCI DSS validation can possibly be achieved in one integrated process or two distinct paths with separate records of compliance. A QSA, preferably one recommended by the ISO or acquirer, is in the best position to identify the required course of action.

Some service providers - regardless of level - are meeting the requirements of a Level 1 assessment and audit, which also necessitate the involvement of a QSA. An ISO or acquirer can recommend this course of action to help a service provider minimize risk, relieve compliance pressure and get positive marketing attention.

Off to a solid start

ISOs and acquirers can greatly reduce, if not eliminate, exposure to potentially devastating breaches by refuting the belief that hackers don't target small companies, by analyzing their portfolios to identify unconventional service providers and by working with those merchants to strengthen their security posture. Regardless of an ISO's or acquirer's size, we recommend that an individual within the organization be designated as the PCI/security point person. This person can coordinate all aspects of the processes involved.

The steps discussed here can give the ISO or acquirer a strong, healthy start in identifying merchants operating as service providers and mitigating the associated risk through educational support, as well as recommended security assessment services.

Chris Bucolo is Senior Manager, Security Consulting, of Atlanta-based ControlScan, a leading provider of PCI compliance and security solutions designed for small merchants and the acquirers that serve them. He can be reached at Audio on the topic of service provider designation can be found at

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

previous next

Spotlight Innovators:

North American Bancard | USAePay | Board Studios