The Green Sheet Online Edition

February 24, 2014  •  Issue 14:02:02


Insider's report on payments:
Leading the charge on card data security

By Patti Murphy

It's time for the industry to get fully behind a card security regimen that benefits everyone in the payment stream: merchants, customers, issuers, acquirers and the card brands, too. And the first step in that process should be an honest and open dialogue about the vulnerabilities that exist and how they can best be contained.

The urgency of the situation is being driven by news reports of breaches involving high-profile retailers, like Target Corp. and Neiman Marcus Group, as well as spiraling costs – both social and financial.

The Ponemon Institute, a Michigan think tank that conducts regular data security research, reported in 2013 that 60 percent of the small and midsize businesses it surveyed had experienced at least one data breach in the preceding 12 months; 51 percent said their businesses' reputations had been damaged as a result of those breaches. The average cost of each of those breaches was $900,000, Ponemon noted.

The online channel is especially vulnerable. A 2012 consumer survey by the Edelman Data Security and Privacy Group found the vast majority of consumers (84 percent) consider information privacy and security to be very important when purchasing items online. Yet only 33 percent said they trusted online retailers to properly protect their personal information.

Smaller is not safer

Not long after the initial news reports about the Target and Neiman Marcus breaches, I was shopping at a small store and I found myself engaged in a conversation about card data breaches. "You know, it's a lot safer using your card at a small shop like ours, because [cyber-criminals] don't even know about us," the store manager said.

I couldn't let that pass without comment. "Who is your acquirer?" I asked.

"Heartland," she responded.

"Are you aware Heartland was breached a few years ago?"

She wasn't, and as it turned out, the store had a different acquirer at the time, so it wasn't affected by that breach. But the entire exchange got me to thinking about just how uneducated many merchants are about card data security, and how acquirers, ISOs and their partners can and should do more to turn the situation around.

A report released earlier this month by the payment security company ControlScan Inc. and the Merchant Acquirers' Committee illustrates my point. Just 44 percent of the merchant services providers surveyed said they offer clients risk-reducing tools or services beyond just providing access to the Payment Card Industry (PCI) Data Security Standard (DSS) Self-Assessment Questionnaires and external vulnerability scanning.

Among ISOs and acquirers that do offer additional services, tokenization and point-to-point encryption are the most common, the survey revealed. With tokenization, sensitive cardholder information is masked with unique identifiers for purposes of authorizing and completing transactions. Tokenization has emerged as a viable security option, especially when used in conjunction with encryption, because it eliminates the possibility of merchants retaining card account information. That, in turn, reduces merchants' PCI compliance costs.
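As an added illustration (not code from the article, ControlScan or MAC), the constructed Python sketch below shows the token-vault model the paragraph describes: the merchant keeps only a random token, the vault alone holds the card number (PAN), and a scope check confirms that merchant-side records carry no PAN. The class name TokenVault, the caller string "authorization-service" and the well-known test PAN used in the comments are assumptions for the example.

```python
import hashlib, hmac, re, secrets

def luhn_valid(pan: str) -> bool:
    """Mod-10 check so that obviously mistyped numbers are never vaulted."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Constructed vault: the only component that ever holds a PAN (it stays in PCI scope)."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key  # keyed index: a PAN cannot be looked up without the key
        self._pan_by_token = {}      # token -> PAN; a production vault encrypts this at rest
        self._token_by_index = {}    # HMAC(PAN) -> token, so a repeat card reuses its token

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        idx = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        if idx in self._token_by_index:
            return self._token_by_index[idx]
        # Random letters carry nothing about the PAN; only the last four digits are
        # preserved so the merchant can still print receipts and handle disputes.
        body = "".join(secrets.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(16))
        token = f"tok_{body}_{pan[-4:]}"
        self._pan_by_token[token] = pan
        self._token_by_index[idx] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        # Only the authorization path may swap a token back for the PAN (hypothetical caller name).
        if caller != "authorization-service":
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]

def record_holds_no_pan(record: dict) -> bool:
    """Scope check for merchant-side storage: no 13-19 digit run that passes Luhn."""
    for value in record.values():
        for run in re.findall(r"\d{13,19}", str(value)):
            if luhn_valid(run):
                return False
    return True
```

The constructed test number 4111111111111111 passes Luhn, so tokenize() accepts it; the merchant record that stores the returned token passes record_holds_no_pan(), while one storing the raw PAN does not.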

Some may balk at the notion of lowering merchant compliance costs, as in many cases PCI compliance fees contribute to bottom-line profits of ISOs and acquirers. But that's a short-term view of a long-term problem. And it doesn't bode well for merchant retention.

"Today's threat environment challenges merchant service providers to take a fresh look at their PCI programs," said Heather Foster, Vice President of Marketing at ControlScan. "Small merchants in particular need guidance in terms of readily available technologies and services that reduce PCI scope and support a strong security posture."

Susan Matt, Chief Executive Officer of payment consulting firm ThoughtKey Inc., and a MAC member, said the survey results point to significant opportunities for merchant acquirers and their sales partners. Among these are the "ability to offer merchants risk-reducing tools as well as justification for being more aggressive in charging non-compliance fees," Matt noted. And companies that "seize these opportunities will achieve greater risk reduction overall, gain revenue and ensure merchant retention," she added.

Further findings from the ControlScan/MAC survey suggest acquirers and their partners are making progress toward greater PCI-compliance validation among small merchants. For example, more companies are seeing portfolio compliance rates that exceed 40 percent. On the flip side, the survey revealed there has been a 23 percent increase in the number of merchant breaches since 2012.

The report contains results of ControlScan's latest poll of acquirers' perspectives on PCI compliance. Titled Building Momentum: The Third Annual Survey of Acquirers' Perspectives on Level 4 Merchant PCI Compliance, it also includes recommendations for successfully engaging merchants in the PCI compliance process. I've summarized those here, along with additional common-sense ideas gleaned from my conversations with industry leaders.

  1. Get up to speed on what information needs to be protected, the risks posed to the security of that data and how those risks can be addressed. Don't forget that different types of merchants can be dealing with different types of risks; there is no one-size-fits-all approach to assessing risks to card data security. Make sure all your employees are on board with the program; regular security awareness training sessions are crucial.
  2. Start talking turkey. As the conversation I excerpted previously in this article illustrates, ISOs and their sales agents aren't sufficiently explaining the nuances of card data security to their clients. Merchants must understand that smaller is not necessarily safer with respect to cybercriminals and card data security. They also need to be cautioned against storing sensitive customer information.
  3. Take the lead in protecting merchants. Be proactive about things like passing along security templates, offering low-cost breach insurance options, helping them to understand various security options as well as the importance of partnering with third-party service providers that have good PCI-compliance programs.
  4. Develop products and services that match merchants' security and compliance needs. "The current threat landscape presents MSPs with a unique opportunity for marketplace differentiation," the ControlScan/MAC report stated. "MSPs that seize the opportunity to develop valuable partnerships with their merchants can realize the results in a more stable base of customers."
  5. Consider offering newer card-acceptance terminals that support end-to-end encryption, thereby eliminating opportunities for data to be stolen from POS systems.
  6. Test security systems and procedures regularly, and take decisive action when necessary.

Patti Murphy is Senior Editor of The Green Sheet and President of ProScribes Inc. She is also the founder of InsideMicrofinance.com. Email her at patti@greensheet.com.

