The Green Sheet Online Edition

May 12, 2014 • Issue 14:05:01

Lower your data breach risk, a mathematical approach

By Jake Young
SecurityMetrics

At the risk of sounding like a broken record, I won't write in detail about recent high-risk breaches. But I will say this: reducing merchant risk is key to avoiding compromise. I know what you're thinking. "Everyone knows that!" Just stay with me.

Merchants pose a security risk for a variety of reasons. The nature of specific industries makes some merchants more attractive to criminals. For example, hospitality merchants have a higher security risk not only because hotel-goers bring a daily influx of new credit cards, but also because many hotels are franchised in a network with identical security flaws. If a hacker can breach one, he or she can often breach them all. Easy money.

In addition, all merchants are in different stages of Payment Card Industry (PCI) Data Security Standard (DSS) compliance and security. Hackers probe small businesses to find their security flaws. They’re looking for easy paths to compromise, and are often dissuaded by simple security roadblocks. They know easier targets exist. Merchants may be deemed the next target if cybercriminals find vulnerabilities that simple tools could have easily eliminated.

Many ISOs come to me looking for the magic solution to ensure the permanent elimination of breaches from their portfolios. While I can't provide any sort of breach-reducing spell, what I can do is lay out the types of merchants that pose the highest risk.

First, we have to dive deep into your merchant base and learn more about what creates portfolio risk.

Merchant type considerations

In its latest PANscan security study, SecurityMetrics found that financial, hospitality and retail merchants store the most unencrypted payment card information. (Which is 100 percent against the PCI DSS, by the way.) This data coincides closely with other security reports that state the specific industries hackers are most likely to target.

Your portfolio risk could be very high or low simply because of the merchant types you acquire. Technically speaking, if your portfolio includes a majority of health care and food service merchants, it could result in more breach incidents, as opposed to a portfolio consisting mostly of merchants in the agriculture and real estate industries.

A merchant's transaction volume may also have a big impact on your risk level. High-profile breaches are in the news at least once a quarter. What I don't see in the news are the dozens of small breaches happening every single week. Though it seems a bit backward, hackers regularly go after the smaller merchants.

Let me explain. Although bigger merchants have more booty to steal, their systems tend to be very well protected and take more legwork for attackers. Large merchants have the money to hire information technology staff and chief security officers. They have the time to spend learning how to correctly set up a firewall and patch operating system holes. The smaller merchants, on the other hand, are easy targets. According to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year.

The availability of online hacking tools has swelled the ranks of effective hackers. Now, an amateur with a grade-school computer education can hack a poorly defended business in minutes after downloading a free hacking template.

Brick-and-mortar considerations

How much do you think your merchants know about security? From my experience, it's less than you might think. Offering merchant security awareness training is one of the most inexpensive and effective ways to lower the possibility of data breach.

According to the PWC Global State of Information Security Survey 2014, 22 percent of respondents indicated they do not have an employee security awareness training program in place, but designated it a top priority for the coming year.

People make smarter decisions when they're presented with better data. It's the same in security. Taking the time to educate your merchants, or asking your PCI vendor to help, could mean the difference between a simple security error and a secure processing environment.

Now for some technological considerations.

Although Europay/MasterCard/Visa (EMV) is the upcoming deadline on acquirers' plates, the trend I see dramatically reducing data breaches in the long run is point-to-point encryption (P2PE).

P2PE is the most secure and liability-reducing payment technology available to businesses today. Not only does it securely process cards with encryption above industry standards, it reduces PCI scope. Because it is so secure, a PCI-validated P2PE solution basically negates the need for many of the security items required in a Self-Assessment Questionnaire (SAQ).

E-commerce considerations

After including the brick-and-mortar factors already discussed above, there is an issue unique to e-commerce. Even though you don't have control over this factor, you should still be familiar with it.

Right now, according to Feedzai, online shopping only accounts for 6 percent of consumer spending, which equals $343 billion out of the $4 trillion in retail purchases. So, although CyberSource reported hackers were responsible for $3.5 billion lost in e-commerce sales in 2012, it was a mere drop in the bucket. This trend is likely to change starting in 2015.

Beyond 2015, e-commerce merchants will pose a greater risk than today due to the butterfly effect following the mass adoption of EMV. Although EMV doesn’t directly affect e-commerce, once U.S. brick-and-mortar merchants seriously begin the EMV migration, hackers will begin to focus their efforts toward the e-commerce industry.

PCI compliance considerations

You probably already guessed it was coming, but PCI compliance is a big factor in your risk reduction. The more noncompliant merchants you have, the higher your risk of being affected by a data breach. No big news there. The thing most acquirers and ISOs haven't done yet is figure out how many merchants are actually compliant. In 2014, Fortinet found that one in five small to midsize business retailers are not PCI compliant.

An easy (though not foolproof, and somewhat time-consuming) way to estimate claimed compliance versus actual compliance is by tracking how long it takes a merchant to fill out an online SAQ for the first time. Merchants who spend less than 10 minutes on it are probably racing through just to check it off their to-do lists. If they spend a few hours or days on it, they're probably being honest in the way they fill it out. But like I said, this is a somewhat unrealistic technique. If you try this method, and the results don't meet your own PCI compliance standard, you may wish to discover other ways to motivate your merchants.

Based on what I've just discussed, a risk-averse portfolio with the lowest chance of data breach has no high-risk industries (like hospitality, food, retail, or finance), and includes 100 percent PCI-compliant, midsize, and P2PE-using brick-and-mortar merchants. Whew. Obviously, the perfect statistical approach doesn't account for real life.

Risk calculation exercise

Following is an exercise that may provide more insight into your portfolio risk level.

Section 1: Check all that apply to your portfolio:

  • hospitality merchants
  • retail merchants
  • food and beverage merchants
  • health care merchants
  • finance merchants
  • merchants not undergoing security training program
  • more than 20 percent PCI noncompliant
  • compromised merchants (past or present)

  • Total checks from Section 1

Section 2: Check all that apply to your portfolio:

  • most merchants are L2-L3
  • most merchants are brick-and-mortar
  • most merchants use PCI-validated P2PE solution
  • most merchants use EMV solution
  • most merchants conduct quarterly vulnerability scanning
  • most merchants scan for unencrypted card data
  • most merchants actually PCI compliant

  • Total checks from Section 2

Instructions: Subtract Section 2 total from Section 1 total to receive your portfolio risk score.

Portfolio risk score

-7 to 3: Good work. You're doing the right things to reduce your merchants' risk and increase their security! Statistically speaking, your portfolio has a very low possibility of data breach.

3 to 5: Needs improvement. Your portfolio is on the right track, but there are many ways you can reduce risk. Have you started offering an EMV solution yet?

5 to 8: Yikes! Enforce compliance now! There's no easy way to say it: your portfolio probably has a high chance of data breach. But the positive news is, there's lots of room for improvement! Start offering a P2PE solution in addition to a proven PCI compliance program to show that risk who's really in charge.
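
The exercise above can be run against merchant records rather than ticked by hand. The following is an added example, not part of the original article: the record fields and the sample portfolio are constructed, and it assumes "most" means more than half, reads "L2-L3" as merchant levels 2 and 3, and places the overlapping scores 3 and 5 in the higher-risk band.

```python
# Added example: field names and SAMPLE are constructed for illustration.
HIGH_RISK = ("hospitality", "retail", "food and beverage", "health care", "finance")

def merchant(industry, **overrides):
    """Build one constructed merchant record; keyword arguments override defaults."""
    record = dict(industry=industry, trained=True, pci=True, compromised=False,
                  level=4, channel="brick-and-mortar", p2pe=False, emv=False,
                  quarterly_scan=False, pan_scan=False)
    record.update(overrides)
    return record

def share(ms, pred):
    """Fraction of merchants for which pred holds."""
    return sum(1 for m in ms if pred(m)) / len(ms)

def section1(ms):
    """Count the Section 1 (risk-raising) items that apply to the portfolio."""
    checks = [any(m["industry"] == ind for m in ms) for ind in HIGH_RISK]
    checks.append(any(not m["trained"] for m in ms))
    checks.append(share(ms, lambda m: not m["pci"]) > 0.20)
    checks.append(any(m["compromised"] for m in ms))
    return sum(checks)

def section2(ms):
    """Count the Section 2 (risk-lowering) items that apply to the portfolio."""
    def most(pred):  # assumption: "most" means more than half
        return share(ms, pred) > 0.5
    return sum([most(lambda m: m["level"] in (2, 3)),  # assumption: L2-L3 = levels 2, 3
                most(lambda m: m["channel"] == "brick-and-mortar"),
                most(lambda m: m["p2pe"]), most(lambda m: m["emv"]),
                most(lambda m: m["quarterly_scan"]), most(lambda m: m["pan_scan"]),
                most(lambda m: m["pci"])])

def band(score):
    """Map a score to the article's bands; assumption: 3 and 5 take the higher band."""
    if score < 3:
        return "Good work"
    return "Needs improvement" if score < 5 else "Yikes! Enforce compliance now!"

def portfolio_risk(ms):
    """Section 1 total minus Section 2 total, with its band."""
    score = section1(ms) - section2(ms)
    return score, band(score)

SAMPLE = [merchant("hospitality", pci=False, trained=False),
          merchant("retail", channel="e-commerce", compromised=True),
          merchant("retail", p2pe=True, emv=True),
          merchant("agriculture", pan_scan=True),
          merchant("real estate", pci=False)]

print(portfolio_risk(SAMPLE))
```

The sample portfolio lands exactly on a score shared by two bands, which is where the choice of boundary rule changes the result.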

Jake Young is Director of Business Development for SecurityMetrics, and can be reached at jyoung@securitymetrics.com or 801-995-6340. SecurityMetrics is a global data security and compliance company and offers PCI compliance solutions for processing and acquiring entities.
