The Green Sheet Online Edition
January 12, 2015 • Issue 15:01:01
Charge Anywhere puts spotlight on TPSPs
Recent news of a security breach at Charge Anywhere has raised concerns about vulnerabilities that may exist in payments industry middleware and third-party service providers (TPSPs).
Charge Anywhere, a New Jersey-based payment gateway, has long been considered an innovator in the mobile payments space, marketing payment solutions and services through ISO and reseller distribution channels since 2002. Now, the company is working with its channel partners to help them mitigate risk, as well as teaming up with security specialists to forensically investigate malware initially discovered on Sept. 22, 2014. The malware has since been removed.
In a written notice posted on the company's website, Charge Anywhere stated its investigation had "revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic. Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests.
"While we discovered the malware on September 22, 2014, it required extensive forensic investigative efforts to de-code it and determine its capabilities. During the exhaustive investigation, only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified. Although we only found evidence of actual network traffic capture for this short time frame, the unauthorized person had the ability to capture network traffic as early as November 5, 2009."
The malicious act struck a collective nerve in the vast, interconnected payments ecosystem. Other reports of high-profile data breaches such as those at Bebe Stores Inc., The Home Depot Inc., and Target Corp. made no mention of the processors or middleware service providers behind compromised big-box brands.
However, the Charge Anywhere breach provided news media with a rare behind-the-scenes peek at the payments industry. Charge Anywhere senior management said they appreciate the gestures of support received from industry friends and colleagues and told The Green Sheet the company needs a bit more time before its representatives can make further comments. The ultimate impact the apparent five-year intrusion will have on Charge Anywhere's business is as yet unknown.
PCI provides guidance, not guarantees
Chris Bucolo, ControlScan's Senior Manager of Security Consulting, noted that hackers have become more advanced, sophisticated and innovative at exploiting vulnerabilities in merchant and processor environments, prompting some clients to debate the overall effectiveness of Payment Card Industry (PCI) Data Security Standard (DSS) security.
"Some of our clients claim that PCI security doesn't go far enough because you can pass a couple of tests but still be at risk for a data breach," Bucolo said. He added that PCI is designed to provide guidelines but not guarantees. He recommended that payment professionals and merchants perform due diligence when vetting prospective service providers and make sure they fully understand the potential providers' security practices. He would like to see more clients push for detailed explanations about the ways in which service providers manage security.
"We encourage clients to ask the tough questions," Bucolo said. "When their processor says, 'We're compliant,' clients can ask processors how frequently they test security levels and how they assess the compliance of other third-party service providers in their networks."
Build relationships with trusted TPSPs
ControlScan is a member company of Third-Party Security Assurance Group, a special interest group of The PCI Security Standards Council (PCI SSC) that's focused on security best practices by TPSPs. The committee published a report in August 2014 providing guidance to businesses that use TPSPs to "store, process, or transmit cardholder data on the entity's behalf, or to manage components of the entity's cardholder data environment (CDE), such as routers, firewalls, databases, physical security, and/or servers."
The comprehensive 44-page report covers everything from how to identify an appropriate TPSP to how to perform risk assessments and maintain a satisfactory, ongoing relationship with aligned interests and optimal security practices. The guidelines list five milestones in a business relationship with a third party: setting expectations, gaining transparency, establishing communications, requesting evidence and obtaining information about PCI compliance.
The report gives several reasons that justify the time and effort involved in developing and implementing a strong TPSP monitoring program. Such a program:
- Improves the security of the cardholder data environment
- Sets expectations for businesses and their service providers
- Keeps the lines of communication open with a formal monitoring program
- Shows businesses how to actively participate in protecting their card data environments by taking a proactive – instead of reactive – position
- Can demonstrate compliance with a key section of the PCI DSS if requested by a party performing an assessment
Biff Matthews is President of CardWare International, a full-service provider of hardware, software, supply logistics and call center services in Heath, Ohio. Matthews saw similarities between the PCI SSC guidelines and the federal guidelines that require banks to know their customers. He noted that all financial institutions, ISOs and merchant level salespeople should really know their vendors, including the individuals who download their POS and PIN entry devices.
Matthews advised asking plenty of questions before establishing a working relationship. "Is that service provider PCI compliant, and a certified ESO [encryption services organization]?" Matthews said. "Don't hesitate to validate their computer system, physical location security and perform employee background checks. Be secure."