The Green Sheet Online Edition
May 12, 2008 • Issue 08:05:01
Merchant security is your business
Most security breaches happen when someone hacks into POS or business computer systems and steals cardholder data that merchants - knowingly or unknowingly - stored.
In addition to losing merchant accounts and possibly getting added to the Terminated Merchant File/MATCH list - Member Alert to Control High-Risk database that contains information on merchants who have been terminated for cause - merchants can be charged hefty fines by card brands for security breaches.
It is in the best interest of ISOs and merchant level salespeople (MLSs) to counsel merchants to review the security of their systems before a breach happens, regardless of who is liable for merchant security breaches.
ISOs and MLSs should keep these ideas in mind when thinking about merchant security.
Wherever possible, ISOs or MLSs should make sure acquirers assume liability for merchant security breaches. If ISO or MLS agreements are silent on this point, asking for a revision at the next renewal signing or sometime before then should be considered.
Between POS software providers and merchants, the former are in a much better position to supply Payment Card Industry (PCI) Data Security Standard (DSS) compliance assurances. ISOs and MLSs should encourage merchants to ensure their POS software suppliers undertake, contractually, to keep POS systems in compliance with the various applicable security standards.
Some providers are supplying a one-stop solution for merchants who choose to host all their data in an off-site secure location.
In the payments industry, ISOs and MLSs have the most contact with merchants. Regardless of the large brand for which they may be selling, ISOs or MLSs are often the go-to when merchants have questions concerning their accounts.
Ideally, merchants know and trust their local MLSs. As such, MLSs should use their privileged relationship to educate merchants on all important aspects of their merchant accounts.
Without excluding other topics of education for which MLSs are responsible, they should make sure merchants know failure to comply with security guidelines - such as the PCI DSS and other commonsense procedures - could cost them their entire livelihood overnight as a consequence of a security breach.
When merchants install or purchase POS systems that come already equipped with software, they often assume it is up-to-date and compliant with the various applicable security standards. Merchants must be educated to not make that assumption because it could result in a very costly error.
Merchants must grill their POS and software providers on exactly how secure their systems are and whether the systems are storing cardholder data. If systems are storing cardholder data, then that information must be encrypted and only be saved to the extent absolutely necessary for the operation of the merchant.
I won't go through PCI DSS regulations here, but merchants should be aware of the rules and seek consulting, if necessary, to ensure compliance is fulfilled.
Due process vindication
Due process is sorely lacking in the area of merchant security breach fines. In my experience, card brands do not supply detailed justifications for the fines levied in the event of a merchant security breach.
In other words, from the point of view of the typical merchant, the amount of the fine is barely distinguishable from an arbitrary fee from the now for-profit card brands. For example, merchants could be assessed hundreds of thousands of dollars in fines for fraudulent transactions on stolen cards that might have or might not have occurred.
When assessed these fines, there is little the merchant can do to contest the amount of the fine or the fact it is being assessed against the merchant, other than hire an auditing company.
In short, even for well-meaning and innocent merchants, security breach fines are often the end of their business as they knew it. I think ISOs and MLSs should ask the card brands why they are so far behind in implementing a measure of procedural justice in the security fines area.
There are a number of security consultants in the payments industry that would be only too pleased to have referrals from ISOs and MLSs. After finding one or two trustworthy and enjoyable consultants, ISOs and MLSs should introduce them to their merchants so everyone can work together to improve the security in portfolios of merchants.
In today's market, ISOs and MLSs can distinguish themselves from the competition by being vigilant with merchant security compliance. It may be a hassle for merchants, but they will appreciate the dedication of ISOs and MLSs when hounding them to get in compliance.
Obviously, anyone who is not qualified to advise on security compliance shouldn't misrepresent themselves by stating they can give guidance. However, you do not need to be a certified PCI auditor to tell merchants to have their systems checked on a regular basis by someone who is.
ISOs and MLSs are generally not supposed to come into contact with cardholder data. However, out in the real world, all kinds of things happen. If, for whatever reason, they come into possession of that kind of information, they should either destroy it immediately or discuss with card brands the best destruction procedure to keep the material confidential and secure.
Merchant applications and agreements should be kept under lock and key in a secure area of ISO and MLS offices, and not accessible to all employees. They should also adhere to all policies and procedures of their acquiring banks concerning security of merchant information.
Security is not just a fad. Security is one of the cornerstones of the payments industry. Making sure that merchants are compliant is part of the customer service that ISOs and MLSs are obliged to provide. In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting or other professional services. If you require legal advice or other expert assistance, seek the services of a competent professional. For further information on this article, e-mail Adam Atlas, Attorney at Law, at firstname.lastname@example.org or call him at 514-842-0886.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.