The Green Sheet Online Edition
October 24, 2011 • Issue 11:10:02
Insider's report on payments
Merchants lack focus, fraud eats profits
As reports filtered out about the "largest ID fraud case in U.S. history" (among them, "Operation Swiper succeeds, cyber theft continues" on page 27 of this issue of The Green Sheet), those of us in the merchant acquiring space were reminded once again just how big a threat card skimming and associated fraud schemes have become to merchants, consumers and the card systems.
According to law enforcement officials in New York, the skimming was conducted by waiters and service sector workers who passed on the information to international crime syndicates that created bogus credit cards to finance a $13 million shopping spree. A total of 111 people from five different criminal gangs were indicted on a slew of charges following a two-year investigation known as "Operation Swiper."
The fraudulent shopping spree focused primarily on Apple Inc.-branded products that were sold in overseas markets. Police reported seizing Apple devices worth tens of thousands of dollars during raids in and around New York City in early October, as well as $850,000 worth of other computer equipment, $650,000 in cash, and a truckload of designer shoes, electronics, watches and other fraudulently purchased items.
Skimming an ongoing problem
The extensive nature of this fraud illustrates just how quick fraudsters are to retool in response to stepped
Although card skimming has been around almost as long as magnetic stripe cards have been in use, it seems to have become more prevalent in recent years, as a growing number of successful network intrusions (hackings) have grabbed headlines and forced greater attention to breaches within the processing stream. Think Payment Card Industry (PCI) Data Security Standard (DSS).
Skimming, on the other hand, often occurs outside the processing stream. That kid at the ice cream stand? The one who took your credit card around the corner to run it the other day?
He could have had a card-skimming device back there (or even in his pocket) that snagged information off the mag stripe before he ever ran the card for your milkshake. Or what about that ATM you just used? Card skimming is a huge problem with ATMs and unattended gas pumps.
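To make concrete what a pocket skimmer actually harvests from one swipe, here is an added example (written for this edition, not part of the original article or of any vendor's software) that parses the ISO/IEC 7813 track 1 and track 2 layouts that magnetic stripes carry. The sample swipes are constructed for the example using the common Visa test PAN 4111 1111 1111 1111 with a made-up cardholder name, expiry and discretionary data; the service-code meanings are the ISO 7813 first-digit values. The masked form is what PCI DSS permits on a display or receipt (first six and last four digits at most), which is the contrast the article's point turns on: the terminal never needs the full stripe after authorization, but the skimmer keeps all of it.

```python
import re

# Constructed sample swipes for this example. The PAN is the widely used
# Visa test number 4111 1111 1111 1111 (Luhn-valid); the name, expiry and
# discretionary data are made up.
SAMPLE_TRACK1 = "%B4111111111111111^DOE/JOHN^25121010000000000000000?"
SAMPLE_TRACK2 = ";4111111111111111=25122010000000000000?"

# ISO/IEC 7813 layouts: track 1 is alphanumeric (start sentinel %, format
# code B), track 2 is numeric (start sentinel ;). Both end with '?'.
TRACK1_RE = re.compile(
    r"^%B(?P<pan>\d{13,19})\^(?P<name>[^^]{2,26})\^"
    r"(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)
TRACK2_RE = re.compile(
    r"^;(?P<pan>\d{13,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>[^?]*)\?$"
)

# First digit of the three-digit service code (ISO 7813). A 2 or 6 means an
# integrated circuit (chip) is on the card and should be used where possible.
INTERCHANGE = {
    "1": "international interchange, magstripe only",
    "2": "international interchange, chip present",
    "5": "national interchange, magstripe only",
    "6": "national interchange, chip present",
    "7": "private, no interchange",
}


def luhn_ok(pan: str) -> bool:
    """Return True if the PAN passes the Luhn (mod 10) check-digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS display masking: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_track(raw: str) -> dict:
    """Parse one raw stripe read into the fields a skimmer harvests."""
    track = 1
    m = TRACK1_RE.match(raw)
    if m is None:
        track = 2
        m = TRACK2_RE.match(raw)
    if m is None:
        raise ValueError("not a well-formed ISO 7813 track 1 or track 2 read")
    f = m.groupdict()
    svc = f["svc"]
    return {
        "track": track,
        "pan": f["pan"],
        "masked_pan": mask_pan(f["pan"]),
        "luhn_ok": luhn_ok(f["pan"]),
        "name": f.get("name"),                 # track 2 carries no name
        "expiry": "20%s-%s" % (f["exp"][:2], f["exp"][2:]),   # YYMM on the stripe
        "service_code": svc,
        "chip_present": svc[0] in ("2", "6"),
        "interchange": INTERCHANGE.get(svc[0], "unknown"),
    }


if __name__ == "__main__":
    for raw in (SAMPLE_TRACK1, SAMPLE_TRACK2):
        rec = parse_track(raw)
        print("track %d  PAN %s  name %s  exp %s  svc %s (%s)" % (
            rec["track"], rec["masked_pan"], rec["name"], rec["expiry"],
            rec["service_code"], rec["interchange"]))
```

The `chip_present` flag is the field an issuer looks at when a magstripe-only transaction arrives for a card whose service code says a chip is present; a skimmer copies the stripe faithfully, so the service code on a cloned card is whatever the victim's card carried.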
The PCI Security Standards Council addressed the problem of card skimming in an August 2009 supplement to its transaction security standards for PIN entry devices (PEDs) titled Skimming Prevention - Best Practices for Merchants.
That document, which places much of the responsibility for combating skimming on merchants, isn't pertinent just to PIN transactions.
"Merchants are the first line of defense for POS fraud," the guidance stated, adding that merchants must "enhance the security provided by the current PCI DSS standards and payment terminal vendors." That is to say, merchants need to accept that protecting against card skimming is as important as keeping card databases and terminals safe from hackers.
The guidelines and best practices offered in the document fall into three areas of focus:
- Physical location and security controls
- Terminals and terminal infrastructure security
- Staff conduct and access to payment devices
Like the PCI DSS, these guidelines can be prescriptive. For example, merchants are advised to place surveillance cameras "such that they record the area around the POS PED device, without actually being able to record the PIN number entered."
But let's get real: merchants aren't eager to spend money on sophisticated surveillance technologies. After all, there's no immediate financial impact felt by individual merchants when credit cards are skimmed due to compromised terminals or fraudulent employees, although good arguments can be made that they can lose customer trust and future sales.
The PCI DSS is inherently flawed because payment card security is a moving target. Even the best prepared organizations can be compromised. Just ask the folks at Heartland Payment Systems Inc., which disclosed a major breach in January 2009, not long after a compliance review had found it operating in line with the PCI DSS.
"Even the best organizations make mistakes, but all too many businesses simply put a band-aid over bullet holes in the hope that the effort will last until the assessor has left," stated a new report from Verizon, the Verizon 2011 Payment Card Industry Compliance Report. Verizon employs teams of Qualified Security Assessors (QSAs) that conduct the security assessments required under the PCI DSS. Its latest report distills the assessments those QSAs filed over the past year.
Verizon reported only 21 percent of organizations it assessed over the past year were fully PCI DSS compliant at the time of their assessments.
This is one percentage point higher than Verizon reported last year, which is practically unchanged. "This lack of change is a bit disappointing, as many in the industry were hoping to see an increase in overall compliance as the PCI DSS became more familiar to an increasing number of organizations," the report said.
Tested organizations, on average, met 78 percent of the requirements laid out in the PCI DSS, Verizon noted. Organizations assessed by Verizon's QSAs struggled most with four of the 12 core requirements of the PCI DSS. These were:
- Protecting stored cardholder data
- Tracking and monitoring access to systems containing card data
- Regularly testing systems and processes
- Maintaining clearly articulated security policies
Verizon said the PCI requirements that seemed least problematic for businesses were encryption, installing and updating anti-virus software, and restricting staff access to cardholder data.
The PCI standards for card security have been in place for at least six years. So why are merchants and their processors having difficulties keeping in step with them? The Verizon report offered several possibilities, including complacency and fatigue.
Merchants complain about the costs of doing business, costs like interchange. But the interchange dollars they pay pale in comparison to the amount of money lost to fraud. According to the LexisNexis True Cost of Fraud Benchmark Study, published in 2009, identity theft fraud costs U.S. merchants $100 billion a year, or $191 billion when the cost of lost and stolen merchandise is factored in.
Maybe it's time for merchants to take a rest from fighting for interchange reform and spend more time and money combating card fraud. Yeah, sure.
Patti Murphy is Senior Editor of The Green Sheet and President of ProScribes Inc. She is also the founder of InsideMicrofinance.com. Email her at firstname.lastname@example.org.