The Green Sheet Online Edition

February 24, 2014 • Issue 14:02:02

Insider's report on payments:
Leading the charge on card data security

By Patti Murphy
ProScribes Inc.

It's time for the industry to get fully behind a card security regimen that benefits everyone in the payment stream: merchants, customers, issuers, acquirers and the card brands, too. And the first step in that process should be an honest and open dialogue about the vulnerabilities that exist and how they can best be contained.

The urgency of the situation is being driven by news reports of breaches involving high-profile retailers, like Target Corp. and Neiman Marcus Group, as well as spiraling costs – both social and financial.

The Ponemon Institute, a Michigan think tank that conducts regular data security research, reported in 2013 that 60 percent of the small and midsize businesses it surveyed had experienced at least one data breach in the preceding 12 months; 51 percent said their businesses' reputations had been damaged as a result of those breaches. The average cost of each of those breaches was $900,000, Ponemon noted.

The online channel is especially vulnerable. A 2012 consumer survey by the Edelman Data Security and Privacy Group found the vast majority of consumers (84 percent) consider information privacy and security to be very important when purchasing items online. Yet only 33 percent said they trusted online retailers to properly protect their personal information.

Smaller is not safer

Not long after the initial news reports about the Target and Neiman Marcus breaches, I was shopping at a small store and I found myself engaged in a conversation about card data breaches. "You know, it's a lot safer using your card at a small shop like ours, because [cyber-criminals] don't even know about us," the store manager said.

I couldn't let that pass without comment. "Who is your acquirer?" I asked.

"Heartland," she responded.

"Are you aware Heartland was breached a few years ago?"

She wasn't, and as it turned out, the store had a different acquirer at the time, so it wasn't affected by that breach. But the entire exchange got me to thinking about just how uneducated many merchants are about card data security, and how acquirers, ISOs and their partners can and should do more to turn the situation around.

A report released earlier this month by the payment security company ControlScan Inc. and the Merchant Acquirers' Committee illustrates my point. Just 44 percent of the merchant services providers surveyed said they offer clients risk-reducing tools or services beyond just providing access to the Payment Card Industry (PCI) Data Security Standard (DSS) Self-Assessment Questionnaires and external vulnerability scanning.

Among ISOs and acquirers that do offer additional services, tokenization and point-to-point encryption are the most common, the survey revealed. With tokenization, sensitive cardholder information is masked with unique identifiers for purposes of authorizing and completing transactions. Tokenization has emerged as a viable security option, especially when used in conjunction with encryption, because it eliminates the possibility of merchants retaining card account information. That, in turn, reduces merchants' PCI compliance costs.

Some may balk at the notion of lowering merchant compliance costs, as in many cases PCI compliance fees contribute to bottom-line profits of ISOs and acquirers. But that's a short-term view of a long-term problem. And it doesn't bode well for merchant retention.

"Today's threat environment challenges merchant service providers to take a fresh look at their PCI programs," said Heather Foster, Vice President of Marketing at ControlScan. "Small merchants in particular need guidance in terms of readily available technologies and services that reduce PCI scope and support a strong security posture."

Susan Matt, Chief Executive Officer of payment consulting firm ThoughtKey Inc., and a MAC member, said the survey results point to significant opportunities for merchant acquirers and their sales partners. Among these are the "ability to offer merchants risk-reducing tools as well as justification for being more aggressive in charging non-compliance fees," Matt noted. And companies that "seize these opportunities will achieve greater risk reduction overall, gain revenue and ensure merchant retention," she added.

Further findings from the ControlScan/MAC survey suggest acquirers and their partners are making progress toward greater PCI-compliance validation among small merchants. For example, more companies are seeing portfolio compliance rates that exceed 40 percent. On the flip side, the survey revealed there has been a 23 percent increase in the number of merchant breaches since 2012.

The report contains results of ControlScan's latest poll of acquirers' perspectives on PCI compliance. Titled Building Momentum: The Third Annual Survey of Acquirers' Perspectives on Level 4 Merchant PCI Compliance, it also includes recommendations for successfully engaging merchants in the PCI compliance process. I've summarized those here, along with additional common-sense ideas gleaned from my conversations with industry leaders.

1. Get up to speed on what information needs to be protected, the risks posed to the security of that data and how those risks can be addressed. Don't forget that different types of merchants can be dealing with different types of risks. There is no broad-based approach to assessing risks to card-data security. Make sure all your employees are on board with the program; regular security awareness training sessions are crucial.
2. Start talking turkey. As the conversation I excerpted previously in this article illustrates, ISOs and their sales agents aren't sufficiently explaining the nuances of card data security to their clients. Merchants must understand that smaller is not necessarily safer with respect to cybercriminals and card data security. They also need to be cautioned against storing sensitive customer information.
3. Take the lead in protecting merchants. Be proactive about things like passing along security templates, offering low-cost breach insurance options, helping them to understand various security options as well as the importance of partnering with third-party service providers that have good PCI-compliance programs.
4. Develop products and services that match merchants' security and compliance needs. "The current threat landscape presents MSPs with a unique opportunity for marketplace differentiation," the ControlScan/MAC report stated. "MSPs that seize the opportunity to develop valuable partnerships with their merchants can realize the results in a more stable base of customers."
5. Consider offering newer card-acceptance terminals that support end-to-end encryption, thereby eliminating opportunities for data to be stolen from POS systems.
6. Test security systems and procedures regularly, and take decisive action when necessary.

Patti Murphy is Senior Editor of The Green Sheet and President of ProScribes Inc. She is also the founder of InsideMicrofinance.com. Email her at patti@greensheet.com.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.