Monday, July 27, 2009

New research: Biggest card security risk is at merchant level

Malware, counterfeit card fraud and card-not-present fraud are at the top of the list of threats to merchants today, according to a new report from the research firm Aite Group this month. The research report highlighted merchants as the most vulnerable position in the card data security ecosystem.

The report, “Card Data Security: In Search of a Technology Solution,” talked to heads of risk management for North American issuing banks or payment processors to determine what they saw as the biggest card security problems, the responsibilities of stakeholders and possible security solutions that could minimize the risk.

Who is most at risk? The report says 62% of survey respondents said the merchants, followed by acquirers, with 43% of the respondents naming this group as vulnerable or very vulnerable to security breaches. ISOs may have the least to worry about, with only 30% of respondents calling them vulnerable or very vulnerable to security breaches.

Aite’s Nick Holland points out that the promising solution of shifting the industry from magnetic stripe cards to smart cards, also known as EMV, may never happen. Holland warns that, “with the deeply entrenched magnetic stripe infrastructure in the United States, and the cost and effort involved in transitioning stakeholders to chip and PIN infrastructure,” these hurdles may preclude a move to more secure EMV architectures.

More info on the report is here.

Aite is also currently running a survey in which C-level technology and operations executives at North American banks can share their views on IT strategy trends in the banking industry. Click here to participate.

Friday, July 24, 2009

Nearly 90% ‘trying to implement PCI Compliance process’ says report

A new report out from the Institute of Internal Auditors reveals that nearly 90 percent of companies surveyed are trying to implement a PCI compliance process. The report also says that 56 percent of companies are in compliance with PCI DSS today.

The entire report, “Moving Toward PCI Compliance,” is available here.

As a bonus, the report also offers tips from the IT Compliance Institute to help internal auditors achieve PCI compliance.

Tuesday, June 30, 2009

Has your third party vendor put you at risk?

Since 2006, over 70 retailers and payment processors have disclosed breaches involving tens of millions of credit and debit card numbers, according to the Privacy Rights Clearinghouse.

As more and more small businesses comply with PCI DSS and consider their systems' resilience to attack, being hacked by an outside attacker remains, as it should be, of utmost concern in the eyes of most business owners.

But what if your security expert is the one that puts you at risk? Would you know?

A business person runs a business. Regulations like PCI DSS and other security laws are increasingly making business owners responsible for ensuring the integrity of their computer systems and credit card data. While simple processes such as where to store paper credit card data or ensuring systems are locked in an appropriate facility within the business are fairly routine processes for a business owner to address, ensuring that computer systems are not only PCI-compliant but resilient to a hack goes beyond most business owners’ expertise.

Most often a business will engage a ‘security expert.’ If a new system that could offer ‘improved’ security is required and deployed, most businesses rely on their POS (Point of Sale) vendor to set up that system in a secure manner, an arguably reasonable expectation.

Not so fast. Our forensics team was recently called in to perform an investigation for a small business owner in the Southeastern US that was hacked. In reviewing the log files and performing our investigation, we uncovered a very disturbing fact: the third-party vendor had left behind information on the system that detailed several other businesses in the region that were also under contract to that same vendor, including passwords and computer configuration data.

It was, in this case, a POS vendor and not a security vendor that had performed the system’s security setup. Attackers then used this information to access the other businesses named in the documentation left behind by the vendor. In each instance it was found that the business was set up uniformly and exactly as each of the other businesses was set up, thereby making them all insecure. Additionally, each business had been set up to use the exact same default passwords at each location, giving the attacker immediate administrative access to over 40 additional businesses.

There are reasons to be concerned about leaving your data security in someone else’s hands. Your customers entrust your business to protect the information they share with you. Breaching that trust could mean less business and could be far more damaging than monetary consequences like paying a fine for a security breach or a noncompliance fee to Visa.

Picking your security vendor, and learning how your business can be more secure when working with a third-party security vendor or any other vendor, should be a critical decision for any business owner.

-Dave Ellis, Director, Forensic Investigations
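The two findings above, identical default credentials across every site the vendor configured and vendor files left behind that name other sites' passwords, are both cheap to check for before an attacker does. The audit below is an added example, not code from the original post or from any vendor; the site inventory, the hypothetical POS's SHA-256 password storage, the "known default" list and the leftover note are all constructed.

```python
"""Audit a fleet of vendor-configured POS deployments for credential reuse,
known vendor defaults, and leftover vendor notes that expose other sites."""
import hashlib
from collections import defaultdict


def sha256(s: str) -> str:
    # Assumption: the hypothetical POS stores admin passwords as plain SHA-256.
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed inventory: one record per site the same vendor set up.
INVENTORY = [
    {"site": "store-01", "user": "admin", "pw_hash": sha256("pos1234")},
    {"site": "store-02", "user": "admin", "pw_hash": sha256("pos1234")},
    {"site": "store-03", "user": "admin", "pw_hash": sha256("Str0ng-Unique-03")},
    {"site": "store-04", "user": "admin", "pw_hash": sha256("pos1234")},
]

# Constructed list of vendor default password hashes (in practice, taken from
# the vendor's install guide or from earlier engagements with the same vendor).
KNOWN_DEFAULT_HASHES = {sha256("pos1234"), sha256("password")}

# Constructed example of a vendor note found on one compromised host.
LEFTOVER_NOTE = ("Install notes: store-01 admin password pos1234; "
                 "store-02 and store-04 use the same password.")


def shared_credentials(inventory):
    """Return (user, pw_hash) pairs that are in use at more than one site."""
    groups = defaultdict(list)
    for rec in inventory:
        groups[(rec["user"], rec["pw_hash"])].append(rec["site"])
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def default_credentials(inventory, defaults=KNOWN_DEFAULT_HASHES):
    """Return sites whose admin password hash matches a known vendor default."""
    return sorted(r["site"] for r in inventory if r["pw_hash"] in defaults)


def leftover_site_references(file_text, inventory, this_site):
    """Return other sites named in a file that also mentions passwords:
    exactly the kind of artefact that let one breach pivot to 40 more."""
    text = file_text.lower()
    if not any(k in text for k in ("password", "passwd", "pwd")):
        return []
    return sorted(r["site"] for r in inventory
                  if r["site"] != this_site and r["site"] in text)
```

Any non-empty result from the first two checks means a compromise of one site is a compromise of all of them; the third check belongs in the post-install cleanup review for every host a vendor touches.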

MasterCard’s changes could affect 2000 merchants

SearchSecurity’s Marcia Savage put together a great summary and industry response to increased PCI requirements announced last week by MasterCard.

The new rules, she reports, will mean that Level 2 merchants, those processing between one and six million transactions annually, will be required to use a PCI-approved auditor to complete an annual onsite data security assessment by Dec. 31, 2010.

MasterCard estimates that “fewer than 2,000 merchants will be directly affected by the revised rules” according to the report.

Friday, June 26, 2009

Just What Is the Cost of a Breach?

What is the cost of a breach to a retailer?

We get asked this question all the time. Putting a number on it is exceptionally hard, with so many variables coming into play. We expect that it is “a lot,” as TJX Companies found out this week.

The company, which owns the large-volume discount retailers T.J. Maxx and Marshalls, was the victim of perhaps the largest credit card breach disclosed by a retailer to date. This week it was announced that TJX has settled lawsuits with over 41 states. Back in January 2007, TJX disclosed that its systems had been hacked over a period of 18 months without its security team detecting the theft.

Under the terms of the settlement, the company has agreed to pay $9.75 million according to multiple reports.

SearchSecurity has a complete recap of the settlement here.

Tuesday, June 23, 2009

MasterCard Requires ‘Authorized’ QSA for Level 1 & 2 Merchants

MasterCard announced a new requirement for Level 1 and Level 2 merchants, mandating that these two groups use an authorized Qualified Security Assessor (QSA) to conduct their PCI DSS security assessment.

The requirement has a "due date" of December 31, 2010, meaning that each Level 1 and 2 merchant must have proof of compliance, filed by an authorized QSA, submitted by that date; it is not the date by which you would START working with a QSA.

Based on our experience validating PCI DSS compliance for Level 1 and Level 2 merchants over the past 5 years, achieving full compliance is not something to put off until sometime in 2010. Many large merchants required as much as 18+ months to get compliant, and not one finished in less than 10 months. Many of these merchants had already conducted their own internal PCI audit or completed SAQs and had felt pretty good about their compliance program.

Larger merchants should begin a program with an authorized QSA as soon as possible, no matter how compliant you ‘think’ you are. If your network and processes are in good shape, it could work out that you are done "early" for the MasterCard deadline, though chances are you will need the time to prepare for a compliant PCI DSS assessment.

Level 1 merchants are defined as those that store, transmit, or process more than 6 million MasterCard transactions/accounts per year and Level 2 are those that handle between 1 million and 6 million annually.

-Gary

Wednesday, June 17, 2009

Who oversees payment security?

A recent Visa-Economist poll of global executives was released at Visa’s Summit this spring. The report showed that over 75 percent of respondents said a C-level executive is now responsible for payment security within their company, a strong indicator that data security is being given more prominence in business.

Moving the charter of safeguarding data to the C-suite is a good start, and thanks to investment and innovative security solutions, “fraud rates in the credit card industry remain near all-time lows,” said Ellen Richey, Chief Enterprise Risk Officer, Visa Inc.

Richey goes on to note the real progress and inroads PCI has made, pointing to 90% of large U.S. merchants now validating compliance. In her talk she also details the Heartland breach, how vigilant PCI compliance can contribute to overall data security, and the state of data security in credit cards.

Good read…