Eduardo Perez, Visa's senior vice president of payment system risk, says one of the key merchant vulnerabilities his company is most concerned about is weak remote-access controls for point-of-sale systems and devices.
Visa recently partnered with the Financial Services Information Sharing and Analysis Center to offer guidance about addressing cybersecurity concerns related to point-of-sale providers and resellers, which often cater to smaller merchants, Perez explains in an interview with Information Security Media Group (see FS-ISAC: Remote-Access Attack Alert). Perez will be the keynote speaker at ISMG's Fraud Summit San Francisco on Sept. 15.
"Cyber hackers have been targeting POS resellers recently to gain access to merchant systems, typically through weak remote-access controls, including weak passwords or the use of default passwords that can be compromised, and/or shared passwords that sometimes are used by these integrators and resellers," he says.
Risks related to third parties have been a growing concern for the payments industry, Perez notes (see Denver POS Service Provider Breached). That's why merchants need to ensure that they are working with vendors that meet high standards for protecting their systems, Perez says.
Merchants also can find additional information about cardholder information security at the website for Visa's Cardholder Information Security Program, Perez adds.
"We're taking a number of actions to help merchants mitigate the potential of being breached," he says. "We've been working with our partners and our acquirers in the industry, along with other industry groups, to alert them of common deficiencies or vulnerabilities that hackers and organized crime are looking to take advantage of."
Perez also points out that Visa is educating merchants about how EMV will dramatically improve card security.
"The EMV chip generates a one-time code for each transaction," he says. "So if that information is compromised by hackers, they can't use it to conduct counterfeit fraud" (see Dynamic Authentication and Card Security).
During this interview, Perez also discusses:
- How tokenization, end-to-end encryption and network security can complement EMV;
- How Visa works with law enforcement to investigate card breaches; and
- Topics he plans to touch on during his keynote presentation at September's Fraud Summit.
Perez has been with Visa since 2002 and currently leads the card brand's risk strategy and payment system cybersecurity teams. He oversees the evolution of Visa's risk strategy and execution of the card brand's payment system cybersecurity programs. His group has developed and executed industry risk and authentication initiatives to eliminate, protect and devalue sensitive payment data and promote the long-term integrity of the payment system. Before joining Visa, Perez was with the Federal Reserve Bank of San Francisco's Division of Banking Supervision and Regulation, where he held various positions.