Mitigating Point-of-Sale Security Risks

Chase Paymentech Highlights Compliance Efforts

By , January 17, 2013.
The security of the payments chain requires strategic planning and ongoing cooperation between merchants and their business partners, says David Wallace, who oversees merchant security compliance for Chase Paymentech, a merchant acquirer.

Compliance with security mandates, such as the Payment Card Industry Data Security Standard, cannot fall solely on the shoulders of merchants, he says. Merchant vendors and others have roles to play as well.

"As an acquirer, our success is inextricably linked to our merchants and our business partners who service them," says Wallace in an interview with BankInfoSecurity [transcript below].

"Less risk for merchants means less risk for us," he says. "We add value to our merchant relationships by playing an active role in helping reduce their risk by achieving and maintaining PCI compliance."

One of the greatest concerns in merchant security now is improperly installed or configured point-of-sale applications and devices, Wallace says, "particularly where third parties or remote access is used."

It's a worry shared by the PCI Security Standards Council. In August, the council launched a new training program aimed at POS installers and integrators (see: PCI: New Approach to Merchant Security).

"[The program] provides training and qualification to ensure integrators and resellers have the expertise required to install and maintain applications in a secure manner," Wallace says.

"The QIR program is a direct response to what forensics investigators are seeing in the field," he adds. "It holds QIRs accountable for installing and configuring applications to facilitate their customer's PCI compliance via built-in quality assurance components."

During this interview, Wallace discusses:

  • Why no single product, service or best practice renders a business secure;
  • Why franchises and merchants in the hospitality space are often the most vulnerable;
  • How the new PCI POS integrators and installers program is being rolled out in a way that's easy for merchants.

Before joining Chase Paymentech, Wallace was an independent IT consultant specializing in security architecture and strategy. With 30 years of experience in the information technology industry, Wallace gained experience serving in information security management roles with companies such as NationsBank, Sabre Holdings/Travelocity, Pilgrim's Pride and Perot Systems. He holds several industry certifications, including credentials for being a Certified Information Systems Security Professional, Certified Information Security Manager and Certified Information Systems Auditor.

POS System Security

TRACY KITTEN: How is Chase Paymentech involved with this new PCI program?

DAVID WALLACE: Chase Paymentech is a Payment Card Industry Security Standard Council participating organization and has been since the council was founded. We're a charter member of the PCI-SSC board of advisors and we continue to serve in that role today, helping to educate and protect our customers in our industry. We strongly advocate merchant adoption of standards-based information security programs that include compliance with the PCI-DSS and all applicable payment brand cardholder data security program rules. We were involved in the QIR program from the outset as a member of the council's taskforce, and as an acquirer we see multiple areas of value to our merchants and our industry. We see participation as a market differentiator, providing competitive advantage to QIRs who train and certify through the program, and we see the advantages associated with our merchants having access to trained and accredited professionals who can help them achieve higher degrees of protection against an increasingly opportunistic, organized and technically sophisticated criminal threat.

KITTEN: What can you tell us about the merchants that you serve and the types of programs that you oversee?

Follow Jeffrey Roman on Twitter: @gen_sec
