Over the past year, First Data, the largest payments processor in the U.S., has seen an uptick in "trolling" - hackers sniffing networks for remote access into point-of-sale systems that are open or loosely protected.
The targets: Smaller merchants, those categorized by Visa as Level 4. These merchants process fewer than 1 million transactions per year and account for 32 percent of Visa's U.S. transactions. They also are largely non-compliant with the Payment Card Industry Data Security Standard.
The risk, says John Graham, vice president of global information assurance and risk at First Data Corp., is that because these smaller merchants are not PCI compliant, they are vulnerable to breaches of credit and debit card data. "Over the last 12 months or so, trolling has really become prevalent," Graham says.
So, too, have breaches. Erik Rasmussen, a special agent within the Cyber Intelligence Section of the U.S. Secret Service's Criminal Investigative Division, says most card fraud incidents today stem from POS hacks. "The No.1 way criminals are getting in is through remote access to the backhouse server," Rasmussen said during a recent RSA Conference presentation.
The onus, then, is on processors and banking institutions to educate these merchants on the risks, as well as PCI compliance. But education, experts says, is an uphill battle.
"Level 4 merchants are a huge hole," says Anton Chuvakin, a PCI expert and Gartner analyst. "I've met more than a few that don't even know PCI exists."
Graham agrees. "If you go to a small merchant and ask if they know what PCI is, most will just look at you," he says. "That's a big area of interest to us. We want to be sure they understand PCI and the need for compliance."
Level 4 RisksPayment card risks have gained greater visibility since the Global Payments data breach of an estimated 1.5 million payment cards was announced on March 30.
But in a March 2 presentation at RSA, Rasmussen of the Secret Service described the ubiquity of POS attacks against small merchants - typically involving malware implanted by the hackers. Nearly half of the card breaches investigated by the Secret Service involve malware, and the retail, food and beverage, and hospitality sectors are the most vulnerable. "Once the hackers get into the system, it's all become too easy for them," Rasmussen said.
Pointing to the $20 million card breach that recently hit 100 Subway locations and exposed 100,000 cardholders, Rasmussen described how easy it was for four Romanians to tap Subway's network and exploit the system for more than a year before striking.
"Payments systems attacks are not going away," Rasmussen said. "In fact, we expect them to grow, as more payments options, through PayPal and Google, for instance, hit the market."
The challenge: Until recently, few small merchants needed to comply with PCI. Most relied on dial-up POS connectivity. Because their POS systems were not IP-connected and stored no card data, they posed no risk of being hacked.
But as more Level 4 merchants upgrade their technology and integrate their systems, they open their networks to common Internet threats - hence the need to comply with the PCI-DSS.
Yet, few small merchants understand the risks.
It's a known problem, even among the card brands. Both Visa and MasterCard , on their U.S. lists of PCI-DSS compliant merchants, note compliance among Level 4 merchants is an unknown. Because Level 4 merchants are not required to undergo compliance audits by qualified security assessors, the card brands take it on faith that these merchants conduct self-assessments.
It's a dicey way to handle card security, says First Data's Graham.
Payments processors such as First Data have taken the lead on helping Level 4 merchants secure their transactions.
In 2010, First Data released TransArmor, a tokenization product created with RSA for Level 4 merchants. TransArmor tokenizes the card number at the POS. If the system is hacked, the token is meaningless to the fraudster.
Heartland Payments System, after suffering its own breach in 2009, exposing an estimated 130 million debit and credit accounts, launched a similar product. E3 is an end-to-end encryption solution for Heartland-connected merchants. It encrypts card data from the swipe at the POS through the processing of the transaction on the Heartland network.
The site briefly explains PCI compliance and offers vendor contact information for Level 4 merchants interested in PCI audits. If hired, the vendors would:
- Evaluate the extent of a Level 4 merchant's PCI-DSS validation requirements;
- Assist the merchant in obtaining full compliance, which will include the completion of a self-assessment questionnaire.
What Banks Can Do
Like processors, most acquiring banks offer programs to help merchants attain and maintain PCI compliance. Gartner's Chuvakin says banks and processors have incentive to hold Level 4 merchants accountable.
"Some say the only way to help these guys is to give them a terminal that never stores the data; it just goes directly to the processor," Chuvakin says. "Removing their environment out of PCI scope might be the only way. The best way to protect the data is just not to have it in the first place."
Some institutions are proactive in their education efforts.
Wells Fargo, as part of its Merchant Services offers, lists PCI standards and frequently asked questions on its website.
In the FAQs, Wells Fargo highlights Internet-connected systems and the risks they pose for merchants, especially Level 4 merchants that may be considered "high risk."
"An Internet protocol (IP)-based POS environment is one in which transactions are stored, processed, or transmitted on IP-based systems, or systems communicating via TCP/IP," the site says. "If a Level 4 merchant is deemed to be a "High Risk" merchant by Wells Fargo, they are required to validate compliance with the PCI Data Security Standards. Wells Fargo will contact Level 4 "High Risk" merchants to discuss next steps."
But Chuvakin warns banks cannot push the risks or the message too hard.
"To motivate these merchants to comply, banks have to hammer down," he says. "But when they do that, they run the risk of the merchants picking up and leaving. They'll change banks and go somewhere that has less diligent processes."