Breach Notification , Card Not Present Fraud , Incident & Breach Response

Denver POS Service Provider Breached

Third-Party Breach Highlights Risks to Small Merchants
Denver POS Service Provider Breached

Denver-based managed services provider Service Systems Associates has reported a breach that likely affected about 12 of the payments systems it operates for gifts shops at its clients, which include zoos, museums and parks across the country.

See Also: Effective Communication Is Key to Successful Cybersecurity

The incident is yet another example of the growing POS risks associated with third-party managed services providers, as highlighted in this week's cybersecurity alert from the Financial Services Information Sharing and Analysis Center and others.

In a July 8 statement posted to its site and Facebook page about the breach, Service Systems Associates says debit and credit purchases made between March 23 and June 25 in gift shops that it manages for several U.S. clients may have been compromised by a point-of-sale malware attack that infected its system.

"As soon as we learned about the attack, SSA began working with law enforcement officials and a third-party forensics investigator, Sikich, to investigate the breach," SSA states. "Though the investigation into this attack continues, the malware that caused the breach was identified and removed. All visitors should feel confident using credit or debit cards anywhere in these facilities. SSA is also taking several steps to improve its security and prevent future attacks."

Impact of Breach Unkown

SSA spokeswoman Kara Hamstra tells Information Security Media Group that the company is not yet revealing the number of cards and locations that may have been affected. Whether some of the locations share one of the dozen payments systems infected with the malware was not noted in SSA's statement, and Hamstra was not able to offer additional details.

SSA's clients, according to its website, include the History Colorado Center, the Detroit Zoo, the Cincinnati Zoo, the Cincinnati Museum Center, the Minnesota Zoo, Oklahoma's Tulsa Zoo, the Denver Zoo, the California's Monterey Bay Aquarium, Kentucky's Louisville Zoo, the Dallas Zoo, Zoo Miami, the Nashville Zoo, the Pittsburgh Zoo, the Honolulu Zoo, New York's Buffalo Zoo and New Mexico's Albuquerque Bio Park.

Several card-issuing institutions contacted by ISMG say they are not aware of any fraud related to cards that may have been compromised in the SSA breach. However, all point out that tracing fraud back to a third party that provides outsourced or managed payment services is difficult.

"The POS software vendor is not visible to the issuer, so it is difficult to recognize the commonality of the point of purchase," says one executive with a leading issuer on the West Coast, who asked not to be named.

Risks to Smaller Merchants

Charles Bretz, director of payment risk at the FS-ISAC, notes that smaller merchants are at greatest risk of breaches involving managed services providers because they commonly use these vendors for payments processing and POS management.

"Criminals continue to find success by targeting smaller retailers that use common IT and payments systems," Bretz explains in a recent interview with ISMG. "Merchants in industry verticals use managed service provider systems. There might be 100 merchants that use a managed service provider that provides IT and payment services for their business."


About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.com, you agree to our use of cookies.