January 4th, 2010
Many ISOs (Independent Sales Organizations) and MLSs (Merchant Level Salespeople) do not fully understand the initiative for enhanced PIN pad security, which is now managed by the PCI Security Standards Council (PCI SSC) under its PIN Transaction Security program. Usually it is not that merchants and those servicing their accounts don't want to comply; it is that they do not know where to start. The many terms and acronyms used to describe the process make it all the more confusing.
Compliance dates are approaching fast. In this article I will explain the basics of PCI PED compliance.
What’s the big deal?
Cyber thieves continuously target credit card data, but card data together with the PIN is the real gold mine. Why?
Counterfeiting credit cards and making purchases with them can provide a criminal with a decent living, but the PIN lets thieves drain the cardholder's bank account directly.
Criminals have developed new tools, such as memory-scraping malware, to capture consumers' PINs.
A Verizon Business webinar reported that a Russian criminal gang offers a key-cracking service for a fee: ship them a POS PED and they return its encryption keys within two days for $250,000, or your money back, according to a RetailPayments blog.
Key recovery on that time scale is hard to imagine, but demand and new tooling are driving such services at an alarming rate. This is exactly the attack the PED requirements are meant to resist: an approved device is built to detect physical tampering and erase its keys rather than give them up.
What is this all about?
The PED security requirements issued by Visa apply to all hardware that accepts PIN-entry card transactions, and they are designed to ensure the security of those transactions. A PED usually consists of a display, a keypad, a processor, storage, and firmware for PIN processing.
The PIN is protected because the device never outputs a clear-text PIN: the PIN is encrypted inside the device before it leaves it. A device that fully meets all the security requirements is far less likely to be modified or bugged in a way that would disclose PINs.
The security requirements also include guidelines for managing devices up to the point of the initial loading of the acquirer's secret encryption keys.
Device management covers manufacturing, key loading, delivery, and even storage. Throughout the device's life cycle, these guidelines are meant to reduce the chance of unauthorized modification of the device.
How has the PED security standard become enhanced?
The PED standard was restructured along with the PCI Data Security Standard. In 2004, Visa mandated that all POS PEDs support Triple DES and be approved directly by Visa. MasterCard and JCB then joined Visa to produce joint security and approval requirements.
In 2007 the PCI SSC took full responsibility for all PED requirements and for the PCI PED approval list.
What are the different kinds of PEDs?
-Unattended devices: Made for self-service situations, like pay-at-the-pump, ATMs, and kiosks.
-Attended devices: Sales clerk managed: retail stores, delis, etc.
-Hardware security modules: support various debit functions; not customer facing.
How do merchants comply with POS PED requirements?
Merchants must ensure that they are using PCI PED-approved PIN pads with their terminals. Devices that are not approved must be taken out of use by July 1, 2010, unless they have been upgraded to the new security standards.
You can check your device against one of two lists. Visa has a list of all approved devices, as does PCI SSC.
The lists can be found at:
www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
https://partnernetwork.visa.com/vpn/global/category.do?categoryId=19&documentId=33&userRegion=1
What is TDES with regard to PED security?
In addition to ensuring that all PIN devices are approved, Visa mandates that all devices be enabled for TDES by July 1, 2010. TDES (Triple DES) applies the DES cipher three times under two or three keys, which raises the effective key length well beyond the 56 bits of single DES, greatly strengthens the encryption, and reduces the risk of compromise by a brute-force attack.
Acquirers can be fined for merchants using non-compliant PIN devices beginning August 2012. Even though that seems far away, the July 1 mandate should not be ignored.
If a PIN compromise results in a data breach, the acquirer may not be covered by Visa's liability protection program and could be liable for the penalties associated with the breach.
Although acquirers will not be fined until 2012, Visa reserves the right to fine the merchant directly at any time.
How do merchants comply with TDES?
A merchant must determine whether the PIN pad in use is Triple DES capable. Most PIN pads purchased in the last five years support it.
If you already have a Triple DES capable PIN pad, you can arrange with your provider to have it injected with TDES keys.
Older devices were built to support only single DES. Those terminals must be replaced with new devices; an external PIN pad is another option.
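As an added example (not part of this article and not code from Visa, the PCI SSC, or any PED vendor), here is the PIN protection described above carried through end to end in Go, using only the standard library's crypto/des. The device forms an ISO 9564-1 Format 0 PIN block from the PIN and the card's PAN, encrypts that single 8-byte block under a two-key Triple DES PIN-encryption key, and only the encrypted block leaves the device; the host side (normally inside a hardware security module) decrypts it and recovers the PIN. The key TestPEK, the PAN and the PIN are constructed test values, and the function names are my own.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// TestPEK is a constructed two-key Triple DES PIN-encryption key (K1||K2) for this
// example only; a real PED gets its key by secure key injection and never exposes it.
var TestPEK, _ = hex.DecodeString("0123456789ABCDEFFEDCBA9876543210")

// allDigits reports whether s is a non-empty string of decimal digits.
func allDigits(s string) bool { return s != "" && strings.Trim(s, "0123456789") == "" }

// panField returns the 8-byte ISO 9564-1 PAN field: "0000" followed by the
// rightmost 12 digits of the PAN with the check digit excluded.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || !allDigits(pan) {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	noCheck := pan[:len(pan)-1]
	return hex.DecodeString("0000" + noCheck[len(noCheck)-12:])
}

// FormatZeroPinBlock builds an ISO 9564-1 Format 0 PIN block inside the PED: the PIN
// field ("0", length, digits, F-padded to 16 nibbles) XOR the PAN field. This is the
// last point at which the PIN exists in the clear.
func FormatZeroPinBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	panBytes, err := panField(pan)
	if err != nil {
		return nil, err
	}
	pinHex := fmt.Sprintf("0%X%s", len(pin), pin)
	pinBytes, _ := hex.DecodeString(pinHex + strings.Repeat("F", 16-len(pinHex)))
	block := make([]byte, des.BlockSize)
	for i := range block {
		block[i] = pinBytes[i] ^ panBytes[i]
	}
	return block, nil
}

// applyTDES runs one 8-byte block through two-key Triple DES (effective 112-bit key,
// against the 56 bits of the single DES older PIN pads used). crypto/des wants
// K1||K2||K3, so for two-key TDES the third key is K1 again.
func applyTDES(key, in []byte, decrypt bool) ([]byte, error) {
	if len(key) != 16 || len(in) != des.BlockSize {
		return nil, errors.New("need a 16-byte double-length key and an 8-byte block")
	}
	c, err := des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	if err != nil {
		return nil, err
	}
	out := make([]byte, des.BlockSize)
	if decrypt {
		c.Decrypt(out, in)
	} else {
		c.Encrypt(out, in)
	}
	return out, nil
}

// EncryptPinBlock is what leaves the PED (one ECB block under the PIN-encryption
// key); DecryptPinBlock is the host-side (HSM) inverse.
func EncryptPinBlock(key, clear []byte) ([]byte, error) { return applyTDES(key, clear, false) }
func DecryptPinBlock(key, enc []byte) ([]byte, error)   { return applyTDES(key, enc, true) }

// RecoverPin undoes the PAN XOR and reads the PIN out of a clear Format 0 block,
// rejecting blocks whose format nibble, length field or digits are invalid.
func RecoverPin(pan string, clear []byte) (string, error) {
	panBytes, err := panField(pan)
	if err != nil || len(clear) != des.BlockSize {
		return "", errors.New("bad PAN or PIN block")
	}
	field := make([]byte, des.BlockSize)
	for i := range field {
		field[i] = clear[i] ^ panBytes[i]
	}
	n := int(field[0] & 0x0F)
	if field[0]>>4 != 0 || n < 4 || n > 12 {
		return "", errors.New("not a valid Format 0 PIN block")
	}
	pin := hex.EncodeToString(field)[2 : 2+n]
	if !allDigits(pin) {
		return "", errors.New("PIN digits are not decimal")
	}
	return pin, nil
}

func main() {
	pan, pin := "4111111111111111", "1234" // constructed test values, not real card data
	clear, _ := FormatZeroPinBlock(pin, pan)
	enc, _ := EncryptPinBlock(TestPEK, clear)
	dec, _ := DecryptPinBlock(TestPEK, enc)
	got, _ := RecoverPin(pan, dec)
	fmt.Printf("clear %X -> encrypted %X -> host recovered PIN %s\n", clear, enc, got)
}
```

Two things are worth noticing when running it. An 8-byte single-DES key is rejected outright, which is the device-side equivalent of the "single DES is no longer acceptable" rule above, and the PAN is mixed into the block, so the same PIN on two different cards produces two different ciphertexts. How the key gets into the device in the first place (the "injection" the article refers to) is a key-management question and is deliberately outside this example.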
Start planning!
July 2010 is not that far away.

November 25th, 2009
On October 8, 2009, opponents of the interchange status quo had another chance to win support in Congress at a hearing before the US House Financial Services Committee. The hearing was held to take testimony on the Credit Card Interchange Fees Act of 2009, HR2382, and the Expedited CARD Reform for Consumers Act of 2009, HR3639. Rather than a serious attempt to address interchange legislation, the hearing seemed more of a formality with regard to HR2382.
During the hearing, Committee Chairman Barney Frank, D-Mass., made it clear that he did not want to enact legislation that would move up the implementation date of parts of the Credit Card Accountability, Responsibility and Disclosure Act of 2009.
The Credit CARD Act of 2009 established strict limits on how and when banks can raise rates on credit card holders. Those limits are scheduled to take effect in February 2010. Frank and many others want to move that date to December 2009, because many banks are raising rates now in a last-minute attempt to profit.
Legislation Consideration
Last week, Rep. Peter Welch, D-Vt., who introduced HR2382, appeared before the House Financial Services Committee and urged Congress to consider the struggles of small business owners. Kathy Miller, a constituent who owns a small country store in Elmore, Vermont, joined him at the witness table. She told the panel that interchange charges cause her to lose money on small purchases, and insisted that business owners “just can’t keep absorbing fees and survive through these tough economic times.”
The Credit Card Interchange Fees Act, drafted by Welch and cosponsored by a bipartisan group of 13 other House members, would let merchants impose a minimum purchase amount for credit card payments. Visa and MasterCard would be prohibited from charging different interchange rates for rewards cards, public disclosure of merchant agreements would be required, and the FTC would have oversight authority over the merchant acquiring space.

October 6th, 2009
Experts in the payment industry believe that lack of education and inaction are the two biggest obstacles to bringing Level 4 merchants into PCI DSS (Payment Card Industry Data Security Standard) compliance. Despite the efforts of ISOs and MLSs (Merchant Level Salespeople), most small and medium-sized merchants are still perplexed by the purpose and language of PCI compliance.
To address this, ControlScan Inc., a PCI security and solutions provider, the National Retail Federation, and PCI Knowledge Base, a research firm, released a report called What Small Merchants Know (And Don’t Know) About PCI Compliance. Level 4 merchants are those that process fewer than one million transactions a year, or fewer than 20,000 e-commerce transactions a year for web-based businesses. The report was based on a survey of 220 Level 4 merchants.
David Taylor, founder of PCI Knowledge Base, says that since PCI DSS was introduced in 2005, awareness has increased by 86 percent; however, a lack of understanding has kept many merchants from taking action and becoming PCI DSS compliant.
According to Taylor, many people he has spoken to do not believe PCI is worthwhile, and they do not believe that being PCI compliant makes them secure against a data breach. Payment security organizations are frustrated because the level of action and knowledge they are seeing is minimal. Awareness alone does not produce buy-in, a fact Taylor acknowledges.
According to the survey, 85 percent of breaches occur at small businesses, and 81 percent of breached businesses subject to PCI were not compliant at the time of the breach. The fines that follow a breach at a small business are far higher than the cost of upgrading terminal systems and getting certified: $5,000 to $25,000 for every month of noncompliance.
All three organizations offer the report on their websites at no charge. The survey's main goals were to gauge merchants' acceptance and understanding of PCI, their confidence in their PCI programs, the risks they face from a breach, and the money they spend on compliance.
Heather Varian Foster, Vice President of Marketing for ControlScan, voiced her concern: “My main worry is that these merchants think that they know more than they really do… they view PCI and security very high, but they don’t see how much risk they face, and that’s the dichotomy. And certainly through our partnership with the NRF and PCI Knowledge Base we are working to help educate all those involved.”
Foster went on to say that when merchants express their thoughts on PCI compliance, they are willingly opening the door to PCI services and products. She stated: “Most Level 4 merchants’ compliance rates are very low, so I think this is huge progress and something we can use as a platform to help them fine tune what they need to know and provide better service and instruction as an industry to keep them from being a statistic.” She believes merchants are asking for assistance and guidance in securing their businesses without it becoming overwhelming.
According to Foster, helping merchants complete the Self-Assessment Questionnaire and explaining the requirements in plain terms, so that merchants understand what PCI compliance entails, opens the way for ISOs and MLSs to take the initiative in administering PCI compliance programs. Merchants want to be informed, and they want their service providers to be their first resource.
On PCI education, Foster added: “There really has to be specific training, so what we’ve done through this partnership is to really drill down and target a focused education program so those ISOs and acquirers can position their PCI service as a value that ties to that level of support and have the opportunity to really distinguish themselves.”
Many ISOs are starting to include PCI in their product development process. Getting PCI beyond a check-the-box approach may be a challenge, but there are ways to do it, and with the help of the NRF and PCI Knowledge Base the process has been made as simple as possible.

October 6th, 2009
According to the third edition of The North American Market for 3rd Party Payroll, Payment & Healthcare Transaction Processing, a report published by Packaged Facts, a research firm and part of Market Research Group LLC, the third-party processing market grew by more than 11 percent in 2008, to $61.9 billion. By 2013 it is expected to grow by another 57 percent.
According to the report, back-office tasks such as customer service, records management, accounts payable and receivable, payroll, transaction processing, human resources, and accounting are being contracted to third-party services. To boost business, many major third-party processors are offering mobile transactions and human resources outsourcing, among other new offerings.
The report focused on three sectors of data and payment transaction outsourcing: payroll, electronic, and healthcare transaction processing. Tatjana Meerman, publisher of Packaged Facts, says: “The drive for healthcare reform is helping to train public attention on using technology to streamline healthcare for patients and providers, a shift that won’t come overnight, but is likely.”

August 31st, 2009
Network Solutions Security Breach
Network Solutions recently suffered a security breach that led to the theft of more than half a million people's credit card data. The data was taken from the e-commerce websites hosted by the company, and the affected accounts belonged to the customers of its e-commerce merchants.
Here is a quick overview:
1. On July 24, 2009, Network Solutions notified over 4,300 of its 10,000 e-commerce merchants of the breach.
2. The breach affects 573,938 cardholders whose credit card numbers, names and addresses were exposed between March 12 and June 8.
3. Susan Wade, a spokeswoman for Network Solutions, said unidentified code was found on servers hosting e-commerce clients' sites during routine maintenance in June; how the code got into the system is not known.
4. Network Solutions' other lines of business, including email hosting, online marketing, and domain registration, were not affected by the breach.
On July 13, Network Solutions brought in a forensics company to investigate. The firm decoded part of the code and determined that it could be related to credit card data, Wade said. “So we notified law enforcement and began the process of notifying our customers,” Wade said. “At this point, we don’t have a reason to believe that (the data) has been used, but we are working with the credit card companies,” nonetheless.
Network Solutions says it is PCI compliant, and Wade also had this to say: “We store credit card data in an encrypted manner, and we are PCI (Payment Card Industry)-compliant. Unfortunately, any company operating in our business could have become a victim of this type of invasion,” the company said in a blog post on its customer information website. “In this situation, the unauthorized code appears to have transmitted information about credit card transactions as they were being completed; it did not involve a vulnerability in the way we store data in our systems.” The point to note is that encrypting stored data does not protect data that is captured while a transaction is being processed, before it is ever written to storage.
This is the second intrusion Network Solutions has experienced this year, and the largest security breach since the Heartland Payment Systems breach. Network Solutions feels “terribly bad about this,” according to Wade, so affected customers will receive twelve months of free credit monitoring from the company.

July 30th, 2009
We are facing economic challenges that no one has experienced before. The news offers small pieces of hope but mostly goes from bad to worse. Many businesses are plagued by fear that they will not survive.
Top companies that never had to worry are now scrambling to survive. Economists are troubled, and the marketing departments of many companies are more worried about their own jobs than about the well-being of the company. As professionals, how do we find a way to grow our business?
Here are 10 tips to help you navigate today's frigid business conditions.
1: Understand the terrain
Wikipedia defines trench warfare as “forms of warfare where both combatants have fortified positions, and fighting lines are static.” The key word is static. By recognizing and dealing with the fact that businesses have hunkered down, you can begin to plan the path that will move your business forward.
2: Recognize early progress could be agonizingly slow
In World War I, advances were measured in feet or sometimes inches. In today's economy we measure the same way. Everything may seem to be happening at a slow pace, so build a reduced pace of progress into your business plan. Sustainable success is best achieved through a series of small victories.
3: Lose the fear
A good salesperson knows that fear is a strong motivator, and that it has to be kept under control; left unchecked, fear leads to distress or high anxiety. Your success will be determined not only by how you deal with these fears but by how you talk about them with your customers, clients and competitors. As you focus on your immediate plan of action, your sense of fear will begin to decline.
4: Be different
A common saying goes something like this: doing the same thing over and over and expecting a different outcome is the definition of insanity. It is also true that what worked well in the past may not work in today's economic climate. Take serious steps to change your approach. Breaking from the mold will make you look at your business from a new and different perspective.
5: Be a puzzle solver
Treat your business like a puzzle to be solved, much like a crossword, adding one new word at a time. Writing down specific difficulties, and then writing down possible solutions, can lead to unexpected and creative results.
6: Tell your story
Whether the story is about you and your business or about a client, it needs to be told. One effective way to get stories out is creative public relations. PR does not have to cost much, and PR companies are feeling the slowdown like everyone else and are looking for new clients as never before.
Using professional services on a project basis can give your business greater exposure at little expense, and a well-timed release can pay off handsomely.
7: Make technology work for you
Email marketing is a proven way to get your message to your target audience. Every business, including yours, has an email database of clients, friends and customers. There are numerous ways to use it, including email blasts and even video emails, which many people prefer.
Many companies rent email lists to reach specific businesses or customers and so reach a larger audience. Avoid bulk email lists, however; they are usually associated with spam. Used creatively, email can be a great way to promote your business.
8: Use direct mail
Even though postal costs are rising, direct mail is still a good way to get your message to a large audience. Some companies offer good mailing lists at low cost. Remember that when you do a bulk mailing, the response will almost always be a small percentage of the pieces mailed.
9: Know your competition better than they know you
Knowing your competition is especially important today. Your competitors face the same economic concerns you do, and you should be aware of how they are dealing with them. Simply by observing your competition you can learn from them and adapt what you see to your own business.
10: Do your homework
You have the greatest research tool ever invented at your fingertips: the internet. Use it to your advantage. Spend part of each business day doing research online, and you will stay on top of many things related to your business.
You will also learn about new technology, products and other information that can give your business the upper hand. Researching historical information online will give you better insight into how to improve your business.
Today's economy is tough and there is no single way out, but these tips will help you build a better business. Keep at it, and people will soon be asking you for tips and advice!

July 29th, 2009
The PCI (Payment Card Industry) DSS (Data Security Standard) is a new reality for small merchants and their service providers. Many processors and ISOs now have to ask how to execute on PCI rather than what PCI is. The right answers lead to an approach that helps ISOs avoid needless cost while minimizing the risk to their portfolios.
These seven steps will help you build an effective, practical PCI program for yourself and for your merchant customers.
Step One: Realize your merchants need assistance, not just audits.
Small merchants often face considerable obstacles to PCI success. Simply pushing the PCI burden onto the merchants in your portfolio is not enough; unless their ISOs find ways to lower those obstacles, addressing PCI will produce little more than frustration all around. Many merchants are already struggling with poorly designed PCI programs.
One common cause of ineffective programs is that smaller merchants have no internal resources to draw on for PCI compliance and no means to hire a consultant.
Without someone to give these merchants the knowledge they need and walk them through the PCI process, any program will just upset them.
Step two: Keep moving forward
To succeed, a PCI program must be part of everyday business, not a project to be finished by a certain date. Create a program that engages merchants continuously, or find a security company to partner with that will do this for you.
Step Three: Create a structured program
Security is a never-ending process, but you still have to show your merchants progress. Feeling that they will never get anywhere regardless of effort is discouraging for anyone, so keep your merchants up to date.
Make sure your program has an understandable structure and communicate it to your merchants. Let them know what progress they have made toward PCI compliance and where they are going next.
Step four: Make it active, not passive
The PCI DSS is not just about putting merchants through an assessment; it is about fixing the problems the assessment reveals.
Many vendors do only the easiest part, the passive assessment phase, which takes merchants halfway and then abandons partners and customers. Make sure your PCI program gives merchants the answers they need to fix the problems.
Step five: Support them, but be smart about it
A support program is essential to small merchants' understanding of PCI. But a poorly designed program will only create a huge support load and drain your time and finances.
Getting things right up front with a structured program minimizes the support load. Giving merchants the help they really need limits the support calls that might otherwise overwhelm you. Too many merchants today are not helped enough, and the result is a wave of support demands and unnecessary cost.
Step six: Learn from your PCI program
Bringing a portfolio of merchants into PCI compliance can be hard, but it is also an opportunity to learn more and to build loyalty and real value in those relationships. You will be better at deciding what to do next, and you will know where the weaknesses are, what is working and what isn't.
Remember that the process needs to be set up correctly from day one. Simply sending assessment questionnaires to your merchants will not gather any useful information. Get the right information from the very beginning and use it to make your merchants and yourself smarter in the long run.
Step Seven: Make it revenue-positive
Done correctly, a PCI program doesn't have to cost you anything; it can actually generate revenue. You never want to stick your merchants with outlandish prices, but the right program delivers the needed result at low cost, which makes it possible to charge a modest monthly fee and still make a reasonable profit.
The industry is already moving in the right direction by charging mandatory monthly PCI fees. As long as the price is controlled, processors and ISOs don't have to worry about being at a competitive disadvantage.
Done right, you can have a program that reduces your legal and financial exposure, improves security for merchants and their customers, builds your relationship with the merchants in your portfolio, and is a profit stream rather than a financial burden.

June 15th, 2009
Given the economy, money is tight and everyone is cutting expenses. We eat in more and skip trips to the cleaners; hard times bring people back to basics. In such an economy we have to review expenses and look for ways to trim the budget. For the people actually processing transactions, an imprinter and sales slips are among those basics. Many people ask why imprinters and sales slips matter to merchants. The answer is simple: a lot of chargebacks could be avoided if merchants had imprinters at all their locations and knew how and when to use them.
A painful truth
Here is a true story that proves the point. A hotel at a major resort is now fighting an illegitimate $1,400 chargeback with nothing to back up its claim. The cardholder and his wife checked in for a weekend that included expensive dinners, spa visits, everything one could ask for in a relaxing getaway.
The hotel clerk had to key in the account information because the magnetic stripe could not be read. The cardholder signed the check-in sheet and went off to enjoy his weekend. All the other charges on the account were signed for by the wife. After leaving the resort, the cardholder disputed the $1,400 charge.
The hotel had no card imprint and no entry of the CVV (card verification value) on the keyed transaction. The signature on the check-in sheet was illegible, and every other charge had been signed by the cardholder's wife. Worse, neither could be identified on the check-in video: the wife was out of frame and the cardholder never showed his face.
This would have had a simple outcome if the hotel had taken an imprint of the card and had its terminal prompt for the CVV on the keyed entry. The hotel did have one imprinter, but it had been broken for some time and no one had followed through on getting it fixed. One card brand rule has been unchanged for years and years: when requested, the merchant must provide a legible copy of the imprint of the card.
Merchant Safeguards
Merchants must use every option they have to protect their rights, and the economy makes that more important than ever, because fraud increases in hard times. Some CardWare clients are making a big mistake: they are removing the imprinter plate from their kits because they consider it unnecessary.
If processors fail to provide merchants with imprinters, merchants could hold the processors responsible for chargebacks lost for lack of an imprint. An imprinter has one job: to prove that the card was present at the transaction.
MLS protection
Ask merchants to show you their imprinters, and don't shortchange your sale by leaving the imprinter out. As an MLS, don't let your processor expose you to possible lawsuits because your merchants weren't given the right equipment to protect themselves.
Providing an imprinter is the right thing to do. You wouldn't send a new merchant a printer without the terminal, would you? Of course not. So do yourself a favor, provide an imprinter, and avoid the many hassles that come with not having one.

May 29th, 2009
Budget cuts are happening everywhere. As profits decrease, retailers and the organizations that support them are doing everything they can to lessen expenses. In these harsh economic times businesses can gain some control over how much they spend by cutting expenses for everything from utilities to insurance. In the spectrum of payments, merchants can cut costs in several ways — including encouraging PIN debit for payments, and putting all store activities on one single broadband network. Technological advancements make it possible for any organization that supports merchants to reduce support-related costs. Understanding these options will put the organization in a better position to deliver better support using fewer resources.
Support teams, whether at the merchant or ISO/processor level are typically overtaxed. Merchants still require and expect the same amount of support even though staff is being eliminated. How can this support still be delivered? One successful move is to put tools in the hands of the user, enabling them to find out things for themselves.
There has been a major growth in online network management tools. With that growth has come an opportunity for ISOs. Web-based management and reporting suites allow you to provide your merchant the tools for finding their own answers. Usually, when the merchant has a problem there is no data available to help figure out the issue at hand. The merchant has no choice but to call the ISO, dealer, or processor. It happens too many times where the merchant is forced to call all three, while at the same time they each blame the problem on the other. Merchants that monitor and track all their transactions as well as their status in the network can address some of their own support issues. They can even provide valuable information to the help desk that will help narrow down the problem. The merchant can often view transactions by card type, date and time, and see unsettled batches in order to fix mistakes. Tools like these will reduce support calls and will give the merchant valuable information on all their transactions. For ISOs, tools like these reduce the amount of merchants as they become more and more dependent on the data in order to operate their business successfully.
ISOs can also take advantage of management tools that help them deliver support services. With remote access available to POS devices and networks, onsite visits are no longer needed. The ISOs now have greater control over payment devices. They can perform administrative tasks for the merchant, such as configuration changes and routing to different processors —things, until now, they were not able to do. If support is going to be available around the clock there are tools that make merchant data available with just one button of the keyboard. Fingerprinting of suppliers will no longer be needed. All data will be accessible and all problems will be addressed and resolved so quickly that most merchants won’t even know the problem even existed. The amount of time networks are up is put to the max with the use of network management tools. Alerts can be delivered by email or pager as soon as trouble is detected. With uptime being so important for merchants, the ability to short-circuit the support process is of no importance. Maximizing uptime will make loyalty grow and revenue recur.
In this day and age most businesses, if not all, are online in some way. More and more, companies are building online services for their product or service to reduce support calls for themselves and by making important information easily available and accessible to their customers. The strategy does work. One web hosting company went and compared two web hosts. One of the web hosts had online tools while the other did not. A 20-40% decrease was seen in incoming support issues with the web host that used online tools and data. With computers and the internet being available in almost every store environment business owners expect information to be at their fingertips. With a question as basic as “how do I configure this terminal to do x?” there is no excuse for the user having to wait forever for the answer. It is very frustrating for consumers to search for a simple piece of information on a product and find it unavailable, or find that they will need to follow some crazy complicated steps before they even come close to an answer. There are simple, inexpensive ways to provide this information to your customers 24/7. The perfect forum for support data is a Wiki. It is an interactive website that is designed to allow a group of users to edit and contribute content by their web browser. Thousands of agencies and private organizations use Wikis today, from Fortune 500 companies to political figures, to sports organizations. Wiki comes from the Hawaiian word for “fast,” which is exactly what customers expect when they want answers to their questions. A Wiki is simple and easy to set up. Google “setting up a wiki” and you will find downloadable wiki applications, even ones that won’t charge you. Wikis are easy to add especially if you already have a website. An important point when using a Wiki is that it needs to be loaded with important, helpful information and be updated often. 
Start with a list of Frequently Asked Questions (FAQs) and open your wiki to questions and feedback from customers. Your wiki will soon fill with new documents, graphics and information that target the specific needs of your customers. Pair the Wiki with an RSS feed so your customers receive update alerts and return to view new material.
When it comes to support, especially in hard economic times like these, self-help tools can be life-savers for your customers. You can save them hours of frustration and eliminate unneeded calls. You benefit too, by being able to focus your support resources where they are really needed.

May 23rd, 2009
The payment card industry experienced its first major public compromise of cardholder data in 2003. It was the result of a basic network-layer attack against an improperly configured firewall. This began to force card companies to comply with the many data security programs. Since 2003 the industry has evolved, as has the Payment Card Industry Data Security Standard, but unfortunately so have the data criminals. Many companies are presently fighting attacks from highly sophisticated and motivated criminals.
Below is a timeline of how these criminals have adapted to the security changes as the years go on.
6 Years Ago
The attack was basic. A U.S. payment processor was compromised as a result of an improperly configured firewall, in what is also referred to as a basic network-layer attack.
4 Years Ago
A data thief posed as a customer, and a U.S. data aggregator failed to recognize him as a thief. He walked away with thousands upon thousands of client records containing personally identifiable information. This kind of attack is known as an "old-school" social engineering attack.
2-4 Years Ago
Hackers in Thailand placed taps on phone lines to seize information being sent for authorization. This is not an uncommon method of attack in the Middle East and Asia.
2 Years Ago
A major retailer was compromised using malicious software.
Last Year
A major supermarket chain was compromised using malicious software.
Those were just a few examples of how thieves are adapting their tactics to recent security changes and standards. Back in 2003 many of the attacks were simple and intended to take advantage of networks and unencrypted data. Companies weren't encrypting data yet, so this was a huge and valuable win for the criminals. More companies have since complied with the security steps required to make certain that the data is not retained. In return, the thieves have to continuously change their tactics to retrieve the data they need.
More and more of these data thieves are trying to capture sensitive data with malicious software while it is being sent for authorization, which increases their chances of obtaining it.
Trojans and wireless attacks have also begun to play a big role within the payment card industry. The impact of external attacks on the payment card industry is huge: one analysis attributed 73% of breaches to external sources, with 31% of breaches involving malicious software.
As time goes on, technology advances with it. The payment card industry is always going to have to stay one step ahead of these thieves. Only time will tell whether it can build security programs sophisticated enough that these thieves can't get through.
