A grassroots campaign is under way to educate payment-application resellers and integrators about data-security best practices. Will costs prove to be a barrier?
Data breaches at small merchants may not grab the headlines that hacks at huge chains such as Target Corp. do, but make no mistake, small merchants are just as ripe a target for data thieves.
The vulnerability for a small merchant lies in Internet-facing payment systems integrated into the merchant’s software platform, which houses its business applications.
While integrators and resellers of payment applications are supposed to make certain a merchant’s payment application is compliant with the Payment Card Industry data-security standard (PCI), they don’t always do so, according to data-security experts. When resellers and integrators do take the time to make sure the payment application is PCI-compliant, they often leave the task of network security to the merchant.
Since most Mom-and-Pop merchants lack the technical knowledge or resources to secure their network, they typically forgo security controls such as firewalls so that employees can reach the network unimpeded from remote locations. Small merchants will even overlook such basic security controls as password management and two-factor user authentication.
Such oversights, data-security experts say, open the door for criminals to breach a merchant’s network and gain immediate access to payment applications. They do this by stealing employee credentials, such as user names and static passwords, through malware attacks. Once inside the merchant’s network, criminals have a direct path to the payment application and can plunder the customer data within it at will.
“We are seeing more targeted attacks aimed at merchants’ payment applications,” says Troy Leach, chief technology officer for the Wakefield, Mass.-based PCI Security Standards Council, the organization set up by the payments networks to administer PCI. “Many of the breaches come from improper installation of payment applications.”
To address the problem, the Council has developed a certification program for payment-application resellers and integrators to ensure a secure connection between a merchant’s payment application and its software platform. Upon completion of the program, which was updated in September 2015, integrators and resellers are certified as Qualified Integrators and Resellers (QIRs), and can use that designation to market their service to merchants.
The Council sees resellers and integrators as the conduit for data security to small merchants because of the close relationship between the two groups. “Level 4 merchants are very reliant on QIRs,” says Leach. “Our goal is to train QIRs to protect merchants from data breaches.” In the Visa system, Level 4 merchants process fewer than 20,000 e-commerce transactions, or fewer than 1 million transactions overall, each year.
Impressing the need upon resellers and integrators to educate merchants about network security is an important step, says Mike Seymour, president of Postec Inc., an Atlanta-based reseller of payment and security applications, because most merchants do not understand how far their security obligation extends.
“A reseller may do something for the merchant around network security or it may not,” says Seymour. “Level 4 merchants need a clear understanding of the importance of firewalls and password management and that it may be up to them to address those issues.”
As part of its QIR certification program, the PCI Council trains resellers and integrators about the need to educate merchants to activate all necessary security controls within the payment application, as these controls do not necessarily turn on automatically upon installation.
Installing firewalls is another practice the QIR program stresses, as some merchants will disable them to make remote access easier. Or, merchants will keep their firewalls intact and install a remote-access program. A common mistake is that the merchant will leave the remote-access program running at all times, which gives criminals a pathway into the merchant’s network.
“A simple solution is to turn off the remote-access program when not in use,” Chuck Danner, vice president of integrated payments for Cincinnati-based processor Vantiv Inc., says by email.
Vantiv has provided financial and QIR-certification preparatory assistance to 67 third-party partners that have become QIR-certified. “Vantiv is working with our partners to integrate security into the sales dialogue and promote to (their clients) the responsibility and advantages of using partners who have achieved the QIR program certification,” Danner says.
Other best practices include limiting employee access to the payment application and requiring two-factor authentication to access not just the payment application, but the merchant’s own software platform.
“QIR training is intended to help QIRs understand how to segment the payment application from the rest of the merchant’s network and limit application access to only those users that need it,” says Leach.
As of mid-March, 108 QIRs were listed on the PCI Council’s Web site and several hundred more companies were in the process of becoming certified. Across the listed QIRs, more than 200 employees have completed the QIR training and exam.
As of March 31, Visa Inc., which is partnering with the PCI Council to get integrators and resellers QIR-certified, mandated that acquirers make sure all Level 4 merchants use certified QIR companies by Jan. 31, 2017. Level 4 merchants include owner-operated locations of franchise or corporate organizations, according to Visa’s Web site.
While QIRs’ training is primarily focused on helping merchants secure their networks, Visa is also stressing to acquirers and processors the need for resellers and integrators to secure their remote connections to merchants for providing software upgrades and troubleshooting.
Failure to secure these connections can provide an opportunity for criminals to breach a reseller’s network and steal the default password for its payment application. Criminals can then use the direct connection between the reseller and its customers to hack a merchant’s payment application using the default password.
“Criminals are exploiting the remote access resellers and integrators have to merchants’ payment applications,” says Eduardo Perez, senior vice president for payment system risk at Visa. “Once hackers get into a vendor’s network, they can get access to their entire customer portfolio. From there they can attack individual merchants.”
In addition to making certain connections are secure, Visa and the Council recommend that QIRs either regularly change application passwords for merchants or educate merchants about the need to do so, and how.
Other payments-industry organizations, such as the Retail Solutions Providers Association (RSPA), whose membership includes POS solution resellers, distributors, and hardware manufacturers, are helping to lead the charge on QIR certification. The RSPA negotiated a reduced rate of $250 per person through April for members whose employees are getting QIR certification. The QIR program typically costs $395 per employee for non-participating organizations of the PCI Council. Participating organizations pay $250 per employee.
“The rate reduction has helped make the program more accessible to members,” says Kelly Funk, president and chief executive of the Charlotte, N.C.-based association. As of mid-March, more than 60 members had signed up for QIR certification.
RSPA is also creating awareness of QIR certification and best practices through webinars and sessions at its annual conference in August.
‘Cost And Pain’
Despite industry efforts, one area of security not specifically addressed by QIR certification is the vulnerability of merchants’ business applications, such as order management and time and attendance, residing on the same network as their payment application.
While QIR certification is intended to help merchants plug data-security holes, there is one potential shortcoming. Merchants may become too focused on securing their payment application and not always recognize that a third party installing a non-payment application, such as an order-management system, can sometimes make changes in the payment infrastructure. That can make the network vulnerable to hackers.
“Creating vulnerabilities downstream after the installation of a business application happens all the time,” says Seymour. “QIR certification addresses payment application security, which is a good step forward, but it does not necessarily address this scenario.”
A more effective alternative, some security experts argue, is to require merchant adoption of point-to-point encryption, which encrypts card data as soon as the card is swiped, then sends it directly to the transaction processor. Upon receipt of the data, the processor uses its key to decipher the data.
“One of the benefits of point-to-point encryption is that it scrambles card data immediately, so that it is concealed before it passes into the merchant’s integrated POS system,” says Ken Oros, a senior associate with Omaha, Neb.-based consulting firm The Strawhecker Group. “There are encryption devices that can be attached to a computer running a payment application.”
One drawback of point-to-point encryption, says Seymour, is that it typically increases the cost to process a transaction. “Without an incentive, it will be tough to get merchants to embrace point-to-point encryption,” he says. “The most likely candidates to adopt it are small merchants that have suffered a data breach because they have experienced the cost and pain of a breach.”
‘Incentives And Penalties’
While QIR certification is seen as a plus for small merchants, a potential barrier to mainstream acceptance by resellers and integrators is the cost. Seymour points out that while RSPA negotiated a reduced course rate for its members, the $395-per-employee price tag for the certification for non-participating organizations can add up quickly. “I have about 60 employees that work with POS applications, and getting them all certified can be expensive,” he says. “So far, we’ve signed up 12 to go through the training.”
Security and payments experts believe some sort of financial incentive or penalty will have to be mandated by Visa or one of the other card networks to spur mainstream adoption of QIR certification. “Requiring QIR certification by the [value-added reseller] community is going to be a challenge, as it’s a new requirement,” says Vantiv’s Danner. “Having either an incentive or penalty will help promote the program and the resultant secure behaviors.”
If nothing else, history has shown that incentives and penalties can move the needle on data security, according to Franklin Tallah, principal consultant for Columbus, Ohio-based Verizon Enterprise Solutions.
“While the industry is seeing a good uptick in educational efforts by different entities, all security standards at some point have relied on incentives and penalties to drive adoption,” he says.
Yet, because hackers continually evolve their craft, QIR certification can’t be a one-and-done proposition. “Ongoing education about new ways hackers are attacking a network is essential,” says Steve Petrevski, senior vice president, fraud and security for Atlanta-based First Data Corp.
And, while efforts to build awareness about the need for QIR certification among resellers and integrators have gotten off to a strong start, how actively merchants embrace QIRs—and follow their recommended security practices, especially for non-payment applications—remains a question mark.
“The Visa mandate is a good step, but it’s still up to merchants to follow a QIR’s security recommendations,” Seymour says. “Many Level 4 merchants are either just not aware of the importance of following those recommendations or do not have the resources to implement, which is an issue.”