Security: The Value of Added Security

Lauri Giesen

Many in the payments industry fault value-added resellers for lax data security, an accusation VARs resent. What’s the real story, and how are VARs working to make their products more secure?

Most retailers and their merchant acquirers and third-party processors take careful measures to assure that fraudsters can’t steal the payment data they control, or use it if they do get a hold of it. Big merchants, especially, use the latest technologies and engage in best practices to make sure their systems comply with the Payment Card Industry data-security standard (PCI).

But what about the vendors collectively known as value-added resellers that develop software and point-of-sale devices that often work in tandem with a retailer’s payments platform, including customer-loyalty and sales-tracking programs? Are their products always as secure? They’re supposed to comply with the PCI rules if they touch payment data at all, but they could unwittingly provide unauthorized persons with access to sensitive credit and debit card information.

Two years ago, Visa Inc. issued what it called the Top 10 best practices for secure software. It was aimed at VARs, including third-party software vendors, integrators, and others that sell or license applications to merchants and processors related to payment systems. Visa issued the best practices in response to industry allegations that negligence or misuse of these third-party vendors’ systems was resulting in payment card security breaches.

The good news today is that many payments experts believe that since the Visa report came out in August 2010, there is now a greater awareness of problems related to VAR systems and increased vigilance regarding their secure use by merchants, their acquirers and third-party processors, and the VARs themselves. Additionally, newer technologies developed in recent years help address some of the concerns that Visa noted.

The bad news is that as new payments-related technologies are being introduced—such as mobile and contactless systems—new vendors and applications are coming to market that have to be watched even more closely. And many of these new vendors, while bringing innovative ideas to payments applications, do not have as strong an understanding of security issues as the VARs that have worked for years in the payments industry.

‘Weakest Link’

The problem is not so much that the VARs themselves are sloppy. It’s just that every time a new application is added to a payments system, there is the potential for access to primary account numbers and related sensitive data, security experts say.

“VARs represent the weakest link in the payments system,” says Avivah Litan, security analyst and vice president at Stamford, Conn.-based Gartner Inc. “They represent another window of access into the system. It’s like your house. If people can get into your home through an open window, they don’t need access to the front door.”

Ultimately, the burden of securely installing and using VARs’ applications falls on the merchant and its acquirer. The first step is a check of a product’s PCI status.

“The best way to prevent any breach is to make sure any new system is compliant with industry security standards,” says Bob Russo, general manager of PCI Security Standards Council, the Wakefield, Mass.-based organization that administers and updates the main PCI standard and its two related standards for payments software and PIN-accepting devices.

Lists of resellers and systems integrators whose products are deemed PCI compliant can be found on the council’s Web site (pcisecuritystandards.org).

Another source of information and lists of technology firms that have undergone rigorous PCI education and training is on the Web site of the VAR trade association, the Retail Solutions Providers Association. The gorspa.org site not only lists vendors that have received PCI compliance training but also allows end users to give reviews and comment on the quality of the vendors they’ve used.

The RSPA has been training companies in payment-security compliance since 2009, and vendors can be certified on two levels. The first level shows they have received at least seven hours of PCI training. The second shows they have been evaluated on their code of ethics, professionalism, and other qualities, according to Joe Finizio, president and chief executive of the Charlotte, N.C.-based RSPA.

But finding a PCI-compliant and -trained vendor is just the first step.

“Being compliant is like having a smoke detector or a deadbolt lock on your door. The smoke detector is not any good if the batteries are dead and the lock won’t work if it is not locked. Compliance alone doesn’t mean you are secure,” Russo says.

Indeed, Finizio argues that many of the problems associated with outside systems that work in tandem with payment-processing systems happened not because VARs’ products were inherently insecure, but because merchants or processors used them incorrectly. For example, no one changed default passwords even though they were told to do so, or a business used unqualified persons to make changes or adjustments to its computer system without consideration of how that would affect data security.

“PCI compliance is an ongoing process. Just buying a compliant system is not enough. You have to keep it in compliance. About 95% of the breaches I have seen were because of two things: password administration or failure to lock down access,” Finizio says.

Follow the Transaction

Once a vendor has been chosen, retailers and acquirers need to examine the VAR’s product and its installation to make sure there are no “open doors.” While it may be a common practice for the VAR to access portions of a client’s payment system to update software or introduce new applications, programmers and administrators need to be vigilant about closing access immediately after the change is made and ascertain that only authorized people get into the system.

“When attempting to add new technology, you need to interrogate each step of the system to make sure the new technology does not introduce new risks into the system,” says Bruce Dragt, senior vice president and division manager for payment acceptance for processor First Data Corp., Atlanta.

One of the problems is that in a rush to get a new application going, a systems vendor and end user may not study each step that a transaction takes from the time a card is swiped until the transaction is approved, Dragt says.

“You have to do a flow-through analysis. Who is seeing this information at each level the transaction passes through and are there any holes?” he explains.

Additionally, because multiple vendors may be involved in the introduction of a new technology, the responsibility for security could get confused. A thorough system check should prevent most such problems.

“You could have two partners and each thought the other one was looking out for the security of the transaction when in fact nobody was,” Dragt says.

Another precaution is when installing or updating applications, retailers should only engage the services of so-called Qualified Integrators and Resellers, companies trained in proper PCI procedures. They’re listed on the PCI Council’s Web site.

“A lot of small retailers in particular try to save money when updating systems and they hire people to upgrade their systems who are not qualified in security measures. They might have their brother-in-law write a new software application or have their kid create a Web application rather than use qualified professionals,” Russo says.

Card Data And Loyalty

One of the biggest problems associated with VAR systems relates to passwords. Many applications come with a default password for system access that merchants fail to change upon installation. Fraudsters often easily guess these default passwords, which gets them one big step closer to sensitive payment data that when stolen can be used to make counterfeit cards.

The latest data-breach study by a unit of New York City-based telecommunications giant Verizon Communications Inc. found that exploitation of default or guessable passwords was involved in 44% of breaches that Verizon investigated or analyzed.

This can be an especially big problem with restaurant franchises that all install the same new application and use the same default password for every location, Russo explains. Then, if a fraudster gains access to that password, he or she can then not only access data from one location, but from every franchisee in the chain that failed to change the password.

In these situations, Russo says not only should the franchisees change the default password, but also each franchisee’s new password should be different from all the rest.

Another important security step is making sure payment card information is not used to identify customers for other applications, explains Rodolphe Simonetti, manager of PCI compliance services for Verizon Enterprise Solutions.

For example, some systems identify customers in a loyalty program by their credit or debit card numbers. This presents considerable risk in that the card number can more easily fall into the wrong hands.

“You don’t need credit card data to register loyalty points. There are many other ways to reference a customer besides using credit card data and risk compromising that data,” Simonetti says.

‘A Big Challenge’

Problems like those associated with default passwords and separating payments and customer identification data from nonpayment data, however, are nothing new. Many industry experts believe merchants and processors now indeed use better practices.

“The situation is improving and people are more aware of the problem and taking the right steps,” Simonetti says.

In the business-to-business world, some companies won’t even buy from vendors that can’t document their security and show they are protecting the buyer’s payment data, Simonetti says. That mindset is filtering down to consumer payments.

“A few years ago, technology companies were adhering to security standards just to be compliant so they wouldn’t have to pay a fine. Today, the movement toward better security is being driven by the market. Customers expect you to protect their payment data and if you can’t, they won’t do business with you,” he says.

Simonetti also says newer technology is coming out that is specifically designed to help retailers and processors keep sensitive data out of the wrong hands. End-to-end data encryption and transaction tokens can help retailers make sure data do not leave their systems when new applications are added.

Finally, Simonetti believes that, unlike in the past, software and point-of-sale hardware from VARs is designed and manufactured with data security in mind.

“Most of the problems we still see are on systems that are 10 years old or older,” he says. “The newer systems take security into account right from the beginning. With the older systems, you have to go in and make a lot of changes to make sure they are PCI-compliant. That can be a big challenge.”

‘Missing the Boat’

While technology companies may be getting better at understanding payment card security risks, consultant Litan says merchants and their acquirers still need to monitor activities vigilantly.

“Most companies are only aware of PCI when it is being enforced. The real burden is on the acquirer because they are the ones who have been made responsible [by the card networks] for PCI compliance,” she explains.

Additionally, while veteran payments-technology companies may be getting better at understanding data protection, some in the industry worry about market newcomers and their presumed inexperience with security issues that could increase the risk.

“With the emergence of mobile devices and new payments applications, new areas have to be covered to protect the security of a transaction that have not been dealt with in the past,” First Data’s Dragt says.

Finizio of the RSPA argues that more detailed compliance standards are needed for some of the newer technologies, especially mobile payments.

“There is some confusion with mobile,” he says. “The PCI Council has given some guidance about how to protect mobile transactions but it has not come out with a complete list of PCI standards for mobile transactions. They are waiting to see how mobile is going to shake out and what systems the industry is going to use. But they can’t risk missing the boat to get standards in place early.”

‘A Starting Point’

Russo responds that the Council already has provided some guidance to merchants on how to apply PCI standards to mobile applications and it has developed a series of best practices for mobile-technology developers.

“These aren’t standards, but they are a starting point for developers when considering how to build secure solutions for retailers,” he says. “With emerging technologies like mobile that are rapidly changing and still developing, we’ve got to look first at how our standards apply to this environment and then build from there as the technology matures,” he says.

Russo adds that the council in 2013 will release more information for merchants about mobile security as it decides whether it needs to update or create additional requirements.

Not only is the advent of new, advanced payments bringing in new VARs, but the entrance of merchant processors catering to micromerchants and even part-time sellers who want to accept cards through smart-phone apps and card readers is adding a host of merchants inexperienced in monitoring card security.

“You may have a housewife who bakes cookies and has begun selling them at the local flea market. Now she can take credit cards on her cell phone and she will not have the experience in security to know how to protect that data,” Russo says.

Now that VARs are getting data-security religion, this new flock of micromerchants looks like the next big group of potential converts.