Most Breaches Occur at Card-Present Merchants, Auditor Data Show

Brick-and-mortar merchants?and restaurants in particular?pose the biggest risk when it comes to card-data compromises, while point-of-sale systems based on personal computers as well as those hooked up to broadband connections are at significantly greater risk. That's according to new data released by AmbironTrustWave, a Chicago-based company that performs security audits to certify compliance with the 18-month-old Payment Card Industry data-security standard (PCI). Food-service businesses accounted for 77% of more than 100 cases of card compromise investigated by AmbironTrustWave, the company's data show. Retail businesses accounted for 7%, as did universities and hosting providers. Transaction processors accounted for the remaining 2%. Reflecting this problem, Visa USA recently issued a memo to members alerting them to the risk of data breaches at small and mid-sized restaurants (Digital Transactions News, July 12). In the security alert, the second Visa has released this year, the bank card network blamed the problem largely on improperly installed point-of-sale software that, among other things, stores sensitive data, such as PIN blocks. In this vein, AmbironTrustWave found that some 60% of compromises occurred as a result of a defect caused by a third-party vendor, with the remaining 40% caused by merchant errors. “POS developers, integrators, [and] IT firms are not following PCI DSS and [are] leaving merchants at risk,” the company warned in a presentation it gave last week at the Midwest Acquirers Association's annual conference in Chicago. Visa, which has said it will soon require software vendors to comply with a set of security recommendations known as Payment Applications Best Practices (PABP), sent a letter to software companies in late June in which it said PABP is “expected to soon become an industry-standard requirement” and in which it told recipients it “expects all payment application vendors to adhere to the PABP.” At the same time, AmbironTrustWave has found physical stores to be much riskier than e-commerce merchants. Card-present merchants, it says, accounted for 85% of compromises, with the remaining 15% occurring in card-not-present businesses. This mirrors recent industry experience, which has included data breaches at chains like BJ's Warehouse Club, DSW Shoe Warehouse, and Polo Ralph Lauren. Indeed, last week Visa revised the criteria by which it groups and defines merchants to force merchants that derive more than 1 million transactions a year from physical stores to prove compliance with PCI (Digital Transactions News, July 19). AmbironTrustWave's data also indicate that fully 84% of the investigated breaches occurred in POS systems based on PCs. Shopping carts came in a distant second at 12% of cases. None of the systems AmbironTrustWave investigated, it says, complied with PCI, a set of security requirements adopted by the major general-purpose card networks in January 2005. Meanwhile, systems running on DSL or cable links accounted for 47% of cases, compared to 31% for dial-up systems and 22% for those on T1 connections. This may mean increasing risk given the current trend in which more merchants are converting POS systems from leased lines to Internet Protocol connections. “All Internet connectivity should be considered high risk,” the company warned in its presentation. Although it did not provide numbers, the company said the absence of a firewall was the No. 1 reason it encountered for card-data compromises.