Digital Transactions Authoritative, insightful and timely information for payments professionals
Visa USA Inc. is releasing a security alert in response to an increase in data breaches it has detected among small and mid-sized restaurants. In reviewing data from the last few months, Visa saw “there's been an uptick in incidents from this sector” compared to previous time periods, says Martin Elliott, vice president for emerging risk at the bank card network. Elliott would not give specifics regarding the number of locations affected. “It's been enough to warrant notice to merchants,” he says. Because of the urgency of the situation, Elliott says he has not attempted to break out any fraud losses stemming from the incidents from Visa's aggregate loss statistics. “We wanted to get this [alert] out as quickly as possible,” he says. Elliott says Visa is also moving toward making a set of so-called best practices surrounding data security and point-of-sale software, which up to now have been industry recommendations, requirements for developers and merchants. These standards largely touch on whether and how POS software is storing card data. He says there's no timetable for establishing the Payment Application Best Practices (PABP) as required rules, but hints it won't be long. “We're sizing and scoping that right now,” he says. “It's safe to say software developers will soon be seeing communications from Visa on that point.” The second in a series of monthly data-security alerts Visa began issuing in May, the latest one refers to a heightened risk stemming from “mis-configured” or improperly installed point-of-sale systems at smaller restaurants “and other merchants” (the first alert discussed so-called SQL-injection attacks). The notice, which Visa has distributed to acquirer members to pass along to independent sales organizations and directly to merchants, says the compromised POS systems have put cardholder data at risk and recommends restaurateurs ask their system vendors a number of questions to ensure data security. These include making sure that the systems don't store PIN blocks, that firewalls have been installed around the systems, that access doesn't depend on default passwords, and that software complies with PABP. Visa lists PABP-compliant software on its Web site. Elliott says the problem often arises because smaller restaurants tend to rely on system integrators and resellers to install their POS systems. These third parties, he says, vary in their ability to set up basic protections, such as firewalls. “I'm not trying to denigrate resellers or integrators, but if you use them you want to ask these questions and make sure they're doing it right,” he says.
