Thursday, April 18, 2024

Visa Admonishes Merchants To Segment Electronic Traffic

In the latest of its so-called Data Security Alerts aimed at strengthening merchant payment card security, Visa USA is putting the spotlight on point-of-sale systems that provide electronic on-ramps for fraudsters. In particular, Visa wants merchants to remedy the vulnerabilities of what it calls “improperly segmented network environments.” Merchants can unintentionally create such environments when they install networked POS systems that, in addition to carrying e-mail and allowing for Web browsing and other linked functions, transmit payment card transaction data. Without proper firewalls (electronic barriers separating different functions), fraudsters using the Internet can compromise card data.

“A malicious e-mail attachment or a malicious Web page can introduce viruses, spyware, and malware into an internal network,” the alert says. “Once such harmful software is within the boundaries of your internal 'trusted' network, it allows uninhibited access to all devices on the network. This scenario can be abused to gain access from a user system to a business (payment-processing) system and result in data loss.”

Visa did not issue the alert in response to any specific fraudulent incident, according to Martin Elliott, Visa's vice president for emerging risk. “I wouldn't point to any one event, but this vulnerability has been present in several events,” he says. Elliott likens the need for firewalls to tight security in the home, where internal locks would prevent someone who broke in from getting past one room. He adds that when merchants build their POS networks, “they are not necessarily focusing on security, they're focusing on convenience. I wouldn't want to identify any one merchant event, but it is a common vulnerability.”

The alert gives seven recommendations covering everything from firewalls to network access for ensuring that segmentation meets the Payment Card Industry (PCI) data-security standards being promulgated by Visa, MasterCard Worldwide, American Express Co., Discover Financial Services LLC, and the major debit networks. According to Elliott, about one-third of so-called Level 1 merchants (those generating 6 million or more Visa transactions annually) are now PCI-compliant. Based on what members are reporting, he expects that number to rise rapidly in the coming months.

Visa started posting security alerts in May after a series of high-profile database breaches at processors and retailers compromised millions of card accounts, including PIN-debit accounts usually considered more secure than credit and signature-based debit card accounts (Digital Transactions News, March 16). The Oct. 31 alert is the sixth in the series. Like the others, Visa intends this latest alert for public consumption. The payment network distributed it to its member financial institutions with the message to pass it on to merchants, independent sales organizations, and processors. The entire series and related materials are posted at www.visa.com/cisp.

Digital Transactions