Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘Avivah Litan’

Welcome to the Bi-Weekly Best of the Web – a great way to catch up on recent commentary and compelling content from across the Web. Every other Friday, we’ll post insightful news articles, noteworthy blog posts and more related to the world of payments, payment data security and technology.
New PCI Rules Will Force Retailers To Set The Risk Level
by Walter Conway
PCI version 2.0 changed July 1. Even though there are actually no new requirements, per se, as of this date, the stated “best practices” for identifying and ranking risk vulnerabilities in Requirement 6.2 became mandatory. Ignore this change and you may see yourself up a PCI tree later this year… Click here to read more

Not All Merchants Are Happy with the $7-Billion-Plus Credit Card Settlement
by Digital Transactions
No sooner had the ink dried on a proposed settlement of a massive credit card suit than cracks began to appear in what had been an edifice of merchant solidarity. The NACS, a national trade group for convenience-store operators, on Friday said its board of directors had unanimously rejected the settlement, and on Monday its attorney told Digital Transactions News more merchant dissenters will emerge. “A lot of merchants are very upset about this [settlement],” says Douglas Kantor, a Washington, D.C.-based partner at Steptoe & Johnson LLP… Click here to read more

Small Kentucky town latest victim of credit card fraud affecting 25% of police force
by Avivah Litan
I’ve been hearing from U.S. banks that card fraud continues to be a major issue for them, while online bank account takeover and trojan-based attacks have flattened out. The new trend, they say, is ‘micro-attacks’ that are localized, small in nature and which stay under the radar longer, giving the crooks more time to rack up unauthorized charges… Click here to read more

What other interesting content have you come across? Leave a comment below and join the discussion!

We’ve all heard of flash mobs, or groups of people that meet in a particular place and do something fun, creative or unique, such as break out in dance or song. These flash mobs are an interesting phenomenon that have even broken into the mainstream, being parodied in advertisements and featured in TV shows.

But have you heard of flash attacks? They’re not nearly as innocuous and fun as flash mobs, and they can directly result in loss of money and damage to retailers’ brand reputation.

Flash attacks are what Gartner analyst Avivah Litan calls credit card skimming schemes, something we’ve discussed previously on the blog. Essentially, credit card skimming involves individuals either tampering with, or outright replacing, the card readers on point-of-sale (POS) devices within retail establishments. These tampered or substituted devices then capture the card data of every card that passes through them.

As described by Avivah in her latest blog post, these credit card skimming schemes, or flash attacks, are extremely sophisticated. Far from being simple acts of vandalism by random data thieves, they are highly targeted, well-planned attacks by organized groups.

So how do these criminal operations work? Group ringleaders hire individuals to install skimmers in the POS devices or to swap out the equipment. From there, counterfeiters take the captured data and produce cloned cards, complete with PINs taped right on.

More individuals are then recruited to hit ATMs and other retail establishments, where they withdraw cash or buy goods that are easily resold (electronics, etc.). The attacks occur quickly and can take place in the country where the data was stolen or in other countries. The individuals withdrawing money or making purchases are instructed to pace themselves and otherwise stay clear of fraud detection systems.

Avivah’s blog post is an eye-opener and really highlights just how devious and organized the people running these credit card skimming scams truly are. It’s frightening just how calculated, educated and efficient these attacks can be.

With the National Retail Federation (NRF) annual convention coming up next month, data theft and security issues facing retailers and merchants will be taking center stage. It’s important that retailers educate themselves about the attacks that are occurring, and familiarize themselves with the technologies and solutions available to help eliminate their risk. As the cost of a data breach continues to rise, no retailer can afford to be caught by surprise.

By Beth McGarrity

As the year comes to a close, and TV personalities from Oprah to Ellen to Barbara Walters highlight their favorite things and most fascinating stories in 2011, I thought I’d take a moment to reflect on my favorite SecurityCents posts and industry news and share them with you.

PCI Announces Guidance for Merchants.

Merchants were provided with an abundance of guidance this year on emerging technologies that assist with compliance and with securing sensitive data. The first documents were released in late 2010 and focused on point-to-point encryption, followed by tokenization and virtualization. In the New Year, the Council will focus on three new areas: cloud, risk assessment and e-commerce security.

Validation from Coalfire Systems.

It’s easy for vendors to say that their product or solution is going to help merchants reduce the scope of PCI compliance. In some cases, it’s really just unsubstantiated marketing hype. At Merchant Link, we invest significantly in R&D to ensure that our solutions really do reduce PCI scope, and we wanted to offer our customers a third-party validation of this fact. Coalfire evaluated our TransactionVault™ and TransactionShield™ solutions for tokenization and encryption and confirmed our findings.

Avivah Litan Talks Tokenization.

We had the honor of featuring Avivah Litan on a podcast recently to discuss payment security. As a renowned expert in this area, Avivah regularly publishes industry research and opinions on her own blog, which we avidly follow here at Merchant Link. For this podcast, Avivah focused on key trends in payment security, specifically as they relate to point-to-point encryption and tokenization.

Google Wallet Meets MasterCard and NFC.

It’s here! Finally…well…sort of. The technology for mobile wallets has been around for a while, but the concept hasn’t caught on very well. Then Google entered the market with its mobile wallet, using Near Field Communication (NFC) to exchange data with point-of-sale (POS) terminals. On the payment side, the company partnered with MasterCard and Citi to allow users to pair credit cards with their phones. It’s been an interesting progression to watch and something we will certainly keep an eye on, as the issues surrounding secure payment transactions will be top of mind for merchants.

What else is on your list of favorite things from 2011? Share them with us by posting a comment below.

Avivah Litan is a vice president and distinguished analyst in Gartner Research and is a renowned expert in the area of payments security. She regularly publishes key industry research reports with regard to PCI compliance, has a well-read blog and is often quoted in the media discussing PCI compliance and payment security – among other things. Following is an exclusive podcast with Avivah Litan, who discusses key payment security trends and highlights the value of end-to-end encryption and tokenization.

By Mike Ryan

As anticipated, Visa announced the extension of the Technology Innovation Program (TIP) originally announced for non-U.S. markets back in February. Reading through the document, it is clear that this is an attempt to get the market moving on two major Visa initiatives: near-field communications (NFC) and EMV.

As several analysts and my fellow bloggers have pointed out, this program says at least as much about Visa’s focus on NFC as it does about EMV. But, I’m more interested in what it doesn’t say.

First, the announcement doesn’t say that to qualify for the PCI exemptions, 75 percent of a merchant’s traffic needs to be EMV transactions. It only says that the terminal must be EMV and NFC capable. U.S. payment processors don’t support the EMV standard today, so clearly no merchant would qualify on transaction volume anyway. Obviously this is not an attempt to make the industry more secure or reduce fraud in the short term.

Second, you may also have noted that there are no liability shifts or protections from data breach penalties, as there were in the global version of the program. It seems that Visa knows this program will not enhance security or prevent fraud, so while merchants may get a temporary reprieve from regulation, they will still be subject to fines and penalties if they are breached.

I’ll be honest…a part of me wants to applaud the effort to accelerate the NFC roll-out because I want to use my phone to make purchases at the point of sale (POS). However, I can’t do this with a clear conscience, because my job is to help merchants become more secure and avoid the high cost of a data breach.

The reality is that EMV is still several years away. While it will eventually help prevent some types of card-present fraud, it does nothing to protect cardholder data from being stolen from merchants’ networks. The EMV authorization message still carries the card number in the clear — without point-to-point encryption (P2PE) and/or tokenization — so it essentially does nothing to protect the data itself.

That data, if stolen, can still be used at the POS until EMV is widely adopted several years from now — or for the foreseeable future in card-not-present (CNP) fraud. According to Javelin Strategy & Research’s most recent Identity Fraud Survey Report, CNP fraud has outpaced card-present fraud for the first time ever.

Visa’s program doesn’t offer any new protection, so the penalties will continue to rest with the merchant. So let’s start preparing for EMV and NFC, but don’t be fooled…unless you render the data useless, criminals will still try to steal that data, and someone will ultimately pay the price when a breach occurs.

By Michael Ryan

Recently, Gartner Group surveyed U.S. retailers on their spending levels for PCI compliance. The findings reflect much of what we’ve seen in the market in our discussions with major retailers. Most big brands have already taken steps to achieve PCI compliance, so 89 percent of the Level 1 merchants surveyed were compliant, while 57 percent of merchants that fall between Levels 2 and 4 were compliant. But interestingly, the survey found that Level 2-4 merchants are spending more on compliance.

So what gives?

Of course, the spending increase for lower-level merchants could just be basic math. There are far more retailers at the lower levels than at Level 1, and nearly half of them still need to take steps to become PCI compliant.

One of the motivations that Gartner analyst Avivah Litan points to is that the merchant-acquiring banks that enforce PCI compliance on behalf of the card brands (Visa, MasterCard, etc.) have been contacting Level 1 merchants, reinforcing the message that they must be in compliance with PCI standards. Fines and threats are usually effective motivators.

The cost increases for Level 2 merchants are just the card associations’ long-term plans playing out. They started with e-commerce merchants, moved to the largest retailers and are now increasing pressure on the next tier of retailers, who are currently not meeting compliance standards.

The pressure is good, and we do hope that retailers realize that becoming PCI compliant is necessary, but only a baseline. In fact, Gartner predicts that by the end of 2012, 75 percent of the retailers that are breached will be PCI compliant.

So what is a retailer to do?

Use the PCI standards as a baseline for protection, but understand that newer technologies are available to remove sensitive data from your systems altogether, and make sure you have a layered approach to securing your networks. From encryption to tokenization, retailers must recognize the benefits of implementing these technologies, including a reduced scope for PCI audits as well as minimized card data exposure, which makes the retailer a less attractive target for attack.
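The paragraph above, like Mike Ryan’s point earlier on the page that stolen data only stops being valuable once it has been rendered useless, describes tokenization without showing the mechanics. The sketch below is an added example and is not Merchant Link’s TransactionVault or any other vendor’s code. It assumes a vault that issues random tokens (not derived from the PAN, so a stolen token table cannot be reversed), keeps the last four digits for receipts, and holds the token-to-PAN map itself, while the merchant’s order records store only the token. The Luhn-based scan at the end is the kind of cardholder-data discovery check an assessor runs to confirm that card numbers have actually left the merchant’s systems; the sample card numbers are the usual test PANs, not real accounts.

```python
"""Tokenization sketch: merchant stores tokens, the vault stores PANs.

Illustrative code only (not a product's implementation). A real vault is a
separate, hardened system; here it is an in-process object for clarity.
"""
import json
import re
import secrets

PAN_RUN = re.compile(r"\d{13,19}")


def luhn_valid(number: str) -> bool:
    """Luhn check digit test; every real PAN passes it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Issues random tokens for PANs and keeps the only copy of the mapping."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}   # same card -> same token

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]
        while True:
            # Random prefix, real last four digits so receipts still make sense.
            prefix = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = prefix + pan[-4:]
            # Reject tokens that happen to pass Luhn, so a token is never
            # mistaken for (or usable as) a card number, and reject collisions.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can go back to the PAN; unknown tokens raise KeyError."""
        return self._pan_by_token[token]


def checkout(vault: TokenVault, merchant_db: dict, order_id: str,
             pan: str, amount: float) -> str:
    """Merchant-side record: the PAN is exchanged for a token and never stored."""
    token = vault.tokenize(pan)
    merchant_db[order_id] = {"token": token, "last4": token[-4:], "amount": amount}
    return token


def find_pans(text: str) -> list[str]:
    """Cardholder-data discovery: digit runs of PAN length that pass Luhn."""
    return [run for run in PAN_RUN.findall(text) if luhn_valid(run)]


def merchant_db_is_clean(merchant_db: dict) -> bool:
    """True when a serialized dump of the merchant's records holds no PAN."""
    return find_pans(json.dumps(merchant_db)) == []


if __name__ == "__main__":
    vault, db = TokenVault(), {}
    tok = checkout(vault, db, "order-1", "4111 1111 1111 1111", 19.99)  # test PAN
    checkout(vault, db, "order-2", "5555 5555 5555 4444", 5.00)         # test PAN
    print("merchant record:", db["order-1"])
    print("merchant DB free of PANs:", merchant_db_is_clean(db))
    print("vault resolves token:", vault.detokenize(tok))
```

The property worth noticing is that a breach of the merchant database (or of a copy of it) yields tokens that fail the Luhn check and carry no relationship to the card number; only the vault can resolve them, which is why the vault, and not the store’s POS network, is what has to be defended and audited.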

By Sue Zloth

For years, we’ve been hearing about the mobile wallet. The idea that you could scan your phone to pay for an item instantly, without having to carry cash or plastic, is appealing. It used to seem a bit futuristic, but mobile near-field communications (NFC) payments are here, with Google at the forefront with its mobile wallet.

While it is exciting that mobile payments are here, most of us in the payments industry are still aware of the many unknowns that exist. So I was pleased to see this blog post from Avivah Litan of Gartner Group, which outlines all the major unknowns that come with mobile payments.

One of the unknowns not mentioned, but one that will be an issue for merchants, is the security of payment data. NFC transactions, like traditional point-of-sale (POS) transactions, require a layered approach to security. Merchants who are struggling to secure transactions today will need to consider how they will secure mobile transactions in the near future.

Read below to see what Avivah has to say:

I’m as excited as anyone about the prospects of mobile NFC payments, and it was good to see Google line up much-needed cooperation from MasterCard, Sprint, Citi, and some retailers with its new Google Wallet initiative. We just wrote a Gartner First Take that explores the benefits of Google Wallet as well as the hurdles to adoption.

In my opinion, the main hurdle is convincing retailers to accept these new payment types. In watching payment systems evolve over the past decade and more, I’ve come to strongly believe that it’s the sellers (or retailers) that drive new payment system adoption. And I just don’t see a strong enough value proposition for the retailers out of the gate to drive success here. Sure, in the long run, there is likely to be value with customer acquisition and retention generated via the Google Offers (advertising, coupons, loyalty, etc.) program. But it’s the short run that immediately matters because if we don’t get past the short run hurdles, there won’t be any significant adoption.

And in the short run – the expense and costs for this new program will probably outweigh the benefits for most retailers that consider it, unless of course Google and other Google Wallet participants PAY merchants to join (which is a common approach struggling new payment systems have taken in the past).

In my opinion, the big unknowns are:

a) why are merchants requiring signatures on these contactless transactions, which defeats the (albeit questionable) promise of speed and convenience at the checkout lane?

b) what in fact are the interchange fees that the retailers will have to pay? Retailers pay more for signature based payment card transactions than they do for PIN ones, and even with low value debit payments that don’t require signatures, my understanding from talking with retailers is that contactless debit payments typically cost merchants more than debit card-swipes.

In fact, retailers have been known to shut off contactless payments over interchange disputes. For example, Storefront Backtalk reported early last year on BestBuy’s dispute with Visa over its contactless debit card payment interchange policies and fees, which led the mega-retailer to stop accepting Visa’s contactless transactions. The news group, a rich and well-respected source for retail industry information, also disclosed issues other large retailers had with the contactless fee structure.

Indeed, interchange fees paid for credit and debit card payment processing are a sizable chunk of many retailers’ balance sheets (the second largest line item at Target, for example, right after labor costs). It’s a constant source of friction between retailers and the banks, and is being hotly debated as part of the Durbin amendment, which threatens to dramatically reduce bank debit card interchange fees.

So while mobile payments are not just about payments – they are trying to be about the entire customer shopping experience – fees play a critical role in merchant willingness to promote new payment types. Most retailers will already have to upgrade their POS equipment to accept the contactless payments. And now they have to be willing to forgo lower interchange fees on PIN debit.

I’m just not sure this is going to fly, despite the mobility.