A large retail chain announces that cyber criminals have broken into the computer network of many of its franchised retail outlets, stealing the account information of millions of its customers. A dozen or so gift shops across the country reveal that they are the latest victims of a data breach. A small business owner finds that hackers wormed their way into a computer system after taking what she thought were all the right steps to keep her customers’ data safe.
What do these recent cyber incidents have in common? All of them occurred when data thieves were able to steal credentials belonging to outside vendors that worked closely with these merchants. These vendors set up in-store payment networks and point-of-sale (POS) systems, and then make periodic maintenance updates to keep these merchant payment systems running.
Most of this work is done without the vendor ever actually entering the physical store; instead, the vendor remotely accesses the merchant’s computer network. That makes these so-called “payment integrators” a target for data thieves. Increasingly, Visa has found that cyber criminals are exploiting basic weaknesses in these vendors’ remote access controls in order to gain access to a merchant’s systems and install malicious code. Once inside the network, they use that access to steal cardholder data and other sensitive personal information that is processed on the merchant’s computer or integrated payment application. The risk is particularly acute for small and medium-sized businesses, which are more likely to rely on integrators than their larger peers, which tend to have in-house expertise*.
In some cases, the cyber thieves are able to gain access to the merchant’s system because the integrator and retailer have left the default password in place, use a weak or generic password, and rarely change it. In other cases, an integrator might leave the network remote access port open once they have completed their work – the cyber equivalent of a handyman who has bolted shut all of the doors to the home where he is working, but leaves the kitchen window propped open after he has headed home for the day. In still other cases, the retailer’s point-of-sale network might not have received the latest security updates to protect against malware and other harmful software.
The Financial Services Information Sharing and Analysis Center (FS-ISAC), Retail Cyber Intelligence Sharing Center (R-CISC) and the United States Secret Service recently addressed this issue, publishing a joint advisory alert. Even the major financial regulators have flagged the issue. In its most recent annual report, the Financial Stability Oversight Council, an umbrella group of the major federal and state financial regulators, “highlighted the importance of establishing robust system controls for third-party vendors” in the wake of recent cyber attacks.
To address this problem, each of us must do our part. For starters, integrators need to participate in the Payment Card Industry Security Council’s Qualified Integrated Resellers (QIR) program, which provides training and best practices to ensure the secure installation of merchants’ payment systems. This industry-recognized qualification, good for three years, effectively serves as a “Good Housekeeping Seal of Approval” for participants and enables them to be included on Visa’s “go-to” global list of service providers that notes their compliance with Visa and other payment security rules. It also qualifies them for additional training courses led by PCI data security experts to make sure their knowledge remains current as the cybersecurity landscape evolves.
To promote this effort, Visa and the PCI Security Standards Council have partnered to promote the QIR program. Integrators and resellers can use the exclusive Visa promotional code, VISA50%OFF, to receive discounted pricing on the QIR Program through December 31, 2015. In addition, Visa will list qualified integrators and resellers who register with Visa through the Merchant Servicer Self-Identification tool. The Registry allows service providers to broadcast their compliance with Visa Inc. program requirements and PCI security standards, and to promote their services to potential clients worldwide. Visa is waiving the Merchant Servicer Self-Identification program fee for qualified integrators and resellers that register in 2015.
Of course, merchants (and the acquiring banks that work with them) must continue to strengthen the security of their payment networks. Merchants should only work with an integrated service provider that is certified as a Qualified Integrator Reseller by the PCI Security Council. (If your current integrator is not yet on the list, encourage them to get certified.) But that’s only the start. Merchants should regularly audit how customer data is stored, moved, and deleted—and adopt point-to-point encryption technology when appropriate. They should also conduct information security and risk assessments of all third-party vendors that may have access to their in-store payment networks – and establish stronger remote access and password management policies, like the use of one-time passwords, two-factor authentication technologies, and digital tokens. They also should segregate payment processing systems from remote access applications when possible, and restrict the network resources that remote access users can use. Finally, merchants should also continue to deploy proven cyber security practices, such as making sure that firewalls, intrusion detection systems, remote access, and antivirus logging are enabled.
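The weaknesses described earlier (default or stale passwords, a remote access port left open after the job is done, missing security updates) and the controls listed above (second-factor authentication, segregating payment systems from remote access, restricting what remote users can reach, keeping firewall, intrusion detection, remote access and antivirus logging switched on) can be turned into a repeatable check. The script below is an added example, not code from Visa or the PCI Security Standards Council; the configuration fields, the sample merchant configurations and the list of default passwords are all constructed for illustration, and the 90-day password and 30-day patch thresholds are assumptions rather than figures from the post.

```python
"""Audit a merchant's remote-access setup against the controls the post
recommends. Input is a plain dict describing the configuration (constructed
format for this example); output is a list of findings, empty when clean."""
from datetime import date

# Constructed sample of vendor-style default passwords, for illustration only.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "12345678", "pos", "vendor"}

# Assumed policy thresholds; not figures from the post.
MAX_PASSWORD_AGE_DAYS = 90
MAX_PATCH_AGE_DAYS = 30
REQUIRED_LOGS = ("firewall", "ids", "remote_access", "antivirus")


def audit_remote_access(cfg, today):
    """Return a list of finding strings for one merchant configuration."""
    findings = []

    # Default, weak or stale remote-access password.
    pwd = cfg["remote_password"]
    if pwd.lower() in DEFAULT_PASSWORDS:
        findings.append("default password in use")
    elif len(pwd) < 12:
        findings.append("weak password (shorter than 12 characters)")
    if (today - cfg["password_last_changed"]).days > MAX_PASSWORD_AGE_DAYS:
        findings.append("password not rotated in %d days" % MAX_PASSWORD_AGE_DAYS)

    # The "kitchen window": remote access enabled with no maintenance window.
    if cfg["remote_access_enabled"] and cfg.get("maintenance_window_end") is None:
        findings.append("remote access port left open outside a maintenance window")

    # Second factor, segmentation and least-privilege network reach.
    if not cfg["mfa_required"]:
        findings.append("remote access does not require a second factor")
    if cfg["pos_vlan"] == cfg["remote_access_vlan"]:
        findings.append("payment systems share a network segment with remote access")
    if "*" in cfg["allowed_remote_hosts"]:
        findings.append("remote users can reach any host")

    # Logging sources the post says should be enabled, and patch currency.
    for log in REQUIRED_LOGS:
        if not cfg["logging"].get(log, False):
            findings.append("%s logging disabled" % log)
    if (today - cfg["last_security_update"]).days > MAX_PATCH_AGE_DAYS:
        findings.append("security updates older than %d days" % MAX_PATCH_AGE_DAYS)
    return findings


# Fixed audit date so the sample results are deterministic.
AUDIT_DATE = date(2015, 9, 1)

# Constructed configuration showing the mistakes the post describes.
WEAK_CONFIG = {
    "remote_password": "admin",
    "password_last_changed": date(2014, 1, 15),
    "remote_access_enabled": True,
    "maintenance_window_end": None,
    "mfa_required": False,
    "pos_vlan": 10,
    "remote_access_vlan": 10,
    "allowed_remote_hosts": ["*"],
    "logging": {"firewall": True, "ids": False, "remote_access": False, "antivirus": True},
    "last_security_update": date(2015, 3, 1),
}

# Constructed configuration with the recommended controls applied.
HARDENED_CONFIG = {
    "remote_password": "Xk7#pq9!Lm2$wR4v",
    "password_last_changed": date(2015, 7, 15),
    "remote_access_enabled": True,
    "maintenance_window_end": date(2015, 9, 1),
    "mfa_required": True,
    "pos_vlan": 20,
    "remote_access_vlan": 30,
    "allowed_remote_hosts": ["pos-gateway.internal.example"],
    "logging": {"firewall": True, "ids": True, "remote_access": True, "antivirus": True},
    "last_security_update": date(2015, 8, 20),
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_remote_access(cfg, AUDIT_DATE)
        print("%s: %d finding(s)" % (name, len(result)))
        for line in result:
            print("  - " + line)
```

Run against the weak configuration the audit reports nine findings, one per control the post calls out; the hardened configuration reports none. The checks are deliberately simple field comparisons so that a merchant or acquirer can map each finding back to a line of the policy it enforces.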
An additional shift will take place in March 2016: all acquirers must ensure that newly boarded Level 4 merchant POS software and terminal installations and integrations are performed by QIR-certified companies and professionals. By January 2017, all servicing of POS applications and terminals will also be required to be performed by QIR certified professionals and companies. Visa is also working with the Payment Card Industry Security Council, the Retail Service Providers Association, and individual independent sales organizations like Mercury Payments on a number of educational efforts, like these webinars at www.pcisecuritystandards.org and www.visa.com/CISP.
Of course, like any of our security initiatives, we recognize that we are only as strong as the weakest link in the payment chain. In order to succeed, we all must work together – integrators, merchants, acquirers, and payment networks alike – to strengthen our security practices and keep our customers’ data safe.
* An April 2015 Symantec Internet Security Threat Report noted that more than 95% of the US data breaches that Visa has investigated in 2015 to date have involved small and medium-sized businesses.