Jetro v. MasterCard: New Concerns for Merchants and Insurers

A Q&A with Doug Meal
The brave new world of cyber liability got a lot more complicated last May. That’s when the Jetro Holdings LLC v MasterCard Inc. case held that if a card brand withholds merchant funds to satisfy the brand’s PCI fines and assessments following a data breach, the merchant has no legal recourse against the brand—even if the brand acted unlawfully in imposing the fines and assessments in the first place. I talked to attorney Doug Meal of Ropes & Gray, LLP, to explore this case and its implications for retailers and their insurers.

EMV and Payment Security: What’s Next

A Q&A with Dan Fritsche of Coalfire
The introduction of EMV chip cards and newer PCI Security standards go a long way toward reducing data breach incidents and payment card-related fraud. Yet many retailers still have not adopted the technology and EMV in and of itself is not a wholesale solution for data loss. I spoke with Dan Fritsche, Vice President of Solution Architecture at Coalfire, about ongoing payment card concerns for retailers and what they can do to make their systems more secure.

Adopting EMV: The Word from Ponemon

A Q&A with Michael Bruemmer of Experian Data Breach Resolution
The deadline for merchants transitioning to the EMV payment system looms: Organizations are expected to adopt the technology by October. I spoke to Michael Bruemmer of Experian Data Breach Resolution about a recently released Ponemon Institute study documenting industry attitudes toward this shift.

Payment Cards and Data Breaches

A Q&A with Grayson Lenik
The retail industry is now the top target for cybercriminals, according to the 2013 Trustwave Global Security Report, and payment card data, which the PCI Data Security Standard (PCI DSS) exists to protect, is a critical area of concern. Yet many businesses, especially smaller retailers, are still unaware of basic PCI requirements. I asked Grayson Lenik, senior security consultant at Trustwave, for an overview of what small merchants need to know.

Can you give us a summary of the key PCI threats and requirements facing retailers today?
I wish I could say it was complicated, but it’s really not. The basics of the PCI requirements, such as installing a firewall to protect data and creating strong passwords, are still killing people, especially small merchants. Without a good firewall configuration, you’re leaving remote access wide open to the internet. As far as the passwords go, I don’t know if it’s that people are not in tune with the basics of security or whether they are not aware that they need to change the defaults, but either way, weak passwords combined with easy remote access are a recipe for disaster.

In the PCI arena, the biggest threat to everyone is organized crime—large crews who are dedicated to stealing cardholder data. There’s a sophisticated black market surrounding the sale of this information. If a hacker wants to find a specific credit card from a certain region he could easily find it. So we know the operations are out there and they are very well developed.
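The two basics Mr. Lenik names, a firewall that does not leave remote access open to the whole internet and credentials that are not left at their defaults, are easy to check mechanically. The following is an added example written for this page, not Trustwave's tooling or anything from the interview: it parses a small ruleset in iptables-save format (the ruleset is constructed for illustration, not a real merchant's), flags INPUT ACCEPT rules for common remote-access ports whose source is unrestricted, and shows how such a rule is rewritten to admit only a named management network. The port list and the sample CIDRs are assumptions chosen for the example.

```python
"""Audit an iptables-save style ruleset for remote-access ports open to any source.

Added example for this page (not from the interview). The ruleset below is
constructed; the port list is an assumption covering common remote-access services.
"""
import ipaddress
import re

# Ports that, when reachable from anywhere, are the "remote access wide open" case.
REMOTE_ACCESS_PORTS = {
    22: "ssh",
    23: "telnet",
    3389: "rdp",
    5631: "pcanywhere",
    5800: "vnc-http",
    5900: "vnc",
}

# Constructed sample in iptables-save format (not a real deployment).
SAMPLE_RULESET = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 3389 -j ACCEPT
-A INPUT -p tcp -s 0.0.0.0/0 --dport 5900 -j ACCEPT
-A INPUT -p tcp -s 203.0.113.10/32 --dport 22 -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
COMMIT
"""

RULE_RE = re.compile(r"^-A\s+(?P<chain>\S+)\s+(?P<args>.*)$")


def _option(args, *names):
    """Return the value following the first matching option name, or None."""
    tokens = args.split()
    for i, tok in enumerate(tokens):
        if tok in names and i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def _is_unrestricted(source):
    """True when no source is given or the source is a /0 (any address)."""
    if source is None:
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:
        # Hostname or unparsable value: not provably open, so not flagged here.
        return False


def audit_ruleset(text):
    """Return (port, service, rule) for INPUT ACCEPT rules exposing remote access.

    Only single-port ``--dport`` rules are inspected; ``-m multiport`` and
    negated sources (``! -s``) are outside this example's scope.
    """
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        match = RULE_RE.match(line)
        if not match or match.group("chain") != "INPUT":
            continue
        args = match.group("args")
        if _option(args, "-j", "--jump") != "ACCEPT":
            continue
        dport = _option(args, "--dport")
        if dport is None or not dport.isdigit():
            continue
        port = int(dport)
        if port not in REMOTE_ACCESS_PORTS:
            continue
        if _is_unrestricted(_option(args, "-s", "--source")):
            findings.append((port, REMOTE_ACCESS_PORTS[port], line))
    return findings


def restrict_rule(rule, allowed_cidr):
    """Rewrite an ACCEPT rule so it matches only the given source network."""
    ipaddress.ip_network(allowed_cidr, strict=False)  # raises on a bad CIDR
    tokens = rule.strip().split()
    if "-s" in tokens:
        tokens[tokens.index("-s") + 1] = allowed_cidr
    else:
        # "-A <chain>" occupies the first two tokens; insert the match after them.
        tokens[2:2] = ["-s", allowed_cidr]
    return " ".join(tokens)


if __name__ == "__main__":
    for port, service, rule in audit_ruleset(SAMPLE_RULESET):
        print(f"OPEN {service} ({port}): {rule}")
        # 203.0.113.0/24 stands in for the merchant's support provider's network.
        print(f"  fix: {restrict_rule(rule, '203.0.113.0/24')}")
```

Run against the sample, the audit flags the RDP rule (no source at all) and the VNC rule (explicitly 0.0.0.0/0), while the SSH rule limited to a single host and the HTTPS rule pass. The same source-restriction pattern applies to whatever appliance or cloud security group the merchant actually uses; the point is that "remote access" should mean "from the support vendor's addresses", never "from anywhere".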

What areas are your clients struggling with most?
I really think the big piece is education. That’s the first priority. I handle these breaches all the time and I find out from the business owners that this is the first time they’ve heard of PCI compliance. They ask, ‘Why didn’t my merchant bank or anyone ever talk to me about this?’ That’s remarkable since the regulation has been on the books for 10 or 11 years. Aside from that, it’s the basics: storage of cardholder data, firewalls and two-factor authentication.

People worry that it’s going to be very expensive, but there are very simple ways to comply. There are whitepapers available geared toward smaller merchants, about purchasing and configuring a firewall for less than five hundred dollars. Trustwave specializes in managed security services and offers a preconfigured firewall complete with two-factor authentication, including digital certificates, which is ideal for a smaller business such as a restaurant or small retail store.

Thankfully, I think the mainstream media is starting to do a better job of covering the topic so people are becoming more aware that small merchants are also at risk.

Do you see any trends for key causes of a PCI breach?
I think that goes right back to the first question. We see a lot of everything but remote access and weak passwords are still the biggest causes of PCI breaches. The big trend we saw for 2012 was the rise in eCommerce attacks. It’s frightening to see how simple it is for hackers, even hackers with a low skill level, to exploit these sites. I would recommend anyone in the security profession or even anyone who develops websites to test their own security on their own websites. With even some minimal steps, you can prevent these attacks.

In summary…
PCI continues to be a thorn in the side for many clients, and for many of the reasons that Mr. Lenik mentions. Often, it is the simple mistakes and commonly known exploits that can trip up organizations—and some mistakenly believe they have no credit card liability exposure if they outsource credit card processing (this is not the case in the eyes of victims or their lawyers). I personally feel that PCI is a fairly complex, granular and ever-changing standard that can be costly for clients to comply with, year after year. To complicate matters, the class-action plaintiff lawyers look to PCI DSS as an industry “standard of care.” This can increase the liability for a company that suffered a breach and was found to be lacking in a PCI-required practice that might have contributed to the incident (even if they were otherwise 95% compliant). On the plus side, regarding PCI as a standard of care can be useful to businesses in retail and beyond.