Hackers target vulnerable POS systems they suspect store card data, Visa U.S.A. recently warned, and, in conjunction with the U.S. Chamber of Commerce, stated the five leading causes of data breaches and specific prevention strategies for each.
Visa is aware of credit and debit card account information compromises occurring from improperly stored magnetic stripe, or track, data after transaction authorizations are completed. Track data refers to the information encoded in Tracks 1 and 2 of the mag stripe.
The card Association has also observed compromises involving improperly stored card verification value 2 (CVV2) data, PINs and PIN blocks.
To guard against compromises, Visa advised merchants to implement the following strategies:
- Ask their POS or payment software vendor (or reseller/integrator) to confirm their software version does not store mag stripe data, CVV2, PINs or encrypted PIN blocks. If it does, they should have these elements removed immediately.
- Ask their payment software vendor for a list of files written by the application and a summary of the content to verify prohibited data is not stored.
- Review custom POS applications for any evidence of prohibited data storage. Eliminate any functionality that enables storage of this data.
- Search for and expunge all historical prohibited data elements that may reside within their payment system infrastructure.
- Confirm that all cardholder data storage is necessary and appropriate for the transaction type.
- Verify that their POS software version has been validated as compliant with the Visa Payment Application Best Practices. A list of PABP-compliant applications is available at www.visa.com/cisp.
Merchants are permitted to store only specific data elements from the mag stripe to support card acceptance, according to Visa. This data includes cardholder’s name, primary account number, expiration date and service code. However, merchants should store this data only if needed, and they must protect it as required by the Payment Card Industry (PCI) Data Security Standard.
Merchants can limit damage from a compromise by not storing track data, CVV2, PINs and PIN blocks. Merchants sometimes store track and other data in the mistaken belief they need it to process merchandise returns and transaction reversals. Acquirers should ensure their merchants have proper processes for each type of transaction, Visa stated.
The most-effective weapon
The findings on data breaches came from a detailed review of the card security environment, including common fraud techniques, potential areas of weakness by card-accepting merchants and emerging threats.
“The single most effective weapon in the battle against today’s data theft is education,” said Sean Heather, Executive Director of the U.S. Chamber of Commerce, which, with Visa, conducted a survey of 600 small merchants in 12 target areas.
The survey of businesses accepting credit cards for payments revealed:
- 64% accept PIN debit.
- 42% do not worry about securing customer information.
- 5% have had an incident of lost, hacked or stolen customer data.
- 29% made improvements to protect customer information, including card data, within the previous three months; 63% did so within the previous year.
- The top three improvements (14% each) included 1) securing information physically or by adding password-protection; 2) identifying account numbers by the last four digits only; and 3) shredding or eliminating storage of customer information.
An astounding 82% did not know what mag-stripe data is. More businesses (34%) spend a greater share of their resources preventing theft of products and cash than in securing customer data (20%). Some 69% handle data security in-house.