Page 50 - GS140501
Education




Lower your data breach risk, a mathematical approach

By Jake Young
SecurityMetrics

At the risk of sounding like a broken record, I won't write in detail about recent high-risk breaches. But I will say this: reducing merchant risk is key to avoiding compromise. I know what you're thinking. "Everyone knows that!" Just stay with me.

Merchants pose a security risk for a variety of reasons. The nature of specific industries makes some merchants more attractive to criminals. For example, hospitality merchants have a higher security risk not only because hotel-goers bring a daily influx of new credit cards, but also because many hotels are franchised in a network with identical security flaws. If a hacker can breach one, he or she can often breach them all. Easy money.

In addition, all merchants are in different stages of Payment Card Industry (PCI) Data Security Standard (DSS) compliance and security. Hackers probe small businesses to find their security flaws. They're looking for easy paths to compromise, and are often dissuaded by simple security roadblocks. They know easier targets exist. Merchants may be deemed the next target if cybercriminals find vulnerabilities that simple tools could have easily eliminated.

Many ISOs come to me looking for the magic solution to ensure the permanent elimination of breaches from their portfolios. While I can't provide any sort of breach-reducing spell, what I can do is lay out the types of merchants that pose the highest risk.

First, we have to dive deep into your merchant base and learn more about what creates portfolio risk.

Merchant type considerations

In its latest PANscan security study, SecurityMetrics found that financial, hospitality and retail merchants store the most unencrypted payment card information. (Which is 100 percent against the PCI DSS, by the way.) This data coincides closely with other security reports that state the specific industries hackers are most likely to target.

Your portfolio risk could be very high or low simply because of the merchant types you acquire. Technically speaking, if your portfolio includes a majority of health care and food service merchants, it could result in more breach incidents, as opposed to a portfolio consisting mostly of merchants in the agriculture and real estate industries.

A merchant's transaction volume may also have a big impact on your risk level. High-profile breaches are in the news at least once a quarter. What I don't see in the news are the dozens of small breaches happening every single week. Though it seems a bit backward, hackers regularly go after the smaller merchants.

Let me explain. Although bigger merchants have more booty to steal, their systems tend to be very well protected and take more legwork for attackers. Large merchants have the money to hire information technology staff and chief security officers. They have the time to spend learning how to correctly set up a firewall and patch operating system holes. The smaller merchants, on the other hand, are easy targets. According to the National Cyber Security Alliance, one in five small businesses falls victim to cybercrime each year.

The availability of online hacking tools has swelled the ranks of effective hackers. Now, an amateur with a grade-school computer education can hack a poorly defended business in minutes after downloading a free hacking template.

Brick-and-mortar considerations

How much do you think your merchants know about security? From my experience, it's less than you might think. Offering merchant security awareness training is one of the most inexpensive and effective ways to lower the possibility of data breach.

According to the PWC Global State of Information Security Survey 2014, 22 percent of respondents indicated they do not have an employee security awareness training program in place, but designated it a top priority for the coming year.

People make smarter decisions when they're presented with better data. It's the same in security. Taking the time to educate your merchants, or asking your PCI vendor to help, could mean the difference between a simple security error and a secure processing environment.

Now for some technological considerations.

Although Europay/MasterCard/Visa (EMV) is the upcoming deadline on acquirers' plates, the trend I see dramatically reducing data breaches in the long run is point-to-point encryption (P2PE).

P2PE is the most secure and liability-reducing payment technology available to businesses today. Not only does it securely process cards with encryption above industry