In light of well-known data compromises, including the TJX Corp breach reported earlier this year by retail-blog.com, Visa USA announced a program earlier in July designed to help the nation's small businesses improve their security.
Visa's program calls for acquiring financial institutions to strengthen their existing data security efforts to identify and address risks among their small merchant customers, including identifying whether merchants are storing sensitive account data and whether they are complying with the industry-wide Payment Card Industry Data Security Standard (PCI DSS). Visa has long required all entities, including small businesses, that store, process, or transmit Visa cardholder data to comply with PCI DSS.
More than 80 percent of all identified compromises since January 1, 2005 occurred at smaller merchants. "Data security breaches involving payment card information occur at small businesses more frequently than at all other merchant levels combined," said Michael E. Smith, Senior Vice President, Enterprise Risk and Compliance, Visa USA. "We are committed to working with our acquirers and their small business customers to get ahead of this growing vulnerability."
The challenge for many small business owners today is that they are too busy running the day-to-day operations of their companies to take the time to become security experts. Furthermore, in some instances they may not be fully aware that their systems are storing highly sensitive information that criminals seek in order to commit payment fraud. Helping them eliminate the storage of sensitive card data can greatly reduce a merchant's chances of becoming a breach victim.
According to a recent survey conducted by Visa and the National Federation of Independent Business (NFIB), most small businesses (57 percent) do not see securing customer data as something that requires formal planning, and many (39 percent) say they rely on common sense to keep data safe. Visa and NFIB have partnered to educate small businesses on data security threats and how to avoid them. As part of their efforts, Visa and NFIB have developed free educational materials and tools, available as of August 1, 2007 at www.NFIB.org, to help small businesses protect themselves from data fraud.
Visa acquirers are required to provide Visa with a summary of their small merchant compliance plans by July 31, 2007. As part of their plans, acquirers must describe how they will identify where the greatest potential security risks exist in order to manage them. Factors such as the likelihood of sensitive data retention, transaction volume, market segment, acceptance channel and number of locations can help qualify or quantify a merchant's risk level and may be used by acquirers to categorize merchants into specific risk groups.
The highest priority Visa is asking acquirers to address is to verify that small businesses are not retaining prohibited cardholder data (including magnetic stripe data, CVV2 and PIN data) after transaction authorization. "This is precisely the kind of data most sought by hackers because of its use in counterfeiting payment cards," said Smith. "Merchants who store this sensitive data are placing their businesses in the cross-hairs for today's data thieves."
In some cases, small businesses store prohibited cardholder data without knowing it because the systems they use to process card payments store it by default. To avoid that problem, Visa is strongly recommending that acquirers make merchants aware of Visa's list of payment applications that have been validated as being compliant with the Payment Application Best Practices (PABP), which can be found at www.visa.com/pabp. Acquirers should also make certain that their small business customers do not use vulnerable payment applications that have been previously identified as storing prohibited data.
Businesses should evaluate all cardholder data that they store and consider the business case for doing so. Visa has embarked on a campaign to educate merchants about cardholder data security, emphasizing the theme "don't store it if you don't need it." Smith said, "Minimizing data storage is the easiest thing a small business can do to mitigate risk."
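As an added illustration (not part of the original article or of any Visa or acquirer tool), the Python script below shows the kind of check an acquirer or merchant could run over exported payment-application logs to find the prohibited data described above: track 1 and track 2 magnetic stripe data, CVV2 and PIN blocks. The log lines and field names (`track2=`, `cvv2=`, `pinblock=`) are constructed assumptions, and the card numbers are public test numbers.

```python
import re

# Constructed sample log lines (public test card numbers, not real accounts) of the kind a
# small merchant's payment application may write, and retain, after authorization.
SAMPLE_RECORDS = [
    "10:41:03 auth ok pan=4111111111111111 exp=0912 amt=42.10",
    "10:41:03 debug track2=4111111111111111=09121011000012345678",
    "10:42:17 debug cvv2=123 pan=4012888888881881",
    "10:44:02 debug track1=%B4012888888881881^DOE/JANE^1010101000000000000?",
    "10:45:09 debug pinblock=0123456789ABCDEF pan=5105105105105100",
    "10:46:30 debug order=1234567890123=2007 status=shipped",
]

# ISO 7813 track layouts plus the CVV2 and PIN fields Visa prohibits storing after authorization.
TRACK2_RE = re.compile(r"\b(\d{13,19})=\d{4}\d{3,}")            # PAN=YYMM+service code...
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^]{2,26}\^\d{4}")      # %B PAN^NAME^YYMM...
CVV2_RE = re.compile(r"\bcv[vc]2?\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)
PIN_RE = re.compile(r"\bpin(?:block)?\s*[=:]\s*[0-9a-f]{16}\b", re.IGNORECASE)


def luhn_ok(pan: str) -> bool:
    """Mod-10 check filters digit runs that only look like a PAN (order numbers etc.)."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four only, so the findings report does not itself store PANs."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_records(records):
    """Return (line_no, category, detail) for every prohibited-data hit."""
    findings = []
    for n, line in enumerate(records, 1):
        for m in TRACK2_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((n, "track2", mask(m.group(1))))
        for m in TRACK1_RE.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((n, "track1", mask(m.group(1))))
        if CVV2_RE.search(line):
            findings.append((n, "cvv2", "security code stored"))
        if PIN_RE.search(line):
            findings.append((n, "pin", "PIN block stored"))
    return findings
```

Running `scan_records` over real exports flags the authorized-and-retained case the article warns about; any track, CVV2 or PIN hit means the application is storing prohibited data and should be checked against Visa's PABP-validated list.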
"Visa is committed to increasing data security awareness by providing a wide range of communications, including webinars, training and support," said Smith. "As we continue with these efforts, we are asking our acquiring banks to provide direct data security education and tools to their small business customers." Such a package of information and tools can be provided in a variety of ways, across both print and web-based channels, and using Visa's own comprehensive set of educational materials, he added. "While small merchants may have limited access to sophisticated security analysis and tools, even small changes can dramatically improve security for them, their customers and the payment system," said Smith.
Visa USA is a leading payments brand and the nation's largest payments system, enabling banks to provide their consumer and business customers with a wide variety of payment alternatives tailored to meet their evolving needs. In the United States, more than 521 million Visa-branded cards have been issued by more than 13,000 financial institution customers. Visa products generated $1.8 trillion in total volume in the United States during the four quarters ended March 31, 2007. Visa enjoys unsurpassed acceptance around the globe. For more information, visit www.visa.com.
