European merchants need to pay more attention to securing electronic payments, the Payment Card Industry Security Standards Council (PCI SSC) has said in a stark warning over cyber attacks.
This was one of the key messages at the recent Annual European Community Meeting in Berlin, Germany, of the PCI SSC, which administers the industry’s data security standard (PCI DSS).
“Cyber criminals have intensified the attack on US merchants as they move to the more secure Chip and PIN system based on the EMV standard already widely used in Europe,” said Jeremy King, European director of the PCI SSC.
“However, this does not mean that European merchants can relax because cyber criminals are targeting online transactions where the EMV standard still offers little protection,” he told Computer Weekly.
Europe’s Chip and PIN adoption has slashed card-present fraud, but card-not-present fraud continues unabated, particularly affecting online transactions used in e-commerce.
“Cyber criminals only need to steal a few key pieces of information to enable them to carry out this kind of fraud, and they are proving to be successful at it in Europe,” said King.
“The critical pieces of information, such as the card holder’s name and the card expiry date, are still easily available to attackers, even in an EMV message,” he said.
This means European merchants still need to pay attention to security and ensure appropriate security education and awareness training at all levels, he said, from the shop floor to the board of directors.
“Lack of understanding about the importance of strong passwords on all transactions systems, point of sale devices, routers and firewalls is still a big problem in Europe,” said King.
“Organisations also need to be sure they are changing the default passwords in the systems and equipment they are using,” he said.
Underlining this problem, an annual security survey by Trustwave has revealed that for the past three years one of the most common passwords used by organisations is “password1”.
“Using poor or default passwords is making it very easy for criminals to find a way in to payment systems by either looking them up or simply guessing them,” said King.
Organisations should educate all staff to replace weak or default passwords with stronger pass phrases that are easy to use and yet provide much greater security, he said.
The PCI SSC has called for merchants to become more security aware and understand that they are likely to be breached and therefore need a good incident response plan.
“Many organisations still lack an incident response plan, and even where they do have one set up, they are unlikely to have tested it,” said King.
The PCI SSC recommends all organisations set up an incident response plan and test it regularly to ensure that, when they are breached, the intrusion can be contained quickly and the damage minimised.
“Incident response plans, which require training and planning, are also critical to enabling organisations, and merchants in particular, to recover quickly from attacks and resume business,” said King.
The PCI SSC provides support to merchant organisations through training programmes that are aimed at all levels in an organisation to promote understanding of key areas of cyber security, he said.
In the coming months, the PCI SSC plans to work with banks in Europe and the US to find ways of improving security, particularly for small merchants that lack the resources of larger organisations.
“We are looking at ways to make security as easy as possible by building more security into the payment services they are using to reduce the burden on the merchants,” said King.
“Chip and PIN took away a lot of card-present fraud, so now we have to come up with a similar process for the e-commerce space where payment providers handle payments securely,” he said.
The PCI SSC is working with banks to draw up a list of reasonably priced, good third-party payment providers that are secure and comply with the PCI data security standards (PCI DSS).
“This approach means the merchant is no longer seeing the card data because all that is being handled by payment service providers who are experts in the field,” said King.
“Instead of trying to tackle e-commerce payments all on their own, merchants will be able to go for help to the financial institution that they bank with, and the acquiring banks will be responsible for ensuring a consistent service to all merchants,” he said.
Following consultation with acquiring banks, the PCI SSC plans to publish guidance for banks on how to provide services that reduce what merchants have to do to ensure secure online transactions.
Although the initiative is aimed at helping small merchants, organisations of all sizes will benefit from services that automatically include a high level of security for transactions.
King said the European community meeting in Berlin also featured discussions around new technologies such as mobile commerce.
“There is a lot of interest in using mobile commerce in the merchant environment to accept payments, and we have been very busy in that regard,” he said.
The PCI SSC is working closely with all stakeholders, he said, to find ways of making mobile payments as secure as possible, and is evaluating card readers and PIN pads that plug into mobile phones.
“We see a lot of challenges as well as opportunities associated with mobile commerce, which will be another hot topic for the council in the coming year,” said King.
In the meantime, he said, the PCI SSC has updated its guidance for merchants looking to accept mobile payments and its guidance on the topic for developers, both of which are available in the online documents library.