5 Things the Payments Industry Should Watch For in 2015 · 5 Things the Payments Industry Should...



Introduction

2015 looks to be a big year for the payments industry. Not only will there be new technology, opportunities, and compliance mandates, but inevitably there will also be the emergence of threats that will shape the industry going forward. Read on as we discuss five changes the payments industry should watch for this year, and detail ways your organization can ensure a secure and successful 2015.

More of a video person? Check out the full-length webinar for additional insights and info.

Five Big Payment Changes in 2015

New compliance mandates, enforcement, technology, and threats


#1 PCI DSS 3.0

January 1, 2015 marked the official kickoff of PCI DSS 3.0. According to Bob Russo, general manager of the PCI Security Standards Council, the new standard is “about making PCI compliance part of your business, not a once-a-year, study-for-the-test kind of thing.”

In the past, many merchants have struggled with the practicality of the PCI standard—not understanding how to implement certain requirements, or even why some requirements are important. PCI 3.0 is designed to ease these struggles and improve on the previous standard by:

• Providing additional guidance and real-world examples

• Removing interpretation through more defined and specific requirements

• Evolving requirements to address new technology, payment trends, and threats

Let’s take a quick look at the evolution of the PCI Self-Assessment Questionnaires, or SAQs. Initially there were four SAQs: A for card-not-present (CNP) merchants, B for knucklebuster and telephone-based transactions, C for internet processing, and D for merchants storing card data, which also served as a catch-all for everyone who didn’t quite fit the other SAQs.

As the standard matured, SAQs were added to address new technology and common processing methods—first a SAQ C-VT for virtual terminal merchants, and more recently a SAQ for merchants processing with point-to-point encryption technology (P2PE).

Interested in PCI DSS 3.0?

Check out our recent blog post, The Ultimate Guide to PCI DSS 3.0, which contains links to recorded webinars, FAQs, and other great 3.0 resources.


PCI 3.0 offers the most sweeping changes to the security standard to date and introduces three new questionnaires: SAQ A-EP for ecommerce processing, SAQ B-IP for IP-connected terminals, and SAQ D-SP, a version of D specific to service providers.

PCI DSS 2.0 vs 3.0

SAQ        Questions (2.0)   Questions (3.0)   External Scan   Internal Scan   Pen Test
SAQ A      13                14
SAQ A-EP   n/a               139               Yes             Yes             Yes
SAQ B      29                41
SAQ B-IP   n/a               83                Yes
SAQ C      80                139               Yes             Yes             Yes*
SAQ C-VT   51                73
SAQ D      286               326               Yes             Yes             Yes
SAQ D-SP   n/a               347               Yes             Yes             Yes
SAQ P2PE   18                35

There are two PCI DSS 3.0 deadlines in 2015. The first was January 1, when the new standard officially went into effect. Keep in mind that while merchants must be in compliance with PCI 3.0 after this date, validation to the new standard is not required until their compliance expiration date. In other words, if a merchant validated compliance to PCI 2.0 in March 2014, they would not be required to validate compliance with 3.0 until March 2015.

The second deadline is July 1, 2015, when a handful of additional standards go into effect, most notably requirements relating to service provider documentation and penetration testing methodology.

PCI DSS 3.0 may provide a dramatic change in compliance validation for some merchants. By taking time to familiarize yourself with the new standard today, you can better prepare your organization for any potential impact PCI DSS 3.0 may present in 2015.

*New requirement for PCI DSS 3.0


#2 Visa’s Enhanced PCI DSS Enforcement Plan

In October of 2014, Visa announced a new PCI DSS enforcement plan designed to encourage Visa clients to push their noncompliant and overdue service providers, level 1, and level 2 merchants to obtain PCI validation.

Starting January 1, 2015, entities that have not validated PCI DSS compliance are required to create a detailed compliance remediation plan, which must be accepted by both the client and Visa. If a remediation plan is not provided, or the plan is not accepted by all parties, Visa will begin to issue noncompliance assessments. The following table details the schedule of noncompliance assessments:

Consequences of Overdue Compliance

With Visa’s new enforcement plan, escalating penalties are not only levied against the noncompliant entity, but also against organizations upstream in the card processing flow. For level 1 & 2 merchants, these assessments are applied to the acquirer that processes the most transactions for the merchant.

As you can see, this is a fairly aggressive move by Visa to ensure the PCI message is supported by all parties involved in the payment process.

Days Overdue: 1-60

•  Entity’s listing on Visa Global Registry of Service Providers turns yellow*
•  Clients must notify merchants & agents of status
•  Must obtain validation documentation or a remediation plan

Days Overdue: 61-90

•  Entity’s listing on Visa Global Registry of Service Providers turns red*

Days Overdue: 91-180

•  Entity is removed from Visa Global Registry of Service Providers*
•  Entity must submit & gain approval of remediation plan from Visa client(s), which then must be submitted to Visa
•  If remediation plan is not accepted by client(s), Visa will assess monthly noncompliance assessments to each of entity’s clients

Days Overdue: 181-270

•  If remediation plan is not submitted & accepted by Visa client, Visa may escalate noncompliance assessments to entity’s Visa sponsors

Days Overdue: 271+

•  Visa continues to assess noncompliance penalties to entity’s Visa sponsor
•  Risk reduction requirements, disconnect from VisaNet, disqualification

*N/A for merchants


This next table summarizes the noncompliance assessments, as outlined in the Visa Account Information Security Program. With penalties potentially doubling with each violation, noncompliant merchants and service providers may prove to be an incredibly costly burden to Visa clients and sponsors.

Visa Noncompliance Assessments

But as noted by the ‘Consequences of Overdue Compliance’ table, Visa does not limit its penalties strictly to fines. Clients whose merchants and service providers have not achieved PCI compliance may also be prohibited from card issuance, signing merchants, and more.

If you didn’t think Visa was serious about PCI compliance in the past, this should prove they mean business in 2015.

Violation                        Penalty (USD)
First violation                  Up to $50,000
Second violation                 Up to $100,000
Third or subsequent violations   Up to $200,000


#3 EMV

In recent years, Europay, MasterCard, and Visa technology (EMV) has proven to be a successful way of reducing fraud. Since the European EMV migration nearly a decade ago, POS fraud losses in the United Kingdom have reportedly dropped by 63%.

But despite its documented ability to reduce payment card fraud, the cost to develop infrastructure, and general lack of consumer demand have delayed EMV’s introduction in the U.S. market for many years. However, thanks in part to recent highly-publicized breaches, increasing consumer awareness of fraud, and ballooning costs associated with data compromise, we are about to witness the dawn of EMV in the U.S.

Forecasts project that 70% of credit cards and over 40% of debit cards in the U.S. will be EMV-protected by the end of 2015.


By the end of 2015, it’s projected that almost 575 million EMV cards will be in circulation, with nearly 50% of terminals equipped to process these cards domestically. As you can see, EMV is truly shaping the payments industry for 2015 and beyond.

Perhaps the single biggest driver of the EMV movement is the Visa Global Counterfeit Liability Shift, which is set to take effect in the U.S. in October 2015. According to Visa, this program is “designed to encourage EMV chip card issuance and acceptance in participating geographical regions, effectively creating a more secure environment for transactions within and between each participating Visa region.”

Essentially, what this means is that starting on October 1, 2015, liability for any counterfeit card transactions resulting from a breach will fall on the party that does not support EMV. For example, a breached merchant that chose not to upgrade terminals to support EMV payments would be liable for any resulting counterfeit charges. However, if the merchant were unable to accept EMV payments because their processor did not support EMV transactions, the processor would be liable for the counterfeit fraud. (The liability shift will not go into effect for fuel pumps until October 1, 2017.)

Supported by payment industry mandates and government encouragement, we can expect EMV to explode domestically in 2015—but it won’t be without a few bumps along the way. Terminal upgrades, employee training, and endless customer education (“Where do I put my card?”) are all prerequisites for EMV success in the U.S. However, establishing EMV as commonplace in domestic commerce is well worth the hassle, and will ultimately provide benefits for all parties involved in the payment process.

#4 Apple Pay

Apple made a lot of noise in 2014 when it announced Apple Pay, and it looks like we will hear much more about the mobile payment platform in 2015.

Like its predecessor Google Wallet, Apple Pay utilizes Near Field Communication (NFC) technology to process mobile payments. However, Apple looks to thrive where other NFC services have failed by leveraging a broad acceptance infrastructure and well-established, fiercely loyal user base.

Apple Pay may also benefit from the impending EMV shift in the U.S. As merchants upgrade terminals to support EMV payments, many will also gain the ability to process NFC transactions through dual-interface (chip and contactless) terminals. Piggybacking on the EMV movement allows merchants to avoid prohibitive upgrade costs that have deterred NFC acceptance growth in the past.

But it’s not all rainbows and sunshine for Apple Pay in 2015. Currently, only 5% of U.S. locations are set up to accept Apple Pay. According to a recent survey conducted by NewTek Business Services, 82% of merchants are not set up to accept NFC payments, and 93% do not have plans to upgrade terminals to accept these transactions (although many merchants will gain the ability to process NFC transactions when upgrading to EMV-capable terminals).


Perhaps the biggest threat to Apple Pay’s success is the Merchant Customer Exchange (MCX), a merchant network comprised of over 50 organizations like Walmart, Shell, Best Buy, and more. Together, these organizations are working to create a new mobile commerce network based on QR codes instead of NFC, which will be used by consumers through the CurrentC app. MCX is in firm competition with Apple Pay, and NFC payments will not be accepted at companies within the MCX family.

From a security perspective, Apple Pay appears to be a relatively low-risk form of payment. Apple pairs NFC technology with tokenization, secure-chip processing, and biometric security controls to protect sensitive payment data. In fact, the card brands are so confident in Apple Pay’s security, that they classify these as “card present” transactions, which allow for a lower interchange fee.

However, keep in mind that no payments or devices are 100% secure. Apple’s Touch ID has already proven to be hackable, although this specific attack is not scalable enough to truly affect a sizeable number of consumers.


#5 POS Malware

Cases of POS malware have grown exponentially for several years now, and with reports of over 1,000 merchants affected last year alone, it’s safe to assume that 2015 will be no different.

POS malware is a class of programs designed to steal track data and payment account information from business computer systems. Once hackers successfully retrieve key data, it is sold through various black market websites.

Why the rapid growth in POS malware? Well, there are a few main reasons:

1. DIY Hacking: Thanks to the Internet, you no longer need to be a computer genius to be a hacker. Pre-made tools, such as data scrapers commonly used in POS attacks, are not only readily available online, but are often inexpensive or free. Numerous websites and forums exist that allow hackers to share and teach their malicious exploits. You can even just search YouTube.

2. Malware Evolves: Like a virus that mutates to stay one step ahead of vaccines, hackers create new malware by combining components from existing strains. This Darwinistic approach allows hackers to continuously evolve malware through new variants and keep it one step ahead of antivirus and other detection controls.

3. It Works: Perhaps the biggest reason we have seen a dramatic rise in breaches associated with POS malware is that malware is a very effective way to steal sensitive cardholder data. New strains of malware are notoriously difficult to detect and often live on merchant systems for months before discovery. During this time, the hacker can just sit back, relax, and watch the data come rollin’ in.

How does this malware get on merchant systems in the first place? Right now, insecure remote access is public enemy #1.

Remote Access Exploitation

Remote Desktop, LogMeIn, GoToMyPC, and other remote access programs are incredibly convenient for people that want to take work with them. Unfortunately, remote access can also be an incredibly convenient tool for hackers, too.

Let’s take a quick look at a common way hackers attack systems with unsecured remote access.

STEP 1: Using a scanning program (many of which can be downloaded for free), the hacker scans the Internet for IP addresses with open remote access ports. These ports, which must remain open to facilitate remote access, can be easily identified using a basic port scan.

STEP 2: Now that the hacker has identified IPs with an open remote access port, they attempt to gain access to the computer using a brute force tool. These tools are designed to automatically test usernames against thousands of password combinations. Hackers will typically start with default usernames, such as ‘Admin’, ‘Administrator’, and ‘Guest’. Lists of known passwords are easily downloaded from the Internet.

STEP 3: Once the brute force tool has completed its test, it creates a list of all successful logins, listing the IP address and corresponding username and password. At this point the hacker has direct access into the computer system. Even worse, because the hacker can log-in with authentic user credentials, it’s unlikely that your security controls will raise any red flags.

This is a very simple attack to perform with a few tools from the Internet. However, there are ways to prevent this attack with basic security controls and processes. Implement two-factor authentication, change default usernames, establish strong password practices, enable user lockouts, and limit remote access to only critical job functions. All of these are taken care of through PCI compliance. Moral of the story—get compliant and stay there.
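One way a defender can spot the pattern described in the three steps above, as an added example that is not part of this ebook: a small Python detector that reads constructed remote-access authentication log lines (the log format, IP addresses and usernames are all assumptions) and flags a burst of failed logins from one source, whether default usernames were tried, and whether a successful login from that source followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the ebook): timestamp, result, username, source IP.
SAMPLE_LOG = """\
2015-01-12T02:14:01 FAIL user=Administrator src=198.51.100.23
2015-01-12T02:14:02 FAIL user=Administrator src=198.51.100.23
2015-01-12T02:14:03 FAIL user=Admin src=198.51.100.23
2015-01-12T02:14:04 FAIL user=Admin src=198.51.100.23
2015-01-12T02:14:05 FAIL user=Guest src=198.51.100.23
2015-01-12T02:14:06 FAIL user=Administrator src=198.51.100.23
2015-01-12T02:14:09 OK   user=Administrator src=198.51.100.23
2015-01-12T09:30:11 FAIL user=jsmith src=192.0.2.10
2015-01-12T09:30:40 OK   user=jsmith src=192.0.2.10
"""

# Default account names the ebook says brute-force tools try first.
DEFAULT_USERNAMES = {"admin", "administrator", "guest"}
LINE_RE = re.compile(r"^(\S+)\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")


def parse(log_text):
    """Parse the assumed log format into (timestamp, result, user, src) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on any source IP with `threshold` or more failures inside `window`.

    Each alert records whether default usernames were tried and whether a
    successful login from the same source followed the burst (the case in
    STEP 3 where the attacker logs in with authentic credentials)."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        for i in range(len(fails)):  # sliding window over failure timestamps
            j = i + threshold - 1
            if j < len(fails) and fails[j][0] - fails[i][0] <= window:
                burst_end = fails[j][0]
                later_ok = any(e[1] == "OK" and e[0] >= burst_end for e in evs)
                alerts.append({
                    "src": src,
                    "failures": len(fails),
                    "users": sorted({e[2] for e in fails}),
                    "default_username": any(e[2].lower() in DEFAULT_USERNAMES for e in fails),
                    "followed_by_success": later_ok,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(parse(SAMPLE_LOG)):
        print(alert)
```

A lockout policy or two-factor authentication, as the text recommends, would stop the burst from ending in an OK line at all; this check is for catching the cases where those controls are missing.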


Summary

With a little education, preparation, and strategic planning, you can make 2015 a successful year for your organization. We can help you protect that success. For over 15 years, SecurityMetrics has helped businesses of all shapes and sizes secure sensitive data, comply with industry mandates, and protect consumer trust. Make data security a belated New Year’s resolution and call SecurityMetrics today for a free consultation.

About SecurityMetrics

SecurityMetrics has tested over one million payment systems for data security and compliance mandates. Our solutions combine innovative technology that streamlines validation with the personal support you need to fully understand compliance requirements. You focus on the business stuff—we’ve got compliance covered.

For more information please contact:

Enterprise [email protected] | 801.705.5656 | www.securitymetrics.com

© 2015 SecurityMetrics