That statistic shouldn’t be surprising.  After all, data breaches typically result in financial liability for fraud and chargebacks, related fines, costs for security forensics and remediation, legal expenses and government and regulatory scrutiny.  Worst of all may be the embarrassing media headlines which may damage customer trust.

The most valuable item stolen in a data breach, however, is customer trust. The impact is swift, persistent and hard to overcome.  A survey released by Javelin Strategy and Research last year found that only 20 percent of consumers surveyed would likely continue doing business with a company if they learned it had a data breach that may have compromised their card account information.

Security, therefore, must be thought of not as a cost that we have to pay, but rather as a smart, strategic investment that can return significant bottom-line growth.  By making compliance with the Payment Card Industry Data Security Standard (PCI DSS) a 24/7 commitment, you can help avoid having to explain a data breach to your boss – or more importantly to your customers. 

To compliment compliance with PCI DSS, Visa recently announced a series of requirements for U.S. merchants to use payment system software that does not store sensitive card information.  Visa research confirms that vulnerable payment applications have been the leading cause of compromise incidents, particularly within the hospitality industry. 

Criminals have been systematically targeting certain versions of software because of their known security gaps.  For example, some versions of software in use today are known to store the full contents of the magnetic stripe, PIN data or security codes contrary to Visa rules and the PCI Data Security Standard.  These payment card elements are sought by criminals for their potential use in creating counterfeit cards.  In most cases, data storage can be eliminated by using an updated version of a business’ existing payment software.

Under the Visa mandates, U.S. acquirers (banks that service merchants) may not sign on new merchants using known vulnerable payment applications.  A list of vulnerable payment applications is updated quarterly and made available to merchants and agents through their respective acquirers.

Here are some additional important milestones for the phased-in mandates:

• Effective October 1, 2008, acquirers can only sign new Level 3 and Level 4 merchants that are PCI DSS compliant or utilize applications that are compliant with the Payment Application Data Security Standard (PA-DSS).  PA-DSS does not apply to applications developed for in-house use only or to stand-alone terminals.
• VisaNet processors and agents are required to decertify all known vulnerable payment applications by October 1, 2009, including those published on Visa’s list of vulnerable payment applications.  As future vulnerable payment applications are identified, VisaNet processors and agents must decertify these applications within 12 months of identification. 
• Finally, by July 1, 2010, acquirers must ensure their merchants and agents only use applications that comply with the PA-DSS. 

A list of applications that have been validated as being PA-DSS compliant is available at www.visa.com/pabp.

An encouraging sign within the hospitality industry is that a majority of those surveyed indicated that they are already working to implement solutions that do not store sensitive data within their payment systems.

While progress is being made, it’s important to be aware that we are in an arms race with today’s relentless data thieves.  As attacks upon data at rest have become more difficult, computer hackers have increasingly shifted their attacks to intercept cardholder data in motion during transaction authorization through the use of packet sniffers.  Packet sniffers are computer software or hardware used to capture and interpret a stream or block of data (referred to as a packet) traveling over a computer network. Recent investigations have found evidence of packet sniffers installed on critical systems in order to steal payment card track data as it is transmitted over the network during transaction authorization.

Packet sniffers are a form of malicious software or malware. Once network intruders gain entry into a merchant’s system, the packet sniffer programs are installed and can be difficult to detect. 

The threat of packet sniffing underscores the urgency of remaining compliant with all PCI DSS requirements. 

Recommended Mitigation Strategy for Packet Sniffing
The following best practices should be utilized to mitigate the risk of exposure to critical systems, such as point-of-sale (POS) systems, payment processing servers, database servers or other servers where cardholder data resides:

• Utilize host-based Intrusion Detection Systems (IDS)
• Monitor firewalls for suspicious traffic, particularly outbound traffic to unknown addresses
• Implement file integrity monitoring
• Secure workstations so packet sniffers or other malware cannot be installed
• Utilize encrypted protocols or encryption to protect sensitive data
• Use packet sniffers legitimately to detect network intrusion attempts or suspicious activity on a network
• Ensure anti-virus and anti-spyware software are up to date
• Routinely examine systems and networks for newly added hardware devices

For more information and mitigation strategies regarding data security vulnerabilities, please visit www.visa.com/cisp to download an alert entitled, “Packet Sniffing Vulnerabilities”.

Protecting payment card data may require a significant devotion of time and resources.  In the final analysis, it is a necessary investment to avoid the far costlier alternative of a data compromise.

Michael E. Smith is the head of payment system risk for Visa Inc. and a regular contributor to Hospitality Upgrade.