Cybersecurity Insights | Blog | Foregenix

The Visa EU Acquirer Mandate - What it means to SME Business

Written by Foregenix | 3/23/16 1:24 PM


As a PCI Forensic Investigator (PFI) we have experienced an exponential increase in the number of e-commerce merchants who are succumbing to account data compromises.  This new mandate could have serious implications for those businesses and their acquiring banks.

Putting aside common traits including the vulnerabilities that are being exploited, the universal common denominator is that virtually every eCommerce victim was unaware of the fact that they had been hacked and bleeding card data - and often their customer’s Personally Identifiable Information (PII) - for many months.  Long before it was brought to their attention by a third party.

In most instances, a consumer questioning suspicious or fraudulent activity on a given card would have triggered a notification. The issuing bank will then have been contacted by the consumer and via a circuitous route involving card brands and acquiring banks, the offending merchant will have been notified that they are a suspected ‘common point of purchase’ linked to a number of cards used fraudulently and subsqnently required to undergo a forensic investigation to establish how much was lost, how, when and who did it.

Without a doubt, acquiring bank sponsored PCI programs (such as WorldPay’s SaferPayments, Barclaycard’s Data Security Manager, Global Payments’ Global Fortress) have done a tremendous job of highlighting the need for SME merchants to adhere to the PCI DSS. Until now the emphasis has been very much on self-assessed compliance, however this is forecast to change as a result of a VISA EU Mandate due to come into effect on May 1st 2016.  

In a recent briefing, Neira Jones outlined how the industry is likely to see a marked shift towards tangible risk reduction, with PCI DSS compliance becoming a by-product rather than the end game.  One of the key drivers will be incentives to encourage acquiring banks to ‘self-notify’ of suspected breaches. The underlying objective is to stay ahead of the game and spot issues before they become a problem.

Coupled with a significant increase in penalties and liabilities for cardholder data breaches, acquiring banks are challenged with understanding and actively managing risk across their portfolios. In turn, that will increase the stakes and focus on the SME businesses to ensure that they are managing their data and card acceptance channels securely.

The Current Situation

The reality is that while awareness via the acquiring bank PCI programs is increasing across the merchant portfolios, most SME businesses do not have the skills or resources to effectively protect their business data assets. They also often outsource to 3rd parties who they assume are “taking care of it all”. In reality, most of the 3rd parties are marginally better prepared to defend their clients – as often seen in the PCI Forensic Investigations carried out by our team.

Meanwhile, the evidence from our forensic team shows a level of sophistication and skill in attackers that would mostly only be found in highly skilled IT security specialists. 

Simply put, we have victim businesses that may be specialists in their field – retail, online, hospitality etc – having to use their limited, part-time skills to defend their businesses against a highly skilled predator. It is a clear skills mismatch and almost always results in the victim being hacked and losing their customer data.

The result being significantly increased penalties and possible closure for many small businesses (and potentially their 3rd party suppliers).

What is likely to happen?

Acquiring banks have no interest in seeing their clients getting hacked – they want to have a successful, growing client base. So, how do they manage their risk with the new Visa Europe Mandate in mind?

Card Present Payments

We firmly expect to see a strong focus on the rollout of PCI Point-to-Point-Encryption solutions to card present merchants. This will mitigate the vast majority of risk for these merchants – in fact the overall benefits are:

  • The merchant will be able to focus on their business, knowing that they have a secure payment partner managing their transactions.
  • PCI DSS Compliance is simplified drastically.
  • PCI DSS becomes a LOT less costly.

MOTO Payments

In the MOTO space, the message is the same – don’t handle the data, or use technology that can effectively protect the business. Organisations that specialise in this area such as Eckoh, Datadivider, Semaphone and others have innovative, specialist solutions that help call centres to reduce or eliminate their PCI DSS risk. 

eCommerce Payments

The eCommerce market has been under sustained attack for the last few years and the mantra from the PCI Security Standards Council, card schemes and acquiring banks has been to use hosted payment pages and secure iframes – outsource the payments to secure 3rd parties. It’s a similar message to the MOTO and Card Present payment acceptance channels.

However, experience through our forensic team tells us that this is not enough. Multiple cases in the last 6 months have shown a rapid increase in Malicious Client Side Javascript and iFrame Interception Malware, showing that outsourcing the payment acceptance to a 3rd party does not guarantee anything – particularly if the SME business’ website is insecure.

The challenge in the eCommerce world is that the supply chain supporting an Acquiring Bank’s eCommerce portfolio is diverse and largely unknown. Often the merchant will outsource web development to a web developer who is highly capable of building a beautiful, online sales masterpiece, yet will know very little about security of the website or the platform/technology on which the website is built (Magento, Drupal, .Net etc). Often times, the web developers who we partner with, or come into contact via forensic investigations tell us that they are aware that security is a challenge, but often find themselves limited by time and resources to properly manage their portfolio of clients - so security tends to slip down the list of priorities.

No doubt this is a challenge most web developers are facing. Yet this is the (currently) most vulnerable sector with the payment card industry – and this is where the acquiring banks are most exposed with the new Visa Europe Mandate starting on May 1st, 2016.

What can be done to help these developers manage the security of their clients better to reduce the risk of data compromise?

Foregenix has developed FGX-Web expressly to address this challenge and we have a partner program for:

  • Acquiring banks and payment service providers – to help them provide base-level security monitoring and protection to their portfolio of merchants by “baking in” our technology and relying on our team’s expertise. Through our technology we are able to enable acquirers to raise the level of security across their ecommerce portfolio quickly, simply and cost effectively, thereby reducing the risk of data compromise penalties from the card schemes.
  • Web Developers – we provide the technology and support that will enable you to “bake security in” to your new and existing client websites very easily and simply. Our support team will help you to understand and manage the threats to your client websites before they become a victim. We will also help you to turn security from a cost centre into a profit centre via our partner program. 

With FGX-Web, ‘baking-in’ core cyber security protection, monitoring and reporting technology into new and existing e-commerce websites is simple, available and will provide practical cyber risk reduction right now.

In summary

The stakes are rising – the risk of not taking effective steps to protect client data is increasing. There are plenty of great solutions out there available to help SME businesses to reduce their risk and PCI DSS overheads – it is now going to be in the acquiring banks’ best interest to ensure that their merchants are taking real steps towards protecting their client data – and that when they tick the boxes on the Self Assessment Questionaire, that the risk has in fact been managed. 

For more information on FGX-Web, please get in touch using the form below or visit the website