40,000 small businesses at risk of fraud

Powered by SC Magazine

Visa, banks spearhead three-year security crackdown.

Some 40,000 small and medium-sized businesses across Australia and New Zealand are considered the highest risk victims of fraud, according to Visa.

The businesses were large enough to process just shy of 20,000 eCommerce transactions each year but too small to adequately protect their systems.

The most at-risk cases were businesses like small eCommerce merchants, independent supermarket chains, clubs and restaurants that processed Point of Sale (PoS) credit card and Eftpos transactions through backroom servers in batches.

Those so-called integrated PoS systems were favourites of fraudsters because they were scarcely or never updated and patched yet had internet access and were easy to crack.

“These merchants obtained their own integrated PoS systems that were satisfactory 12 years ago, but not anymore,” Visa country risk manager Ian McKindley told SC. “They had their uncle who’s a web developer to build the systems or bought it from a shopping cart ... but we and the cybercriminals have moved on.”

These systems were operated by household-name companies and carried thousands of credit cards, yet some were older than the Payment Card Industry Data Security Standard (PCI DSS) introduced in 2006.

This meant that old systems may not have met the PCI DSS minimum information security standards for protecting credit card data, which the card schemes (Visa, MasterCard and American Express) and banks enforce on businesses.

Of those higher risk businesses with integrated PoS systems, the most insecure operated older wi-fi and Bluetooth networks, which were often inadequately protected, if at all.

Many were found to have outdated firewalls in place for up to a decade and multiple unpatched systems.

Background checks were also rare. Hardware, software, and processes were outdated and cracking the integrated PoS systems was often done by looking up online system manuals and testing default passwords, McKindley said.

The grim findings were reported in biannual progress reports issued from banks to Visa on the state of security in these 'level four' businesses, so-called because of their position on the PCI DSS sliding compliance scale.

That scale rated level one organisations as those processing more than six million online transactions and subjected them to the most stringent security measures.

Level four businesses were required to conduct self-administered checklist-style security audits, but it was well known in security circles that this process had so far failed because many small businesses had little knowledge or resources to improve information security.

“Ninety per cent of level four card present merchants have been provided with equipment which meets all card scheme and PCI DSS requirements. However, the remaining group are unlikely to be PCI DSS compliant,” McKindley said.

While fraudsters made off with fewer card account details by cracking payment systems operated by level four businesses rather than those of higher levels, there were many more victims.

“The bad guys might get away with a thousand or so [card details] but it happens a lot more,” McKindley said.

Harden up

In October last year, Visa pushed its 2009 Seven Point Security Plan into the level four business domain.

It would require Australian banks to audit the security of all level four businesses including PoS terminals and websites where online transactions were processed.

The campaign, targeting “high risk” merchants, was expected to be completed by the end of 2013.

McKindley said the task of securing all level four merchants globally was almost akin to “boiling the ocean”.

While PCI DSS efforts to make level three businesses compliant had made “good progress” during 2008 and 2009, McKindley said the level four program had run only in Canada and the US prior to the launch of the Seven Point Security Plan. “It is a journey,” he said. “All 40,000 won’t be secured overnight.”

The program requires budget and time from banks. They must fund the effort and coordinate the audit strategy, while remaining answerable to Visa. Some 15 percent of those level four companies identified by the banks as being most at risk have already had their security tightened.

Yet the banks have a vested interest in the program: while the cost of online fraud in Australia was essentially unknown, it was soaring and banks almost always had to foot the bill.

“Improving the security of [level fours] protects the reputations of merchants because the last thing they want is customers pointing fingers,” McKindley said.

A concurrent effort by PCI DSS card holders would see the end of magnetic stripe bank cards, replaced with the more secure chip and PIN system.

Card schemes say the chip – a gold square on the face of bank cards – dramatically reduces the amount of information available to fraudsters and cannot be replicated.

However, magnetic stripe card data could be stolen to reproduce cards, and this was the number one method of defrauding US level four merchants.

All terminals that process Visa payments will be chip-enabled by April next year. All Visa cards will be chipped and customers provided with a PIN, with signatures abolished 12 months later.

Copyright © SC Magazine, Australia
