Banks find 40,000 small businesses at risk of fraud

Powered by SC Magazine

Visa, banks spearhead three-year security crackdown.

A Visa-led effort to tighten banks’ scrutiny of small businesses has identified some 40,000 businesses in Australia and New Zealand at high risk of fraud.

The findings were part of Visa’s October 2010 campaign to extend its decade-old Seven Point Security Plan to local ‘level four’ merchants, which processed fewer than 20,000 e-commerce transactions annually.

The campaign required Australian banks to audit the security of all level four businesses’ point-of-sale (PoS) terminals and websites where online transactions were processed.

It was expected to be completed in 2014. Prior to the campaign, Visa’s level four security program operated only in Canada and the US.

Visa country risk manager Ian McKindley said the task of securing level fours was almost akin to “boiling the ocean”.

“It is a journey,” he said. “All 40,000 won’t be secured overnight.”

The program required budget and time from banks, which funded the effort and coordinated the audit strategy, while remaining answerable to Visa.

Some 15 percent of those level four companies identified by the banks as being most at risk have already had their security tightened.

Yet the banks have a vested interest in the program: while the cost of online fraud in Australia was essentially unknown, it was soaring and banks almost always had to foot the bill.

“Improving the security of [level fours] protects the reputations of merchants because the last thing they want is customers pointing fingers,” McKindley said.

At risk

Level four businesses were large enough to process just shy of 20,000 transactions a year, but were often too small to adequately protect their systems.

The most at-risk cases were businesses like independent supermarket chains, clubs and restaurants that processed PoS credit card and Eftpos transactions through backroom servers in batches.

Those so-called integrated PoS systems were favourites of fraudsters because they were scarcely or never updated and patched yet had internet access and were easy to crack.

“These merchants obtained their own integrated PoS systems that were good 12 years ago, but not anymore,” McKindley said.

“They’ve gotten their uncle who’s a web developer to build the systems or bought it from a shopping cart ... but we and the cybercriminals have moved on.”

These systems were operated by household-name companies and carried thousands of credit cards, yet some were older than the Payment Card Industry Data Security Standard (PCI DSS) introduced in 2006.

This meant that old systems may not have met the PCI DSS minimum information security standards for protecting credit card data, which the card schemes Visa, MasterCard and American Express, along with the banks, enforce on businesses.

Of those businesses with integrated PoS systems, the most insecure operated wi-fi and Bluetooth networks which often were inadequately protected, if at all.

Many were found to have outdated firewalls in place for up to a decade and multiple unpatched systems.

Background checks were also rare. Hardware, software, and processes were outdated and cracking the integrated PoS systems was often done by looking up online system manuals and testing default passwords, McKindley said.

Level four businesses were required to conduct self-administered checklist-style security audits, but it was well known in security circles that this process had so far failed because many small businesses had little knowledge or resources to improve information security.

“Level fours are almost never PCI DSS compliant,” McKindley said.

While fraudsters made off with fewer credit cards by cracking payment systems operated by level four businesses rather than those of higher levels, there were many more victims.

“The bad guys might get away with a thousand or so [bank account details] but it happens a lot more,” McKindley said.

Fraudsters have so far had a field day: level fours accounted for 95 percent of the total merchants governed by the PCI DSS.

A concurrent effort by the PCI DSS card schemes would see the end of magnetic stripe bank cards, replaced with the more secure chip and PIN system.

The card schemes say the chip – a gold square on the face of bank cards – dramatically reduces the amount of information available to fraudsters and cannot be replicated.

However, magnetic stripe card data could be stolen to reproduce cards and was the number one method of defrauding US level four merchants.

All terminals that process Visa payments will be chip-enabled by April next year. All Visa cards will be chipped and customers provided with a PIN, which will see signatures abolished 12 months later.

Copyright © SC Magazine, Australia
