The quarterly report belies two popular perceptions: that using credit cards online is riskier than using them at a physical store, and that large merchants' huge wealth of data makes them the primary targets for credit card fraud. Rather, it points a finger at traditional small merchants, such as storefronts and fast food outlets.
"What we've seen consistently over the past three years is that smaller merchants make up the majority that are compromised," Robert J. McCullen, chairman and CEO of Trustwave, told SCMagazineUS.com on Wednesday. "It's much easier to hack a brick-and-mortar company than an ecommerce retailer because the large ecommerce companies typically are more sophisticated and have better tools and more software in place."
In fact, 92 percent of the 350 payment card compromises in 14 countries that the company tracked in its report, which covers January 2006 to December 2007, occurred at Level 4 merchants, he pointed out. Level 4 merchants are those that process fewer than 20,000 ecommerce transactions a year, or fewer than one million transactions a year overall, regardless of the channel (online, phone or storefront) in which the transactions are processed.
“Small merchants often lack a firewall or intrusion protection, and don't have anti-virus or other anti-malware software," McCullen said. "If you go down the street, most of the merchants you see really haven't thought of adding that kind of security."
The small brick-and-mortar retailers traditionally have used dial-up point-of-sale (POS) terminals, which don't require firewall protection, he explained. "But more and more, they're IT-enabled with a DSL line, which gives hackers much easier access to their POS systems as well as the systems to which they're connected."
This connectivity can cause additional fraud-related problems for both small and larger organizations, he added. Vulnerable systems at small retailers can give an attacker access to the back-end systems of the company that processes their credit cards. And vulnerable systems at a franchise location can deliver access to systems within the private network of a parent company, McCullen said.
With more than half of the compromises that Trustwave investigated occurring in the food service industry, this segment is particularly vulnerable to attacks, McCullen added. Merchants in this niche, as well as smaller retail outlets, will also be challenged to meet new PCI DSS mandates that go into effect in October 2008, he said.
The new Payment Application Data Security Standard (PA-DSS), released April 15 by the PCI Security Standards Council, is intended to help ensure the security of payment applications such as POS software. The PA-DSS, which is based primarily on Visa's Payment Application Best Practices (PABP) program and is supported by the five major payment card brands, sets security requirements for payment applications and requires that they not retain sensitive authentication data after authorization, such as full magnetic-stripe contents and personal identification numbers (PINs).
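The PA-DSS requirement above is something a merchant or an investigator can actually verify on a POS system: search the application's files and logs for full card numbers and magnetic-stripe track data that should not be there. The script below is an added example written for this page; it is not code from Trustwave, the PCI Security Standards Council, or the report. The file names, log lines, and card numbers are constructed (4111111111111111 and 5500000000000004 are well-known test PANs), and the scanner looks only for Track 2 data and Luhn-valid 13 to 19 digit numbers, which is enough to show the technique but narrower than a production cardholder-data discovery tool.

```python
"""Scan POS application files for stored PANs and Track 2 data.

Added example for this article (not Trustwave's or the PCI SSC's code).
The sample files below are constructed to illustrate the check.
"""
import re

# Track 2 as read from the magnetic stripe: optional ';' start sentinel,
# PAN, '=' separator, expiry YYMM, 3-digit service code, discretionary
# data, optional '?' end sentinel.
TRACK2_RE = re.compile(r";?(\d{13,19})=(\d{4})(\d{3})[0-9]*\??")

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<![0-9])(?:\d[ -]?){12,18}\d(?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check.

    Used to drop false positives such as order numbers and timestamps.
    """
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the first six and last four digits when reporting."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str) -> list:
    """Return (kind, masked_pan) findings for one file's contents."""
    findings = []
    for m in TRACK2_RE.finditer(text):
        pan = m.group(1)
        if luhn_valid(pan):
            findings.append(("track2", mask_pan(pan)))
    # Blank out track data so its PAN is not reported a second time.
    remaining = TRACK2_RE.sub(" ", text)
    for m in PAN_RE.finditer(remaining):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            findings.append(("pan", mask_pan(digits)))
    return findings


def scan_files(files: dict) -> dict:
    """Map each file path to its findings; files with none are omitted."""
    results = {}
    for path, content in files.items():
        found = scan_text(content)
        if found:
            results[path] = found
    return results


# Constructed sample: what a scan of a POS application's directory might
# turn up. The first log line stores a full PAN (a PA-DSS violation), the
# second is correctly masked, the debug trace holds raw swipe data, and
# the receipt counter is a 13-digit number that fails the Luhn check.
SAMPLE_FILES = {
    "pos/transactions.log": (
        "2008-04-16 12:01:07 AUTH OK amount=12.40 pan=4111111111111111 auth=123456\n"
        "2008-04-16 12:03:22 AUTH OK amount=8.15 pan=411111******1111 auth=654321\n"
    ),
    "pos/debug.trace": "swipe raw: ;5500000000000004=09121011234567890?\n",
    "pos/receipt_count.txt": "Order #1234567890123 printed\n",
}

if __name__ == "__main__":
    for path, found in scan_files(SAMPLE_FILES).items():
        for kind, masked in found:
            print(f"{path}: {kind} {masked}")
```

Run against a real system you would walk the application's install, log, and temp directories instead of the embedded dictionary, and add Track 1 and keyboard-wedge formats; the Luhn filter is what keeps a scan like this from drowning in order numbers and timestamps, which is why the 13-digit order number above produces no finding.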