This article appears in the January 15, 2008, edition of ISO&Agent Weekly.
Payment-industry leaders and their organizations clamor for improved security among merchants and other components of the payment system, but breaches continue to happen, giving forensic investigators plenty of work trying to determine how the hackers got in and what information they stole.
Recently, ISO&Agent Weekly met with investigators at one forensic lab, Trustwave, a payment-security company based in Chicago, to get a better understanding of what happens during a forensic investigation.
"Most of the cases we see are small merchants," says Michael Petitti, Trustwave chief marketing officer. And, from an analysis of 443 Trustwave breach investigations since 2001, hackers like to get to sensitive cardholder data from a merchant's personal computer running point-of-sale software.
Of these cases, 72% stemmed from unauthorized access to point-of-sale software. Trustwave says point-of-sale software attacks represent the majority of U.S. and Canadian compromises because many systems have built-in remote access.
Beginning An Investigation
Merchants typically call Trustwave investigators once they learn of the breach from their processor or bank that detected the malfeasance. In some cases, merchants discover a breach themselves if they notice irregular activity on their systems.
With small merchants, investigators can more easily see which equipment is involved, says Colin Sheppard, Trustwave forensics practice manager.
Once the suspect equipment is identified, the investigator connects a hard drive to the merchant's payment network to capture all of its data, including software programs.
Investigators take the disk image of the captured data to Trustwave's lab, dubbed SpiderLabs 0x2.
Benches ring the walls where technicians sit in front of laptop computers as they review the data captured from the breached system. Trustwave uses a dark, chest-high safe in one corner of the room to store all of the team's work.
The company strictly controls access to the room to a few individuals. The major card brands audit the entire operation to ensure investigations are uniform and information is secure.
Issuing A Report
A few days after the discovery of a breach situation—usually less than five—Trustwave issues a preliminary report to the banks, the ISO involved and the customer, Sheppard says. Trustwave uses the report's findings to help determine appropriate corrective measures.
ISOs counting restaurants among their merchant portfolios might take notice that 56% of Trustwave's investigations have involved food-service merchants, while 22% were at general retailers. Other merchant categories incurring breaches included financial, travel, entertainment, higher education, telecommunication, nonprofit, media, government, medical and construction. The percentage of breaches in each of these categories was significantly smaller than in food service and retail.
Anecdotal evidence suggests ISOs also want to secure their merchant portfolios, says Petitti. Potential buyers may be more attracted to a portfolio that Trustwave certifies as compliant with security standards than to one that is not certified.
Merchants will continue to experience breaches of their payment systems, but as the payments industry learns how fraudsters work, the shared knowledge could help ISOs better educate their merchants.