Many merchant payment systems lack the technology needed to safely store card data, resulting in 70% of merchants not meeting data security requirements, a new report says.
SecurityMetrics, an Orem, Utah-based payments security consultant, says merchants lack the proper technology because their merchant processors are not providing it.
Two-thirds of merchants aren't compliant with Payment Card Industry data security standards because "they store unencrypted credit card data and lack sufficient technology to eliminate sensitive information," the company says in its Payment Card Threat Report.
The issue even affects merchants that have upgraded from outdated point of sale systems, says Chris Taylor, SecurityMetrics' manager of channel marketing.
"The most cutting-edge payment processing solution can create significant security vulnerabilities when incorrectly configured," Taylor says. "The real problem is that most merchants — and acquirers for that matter — fail to implement security tools and protocols that would identify and remediate these vulnerabilities."
SecurityMetrics, a qualified security assessor for the Payment Card Industry security standards, claims more than 80% of merchants prefer their business to be covered by a program that includes prevention technology and financial stability tools in the event of a breach. However, many merchant processors do not provide that protection, the company says.
The 2012 Payment Card Threat Report sampled more than 2,700 e-commerce and brick-and-mortar merchants of varying sizes, Taylor says. The number of merchants storing unencrypted data, at 70.92%, has not varied much since 2011, declining by less than a half-percent for 2012, Taylor adds.
"PCI is a major safeguard against data compromise, but it isn't the only one," Taylor says. "PAN [personal account number] data detection tools are a great example of a valuable security solution."
When acquirers and merchants pair those tools with PCI, the industry will see its biggest reduction in merchant risk, he adds.
The shortcomings in data protection can be pinned to both merchants and processors, says Julie Conroy, senior analyst and fraud expert with Boston-based Aite Group.
"Some merchants want to use a new [fraud protection] product, but the processor doesn't support it because the merchant is on an old platform," Conroy says. "The technology is out there and available with all of these processors, but some merchants don't want to spend the money to upgrade an old platform."
Merchants view their systems as being capable of meeting basic payments needs, "so they don't see a need to change it," Conroy adds.
Many merchants cling to their payment terminals "because they don't break and they last forever," says security consultant and PCI expert Walter Conway of Milwaukee-based 403 Labs LLC.
"I think Jimmy Carter was president when these merchants got these things," Conway says of the systems he has seen. "So I completely agree that merchant providers should be checking the PCI website to learn about compliant technology."
Outdated PIN pads are as big a problem as outdated point of sale terminals or old software, Conway says. "You have to have compliant PIN entry devices."
At the same time, merchants in the U.S. should make sure any new equipment they buy now meets EMV smart-card standards and can accept Near Field Communication contactless payments, Conway says.
"Some merchant acquirers or ISOs may be trying to sell some older stuff to clear it off their shelves, but you don't want to buy something you'll have to replace in a couple of years," Conway says, referring to the card networks' October 2015 deadline for merchant EMV compliance.
Merchants have to consider their payments system as advancing like any other technology, Taylor says.
"Do you still have the same computer you did 15 years ago?" Taylor asks. "How old is your cell phone?"
Just like those common technologies, POS terminals go through regular innovation cycles, Taylor says.
Those cycles lead to "faster, more reliable and, most importantly, more secure processing terminals," he adds.