Hackers seeking cardholder data most often find openings in a small merchant's payments network because of something a third-party vendor did or did not do when installing payment applications.
Merchant acquirers forming a Payment Card Industry Security Standards Council task force earlier this year considered that scenario a major issue in the payments industry, leading to the council's creation of training for application integrators and resellers, says Bob Russo, general manager of the PCI council.
The council, which announced in May its intent to create the training module, revealed specific details on Aug. 15 about the training schedule and what the council hopes to accomplish.
In reviewing breach reports and studies, the task force determined "that there is nothing exotic" about the problems related to installation and maintenance of payment applications, Russo says.
"It actually comes down to basic stuff like using [less secure] default passwords or using remote access for maintenance, but leaving a back channel open for hackers in the process," Russo says.
Still, the council reminds merchants and vendors that, according to a report Trustwave issued this year, 76% of breaches investigated in 2011 were a result of security vulnerabilities introduced by a third party responsible for payments system support, development or maintenance.
The council plans to begin training and certifying payment software integrators and resellers on Oct. 1 through its new Qualified Integrators and Resellers (QIR) Program. Interested vendors can register on the PCI website for webinars that take place Aug. 16 and 29. Vendors can also apply for the training on the website, Russo says.
The training consists of an eight-hour self-paced eLearning course, followed by a 90-minute exam that participants can schedule at one of more than 4,000 Pearson VUE testing centers worldwide.
The PCI Council will maintain an online list of vendors that complete the QIR training so merchants can see, Russo says.
"Any reseller not on the list would be conspicuous by his absence," Russo says.
Merchants sometimes make the mistake of assuming that if a vendor installs a Payment Application Data Security Standard-compliant product, then "everything is compliant," Russo says.
"Those products have to be installed properly, in a secure and compliant manner," Russo says.
Russo does not want merchants to feel the council discourages vendors' use of remote access to provide system service. "Remote access changes the paradigm of service costs, so all we are saying is that you have to use it securely," Russo says.
Education about risks and how to mitigate them are important "all along the value chain" in payments, says Julie Conroy McNelley, analyst with Boston-based Aite Group.
However, just because a reseller has checked a box for training doesn't alleviate the merchant from the obligation of verifying that the integrator has retained the lessons learned and is doing the work properly, McNelley says.
"Merchants are still ultimately responsible and should build in a process for validating that these installations are not leaving open security gaps," she adds.
As such, the PCI council would be wise to also create a checklist and a list of questions to use at the time systems are installed, McNelley says.