November 4, 2014
Executive Insight: Have You Actually Been Breached?
By Steve Sommers – Senior Vice President of Applications Development, Shift4 Corporation
This piece is part 2 of a series on the differences between fraud and breaches. The first article in the series can be found here.
Last month we talked about the difference between card fraud and a card data breach, and I warned you that they typically warrant very different responses. Today, I will lay out my recommendations as to how you should respond with a preliminary investigation if you suspect either may have occurred. Before I delve into this topic, let me make an immediate and complete disclaimer that Shift4’s advice does not replace the guidelines of your merchant services provider (MSP) or processor, nor does it supersede the requirements given by the PCI Council; this is simply advice based on my 20+ years in the payment processing industry.
First, a quick recap: Last month we defined that – at least in the payments space – fraud is any illicit method used to access or use another person’s credit card, while a breach is more narrowly defined as an exploitation of security measures to access and/or compromise a merchant’s cardholder data environment.
Do You Suspect a Breach May Have Occurred? Call Your MSP
Your first step when you suspect you might be the victim of either fraud or a card data breach is to contact your MSP. (An MSP is the person or organization that set up your merchant account.) Your MSP should then guide you through the other required steps. This initial call fulfills the reporting requirements that are usually written into your merchant services agreement, and even if it’s as simple as “we’re seeing some unusual activity and just want to give you a heads up that we’re looking into it internally,” it can go a long way in helping you avoid future issues and potential fines.
Begin an Internal Investigation
Next, you will want to launch an internal investigation. Verify that your antivirus program is up-to-date and check for malware/virus alerts. Review all your audit records and see if you can spot anything unusual. Do you have any Fraud Sentry® alerts from Shift4 you might have overlooked? After that, watch for any suspicious trends. Were all the affected customers in your spa or retail location on the same day? Were they helped by the same employee(s)? Did the affected e-commerce customers all shop on the same day, or share some other pattern? As part of this internal investigation, you will also want to review your surveillance videos.
Enlist Your Trusted IT Employees to Help Investigate
If you have trusted IT administrative staff, get them involved in reviewing your firewall and system logs. They should also check whether there are any rogue/unidentified application programs on your payment systems. This can be a tricky task because a rogue program, such as a memory scraper, typically won’t appear in your programs list. However, these are all steps that can help you begin narrowing down the source of the problem and possibly rule out a full-scale breach.
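The “suspicious trends” check above (same day, same employee, same location) is a common-point-of-purchase analysis, and it can be done against your own transaction records before anyone calls in outside help. The script below is an added illustration, not code from the article or from Shift4; the transaction log, card tokens and reported-card set are constructed sample data, and it assumes you can export transactions as (card token, date, employee, location) records.

```python
"""Common-point-of-purchase triage for reported card fraud (added example).

Given the cards whose holders reported suspicious charges and the merchant's
own transaction log, count how many affected cards share each day, employee
and location. A handful of cards clustering on one employee or one shift
points toward limited internal fraud; affected cards spread evenly across
staff and days looks more like a system-wide compromise. Cards that never
appear in your log at all suggest the compromise happened somewhere else.
All data below is constructed; tokens are placeholders, never real PANs.
"""
from collections import Counter, defaultdict

# Constructed transaction log: (card_token, date, employee, location).
TRANSACTIONS = [
    ("tok_A1", "2014-10-03", "emp_07", "spa"),
    ("tok_B2", "2014-10-03", "emp_07", "spa"),
    ("tok_C3", "2014-10-03", "emp_07", "spa"),
    ("tok_D4", "2014-10-04", "emp_07", "retail"),
    ("tok_E5", "2014-10-04", "emp_02", "retail"),
    ("tok_F6", "2014-10-05", "emp_02", "retail"),
    ("tok_G7", "2014-10-06", "emp_11", "retail"),
]

# Constructed set of cards whose holders reported fraud. tok_Z9 was never
# used at this merchant (think: the restaurant up the road was breached).
REPORTED = {"tok_A1", "tok_B2", "tok_C3", "tok_D4", "tok_Z9"}

FIELDS = ("date", "employee", "location")


def commonality(transactions, reported):
    """Return {field: Counter of distinct affected cards per field value}."""
    seen = {f: defaultdict(set) for f in FIELDS}
    for tok, date, emp, loc in transactions:
        if tok not in reported:
            continue
        for field, value in zip(FIELDS, (date, emp, loc)):
            seen[field][value].add(tok)
    return {f: Counter({v: len(s) for v, s in d.items()}) for f, d in seen.items()}


def unmatched(transactions, reported):
    """Reported cards that never transacted here: not your compromise."""
    return reported - {tok for tok, *_ in transactions}


def strongest_link(transactions, reported):
    """(field, value, share of reported cards) for the single most common
    attribute; a share near 1.0 on one employee or one day is the trend
    the article says to look for."""
    stats = commonality(transactions, reported)
    field, value, n = max(((f, v, n) for f, c in stats.items() for v, n in c.items()),
                          key=lambda t: t[2])
    return field, value, n / len(reported)


if __name__ == "__main__":
    print(strongest_link(TRANSACTIONS, REPORTED), unmatched(TRANSACTIONS, REPORTED))
```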
Identify the Likelihood of Fraud or a Breach
What if you find no malware or rogue programs and no indication of a massive theft of your customers’ payment card data? Perhaps only a few customers have contacted you to report a potential issue. This is still something to take seriously, but experience tells me in these cases it is more likely to be internal fraud committed by one of your employees than a full-blown breach. Fraud is usually much more limited in scope than a data breach. While it is occasionally perpetrated by external crooks, most fraud in the industry today involves a rogue employee within your organization.
In case of a major breach, you would more likely be contacted by your MSP, your bank, or one of the card brands rather than by a handful of concerned customers. With a major breach, the first contact may occasionally come from law enforcement.
Be Wary of Phishing Scams
Now, I’m sad to report that there is a known phishing scam in which people call in, claiming to be from the bank or even the Secret Service, and say they are investigating a breach. They will then ask for your merchant account information, which they can later use to defraud you. That’s why we recommend you do your homework when someone contacts you unexpectedly and makes these claims. You can request that law enforcement send a local officer out to meet with you in person. You can ask for an email or fax on company letterhead. Often the easiest check is to ask if you can call them back. If you call the local Secret Service office or your MSP’s fraud department using the number listed on their website and they tell you they’ve never heard of the person who called you, then that tells you it was probably a phishing scam.
Follow Appropriate Procedures for Fraud or Breach
So, whether it’s a call from the card brand or your own internal investigation that determines your environment has actually been breached, the response is the same. Your response to a breach is strictly regulated by PCI, the card brands’ procedures, and (in most cases) state and federal governments. When you contact your MSP, ask them whether they will be contacting the card brands or whether you need to do it. Likewise, work with them to inform the proper authorities. They will also advise whether you need to enlist the support of a PCI Forensic Investigator (PFI) to track down the source of the breach. Depending on the magnitude of a breach, one or more of the card brands may automatically direct a full investigation by a PFI.
With a fraud situation, you have a little more discretion in how you proceed. A dishonest employee stealing a handful of card numbers probably doesn’t warrant a call to the Secret Service or spending tens of thousands of dollars on a forensic investigation. You should inform your MSP and they will advise whether you need to inform the card brands, and – of course – you may also want to turn the evidence over to your local police. But, dealing with the problem on your own and alerting your MSP is usually sufficient unless your preliminary investigation points to a major compromise of your environment (either malware that has been taking card data out of your system or some other major theft of customer information).
One more point on these preliminary investigations: please do them. Before you panic and before you call in the cavalry, take the time to really look at what’s going on. A few years ago, we had a customer panic after receiving a few calls from concerned customers reporting suspicious activity on their cards after staying in their hotel. The hotel called the police, the card brands, their attorneys, and their PR team – all before they did any investigation into the problem. After careful examination, it turned out that they had not been breached at all; the restaurant a few miles up the road had been compromised, and many of their customers had eaten there. This company spent thousands of dollars to bring in significant outside resources that proved entirely unnecessary.
How Shift4 Can Help
Please note that this guidance is by no means intended to be a comprehensive to-do list. What I have provided are the vital questions you need to get answered and early steps to get you moving down the right road. Card data breaches are serious crimes and they can be costly and time consuming to recover from. This is why we are so diligent in encouraging our merchant customers to reduce their breach profile by implementing the TrueTokenization® and point-to-point encryption (P2PE) technologies that are included with our offering.
Next month I’ll delve deeper into the tools that Shift4 provides to prevent both card fraud and card data breaches. Most of you already have many of these tools implemented, but there may be a few tools you are not yet using, so I’ll help you figure out the next step toward complete security. In the meantime, be diligent. And, know that Shift4 is always here to help.