SMB PCI DSS Issues at the State Fair

Yesterday I was at the Iowa State Fair literally all day; from 8am to around 8:30pm. Despite the 95 degree extremely humid weather it was such a fun day! The cloudy skies and nice breezes helped a lot. We didn’t get to probably half of the exhibits and activities. And I was *VERY* disappointed I didn’t see any of the at least 4 presidential hopefuls who were on the grounds; the place is so big I guess we were always in the wrong place at the right time.

Something I noticed as I went by the hundreds of food and merchandise vendors was how almost all of them took credit card payments. Most from free-standing stands and tiny portable trailors sitting on the grass grounds. From the information provided on the Iowa State Fair site for merchandisers it does not appear that any centralized network is provided for the merchants to access their financial companies (the merchant’s “acquirer”) for credit card purchases. Given the set-up environment and characteristics across the grounds, that is understandable. I noticed most of the vendors likely were using stand-alone point of sale (POS) devices, with a few still using the somewhat nostalgic hand-swipe manual imprint machines.
The fair is very open, with many, many people all around, often right up next to and sometimes around all sides of the payment areas. Most, and possibly all, are Level 4 merchants under the payment card industry (PCI) data security standard (DSS) definition. Events such as these fairs are held year round.
Huge risks to credit card information exist in these situations; many from just the physical security aspects alone.
Despite the very large numbers of Level 4 merchants, and the very large number of risks that exist for these merchants, PCI DSS “validation requirements and dates are determined by the merchant’s acquirer.”
While the PCI DSS requires all merchants to perform external network scanning to achieve compliance, most of these very small Level 4 merchants do not have networks; only stand-alone computers they use to attach to their acquirers and also to public networks such as the Internet. Acquirers *may* require submission of scan reports and/or questionnaires by level 4 merchants, however I haven’t seen many actually do this.
There is a pretty good document Visa issued late last year, “Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness.”
While it certainly does not cover nearly all the risks that exist within exhibition type sales situations, acquirers should ensure their Level 4 merchants receive and understand the information.
In fact, I believe acquirers should be responsible for providing awareness and training to all their merchants about credit card transaction security and PCI DSS; and should be especially vigilant in providing awareness to the Level 4 merchants. Almost all these very small merchants have little to no background or knowledge of information security and privacy issues, but yet a very large number of security incidents and privacy breaches occur as a result of their mishandling or lack of security for credit card information and other personally identifiable information (PII).

Tags: , , , , , , , , , , ,

Leave a Reply