Dealing with multiple merchants throws up a unique set of security concerns

Posted by Marco Borza on Mar 27, 2020 12:23:06 PM
Marco Borza
Find me on:

Achieving PCI DSS is relatively complex for any organisation – particularly those who do not currently operate according to industry standards. The level of complexity is exponentially increased when dealing with heterogeneous merchants setups.

Every CISO understands that the more moving parts, the more complicated a system becomes. Similarly, every additional “part” becomes another potential attack surface, or opportunity for data loss.

For a standalone merchant with a single outlet, security is conceptually straightforward. Each store need only properly protect personal information between PoS, back office systems, and Issuer and Acquirer banks. For multi-site retailers, the network is larger in scale, but the basic touch points remain the same.

Standardised, homogenised, simplified

For organisations – including those operating multiple outlets or websites – security can be simplified by implementing common infrastructure elements. For example, using the same payment terminals, PoS, and systems dramatically reduces complexity and administrative overheads.

This is not rocket science; every CISO/CTO would standardise assets and processes as much as possible for any aspect of corporate IT infrastructure. Unfortunately this is not always possible. Acquisitions, mergers and organic network growth means that many multi-merchant organisations use a broad range of systems and services.

Diversity and merchants security

PCI DSS, GDPR and other industry standards make no allowances for the diversity of payment network infrastructure. Instead these frameworks are concerned with securing personal data, and outlining expectations and best practice – implementation is down to the merchant(s), effectively making every non-standardised environment a project on its own, increasing costs and effort dramatically.

Where standardisation of infrastructure is not an option, the CISO needs to be more creative in addressing security. Replacing key elements of the payment process with Cloud-based alternatives is an obvious move towards standardisation because it requires less on-site deployment and configuration for instance.

Again, this may not be an option, in which case attention must be directed towards securing what is already in place. Additionally PCI DSS requires regular testing of security provisions to identify shortcomings and opportunities to improve.

The most effective way to deal with multi merchants security is to “group” locations/brands based on commonalities. You can then create testing processes and documentation for each group without losing sight of the many “moving parts” involved.

When in doubt, seek help

In an ideal world the CISO and CTO would be able to replace existing infrastructure across multiple merchants with a view to creating a single common system design for each. In reality, the cost of such a strategy is prohibitive, forcing businesses to think laterally about how they collect and monitor security.

Faced with the day-to-day struggles of trying to manage several merchants’ security, the CISO can quickly lose sight of the larger picture. When this happens it helps to take a step backwards and seek advice from a third party who can offer a neutral opinion together with great technology, to help formulate and implement an action plan.

To arrange for an unbiased review of your merchants security provisions and to understand how ZeroRisk for Merchant Portfolio Authorities (MPA) can help you improve cyber security and resilience while reducing your cost, please get in touch.


Topics: Third-Party Risks