A July exposure of transaction records from 899 submerchants serviced by payment facilitator BlueSnap highlights an important lesson for PFs.
In addition to making sure their own houses are in order, they bear responsibility for their submerchants and service providers as well.
PFs that control all aspects of card entry, where it is impossible for a transaction to enter outside of their interface, may be able to certify compliance on behalf of all their submerchants. However, if any submerchant or service provider could conceivably get access to card data, the PF must ensure that party is certified and registered. BlueSnap had to learn that the hard way.
The data loss was first reported by Troy Hunt, a security blogger based in Australia. According to his post, a link to a file containing the transaction records was posted on Twitter in July, where it stayed accessible for about a month. The file contained personal information including names, physical addresses, e-mail addresses, and details of purchases made using the exposed information, he said. It also included the last four digits of credit card numbers as well as card verification codes – a primary means of security for card-not-present transactions. Hunt traced the data to BlueSnap and one other company, ultimately identifying the exposure as a human error at Regpack, a third party that appears to have touched card data without the proper certification and registration.
When asked for comment by Hunt, BlueSnap, the payment facilitator in this case, denied being the source of the exposure. Initially, Regpack also denied any involvement. But later the company issued a statement to Hunt in which it described the source of the data loss as a “procedural human error” that Regpack found after its initial forensic investigation had turned up no evidence of a breach.
“Regpack has confirmed that all payments information passed to the payment processor is encrypted on its databases. Nonetheless, periodically, this information is decrypted and kept internally for analysis purposes. We identified that a human error caused those decrypted files to be exposed to a public facing server and this was the source of the data loss,” the statement said.
So it appears that the exposure was not the result of a breach of BlueSnap’s transaction processing systems, a risk that payment processing companies are well aware of. However, the incident remains one that companies like it must learn from, as the responsibility for payments facilitators extends beyond their own walls.
“Payment facilitators must understand every party in between the cardholder and them, and ensure that those that are acting as service providers are [PCI] compliant and registered,” said Dr. Branden Williams, director of cyber security at MUFG Union Bank.
“Any company that touches transaction data is required to comply with PCI rules for storage and transmission, and to register their compliance with the card networks. Card network rules require payment facilitators to verify that all parties involved in a transaction, even third-party service providers, comply with those standards.”
Regpack is not listed on Visa’s Global Registry of Service Providers. And what is clear from its statement is that it had access to the data registrants were providing for the transactions. Regpack founder Asaf Darash told PaymentFacilitator.com that he is not giving any interviews at this time.
While BlueSnap’s listing on the Visa registry indicates that the company’s registration has expired, BlueSnap provided documented evidence to PaymentFacilitator.com of its current compliance and attributed the lapse to a clerical error that is in the process of being fixed.
In a statement to PaymentFacilitator.com, Scott Fitzgerald, senior vice president of marketing for BlueSnap, said, “We always want to ensure all our merchants are both compliant and secure. Any failure is one that we work hard to repair and ensure is prevented in the future. In that sense, we feel ownership and want to see this closed with minimal damage to consumers.”
Deana Rich, President of Rich Consulting and Publisher of PaymentFacilitator.com said, “We’ve attacked this as an industry with rules but we haven’t yet solved for it completely. We need education and solid processes, because as an industry, we continue to allow unregistered third parties to exist and flourish without being properly registered. PFs and acquirers do not universally understand how their actions affect the payment ecosystem. Rules are set up, but we fail on education.”
The lesson that PFs should take from this event is that they must know all parties that touch transactions, and whether or not each party is secure. PFs are responsible for ensuring proper PCI security and proper card brand registration of those third parties.