June 16th, 2016 by Elma Jane
Merchants and cardholders have been challenged by the perceived additional time to complete the EMV transaction.
To address concern over EMV checkout time Visa and MasterCard create an alternate EMV payment process that will improve the speed of transaction:
Quick Chip from Visa is available free-of-charge to acquiring banks, payment networks, and other payment processors to offer to merchants. The enhancement requires only a simple software update to the merchant’s card terminal or point-of-sale system.
M/Chip Fast from MasterCard merchants can easily integrate this with their current systems to provide both speed and security for all chip cards. Designed for select environments where fast transaction times, in addition to security, are at a premium.
The new card network options do not require the financial institution to reissue cards, or the merchants to re-certify their point-of-sale terminals.
Alignment in the payments industry and the ability to process a secure transaction in a timely manner for the consumer experience is important.
Keeping current on the payment industry news like Quick Chip and M/Chip Fast or discussion about EMV developments is a smart move for merchants and cardholder as well.
Posted in Best Practices for Merchants, Credit card Processing, EMV EuroPay MasterCard Visa Tagged with: banks, card, card network, cardholders, chip cards, EMV, financial institution, merchants, payment, payment networks, payment processors, payments industry, point of sale, Security, terminal, transaction
October 22nd, 2015 by Elma Jane
Adoption of EMV technology in the U.S is important, because it provides protection against losses from counterfeit cards.
EMV, or chip cards, are the standard for secure point-of-sale (POS) transactions. Unlike magnetic stripe cards, chip cards are very difficult to counterfeit because of an embedded microchip that exchanges unique, dynamic data with a terminal each time it’s used.
To encourage the timely adoption of EMV, the leading payment networks have implemented an EMV Fraud Liability Shift that began in October 2015.
Both parties, card issuer and the merchant need to invest with EMV technology. If only one party has adopted EMV technology, the party that didn’t make the investment will be held liable.
For the card issuer, they came out with the chip cards, where all credit and debit cards have this security chips that are harder to counterfeit than magnetic strips.
For the merchant, an EMV capable terminals or POS hardware that can take advantage of the card’s security chip is needed.
With any new technology, there is a learning curve, and here are the things that you need to know.
For cardholders – with a chip card instead of swiping your card, you are going to do what is called card dipping; by inserting your card face-up and chip-first into the terminal slot. Wait and follow the terminal prompts, and only remove your card once the transaction is complete.
If you did a swipe on a chip card, an EMV-enabled terminal should prompt you to insert the card instead. If the terminal is not enabled for chip, you can still be able to swipe your card.
Employees will benefit from training – Once a merchant enables their EMV terminals, it is important to train your staff with talking points about why chip cards benefit consumers with greater security, and how they are used by helping customers with the new checkout process.
New mobile payment methods leverage both EMV and NFC, so the industry is now seeing greater interest in mobile payments among merchants and consumers.
There’s a lot of resources out there to help businesses make the transition with this EMV technology.
Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Near Field Communication Tagged with: card issuer, chip cards, debit cards, EMV, magnetic stripe, merchants, microchip, Mobile Payments, nfc, payment networks, point of sale, POS, terminal slot
April 21st, 2015 by Elma Jane
An advanced strain of malware called “Punkey,” is capable of attacking Windows point of sale terminals, stealing cardholder data and upgrading itself while hiding in plain sight.
Researchers from Security vendor Trustwave discovered the new strain. The investigation found compromised payment card information and more than 75 infected, and active, Internet Protocol addresses for Windows POS terminals.
Punkey poses a unique threat to payment networks, particularly because it also can download updates for itself.
If the malware author has a new feature it wants to add or updates to get rid of bugs, it actually pushes the malware down from the command and control server, revealed by Trustwave’s SpiderLabs research center. Punkey operates like a typical Botnet.
The malware hides inside of the Explorer process, which exists on every Windows device and manages the opening of individual program windows. Punkey scans other processes on the terminal to find cardholder data, which it sends to the control server.
The malware performs key logging, capturing 200 keystrokes at a time. It sends the information back to its server to store passwords and other private information.
A year ago, security vendors warned retailers against using Windows XP at the point of sale, since Microsoft stopped supporting Windows XP security patches. However, even Punkey is not attacking Windows due to any vulnerability in the systems, so even merchants with newer versions of Windows are at risk.
Punkey just runs like any Windows binary would. Even if the system is upgraded or a new system is put in place, criminals are still getting malware on the POS in other ways.
Many retailers use remote desktop support software, which fraudsters take advantage of, they steal a password and install malware like a technician would install any software.
While Punkey represents a more sophisticated POS malware than Trustwave has seen previously, merchants can still protect themselves through attention to basic security best practices.
Merchants should update antivirus and firewall protections, monitor the remote access software, establish two-factor authentication and check network activity daily for anything out of the ordinary. Unfortunately, many organizations have neither the expertise nor the manpower to perform these tasks.
Posted in Best Practices for Merchants, Credit card Processing, Credit Card Reader Terminal, Credit Card Security, Mobile Point of Sale, Payment Card Industry PCI Security, Point of Sale Tagged with: card, cardholder, cardholder data, data, Malware, Merchant's, payment, payment networks, point of sale, POS terminals, retailers, terminals
August 7th, 2014 by Elma Jane
Recent high-profile cyberattacks at retail giants like Target and Neiman Marcus have highlighted the importance of protecting your business against point-of-sale (POS) security breaches. Often, the smallest merchants are the most vulnerable to these types of cyberthreats. The latest of these POS attacks is known as Backoff, a malware with such brute force that the U.S. Department of Homeland Security (DHS) has gotten involved. The DHS recently released a 10-page advisory that warns retailers about the dangers of Backoff and tells them how they can protect their systems. Backoff and its variants are virtually undetectable low to zero percent by most antivirus software, thus making it more critical for retailers to make sure their networks and POS systems are secure.
How Backoff works
Backoff infiltrates merchant computer systems by exploiting remote desktop applications, such as Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2 and LogMeIn, among others. Attackers then use these vulnerabilities to gain administrator and privileged access to retailer networks. Using these compromised accounts, attackers are able to launch and execute the Backoff malware on POS systems. The malware then makes its way into computer and network systems, gathers information and then sends the stolen data to cybercriminals. The advisory warns that Backoff has four capabilities that enable it to steal consumer credit card information and other sensitive data: scraping POS and computer memory, logging keystrokes, Command & Control (C2) communication, and injecting the malware into explorer.exe. Although Backoff is a newly detected malware, forensic investigations show that Backoff and its variants have already struck retailers three times since 2013, the advisory revealed. Its known variants include goo, MAY, net and LAST.
Prevent a Backoff attack
To mitigate and prevent Backoff malware attacks, the DHS’ recommendations include the following:
Configure network security. Reevaluate IP restrictions and allowances, isolate payment networks from other networks, use data leakage and compromised account detection tools, and review unauthorized traffic rules.
Control remote desktop access. Limit the number of users and administrative privileges, require complex passwords and two-factor authentication, and automatically lock out users after inactivity and failed login attempts.
Implement an incident response system. Use a Security Information and Event Management (SIEM) system to aggregate and analyze events and have an established incident response team. All logged events should also be stored in a secure, dedicated server that cannot be accessed or altered by unauthorized users.
Manage cash register and POS security. Use hardware-based point-to-point encryption, use only compliant applications and systems, stay up-to-date with the latest security patches, log all events and require two-factor authentication.
Posted in Point of Sale Tagged with: (POS) systems, antivirus software, Apple Remote Desktop, Backoff, cash register, Chrome Remote Desktop, credit-card, cyber attacks, cybercriminals, data, data leakage, Department of Homeland Security, desktop applications, DHS, goo, LAST, LogMeIn, Malware, MAY, Merchant's, Microsoft's, Neiman Marcus, net, network security, network systems, networks, payment networks, point of sale, point-to-point encryption, POS, remote, retailer networks, retailers, security breaches, Splashtop 2, target
