Category: Credit Card Security
March 17th, 2014 by Elma Jane
Lots of talk has gone on since the recent spate of merchant data breaches on ways to potentially prevent hackers from gaining access to stored payment card data. Use of biometric information, such as a fingerprint, to access stored credentials is among the solutions often bandied about.
The prospect of using individuals’ biometric information for credentialing is fairly scary. Security may be what biometrics is trying to achieve, but it’s also its biggest flaw. Imagine having your fingerprint information stored at Target this holiday season: that information would now be in the hands of lots of people not intended to have access to it. Unlike a password, someone can’t change his or her fingerprint, so once someone has the print, they have it forever. Even if something is biometric based, it also has to have a lot of other security measures, and that could include GPS-based location services tied to an individual’s smartphone.
Biometrics alone won’t work. It’s very scary that that information could be stored in a way that someone could figure out how to get it. Even if encrypted, that’s a huge security concern. You can’t change your fingerprint.
March 14th, 2014 by Elma Jane
Merchant and Consumer Groups Seek Senate Support To Forego EMV Chip and Signature As Breach Concerns Rise
There’s no shortage of answers in trying to put a stop to hackers set on throwing chaos into the way consumers transact at the point of sale, or online for that matter. Yesterday, the Banking, Housing and Urban Affairs subcommittee on national security and international trade and finance got its chance to hear some of them.
During the hearing, William Noonan, deputy special agent in charge, U.S. Secret Service, noted the advances in computer technology and greater access to personally identifiable information online, which have created a virtual marketplace for transnational cyber criminals to share stolen information and criminal methodologies. As a result, the Secret Service has observed a marked increase in the quality, quantity, and complexity of cyber crimes targeting private industry and critical infrastructure. These crimes include network intrusions, hacking attacks, malicious software, and account takeovers leading to significant data breaches affecting every sector of the world economy.
The recently reported data breaches of Target and Neiman Marcus represent only the most recent, well-publicized examples of this decade-long trend of major data breaches perpetrated by cyber criminals intent on targeting the nation’s retailers and financial payment systems. The increasing level of collaboration among cyber-criminals allows them to compartmentalize their operations, greatly increasing the sophistication of their criminal endeavors and allowing for development of expert specialization. These specialties raise both the complexity of investigating these cases, as well as the level of potential harm to companies and individuals.
So how should the industry react to prevent further breaches? Those opinions provided during testimony at the hearing varied widely, though both consumer and merchant groups would like the card networks to give up requiring only signatures for smart card purchases at the point of sale.
The consumer program director at the U.S. Public Interest Research Group called for a myriad of changes, citing that the greater risk from the recent breaches is less related to identity theft than it is to fraud on existing accounts, and he said it’s time for players on both sides of the transaction to focus more on protecting consumers than on managing their own risk.
Until now, both banks and merchants have looked at fraud and identity theft as a modest cost of doing business and have not protected the payment system well enough. They have failed to look seriously at harms to their customers from fraud and identity theft, including not just monetary losses and the hassles of restoring their good names, but also the emotional harm that they must face as they wonder whether future credit applications will be rejected due to the fraudulent accounts.
As a first step, Congress should institute the same fraud cap, $50, on debit/ATM cards that exists on credit cards, or eliminate the $50 cap entirely, since it is never imposed because of the zero-liability policies issuers have voluntarily imposed. Congress also should provide debit and prepaid card customers with the stronger billing-dispute rights and rights to dispute payment for products that do not arrive or do not work as promised, just as many credit card users enjoy.
Congress should endorse a specific technology, such as EMV smart cards, and if it does, require the use of PINs when initiating smart card transactions. The current pending U.S. rollout of chip cards will allow use of the less-secure chip-and-signature cards rather than the more-secure chip-and-PIN cards. Why not go to the higher chip-and-PIN authentication standard immediately and skip past chip and signature? There is still time to make this improvement.
Retailers have spent billions of dollars on card-security measures and upgrades to comply with PCI card security requirements, but it hasn’t made them immune to data breaches and fraud. The card networks have made those decisions for merchants, and the increases in fraud demonstrate that their decisions have not been as effective as they should have been.
The card networks should forego chip and signature and go straight to chip and PIN. To do otherwise would mean that merchants would spend billions to install new card readers without them or their customers obtaining the fraud-reducing benefits of PINs. We would essentially be spending billions to combine a 1990s technology (the chip) with a 1960s relic (the signature) in the face of 21st century threats.
March 3rd, 2014 by Elma Jane
A solution for mobile commerce will be needed eventually, whether you’re an ecommerce merchant or you run a brick-and-mortar shop.
There are mobile payment platforms for digital wallets, smartphone apps with card-reader attachments, and services that provide alternative billing options. Here is a list of mobile payment solutions.
Boku enables your customers to charge their purchases directly to their mobile bill using just their mobile number. No credit card information, bank accounts or registration required. The Boku payment option can be added to a website, mobile site, or app. Price: Contact Boku for pricing.
Intuit GoPayment is a mobile credit card processing app from Intuit. It accepts all credit cards and can record cash or check payments. Intuit GoPayment transactions sync with QuickBooks and Intuit point-of-sale products. Intuit GoPayment works with iOS and Android devices and provides a free reader. Price: $12.95 per month and 1.75 percent per swipe, or 2.75 percent per swipe and 3.75 percent per keyed transaction.
iPayment MobilePay is a mobile payment solution from Flagship Merchant Services and ROAMpay. The service accepts all major cards and can record cash transactions. To help build your customer database, the app completes customer address fields for published landlines. The app can handle taxes and tips, and can record transactions offline. You can use the service month-to-month. The app and the reader are free. Price: $7.95 per month; each transaction costs $0.19 plus a swipe fee of at most 1.58 percent, or a key fee between 1.36 and 2.56 percent.
ISIS mobile commerce platform enables brick-and-mortar stores to collect payments (via an NFC terminal) from the mobile devices of their customers. Provide your customers with a simplified checkout process through the contactless transmission of payments, offers, and loyalty integrated in one simple tap. Price: Isis does not charge for payment transactions in the Isis Mobile Wallet. Payment transaction fees will not be increased by working with Isis.
LevelUp is a mobile payment system that uses QR codes on smartphones to process transactions. Use LevelUp with a scanner through your POS system, or use a standalone scanner with a mobile device. You can also enter the transaction through the LevelUp Merchant App, using your smartphone’s camera to read the customer’s QR code and entering the amount to complete the transaction. LevelUp also provides tools to utilize customer data. Price: LevelUp charges a 2 percent per transaction fee. Scanner is $50; tablet is $200.
MCX is a mobile application in development by a group of large retail merchants. Details on the solution are vague, but MCX is intended to offer a customizable platform that will be available through virtually any smartphone. MCX’s owner-members include a list of merchants in the big-box, convenience, drug, fuel, grocery, quick- and full-service dining, specialty-retail, and travel categories. Price: To be determined.
mPowa is a mobile payment app to process credit and debit card transactions, and record cash and check sales. mPowa will soon launch its PowaPIN chip and PIN reader for the EMV (“Europay, MasterCard, and Visa”) card standard. (Developed in Europe, EMV utilizes a chip embedded in a credit card, rather than a magnetic stripe.) The EMV standard is likely to gain footing to combat credit card fraud. mPowa is a good solution for merchants with a global presence. Price: 2.95 percent per transaction, or 0.25 percent or $0.40 per transaction when used as a current processor’s point-of-sale system.
PayAnywhere is a solution to accept payments from your smartphone or tablet with a reader. It features an automatic tax calculation based on your current location, discounts and tips, inventories with product images and data, and more. Bilingual for English and Spanish users. PayAnywhere provides a free credit card reader and free app, available for iOS and Android. Price: 2.69 percent per swipe, 3.49 percent plus $0.19 per keyed transaction.
PayPal Here gives you a variety of options for accepting payments, including credit cards, PayPal, check, record cash payments, or invoice. With PayPal Here, you can itemize sales totals, calculate tax, offer discounts, accept tips, and manage payment email notifications. Available for iOS and Android. The app and reader are free. Price: 2.75 percent per swipe and 3.5 percent plus $0.15 per manually-entered transaction.
Square is a simple approach to mobile credit card processing. Square provides a free point of sale app and a free credit card reader for iPhones and iPads. Square offers a selection of tools to track sales, taxes, top-purchasing customers, and more. Square’s pricing is on the higher end, but with no monthly fee Square may be a good fit if you have infrequent mobile transactions. Price: 2.75 percent per swipe and 3.5 percent plus $0.15 per manually-entered transaction.
February 20th, 2014 by Elma Jane
Several options exist for mobile credit card processing.
Credit card processing on iPhone/iPad/Android/BlackBerry or tablets – Using NTC’s portable credit card readers, merchants can now swipe credit cards on iPad or Android tablet devices. NTC’s Virtual Merchant solution allows users to download a secure application that interfaces your smartphone with our merchant account services seamlessly. The application sends credit card processing data over the carrier’s network or a WiFi connection to the internet.
NTC’s MagTek Bullet Swipe Credit Card Reader for Android Phones and Tablets.
Using any Android 2.2 or higher device, you can process credit card transactions: the reader sends card data securely to the smartphone via Bluetooth and uses the device’s internet connection (WiFi or carrier) to send the encrypted credit card processing data for approval.
Security anywhere. With the BulleT Secure Credit Card Reader Authenticator (SCRA), security comes with the flexibility and portability of a Bluetooth wireless interface. Small enough to fit into the palm of your hand, the BulleT enables secure wireless communications with a PC or mobile phone using the popular Bluetooth interface. Not only does the BulleT encrypt card data from the moment the card is swiped, but it also enables card authentication to immediately detect counterfeit or altered cards.
Ideal for merchant services accounts and financial institutions’ mobile credit card processing, NTC’s BulleT offers MagneSafe credit card processing security features with the convenience of a Bluetooth interface. This powerful combination assures the credit card data protection, transaction security and convenience needed to secure mobile credit card processing with strong encryption and 2-factor authentication. The BulleT is specifically designed to leverage the existing magnetic stripe credit card reader as a secure token, empowering cardholders with the freedom and confidence of knowing that their credit card transactions are secure and protected anytime, anywhere. It serves as an Android credit card swipe reader for Android phones and tablets on your wireless mobile merchant account.
NTC’s MagTek iDynamo credit card processing swipe reader for iPhone and iPad.
Credit card processing on an iPhone has never been easier. Simply attach NTC’s iDynamo card reader to your iPhone or iPad, install our Virtual Merchant software from the App Store and you’re ready to go. Take advantage of lower credit card processing rates by processing swiped transactions instead of keying the credit card in later, and get paid faster.
From the company that leads with “Security from the Inside”, MagTek has done it again with the iDynamo, a secure card reader authenticator (SCRA) designed to work with the iPhone and iPad. The iDynamo offers MagneSafe(TM) security and delivers open-standards encryption with simple yet proven DUKPT key management, immediate tokenization of card data and MagnePrint card authentication to maximize data protection and prevent the use of counterfeit cards. Mobile merchants can now leverage the power of their iPhone/iPod Touch products without the worries of handling or storing sensitive card data at any time. Ideal for wireless mobile merchant accounts and mobile credit card processing, the iDynamo offers MagneSafe security features combined with the power of iPhone and iPod Touch products. This powerful combination assures convenience and cost savings while maximizing credit card data protection and transaction security from the moment the card is swiped all the way to authorization. No other credit card reader beats the protection offered by a MagneSafe product.
Other credit card devices claim to encrypt data in the reader. NTC’s iDynamo encrypts the data inside the read head, closest to the magnetic stripe and offers additional credit card security layers with immediate tokenization of card data and MagnePrint card authentication. This layered approach to security far exceeds the protection of encryption by itself, decreases the scope of PCI compliance, and reduces fraud.
NTC’s iDynamo is rugged and affordable, so it not only withstands real world use, it performs to the high standards set by MagTek as the leader in magnetic credit card swipe reading products for nearly 40 years.
February 18th, 2014 by Elma Jane
Payment Tokenization Standards
Tokenization is the process of replacing a traditional card account number with a unique payment token that is restricted in how it can be used with a specific device, merchant, transaction type or channel. When using tokenization, merchants and digital wallet operators do not need to store card account numbers; instead they are able to store payment tokens that can only be used for their designated purpose. The tokenization process happens in the background in a manner that is expected to be invisible to the consumer.
EMVCo – which is collectively owned by American Express, Discover, JCB, MasterCard, UnionPay and Visa – has announced that it is expanding its scope to lead the payments industry’s work to standardize payment tokenization. EMVCo says that the new specification will help provide the payments community with a consistent, secure and interoperable environment to make digital payments when using a mobile handset, tablet, personal computer or other smart device.
Key elements of EMVCo’s work include adding new data fields to provide richer industry information about the transaction, which will improve transaction efficiency and enhance the consumer and merchant payment experience by helping to prevent fraudulent card account use. EMVCo will also create a consistent approach to identify and verify the valid use of a token during payment processing including authorization, capture, clearing and settlement.
EMVCo’s announcement follows an earlier joint announcement from MasterCard, Visa and American Express that proposed an initial framework for industry collaboration to standardize payment tokenization. EMVCo says it will now build on this framework with collective input from all of its members and the industry as a whole.
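As an added illustration of the domain-restricted tokens the post describes (merchant, device or channel), here is a small token vault: it hands merchants a PAN-shaped token that carries no information about the card number and resolves it back to the PAN only when the presented context matches. This is not EMVCo’s specification or code; the token BIN, the restriction fields and the vault interface are assumptions.

```python
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

TOKEN_BIN = "99"  # constructed token range; real token BINs are assigned by the networks


def luhn_check_digit(partial: str) -> int:
    """Luhn check digit for a digit string that does not yet carry one."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:                     # rightmost digit of `partial` is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return (10 - total % 10) % 10


def luhn_ok(number: str) -> bool:
    """True if `number` is all digits and ends in the correct Luhn check digit."""
    return (number.isdigit() and len(number) > 1
            and luhn_check_digit(number[:-1]) == int(number[-1]))


@dataclass(frozen=True)
class TokenRestrictions:
    """Where a token may be used. None on a field means the token is not restricted on it."""
    merchant_id: Optional[str] = None
    device_id: Optional[str] = None
    channel: Optional[str] = None          # e.g. "ecom", "pos", "in-app"


@dataclass
class TokenRecord:
    pan: str                               # in production this stays encrypted inside the vault
    restrictions: TokenRestrictions
    active: bool = True


class TokenVault:
    """Issues PAN-shaped tokens and resolves them to the PAN only for their designated use."""

    def __init__(self) -> None:
        self._records: Dict[str, TokenRecord] = {}

    def tokenize(self, pan: str, restrictions: TokenRestrictions) -> str:
        if not luhn_ok(pan):
            raise ValueError("PAN fails the Luhn check")
        while True:
            # Random, so the token reveals nothing about the PAN; PAN-shaped (16 digits,
            # Luhn-valid) so it flows through authorization, capture, clearing and settlement.
            body = TOKEN_BIN + "".join(secrets.choice("0123456789") for _ in range(13))
            token = body + str(luhn_check_digit(body))
            if token not in self._records:
                break
        self._records[token] = TokenRecord(pan, restrictions)
        return token

    def deactivate(self, token: str) -> None:
        """Revoke one token (e.g. a lost phone) without reissuing the underlying card."""
        if token in self._records:
            self._records[token].active = False

    def detokenize(self, token: str, *, merchant_id: str, device_id: str,
                   channel: str) -> Tuple[Optional[str], str]:
        """Return (pan, "ok") when the presented context matches the restrictions, else (None, reason)."""
        rec = self._records.get(token)
        if rec is None:
            return None, "unknown token"
        if not rec.active:
            return None, "token deactivated"
        r = rec.restrictions
        checks = (("merchant", r.merchant_id, merchant_id),
                  ("device", r.device_id, device_id),
                  ("channel", r.channel, channel))
        for name, expected, presented in checks:
            if expected is not None and expected != presented:
                return None, f"{name} mismatch"
        return rec.pan, "ok"


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample: a well-known test PAN, tokenized for one merchant's e-commerce channel
    token = vault.tokenize("4111111111111111",
                           TokenRestrictions(merchant_id="MER-001", channel="ecom"))
    print("merchant stores:", token)
    print("same merchant, ecom:",
          vault.detokenize(token, merchant_id="MER-001", device_id="web", channel="ecom"))
    print("presented at another merchant:",
          vault.detokenize(token, merchant_id="MER-002", device_id="web", channel="ecom"))
```

Because the merchant only ever holds the token, a copy of its database yields card numbers that are useless anywhere but at that merchant on that channel, and a single token can be switched off without touching the card.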
February 17th, 2014 by Elma Jane
Facts about Chargeback
Merchants know chargebacks are bad, but many aren’t aware of simple facts that can help them better understand and guard against fraud accordingly.
Do you know which month is the worst for fraud chargebacks, which transaction amounts are the most likely to be disputed, or which U.S. states are the biggest offenders? If not, a Big Data fraud science firm will help you prepare for a smoother 2014.
Facts you’ll learn:
The most common fraudulent chargeback amount.
The day of the week when chargebacks are most likely to occur.
The time of year chargebacks are most likely to occur.
49% of all fraudulent chargebacks happen after 60 days or more from date of purchase.
$1,000 is the most common attempted unauthorized sales amount (followed by $2,500, $2,000, $1,500 and $5,000).
11% of all fraudulent transactions fall under Merchant Category Code 7299.
“Services” is the word most often found in registered fictitious names for fraudulent merchant accounts.
Wednesday is the day of the week when the most chargebacks (19%) occur.
One-third of all fraud chargebacks happen in the fall (September to November).
California is the top state registered by fraudulent businesses, accounting for 14% of the U.S. chargeback total.
Florida, Texas and New York round out the top four states with 12%, 9% and 7% respectively.
February 14th, 2014 by Elma Jane
News from Target, increasing the number of cards compromised to 70 million and the expansion of data loss to mailing and email addresses, phone numbers and names, affirms that we are in a security crisis.
Card data is, from a brand and business perspective, the new radioactive material. Add personally identifiable information (PII) to the list of toxic isotopes.
The depressing vulnerabilities these breaches reveal are a result of skilled hackers, the Internet’s lack of inherent security, inadequate protections through misapplied tools or their outright absence. Security is very very hard when it comes to playing defense.
There is a set of new technologies that could, in combination, produce a defense in depth that we have not enjoyed for some time.
Looking at the Age of Context (ACTs)
Age of Context, a recently released book based on hundreds of interviews conducted with tech start-up and established company leaders, is a wide-ranging survey. The authors examine what happens when our location and whom we are connected to are combined with the histories of where and when we shop. The result is a very clear picture of our needs, wants and even what we may do next.
Combining the smartphone and the cloud, five Age of Context technologies (ACTs) will change how we live, interact, market, sell and navigate through our daily and transactional lives. The five technologies are:
1. Big Data. The ocean of data generated from mobile streams and our online activity can be examined to develop rich behavioral data sets. This data enables merchants to mold individually targeted marketing messages or lets financial institutions improve risk management at an individual level.
2. Geolocation. Nearly every cell phone is equipped with GPS. Mobile network operators and an array of service providers can now take that data to predict travel patterns, improve advertising efficiency and more.
3. Mobile Devices and Communications. These are aggregation points for cloud-based services, sending to the cloud torrents of very specific data.
4. Sensors. Smartphones, wearables (think Fitbits, smart watches and Google Glass) and other devices are armed with accelerometers, cameras, fingerprint readers and other sensors. Sensors enable highly granular contextual placement. A merchant could know not only which building we are at and the checkout line we are standing in but even which stack of jeans we are perusing.
5. Social. Social networks map the relationships between people and the groups they belong to, becoming powerful predictors of behavior, affiliations, likes, dislikes and even health. Their role in risk assessment is already growing.
The many combinations and intersections of these technologies are raising expectations and concerns over what is to come. Everyone has a stake in the outcome: consumers, retailers, major CPG brands, watchdog organizations, regulators, politicians and the likes of Google, Apple, Microsoft, Amazon, eBay / PayPal and the entire payments industry.
We are at the beginning of the process. We should have misgivings about this and as an industry, individuals and as a society, we need to do better with respect to privacy and certainly with respect to relevance.
Provided we can manage privacy permissions we grant and the occasionally creepy sense that someone knows way too much about us, the intersections of these tools should provide more relevant information and services to us than what we have today. Anyone who has sighed at the sight of yet another web ad for a product long since purchased or completely inappropriate to you understands that personalized commerce has a long way to go. That’s part of what the Age of Context technologies promise to provide.
ACTs in Security
The ACTs’ role in commerce is one, albeit essential, application. They have the potential to power security services as well, especially authentication and identity-based approaches. We can combine data from two or more of these technologies to generate more accurate and timely risk assessments.
It doesn’t take the use of all five to make improvements. One firm has demonstrated that the correlation of just two data points is useful: if you can show that a POS transaction took place in the same state as the cardholder’s location (based on triangulated cell phone tower data), you can improve risk assessment substantially.
Powerful questions of each technology that ACTs let us ask:
Data – What have I done in the past? Is there a pattern? How does that fit with what I’m doing now?
Geolocation – What building am I in? Is it where the transaction should be? Which direction am I going in or am I running away?
Mobile – Where does the device typically operate? How’s the device configured? Is the current profile consistent with the past?
Sensors – Where am I standing? What am I looking at? Is this my typical walking gait? What is my heart rate and temperature?
Social – Am I a real person? Who am I connected to? What is their reputation?
Knowing just a fraction of the answers to these questions places the customer’s transaction origination, the profiles of the devices used to initiate that transaction and the merchant location into a precise context. The result should improve payment security.
More payments security firms are making use of data signals from non-payment sources, going beyond the traditional approach of assessing risk based primarily on payment data. One firm has added social data to improve fraud detection for ecommerce payment risk scoring. Another firm, calling its approach Social Biometrics, evaluates the authenticity of social profiles across multiple social networks including Facebook, Google+, LinkedIn, Twitter and email with the goal of identifying bogus profiles. These tools are of course attractive to ecommerce merchants and others employing social sign-on to simplify site registration. That ability to ferret out bogus accounts supports payment fraud detection as well.
This triangulation of information is what creates the notion of context. Apply it to security: if you can add the cardholder’s current location based on mobile GPS, the access device’s digital fingerprint, the payment card and the time of day when she typically shops, then the risk becomes negligible. Such precise contextual information could pave the way for retiring the distinction between card-present and card-not-present transactions in favour of a cardholder-present status to guide risk decision-making.
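As an added example (not code from the post or from any firm it mentions), here is one way to turn the questions listed above into a risk score: the state-match check from the cell-tower study, the device profile, the time-of-day pattern and the amount history, combined into a decision and a cardholder-present flag. The profile fields, the point weights and the thresholds are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Risk points per signal and decision thresholds: constructed weights, not figures from the post
APPROVE_BELOW = 20
DECLINE_AT = 50


@dataclass(frozen=True)
class CardholderProfile:
    """What the issuer already knows from history and account opening (assumed fields)."""
    home_state: str                     # state where the card is normally used
    known_devices: FrozenSet[str]       # device fingerprints seen on past good transactions
    typical_hours: Tuple[int, int]      # [start, end) hours of the day the holder usually shops
    usual_max_amount: float             # largest amount in recent history


@dataclass(frozen=True)
class Transaction:
    """One authorization request plus the contextual signals that arrive with it."""
    merchant_state: str
    device_fingerprint: Optional[str]   # None for a plain card-present swipe
    hour: int                           # local hour of day, 0-23
    amount: float
    phone_state: Optional[str]          # state from the holder's phone (GPS or tower), None if unavailable


def score_signals(profile: CardholderProfile, txn: Transaction) -> Dict[str, int]:
    """Answer the ACT questions as risk points; 0 means the signal corroborates the cardholder."""
    signals: Dict[str, int] = {}

    # Geolocation: is the purchase where the cardholder (or at least the card's home) is?
    if txn.phone_state is not None:
        signals["location"] = 0 if txn.phone_state == txn.merchant_state else 40
    else:
        signals["location"] = 10 if txn.merchant_state == profile.home_state else 25

    # Mobile: is this a device we have seen the cardholder use before?
    if txn.device_fingerprint is None:
        signals["device"] = 5
    else:
        signals["device"] = 0 if txn.device_fingerprint in profile.known_devices else 25

    # Data: does the time of day fit the past pattern?
    start, end = profile.typical_hours
    signals["time"] = 0 if start <= txn.hour < end else 15

    # Data: is the amount in line with history?
    signals["amount"] = 0 if txn.amount <= profile.usual_max_amount else 15
    return signals


def decide(profile: CardholderProfile, txn: Transaction) -> Dict[str, object]:
    """Combine the signals into a decision plus the cardholder-present status the post describes."""
    signals = score_signals(profile, txn)
    total = sum(signals.values())
    # Phone location and device both corroborate the holder: treat as cardholder present
    cardholder_present = signals["location"] == 0 and signals["device"] == 0
    if total < APPROVE_BELOW:
        decision = "approve"
    elif total < DECLINE_AT:
        decision = "review"
    else:
        decision = "decline"
    return {"decision": decision, "total": total,
            "cardholder_present": cardholder_present, "signals": signals}


# Constructed sample profile
PROFILE = CardholderProfile(home_state="CA", known_devices=frozenset({"dev-a1"}),
                            typical_hours=(8, 22), usual_max_amount=300.0)

if __name__ == "__main__":
    usual = Transaction("CA", "dev-a1", hour=12, amount=45.0, phone_state="CA")
    odd = Transaction("NY", "dev-zz", hour=3, amount=900.0, phone_state="CA")
    for name, t in (("usual", usual), ("odd", odd)):
        print(name, decide(PROFILE, t))
```

Note that a transaction with no phone signal and no app device never reaches the cardholder-present status here: the corroboration is what earns it, not merely the absence of bad signals.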
Sales First, Then Security
The use of ACT-generated and derived signals will be based on the anticipated return for the investment. Merchants and financial institutions are more willing to pay to increase sales than to pay for potential cost savings from security services. As a result, the ACTs will impact commerce decision-making first: who to display an ad to, who to provide an incentive to.
New Combinations
Behind the scene, the impact of the ACTs on security will be fascinating and important to watch. From a privacy perspective, the use of the ACTs in security should prove less controversial because their application in security serves the individual, merchant and the community.
Determining the optimal mix of these tools will take time. How different are the risks for QR-code initiated transactions vs. a contactless NFC transaction? What’s the right set of tools to apply in that case? What sensor-generated data will prove useful? Is geolocation sufficient? Will we find social relationships to be a strong predictor of payment risk, or are these more relevant for lending? And what level of data sharing will the user allow, a question that grows in importance as data generation and consumption is shared more broadly and across organizational boundaries. It will be important for providers of security tools to identify the minimum data for the maximum result.
I expect the ACTs to generate both a proliferation of tools to choose from and a period of intense competition. The ability to smoothly integrate these disparate tool sets will be a competitive differentiator, because for many merchants the difficulty of deployment is as important as cost. Similar APIs would be a start.
Getting More from What We Already Have
The relying parties in a transaction – consumers, merchants, banks, suppliers – have acquired their own tools to manage those relationships. Multi-factor authentication is one tool kit. Banks, of course, issue payment credentials that represent an account and proxy for the cardholder herself at the point of sale or online. Financial institutions perform know-your-customer work at account opening to assure identity and lower risk.
Those siloed efforts are now entering an era where the federated exchange of this user and transactional data is becoming practical. Firms are building tools and the economic models to leverage these novel combinations of established attributes and ACT generated data.
The ACTs are already impacting the evolution of the payments security market. Payment security incumbents, to choose just two from the social side, find themselves in an innovation-rich period. Done well, society’s security posture could strengthen.
February 13th, 2014 by Elma Jane
Core Elements of PCI’s Data Security Standard
It is impossible to be involved in the credit card processing industry and not be aware of the PCI Security Standards Council. This organization provides an international platform for the ongoing development, enhancement, storage, dissemination and implementation of security standards for account data protection.
As such it is important to be aware of the core elements of the PCI’s Data Security Standard (DSS).
The following are the current fundamental principles and requirements:
Build and Maintain a Secure Network
Requirement a. Install and maintain a firewall configuration to protect cardholder data
Requirement b. Do not use vendor-supplied defaults for system passwords and other security parameters
Implement Strong Access Control Measures
Requirement c. Restrict access to cardholder data by business need-to-know
Requirement d. Assign a unique ID to each person with computer access
Requirement e. Restrict physical access to cardholder data
Maintain a Vulnerability Management Program
Requirement f. Use and regularly update anti-virus software
Requirement g. Develop and maintain secure systems and applications
Maintain an Information Security Policy
Requirement h. Maintain a policy that addresses information security
Protect Cardholder Data
Requirement i. Protect stored cardholder data
Requirement j. Encrypt transmission of cardholder data across open, public networks
Regularly Monitor and Test Networks
Requirement k. Track and monitor all access to network resources and cardholder data
Requirement l. Regularly test security systems and processes
February 3rd, 2014 by Elma Jane
The migration to cards that use chips instead of magnetic stripes, known as EMV technology, is well underway in the U.S. No government regulation is needed to make it happen. But the EMV migration and the Target breach are different things. It’s true that EMV chip cards can prevent criminals from producing counterfeit cards using stolen account numbers. But EMV doesn’t stop criminals from using stolen card data online. So innovators are deploying new technologies to deter other forms of fraud.
Headline-grabbing events inevitably lead to calls for new laws. But in the case of our nation’s electronic payments systems, new government mandates would stifle marketplace innovations that hold great promise for providing consumer benefits and reducing criminal activities.
Financial institutions compete for customers by providing consumer protections even beyond the requirements of current law. Many retailers also offer customers speedy transactions, such as “sign and go” and “swipe and go” for small transactions, while the payments industry ensures consumers still have zero liability. These protections and this flexibility are why U.S. consumers are going cashless and carry more than one billion debit and credit cards. More than 70% of retail purchases are made with electronic payments, and our member companies process more than $4 trillion in electronic payments each year.
Fraud accounts for less than six cents of every $100 spent on payments systems – a fraction of a tenth of a percent. U.S. companies have made significant financial and technological investments, building sophisticated fraud tools that insulate consumers from liability. To build on this, Congress should foster greater international law enforcement cooperation to fight cybercrime, particularly in countries that harbor crime rings, and replace 46 divergent state breach notification laws with a uniform national standard.
The private sector is best positioned to address the constantly shifting tactics of criminals, and it is doing so without government mandates. Do Americans really want the government in charge of the security and monitoring of our payments?
January 30th, 2014 by Elma Jane
As many as 40 million Target customers were affected over the holidays when thieves got into their credit and debit card data. If you shopped at Target between November 27 and December 15 while thieves were hacking data, you’re unlikely to lose a dime. Federal law and industry practices protect virtually all customers from any liability for fraudulent charges. The real problem is that so many breaches occur in the first place. Credit and debit card fraud has nearly quadrupled in the past decade, hitting $11.3 billion in losses worldwide last year. That hurts profits and raises the cost of goods. The U.S. accounts for more than its share of fraud, and hardly a month goes by when there isn’t a breach at some large U.S. retailer, in part because the U.S. lags other countries in card security.
After the Target breach, the stolen account information flooded underground markets that operate on the Internet, selling batches of data that allow thieves to counterfeit cards and shop till they drop. The best thing that could happen is if this latest megabreach forced the industry and Congress to fix some of the system’s most troubling vulnerabilities.
Cyberthieves are growing more sophisticated, and nothing can prevent every data breach. But when a company as big as Target can be hacked for 19 days to the tune of 40 million records, consumers deserve more modern and tougher protections.
Some ideas for curbing cybercrime:
Put stronger protections on debit cards. Credit cards carry the gold standard in protection against having to pay for fraudulent charges. Federal law limits losses to $50, and most issuers take that down to zero. After a data breach, debit cards are similarly protected. But if your debit card is lost or stolen, by law you could lose up to $500, and reimbursement may depend on how quickly you report the loss. There’s no sound reason for the gap. It should be eliminated.
Set federal standards to protect data. The industry, led by Visa and MasterCard, has always provided its own security standards to keep data safe. Obviously, they’re not working. Federal standards could help, especially if backed by sanctions for flouting them. The Federal Trade Commission has some authority, but the law is nearly 100 years old, and some companies have challenged the agency in court. Since the Target breach, several senators are calling for more federal authority.
Get with the 21st century. The U.S. is far behind Europe, which almost a decade ago replaced the magnetic stripe on cards with a digital chip that prevents thieves from counterfeiting cards with stolen data. That’s one reason the U.S. has become a mecca for hackers. The U.S. industry is migrating to these “EMV” cards, but it has moved slowly. The players fight among themselves over everything from who pays to the type of security. Requiring cardholders to use PINs would provide the best security. Whatever the decision, the industry needs to get moving to meet a self-imposed 2015 deadline.