Category: Credit Card Security
August 27th, 2014 by Elma Jane
Backoff malware that has attacked point of sale systems at hundreds of businesses may accelerate adoption of EMV chip and PIN cards and two-factor authentication as merchants look for ways to soften the next attack. Chip and PIN is a big thing because it greatly diminishes the value of the information this malware can capture, according to Trustwave, a security company that estimates about 600 businesses have been victims of the new malware. The malware runs on the computing devices that host point of sale systems or are used to take payments, such as PCs, tablets and smartphones; the U.S. government alert on Backoff describes the attackers getting there by brute-forcing the remote desktop logins that merchants and their vendors use to administer those machines. Merchants can install software that monitors their payment systems for intrusions, but you can't just have anti-virus programs and think you are safe. Card data is particularly vulnerable because the malware reads it where it is briefly in the clear: it scrapes magnetic stripe track data from the memory of the payment application and logs the keystrokes used to make card payments, before any encryption on disk or on the network applies.
The point of sale system is low-hanging fruit because a lot of businesses don't own their own POS system. They rent them, or a small business may hire a third party to implement its point of sale system, which puts remote-access credentials and patching in someone else's hands. The Payment Card Industry Security Standards Council issued new guidance this month to address security for outsourced digital payments. EMV chip cards, which are designed to deter counterfeiting, would gut the value of any stolen data. With magnetic stripe data, the crooks can clone the card and sell it on the black market. With chip and PIN, the card computes a cryptogram that changes for each transaction, so each transaction is unique and a captured one cannot be replayed or turned into a working counterfeit chip. Even if the malware grabs the data, there is not a lot the crooks can do with it in a store; the card number itself still passes through the POS, though, which is why the value of stolen data drops rather than disappears. The EMV transition in the U.S. has recently accelerated, driven in part by recent high-profile data breaches. Even with that momentum, the U.S. may still take longer than the card networks' October 2015 deadline to fully shift to chip-card acceptance.
EMV does not by itself mitigate the threat of breaches. Two-factor authentication, the use of a second channel or computing device to authorize a login or a transaction, will likely share in the boost in investment stemming from data security concerns. The continued compromise of point of sale merchants through a variety of vectors, including malware such as Backoff, will motivate merchants to implement stronger authentication, above all on remote access to POS systems, to prevent unauthorized access to card data.
Backoff has garnered a lot of attention, including a warning from the U.S. government, but it is not the only malware targeting payment card data. It is not the types of threats that are new, but rather the frequency with which they are occurring, that has put merchants on their heels. There is also an acute need to educate small merchants on both the threats and the respective mitigation techniques. The heightened alert over data vulnerability should boost the card networks' plans to replace account numbers with substitute tokens to protect digital payments. Tokens would not necessarily stop crooks from infiltrating point of sale systems, but like EMV technology they would limit the value of the stolen data. There are two sides to the equation, the issuers and the merchants. To the extent that both sides adopt tokenization, there will be fewer breaches and they will be less severe, because the crooks will be getting a token instead of card data.
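Backoff and its relatives find card data by scraping the memory of the payment process for track-formatted strings, and a memory-inspection check can look for exactly the same thing. The following is an added example, not code from Trustwave or from the original post: it scans a byte buffer (a constructed stand-in for a dump of a POS process's memory) for ISO 7813 Track 1 and Track 2 layouts, discards digit runs that fail the Luhn check so that invoice numbers and similar do not raise alarms, and reports findings with the PAN masked to first six and last four so the scanner's own output is not itself a store of cardholder data.

```python
import re

# ISO/IEC 7813 track layouts, as a memory scraper (or a scanner) would match them.
# Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
TRACK1_RE = re.compile(rb"%?B(\d{13,19})\^([^^?]{2,26})\^(\d{4})(\d{3})[^?]*\??")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2_RE = re.compile(rb";?(\d{13,19})=(\d{4})(\d{3})\d*\??")

# Constructed sample standing in for a dump of a POS process's memory: one Track 1
# record, one Track 2 record, and two digit runs that must NOT be reported.
SAMPLE_MEMORY = (
    b"\x00\x00POSApp v2.1 txn buffer\x00\x00"
    b"%B4111111111111111^DOE/JANE^25121011000000000000?"   # Track 1, valid Luhn
    b"\x00\x00\x00"
    b";5555555555554444=2512101123456789?"                  # Track 2, valid Luhn
    b"\x00invoice 4111111111111112 total 12.50\x00"          # plain digits, no track framing
    b";1234567890123456=2512101?"                            # track framing but fails Luhn
)


def luhn_ok(pan: str) -> bool:
    """Luhn check: separates real PANs from other 13-19 digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four; PCI DSS allows that much in logs and reports."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_for_track_data(buf: bytes) -> list:
    """Return masked findings for every Luhn-valid track record in buf, ordered by offset."""
    findings = []
    for track, rx, pan_g, exp_g, svc_g in ((1, TRACK1_RE, 1, 3, 4), (2, TRACK2_RE, 1, 2, 3)):
        for m in rx.finditer(buf):
            pan = m.group(pan_g).decode()
            if not luhn_ok(pan):
                continue                    # looks like a track, but not a card number
            svc = m.group(svc_g).decode()
            findings.append({
                "track": track,
                "offset": m.start(),
                "pan": mask_pan(pan),
                "expiry": m.group(exp_g).decode(),
                "service_code": svc,
                # A service code of 2xx or 6xx means the card carries an EMV chip.
                "chip_card": svc[0] in "26",
            })
    return sorted(findings, key=lambda f: f["offset"])


if __name__ == "__main__":
    for finding in scan_for_track_data(SAMPLE_MEMORY):
        print(finding)
```

Run against a real process dump, any hit at all is an incident: a correctly built payment application keeps track data in memory for milliseconds, so a buffer full of it means either the application is hoarding it or something else has collected it.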
August 21st, 2014 by Elma Jane
Package delivery giant UPS has become the latest company to admit that customer payment card details may be at risk after it discovered malware at 51 of its US stores. In a statement, UPS says that customers who used credit and debit cards at 51 of its 4,470 franchised sites between 20 January and 11 August are at risk. Names, postal and email addresses and payment card information may all have been compromised, but UPS says that it has no evidence of any fraud and that the malware has now been eliminated. Earlier this month the US government put out an alert warning retailers about a new family of malware, dubbed Backoff, targeting point-of-sale systems. The UPS Store says it received that bulletin, as did many other US retailers, and that as soon as it became aware of the potential intrusion it deployed extensive resources to address and eliminate the issue; customers can be assured, it says, that the incident has been identified and fully contained. US merchants have found themselves under siege from hackers in recent months, with the most notable case seeing thieves use a vendor's credentials to infect POS devices with malware and steal the details of around 40 million Target customer cards.
August 19th, 2014 by Elma Jane
In response to the third-party threat, the PCI Security Standards Council has published a guide to help organizations and their business partners reduce risk by better understanding their respective roles in securing card data.
The Third-Party Security Assurance Information Supplement provides practical recommendations to help businesses and their partners protect data, including:
Conduct due diligence and risk assessment when engaging third party service providers to help organizations understand the services provided and how PCI DSS requirements will be met for those services.
Develop appropriate agreements, policies and procedures with third-party service providers that include considerations for the most common issues that arise in this type of relationship.
Implement an ongoing process for maintaining and managing third-party relationships throughout the lifetime of the engagement, including the development of a robust monitoring program.
Implement a consistent process for engaging third-parties that includes setting expectations, establishing a communication plan, and mapping third-party services and responsibilities to applicable PCI DSS requirements.
One of the big focus areas in PCI DSS 3.0 is security as a shared responsibility. This guidance is an excellent companion document to the standard in helping merchants and their business partners work together to protect consumers’ valuable payment information.
August 8th, 2014 by Elma Jane
The latest MasterCard Card Personalization Validation (CPV) module in the Collis EMV Personalization Validation Tool has been qualified by MasterCard, including support for the U.S. Common Debit AID. The tool will be used to support EMV card issuers in the U.S. and specifically checks whether MasterCard cards are correctly personalized according to the latest MasterCard specifications. It also includes specific personalization profiles to check compliance with the Durbin Amendment's debit routing requirements, which is what the U.S. Common Debit AID exists to satisfy. The Collis EMV Personalization Validation Tool is a test tool for issuers, card personalization bureaus and card manufacturers that want to validate the personalization of their contact and contactless payment cards and mobile payment applications. With the tool, issuers check the correctness of the personalization of any EMV card application against the latest test specifications of the seven major worldwide payment schemes. UL, which supplies the tool, added that it also fits seamlessly into preparation for the MasterCard CPV Formal Approval Service that UL can deliver.
August 8th, 2014 by Elma Jane
Visa Inc. is helping U.S. fuel retailers prevent credit and debit card fraud at the pump with analytics that identify higher-risk transactions that may be fraudulent. Visa Transaction Advisor (VTA) uses analytics based on the breadth and scale of VisaNet data to flag the riskiest transactions. Visa developed the service with fuel companies to understand their needs, building on its predictive analytics capabilities to give fuel merchants more intelligence to prevent fraud and improve their bottom line. While global fraud rates across the Visa payment system remain near historic lows, less than 6 cents for every $100 transacted, fuel pumps are targets for criminals because they are usually unattended self-service terminals. VTA lets merchants use real-time authorization risk scores to identify transactions that could involve lost, stolen or counterfeit cards. A pilot test of the new service showed a 23 percent reduction in the rate of fraudulent transactions, without costly infrastructure upgrades or disruption of the customer experience.
How It Works
After a cardholder inserts the card at the pump, Visa analyzes multiple data sets, such as past transactions, whether the account has been involved in a data compromise and nearly 500 other pieces of data, to create a risk score. The score comes back with the real-time authorization, which allows merchants to identify transactions with a higher risk of fraud and perform further cardholder authentication before gas is pumped. The time and costs associated with resolving fraudulent transactions can be substantial for both merchants and financial institutions, and inconvenient for cardholders, which is one of the reasons why fraud prevention is critical. Visa's solution uses existing message fields and formats, as well as the existing pump software and hardware, to ensure minimal impact on merchants and acquirers. Several fuel merchants who piloted the technology over the last several months saw a decrease in fraud without negatively impacting their customers' experience: a pilot program in Los Angeles produced a 23 percent reduction in the rate of fraudulent chargebacks, with minimal impact on the customer experience, making secure payment at the pump as convenient as possible. Shell, which provides fuel to millions of customers each month through approximately 15,000 service stations in the United States, said through its US Credit Card Operations Manager that any new solution or technology it considers has to have a clear business benefit, be customer-centric and be easy to implement; with no infrastructure investment required, Shell is testing VTA as part of a proactive fraud prevention tool-set to identify fraudulent card activity earlier in the transaction cycle without inconveniencing customers.
Visa Transaction Advisor is available to merchants through participating U.S. acquirers. Visa has partnered with Vantiv and is also working with other acquirers to offer the service to its fuel clients. Ease of implementation is a critical requirement whenever talking about a new merchant service. Visa Transaction Advisor builds on existing payment infrastructure, is easy to implement and flexible enough to allow customization by merchants.
June 24th, 2014 by Elma Jane
Compliance with a single set of regulations is often taxing enough, without other regulations causing a conflict, but this is exactly the situation that the insurance industry finds itself in with its contact centres.
PCI DSS, the card industry's security standard, requires that card data be protected: the card number (PAN) must be rendered unreadable wherever it is stored, and sensitive authentication data such as the card security code may not be stored at all after authorization. A call recording in which a customer reads out a card number is stored card data, and one that captures the security code is prohibited outright. However, the Financial Conduct Authority (FCA), the UK regulator for the financial services industry, demands that insurers keep sufficient detail of their transactions.
In insurance contact centres, FCA recommendations are met by recording calls. So in order to comply with PCI DSS, some contact centres simply pause recordings while the card information is read out and resume recording once the payment process is complete. There is a very big problem with this method: it undermines the very reason calls are recorded. The call recording is there to provide an unequivocal record of the circumstances under which the policy is granted, and a gap in this record creates doubt. What was said during this time? If a customer claims a policy was mis-sold or that they were misinformed in some way, a complete record to refute the claim no longer exists. Pausing also depends on the agent, or on automation that spots the moment, stopping the recorder at the right time; whenever that fails, the recording captures the card number anyway. The insurance industry has an inherent dependence on contact centres and person-to-person interaction when selling policies, and in the process has to somehow comply with both regimes. But how? One way is to get the sensitive card information directly and securely to the bank's payment gateway without the contact centre ever holding it. Online this is done quite easily: insurers can embed a secure payment page into a website and the customer enters the information there, so it never touches the insurer's systems. By phone a similar method can be used. The caller keys the card number on their telephone keypad, and the DTMF tones are diverted to the payment gateway rather than to the agent's line and the recorder, which hear only a flat tone in their place. The conversation continues and the recording stays complete, while the card number never enters the contact centre's environment. This solves the paradox of the conflicting regulations.
Insurance contact centres need to walk a very fine line, ensuring that they comply with all of the relevant regulations from multiple regulators – even those that, at first glance, contradict each other.
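The keypad approach described above works because a piece of telephony middleware sits between the caller and the contact centre and splits the streams: speech goes to the agent and to the compliance recorder unchanged, while DTMF tones are diverted to the payment gateway and replaced with a flat marker in everything the contact centre keeps. The following is an added example, not code from the original post or from any vendor's product: a text simulation of that proxy over a constructed call. The `gateway_tokenize` function is a stand-in for the real gateway call (an assumption; the real gateway returns an opaque reference after authorization), and `recording_contains_pan` is the check an assessor would run over the retained record.

```python
import hashlib
import re
from dataclasses import dataclass, field

# Constructed call as the telephony platform would deliver it to the middleware:
# ("speech", who, text) frames and ("dtmf", who, key) keypad presses.
CALL_EVENTS = [
    ("speech", "agent", "Please key your card number on the keypad, then press hash."),
    *[("dtmf", "caller", k) for k in "4111111111111111#"],
    ("speech", "agent", "Now the expiry as four digits, month then year, then hash."),
    *[("dtmf", "caller", k) for k in "1225#"],
    ("speech", "caller", "Done."),
    ("speech", "agent", "Thank you, the policy starts today."),
]

PAN_RUN = re.compile(r"\d{13,19}")   # anything this long in a retained record is a finding


def gateway_tokenize(pan: str, expiry: str) -> str:
    """Stand-in for the payment gateway (assumption for this example): the PAN goes
    in, only an opaque reference comes back, so nothing downstream sees the number."""
    return "tok_" + hashlib.sha256(f"{pan}|{expiry}".encode()).hexdigest()[:12]


@dataclass
class DtmfMaskingProxy:
    recording: list = field(default_factory=list)   # what the compliance recorder keeps
    agent_feed: list = field(default_factory=list)  # what the agent hears and sees
    _fields: list = field(default_factory=list)     # completed keypad entries for the gateway
    _digits: str = ""                               # entry in progress

    def _both(self, who: str, text: str) -> None:
        self.recording.append(f"{who}: {text}")
        self.agent_feed.append(f"{who}: {text}")

    def run(self, events) -> str:
        for kind, who, payload in events:
            if kind == "speech":
                self._both(who, payload)            # speech is never interrupted
            elif kind == "dtmf" and payload == "#":
                self._fields.append(self._digits)   # field complete
                self._digits = ""
                self._both(who, "[keypad entry complete]")
            elif kind == "dtmf":
                if not self._digits:                # first tone: one marker, not a gap
                    self._both(who, "[keypad tones masked]")
                self._digits += payload             # digit reaches the payment buffer only
        pan, expiry = self._fields[:2]
        if not (13 <= len(pan) <= 19 and pan.isdigit() and len(expiry) == 4):
            raise ValueError("malformed keypad entry")
        token = gateway_tokenize(pan, expiry)
        # A truncated PAN (last four) is permitted in stored records; the full PAN is not.
        self._both("system", f"payment taken, card ending {pan[-4:]}, ref {token}")
        return token


def recording_contains_pan(lines) -> bool:
    """Assessor's check: does the retained record carry anything PAN-shaped?"""
    return any(PAN_RUN.search(line) for line in lines)


if __name__ == "__main__":
    proxy = DtmfMaskingProxy()
    print("gateway ref:", proxy.run(CALL_EVENTS))
    print("\n".join(proxy.recording))
    print("PAN in recording:", recording_contains_pan(proxy.recording))
```

The design point is where the split happens: the tones are removed before the audio reaches any system the contact centre operates, so the recorder, the agent desktop and the call-analytics stack all fall out of PCI DSS scope for that data, and the record the FCA wants remains one continuous conversation.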
June 13th, 2014 by Elma Jane
A couple of teenage boys spent one school lunch break last week hacking into a Bank of Montreal cash machine.
After finding an old ATM service manual online, Matthew Hewlett and Caleb Turon headed to their nearest BMO machine, at a Safeway store in their hometown of Winnipeg. When the boys tried to enter the machine's operator mode they were asked for a password. Taking a punt on a commonly used default, they were shocked to see their attempt work. Instead of trying to clear the machine out, the pair went to the nearest BMO branch to flag the security risk, but staff did not believe them. So both went back to the ATM, got into operator mode again and started printing off documentation: how much money was currently in the machine, how many withdrawals had happened that day and how much it had made from surcharges. The teenagers even changed the machine's greeting screen from "Welcome to the BMO ATM" to "Go away. This ATM has been hacked." When they returned to the BMO branch with documentation of their hack, the branch manager vowed to contact security. The bank has since taken steps to prevent a repeat but insists that customer data was never at risk. The lesson is an old one: the operator mode of a cash machine is a service interface like any other, and a default password printed in a manual anyone can download is no password at all.
June 9th, 2014 by Elma Jane
Some American banks and financial institutions, like JPMorgan Chase, American Express and Citi, have already issued credit cards with new security technology. Other banks will do so by the end of the year. Often referred to as E.M.V. (short for Europay, MasterCard and Visa) or chip-and-PIN, these new cards use a combination of an embedded microchip and a personal numeric code to authorize payment transactions. Depending on the card issuer, some cards may have the chip but require just the old-fashioned signature instead of a PIN.
Most traditional credit cards in the United States today use a magnetic stripe and a customer signature to seal a deal. The information on the stripe is static, so it can easily be copied onto a counterfeit card, and signatures can be forged. The chip in an E.M.V. card holds a secret key that never leaves it and uses that key to compute a one-time cryptogram for each transaction, which the issuer checks before approving; a criminal who copies what passes to the merchant cannot produce the next cryptogram, which is what makes the cards harder to duplicate. On chip-and-PIN cards the PIN must also be entered for each charge, which helps make the cards more secure for in-person purchases. The cards are not infallible, though: criminals can still capture PINs at tampered terminals, and the chip plays no part in online purchases, so stolen card numbers remain usable for card-not-present fraud.
With new types of credit cards come new payment terminals, and many retailers must upgrade their equipment to make it compatible with E.M.V. cards. Instead of a slot to swipe the stripe, the new credit card terminals typically need a chip reader. Most merchants will probably have the new equipment in place by October 2015, when new rules about fraud liability kick in. Under these rules, liability for counterfeit card fraud moves from the issuing bank, which bears it today, to whichever party, bank or merchant, has not upgraded to chip technology. The party with the weaker security measures must pay.
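The point made above about the chip, and the Backoff post's remark that chip data changes for every transaction, both come down to one mechanism: the card holds a key the terminal never sees and uses it to compute a one-time cryptogram (the ARQC) over the transaction details, including a random number the terminal supplies and a counter the card increments. Below is an added example, not code from the original post or from the EMV specifications: a Python model of that exchange with the issuer's checks, set beside a magnetic stripe whose data is static. The session-key derivation and MAC use HMAC-SHA256 as a stand-in for EMV's 3DES/AES constructions, and the field set is a subset of what a real ARQC covers; those are simplifications for illustration, not the specification.

```python
import hashlib
import hmac
from dataclasses import dataclass, field


def derive_session_key(master_key: bytes, atc: int) -> bytes:
    """Per-transaction key from the card master key and the application transaction
    counter (ATC). HMAC-SHA256 stands in for EMV's 3DES/AES derivation (assumption)."""
    return hmac.new(master_key, b"EMV-session" + atc.to_bytes(2, "big"), hashlib.sha256).digest()


def application_cryptogram(session_key: bytes, amount: int, currency: int,
                           unpredictable_number: bytes, atc: int) -> bytes:
    """MAC over the transaction data (a subset of a real ARQC's input), truncated to 8 bytes."""
    data = (amount.to_bytes(6, "big") + currency.to_bytes(2, "big")
            + unpredictable_number + atc.to_bytes(2, "big"))
    return hmac.new(session_key, data, hashlib.sha256).digest()[:8]


@dataclass
class ChipCard:
    pan: str
    master_key: bytes          # personalised into the chip; the POS can never read it
    atc: int = 0

    def authorize(self, amount: int, currency: int, unpredictable_number: bytes) -> dict:
        self.atc += 1
        sk = derive_session_key(self.master_key, self.atc)
        arqc = application_cryptogram(sk, amount, currency, unpredictable_number, self.atc)
        # Everything the terminal (and any malware on it) sees is in this dict: no key.
        return {"pan": self.pan, "atc": self.atc, "arqc": arqc}


@dataclass
class MagstripeCard:
    pan: str
    expiry: str

    def swipe(self) -> str:
        # Static Track 2 data: identical on every swipe, so a copy is as good as the card.
        return f";{self.pan}={self.expiry}101?"


@dataclass
class Issuer:
    master_keys: dict                                 # pan -> card master key on file
    stripes: dict = field(default_factory=dict)       # pan -> Track 2 on file
    last_atc: dict = field(default_factory=dict)

    def verify_chip(self, amount: int, currency: int, unpredictable_number: bytes, msg: dict) -> bool:
        mk = self.master_keys.get(msg["pan"])
        if mk is None or msg["atc"] <= self.last_atc.get(msg["pan"], 0):
            return False                              # unknown card, or counter already used
        sk = derive_session_key(mk, msg["atc"])
        expected = application_cryptogram(sk, amount, currency, unpredictable_number, msg["atc"])
        if not hmac.compare_digest(expected, msg["arqc"]):
            return False                              # wrong amount, terminal nonce or key
        self.last_atc[msg["pan"]] = msg["atc"]
        return True

    def verify_stripe(self, track2: str) -> bool:
        pan = track2[1:track2.index("=")]
        return self.stripes.get(pan) == track2        # nothing here can tell a clone apart


def run_demo() -> dict:
    """Genuine, replayed and cloned transactions; returns what the issuer decided for each."""
    mk = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed card master key
    card = ChipCard("4111111111111111", mk)
    stripe = MagstripeCard("5555555555554444", "2512")
    issuer = Issuer({card.pan: mk}, {stripe.pan: stripe.swipe()})
    un_terminal_a = bytes.fromhex("a1b2c3d4")     # a real terminal draws this from os.urandom(4)
    un_terminal_b = bytes.fromhex("0badf00d")
    captured = card.authorize(1250, 840, un_terminal_a)   # $12.50 USD: what a scraper would see
    captured_track = stripe.swipe()                       # what a skimmer would see
    return {
        "genuine_chip": issuer.verify_chip(1250, 840, un_terminal_a, captured),
        "replay_same_terminal": issuer.verify_chip(1250, 840, un_terminal_a, captured),
        "replay_other_terminal": issuer.verify_chip(1250, 840, un_terminal_b, captured),
        "forged_counter": issuer.verify_chip(1250, 840, un_terminal_b, {**captured, "atc": captured["atc"] + 1}),
        "next_genuine_chip": issuer.verify_chip(1250, 840, un_terminal_b, card.authorize(1250, 840, un_terminal_b)),
        "cloned_stripe": issuer.verify_stripe(captured_track),
    }


if __name__ == "__main__":
    for name, approved in run_demo().items():
        print(f"{name:>22}: {'approved' if approved else 'declined'}")
```

The counter check catches a verbatim replay, the terminal's unpredictable number defeats a replay at a second terminal, and bumping the counter without the key just produces a cryptogram the issuer cannot reproduce; the stripe, by contrast, is accepted from the clone because there is nothing in static data for the issuer to verify.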
June 3rd, 2014 by Elma Jane
Apple announced new Touch ID API better known among the masses as fingerprint ID, which will allow app developers to use fingerprint authentication for mobile payments and other applications.
This means that in addition to protecting the mobile device itself, the technology can now be used to secure individual applications on the device against unauthorized use: a banking app can require a fingerprint before it opens or before a payment is sent. The API tells the app only whether the check passed; fingerprint data stays in the phone's secure hardware and is never handed to the app, and the app is not told which enrolled finger was used, so it cannot, for instance, reserve the left index finger for the banking app and the right thumb for unlocking the device.
The new feature for third-party software developers provides a logical progression toward removing password prompts across a range of applications, including payments, with the app's existing credential remaining as the fallback for when the fingerprint check is unavailable or fails.
Financial services providers who offer the convenience of a mobile application for their customers can now also offer said customers an additional layer of security for the information that application holds.
May 29th, 2014 by Elma Jane
A point-of-sale facial recognition system that uses NFC to help combat card fraud was created during a recent company hackathon by a group of engineers and designers from Logic PD. The hackathon was an opportunity for experts to explore useful solutions to today's challenges; with the recent significant security breaches at leading retailers, the need for this type of solution is particularly meaningful.
The solution is a multi-modal security platform for card purchases that uses NFC authentication combined with camera imaging to protect users. When a user makes a mobile payment at the point of sale, the kiosk snaps a picture of the purchaser. The image is incorporated via the cloud into the user's digital transaction record (stored and distributed via SeeControl in this example), allowing users to see who made each purchase and flag the fraudulent ones themselves, often before their bank or financial institution does.