Category: Payment Card Industry PCI Security
June 13th, 2014 by Elma Jane
A couple of teenage boys spent one school lunch break last week hacking into a Bank of Montreal cash machine.
After finding an old ATM service manual online, Matthew Hewlett and Caleb Turon decided to head to their nearest BMO machine, at a Safeway store in their hometown of Winnipeg. When the boys tried to get into the system they were asked for a password. Taking a punt on a commonly used default, they were shocked to see their attempt work. Instead of trying to clear the machine out, the pair made their way to the nearest BMO branch to flag the security risk, but staff did not believe them. So both went back to the ATM, got into the operator mode again, and started printing off documentation such as how much money was currently in the machine, how many withdrawals had happened that day and how much it had made off surcharges. The teenagers even changed the machine’s greeting screen from “Welcome to the BMO ATM” to “Go away. This ATM has been hacked.” When they returned to the BMO branch with documentation of their hack, the branch manager vowed to contact security. The bank has since taken steps to prevent a repeat but insists that customer data was never at risk.
May 8th, 2014 by Elma Jane
The complexity derives from PCI’s Data Security Standards (DSS), which include up to 13 requirements that specify the framework for a secure payment environment for companies that process, store or transmit credit card transactions.
Make PCI DSS Assessment Easier
Training and educating employees. Technical employees should obtain any certifications or training classes necessary so that they can operate and monitor the security control set in place. Non-technical employees must be trained on general security awareness practices such as password protection, spotting phishing attacks and recognizing social engineering. All the security controls and policies in the world will provide no protection if employees do not know how to operate the tools in a secure manner. Likewise, the strongest 42-character password with special characters, numbers, mixed case, etc. is utterly broken if an employee writes it on a sticky note attached to their monitor.
For an organization to effectively manage its own risk, it must complete a detailed risk analysis of its own environment. The goal of the risk analysis is to determine the threats and vulnerabilities to the services the organization performs and the assets it holds. As part of a risk assessment, the organization should define its critical assets, including hardware, software and sensitive information, and then determine risk levels for those components. This in turn allows the organization to determine priorities for reducing risk. It is important to note that risks should be prioritized first for systems that will be in scope for PCI DSS and then for other company systems and networks.
Once the risk assessment has been completed the organization should have a much clearer view of its security threats and risks and can begin determining the security posture of the organization. Policies and procedures form the foundation of any security program and comprise a large percentage of the PCI DSS requirements. Business leaders and department heads should be armed with the PCI DSS requirements and the results of the risk analysis to establish detailed security policies and procedures that address the requirements but are tailored to business processes and security controls within the organization.
Building upon the foundation of security policies, the committee of business leaders and department heads should now review the PCI DSS requirements in detail and discuss any potential compliance gaps and establish a remediation plan for closing those gaps. This is where it is important to have the full support of business leaders who can authorize necessary funds and manpower to implement any remediation activities.
This is also the time to schedule the required annual penetration testing. These tests are typically performed by third parties, though that is not required, and they can take some time to schedule, perform and remediate (if necessary). The results of a PCI DSS assessment will be delayed until the penetration test is completed, so now is the time to schedule the test.
At this point the organization is ready for a full-scale PCI DSS assessment and can now enter a maintenance mode where periodic internal audits occur and regular committee meetings are held to perform risk assessments and update policies, procedures, and security controls as necessary to respond to an ever changing threat landscape. PCI DSS must become integrated into the everyday operation of the organization so that the organization remains secure and to ease the burden of the annual assessments.
Payment Card Industry (PCI) compliance assessment is a major task for any size organization, but you can make it easier.
May 6th, 2014 by Elma Jane
Which fee structure works best remains unclear, despite the recent high-profile data security breaches that are emphasizing the need for security measures. Acquirers charge fees – or not – based on what’s best for their business model and their security objectives.
Some charge merchants that comply, others charge merchants that fail to comply and a few charge both. Some Independent Sales Organizations (ISOs) don’t charge merchants a fee for helping them comply with the Payment Card Industry Data Security Standard (PCI DSS).
If there is any trend, it’s that more banks are finding that some sort of funding is necessary to run a program that gets any results. That funding covers costs for security assessments and compliance assistance as well as internal resources for acquirers. When it comes to covering those costs and creating incentives for compliance, no one fee structure is ideal.
Non-compliance fees encourage merchants to comply so they can save money, but the fees may not accomplish that. Unless you charge exorbitantly, it’s not going to have the effect you want it to have, and by the time you charge that much, the merchant’s just going to move to a different ISO.
ISOs charging non-compliance fees often claim the fee revenue goes into an account designated for use in case of a breach. Non-compliance fees can also reward acquirers for doing nothing to increase compliance. You get a situation where a bank has a revenue stream. Their objective is not to increase the revenue stream but to increase compliance; yet when they increase compliance, the revenue stream goes down.
It is recommended to some acquirers that they consider charging merchants fees for doing things like storing card data, which could be checked with a scanning tool. Merchants that do store data or fail to run the scan would be charged a fee. That is something that could really decrease risk, because if you’re not storing card data, even if you are breached, there’s nothing to get.
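A minimal version of the kind of stored-card-data scan the paragraph above refers to, added here as an illustration (it is not a tool from the article or from any acquirer): it looks for 13-19 digit runs in text, validates each candidate with the Luhn check so that ordinary numbers such as order IDs and mistyped digits are discarded, and reports only masked PANs so the scanner itself never copies cardholder data into its own output. The sample log lines and the file name are constructed.

```python
import re

# A candidate is 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every second digit from the right is doubled."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits, as a finding should."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_text(text: str, source: str) -> list:
    """Return one masked finding per Luhn-valid PAN found in `text`."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            # The Luhn check filters most non-card digit runs (order numbers,
            # phone numbers, timestamps); remaining hits still need human review.
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append({"source": source, "line": lineno, "masked": mask(digits)})
    return findings


# Constructed sample: two real test-card numbers in different formats, one
# already-masked value and one digit run that fails the Luhn check.
SAMPLE_LOG = """\
2014-05-06 order=1001 card=4111 1111 1111 1111 amount=19.99
2014-05-06 order=1002 card=****1111 amount=5.00
2014-05-06 order=1003 ref=4111111111111112 note=not-a-card
2014-05-06 order=1004 card=5555-5555-5555-4444 amount=3.25
"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE_LOG, "constructed.log"):
        print(f"{finding['source']}:{finding['line']}: possible PAN {finding['masked']}")
```

Run over real storage (logs, database dumps, spreadsheets) the same logic tells a merchant or acquirer whether card data is being retained at all; a clean scan is the cheapest way to take a system out of PCI DSS scope.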
Simplifying the compliance verification process, by making assessment questionnaires available on its merchant portal and by teaching merchants about PCI, will minimize the potential impact of fraud by increasing compliance, which saves the company money in the long run versus a more laissez-faire approach of fees without education and compliance tools.
It’s more important to educate the merchant; that is the spirit and intent of PCI DSS as supported by the card associations. Visa and MasterCard support it because of the severe impact of a breach or other data compromise, not as a revenue source.
ISOs and other players in the payments chain that do not work to help merchants comply are also putting themselves at risk. Breached merchants may be unable to pay fines that come with a data compromise, potentially leaving ISOs responsible for paying them. Merchants that go out of business because of a data breach also stop providing the ISO with revenue.
Plus, when merchants ask why they’re being charged a non-compliance fee, point them to the questionnaire and explain that they’ll stop being charged as soon as they demonstrate they comply with PCI.
May 6th, 2014 by Elma Jane
Mobile commerce platform provider ROAM, an Ingenico company, has expanded its mPOS solutions to include chip-and-PIN acceptance with the RP750x mobile card reader. The reader allows mPOS players to get to market quickly with their own custom-branded solution, providing merchants with a powerful set of features that include device and fraud management, remote application configuration, and an mPOS application that can be localized for any language and currency in any country. Features include:
Backlit display, EMV PIN pad, magnetic stripe reader, NFC reader and smart card reader.
Configurable through the cloud, enabling direct shipment from the factory to any country.
Connects with smartphones, tablets and feature phones via Bluetooth or audio jack.
Customizable for branding and form factor.
Compact form factor, just slightly larger than a credit card.
PCI PTS 3.1 with SRED, EMV Level 1 and 2, Visa-ready (compliant with the latest industry standards).
May 6th, 2014 by Elma Jane
MasterPass in-app payments is the latest offering from MasterCard to address the specific needs of the digital ecosystem. With MasterPass in-app payments, MasterCard is creating great experiences for consumers across all channels and all devices, and enabling merchants to reach new consumers in ways not possible in the pre-digital world.
MasterCard has announced MasterPass in-app payments, which enable consumers to make secure purchases within a mobile app. MasterPass in-app payments eliminate the need to store payment card credentials across numerous mobile apps, providing consumers with a fast and simple payment experience.
MasterCard is also developing a framework to make all payments using MasterPass as secure as, or more secure than, anything else, ensuring that consumers can benefit from the highest possible levels of security.
MasterPass in-app payments extend the capabilities of the current browser-based MasterPass digital service into the mobile app environment, and provide consumers with one secure direct relationship with their bank. Apps with MasterPass embedded in them enable consumers to complete a purchase with as few as one click or touch on their favorite connected device without leaving the app environment. MasterPass in-app payments will be made available to developers and merchants beginning in Q2 of this year.
May 6th, 2014 by Elma Jane
Bank of Lanzhou in China has rolled out ATMs incorporating finger vein authentication technology from Japanese vendor OKI.
Following a trial, Bank of Lanzhou has deployed OKI’s Recycler G7 ATMs, which include a finger vein authentication module co-developed with Mofiria.
OKI says that using vein patterns to identify customers is more secure than fingerprints and also minimises the calculations required for authentication.
The deal is OKI’s first for finger vein ATMs in China, but the technology is widespread in Japan, where tens of thousands of machines now require customers to scan their hands to access their cash.
May 5th, 2014 by Elma Jane
The Payment Card Industry (PCI) Data Security Standard (DSS) has come under criticism as high profile data breaches continue to expose flaws in retailers’ data security systems. But telecommunications firm Verizon Wireless concluded that the PCI DSS is working.
Some Responses to Criticisms
Verizon pointed to Nilson Report research from August 2013 that said card fraud cost the global payments market over $11 billion in 2012, and added that the frequency of the fraud schemes the PCI DSS was designed to avoid is in fact growing. And yet most businesses are not fully compliant at the time of assessment: only 51.1 percent of the companies it had audited had passed seven of the 12 requirements of the PCI DSS, and only 11.1 percent of those companies had passed all 12.
Verizon addressed some of the criticisms leveled at the PCI DSS. One concern is that the standard promotes compliance as a test to be passed and forgotten, which distracts companies from focusing on improving security. Verizon responded by stating that breached businesses were less likely to be PCI DSS compliant than unaffected companies. It also said businesses improve their chances of not being breached by having the standard in place, and of minimizing the damage of a breach should one occur.
Another common complaint leveled at the standard is that it is too cumbersome and slow moving in relation to the quickly evolving threat landscape and nimble fraudsters ready to try new tactics. Verizon countered that the PCI DSS is meant to be a set of baseline security protocols. Achieving compliance with any standard is simply not enough; organizations must take responsibility for protecting both their reputation and their customers. Most attacks on networks are of the simple variety, with 78 percent of hacking techniques considered low or very low in sophistication. Data Breach Investigations Report (DBIR) research shows that while perpetrators are upping the ante, trying new techniques and leveraging far greater resources, less than 1 percent of breaches use tactics rated as high on the VERIS (Verizon’s Data Breach Analysis Database) difficulty scale for initial compromise.
Recommendations
There’s an initial dip in compliance whenever a major update to the standard is released, so organizations will have to put in additional effort to prepare for achieving compliance with DSS 3.0.
The newest version of the standard, PCI DSS 3.0, went into effect Jan. 1, 2014. Businesses have until Jan. 1, 2015, to implement it. The updated standard has new requirements and clarifications to version 2.0 that will take time for businesses to understand and implement, and this will result in more organizations being out of compliance.
To help businesses deal with their PCI DSS compliance obligations the firm offered five approaches:
Don’t leave compliance to information technology security teams; enlist application developers, system administrators, executives and other staff in moving the process along.
Embed compliance in everyday business practices so that it is sustainable.
Integrate compliance programs into enterprise-wide governance, risk and compliance strategies.
Learn how to reduce the scope of organizations’ compliance responsibilities, chiefly by figuring out how to store less data on fewer systems.
Think of compliance as an opportunity to improve overall business processes, rather than as a burden.
April 18th, 2014 by Elma Jane
Capital One joins Bank of America, JPMorgan Chase and Wells Fargo, the existing stakeholders who have equally owned the network until now, as a member-owner of the ClearXchange network.
Capital One has taken a stake in ClearXchange, the US bank-backed clearing house for person-to-person online payments transfer.
ClearXchange is the first network in the U.S. created by banks that lets customers send and receive (P2P) person-to-person payments easily and securely using an email address or mobile number.
With only the recipient’s mobile number or email address, the ClearXchange network enables customers to send funds directly from their bank account to the recipient’s bank account without the need to pass on more sensitive account information.
Capital One’s EVP of digital says that partnering with clearXchange is another way of bringing safe and secure payments to their customers through convenient, digital channels.
With membership open to banks and credit unions of all sizes, ClearXchange has so far signed up only FirstBank as its sole non-owner participant, although it nonetheless claims to represent more than 50 percent of the consumer online banking market.
April 15th, 2014 by Elma Jane
Amsterdam, Netherlands-based Cardis has been piloting its technology in Europe with Raiffeisen Bank in Austria and Sberbank in Russia. It is now focused on the U.S., the fastest growing mobile payments market in the world, where it sees a huge opportunity. Cardis is integrating its technology with a large U.S. processor and with a major U.S. retail brand, which will be launching a mobile site and mobile app using the Cardis solution.
Cardis International is planning an April launch in the U.S. for its technology, which enables merchants to accept low-value contactless or mobile payments without incurring high processing charges. Cardis is able to bring down the processing cost of low-value payments, the company said, by aggregating multiple transactions into a single payment.
The problem
Contactless card and NFC-based mobile payments are typically for low amounts, and yet still use a card processing infrastructure that was designed 40 years ago when the average credit card transaction was $100.
Traditional card processing systems require each transaction to be individually processed through the payment system, including authorization, clearing and settlement. The resulting variable costs of processing each transaction are independent of the transaction amount and too high for low-value payments, particularly in low-margin industries such as quick-service restaurants. QSR restaurants often have a 3 percent profit margin, yet, for low-value contactless payments, the processing cost could be as high as 6-7 percent of the transaction value.
Mobile and contactless cards offer consumers a convenient form factor. But they don’t solve the problem that low-value card payments are very expensive for merchants.
As an ever-increasing percentage of transactions have become cashless, card processing fees have become a significant cost, and one that is based on the number of transactions rather than their value. A business with average per-person expenditures of $5 or under feels each swipe fee much more than a business where customers spend $50 or more. But not accepting credit/debit cards for low-value transactions isn’t an option, as many customers don’t carry cash anymore.
Aggregation
Cardis’ solution is to act as an aggregator of low-value payments, sending a single batched transaction through to a processor instead of multiple low-value transactions. As there is no per transaction processing of individual low-value purchases, the cost-per-transaction is significantly reduced.
Cardis provides its technology as a software plug-in to payment service providers for contact-based and contactless card payments, mobile wallet transactions and NFC payments.
There are two models. For card payments, it will aggregate multiple purchases by an individual cardholder at a single merchant on a post-paid basis up to a specific amount, for example $20. To guarantee payment to the merchant, since the aggregated transaction is processed at a later date, it will pre-authorize an amount, for example $15, the first time the customer makes a purchase at that merchant.
Alternatively, merchants can opt for Cardis’ prepaid system. This involves the consumer setting up a prepaid account hosted by Cardis’ sponsoring bank that is topped up via ACH (automated clearing house) transfers. Using the Cardis prepaid account on a smartphone provides the digital equivalent to cash.
With its post-paid solution, merchants will save 30-50 percent per transaction compared to conventional card processing fees, while its prepaid solution saves merchants 80 percent per transaction. The post-paid solution only aggregates a customer’s purchases at a single specific merchant, but because the prepaid solution aggregates the customer’s purchases across multiple merchants, it enables Cardis to offer a much lower processing fee to the merchant.
Cardis provides an audit trail enabling consumers to track individual transactions that are aggregated using its technology. Consumers don’t lose any of their card protection rights and guarantees by agreeing to let a merchant aggregate their payments through Cardis. They can always charge back any disputed transactions.
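The post-paid model described above (a pre-authorization on the first purchase, purchases accumulated per cardholder and merchant up to a ceiling, one batched capture sent to the processor, and a per-purchase audit trail the consumer can dispute against) can be simulated in a few dozen lines. The code below is an added illustration written for this page, not Cardis’ software; it uses the article’s example figures of a $15 pre-authorization and a $20 ceiling as fixed constants, assumes a fresh pre-authorization whenever a new aggregation opens, and assumes that a single purchase above the ceiling is settled on its own. The purchase scenario is constructed.

```python
from dataclasses import dataclass, field
from decimal import Decimal
from typing import Dict, List, Tuple

# Figures from the article's example; treating them as fixed constants is an
# assumption of this illustration, not documented Cardis behaviour.
PREAUTH = Decimal("15.00")   # hold placed on the first purchase at a merchant
CAP = Decimal("20.00")       # maximum a post-paid aggregation may accumulate


@dataclass
class Bucket:
    """Open aggregation for one (cardholder, merchant) pair."""
    total: Decimal = Decimal("0.00")
    items: List[dict] = field(default_factory=list)


class PostPaidAggregator:
    def __init__(self) -> None:
        self.buckets: Dict[Tuple[str, str], Bucket] = {}
        self.processor_log: List[dict] = []  # what actually reaches the card processor
        self.audit_trail: List[dict] = []    # every individual purchase, visible to the consumer
        self._batches = 0

    def purchase(self, cardholder: str, merchant: str, amount: str, ts: str) -> None:
        amt = Decimal(amount)
        key = (cardholder, merchant)
        bucket = self.buckets.get(key)
        # Never let an aggregation exceed the ceiling: settle the open one first.
        if bucket is not None and bucket.total + amt > CAP:
            self.settle(cardholder, merchant)
            bucket = None
        if bucket is None:
            # First purchase of a new aggregation: pre-authorize to guarantee payment
            # to the merchant, since the capture happens at a later date.
            self.processor_log.append({"type": "preauth", "cardholder": cardholder,
                                       "merchant": merchant, "amount": PREAUTH})
            bucket = self.buckets[key] = Bucket()
        entry = {"ts": ts, "cardholder": cardholder, "merchant": merchant,
                 "amount": amt, "batch": None}
        bucket.items.append(entry)
        bucket.total += amt
        self.audit_trail.append(entry)       # same dict object: its batch id is filled in on settle
        if bucket.total >= CAP:              # a single purchase at or above the cap settles at once
            self.settle(cardholder, merchant)

    def settle(self, cardholder: str, merchant: str) -> None:
        """Send one batched capture for everything accumulated at this merchant."""
        bucket = self.buckets.pop((cardholder, merchant), None)
        if bucket is None or not bucket.items:
            return
        self._batches += 1
        batch_id = f"batch-{self._batches}"
        for entry in bucket.items:
            entry["batch"] = batch_id        # audit trail now links each purchase to its capture
        self.processor_log.append({"type": "capture", "cardholder": cardholder,
                                   "merchant": merchant, "amount": bucket.total,
                                   "items": len(bucket.items), "batch": batch_id})

    def end_of_period(self) -> None:
        """Settlement run 'at a later date': flush every open aggregation."""
        for cardholder, merchant in list(self.buckets):
            self.settle(cardholder, merchant)

    def processor_transactions(self) -> int:
        return len(self.processor_log)

    def captured_total(self) -> Decimal:
        return sum((e["amount"] for e in self.processor_log if e["type"] == "capture"),
                   Decimal("0.00"))


def run_demo() -> PostPaidAggregator:
    """Constructed scenario: six $3.50 coffees at one QSR plus one $4.00 snack elsewhere."""
    agg = PostPaidAggregator()
    for i in range(6):
        agg.purchase("alice", "qsr-1", "3.50", f"2014-04-{10 + i:02d}T08:00")
    agg.purchase("alice", "qsr-2", "4.00", "2014-04-16T12:30")
    agg.end_of_period()
    return agg


if __name__ == "__main__":
    a = run_demo()
    print(f"{len(a.audit_trail)} purchases -> {a.processor_transactions()} processor messages")
    for e in a.processor_log:
        print(e)
```

In the constructed scenario seven purchases become three captures (plus three pre-authorizations): the sixth coffee would push the first aggregation past $20, so the five earlier ones are captured as a single $17.50 transaction and a new aggregation opens. The audit trail keeps every purchase with the batch it was captured in, which is what lets a consumer dispute one $3.50 item rather than the whole $17.50 capture.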
Cardis sees opportunities for digital content providers such as online music stores and games providers to use its aggregation technology. Its solution can integrate with existing digital wallets.
Raiffeisen
In 2012, Austria’s Raiffeisen Bank launched a pilot of Cardis technology for NFC-based Visa V Pay debit card payments in partnership with Visa Europe. Raiffeisen’s MobileCard mobile payment product uses a secure element stored on an NFC-enabled MicroSD card inserted in a mobile phone. Although Cardis supports secure elements stored on SIM cards as well as on MicroSD cards and on the cloud, Raiffeisen opted for MicroSD cards, as this is an easier solution to implement.
Raiffeisen cardholders participating in the pilot use MobileCard on average three times a week, with an average transaction value of $5.70. Merchants accepting MobileCard are seeing 40 percent to 70 percent lower merchant processing fees for average transaction values of $5.43 to $13.60.
Spindle
In October 2013, Spindle, a U.S. mobile commerce company, signed an agreement with Multi-max, a manufacturer of vending machines for mid-size and small offices throughout North America, Europe and Asia. Spindle will integrate its MeNetwork mobile commerce technology into Multi-max’s line of K-Cup vending machines for rollout across the U.S.
The MeNetwork solution will incorporate all card-based payment acceptance services, as well as mobile marketing services. Spindle’s partner Cardis will provide low-value payment processing services for purchases at K-Cup vending machines.
April 11th, 2014 by Elma Jane
The PCI DSS 3.0 standard, which took effect January 1st, introduces changes that extend across all 12 requirements, aimed at improving the security of payment card data and reducing fraud. There will be some shakeups for many organizations when it comes to their day-to-day culture and operations. Transitioning to meet the new requirements will help e-businesses build a stronger, safer, lower-risk environment for their customers.
While the growing number of digital payment avenues offers convenience to customers, it also offers a larger attack surface for criminals.
As cloud technologies and e-commerce environments continue to grow, creating multiple points of access to cardholder data, online retailers will only become more appealing targets for hackers. Cybercriminals are cunning and determined. They understand payment card infrastructures as well as the engineers who designed them do.
It’s a scary proposition, and it’s exactly why the payment card industry is so determined to help keep e-commerce organizations protected. By meeting the new standard, businesses will be better armed to fight evolving threats. The changes will also drive more consistency among assessors, help businesses reduce the risk of compromise and create more transparent provider-customer relationships.
Transitioning to PCI DSS 3.0 will involve some work, but doing that work on the front end is going to save much work down the line. Adopting the new standard ultimately will drive your e-commerce business into a secure and efficient era.
Cultural Changes – One of the main themes of 3.0 is shifting from an annual compliance approach to embedding security in daily processes. Threats don’t change just once a year. They’re constantly evolving and that means e-commerce organizations must adopt a culture of vigilance. Only through a proactive business-as-usual approach to security can you achieve true DSS compliance. Realistically, this could mean the need to provide more education and build awareness with staff, partners and providers, so that everyone understands why and how new processes are in place.
Operational Changes – The 3.0 standard addresses common vulnerabilities that probably will ring a bell with many of you. These include weak passwords and authentication procedures, as well as insufficient malware detection systems and vulnerability assessments, just to name a few. Depending on your current security controls program, this could mean you’ll need to step up in these areas by strengthening credential requirements, resolving self-detection challenges, testing and documenting your cardholder data environment and making other corrections.
Overview Changes – How much work lands on your plate will depend on your current security program. Examining your current security strategies and program is a good idea. Below are the areas requiring your attention, which this series will explore in more detail in future installments.
Service Provider Changes – Some organizations made unsafe assumptions in the past when it comes to third-party providers. Some have paid the price, from failed audits to breaches. That is one reason the new standard is designed to eliminate any confusion over compliance responsibilities. Responsibilities, specifically for management, operations, security and reporting, will all need to be spelled out in detailed contracts. In addition to improved communication, an intensified focus on transparency means that you should have a clear view of your provider’s infrastructure, data storage and security controls, along with any subcontractors that can impact your environment. So if your organization isn’t exactly clear on which PCI DSS requirements you manage and which ones your providers handle, prepare to get all of that hammered out.
The Compliance Rewards – The path to preparing for the 3.0 deadline in January 2015 sounds like a lot of work. To get started, request your QSA’s opinion on how the changes will impact your organization; by doing a gap assessment you’ll be able to address any shortcomings.
Meeting the new 3.0 requirements isn’t just about passing audits. In a fast-paced payment IT landscape, staying smart and protected is part of our commitment to our customers. Beefing up your security game not only reduces audit headaches but also earns a stronger brand reputation as a safe and reliable e-commerce business.