January 23rd, 2015 by Elma Jane

Technology and software are among the most important investments a company can make, especially when it comes to security. Growing demand for IT services and security solutions prove that business owners know the threats that are out there and want to do something to guard themselves against cybercriminals.

With a well-rounded security solution a business might purchased, and with all the recommended features a business might need, was the investment really worth it? Security solutions provider Trustwave, found that organizations of all sizes are wasting their security dollars and none more so than small businesses.

Small businesses spent an average of $157 per user on security software, compared with $73 per user in larger companies. Nearly 30 percent of that investment ended up underutilized or never used due to non- or misuse of security controls and features. And yet, companies still increased their spending by 44 percent.

Why did businesses end up letting their security software go partially to waste, despite significant increases in IT spending?

Many organizations cited a lack of resources: Either IT staff was too busy to implement their security solutions properly, or didn’t have the manpower to do so.

With the alarming number of high-profile corporate breaches, businesses of all sizes are aware that they need to invest in top-of-the-line solutions. IT professionals expect a 43 percent increase in their use of cloud-based or managed security services. But the financial constraints many small companies face can prove to be an obstacle to proper security.

A few IT-related tips to help save money, which can then be reallocated toward the technological and staffing resources needed to protect a business.

Monitor software usage and eliminate solutions that aren’t being used.                                                         Seek out products that are designed for small business. Some companies offer free or discounted versions of their product to very small companies.                                                                                                               Track any IT/software purchases to ensure you’re within your budget.

Posted in Best Practices for Merchants Tagged with: , , , , , ,

September 9th, 2014 by Elma Jane

The use of customer data can help you make smarter decisions that can improve your store, enhance the shopper experience, and increase conversions. When used incorrectly, however, data can waste resources and alienate your visitors.

Ways that ecommerce merchants commonly misuse data.

Collecting Unnecessary Data

Big Data analytics and reporting tools can put a lot of information in your hands, but that doesn’t mean you should collect and track every single metric. Don’t waste space and bandwidth collecting information that is not essential in your business. Unnecessary data can create noise that slows down the analytics process. Gathering and analyzing information you don’t need can distract you from the metrics that matter. Collecting too much data can create security headaches. The best defense against breaches is to not have data to steal. If you don’t need it, don’t collect it.

Determine your store’s key performance indicators before collecting any information. A good way of doing this is to examine each metric and ask yourself whether it’s just  nice to know or is something that you can actually act on. While it may be nice to know that a particular customer has a high Klout Score, that metric probably won’t do anything for your bottom line. It’s better to not bother with it. Key metrics vary from one business to the next. For most ecommerce sites, the important metrics usually include conversion rate, traffic sources, and on-site browsing activities.

Creeping-out Shoppers

Most retailers do this inadvertently when they’re trying to customize the shopper experience. A certain amount of personalization can provide value and convenience to users, but you also have to draw the line between cool personalization and creepy. Sending emails with tailored product recommendations is a good way to increase conversions. But you have to be careful with how you execute it, so that you don’t appear too intrusive. The same goes for remarketing banner ads.

Ignoring Qualitative Information

Numbers can produce many insights, but focusing solely on that data can create an incomplete view of your company. Best data strategies make use of both quantitative and qualitative information. Go beyond the numbers to get the pulse of your customers by collecting feedback through social interactions, customer service logs, surveys with open-ended questions and more. Qualitative information can complement and validate the hard numbers.

Using Data to Justify a Decision or Hypothesis

When it comes to data collection, many merchants fall into the confirmation bias trap, wherein they interpret the information to confirm their existing beliefs or to justify their decisions. Using data this way causes you to ignore information or results that aren’t in line with your beliefs and could result in you missing opportunities. Say a company has so much faith in its new marketing strategy that when website traffic improves, the staff deems the campaign a success without looking at the conversion or retention rates. If the staff had ignored initial biases and looked at the big picture instead, they could have identified flaws and found ways to correct them. The key to addressing this is to have an open mind when interpreting information. This can be difficult, especially when you’re too close to your business. Consider a third-party specialist who can remain objective, to help make the right decisions.

 

Posted in Best Practices for Merchants, e-commerce & m-commerce Tagged with: , , , , , , , , , , , , , , ,

August 28th, 2014 by Elma Jane

Merchants are still using pedestrian passwords that crooks can easily break, security company Trustwave has found. Of the nearly 630,000 stored passwords that Trustwave obtained during penetration tests in the past two years, its technicians were able to crack more than half in just a few minutes and 92% within 31 days. Even though adding new information about weak passwords or ongoing malware investigations gets frustrating because the same problems facing the financial and payments industries persist, it does not surprise Trustwave researchers. For a lot of software or hardware developers, their main concern is availability of the service. They want to make sure their POS is available and running to accept credit cards, often at the cost of a lot of security controls. It is difficult to implement security and to do it correctly.

Trustwave recommends longer passwords with more characters, rather than shorter ones with letters and numbers. A longer password that is a phrase not easily figured out is better than a shorter, complex password. These findings have been added to an online version of the 2014 Trustwave Global Security Report. To accommodate the fast changing nature of security threats, Trustwave is regularly updating its research and making the information available to consumers and payments industry stakeholders on the company’s site. The criminals stealing data are a constantly moving target. It no longer made sense for those interested in our research to have to wait a year to see new statistics. Having access to updated security reporting should be helpful to merchants. They can see how trends are tracking over time, instead of constantly having to go online to see what is relevant to them or rely on the trade groups to keep them informed. This provides one switch to keep them in the know, so there is some value there and it’s a smart move on Trustwave’s part. Since the new Payment Card Industry security requirements call for security measures to be embedded in software development lifecycles, there is some utility in Trustwave’s new approach to sharing research information.

Trustwave said the trend of businesses detecting breaches continues to rise, with 29% of businesses doing so in 2013 compared to only 9% in 2009. Trustwave compiled that data from 691 post-breach forensics investigations conducted in 2013. The report also indicated e-commerce breaches are increasing, with 54% of all breaches targeting e-commerce sites in 2013, compared to only 9% in 2010. More regions, including the U.S., being in various stages of converting to EMV chip-based cards for card-present transactions fuels the criminals’ shift to e-commerce fraud. Additionally, the company is working with law enforcement officials after discovering a control center of eight servers behind what is being called Magnitude, an exploit kit of Russian origin that has led to thousands of attacks and millions of attempted malware attacks globally.

Posted in Best Practices for Merchants, Payment Card Industry PCI Security, Point of Sale Tagged with: , , , , , , , , , , , , , , , , , , , , , , , ,

June 5th, 2014 by Elma Jane

The days of salespeople peddling point of sale terminals by simply pulling hardware out of a box are numbered. That model is being replaced by integrated payments from software developers who add payment capabilities to applications that run at the point of sale, in the back office or on mobile devices.

Integrated payments are becoming common in the restaurant industry, where systems are developed to combine payment acceptance with the ability to manage orders, tables and food delivery. As integrated payments become more common, companies working in the payments industry will seek ways to offer marketing analytics. You tie that type of data to the payment mechanism and you can learn more about your business and your customers.

There is a place in the ecosystem for traditional payment acceptance, but today, when a retailer shops for a point of sale terminal or other business solutions, they expect payments to be part of the integrated bundle. Many of these systems are now delivered in a software-as-a-service model or through tablets, making them cost-effective for businesses of any size.

Integrated commerce includes mobile acceptance, offers, coupons and loyalty. It enables a merchant to buy a point of sale system for the physical store, website and mobile environment at the same time. Then the merchant can send out offers and begin running a loyalty program, while accepting NFC transactions all at once. Merchants can also review transactions from all channels directly from their offices to monitor against data breaches. With those integrated services becoming more readily available for merchants, it is not surprising that the topic comes up when executives discuss their company’s goals.

Relationships with merchants through integrated payments tend to be sticky because it is an embedded solution. You tend to get better pricing because it’s not necessarily an acquiring decision but a POS software/hardware decision and acquiring is part of that package. Payments as a service will be an important global product, selling a terminal now means selling data security, warranty and service, and numerous merchant tools.

Posted in Best Practices for Merchants, Credit Card Reader Terminal, Point of Sale Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

May 29th, 2014 by Elma Jane

A point-of-sale facial recognition system that uses NFC to help combat card fraud has been created during a recent company hack-a-thon, together with a group of engineers and designers from Logic PD. Hackathon was an opportunity for experts to explore the possibilities of useful solutions to today’s challenges, with the recent significant breaches in security at leading retailers, the need for this type of solution is particularly meaningful.

The solution, is a multi-modal security platform for card purchases, uses NFC authentication combined with camera imaging to protect users. When users make a mobile payment at the point of sale, the kiosk snaps a picture of the purchaser. This image can be incorporated via the cloud into the user’s digital transactional record, which was stored and distributed via SeeControl in this example, allowing users to identify who made each purchase, and easily identify those that are fraudulent even before banks and financial institutions.

Posted in Credit Card Security, Mobile Payments, Mobile Point of Sale, Point of Sale, Smartphone Tagged with: , , , , , , , , , , , , , , , ,

April 11th, 2014 by Elma Jane

PCI DSS 3.0 standard, which took effect January 1st, introduces changes that extend across all 12 requirements, aimed to improve security of payment card data and reducing fraud. There will be some shakeups for many organizations when it comes to their day-to-day culture and operations. Transitioning to meet the new requirements will help e-business build a stronger, safer, lower-risk environment for their customers.

While the growing number of digital payment avenues offers convenience to customers, it also offers a larger attack surface for criminals.

As cloud technologies and e-commerce environments continue to grow, creating multiple points of access to cardholder data and online retailers will only become more appealing targets for hackers. Cybercriminals are cunning and determined. They understand payment card infrastructures as well as the engineers who designed them.

A scary proposition and it’s exactly why the payment card industry is so determined to help keep e-commerce organizations protected. Meeting the new standard, businesses will be better armed to fight evolving threats. Changes will also drive more consistency among assessors, help business reduce risk of compromise and create more transparent provider-customer relationships.

Transitioning to PCI DSS 3.0 will involve some work, but doing that work on the front end is going to save much work down the line. Adopting the new standard ultimately will drive your e-commerce business into a secure and efficient era.

Cultural Changes – One of the main themes of 3.0 is shifting from an annual compliance approach to embedding security in daily processes. Threats don’t change just once a year. They’re constantly evolving and that means e-commerce organizations must adopt a culture of vigilance. Only through a proactive business-as-usual approach to security can you achieve true DSS compliance. Realistically, this could mean the need to provide more education and build awareness with staff, partners and providers, so that everyone understands why and how new processes are in place.  

Operational Changes – The 3.0 standard addresses common vulnerabilities that probably will ring a bell with many of you. These include weak passwords and authentication procedures, as well as insufficient malware detection systems and vulnerability assessments, just to name a few. Depending on your current security controls program, this could mean you’ll need to step up in these areas by strengthening credential requirements, resolving self-detection challenges, testing and documenting your cardholder data environment and making other corrections.

Overview Changes – How much work lands on your plate will depend on your current security program. Examining your current security strategies and program is a good idea. Below are the areas requiring your attention, which this series will explore in more detail in future installments.

Service Provider Changes –  Some organizations made unsafe assumptions in the past when it comes to third-party providers. Some have paid the price, from failed audits to breaches. One reason that the new standard is designed to eliminate any confusion over compliance responsibilities. Responsibilities, specifically for management, operations, security and reporting all will need to be spelled out in detailed contracts. In addition to improved communication, an intensified focus on transparency means that you should have a clear view of your provider’s infrastructure, data storage and security controls, along with subcontractors that can impact your environment. So if your organization isn’t exactly clear on which PCI DSS requirements you manage and which ones your providers handle, prepare to get all of that hammered out.

The Compliance Rewards – The path to preparing for the 3.0 deadline in January 2015 sounds like it’s a lot of work. So to get started request your QSA’s opinion on how the changes will impact your organization, by doing the gap assessment and you’ll be able to address any shortcomings.    

Meeting the new 3.0 requirements isn’t just about passing audits. In fast paced payment IT landscape, staying smart and protected is part of our commitment to our customers. Beefing up security game not only reduce audit headaches, but also enjoy stronger brand reputation as a safe and reliable e-commerce business.

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Security, e-commerce & m-commerce, Electronic Payments, Financial Services, Payment Card Industry PCI Security, Small Business Improvement, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

February 14th, 2014 by Elma Jane

News from Target, increasing the number of cards compromised to 70 million and the expansion of data loss to mailing and email addresses, phone numbers and names, affirms that we are in a security crisis.

Card data is from a brand and business perspective, the new radioactive material. Add personally identifiable information (PII) to the list of toxic isotopes.

The depressing vulnerabilities these breaches reveal are a result of skilled hackers, the Internet’s lack of inherent security, inadequate protections through misapplied tools or their outright absence. Security is very very hard when it comes to playing defense.

There is a set of new technologies that could, in a combination produce a defense in depth that we have not enjoyed for some time.

Looking at the Age of Context (ACTs)

Age of Context released, a book based on the hundreds of interviews conducted with tech start-up and established company leaders. A wide-ranging survey. They examine what happens when our location and to whom we are connected are combined with the histories of where and when we shop. Result is a very clear picture of our needs, wants and even what we may do next.

Combining the smartphone and the cloud, five Age of Context technologies ACTs, will change how we live, interact, market, sell and navigate through our daily and transactional lives. The five technologies are:

1. Big Data. Ocean of data generated from mobile streams and our online activity, can be examined to develop rich behavioral data sets. This data enables merchants to mold individually targeted marketing messages or to let financial institutions improve risk management at an individual level.

2. Geolocation. Nearly every cell phone is equipped with GPS. Mobile network operators and an array of service providers can now take that data to predict travel patterns, improve advertising efficiency and more.

3. Mobile Devices and Communications. These are aggregation points for cloud-based services, sending to the cloud torrents of very specific data.

4. Sensors. Smartphones, wearables (think Fitbits, smart watches and Google Glass) and other devices are armed with accelerometers, cameras, fingerprint readers and other sensors. Sensors enable highly granular contextual placement. A merchant could know not only which building we are at and the checkout line we are standing in but even which stack of jeans we are perusing.

 

5. Social. Social networks map the relationships between people and the groups they belong to, becoming powerful predictors of behavior, affiliations, likes, dislikes and even health. Their role in risk assessment is already growing.

The many combinations and intersections of these technologies are raising expectations and concerns over what is to come. Everyone has a stake in the outcome: consumers, retailers, major CPG brands, watchdog organizations, regulators, politicians and the likes of Google, Apple, Microsoft, Amazon, eBay / PayPal and the entire payments industry.

We are at the beginning of the process. We should have misgivings about this and as an industry, individuals and as a society, we need to do better with respect to privacy and certainly with respect to relevance.

Provided we can manage privacy permissions we grant and the occasionally creepy sense that someone knows way too much about us, the intersections of these tools should provide more relevant information and services to us than what we have today. Anyone who has sighed at the sight of yet another web ad for a product long since purchased or completely inappropriate to you understands that personalized commerce has a long way to go. That’s part of what the Age of Context technologies promise to provide.

ACTs in Security    

ACTs role in commerce is one albeit essential application. They have the potential to power security services as well, specially authentication and identity-based approaches. We can combine data from two or more of these technologies to generate more accurate and timely risk assessments.

It doesn’t take the use of all five to make improvements. One firm have demonstrated that the correlation of just two data points is useful, it demonstrated that if you can show that a POS transaction took place in the same state as the cardholder’s location then you can improve risk assessment substantially. (based off of triangulated cell phone tower data).

Powerful questions of each technology that ACTs let us ask:

Data – What have I done in the past? Is there a pattern? How does that fit with what I’m doing now?

Geolocation – What building am I in? Is it where the transaction should be? Which direction am I going in or am I running away?

Mobile – Where does device typically operate? How’s the device configured? Is the current profile consistent with the past?

Sensors – Where am I standing? What am I looking at? Is this my typical walking gait? What is my heart rate and temperature?

 

Social – Am I a real person? Who am I connected to? What is their reputation?

Knowing just a fraction of the answers to these questions places the customer’s transaction origination, the profiles of the devices used to initiate that transaction and the merchant location into a precise context. The result should improve payment security.

More payments security firms are making use of data signals from non-payment sources, going beyond the traditional approach of assessing risk based primarily on payment data. One firm have added social data to improve fraud detection for ecommerce payment risk scoring. Another firm, calling its approach Social Biometrics, evaluates the authenticity of social profiles across multiple social networks including Facebook, Google+, LinkedIn, Twitter and email with the goal of identifying bogus profiles. These tools are of course attractive to ecommerce merchants and others employing social sign on to simplify site registration. That ability to ferret out bogus accounts supports payment fraud detection as well.

This triangulation of information is what creates notion of context. Apply it to security. If you can add the cardholder’s current location based on mobile GPS to the access device’s digital fingerprint to the payment card, to the time of the day when she typically shops, then the risk becomes negligible. Such precise contextual information could pave the way for the retirement of the distinction between card present and card-not-present transactions to generate a card-holder-present status to guide risk decision-making.

Sales First, Then Security        

The use of ACT generated and derived signals will be based on the anticipated return for the investment. Merchants and financial institutions are more willing to pay to increase sales than pay for potential cost savings from security services. As a result, the ACTs will impact commerce decision making first-who to display an ad to, who to provide an incentive to.

New Combinations  

Behind the scene, the impact of the ACTs on security will be fascinating and important to watch. From a privacy perspective, the use of the ACTs in security should prove less controversial because their application in security serves the individual, merchant and the community.

Determining the optimal mix of these tools will take time. How different are the risks for QR-code initiated transactions vs. a contactless NFC transaction? What’s the right set of tools to apply in that case? What sensor-generated data will prove useful? Is geolocation sufficient? Will we find social relationships to be strong predictor of payment risk or are these more relevant for lending? And what level of data sharing will the user allow-a question that grows in importance as data generation and consumption is shared more broadly and across organizational boundaries. It will be important for providers of security tools to identify the minimum data for the maximum result.

I expect the ACT’s to generate both a proliferation of tools to choose from and a period of intense competition. The ability to smoothly integrate these disparate tools sets will be a competitive differentiator because the difficulty of deployment for many merchants is as important as cost. Similar APIs would be a start.

Getting More from What We Already Have  

The relying parties in a transaction – consumers, merchants, banks, suppliers – have acquired their own tools to manage those relationships. Multi-factor authentication is one tool kit. Banks, of course issue payment credentials that represent an account and proxy for the card holder herself at the point of sale or online. Financial institutions at account opening perform know your customer work to assure identity and lower risk.

Those siloed efforts are now entering an era where the federated exchange of this user and transactional data is becoming practical. Firms are building tools and the economic models to leverage these novel combinations of established attributes and ACT generated data.

The ACTs are already impacting the evolution of the payments security market. Payment security incumbents, choose just two from the social side, find themselves in an innovation rich period. Done well, society’s security posture could strengthen.

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Security, e-commerce & m-commerce, Electronic Payments, Internet Payment Gateway, Payment Card Industry PCI Security, Point of Sale, Smartphone, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

September 10th, 2013 by Admin

Verizon annually releases it’s Data Breach Investigation Reports which probes data breaches in various industries and studies the nature of fraud reported by merchants and other agencies. In the past Verizon has worked with the U.S. Secret Service, now the information gathered on the electronic payment breaches have expanded to Police Central e-Crime Unit, Australian Federal Police, the Dutch National High Tech Crime Unit, and the Irish Reporting & Information Security Service in addition to the United States Secret Service.

One area that Verizon broke out and performed independent studies on was the healthcare industry. In 2010 the Health Information Technology for Economic and Clinical Health (HI TECH) Act included a provision to report healthcare and medical data breaches to a variety of outlets including the Secretary of Health and Human Services. Medical record protections keep the casual cyber criminal at bay but the majority of security data breaches are in large part targeted at information attackers can profit from. The data cybercriminals target most often includes health insurance data, personal and electronic payment transaction data. Hardware is another assett that is targeted both because of the data on the hardware and the cost of the hardware itself.

Remote data breaches on health care providers were typically carried out through some form of hacking or malware. That is consistent with other industries in the report and is considered the favorites among cybercriminal organizations. Exploiting of default or guessable credentials rang in at the top of the chart. Of those, point of sale payment systems and desktop computers were the highest targeted areas of the health care industry. Although electronic medical records and transcriptions stored on file and database servers were a target, those criminals were more likely interested in indentity theft and fraudulent loans than what was actually in any individuals medical records.

Point of sale payment terminals are the most targeted assett with POS servers and gateways as the second most targeted. Like all other sectors, professional criminals tend to follow the money trail and that ends up being at POS payment systems. So much so that even desktop computers and emails try to get malware onto medical systems to render security policies inneffective. To find out how to better protect medical and healthcare records from cybercriminals and data breaches read the reports here and here.

Posted in Best Practices for Merchants, Credit Card Security, Point of Sale Tagged with: , , , , , , , , , ,