August 7th, 2014 by Elma Jane


Recent high-profile cyberattacks at retail giants like Target and Neiman Marcus have highlighted the importance of protecting your business against point-of-sale (POS) security breaches. Often, the smallest merchants are the most vulnerable to these types of cyberthreats. The latest of these POS attacks is known as Backoff, malware with such brute force that the U.S. Department of Homeland Security (DHS) has gotten involved. The DHS recently released a 10-page advisory that warns retailers about the dangers of Backoff and tells them how they can protect their systems. Backoff and its variants are virtually undetectable by most antivirus software, with detection rates of low to zero percent, which makes it all the more critical for retailers to make sure their networks and POS systems are secure.

How Backoff works

Backoff infiltrates merchant computer systems by exploiting remote desktop applications, such as Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2 and LogMeIn, among others. Attackers then use these vulnerabilities to gain administrator and privileged access to retailer networks. Using these compromised accounts, attackers are able to launch and execute the Backoff malware on POS systems. The malware then makes its way into computer and network systems, gathers information and sends the stolen data to cybercriminals. The advisory warns that Backoff has four capabilities that enable it to steal consumer credit card information and other sensitive data: scraping POS and computer memory, logging keystrokes, Command & Control (C2) communication, and injecting the malware into explorer.exe. Although Backoff is newly detected malware, forensic investigations show that Backoff and its variants have already struck retailers three times since 2013, the advisory revealed. Its known variants include goo, MAY, net and LAST.

Prevent a Backoff attack

To mitigate and prevent Backoff malware attacks, the DHS’ recommendations include the following:

Configure network security. Reevaluate IP restrictions and allowances, isolate payment networks from other networks, use data leakage and compromised account detection tools, and review unauthorized traffic rules.

Control remote desktop access. Limit the number of users and administrative privileges, require complex passwords and two-factor authentication, and automatically lock out users after inactivity and failed login attempts.

Implement an incident response system. Use a Security Information and Event Management (SIEM) system to aggregate and analyze events and have an established incident response team. All logged events should also be stored in a secure, dedicated server that cannot be accessed or altered by unauthorized users.

Manage cash register and POS security. Use hardware-based point-to-point encryption, use only compliant applications and systems, stay up-to-date with the latest security patches, log all events and require two-factor authentication.
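The remote desktop and logging recommendations above can be turned into a concrete detection rule. The following is an added example, not code from the DHS advisory or from this site: it scans logon events for a burst of failed remote desktop logons from one source and reports whether a successful logon followed. The event IDs (4625 failed, 4624 successful) and logon type 10 are standard Windows values; the tuple layout, the threshold, the window and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON, SUCCESSFUL_LOGON = 4625, 4624   # Windows Security event IDs
REMOTE_INTERACTIVE = 10                        # logon type recorded for RDP sessions

# Constructed sample records (not real data):
# (time, event ID, logon type, source IP, account)
SAMPLE_EVENTS = [
    # Guessing burst from one source, ending in a successful logon.
    ("2014-08-01T02:14:03", 4625, 10, "198.51.100.23", "admin"),
    ("2014-08-01T02:14:09", 4625, 10, "198.51.100.23", "admin"),
    ("2014-08-01T02:14:15", 4625, 10, "198.51.100.23", "administrator"),
    ("2014-08-01T02:14:22", 4625, 10, "198.51.100.23", "pos_admin"),
    ("2014-08-01T02:14:30", 4625, 10, "198.51.100.23", "pos_admin"),
    ("2014-08-01T02:14:41", 4625, 10, "198.51.100.23", "pos_admin"),
    ("2014-08-01T02:15:02", 4624, 10, "198.51.100.23", "pos_admin"),
    # A clerk mistyping a password twice, then logging in.
    ("2014-08-01T09:01:10", 4625, 10, "10.0.5.12", "clerk1"),
    ("2014-08-01T09:01:25", 4625, 10, "10.0.5.12", "clerk1"),
    ("2014-08-01T09:01:40", 4624, 10, "10.0.5.12", "clerk1"),
] + [
    # Five failures spread over two hours: too slow to fill the window.
    (f"2014-08-02T0{1 + i // 2}:{30 * (i % 2):02d}:00", 4625, 10, "203.0.113.9", "admin")
    for i in range(5)
] + [
    # Non-RDP (network, type 3) failures are outside this rule's scope.
    (f"2014-08-03T04:00:{s:02d}", 4625, 3, "10.0.5.40", "svc_backup")
    for s in range(6)
]


def detect_rdp_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Alert on sources with `threshold` failed RDP logons inside `window`.

    If a successful RDP logon from the same source follows within `window`
    of its last failure, the account is recorded as likely compromised.
    """
    recent = defaultdict(deque)   # source -> failure times still inside the window
    last_failure = {}             # source -> time of its most recent failure
    alerts, by_source = [], {}
    for ts, event_id, logon_type, source, account in sorted(events):
        if logon_type != REMOTE_INTERACTIVE:
            continue
        when = datetime.fromisoformat(ts)
        if event_id == FAILED_LOGON:
            queue = recent[source]
            queue.append(when)
            while when - queue[0] > window:   # drop failures that aged out
                queue.popleft()
            last_failure[source] = when
            if source in by_source:
                by_source[source]["failures"] += 1
            elif len(queue) >= threshold:
                alert = {"source": source, "first_seen": queue[0].isoformat(),
                         "failures": len(queue), "compromised_account": None}
                by_source[source] = alert
                alerts.append(alert)
        elif event_id == SUCCESSFUL_LOGON and source in by_source:
            alert = by_source[source]
            if (alert["compromised_account"] is None
                    and when - last_failure[source] <= window):
                alert["compromised_account"] = account
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_guessing(SAMPLE_EVENTS):
        print(alert)
```

When Network Level Authentication is enabled, failed remote desktop attempts are often logged with logon type 3 rather than 10, so a production rule usually needs a second way to tie events to the remote desktop service.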

 

Posted in Point of Sale

June 24th, 2014 by Elma Jane

Compliance with a single set of regulations is often taxing enough, without other regulations causing a conflict, but this is exactly the situation that the insurance industry finds itself in with its contact centres.

PCI-DSS compliance insists that sensitive information, in particular credit card numbers, must be protected and cannot be stored. However, the Financial Conduct Authority (FCA), the UK regulator for the financial services industry, demands that insurers keep sufficient detail of their transactions.

In insurance contact centres, FCA recommendations are met by recording calls. So in order to comply with PCI-DSS regulations, some contact centres simply pause recordings while the card information is read out, and resume recording once the payment process is complete. There’s a very big problem with this method: it undermines the very reason calls are recorded. The call recording is there to provide an unequivocal record of the circumstances under which the policy is granted. A gap in this record creates doubt. What was said during this time? If a customer is claiming a policy was mis-sold or they were misinformed in some way, a complete record to refute this claim no longer exists. Because of situations such as this, the insurance industry has an inherent dependence on contact centres and person-to-person interaction when selling policies, though in the process it has to somehow comply with both regulations.

But how? One way is to get the sensitive card information directly and securely to the bank’s payment gateway without storing it. Online, this is done quite easily: insurers can embed a secure payment page into a website and the customer can enter information securely that way. By phone, a similar method can be used. A caller can input information directly on their telephone keypad, and the tones are transmitted only to the credit card payment gateway, not the contact centre. This solves the paradox of the conflicting regulations.

Insurance contact centres need to walk a very fine line, ensuring that they comply with all of the relevant regulations from multiple regulators – even those that, at first glance, contradict each other.

 

Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security

June 16th, 2014 by Elma Jane

Credit card companies are racing against tech giants like Apple and Google to create what would thin our wallets forever. The race, which started to replace paper with plastic, is now entering a new phase of combining our cell phones and credit cards. Credit card giant American Express is working on developing a next generation app, which would let consumers shop using their virtual credit cards just like virtual boarding passes on an iPhone Passbook. Amex doesn’t stand alone in the race. Google, Square and Apple are some of the many companies in Silicon Valley that are working on taking the leap. While Google Wallet and PayPal are some of the available products providing customers with a virtual wallet experience, the credit card companies still continue to benefit from being the point of sale for these products. This puts Amex in a unique position, as it doesn’t have to struggle to become the card customers choose to use. Amex is just a jump away from moving from customers’ wallets to their cellphones.

Posted in Best Practices for Merchants, Visa MasterCard American Express

June 4th, 2014 by Elma Jane

The operator of a gold vault on the Isle of Man is to issue a credit card made of solid gold that enables customers to draw down cash on their holdings of the valuable metal. The 14-carat Visa gold card from IMGold will be made available to clients who have at least £100,000 of the metal bars in their vault. The idea is that customers can use the card to borrow against their reserves, effectively hedging against a decline in the value of gold.

IMGold is currently inviting applicants for the blinged up store of wealth under the banner: The card that carries more weight.

The Isle of Man is some way behind Kazakhstan’s oligarchs, who have been brandishing gold and diamond-encrusted cards for some years now. MasterCard and Kazkommertsbank introduced their own diamond-encrusted card in the province back in 2008. This was followed in 2012 by the launch of Visa Infinite Exclusive cards – made of pure gold, with pearl embossing and 26 diamonds – by Sberbank for its top 100 customers in the energy-rich country.

Posted in EMV EuroPay MasterCard Visa, Visa MasterCard American Express

May 21st, 2014 by Elma Jane

Mobile credit card processing is way cheaper than traditional point-of-sale (POS) systems. Accepting credit cards using mobile devices is stressful, not to mention a hassle to set up, and customers would never dare compromise security by saving or swiping their credit cards on a mobile device. These are some of the many myths surrounding mobile payments, which allow merchants to process credit card payments using smartphones and tablets. Merchants process payments using a physical credit card reader attached to a mobile device or by scanning previously stored credit card information from a mobile app, as is the case with mobile wallets. Benefits include convenience, a streamlined POS system and access to a breadth of business opportunities based on collected consumer data. Nevertheless, mobile payments as a whole remain a hotly debated topic among retailers, customers and industry experts alike.

Although mobile payment adoption has been slow, consumers are steadily shifting their preferences as an increasing number of merchants implement mobile payment technologies (made easier and more accessible by major mobile payment players such as Square and PayPal). To stay competitive, it’s more important than ever for small businesses to stay current and understand where mobile payment technology is heading.

If you’re considering adopting mobile payments or are simply curious about the technology, here are mobile payment myths that you may have heard, but are completely untrue. 

All rates are conveniently the same. Thanks to the marketing of big players like Square and PayPal – which are not actually credit card processors, but aggregators – rates can vary widely and significantly. For instance, consider that the average debit rate is 1.35 percent. Square’s is 2.75 percent and PayPal Here’s is 2.7 percent, so customers will have to pay an additional 1.41 percent and 1.35 percent, respectively, using these two services. Some cards also get charged well over 4 percent, such as foreign rewards cards. These companies profit and mobile customers lose. Always read the fine print.

Credit card information is stored on my mobile device after a transaction. Good mobile developers do not store any critical information on the device. That information should only be transferred through an encrypted, secure handshake between the application and the processor. No information should be stored or left hanging around following the transaction.

I already have a POS system – the hassle isn’t worth it. Mobile payments offer more flexibility to reach the customer than ever before. No longer are sales people tied to a cash register and counters to finish the sale. That flexibility can mean the difference between revenue and a lost sale. Mobile payments also have the latest technology to track sales, log revenue, fight chargebacks, and analyze performance quickly and easily.

If we build it, they will come. Many wallet providers believe that if you simply build a new mobile payment method into the phones, consumers will adopt it as their new wallet. This includes proponents of NFC technology, QR codes, Bluetooth and other technologies, but given that very few merchants have the POS systems to accept these new types of technologies, consumers have not adopted them. Currently, only 6.6 percent of merchants can accept NFC, and even fewer can accept QR codes or BLE technology, hence the extremely slow adoption rate. Simply put, the new solutions are NOT convenient, and do not replace consumers’ existing wallets, not even close.

It raises the risk of fraud. Fraud’s always a concern. However, since with Square and others the data isn’t stored on the device but on their servers, the risk is lessened. For example, there’s no need for you to fear one of your employees walking out with your tablet and downloading all of your customers’ info from the tablet. There’s also no heightened fraud risk for data loss if a tablet or mobile device is ever sold.

Mobile processing apps are error-free. Data corruption glitches do happen on wireless mobile devices. A merchant using mobile credit card processing apps needs to be more diligent to review their mobile processing transactions. Mobile technology is fantastic when it works.

Mobile wallets are about to happen. They aren’t about to happen, especially in developed markets like the U.S. It took 60 years to put in the banking infrastructure we have today and it will take years for mobile wallets to achieve critical mass here.

Setup is difficult and complicated. Setting up usually just involves downloading the vendor’s app and following the necessary steps to get the hardware and software up and running. The beauty of modern payment solutions is that like most mobile apps, they are built to be user-friendly and intuitive so merchants would have little trouble setting them up. Most mobile payment providers offer customer support as well, so you can always give them a call in the unlikely event that you have trouble setting up the system.

The biggest business opportunity in the mobile payments space is in developed markets. While most investments and activity in the Mobile Point of Sale space take place today in developed markets (North America and Western Europe), the largest opportunity is actually in emerging markets where most merchants are informal and by definition can’t get a merchant account to accept card payments. Credit and debit card penetration is higher in developed markets, but informal merchants account for the majority of payments volume in emerging markets and all those transactions are conducted in cash today.

Wireless devices are unreliable. Reliability is very often brought up as I think many businesses are wary of fully wireless setups. I think this is partly justified, but very easily mitigated, for example with a separate Wi-Fi network solely for point of sale and payments. With the right device, network equipment, software and card processor, reliability shouldn’t be an issue.

Posted in Best Practices for Merchants, Mobile Payments, Mobile Point of Sale, Smartphone

May 16th, 2014 by Elma Jane

National Transaction discussed credit card underwriting today, in a training given twice a week to our Sales Representatives together with our partner Elavon. The training outlined the following: why Elavon needs guidelines, credit decision factors, and which merchants are restricted vs. which merchants are prohibited. For company understanding, facts about fulfillment will be outlined, allowing for a better understanding of the department that receives and processes new merchant applications. Application requirements will be identified, followed by why applications pend.

Fulfillment Services – The department that manages merchant applications through the process of: Data Entry, Underwriting, Deployment and Merchant Activation.

Best way to get an application to boarding: Email and Fax.

The key to success is gathering the right information, such as data from a myriad of sources, including bank statements, credit reporting agencies, utility assessments, tax assessments and additional financial documentation. This is just some of what we discussed today. With the right tools and support from the National Transaction Team, closing a deal is feasible.

Posted in Best Practices for Merchants, Credit card Processing, nationaltransaction.com

May 8th, 2014 by Elma Jane


National Transaction Corporation Receives 2014 Best of Coral Springs Award

CORAL SPRINGS April 23, 2014 — National Transaction Corporation has been selected for the 2014 Best of Coral Springs Award in the Credit Card Service category by the Coral Springs Award Program.

Each year, the Coral Springs Award Program identifies companies that have achieved exceptional marketing success in their local community and business category. These are local companies that enhance the positive image of small business through service to their customers and the community. These exceptional companies help make the Coral Springs area a great place to live, work and play.

Various sources of information were gathered and analyzed to choose the winners in each category. The 2014 Coral Springs Award Program focuses on quality, not quantity. Winners are determined based on the information gathered both internally by the Coral Springs Award Program and data provided by third parties.

The Coral Springs Award Program is an annual awards program honoring the achievements and accomplishments of local businesses throughout the Coral Springs area. Recognition is given to those companies that have shown the ability to use their best practices and implemented programs to generate competitive advantages and long-term value.

The Coral Springs Award Program was established to recognize the best of local businesses in the community. The organization works exclusively with local business owners, trade groups, professional associations and other business advertising and marketing groups. Their mission is to recognize the small business community’s contributions to the U.S. economy.

 

Posted in Credit card Processing, Merchant Account Services News Articles, nationaltransaction.com

May 8th, 2014 by Elma Jane

The complexity derives from PCI’s Data Security Standards (DSS), which include up to 13 requirements that specify the framework for a secure payment environment for companies that process, store or transmit credit card transactions.

Make PCI DSS Assessment Easier  

Training and educating employees. Technical employees should obtain any certifications or training classes necessary so that they can operate and monitor the security controls set in place. Non-technical employees must be trained on general security awareness practices such as password protection, spotting phishing attacks and recognizing social engineering. All the security controls and policies in the world will provide no protection if employees do not know how to operate the tools in a secure manner. Likewise, the strongest 42-character password with special characters, numbers, mixed case, etc. is utterly broken if an employee writes it on a sticky note attached to their monitor.

For an organization to effectively manage its own risk, it must complete a detailed risk analysis on its own environment. The goal of risk analysis is to determine the threats and vulnerabilities to services performed and assets for the organization. As part of a risk assessment, the organization should define critical assets, including hardware, software, and sensitive information, and then determine risk levels for those components. This in turn allows the organization to determine priorities for reducing risk. It is important to note that risks should be prioritized first for systems that will be in-scope for PCI DSS and then for other company systems and networks.

Once the risk assessment has been completed the organization should have a much clearer view of its security threats and risks and can begin determining the security posture of the organization. Policies and procedures form the foundation of any security program and comprise a large percentage of the PCI DSS requirements. Business leaders and department heads should be armed with the PCI DSS requirements and the results of the risk analysis to establish detailed security policies and procedures that address the requirements but are tailored to business processes and security controls within the organization.

Building upon the foundation of security policies, the committee of business leaders and department heads should now review the PCI DSS requirements in detail and discuss any potential compliance gaps and establish a remediation plan for closing those gaps. This is where it is important to have the full support of business leaders who can authorize necessary funds and manpower to implement any remediation activities.

This is also the time to schedule the required annual penetration testing. Penetration tests are typically performed by third parties, although this is not required, and they can take some time to schedule, perform, and remediate (if necessary). The results of a PCI DSS assessment will be delayed until the penetration test is completed, so now is the time to schedule the test.

At this point the organization is ready for a full-scale PCI DSS assessment and can now enter a maintenance mode where periodic internal audits occur and regular committee meetings are held to perform risk assessments and update policies, procedures, and security controls as necessary to respond to an ever changing threat landscape. PCI DSS must become integrated into the everyday operation of the organization so that the organization remains secure and to ease the burden of the annual assessments.

Payment Card Industry (PCI) compliance assessment is a major task for any size organization, but you can make it easier.

 

Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security

May 7th, 2014 by Elma Jane


NTC’s New Approach On Payment Processing brings Client Satisfaction

About NTC (National Transaction Corporation)
NTC is a credit card processing company that was built uniquely, combining leading edge technology with passion for customer service, as well as service to help customers maximize the value of their merchant service program. NTC provides sales agents, financial institutions and merchants with benefits not available from other providers, such as next day funding with a late cut-off time and unparalleled graphical and web-based reporting.
To learn more visit http://www.nationaltransaction.com or call 888-996-2273.
Marking a 65% increase over 2012 NTC now serves approximately 15,000 businesses.
This rapid growth was driven by the many unique benefits that NTC offers its merchants and sales partners, ranging from best technology to superior customer service.
The major differentiator made possible by NTC’s proprietary back-end processing system is the Next Day Funding Service. Because NTC connects directly to Amex, Discover, MasterCard and VISA, sales partners and merchants are able to avoid the middleman and go straight to the source of all their processing needs. This also means that merchants can batch out their terminal POS with one of the latest cut-off times in the industry, as late as 11:00 pm Eastern.
Another factor that makes NTC appealing to new sales partners and merchants is its merchant connect online reporting system. It provides 24/7 access to graphical account information through a system that is fast, easy and secure. Merchants are now able to clearly see and understand their payment processing costs. ISOs have access to SugarCRM to make notes and see Merchant Marketing Data. Card Numbers are secure on the bank’s server so our faculty has credentials to access the bank servers.
Independent sales organizations (ISOs) and Merchant sales professionals continue to choose NTC as their payment processing partner to obtain these unique benefits. In addition to industry-leading technology, NTC offers its merchants and sales partners a level of personalized support that is not easily found among other credit card processing companies. They get round the clock account and terminal support. Collective hard work and determination helped NTC grow faster in the industry, resulting in more loyal ISO sales partners who are submitting more applications. We look forward to continued success for NTC, its sales partners and merchants.

 

Posted in Credit card Processing, EMV EuroPay MasterCard Visa, Financial Services, Merchant Account Services News Articles, nationaltransaction.com, Point of Sale, Visa MasterCard American Express

May 6th, 2014 by Elma Jane

Mobile commerce platform provider ROAM, an Ingenico company, has expanded its mPOS solutions to include chip-and-PIN acceptance with the RP750x mobile card reader. The reader allows mPOS players to get to market quickly with their own custom-branded solution, providing merchants with a powerful set of features that include device and fraud management, remote application configuration, and an mPOS application that can be localized for any language and currency in any country. Features include: backlit display, EMV PIN pad, magnetic stripe reader, NFC reader and smart card reader. Configurable through the cloud, enabling direct shipment from factory to any country. Connects with smartphones, tablets and feature phones via Bluetooth or audio jack. Customizable for branding and form factor. A compact form factor, just slightly larger than a credit card. Compliant with the latest industry standards: PCI PTS 3.1 with SRED, EMV Level 1 and 2, Visa-ready.

Posted in Best Practices for Merchants, Credit Card Reader Terminal, e-commerce & m-commerce, EMV EuroPay MasterCard Visa, Financial Services, Mobile Payments, Mobile Point of Sale, Near Field Communication, Payment Card Industry PCI Security, Point of Sale, Smartphone, smartSD Cards, Visa MasterCard American Express