September 23rd, 2014 by Elma Jane
Home Depot, US retail chain says that 56 million payment cards are at risk following a malware-laden cyber-attack on eftpos tills across its stores in the US and Canada.
The investigation into a possible breach began on September 2nd,Tuesday morning, immediately after Home Depot received reports from its banking partners and law enforcement that criminals may have breached its systems.
According to Home Depot’s security partners, the malware had not been seen previously in other attacks.
Criminals used unique, custom-built malware to evade detection. The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards, after lurking in the company’s eftpos tills for four months between April and September.
While the breach has been seen as a further proof-point in the US push to adopt Chip and PIN at the point-of-sale, the fact that the outbreak also hit the home improvement chain’s Canadian stores, where the EMV standard has been implemented, leaves pause for thought. Nonetheless, the retailer has committed to installing 85,000 PIN pads at its US outlets, well ahead of the national 2015 deadline.
Home Depot has set aside $65 million to cover the cost to investigate the data breach, provide credit monitoring services to its customers, increase call center staffing, and pay legal and professional services. Approximately $27 million of the projected outlay will be covered by the company’s insurance.
Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Point of Sale Tagged with: banking partners, Breach, call center, card information, cards, Chip and PIN, credit monitoring, credit monitoring services, customers, cyber-attack, data breach, EMV, EMV standard, Malware, payment, payment card information, payment cards, PIN pads, point of sale, risk
September 11th, 2014 by Elma Jane
Every year Americans take more than 59 million trips abroad. Yet many of us don’t know which questions to ask regarding the use of credit cards. Before you hit the road, let your card issuer know where and when you’ll be traveling, so it doesn’t mistake those overseas charges with fraudulent activity. Start asking some questions below:
Does my card charge a foreign transaction fee? Because these fees can run as high as 3% and can be quite costly.
Does my card have an EMV chip? A smart chip widely used in Europe and other places. Contact your credit card provider and see if they can provide you at no cost a chip-and-PIN card if you don’t already have one. Most of the card companies are moving this way, but typically you have to request it.
Does my card offer any travel perks? You may want to inquire about additional coverage your card may provide you when you’re abroad such as insurance for accidents, lost luggage or auto collision.
How can I get cash overseas? Reach out to the bank or credit card provider and find out what relationships they have in the local market you’re traveling to. This will be helpful for avoiding ATM fees. Additionally, if you need to access cash from your credit card, they’ll be very helpful if you do it through a banking institution that has a relationship with your provider.
Will my card be accepted at my destination? Thirty to sixty days before traveling contact your bank or credit card provider and ask some important questions. Find out if their card is going to be accepted or if there will be any restrictions for it to be used abroad.
The best thing to do is to have a plan before you travel. Know how to minimize your fees and protect your credit cards. Then you can enjoy your adventure.
Posted in Uncategorized Tagged with: atm, ATM fees, bank, banking, banking institution, card, card issuer, chip, Chip and PIN, chip-and-PIN card, credit card provider, credit cards, EMV, EMV chip, fee, fees, foreign transaction fee, institution, PIN, provider, transaction, transaction fee, travel
September 4th, 2014 by Elma Jane
EMV, which stands for Europay, MasterCard and Visa, and is slated to be mandated across the United States starting in October 2015 and automated fuel dispensers have until October 2017 to comply. Unlike magnetic swipe cards, EMV chip cards encrypt data and authenticate communication between the card and card reader. Additionally, chip card user is prompted for a PIN for authentication.
Why are those dates important? Companies lose $5.33 billion to fraud today, with card issuers and merchants incurring 63 and 37 percent of these losses, respectively. Under the EMV mandate, merchants who do not process chip cards will bear the burden of the issuer loss. By accepting chip card transactions, merchants and issuers should see a reduction in fraud.
Overcoming Barriers to EMV Adoption
Given the significant barriers to EMV adoption, it may be tempting for merchants to meet minimum requirements for accepting EMV payments. However, medium to large retailers should also consider the bigger picture of customer security and peace of mind.
Some key critical success factors for a payment initiative of this size include:
Business Continuity Architecture: As with all payment systems, it is imperative to have the EMV system running at all times. The solution should preferably have Active-Active architecture across multiple data centers and have a low Recovery Point Objective (the point in time to which the systems and data must be recovered after an outage).
Cost Benefit Analysis: Take a top down approach and decide accordingly on the scope of the analysis. This will ensure that decisions on scope are made on basis of quantitative data and not just qualitative arguments.
Phased Approach: To overcome time or cost overage in a project of this scope and complexity, retailers should try using an iterative approach for development. The rollout can be divided into multiple releases of six to seven months, which will provide the opportunity to review, capture lessons learnt, and improve subsequent releases.
Proactive Monitoring Alerts: Considering the criticality of business function carried out by EMV, tokenization and payment gateway, a vigorous supervising environment must be defined to perform proactive and reactive monitoring. It should take into consideration the monitoring targets, tools, scope and methods. This will provide advance visibility to the failure points and better ensuring maximum system availability.
Resilience Testing: Typically in a software project, the testing is limited to the unit, integration, performance and user acceptance. However, due to the critical nature of the applications and systems involved, robust resiliency testing is vital. This will ensure that there are no single points of failure and the system remains available when running in error conditions.
Stakeholder Identification: This is a key step to ensure that you have varied perspectives from all departments and their support. It will keep your organization from being blindsided and reduce the risk of disagreements in later stages of the program. Key stakeholders should include Store Operations, Card Accounting, Loss Prevention, Contact Center and IT & Data Security.
Organizations should adopt a five step approach to implement a secure, robust and industry-leading payment solution:
Encryption – Point to point encryption will ensure card data is secure and encrypted from the point of capture to the processor. Usually, merchants use data encryption that is not point to point, rendering their organization vulnerable to data breaches. Software encryption is the most common form of encryption, as it is easily installed and quires little or no hardware upgrades; however, it is less secure, may expose encryption keys, and is prone to memory scanning attacks. Hardware encryption is considered more secure but requires more costly terminal upgrades. Hardware encryption is designed to self-destruct the keys if tampered, but is not well-defined as very limited headway has been made in this space.
Tokenization – Build a Card Data Environment (CDE) that will host a centralized card data storage solution. Only limited applications with firewall access and capability to mutually authenticate via certificates can access CDE and receive card data. The rest of the applications will have tokens which are random numbers. This architecture will ease the merchant’s burden with existing and emerging PCI Data Security Standards.
Payment Gateway – Perform a risk assessment on the current payment gateway and identify gaps in functionality, manageability, compliance, scalability, speed to market and best practices. Determine the alternatives to mitigate the risks. Some of the important aspects of a leading payment gateway solution are support for all forms of credit, debit, gift cards and check transactions. Its ability to work with any acquirer, in-built encryption abilities, support for settlement and reconciliation must also be kept into consideration.
Settlement, Funding and Reconciliation – A workflow-based system to handle chargebacks and the automation of chargeback processing will greatly reduce labor-intensive work and enhance the quality of data used for settlement and reconciliation. Upgrades to the existing receipt retrieval system may be needed.
Card fraud is on the rise in the U.S., and merchants are the primary target for stealing information. With the EMV deadline just over a year away, the responsible retailer must take steps to prepare now. Although EMV implementation might seem overwhelming to merchants, they should start their journey to secure payments rather than wait for a looming deadline. Solutions such as data encryption and tokenization should be used in combination with EMV to implement a robust payment solution to better protect merchants against fraud. By proactively adopting EMV payment solutions, merchants can stay ahead of the regulatory curve and better protect their customers from fraud.
Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security, Visa MasterCard American Express Tagged with: authentication, automation, card, card data, Card Data Environment, card fraud, card issuers, card transactions, CDE, chargeback, chargeback processing, check, check transactions, chip, chip cards, credit, customer, customer security, data, data breaches, data encryption, data security, debit, EMV, emv chip cards, EuroPay, fraud, gateway, Gift Cards, host, integration, magnetic swipe cards, MasterCard, Merchant's, payment, payment gateway, payment solution, payment systems, PCI, PCI Data Security Standards, PIN, processor, retailers, Security, software, swipe, terminal, tokenization, tools, visa
August 27th, 2014 by Elma Jane
Backoff malware that has attacked point of sale systems at hundreds of businesses may accelerate adoption of EMV chip and PIN cards and two-factor authentication as merchants look for ways to soften the next attack. Chip and PIN are a big thing, because it greatly diminishes the value of the information that can be trapped by this malware, said Trustwave, a security company that estimates about 600 businesses have been victims of the new malware. The malware uses infected websites to infiltrate the computing devices that host point of sale systems or are used to make payments, such as PCs, tablets and smartphones. Merchants can install software that monitors their payments systems for intrusions, but the thing is you can’t just have anti-virus programs and think you are safe. Credit card data is particularly vulnerable because the malware can steal data directly from the magnetic stripe or keystrokes used to make card payments.
The point of sale system is low-hanging fruit because a lot of businesses don’t own their own POS system. They rent them, or a small business may hire a third party to implement their own point of sale system. The Payment Card Industry Security Standards Council issued new guidance this month to address security for outsourced digital payments. EMV-chip cards, which are designed to deter counterfeiting, would gut the value of any stolen data. With this magnetic stripe data, the crooks can clone the card and sell it on the black market. With chip and PIN, the data changes for each transaction, so each transaction is unique. Even if the malware grabs the data, there not a lot the crooks can do with it. The EMV transition in the U.S. has recently accelerated, driven in part by recent highprofile data breaches. Even with that momentum, the U.S. may still take longer than the card networks’ October 2015 deadline to fully shift to chip-card acceptance.
EMV does not by itself mitigate the threat of breaches. Two-factor authentication, or the use of a second channel or computing device to authorize a transaction, will likely share in the boost in investment stemming from data security concerns. The continued compromise of point of sale merchants through a variety of vectors, including malware such as Backoff, will motivate the implementation among merchants of stronger authentication to prevent unauthorized access to card data.
Backoff has garnered a lot of attention, including a warning from the U.S. government, but it’s not the only malware targeting payment card data. It is not the types of threats which are new, but rather the frequency with which they are occurring which has put merchants on their heels. There is also an acute need to educate small merchants on both the threats and respective mitigation techniques.. The heightened alert over data vulnerability should boost the card networks’ plans to replace account numbers with substitute tokens to protect digital payments. Tokens would not necessarily stop crooks from infiltrating point of sale systems, but like EMV technology, they would limit the value of the stolen data. There are two sides to the equation, the issuers and the merchants. To the extent we see both sides adopt tokenization, you will see fewer breaches and they will be less severe because the crooks will be getting a token instead of card data.
Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security, Point of Sale Tagged with: access, account, account numbers, anti-virus programs, authentication, Backoff, card, card networks, chip, credit, Credit card data, credit-card, data, data breaches, devices, digital payments, EMV, magnetic stripe, Malware, Merchant's, Payment Card Industry, payments, PCs, PIN, PIN cards, point of sale, POS, POS system, programs, Security, security standards, Smartphones, software, system, tablets, tokenization, tokens, transaction, Trustwave, websites
August 11th, 2014 by Elma Jane
Tokenization technology has been available to keep payment card and personal data safer for several years, but it’s never had the attention it’s getting now in the wake of high-profile breaches. Still, merchants especially smaller ones haven’t necessarily caught on to the hacking threat or how tools such as tokenization limit exposure. That gap in understanding places ISOs and agents in an important place in the security mix, it’s their job to get the word out to merchants about the need for tokenization. That can begin with explaining what it is.
The biggest challenge that ISOs will see and are seeing, is this lack of awareness of these threats that are impacting that business sector. Data breaches are happening at small businesses, and even if merchants get past the point of accepting that they are at risk, they have no clue what to do next. Tokenization converts payment card account numbers into unique identification symbols for storage or for transactions through payment mechanisms such as mobile wallets. It’s complex and not enough ISOs understand it, even though it represents a potential revenue-producer and the industry as a whole is confused over tokenization standards and how to deploy and govern them.
ISOs presenting tokenization to merchants should echo what security experts and the Payment Card Industry Security Council often say about the technology. It’s a needed layer of security to complement EMV cards. EMV takes care of the card-present counterfeit fraud problem, while tokenization deters hackers from pilfering data from a payment network database. The Target data breach during the 2013 holiday shopping season haunts the payments industry. If Target’s card data had been tokenized, it would have been worthless to the criminals who stole it. It wouldn’t have stopped malware access to the database, but it would been as though criminals breaking into a bank vault found, instead of piles of cash, poker chips that only an authorized user could cash at a specific bank.
A database full of tokens has no value to criminals on the black market, which reduces risk for merchants. Unfortunately, the small merchants have not accepted the idea or the reality and fact, that there is malware attacking their point of sale and they are being exposed. That’s why ISOs should determine the level of need for tokenization in their markets. It is always the responsibility of those who are interacting with the merchant to have the knowledge for the market segment they are in. If you are selling to dry cleaners, you probably don’t need to know much about tokenization, but if you are selling to recurring billing or e-commerce merchants, you probably need a lot more knowledge about it.
Tokenization is critical for some applications in payments. Any sort of recurring billing that stores card information should be leveraging some form of tokenization. Whether the revenue stream comes directly from tokenization services or it is bundled into the overall payment acceptance product is not the most important factor. The point is that it’s an important value to the merchant to be able to tokenize the card number in recurring billing, but ISOs sell tokenization products against a confusing backdrop of standards developed for different forms of tokenization. EMVCo, which the card brands own, establishes guidelines for EMV chip-based smart card use. It’s working on standards for “payment” tokenization with the Clearing House, which establishes payment systems for financial institutions. Both entities were working on separate standards until The Clearing House joined EMVCo’s tokenization working group to determine similarities and determine whether one standard could cover the needs of banks and merchants.
Posted in Best Practices for Merchants Tagged with: account numbers, bank, billing, card, card brands, card number, card present, Clearing House, data, data breaches, database, e-commerce, EMV, emvco, fraud, ISOs, Malware, Merchant's, mobile wallets, network, payment, Payment Card Industry, Security, smart card, target, tokenization, transactions
August 8th, 2014 by Elma Jane
MasterCard’s latest Card Personalization Validation module in the Collis EMV Personalization Validation Tool qualified by MasterCard, including the U.S. Common Debit AID. The tool will be used to support EMV card issuers in the U.S., and specifically checks if MasterCard cards are correctly personalized according to the latest MasterCard specifications. It also includes specific personalization profiles to certify compliance with the Durbin Legislation. The Collis EMV Personalization Validation Tool is the most thorough and comprehensive test tool for issuers, card personalization bureaus and card manufacturers that want to validate the personalization of their contact/contactless payment cards and mobile payment applications. With the tool, issuers easily check the correctness of the personalization of any EMV card application according to the latest test specifications of the seven major worldwide payment schemes. He added that the Collis EMV Personalization Validation Tool fits also seamlessly to prepare for the MasterCard CPV Formal Approve Service that UL can deliver.
Posted in Credit Card Security, EMV EuroPay MasterCard Visa, Visa MasterCard American Express Tagged with: card, contactless payment, Debit AID, EMV, EMV card, MasterCard, mobile payment, payment schemes
June 20th, 2014 by Elma Jane
A recent survey said, 82 percent of e-commerce merchants who currently do not employ a consumer authentication solution are afraid that such solutions will scare off online shoppers, but with more and more fraud expected to migrate online in the coming years, the payments industry needs to do a better job of informing merchants why authentication in the card-not-present realm is crucial to data security.
While a majority of payment service companies employ some type of 3-D Secure online authentication, and most large merchants do likewise, the rest of the merchant population, especially in North America, apparently do not. 55 percent of merchants surveyed, a majority of which are U.S.-based, do not use online authentication, noting that North America is the only world region where less than half of merchants use the technology. The reason so many U.S. merchants eschew consumer authentication is they see it as a sales killer.
The main reason appears to be fear, uncertainty and doubt (FUD) about how consumer authentication will impact sales conversion and user experience, 43 percent of merchant respondents are FUD-preoccupied, with 20 percent concerned about the effect of the technology on sales conversion, 13 percent worried about changing the user experience and 10 percent simply want nothing to do with consumer authentication. Beyond the FUD concerns, there is also a very real perception with merchants and service providers that integration is long and difficult, adding that 21 percent of merchants who do not employ authentication, citing the time and/or cost of integration as the barrier.
End to FUD
The solution to merchant adoption of some form of 3-D Secure technology is apparently education. Many FUD concerns are related to a hangover effect caused by bad experiences with previous iterations of consumer authentication. But the report provides evidence that the FUD factor can be overcome because of the happiness factor that authentication-using merchants express. 81 percent of merchant respondents showing satisfaction with the solutions they have employed.
The report said nearly half of merchants surveyed said authentication had no effect on sales conversion, either positive or negative; however, almost 20 percent believe it has had a positive effect on sales. The positive result seems to be related to merchants who use authentication selectively, on specific transactions rather than on all of them. Additionally, the technology results in many merchants experiencing lower numbers of chargebacks. Amongst merchants, 59 percent overall say the authentication program brought a decrease in chargebacks and this is true for more than half of merchants from each geographic region.
FYI on FUD
The adoption is very low because not many people understand it. Online verification does retard the checkout process as a second screen pops up that consumers must navigate in order to proceed with the purchase. However, these barriers can be overcome with education and simply getting people comfortable with the technology. If we had this solution from day one on all e-commerce sites today nobody would be complaining because people would be used to doing it. It is a question of achieving ubiquity rather than taking a piecemeal approach to implementation. It is a matter of if you do it at one place or every place. If you have to do it at only one location that makes that site really secure. If all sites ask the same question, you get used to it.
Consumer authentication is also something that requires buy-in from issuers, acquirers and merchants. It is a participation solution where the issuer and the acquirer have to be participating in it. If you are an e-commerce site and you are certified with Verified by Visa the card brands proprietary version of 3-D Secure, if the card issuer has not embraced that, then the security will not happen.
Increasing number and frequency of breaches is slowly eroding consumers’ trust in the safety of e-commerce It’s not good for the whole ecosystem. At some point people will come back and say, this is too risky to do online transactions with cards. Before that point is reached, businesses should improve their online defenses, and consumer authentication is central to that defense. With the U.S. payments infrastructure in the process of transitioning to the Europay/MasterCard/Visa (EMV) chip card standard at the physical POS, fraud in the United States will sharpen its focus on the less secure online channel. EMV will do a lot of good in terms of card present security, but it does not do anything for card-not-present environments. So how are we going to contain the online fraud? We have to go to a 3-D Secure type solution
Posted in Best Practices for Merchants Tagged with: 3-D Secure online authentication, card, card present security, card-not-present, chargebacks, chip, chip card, consumer, data security, e-commerce, e-commerce merchants, EMV, Europay/MasterCard/Visa, fraud, Merchant's, online authentication, online channel, online fraud, online shoppers, online transactions, payment service, payments industry, POS, sales conversion, technology, Verified, visa
May 29th, 2014 by Elma Jane
New enhancements intended to provide its U.S. cardholders with greater protection from fraud and identity theft has been announced by MasterCard.
All MasterCard credit, debit, prepaid and small business cards issued in the U.S. will now carry Identity Theft Resolution assistance. MasterCard new program will provide help in canceling missing cards and alerting credit reporting agencies, as well as targeting searches to detect if stolen personal and confidential data appears online. The new Identity Theft coverage extension begins in July 2014.
MasterCard is also extending its zero liability policy in the U.S. to include all MasterCard PIN-based and ATM transactions. This is in addition to coverage already provided on signature debit and credit transactions. The Zero Liability coverage extension takes effect in October 2014.
Fraud prevention and detection is a 24/7 job at MasterCard. The changes in cardholder protection is a combined efforts to move the U.S. payments industry to EMV chip technology will help deliver safer shopping experiences to consumers. MasterCard noted that tanks and financial institutions issuing MasterCard-branded cards provide financial indemnity against fraud.
Posted in Credit card Processing, Credit Card Security, EMV EuroPay MasterCard Visa, Visa MasterCard American Express Tagged with: ATM transactions, business cards, cardholders, credit, credit reporting agencies, credit transactions, data, debit, EMV, EMV chip technology, financial institutions, fraud, Fraud prevention, identity theft, Identity Theft Resolution assistance, MasterCard, payments industry, PIN, prepaid, zero liability policy
May 23rd, 2014 by Elma Jane
State senate in California is advancing a bill SB 1351, mandates April 1, 2016, that would require California-based bankcard issuers and retailers to adopt Europay/MasterCard/Visa (EMV) chip card technology. SB 1351 bill is introduced March of 2014, passed out of committee on May 6 and may be voted on by the full senate as early as tomorrow, May 22nd.
Additionally, the bill specifies that any contracts entered into by financial institutions and card brands on or after Jan. 1, 2015, would have to include the provision that any new or replacement cards issued after April 1, 2016, be EMV compliant. The rationale for the bill comes from oft-cited evidence that EMV cards substantially reduce fraud.
In April 2014, Sen. Hill stated, My legislation holds all stakeholders accountable to protect consumers from scam artists who use fake cards to game the system.
The Electronic Transactions Association, however, does not see the issue the same way. Passing a single state technology standard will open the floodgate to additional state responses and create an expensive, unsafe and inefficient myriad of technology standards, the ETA said. The ETA is urging payment professionals in California to contact their legislators and let their opinions be heard.
The bill initially mandated Oct. 1, 2015, as the deadline for EMV implementation, which is the date set by Visa Inc. and MasterCard Worldwide for retailers to be EMV complaint or face potential fines in case of fraud. The bill also makes exceptions for small retailers and convenience stores/gas stations; they have until Oct. 1, 2017, to transition to EMV.
Posted in Best Practices for Merchants, Credit card Processing, EMV EuroPay MasterCard Visa Tagged with: bankcard, card brands, card technology, cards, chip, consumers, Electronic Transactions Association, EMV, EMV compliant, EMV implementation, ETA, Europay/MasterCard/Visa, fake cards, financial institutions, fraud, MasterCard, payment professionals, retailers, scam, small retailers, technology standards, Visa Inc.
May 12th, 2014 by Elma Jane
New iPhone and VeriFone-made shell combination that can accept chip and PIN card payments. Apple’s revamp in its in-store mPOS system
In 2009, Apple introduced its EasyPay mPOS technology. It consists of an iPod Touch and a shell made by Infinite Peripherals that includes a card swiper and a barcode scanner.
As first reported by 9to5mac,the iPod is now being replaced by an iPhone while VeriFone is being brought in to provide a new shell which will cater for chip and PIN payments as the US finally gets ready for the switch to EMV. The shell also has a spot above the PIN pad that opens the way for NFC contactless payments, according to Forbes. Apple has long been expected to equip the iPhone with NFC but has so far ignored the technology.
Separately, mPOS giant Square has ditched its Wallet app, pulling it from the Google and Apple stores. The app has failed to take off since its launch in 2011, despite the support of Starbucks. It has been replaced by Square Orders, which lets users order and pay ahead at participating merchants and then pick up their goods when they are ready.
Posted in Best Practices for Merchants, Mobile Payments, Mobile Point of Sale, Point of Sale, Smartphone Tagged with: app, Apple stores, Apple's, barcode, barcode scanner, card, card swiper, chip, contactless payments, EasyPay, EMV, Forbes, google, in-store mPOS, Infinite Peripherals, Iphone, iPod, iPod Touch, Merchant's, MPOS, mPOS giant, mPOS system, mPOS technology, nfc, NFC contactless payments, PIN, PIN card, PIN card payments, PIN pad, Square, Starbucks, swiper, verifone, Wallet app