October 8th, 2014 by Elma Jane

When the PCI Security Standards Council (PCI SSC) launched PCI DSS v3.0 in January 2014, businesses were given one year to implement the updated global standard. Now that the deadline is fast approaching, interest is picking up in what v3.0 entails. On Jan. 1, 2015, version 3.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) will reach year one of its three-year lifecycle.

Trustwave, a global data security firm, is on the frontlines of helping secure the networks of merchants and other businesses on the electronic payments value chain against data breaches. As an approved scanning vendor, Trustwave is used by businesses to achieve and validate PCI DSS compliance.

PCI DSS v3.0 is business as usual for the most part, except for a few changes from v2.0 that Trustwave considers impactful for large swaths of merchants. The top three changes involve e-commerce businesses that redirect consumers to third-party payment providers, the expansion of penetration testing requirements, and the data security responsibilities of third-party service providers.

Penetration testing

Penetration testing is the way in which merchants can assess the security of their networks by pretending to be hackers and probing networks for weaknesses. v3.0 of the PCI DSS mandates that merchants follow a formal methodology in conducting penetration tests, and that methodology goes well beyond what merchants can accomplish using off-the-shelf penetration testing software solutions.

Merchants that are self-assessing and using such software are going to be surprised by the rigorous new methodology they are now expected to follow.

Additionally, the penetration testing requirements in v3.0 raise the compliance bar for small merchants who self-assess. Under v2.0, those merchants could lower the scope of their compliance responsibilities by segmenting their networks, which essentially walls off data-sensitive areas of networks from the larger network. In this way merchants could reduce their compliance burdens and not have to undergo penetration testing.

Not so in v3.0. If you do something to try to reduce the scope of the PCI DSS to your systems, you now need to perform a penetration test to prove that those boundaries are in fact rigid.

Redirecting merchants

The new redirect mandate affects some, but not all, e-commerce merchants that redirect customers to a third party to collect payment details, typically when they are ready to pay for online purchases. If you are a customer and you go to a website and add something to your shopping cart, when it comes time to enter your credit card, this redirect says: I’m going to send you off to this third party.

The redirect can come in several forms. It can be a direct link from the e-commerce merchant’s website to another website, such as in a PayPal Inc. scenario, or it can be done more silently.

An example of the silent method is the use of an iframe, HTML code used to display one website within another website. Real estate on the merchant’s website is used by the third party in such a way that consumers don’t even know that the payment details they input are being collected and processed, not by the e-commerce site, but by the third party.

Another redirect strategy is accomplished via pop-up windows for the collection of payments in such environments as online or mobile games. In-game pop-up windows are typically used to get gamers to pay a little money to purchase an enhancement to their gaming avatars or advance to the next level of game activity.

For merchants that employ these types of redirect strategies, PCI DSS v3.0 makes compliance much more complicated. In v2.0, such merchants that opted to take Self Assessment Questionnaires (SAQs), in lieu of undergoing on-site data security assessments, had to fill out the shortest of the eight SAQs. But in v3.0, such redirect merchants have to take the second longest SAQ, which entails over 100 security controls.

The PCI SSC made this change because of the steady uptick in the number and severity of e-commerce breaches, with hackers zeroing in on exploiting weaknesses in redirect strategies to steal cardholder data. Also, redirecting merchants may be putting themselves into greater data breach jeopardy when they believe that third-party payment providers on the receiving end of redirects are reducing merchants’ compliance responsibilities, when that may not, in fact, be the case.

Service providers

A service provider is any entity that stores, processes or transmits payment card data. Examples include gateways, web hosting companies, back-up facilities and call centers. The update to the standard directs service providers to clearly articulate in writing which PCI requirements they are addressing and which areas of the PCI DSS are the responsibility of merchants.

A web hosting company may tell a merchant that the hosting company is PCI compliant. The merchant then thinks they have nothing left to do. The reality is that there is still always something a merchant needs to do; they just didn’t always recognize what that was.

In v3.0, service providers, specifically value-added resellers (VARs), also need to assign unique passwords, as well as employ two-factor authentication, to each of their merchants in order to remotely access the networks of those merchants. VARs often employ weak passwords or use one password to access multiple networks, which makes it easier for fraudsters to breach multiple systems.

The PCI SSC is trying to at least make it more difficult for the bad guys to break into one site and then move to the hub, so to speak, and then go to all the other different spokes with the same attack.

Overall, v3.0 is more granular by more accurately matching appropriate security controls to specific types of merchants, even though the approach may add complexity to merchants’ compliance obligations. On the whole a lot of these changes are very positive.


Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security

September 5th, 2014 by Elma Jane

Businesses are rapidly adopting a third-party operations model that can put payment data at risk. Today, the PCI Security Standards Council, an open global forum for the development of payment card security standards, published guidance to help organizations and their business partners reduce this risk by better understanding their respective roles in securing card data. Developed by a PCI Special Interest Group (SIG) including merchants, banks and third-party service providers, the information supplement provides recommendations for meeting PCI Data Security Standard (PCI DSS) requirement 12.8 to ensure payment data and systems entrusted to third parties are maintained in a secure and compliant manner.

Breach reports continue to highlight security vulnerabilities introduced by third parties as a leading cause of data compromise. The leading mistake organizations make when entrusting sensitive and confidential consumer information to third-party vendors is not applying the same level of rigor to information security in vendor networks as they do in their own. Per PCI DSS Requirement 12.8, if a merchant or entity shares cardholder data with a third-party service provider, certain requirements apply to ensure continued protection of this data will be enforced by such providers. The Third-Party Security Assurance Information Supplement focuses on helping organizations and their business partners achieve this by implementing a robust third-party assurance program.

Produced with the expertise and real-world experience of more than 160 organizations involved in the Special Interest Group, the guidance includes practical recommendations on how to:

Conduct due diligence and risk assessment when engaging third party service providers to help organizations understand the services provided and how PCI DSS requirements will be met for those services.

Develop appropriate agreements, policies and procedures with third-party service providers that include considerations for the most common issues that arise in this type of relationship. 

Implement a consistent process for engaging third-parties that includes setting expectations, establishing a communication plan, and mapping third-party services and responsibilities to applicable PCI DSS requirements.

Implement an ongoing process for maintaining and managing third-party relationships throughout the lifetime of the engagement, including the development of a robust monitoring program. 

The guidance includes high-level suggestions and discussion points for clarifying how responsibilities for PCI DSS requirements may be shared between an entity and its third-party service provider, as well as a sample PCI DSS responsibility matrix that can assist in determining who will be responsible for each specific control area.
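A gap check over two such responsibility matrices, as an added example that is not from the information supplement: the requirement subset, its labels and both parties' written answers are constructed, and the check shows how each party pointing at the other, a disagreement over "shared", or a requirement nobody wrote down leaves a control unowned, and what remains on the merchant's plate even when the provider says it is compliant.

```python
"""Responsibility-matrix gap check (added example; not PCI SSC material).

Assumptions: REQUIREMENTS is a constructed subset of PCI DSS requirement
numbers with paraphrased labels, and the two matrices are hypothetical
answers from a hosting provider and a merchant, each stating who they
believe owns the control: "provider", "merchant" or "shared".
"""
from typing import Dict, List

# Constructed subset of requirement areas (labels paraphrased, not official text).
REQUIREMENTS = {
    "1": "Firewall configuration",
    "2": "No vendor-supplied defaults",
    "3": "Protect stored cardholder data",
    "6": "Secure systems and applications",
    "8": "Identify and authenticate access",
    "10": "Track and monitor access",
    "11": "Test security systems (incl. penetration testing)",
    "12": "Information security policy",
    "12.8": "Manage service providers",
}


def find_gaps(provider_view: Dict[str, str],
              merchant_view: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare the two written statements and group requirements by problem.

    missing                 : at least one party has no entry at all
    pointing_at_each_other  : provider says "merchant", merchant says "provider"
    disagree                : any other mismatch (e.g. "shared" vs "provider")
    """
    gaps: Dict[str, List[str]] = {
        "missing": [], "pointing_at_each_other": [], "disagree": []}
    for req in REQUIREMENTS:
        p = provider_view.get(req)
        m = merchant_view.get(req)
        if p is None or m is None:
            gaps["missing"].append(req)
        elif p == "merchant" and m == "provider":
            gaps["pointing_at_each_other"].append(req)
        elif p != m:
            gaps["disagree"].append(req)
    return gaps


def merchant_todo(provider_view: Dict[str, str]) -> List[str]:
    """Requirements the merchant still owns, given only the provider's statement.

    Anything the provider does not explicitly claim ("merchant", "shared", or
    simply absent from its matrix) is treated as the merchant's responsibility.
    """
    return [req for req in REQUIREMENTS
            if provider_view.get(req, "merchant") != "provider"]


# Constructed sample: the hosting provider's written matrix ...
PROVIDER_VIEW = {"1": "provider", "2": "provider", "3": "provider",
                 "6": "shared", "8": "merchant", "10": "provider",
                 "11": "shared", "12": "merchant", "12.8": "merchant"}
# ... and the merchant's assumption that "PCI compliant hosting" covers it all.
MERCHANT_VIEW = {"1": "provider", "2": "provider", "3": "provider",
                 "6": "provider", "8": "provider", "10": "provider",
                 "11": "provider", "12": "merchant"}

if __name__ == "__main__":
    for kind, reqs in find_gaps(PROVIDER_VIEW, MERCHANT_VIEW).items():
        for req in reqs:
            print(f"{kind:22s} {req:5s} {REQUIREMENTS[req]}")
    print("merchant still owns:", merchant_todo(PROVIDER_VIEW))
```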

PCI Special Interest Groups are PCI community-selected and developed initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs. As part of its initial proposal, the group also made specific recommendations that were incorporated into PCI DSS requirements 12.8 and 12.9 in version 3.0 of the standard. One of the big focus areas in PCI DSS 3.0 is security as a shared responsibility. This guidance is an excellent companion document to the standard in helping merchants and their business partners work together to protect consumers’ valuable payment information.

Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security

August 7th, 2014 by Elma Jane


Recent high-profile cyberattacks at retail giants like Target and Neiman Marcus have highlighted the importance of protecting your business against point-of-sale (POS) security breaches. Often, the smallest merchants are the most vulnerable to these types of cyberthreats. The latest of these POS attacks is known as Backoff, a malware with such brute force that the U.S. Department of Homeland Security (DHS) has gotten involved. The DHS recently released a 10-page advisory that warns retailers about the dangers of Backoff and tells them how they can protect their systems. Backoff and its variants are virtually undetectable (a low to zero percent detection rate) by most antivirus software, thus making it more critical for retailers to make sure their networks and POS systems are secure.

How Backoff works

Backoff infiltrates merchant computer systems by exploiting remote desktop applications, such as Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2 and LogMeIn, among others. Attackers then use these vulnerabilities to gain administrator and privileged access to retailer networks. Using these compromised accounts, attackers are able to launch and execute the Backoff malware on POS systems. The malware then makes its way into computer and network systems, gathers information and then sends the stolen data to cybercriminals. The advisory warns that Backoff has four capabilities that enable it to steal consumer credit card information and other sensitive data: scraping POS and computer memory, logging keystrokes, Command & Control (C2) communication, and injecting the malware into explorer.exe. Although Backoff is a newly detected malware, forensic investigations show that Backoff and its variants have already struck retailers three times since 2013, the advisory revealed. Its known variants include goo, MAY, net and LAST.

Prevent a Backoff attack

To mitigate and prevent Backoff malware attacks, the DHS’ recommendations include the following:

Configure network security. Reevaluate IP restrictions and allowances, isolate payment networks from other networks, use data leakage and compromised account detection tools, and review unauthorized traffic rules.

Control remote desktop access. Limit the number of users and administrative privileges, require complex passwords and two-factor authentication, and automatically lock out users after inactivity and failed login attempts.

Implement an incident response system. Use a Security Information and Event Management (SIEM) system to aggregate and analyze events and have an established incident response team. All logged events should also be stored in a secure, dedicated server that cannot be accessed or altered by unauthorized users.

Manage cash register and POS security. Use hardware-based point-to-point encryption, use only compliant applications and systems, stay up-to-date with the latest security patches, log all events and require two-factor authentication.
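Detection logic for the remote desktop access and SIEM recommendations above, as an added example that is not part of the DHS advisory: it counts failed remote-desktop logins per user and source over constructed gateway log lines (the log format, host name and addresses are assumed, using documentation IP ranges), raises a lockout when the failure threshold is reached inside the window, and flags a login that succeeds while that lockout should still be in force as a possible compromised account.

```python
"""SIEM-style rule for remote-desktop login abuse (added example, not DHS code).

Assumptions: a remote-desktop gateway ("rdgw") emits one line per login
attempt in the constructed format below; the real lockout is enforced by
the gateway or directory policy, this rule only decides when to alert.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# Constructed sample events (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
SAMPLE_LOG = """\
2014-08-01T02:13:05Z rdgw result=FAIL user=admin src=203.0.113.7
2014-08-01T02:13:09Z rdgw result=FAIL user=admin src=203.0.113.7
2014-08-01T02:13:12Z rdgw result=FAIL user=admin src=203.0.113.7
2014-08-01T02:13:15Z rdgw result=FAIL user=admin src=203.0.113.7
2014-08-01T02:13:19Z rdgw result=FAIL user=admin src=203.0.113.7
2014-08-01T02:13:24Z rdgw result=OK user=admin src=203.0.113.7
2014-08-01T03:00:00Z rdgw result=FAIL user=clerk src=198.51.100.2
2014-08-01T09:00:00Z rdgw result=OK user=clerk src=198.51.100.2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) rdgw result=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

FAIL_THRESHOLD = 5              # failures per (user, source) ...
WINDOW = timedelta(minutes=5)   # ... within this window trigger a lockout


def parse(log: str) -> List[dict]:
    """Turn raw lines into dicts with a datetime timestamp; unparseable lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a production rule would count these too; malformed logs hide attacks
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def detect(log: str) -> List[Tuple[str, str, str]]:
    """Return alerts as (kind, user, src), in time order.

    'lockout'             : FAIL_THRESHOLD failures for one user from one source within WINDOW
    'success-after-burst' : a successful login while that lockout should still be active,
                            i.e. the lockout was not enforced or the password was guessed
    """
    alerts: List[Tuple[str, str, str]] = []
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    locked_until: Dict[Tuple[str, str], datetime] = {}
    for ev in sorted(parse(log), key=lambda e: e["ts"]):
        key, ts = (ev["user"], ev["src"]), ev["ts"]
        q = recent[key]
        while q and ts - q[0] > WINDOW:   # drop failures that fell out of the window
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ts)
            if len(q) >= FAIL_THRESHOLD and locked_until.get(key, ts) <= ts:
                locked_until[key] = ts + WINDOW
                alerts.append(("lockout", ev["user"], ev["src"]))
                q.clear()                 # start counting afresh once the lockout expires
        elif key in locked_until and ts < locked_until[key]:
            alerts.append(("success-after-burst", ev["user"], ev["src"]))
    return alerts


if __name__ == "__main__":
    for kind, user, src in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: user={user} src={src}")
```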


Posted in Point of Sale

May 27th, 2014 by Elma Jane

The BACPAC Act, which establishes a site-neutral bundled payment model for Medicare post-acute care (PAC), was introduced earlier this week. According to a press release from the Partnership for Quality Home Healthcare, the proposed payment structure would have PAC coordinators and their networks of post-acute care providers manage patient care through a 90-day, site-neutral bundled payment that would be initiated upon a patient’s discharge from the hospital.

The CEO of The Partnership for Quality Home Healthcare said in the organization’s statement that the proposed legislation offers pro-patient solutions that are founded on years of research and analyses. Additionally, those solutions support a more effective and efficient delivery of quality post-acute care services.

As the population ages, the need for well-managed post-acute care will become a pressing necessity for the sustainability of our healthcare system. The BACPAC Act of 2014 represents positive Medicare reform that benefits patients, providers and taxpayers alike.

One of the major changes that the bill hopes to make is to reduce hospital readmissions. As the Partnership for Quality Home Healthcare explained, readmissions are a common cost-driver in PAC. However, the proposed legislation creates strong incentive for patients to be placed in the most clinically-appropriate, cost-effective setting. From there, it is more likely that patients would receive more efficient care through their treatment plan.

The bill stemmed from the BACPAC analysis that was proposed by the Alliance for Home Health Quality and Innovation in January. The analysis compiled and explained the benefits of bundled payment options for post-acute care, as well as how providers can control costs. If implemented correctly, bundling payments for chronic care management, rehabilitative and other forms of post-acute care could lead to more efficiency across care settings and encourage care coordination among providers. In the current fee-for-service system, care coordination is often overlooked, resulting in unnecessary tests, procedures and costs to the Medicare program that often do not improve patient care or outcomes. Medicare could see up to $100 billion in savings over 10 years by moving patients into different settings and reducing spending by certain degrees.


Posted in Medical Healthcare

May 8th, 2014 by Elma Jane

The complexity derives from PCI’s Data Security Standards (DSS), which include up to 13 requirements that specify the framework for a secure payment environment for companies that process, store or transmit credit card transactions.

Make PCI DSS Assessment Easier

Training and educating employees. Technical employees should obtain any certifications or training classes necessary so that they can operate and monitor the security control set in place. Non-technical employees must be trained on general security awareness practices such as password protection, spotting phishing attacks and recognizing social engineering. All the security controls and policies in the world will provide no protection if employees do not know how to operate the tools in a secure manner. Likewise, the strongest 42-character password with special characters, numbers, mixed case, etc. is utterly broken if an employee writes it on a sticky note attached to their monitor.

For an organization to effectively manage its own risk, it must complete a detailed risk analysis of its own environment. The goal of the risk analysis is to determine the threats and vulnerabilities to the services performed and the assets of the organization. As part of a risk assessment, the organization should define critical assets, including hardware, software and sensitive information, and then determine risk levels for those components. This in turn allows the organization to determine priorities for reducing risk. It is important to note that risks should be prioritized first for systems that will be in scope for PCI DSS and then for other company systems and networks.

Once the risk assessment has been completed the organization should have a much clearer view of its security threats and risks and can begin determining the security posture of the organization. Policies and procedures form the foundation of any security program and comprise a large percentage of the PCI DSS requirements. Business leaders and department heads should be armed with the PCI DSS requirements and the results of the risk analysis to establish detailed security policies and procedures that address the requirements but are tailored to business processes and security controls within the organization.

Building upon the foundation of security policies, the committee of business leaders and department heads should now review the PCI DSS requirements in detail and discuss any potential compliance gaps and establish a remediation plan for closing those gaps. This is where it is important to have the full support of business leaders who can authorize necessary funds and manpower to implement any remediation activities.

This is also the time to schedule the required annual penetration testing. These tests are typically performed by third parties, although that is not required, and they can take some time to schedule, perform and remediate (if necessary). The results of a PCI DSS assessment will be delayed until the penetration test is completed, so now is the time to schedule the test.

At this point the organization is ready for a full-scale PCI DSS assessment and can now enter a maintenance mode where periodic internal audits occur and regular committee meetings are held to perform risk assessments and update policies, procedures, and security controls as necessary to respond to an ever changing threat landscape. PCI DSS must become integrated into the everyday operation of the organization so that the organization remains secure and to ease the burden of the annual assessments.

Payment Card Industry (PCI) compliance assessment is a major task for any size organization, but you can make it easier.


Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security

December 2nd, 2013 by Elma Jane

The Europay, Mastercard, and Visa (EMV) standards are considered safer and are widely used across Europe and other nations. The chip-based cards require insertion of the card into a terminal for the duration of a transaction, a break here from our traditional swipe-and-buy behavior. That’s just one way in which EMV changes things here… but it’s not the only way, nor is it the most important way. By way of reminder, October 2015 is the date by which all restaurants and other merchants are due to have implemented these standards, or potentially be liable for counterfeit fraud; the change primarily reflects a shift from magnetic-stripe credit cards to chip cards.

The main driver in the EMV migration is card-related financial fraud. As an example, card fraud in the United Kingdom has traditionally been considerably higher than here in the States, primarily because the U.K. previously used offline card authorization as opposed to the online card methodology used here. As losses due to fraud rose steadily in Europe, despite the best efforts of global law enforcement agencies to reduce it, the pressure to find a solution built around some alternative authentication strategy mounted. From this concern, EMV was born.

Is it working? Recent statistics from the European Central Bank (ECB) revealed that, despite growing card usage, fraud in the Single Euro Payments Area (SEPA), a mature EMV territory that includes all 28 members of the European Union, Finland, Iceland, Liechtenstein, Monaco and Norway, fell 7.6% between 2007 and 2011. This decline is underpinned by a slowdown in the growth of ATM fraud as well as a 24% drop in fraud carried out at point of sale terminals. The 2008 Canadian roll-out of Chip and PIN had a dramatic impact on fraud there. Card skimming had accounted for losses totaling $142 million, but that figure dropped to $38.5 million in 2009, according to figures provided by the Interac Association. Some critics point to the fact that most of this decrease comes in the form of face-to-face card fraud, and that criminals merely shift their focus onto some other area that is less anti-fraud focused. Still, there are positive gains and as technologies improve, more successes are sure to follow.

Part of the reason why the U.S. has not embraced EMV sooner is because our fraud problem, while significant, has typically been among the lowest rates in the world among highly developed, economically mature countries. Much of that is due to the online authentication methods at work here. Here at home, our online authentication methodology permits authorizations to be done in real time, thus thwarting a significant percentage of the fraudulent attempts at the point of sale, the best place to stop fraud. Our online authentication methods also incorporate multiple fraud and risk parameters as well as advanced neural networks that are ‘built-in’ to the approval process. It’s been a highly effective system that works well, when compared to most alternatives. The effectiveness of our authentication processes has helped fuel the resistance to full EMV adoption here. However, the EMV migration has gained momentum to the point where it is only a matter of time. The truth is that, despite the gains in preventing credit card fraud, and despite the best efforts of EMV’s backers to push acceptance through, global adoption of the EMV standard is still considerably less than 100%.

In England’s old offline authentication method, credit card transactions were gathered together at specific times, typically at the end of the business day, and then batched over to the card issuers for authorization. It’s a method that gave those committing fraud a significant time lag between the transaction and the authorization, and this time lag contributed greatly to the higher levels of fraudulent activity in England. However, for Europe and for much of the rest of the world, adoption of the EMV technologies changes things dramatically, at least in terms of authentication protocols for both online and offline purchases. During an offline transaction using the EMV chip card, the payment terminal communicates with the integrated circuit chip (ICC) embedded in the payment card. This is a break from the old method, which involved using telecommunications to connect with the issuing bank. The ICC / terminal connection enables real-time card authentication, cardholder verification and payment authorization offline. Alternatively, in an online EMV transaction, the chip generates a cryptogram that is authenticated by the card issuer in real time.

Posted in Electronic Payments, EMV EuroPay MasterCard Visa, Financial Services, Near Field Communication, Payment Card Industry PCI Security, Visa MasterCard American Express

October 18th, 2013 by Elma Jane

Verifone Ruby 2 POS (product image)

VeriFone Systems announced today the availability of Commander Site Controller, the company’s next generation site management solution, and Ruby2, a touch-screen point of sale (POS) solution, both designed to provide greater efficiency, faster payment acceptance and new management capabilities that maximize profit potential for convenience store retailers.

Commander Site Controller is purpose-built for rugged c-store environments and combines site, payment and forecourt control in one device, creating additional flexibility in store configuration. Its future-proof system architecture includes expansion slots and ports for additional capacity and functionality. Additionally, Commander Site Controller features 100 percent IP communication for increased speed of EMV transactions.

Ruby2 is the next evolution of VeriFone’s Ruby POS platform, a 20-year leader in the petroleum industry. It features a fully-touchscreen console that increases checkout speed by providing fast and efficient order and payment processing, and a smaller footprint for increased counter space. Ruby2 is compatible with the latest VeriFone product offerings, including customer engagement media solutions, site management software to efficiently manage multiple locations seamlessly, and the latest in fuel control management.

VeriFone is taking petroleum retail and c-store operations to new heights of efficiency and manageability. These next-generation systems build on the success of the Sapphire site controller and original Ruby POS systems with the ability to expand in order to meet customers’ future needs.

Commander Site Controller’s cloud-based management software platform, Commander Console, enables owners to remotely and simultaneously complete PLU price changes, tax rate adjustments, fuel price changes and promotional updates in real time for multiple site locations from any web-enabled device or mobile app for iOS and Android tablets and smartphones.

Ruby2 will be available this fall on certain networks while Commander Site Controller is available today on certain networks.


Posted in Credit card Processing, Electronic Payments, Mobile Point of Sale, Point of Sale

October 3rd, 2013 by Elma Jane

Here’s how a typical credit card transaction works:
When a consumer pays with a credit card, the merchant sends the details of the transaction along with the credit card information to the merchant’s bank. The merchant’s bank forwards the information to the cardholder’s bank for approval. If approved, the cardholder’s bank sends the required amount to the merchant’s bank, minus the merchant discount rate. The credit card companies don’t receive any revenue directly from interchange rates. Instead they make their money by charging the banks fees for networks, transactions and other kinds of services.

Up until April 2008, interchange rates were simple and inflexible. At that point, the company decided to move to a more dynamic system.

Interchange rates now vary from card to card, depending on the types of services and incentives offered. Typically, premium cards, which come with rewards for things like travel, cost merchants more to process. The rates also vary by type of transaction, and even by type of retailer. At times, the card companies have, for example, set special rates for grocery and gas retailers in a bid to boost credit-card use in locations where cash and debit traditionally dominated. The card companies have also introduced a growing number of premium and even super-premium cards that cost merchants more to process. The cards appeal to consumers because they contain a number of attractive incentives, such as travel and other rewards. The changes in the rate structure followed a change in the credit card companies’ business model in the mid 2000s.

Visa and MasterCard evolved from private associations owned mainly by the banks they serviced to publicly traded, profit-driven entities beholden to a wide range of shareholders. Merchants say the fees they pay to accept credit cards are rising as a result and have become increasingly unpredictable. Critics of the credit card companies say the merchant is a powerless middleman in a system that entices consumers to use their cards and banks to reap the benefits.

The credit card companies say the system benefits everyone, including merchants, by providing a rapid, secure form of payment.

Every time you use your credit card to make a purchase, the merchant pays what is called the “merchant discount fee.” The merchant discount fee is calculated as a percentage of the good or service purchased. It can range from 1.5 per cent to 3 per cent. On a $100 item, for example, the merchant could pay a fee of between $1.50 and $3. The merchant discount fee covers a number of things, such as terminal rentals, fraud protection and transaction slips. But the biggest component of it is based on the interchange rate, which is set by the credit card companies.

In a complicated twist, the credit card companies don’t make any money from the interchange rate. The banks do. The interchange rate is what makes the credit card system work. This rate ensures the banks have a financial incentive to issue and accept credit cards.

Posted in Credit card Processing, Electronic Payments, Merchant Services Account, Visa MasterCard American Express