August 28th, 2014 by Elma Jane
Merchants are still using pedestrian passwords that crooks can easily break, security company Trustwave has found. Of the nearly 630,000 stored passwords that Trustwave obtained during penetration tests in the past two years, its technicians were able to crack more than half in just a few minutes and 92% within 31 days. Even though adding new information about weak passwords or ongoing malware investigations gets frustrating because the same problems facing the financial and payments industries persist, it does not surprise Trustwave researchers. For a lot of software or hardware developers, their main concern is availability of the service. They want to make sure their POS is available and running to accept credit cards, often at the cost of a lot of security controls. It is difficult to implement security and to do it correctly.
Trustwave recommends longer passwords with more characters, rather than shorter ones with letters and numbers. A longer password that is a phrase not easily figured out is better than a shorter, complex password. These findings have been added to an online version of the 2014 Trustwave Global Security Report. To accommodate the fast changing nature of security threats, Trustwave is regularly updating its research and making the information available to consumers and payments industry stakeholders on the company’s site. The criminals stealing data are a constantly moving target. It no longer made sense for those interested in our research to have to wait a year to see new statistics. Having access to updated security reporting should be helpful to merchants. They can see how trends are tracking over time, instead of constantly having to go online to see what is relevant to them or rely on the trade groups to keep them informed. This provides one switch to keep them in the know, so there is some value there and it’s a smart move on Trustwave’s part. Since the new Payment Card Industry security requirements call for security measures to be embedded in software development lifecycles, there is some utility in Trustwave’s new approach to sharing research information.
Trustwave said the trend of businesses detecting breaches continues to rise, with 29% of businesses doing so in 2013 compared to only 9% in 2009. Trustwave compiled that data from 691 post-breach forensics investigations conducted in 2013. The report also indicated e-commerce breaches are increasing, with 54% of all breaches targeting e-commerce sites in 2013, compared to only 9% in 2010. More regions, including the U.S., being in various stages of converting to EMV chip-based cards for card-present transactions fuels the criminals’ shift to e-commerce fraud. Additionally, the company is working with law enforcement officials after discovering a control center of eight servers behind what is being called Magnitude, an exploit kit of Russian origin that has led to thousands of attacks and millions of attempted malware attacks globally.
August 21st, 2014 by Elma Jane
Package delivery giant UPS has become the latest company to admit that customer payment card details may be at risk after it discovered malware at 51 of its US stores. In a statement, UPS says that customers who used credit and debit cards at 51 of its 4470 franchised sites between 20 January and 11 August are at risk. Names, postal and email addresses and payment card information may all be compromised, but UPS says that it has no evidence of any fraud, and that the malware has now been eliminated. Earlier this month the US government took the step of putting out an alert warning retailers about a new family of malware, dubbed Backoff, targeting point-of-sale systems. The UPS Store, among many other US retailers, received a bulletin from the government that made them aware of the problem. As soon as they became aware of the potential malware intrusion, they deployed extensive resources to quickly address and eliminate the issue. Customers can be assured that they have identified and fully contained the incident. US merchants have found themselves under siege from hackers in recent months, with the most notable case seeing thieves use a vendor’s credentials to infect POS devices with malware and steal the details of around 40 million Target customer cards.
August 19th, 2014 by Elma Jane
In response to the third-party threat, the PCI Security Standards Council has published a guide to help organizations and their business partners reduce risk by better understanding their respective roles in securing card data.
The Third-Party Security Assurance Information Supplement provides guidance and practical recommendations to help businesses and their partners protect data, including:
Conduct due diligence and risk assessment when engaging third party service providers to help organizations understand the services provided and how PCI DSS requirements will be met for those services.
Develop appropriate agreements, policies and procedures with third-party service providers that include considerations for the most common issues that arise in this type of relationship.
Implement an ongoing process for maintaining and managing third-party relationships throughout the lifetime of the engagement, including the development of a robust monitoring program.
Implement a consistent process for engaging third-parties that includes setting expectations, establishing a communication plan, and mapping third-party services and responsibilities to applicable PCI DSS requirements.
One of the big focus areas in PCI DSS 3.0 is security as a shared responsibility. This guidance is an excellent companion document to the standard in helping merchants and their business partners work together to protect consumers’ valuable payment information.
August 11th, 2014 by Elma Jane
Tokenization technology has been available to keep payment card and personal data safer for several years, but it’s never had the attention it’s getting now in the wake of high-profile breaches. Still, merchants, especially smaller ones, haven’t necessarily caught on to the hacking threat or how tools such as tokenization limit exposure. That gap in understanding places ISOs and agents in an important place in the security mix; it’s their job to get the word out to merchants about the need for tokenization. That can begin with explaining what it is.
The biggest challenge that ISOs will see, and are seeing, is this lack of awareness of the threats that are impacting that business sector. Data breaches are happening at small businesses, and even if merchants get past the point of accepting that they are at risk, they have no clue what to do next. Tokenization converts payment card account numbers into unique identification symbols for storage or for transactions through payment mechanisms such as mobile wallets. It’s complex and not enough ISOs understand it, even though it represents a potential revenue-producer, and the industry as a whole is confused over tokenization standards and how to deploy and govern them.
ISOs presenting tokenization to merchants should echo what security experts and the Payment Card Industry Security Council often say about the technology. It’s a needed layer of security to complement EMV cards. EMV takes care of the card-present counterfeit fraud problem, while tokenization deters hackers from pilfering data from a payment network database. The Target data breach during the 2013 holiday shopping season haunts the payments industry. If Target’s card data had been tokenized, it would have been worthless to the criminals who stole it. It wouldn’t have stopped malware access to the database, but it would have been as though criminals breaking into a bank vault found, instead of piles of cash, poker chips that only an authorized user could cash at a specific bank.
A database full of tokens has no value to criminals on the black market, which reduces risk for merchants. Unfortunately, the small merchants have not accepted the idea, or the reality, that there is malware attacking their point of sale and that they are being exposed. That’s why ISOs should determine the level of need for tokenization in their markets. It is always the responsibility of those who are interacting with the merchant to have the knowledge for the market segment they are in. If you are selling to dry cleaners, you probably don’t need to know much about tokenization, but if you are selling to recurring billing or e-commerce merchants, you probably need a lot more knowledge about it.
Tokenization is critical for some applications in payments. Any sort of recurring billing that stores card information should be leveraging some form of tokenization. Whether the revenue stream comes directly from tokenization services or it is bundled into the overall payment acceptance product is not the most important factor. The point is that it’s an important value to the merchant to be able to tokenize the card number in recurring billing, but ISOs sell tokenization products against a confusing backdrop of standards developed for different forms of tokenization. EMVCo, which the card brands own, establishes guidelines for EMV chip-based smart card use. It’s working on standards for “payment” tokenization with the Clearing House, which establishes payment systems for financial institutions. Both entities were working on separate standards until The Clearing House joined EMVCo’s tokenization working group to determine similarities and determine whether one standard could cover the needs of banks and merchants.
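The point made in this post, that a merchant database holding only tokens is worthless to a thief while the token service alone can map a token back to a card number, shown as an added example that is not part of the original post. `TokenVault`, the caller names and the token format are hypothetical; the card numbers are the widely published test numbers, and the in-memory dictionaries stand in for an encrypted, access-controlled vault service.

```python
import hashlib
import hmac
import re
import secrets
import string

# Constructed sample data: public test card numbers, not real accounts.
SAMPLE_CUSTOMERS = [("alice", "4111111111111111"), ("bob", "5555555555554444")]

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def luhn_valid(number: str) -> bool:
    """Luhn checksum carried by payment card numbers."""
    if not (number.isascii() and number.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return digit runs in text that look like card numbers (13-19 digits, Luhn-valid)."""
    return [m for m in PAN_RE.findall(text) if luhn_valid(m)]


class TokenVault:
    """Hypothetical token service: the only place a token maps back to a PAN."""

    def __init__(self, authorized_callers):
        self._authorized = frozenset(authorized_callers)
        self._index_key = secrets.token_bytes(32)  # keys the PAN lookup index
        self._token_by_index = {}                  # HMAC(PAN) -> token
        self._pan_by_token = {}                    # stand-in for encrypted storage

    def tokenize(self, pan: str) -> str:
        pan = re.sub(r"[ -]", "", pan)
        if not (13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        index = hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()
        token = self._token_by_index.get(index)
        if token is None:
            # Random letters: the token is not derived from the PAN, so it
            # cannot be reversed; only the last four digits are kept for receipts.
            rand = "".join(secrets.choice(string.ascii_uppercase) for _ in range(20))
            token = f"tok_{rand}_{pan[-4:]}"
            self._token_by_index[index] = token
            self._pan_by_token[token] = pan
        return token  # same card -> same token, so recurring billing keeps working

    def detokenize(self, token: str, caller: str) -> str:
        if caller not in self._authorized:
            raise PermissionError(f"{caller} may not detokenize")
        return self._pan_by_token[token]


def build_merchant_records(vault: TokenVault, customers) -> list:
    """What the merchant's recurring-billing table stores: tokens only."""
    return [{"customer": name, "card": vault.tokenize(pan)} for name, pan in customers]


if __name__ == "__main__":
    vault = TokenVault(authorized_callers={"payment-processor"})
    records = build_merchant_records(vault, SAMPLE_CUSTOMERS)
    print("raw table, card numbers found:  ", find_pans(str(SAMPLE_CUSTOMERS)))
    print("tokenized table, numbers found: ", find_pans(str(records)))
    print("processor charge uses:", vault.detokenize(records[0]["card"], "payment-processor"))
    try:
        vault.detokenize(records[0]["card"], "merchant-web-app")
    except PermissionError as exc:
        print("denied:", exc)
```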
July 21st, 2014 by Elma Jane
European authorities dismantled a Romanian-dominated cybercrime network that used a host of tactics to steal more than EUR2 million. As a direct result of the excellent cooperation and outstanding work by police officers and prosecutors from Romania, France and other European countries, a key criminal network has been successfully taken down this week.
Hundreds of police in Romania and France, backed by the European Cybercrime Centre, carried out raids on 177 addresses, interrogating 115 people and detaining 65. Those held are suspected of participating in sophisticated electronic payment crimes, using malware to take over and gain access to computers used by money transfer services all over Europe. They are also accused of stealing card data through skimming, money laundering and drug trafficking. Proceeds of the crimes were invested in different types of property, deposited in bank accounts or transferred electronically, says the EC3. Large sums of money, luxury vehicles and IT equipment were seized during the raids.
July 14th, 2014 by Elma Jane
French financial services company LCL has introduced a service that securely issues payment card PIN codes to customers via SMS texting. The programme has been introduced initially for cardholders who forget their confidential code when out shopping or withdrawing cash. In a second phase, the bank intends to extend PIN issuance to coincide with the mail-out of newly-created cards.
LCL is using Gemalto’s Netsize platform, which offers direct connections to more than 160 mobile operators globally for message delivery. LCL recognizes the mobile channel as a new opportunity to support their continued drive to optimize card activation rates and be the top-of-wallet choice for payment. Enabling cardholders to get their PIN code on their mobile phone prompts them to start using their banking card as soon as they receive it.
June 19th, 2014 by Elma Jane
API Software Inc. has created an application ISOs can use to help merchants tabulate the best payment services deals. The Square Deal Pro app for the merchant services industry enables sales reps to compare their company’s rates to those of Square, PayPal, Stripe and other payments aggregators. Essentially, the application takes the mathematics burden off of the merchant and helps an ISO or agent compare bundled pricing with interchange-plus pricing.
Frank Haggar, a software developer, started asking merchants why they chose a certain provider and they just said the pricing was simpler. It might be more expensive, but it was easier for them to understand. That moved him to develop Square Deal Pro. It’s software that salespeople can have right on their phones; it makes a comparison and is easy to understand. Square Deal Pro, which operates on iPhones, Android devices and Windows phones, was established as a vendor-neutral tool that is also available for merchants to download if they were inclined to want to crunch numbers themselves. Service providers pay for the application and all of its sales features, but a free version for price comparisons only is available to merchants.
Merchants are experts in what they know how to do and they may not want something that includes math distracting them from that, but the sales rep can do it for them and use it along the lines of a calculator helping someone figure out mortgage rates. ISOs have various tools at their disposal and lock in key information in their brains to prepare for sales presentations, but most will likely find Square Deal Pro a valuable addition. Something that takes complicated pricing schemes and factors it all into an easy interface that puts out a clear comparison that is valuable, certainly out in the field.
API Software has to deliver something difficult or impossible to copy because that would set this permanently apart as opposed to being a lead to other similar products in the market. An ISO can change rates or make adjustments for a client if the numbers show that another provider is offering a less expensive option, but the numbers in the app don’t lie. The app will show how a bundled rate can work in your favor, such as if you are selling Girl Scouts cookies at $3 a box. Then use Square all day long, but an ISO can compare how his product works compared to others and the app can show, that at a certain time, it might be beneficial to switch over.
Square Deal Pro takes into account factors other than interchange rates, including merchant volume, average ticket price and whether transactions are keyed or swiped or both. All of those things determine where you fit in on the diagram of how your rate should be structured. There is a lot of analysis on minimal focal points. The application may also help defuse potential problems with merchants who sometimes feel their sales rep was not providing a fair assessment of pricing structure or comparisons.
As for the application’s name, Haggar doesn’t want any confusion over whether this might be a new Square product.
June 5th, 2014 by Elma Jane
The days of salespeople peddling point of sale terminals by simply pulling hardware out of a box are numbered. That model is being replaced by integrated payments from software developers who add payment capabilities to applications that run at the point of sale, in the back office or on mobile devices.
Integrated payments are becoming common in the restaurant industry, where systems are developed to combine payment acceptance with the ability to manage orders, tables and food delivery. As integrated payments become more common, companies working in the payments industry will seek ways to offer marketing analytics. You tie that type of data to the payment mechanism and you can learn more about your business and your customers.
There is a place in the ecosystem for traditional payment acceptance, but today, when a retailer shops for a point of sale terminal or other business solutions, they expect payments to be part of the integrated bundle. Many of these systems are now delivered in a software-as-a-service model or through tablets, making them cost-effective for businesses of any size.
Integrated commerce includes mobile acceptance, offers, coupons and loyalty. It enables a merchant to buy a point of sale system for the physical store, website and mobile environment at the same time. Then the merchant can send out offers and begin running a loyalty program, while accepting NFC transactions all at once. Merchants can also review transactions from all channels directly from their offices to monitor against data breaches. With those integrated services becoming more readily available for merchants, it is not surprising that the topic comes up when executives discuss their company’s goals.
Relationships with merchants through integrated payments tend to be sticky because it is an embedded solution. You tend to get better pricing because it’s not necessarily an acquiring decision but a POS software/hardware decision and acquiring is part of that package. Payments as a service will be an important global product, selling a terminal now means selling data security, warranty and service, and numerous merchant tools.
May 27th, 2014 by Elma Jane
The BACPAC Act, which establishes a site-neutral bundled payment model for Medicare post-acute care (PAC), was introduced earlier this week. According to a press release from the Partnership for Quality Home Healthcare, the proposed payment structure would have PAC coordinators and their networks of post-acute care providers manage patient care through a 90-day, site-neutral bundled payment that would be initiated upon a patient’s discharge from the hospital.
The CEO for The Partnership for Quality Home Healthcare said in the company statement that the proposed legislation offers pro-patient solutions that are founded on years of research and analyses. Additionally, those solutions support a more effective and efficient delivery of quality post-acute care services.
As the population ages, the need for well managed post-acute care will become a pressing necessity for the sustainability of our healthcare system. The BACPAC Act of 2014 represents positive Medicare reform that benefits patients, providers and taxpayers alike.
One of the major changes that the bill hopes to make is to reduce hospital readmissions. As the Partnership for Quality Home Healthcare explained, readmissions are a common cost-driver in PAC. However, the proposed legislation creates strong incentive for patients to be placed in the most clinically-appropriate, cost-effective setting. From there, it is more likely that patients would receive more efficient care through their treatment plan.
The bill stemmed from the BACPAC analysis that was proposed by the Alliance for Home Health Quality and Innovation in January. The analysis compiled and explained the benefits of bundled payment options for post-acute care, as well as how providers can control costs. If implemented correctly, bundling payments for chronic care management, rehabilitative and other forms of post-acute care could lead to more efficiency across care settings and encourage care coordination among providers. In the current fee-for-service system, care coordination is often overlooked, resulting in unnecessary tests, procedures and costs to the Medicare program that often do not improve patient care or outcomes. Medicare could see up to $100 billion in savings over 10 years by moving patients into different settings and reducing spending by certain degrees.
May 23rd, 2014 by Elma Jane
Before making a purchase, there are several devices that consumers may use to help them make a decision: Use a specific store’s mobile app on their smartphones. Visit the store’s website on a tablet or computer, or just pick up the phone and call customer service to ask a question. Whatever the case, omnichannel is an important buzzword for merchants.
Here are ways to ensure a seamless and secure retail experience to turn browsers into loyal buyers.
Ensure Channels Work Together
Even in historically single-channel retail sectors such as grocery, more than half of customers now use two or more channels before completing a purchase, as shown in a recent study. Retailers must therefore offer both traditional and digital channels. However, before investing in the latest mobile-optimized website feature or app, retailers should learn how existing online and physical channels can together enhance the customer experience. What customers value most is not the number of channels offered, but how these channels support each other.
A merchant’s website might encourage visitors to take advantage of a special event in-store, while sales assistants on the floor can use Wi-Fi enabled tablets to access additional product information.
Help Customers Find What They Want
With Internet access ubiquitous, cost-conscious customers are just a click away from being able to compare prices and find special offers. Many take out their smartphone or tablet in stores to compare prices, a trend called Showrooming.
Online retailers can take advantage of this trend by encouraging shoppers to compare prices in-store using a mobile app. In-store retailers, on the other hand, could provide greater value through targeted offers, price match guarantees, expert advice, convenient delivery choices and personalized customer care.
Optimize The Checkout Experience
Businesses must be sure to have a quick, streamlined checkout process once they have converted an online browser into a customer or else they risk facing shopping cart abandonment. This can be done in a few steps:
1. Assess how the checkout experience can be customized for its customers. Keep the mandatory information required from new or first-time online or mobile shoppers to a minimum and shorten the process for returning customers by securely storing their payment details and other personal information.
2. Develop a dedicated mobile app or other innovative functions that can increase long-term satisfaction and loyalty.
3. Test different payment methods to find those that are most convenient for customers. These payment options may include paying with reward points, using a digital wallet or providing a digital offer or coupon at checkout. There is a balance to be found between having additional payment methods to meet customer expectations and choosing methods appropriate to a merchant’s business model.
4. Establish a one-click online checkout process. Chase, for example, is currently developing a Chase Wallet and Quick Checkout solution. The Chase Wallet will allow customers to store and access their Chase cards and ultimately, any branded card for a quick checkout. It will also update Chase-branded cards when a customer replaces an existing card and use tokenization to securely process payments with select merchants.
Merchants also face the challenge of ensuring that the online and in-store checkout experience is secure, while at the same time eliminating as many false positives as possible. False positives are a hindrance to any business as they may reduce sales, increase chargebacks and frustrate customers. A quick-checkout solution may help reduce false positives because customer information is automatically populated rather than manually keyed into the checkout page.
Acquirers should also work with online retailers to provide a conditional approval code for a transaction. This code allows the fulfillment process to move forward while authentication is taking place. The additional time for a thorough authentication also helps reduce the number of false positives.
Use Data to Build Loyalty
Customers will likely return to a retailer if product marketing reflects their past purchases or interests. Therefore, taking advantage of data including a customer’s purchasing history, loyalty, behavior or social media interests may help retailers to better understand their customers as well as personalize their shopping experience.
According to a study released in March 2013, Chase Paymentech found that 32 percent of merchants use their payment data to help craft their multi-channel sales strategy and 42 percent use it to improve the online customer experience. In addition, further analysis of payment methods, chargeback rates, fraud rates and authorization rates may improve the customer shopping experience and drive overall profitability.