July 7th, 2015 by Elma Jane

A cashless society is about to happen, hard as that is for some to believe. Are we on the edge of a new, cashless world where mobile payments reign supreme? If so, is this a bad thing? For some people, yes, because for them change can be scary.

Every revolution needs a good crisis in order to grow its seed. The cashless revolution is the same. Current global financial conditions serve as the potential crisis, and truly the cashless revolution is upon us. Society is on the brink of great economic change, which will likely usher in a new era of worldwide, electronic currencies. The cashless society is coming.

Advances in mobile payment options are evidence of this impending cashless society. Consider the practical benefits of mobile payments for the consumer. The most obvious is convenience. Many people prefer swiping their smartphone atop a scanner to carrying around a stack of cash. Electronic payments are traceable, which is useful for tracking one’s spending and can add a sense of security. Also, carrying around large stacks of cash isn’t always feasible or safe.

Mobile payments also offer interested individuals a way to incorporate social media into their purchases; they can check in to a site and tell all their friends about an exciting new product they bought, or announce their presence at a new coffee shop, all with that same initial swipe of an NFC-enabled phone. Add to this the many practical benefits of mobile payments as far as business owners are concerned, and it’s easy to see why the technology is becoming so widespread.

And yet for all the benefits of mobile payments and point of sale technology, the two don’t necessarily exclude cash. Other companies focus on blending cash transactions with POS. This allows technologically savvy businesses to incorporate POS and mobile payment technology into their business, without excluding potential customers who prefer to use cash.

We aren’t necessarily evolving towards a cashless society, but towards a society with a plethora of payment options. POS technology is all about options. Want to pay with a swipe of your credit card? Swipe your credit card. Want to tap your NFC-enabled phone against a console? Tap and go. Want to pull a crisp twenty-dollar bill from your wallet and walk away from the counter with milk and eggs in your hand and a handful of coins jingling in your pocket? Go for it.

The question is: Will we ever become a truly cashless society? Maybe, maybe not, but as mobile payments become increasingly common, cash may very well fall into the retro category.

Posted in Best Practices for Merchants, Mobile Payments, Near Field Communication, Point of Sale

May 14th, 2015 by Elma Jane

The way customers pay in stores is changing.

Chip cards are here to provide advanced security with every transaction. Accepting chip cards could be as simple as changing your payment terminal.

What do you need to know about chip cards and EMV? Chip cards are payment cards that have an embedded chip, which offers advanced security when you use the card to pay in store. Chip cards are based on a global card payment standard called EMV (Europay, MasterCard and VISA), currently used in more than 80 countries.

Why is it more secure? Chip card transactions offer you advanced security for in-store payments by making every transaction unique and more difficult to counterfeit or copy. If the card data and the one-time code are stolen, the information cannot be used to create counterfeit cards and commit fraud.
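An added sketch, not part of the original post, of why a captured one-time code cannot be reused: the chip signs each transaction with a key that never leaves the card plus a counter, and the issuer declines anything it cannot recompute or has already seen. HMAC-SHA256, the class and function names and the card number are assumptions for illustration; real EMV cards use their own cryptogram algorithms.

```python
"""Added illustration: a per-transaction code versus static card data."""
import hashlib
import hmac
import os
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class AuthRequest:
    pan: str               # card number: static, so it can be copied
    amount_cents: int
    terminal_nonce: bytes  # unpredictable value chosen by the terminal
    counter: int           # transaction counter kept inside the chip
    cryptogram: bytes      # the per-transaction "one-time code"


def _mac(key, pan, amount_cents, terminal_nonce, counter):
    # Stand-in for the card's cryptogram: a keyed MAC over the transaction.
    msg = "|".join([pan, str(amount_cents), terminal_nonce.hex(), str(counter)])
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()[:8]


class ChipCard:
    def __init__(self, pan, key):
        self.pan = pan
        self._key = key      # lives only in the chip and at the issuer
        self._counter = 0

    def authorize(self, amount_cents, terminal_nonce):
        self._counter += 1   # every transaction gets a fresh counter value
        code = _mac(self._key, self.pan, amount_cents, terminal_nonce, self._counter)
        return AuthRequest(self.pan, amount_cents, terminal_nonce, self._counter, code)


class Issuer:
    def __init__(self):
        self._keys = {}
        self._last_counter = {}

    def issue_card(self, pan):
        key = os.urandom(32)
        self._keys[pan] = key
        self._last_counter[pan] = 0
        return ChipCard(pan, key)

    def verify(self, req):
        key = self._keys.get(req.pan)
        if key is None:
            return "declined: unknown card"
        expected = _mac(key, req.pan, req.amount_cents, req.terminal_nonce, req.counter)
        if not hmac.compare_digest(expected, req.cryptogram):
            return "declined: bad cryptogram"
        if req.counter <= self._last_counter[req.pan]:
            return "declined: counter already used"
        self._last_counter[req.pan] = req.counter
        return "approved"


def run_scenarios():
    issuer = Issuer()
    card = issuer.issue_card("4000000000000002")  # constructed sample number
    genuine = card.authorize(2500, os.urandom(4))
    results = {"genuine": issuer.verify(genuine)}
    # The same captured message presented a second time.
    results["replayed"] = issuer.verify(genuine)
    # The captured code attached to a different transaction.
    altered = replace(genuine, amount_cents=99900, counter=genuine.counter + 1)
    results["reused_code_new_amount"] = issuer.verify(altered)
    # A copy of the static data only: without the chip key the code is a guess.
    guess = _mac(os.urandom(32), card.pan, 2500, b"\x00" * 4, genuine.counter + 1)
    forged = AuthRequest(card.pan, 2500, b"\x00" * 4, genuine.counter + 1, guess)
    results["counterfeit_no_key"] = issuer.verify(forged)
    # The real card keeps working.
    results["next_genuine"] = issuer.verify(card.authorize(1200, os.urandom(4)))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:24} {outcome}")
```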

How do you know if a customer has a chip card? The customer’s card will have a chip on the front of it; the magnetic stripe remains on the back.

How do customers use a chip card at the POS? They swipe the card as they normally would and follow the prompts. If the terminal is chip-enabled, it will prompt them to insert it instead. The customer should insert their card with the chip toward the terminal, facing up. The chip card should not be removed until the customer is prompted.

The customer will provide their signature or PIN as prompted by the terminal.

Some transactions may not require either.

When the terminal says the transaction is complete, the customer can remove their card.

Chip-enabled terminals will still accept magnetic stripe card payments for customers who do not have a chip card.

What does a chip-enabled terminal look like? They have all of the features you are used to with a payment terminal, with the addition of a slot for the customer to insert their card. The slot is typically located at the bottom or the top of the payment terminal.

How will you know if a terminal accepts chip cards? During the transition to chip, customers are being told to swipe their card as they normally would and follow the prompts. If the terminal is chip-enabled, it will prompt them to insert it instead. If you have chip-enabled terminals, you can tell a customer who has a chip card to insert it for a chip transaction.

How can you get a chip-enabled terminal? Contact your acquirer or merchant service provider.

Show your customers that you care about their information security by making the move to chip. This will ensure that your business and your customers are protected from fraud. Start accepting chip cards!

You may be liable for fraud if you don’t make the change to a chip terminal. Starting October 2015, rules are changing. Merchants that accept chip will be protected from fraud losses resulting from in-store counterfeit magnetic stripe card transactions, just as they are today. However, liability will shift from issuers to merchants if their payment terminals are not chip-enabled for in-store transactions. Fraud liability for lost or stolen cards varies by payment network. Contact your acquirer or payment services provider for more information.

Posted in Best Practices for Merchants, Credit Card Reader Terminal, Credit Card Security, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security, Point of Sale

March 10th, 2015 by Elma Jane

If you can’t accept credit cards for your business, you are losing out on potential revenue. Most people don’t carry more than $20 in cash with them at a time, and people who use credit cards tend to spend more than their cash-carrying counterparts.

These days you can turn your smartphone or tablet into a credit card reader, but which service should you choose? What do you need to consider when deciding?

NTC is here to help you understand all the intricacies of taking credit card payments with your smartphone or tablet.

Credit card readers, or wedges, are useful in a variety of industries and for businesses of all sizes: an arts and crafts business accepting credit card payments at conventions and other events; a pub that gives its servers credit card readers so that customers don’t have to pay for everything at the bar; a delivery business whose POS system with mobile integration can swipe your card on the spot rather than taking credit cards over the phone when you order.

If you work in one of these fields it might be time to think about getting a wedge:

Arts and crafts vendors: Do you sell your wares at conventions, art shows, and other big events? You could be a book reseller, an artist, a jewelry maker, a clothing retailer, or even a makeup seller.

Food Service: Food trucks were among the earliest adopters of mobile card readers, but there is no shortage of restaurants that are using them now. There are companies that offer POS systems in addition to their mobile card readers, which is perfect for delivery services.

Service providers: If you don’t have a brick-and-mortar office or base of operation where customers visit you, or if you conduct your business in your customers’ homes (carpet cleaners, plumbers, lawn care, mobile dog groomers, exterminators, etc.), a credit card reader/wedge gives you flexibility and credibility, as well as added security.

Understanding the Costs of Accepting Credit Card Payments

In the traditional business model, to accept credit card payments you would have to set up a merchant account. A merchant account typically entails a detailed look at your credit history and business.

Credit card companies assess a small fee to merchants for processing payments. With merchant accounts and card readers, the cost is built in and deducted automatically, so you don’t have to worry about paying it yourself. With a merchant account, you typically get lower rates because of the decreased risk.

It’s not just the standard fees that you need to worry about when you want to accept credit card payments. There are costs hidden everywhere, so let’s address some of these issues:

Internet Availability

Typically, smartphone and tablet card readers need some sort of Internet connectivity, via a cellular signal or Wi-Fi. Most smartphones these days are capable of becoming Wi-Fi hotspots, so you can create your own Wi-Fi. However, this option relies on your phone’s data plan. The more transactions you make, the more data you use.

Compatibility

You also need to make sure that your devices are compatible with the card reader. Check the list of compatible devices before you commit to one service over another.

Also note that you’re usually going to have to enable location services on your phone.

Card Compatibility, Manual Entry Fees, Location

There are card readers that seem to work best with a specific device. You’re typically going to pay more for manually entering credit card numbers because of the greater risk: the card doesn’t have to be physically present to complete the transaction.

Likewise, you’re usually going to pay more for accepting international cards, and you’re not always going to be able to accept payments outside the U.S.

Taxes and Tips

Several mobile credit card readers will let you add sales tax to the base purchase without requiring you to calculate it, which is handy if you’re not fond of math or just want the transaction to go more quickly.

As an alternative, you can build the sales tax into the listed prices, which some of your customers might appreciate.

Finally, depending on your industry, you may want to check that the credit card reader you use allows your customers to add a tip.

Time to Get Your Money

The final cost to consider for credit card readers is more of a convenience fee than anything: it’s the time before you can access your money.

If you’re in a high-risk industry or have a high volume of business, you are probably better off obtaining a merchant account and using one of their mobile solutions.

You’re also going to want to worry about refunds and chargebacks. If, for whatever reason, a consumer complains to his or her credit card company and there’s a chargeback.

Features to Look For in Your Credit Card Reader

Features-wise, you can at least expect the basics to remain consistent across smartphone credit card readers: you can swipe cards, manually key them in, and issue receipts. It’s the little things that will ultimately set one service provider apart from the rest. Some of the things you may want to look out for include:

Record-Keeping for Cash and Checks

Sure, you can manage your cash intake the old-fashioned way and let your bank deal with checks. But some credit card readers (which don’t actually require you to swipe cards, but more on that later) will let you create digital receipts for cash and check transactions as well.

POS Integration

Depending on your needs, you might want to look for a service that has easy POS integration.

E-Commerce Integration

Likewise, look for easy integration with an online store, if you have one. Easy integration is ideal for centralizing your accounts.

Accounting Integration & More

Do you use an accounting service? If so, you might prefer the ability to transfer your data directly from your card swiping service to your accounting software.

Invoicing

If you do custom orders, offer services, or provide goods to a business, you’re all too familiar with invoices. With some services, you can generate invoices through them and send them to clients via email. The biggest advantage to this is simply that you get your money quicker because there’s no need to cut a check and send it through snail mail.

Voids and Refunds

It’s unfortunate, but you do need to make accommodations to process refunds and void transactions. Sometimes your finger slips on a key and you don’t notice until afterward, and sometimes the customer just changes their mind. Make sure that you understand how to use these features in whichever service you choose.

Card Reader Design

Needless to say, there is more than a bit of awkwardness in trying to balance a phone with a 5.1-inch screen in your hand while also stabilizing the card reader and swiping the card, especially when you’re working with limited table space. It’s worth looking at the card reader and the device it’s attached to and making sure that the design works for you.

Permissions for Multiple Users

Do you have several employees? The ability to give permissions to multiple users comes in handy here. With it, you can enable employees (or your friends) to accept payments without giving them full access to your account. This is great if you happen to have multiple booths at events, or if you send multiple employees out on location and each one needs to be able to accept payments.

Accepting credit card payments doesn’t have to be a terrifying prospect, even if you’re running just a small-time business. You can get a mobile credit card reader for free in many cases, and while you won’t pay the lower fees associated with traditional merchant accounts, the costs are still readily manageable. What you need to consider are the hidden costs — not necessarily in the service providers, but the ones that come from using a data connection, or requiring Wi-Fi. How soon you get your money should also be a top priority.


Posted in Best Practices for Merchants, Credit Card Reader Terminal, Mobile Payments, Mobile Point of Sale, Smartphone, smartSD Cards

January 12th, 2015 by Elma Jane

Mobile Point of Sale (POS) systems have rocked the retail world and the trending topic when it comes to POS is all about the mobile kind. When one searches the term POS, nearly every article that comes up is all about mobile, and many seem to believe it will change the retail industry.

Is traditional POS on its way out? Not so fast.

While mobile POS is indeed a hot topic, it is likely to be an enhancement, rather than a replacement, to traditional POS.

There is definitely a need, and a place, for both.

Everyone was certain that dot.coms would eradicate brick-and-mortar stores; they are still alive and well, and traditional brick-and-mortar stores have, like traditional POS, embraced the Internet and allowed it to serve them in the capacity of extension.

Retailers everywhere have incorporated the Internet into their business model by creating multi-channel sales strategies, such as e-commerce, digital marketing, social media marketing, online product information, specifications, reviews and online customer service.

In addition to their online presence, these same retailers have started to bring the Internet in-house by integrating such services as customer-centric promotions at point of sale, introducing loyalty programs and member registration, facilitating digital signage, offering e-receipts via email, and self-checkout centers; all at the traditional POS kiosk.

Why bother with mobile POS anyway?

While it is true that traditional POS systems won’t be going anywhere soon, and with good reason, mobile POS systems have allowed retailers to make great strides when it comes to efficiency and customer service, as well as customer satisfaction.

Since the advent of Mobile POS, companies have made big changes in the way they handle customer transactions in-store, thus affording faster checkout, waiting line reduction, consultative selling, and more.

The list of mobile POS benefits goes on and on:

Email Receipts: Better for the environment, more convenient for customers and faster to process. A digital purchase receipt sent via email tells the customer that you care about the earth and about them.

Expanded Reach: With mobile POS, your sales are no longer confined within the four walls of your brick and mortar store. Sidewalk sales, seasonal mall kiosks, and special sponsorship events are just a few examples of all the places you can take your retail sales to, with a POS in hand.

Inventory and Price Search: When customers can be assisted with finding an item color, size or availability on the spot, rather than having to wait in line to do so, it makes them happier. The same can be said for pricing. POS in the hands of store reps can go a long way toward customer satisfaction.

Inventory Return Stations: There is always a certain volume of returns, but that volume increases for retailers particularly after the holidays. The implementation of mobile POS allows for retailers to set up additional return stations in order to avoid long lines and customer frustrations.

Mobile POS goes Mobile: Your investment in your company POS system doesn’t need to be one size fits all, regardless of store traffic volume in one location or another. Retailers may opt to have a blowout sale in one location, and thus require additional checkout power for that location for a specific period of time. With mobile POS, devices and licensing can be utilized throughout different store locations on an as-needed basis.

Optional Seasonal Subscription: The great thing about mobile POS is that you needn’t pay for a POS system year-round if you’re not using it year-round. Seasonal spikes in retail sales warrant the additional cost of extra POS licensing and hardware, but the rest of the year your budget shouldn’t need to encompass more than what is needed. Mobile lets you better manage your overall POS investment.

Storewide Promotion Opportunities: Mobile POS has allowed retailers to drive sales in various sections of the store by holding demonstrations or promotions in different departments to tout products or services. Customers can be marketed to, and sold to, on the spot.

The growing industry of mobile payments doesn’t stop at in-store mobile POS. Digital wallets like Google Wallet and Apple Passbook, mobile-to-mobile cell phone transfers, Near Field Communication (NFC) payments, mobile device credit card swipe and other emerging technologies are quickly changing our cash and credit card world.

What about traditional POS?

Mobile payment systems are indeed terrific. So, when should you consider going with traditional POS? The reality is, in addition to the aforementioned benefits of traditional checkout kiosk functions, there are times when mobile POS simply will not suffice.

Mobile POS is great when a customer wants to choose and pay for one item while on the sales room floor, but what about when the customer has a multitude of items? Ringing up and bagging groceries, removing anti-theft mechanisms, neatly folding and bagging clothing items and managing the sales of numerous agents, stations or departments are just a few examples of situations that often require the traditional POS checkout station.

By combining traditional POS strategies with mobile POS flexibility, retailers can leverage the command of a complex, and multi-dimensional, marketing and retail sales management system.

Posted in Best Practices for Merchants, Mobile Payments, Mobile Point of Sale, Point of Sale

September 10th, 2014 by Elma Jane

Merchants go into business to make a sale. They go to great lengths to advertise their business, and then they make a sale and don’t track it. They don’t track the very customer they went into business to attract. That seems crazy. But now more companies are embracing the practice of collecting email addresses at the point of sale (POS), and they’re doing so with increasing regularity. For example, when customers are at the cash register, many brick-and-mortar stores now offer to email them receipts.

Confidently collect email addresses at POS:
Your email service provider should be able to implement a text-to-join acquisition program for you that executes quickly and can be built specifically to mitigate the risks around POS data collection.

Instead of relying on sales associates to accurately input email addresses, your customers can use SMS to text their email addresses to your short code.

Customers receive an immediate SMS reply message letting them know to check their email for their receipt.

A mobile-optimized receipt is immediately emailed to the address.

This can be followed by an email inviting customers to join your company’s email program. Offering a purchase discount can increase opt-ins. New joiners can be sent an age verification email, if relevant.

Your welcome email, including discount coupon, is sent and the relationship starts off on the right foot.

Besides increasing your confidence about POS email address collection, a text-to-join program can increase your acquisition rates. It can engage those customers who prefer to provide their information privately via their mobile devices. It can help protect companies against potential blacklisting by avoiding typos and using confirmed opt-ins. It can even reduce overhead costs by saving sales associates valuable time. Understanding these important email address collection issues and adopting the prescribed best practices are critical to ensuring customers have a safe, positive and valuable experience with your company at the point of sale and beyond.

Virtual Merchant can collect data too, and as a provider we can help merchants use that data. We are committed to providing appropriate protection for the information that is collected from customers who visit the website and use the Virtual Merchant payment system. The Privacy Policy is updated from time to time. The website is provided to our customers as a business service and use of the site is limited to customers only.

If the merchant never makes a sale before 10, why do they open at 9? This is only one small example of how collecting data first and then analyzing that data can shape businesses and find money you may be throwing away.

Posted in Best Practices for Merchants, Mobile Point of Sale, Point of Sale

September 10th, 2014 by Elma Jane

If your business is considering an iPad point-of-sale (POS) system, you may be up for a challenge. Not only can the plethora of providers be overwhelming, but you must also remember that not all iPad POS systems are created equal. iPad POS systems do more than process payments and complete transactions. They also offer advanced capabilities that streamline operations. For instance, they can eliminate manual data entry by integrating accounting software, customer databases and inventory counts in real time, as each transaction occurs. With these systems, you get 24/7 access to sales data without having to be in the store. The challenge, however, is knowing which provider and set of features offer the best iPad POS solution for your business. iPad POS systems vary in functionality far more than traditional POS solutions and are often targeted at specific verticals rather than the entire market. For that reason, it’s especially important to compare features between systems to ultimately select the right system for your business.

To help you choose a provider, here are things to look for in an iPad POS system.

Backend capabilities

One of the biggest benefits of an iPad POS system is that it offers advanced features that can streamline your entire operation. These include backend processes, such as inventory tracking, data analysis and reporting, and social media integration. As a small business, two of the most important time-saving and productivity-boosting features to look for are customer relationship management (CRM) capabilities and connectivity to other sales channels. You’ll want an iPad POS that has robust CRM and a customizable customer loyalty program. It should tell you which products are most and least frequently purchased by specific customers at various store locations. It should also be able to identify the frequent VIP shoppers from the less frequent ones at any one of your store locations, creating the ultimate customer loyalty program for the small business owner. If you own an online store or use a mobile app to sell your products and services, your iPad POS software should also be able to integrate those online platforms with in-store sales. Not only will this provide an automated, centralized sales database, but it can also help increase total sales. You should be able to sell effortlessly through online, mobile and in-store channels. Why should your customers be limited to the people who walk by your store? Your iPad POS should be able to help you sell your products through more channels, online and on mobile. E-commerce and mobile commerce (mCommerce) aren’t just for big box retailers.

Cloud-based

The functions of an iPad POS solution don’t necessarily have to stop in-store. If you want to have anytime, anywhere access to your POS system, you can use one of the many providers with advanced features that give business owners visibility over their stores, records and backend processes using the cloud. The best tablet-based POS systems operate in the cloud and allow you to operate them from any location you want. With a cloud-based iPad POS system, businesses can keep tabs on stores in real time using any device, as well as automatically back up data. This gives business owners access to the system on their desktops, tablets or smartphones, even when not inside their stores. Using a cloud-based system also protects all the data that’s stored in your point of sale so you don’t have to worry about losing your data or, even worse, getting it stolen. Because the cloud plays such a significant role, businesses should also look into the kind of cloud service an iPad POS provider uses. In other words, is the system a cloud solution capable of expanding, or is it an app on the iPad that is not dependent on the Internet? Who is the cloud vendor? Is it a premium vendor? The type of cloud a provider uses can give you an idea about its reliability and the functions the provider will offer.

Downtime and technical support

As a small business, you need an iPad POS provider that has your back when something goes wrong. There are two types of customer support to look for: Downtime support and technical support.

iPad POS systems are often cheaper and simpler than traditional systems, but that doesn’t mean you can ignore the product support needs. The POS is a key element of your business and any downtime will likely result in significant revenue loss. You could, for instance, experience costly downtime when you lose Internet connectivity. iPad POS systems primarily rely on the Web to perform their core functions, but this doesn’t mean that when the Internet goes down, your business has to go down, too. Many providers offer offline support to keep your business going, such as Always on Mode. The Always on Mode setting enables your business to continue running even in the event of an Internet outage. Otherwise, your business will lose money during a loss of connectivity. Downtime can also happen due to technical problems within the hardware or software. Most iPad POS providers boast of providing excellent tech support, but you never really know what type of customer service you’ll actually receive until a problem occurs.

Test the friendliness of customer service reps by calling or emailing the provider with questions and concerns before signing any contracts. This way, you can see how helpful their responses are before you purchase their solution. Your POS is the most important device in your store. It’s essentially the gateway to all your transactions, customer data and inventory. If anything happens to it, you’ll need to be comfortable knowing that someone is there to answer your questions and guide you through everything.

Grows with your business

All growing businesses need tech solutions that can grow right along with them. Not all iPad POS systems are scalable, so look for a provider that makes it easy to add on more terminals and employees as your business expands. Pay attention to how the software handles growth in sales and in personnel. As a business grows, so do its sales volume and the required software capabilities. Some iPad POS solutions are designed for very small businesses, offering very limited features and transactions. If you have plans for growth, look for a provider that can handle the changes in transactions your business will be going through. Find out about features and customization. Does the system do what you want it to do? Can it handle large volume? How much volume? What modules can you add, and how do you interface to third parties? You should also consider the impacts of physical expansion and adding on new equipment and employees. If there are plans in the future for you to open another store location, you’ll need to make sure that your point of sale has the capabilities of actually handling another store location without adding more work for you. If you plan on hiring more employees for your store, you’ll also want to know that the solution you choose can easily be learned, so onboarding new staff won’t take up too much of your time.

Security

POS cyber attacks have risen dramatically over the past couple of years, making it more critical than ever to protect your business. Otherwise, it’s not just your business information at risk, but also your reputation and entire operation. iPad POS system security is a bit tricky, however. Unlike credit card swipers and mobile credit card readers, which have long-established security standards, namely Payment Card Industry (PCI) compliance, the criteria for the iPad hardware itself as a POS terminal aren’t quite so clear-cut. Since iPads cannot be certified as PCI compliant, merchants must utilize a point-to-point encryption system that leaves the iPad out of scope. This means treating the iPad as its own system, which includes making sure it doesn’t save credit-card information or sensitive data on the iPad itself. To stay protected, look for PCI-certified, encrypted card swipers.
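One way to check that no card numbers are being saved, as an added example that is not part of the original post: scan a folder of files exported from the POS device (logs, caches, receipts) for digit runs that pass the Luhn check and report them masked. The folder layout, file names and sample contents are constructed for illustration, and only plain and 4-digit-grouped number formats are matched.

```python
"""Added example: look for stored card numbers in files exported from a POS device."""
import os
import re
import tempfile
from typing import NamedTuple

# 13-19 digits, written plain or in groups of four split by a space or dash.
CANDIDATE = re.compile(r"(?<!\d)(?:\d{4}[ -]?){3}\d{1,7}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Card-number checksum: filters out order ids, timestamps and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep first six and last four so the report itself holds no full number."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


class Finding(NamedTuple):
    path: str
    line_no: int
    masked: str


def scan_text(text: str, path: str = "<text>") -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if 13 <= len(digits) <= 19 and luhn_ok(digits):
                findings.append(Finding(path, line_no, mask(digits)))
    return findings


def scan_tree(root: str, max_bytes: int = 5_000_000) -> list:
    findings = []
    for dirpath, dirs, files in os.walk(root):
        dirs.sort()             # deterministic walk order
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            if os.path.getsize(full) > max_bytes:
                continue        # skip very large files in this sketch
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "r", encoding="utf-8", errors="ignore") as fh:
                findings.extend(scan_text(fh.read(), rel))
    return findings


# Constructed sample export; 4111111111111111 is a widely used test number.
SAMPLE_FILES = {
    "logs/app.log": (
        "2015-09-10 10:02:11 sale ok order=1234567890123456 total=25.00\n"
        "2015-09-10 10:02:12 DEBUG swipe raw card=4111111111111111 exp=12/17\n"
    ),
    "cache/receipt_0001.txt": "Paid with card 4111 1111 1111 1111\nThank you\n",
    "prefs/settings.txt": "store_id=0042\nlast_four=1111\n",
}


def demo() -> list:
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(f"{finding.path}:{finding.line_no}: {finding.masked}")
```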

 

 

Posted in Best Practices for Merchants, Mobile Point of Sale, Point of Sale

September 4th, 2014 by Elma Jane

The move to mobile point of sale (mobile POS) is radically changing the face of customer interactions and payments, as both customers and merchants grow increasingly comfortable with the concept of mobile payments. In the current, crowded marketplace most mobile payment solutions are not compatible with each other. Instead of unifying the payment experience they create islands separated by technology or usage that are tailored to individual providers in the market. Multiple devices are currently needed in-store to process different payment types and the challenge is how they can make payments unified in such a way that only one device is needed in store.

The use of cash by customers also adds a level of complication to the mobile POS story. The removal of IDM terminals, the removal of customer queues and the ability for customers to simply walk up and pay an assistant, or to leave a store and have their bank card automatically debited, certainly suit the expectations of customers today. However, a large number of customers still use traditional cash methods to pay for goods and services. A number of stores that have gone down the route of implementing mobile POS now have a problem dealing with cash, because the wandering shop assistants and personal shoppers can only accept card or web-based payment options. The future for mobile POS has the potential to be bright, but a dominant player will have to emerge in the market. This will break down the technology barriers and usage barriers between different players. The success of mobile POS lies in the payment process being truly unified, with one device in one place and a very seamless workflow. This will be a very complicated thing to achieve; there have been a lot of attempts and a lot of false starts in the history of mobile POS. MPOS will be the future. Five years from now people will be amazed that they did transactions with landlines. No child will ever see a telephone with a cord attached, or popcorn made on top of the stove, since we developed microwave ovens. Technology changes, and we are slow to adopt new stuff. Once we change, we don’t know how we did without it.

Posted in Best Practices for Merchants, Mobile Payments, Mobile Point of Sale, Point of Sale, Smartphone

August 28th, 2014 by Elma Jane

Merchants are still using pedestrian passwords that crooks can easily break, security company Trustwave has found. Of the nearly 630,000 stored passwords that Trustwave obtained during penetration tests in the past two years, its technicians were able to crack more than half in just a few minutes and 92% within 31 days. Even though adding new information about weak passwords or ongoing malware investigations gets frustrating because the same problems facing the financial and payments industries persist, it does not surprise Trustwave researchers. For a lot of software or hardware developers, their main concern is availability of the service. They want to make sure their POS is available and running to accept credit cards, often at the cost of a lot of security controls. It is difficult to implement security and to do it correctly.

Trustwave recommends longer passwords with more characters, rather than shorter ones with letters and numbers. A longer password that is a phrase not easily figured out is better than a shorter, complex password. These findings have been added to an online version of the 2014 Trustwave Global Security Report. To accommodate the fast changing nature of security threats, Trustwave is regularly updating its research and making the information available to consumers and payments industry stakeholders on the company’s site. The criminals stealing data are a constantly moving target. It no longer made sense for those interested in our research to have to wait a year to see new statistics. Having access to updated security reporting should be helpful to merchants. They can see how trends are tracking over time, instead of constantly having to go online to see what is relevant to them or rely on the trade groups to keep them informed. This provides one switch to keep them in the know, so there is some value there and it’s a smart move on Trustwave’s part. Since the new Payment Card Industry security requirements call for security measures to be embedded in software development lifecycles, there is some utility in Trustwave’s new approach to sharing research information.

Trustwave said the trend of businesses detecting breaches continues to rise, with 29% of businesses doing so in 2013 compared to only 9% in 2009. Trustwave compiled that data from 691 post-breach forensics investigations conducted in 2013. The report also indicated e-commerce breaches are increasing, with 54% of all breaches targeting e-commerce sites in 2013, compared to only 9% in 2010. More regions, including the U.S., being in various stages of converting to EMV chip-based cards for card-present transactions fuels the criminals’ shift to e-commerce fraud. Additionally, the company is working with law enforcement officials after discovering a control center of eight servers behind what is being called Magnitude, an exploit kit of Russian origin that has led to thousands of attacks and millions of attempted malware attacks globally.

Posted in Best Practices for Merchants, Payment Card Industry PCI Security, Point of Sale

August 27th, 2014 by Elma Jane

Backoff malware that has attacked point of sale systems at hundreds of businesses may accelerate adoption of EMV chip and PIN cards and two-factor authentication as merchants look for ways to soften the next attack. Chip and PIN is a big thing, because it greatly diminishes the value of the information that can be trapped by this malware, said Trustwave, a security company that estimates about 600 businesses have been victims of the new malware. The malware uses infected websites to infiltrate the computing devices that host point of sale systems or are used to make payments, such as PCs, tablets and smartphones. Merchants can install software that monitors their payments systems for intrusions, but the thing is you can’t just have anti-virus programs and think you are safe. Credit card data is particularly vulnerable because the malware can steal data directly from the magnetic stripe or keystrokes used to make card payments.

The point of sale system is low-hanging fruit because a lot of businesses don’t own their own POS system. They rent them, or a small business may hire a third party to implement their own point of sale system. The Payment Card Industry Security Standards Council issued new guidance this month to address security for outsourced digital payments. EMV-chip cards, which are designed to deter counterfeiting, would gut the value of any stolen data. With magnetic stripe data, the crooks can clone the card and sell it on the black market. With chip and PIN, the data changes for each transaction, so each transaction is unique. Even if the malware grabs the data, there is not a lot the crooks can do with it. The EMV transition in the U.S. has recently accelerated, driven in part by recent high-profile data breaches. Even with that momentum, the U.S. may still take longer than the card networks’ October 2015 deadline to fully shift to chip-card acceptance.

EMV does not by itself mitigate the threat of breaches. Two-factor authentication, or the use of a second channel or computing device to authorize a transaction, will likely share in the boost in investment stemming from data security concerns. The continued compromise of point of sale merchants through a variety of vectors, including malware such as Backoff, will motivate the implementation among merchants of stronger authentication to prevent unauthorized access to card data.

Backoff has garnered a lot of attention, including a warning from the U.S. government, but it’s not the only malware targeting payment card data. It is not the types of threats that are new, but rather the frequency with which they are occurring, which has put merchants on their heels. There is also an acute need to educate small merchants on both the threats and respective mitigation techniques. The heightened alert over data vulnerability should boost the card networks’ plans to replace account numbers with substitute tokens to protect digital payments. Tokens would not necessarily stop crooks from infiltrating point of sale systems, but like EMV technology, they would limit the value of the stolen data. There are two sides to the equation, the issuers and the merchants. To the extent we see both sides adopt tokenization, you will see fewer breaches and they will be less severe because the crooks will be getting a token instead of card data.

Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security, Point of Sale

August 21st, 2014 by Elma Jane

Package delivery giant UPS has become the latest company to admit that customer payment card details may be at risk after it discovered malware at 51 of its US stores. In a statement, UPS says that customers who used credit and debit cards at 51 of its 4470 franchised sites between 20 January and 11 August are at risk. Names, postal and email addresses and payment card information may all be compromised, but UPS says that it has no evidence of any fraud, and that the malware has now been eliminated. Earlier this month the US government took the step of putting out an alert warning retailers about a new family of malware, dubbed Backoff, targeting point-of-sale systems. The UPS Store, among many other US retailers, received a bulletin from the government that made them aware of the problem. As soon as they became aware of the potential malware intrusion, they deployed extensive resources to quickly address and eliminate the issue. Customers can be assured that they have identified and fully contained the incident. US merchants have found themselves under siege from hackers in recent months, with the most notable case seeing thieves use a vendor’s credentials to infect POS devices with malware and steal the details of around 40 million Target customer cards.

Posted in Best Practices for Merchants, Credit Card Security