January 17th, 2023 by Admin

Mobile PaymentsMobile payment processing is getting heated competition as priority in the electronic payment industry begins to shift. Retailers and restaurants are switching to cheaper solutions like smartphones and tablets linked to a mobile point of sale system or MPOS. These MPOS applications have devices that connect to a smartphone or tablet via Bluetooth wireless interfaces or through a standard headphone jack on the device. Read more of this article »

Posted in Mobile Payments Tagged with: , , , , , , , , , , , , ,

April 21st, 2015 by Elma Jane

An advanced strain of malware called “Punkey,” is capable of attacking Windows point of sale terminals, stealing cardholder data and upgrading itself while hiding in plain sight.

Researchers from Security vendor Trustwave discovered the new strain. The investigation found compromised payment card information and more than 75 infected, and active, Internet Protocol addresses for Windows POS terminals.

 

 

Punkey poses a unique threat to payment networks, particularly because it also can download updates for itself.

If the malware author has a new feature it wants to add or updates to get rid of bugs, it actually pushes the malware down from the command and control server, revealed by Trustwave’s SpiderLabs research center. Punkey operates like a typical Botnet.

The malware hides inside of the Explorer process, which exists on every Windows device and manages the opening of individual program windows. Punkey scans other processes on the terminal to find cardholder data, which it sends to the control server.

The malware performs key logging, capturing 200 keystrokes at a time. It sends the information back to its server to store passwords and other private information.

A year ago, security vendors warned retailers against using Windows XP at the point of sale, since Microsoft stopped supporting Windows XP security patches. However, even Punkey is not attacking Windows due to any vulnerability in the systems, so even merchants with newer versions of Windows are at risk.

Punkey just runs like any Windows binary would. Even if the system is upgraded or a new system is put in place, criminals are still getting malware on the POS in other ways.

Many retailers use remote desktop support software, which fraudsters take advantage of, they steal a password and install malware like a technician would install any software.

While Punkey represents a more sophisticated POS malware than Trustwave has seen previously, merchants can still protect themselves through attention to basic security best practices.

Merchants should update antivirus and firewall protections, monitor the remote access software, establish two-factor authentication and check network activity daily for anything out of the ordinary. Unfortunately, many organizations have neither the expertise nor the manpower to perform these tasks.

 

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Reader Terminal, Credit Card Security, Mobile Point of Sale, Payment Card Industry PCI Security, Point of Sale Tagged with: , , , , , , , , , , ,

September 18th, 2014 by Elma Jane

Americans love gift cards, but many of those pieces of plastic go partially or entirely unused. Some are lost or forgotten. Others simply are ignored once the balance drops to a few dollars or less.

A gift card’s unused value…known in industry parlance as spillage or breakage…long has meant big profits for the gift card industry .

But the Credit Card Accountability, Responsibility and Disclosure Act of 2009, better known simply as the Credit CARD Act, tightened rules on retailers, making it more difficult for stores to cancel unused cards or charge inactivity fees. That prevents retailers from quickly cashing in on breakage.

In addition, savvy consumers are catching on and appear to be finding ways to avoid losing breakage while getting the most out of their gift cards.

According to the most recent figures, about 1 percent of the total value of gift cards was predicted to go unused in 2013. That’s down from a record high of 10 percent in 2007. Some of the reduction in breakage is a result of growing cardholder realization that even though there’s only $2.12 on gift card, they got to find a way to use it.

However, even with the decline in breakage, around $1 billion worth of gift cards will be lost to fees and expiration dates or misplaced, shoved in a drawer or otherwise neglected this year. That’s a huge amount of money that consumers will not be able to use toward a new shirt, stuffed animal or bicycle.

Retailers love when people use gift cards because studies show that most customers spend more in the store than the card is worth. Breakage makes gift cards even more profitable: An estimated $127 billion in gift cards will be sold in 2014, even a small percentage of unused cards boost a company’s bottom line.

Those profits make it feasible for retailers to make some consumer-friendly moves, such as selling gift cards at a discount. However, most of the money goes toward other endeavors.

Wal-Mart may have a billion dollars (in unused gift cards) sitting there. Wal-Mart could go out and build 30 new superstores without borrowing a penny. They know those gift cards will come in eventually, but for now, they have the use of that money.

Ways to make sure you’re not ‘breakage’
The longer you let a card sit untapped, the less likely you are to use it. Here are eight ways to make sure your gift cards are not lost to breakage:

Give again. Instead of letting that last two bucks on a card go to waste, use it to make a donation. Stockpile cards and combine them into higher-value gift cards that are donated to the needy.

A Gift Card Giver founder, got the idea when he asked a group of acquaintances how many had unused gift cards sitting in their wallets. They literally started pulling out gift cards from their wallets, everyone had one.

The Gift Card Giver founder offered to redistribute the unused cards to the needy and a new nonprofit was born.

Give low-end cards as gifts. To make sure your gift card doesn’t languish in someone else’s wallet, consider purchasing cards at Walgreens and Wendy’s instead of Nordstrom and Saks. Practical gift cards, such as those for fast-food chains and discount retailers are used faster than cards to fine dining establishments and pricey department stores.

Corral your cards. Make sure you can quickly locate your cards by storing them all in the same place.

If you have too many cards to tuck into your wallet, stowing them in a durable plastic envelope. Or upgrade to a Card Cubby (about $24), which includes alphabetized tabs and is tiny enough to keep in a purse.

Plan your shopping ahead of time. Set up your e-mail program to send you a monthly reminder to use your gift cards. Think in terms of the week or month ahead, when will you be near the store? What items do you need there? Is there a gift you need for someone else? You are more likely to use the card if you know what you want ahead of time and can get in and out quickly.

Rethink general-purpose gift cards. Gift cards from credit card companies can be used anywhere you can use a credit card. But these cards also come with drawbacks.

Use-anywhere cards, known as open-loop cards  are more likely to come with startup fees and monthly inactivity fees that chip away at your balance. Many of these gift cards also include a valid through or good through date stamped on the front. Your card’s underlying value will not expire after that date, but you will have to call customer service for a replacement card, and that raises the risk that you will simply toss the card and your remaining balance.

Read the fine print. The CARD Act  prohibits gift card inactivity fees for the first year, and requires that gift cards cannot expire within five  years of when activated. State lawsmay extend additional gift card protections. That gives you a big, but not permanent cushion of time to use the cards.

Trade or sell your cards. If you get a card you know you will not use, a Hot Topic gift card, for instance, when you are more of an L.L.Bean type, use one of the many card-swapping and card-selling sites to get what you really want.

That is because with a Wendy’s and a Walgreens on practically every corner, such lower-end cards simply are more convenient to use. They also offer more value for your card. If you give a Wal-Mart gift card to your mailman, there are plenty of things to use it on.

Posted in Best Practices for Merchants, Gift & Loyalty Card Processing Tagged with: , , , , , , , , , , , , , , , , , , , ,

September 4th, 2014 by Elma Jane

EMV, which stands for Europay, MasterCard and Visa, and is slated to be mandated across the United States starting in October 2015 and automated fuel dispensers have until October 2017 to comply. Unlike magnetic swipe cards, EMV chip cards encrypt data and authenticate communication between the card and card reader. Additionally, chip card user is prompted for a PIN for authentication.

Why are those dates important? Companies lose $5.33 billion to fraud today, with card issuers and merchants incurring 63 and 37 percent of these losses, respectively. Under the EMV mandate, merchants who do not process chip cards will bear the burden of the issuer loss. By accepting chip card transactions, merchants and issuers should see a reduction in fraud.

Overcoming Barriers to EMV Adoption

Given the significant barriers to EMV adoption, it may be tempting for merchants to meet minimum requirements for accepting EMV payments. However, medium to large retailers should also consider the bigger picture of customer security and peace of mind.

Some key critical success factors for a payment initiative of this size include:

Business Continuity Architecture: As with all payment systems, it is imperative to have the EMV system running at all times. The solution should preferably have Active-Active architecture across multiple data centers and have a low Recovery Point Objective (the point in time to which the systems and data must be recovered after an outage).

Cost Benefit Analysis: Take a top down approach and decide accordingly on the scope of the analysis. This will ensure that decisions on scope are made on basis of quantitative data and not just qualitative arguments.

Phased Approach: To overcome time or cost overage in a project of this scope and complexity, retailers should try using an iterative approach for development. The rollout can be divided into multiple releases of six to seven months, which will provide the opportunity to review, capture lessons learnt, and improve subsequent releases.

Proactive Monitoring Alerts: Considering the criticality of business function carried out by EMV, tokenization and payment gateway, a vigorous supervising environment must be defined to perform proactive and reactive monitoring. It should take into consideration the monitoring targets, tools, scope and methods. This will provide advance visibility to the failure points and better ensuring maximum system availability.

Resilience Testing: Typically in a software project, the testing is limited to the unit, integration, performance and user acceptance. However, due to the critical nature of the applications and systems involved, robust resiliency testing is vital. This will ensure that there are no single points of failure and the system remains available when running in error conditions.

Stakeholder Identification: This is a key step to ensure that you have varied perspectives from all departments and their support. It will keep your organization from being blindsided and reduce the risk of disagreements in later stages of the program. Key stakeholders should include Store Operations, Card Accounting, Loss Prevention, Contact Center and IT & Data Security.

Organizations should adopt a five step approach to implement a secure, robust and industry-leading payment solution:

Encryption – Point to point encryption will ensure card data is secure and encrypted from the point of capture to the processor. Usually, merchants use data encryption that is not point to point, rendering their organization vulnerable to data breaches. Software encryption is the most common form of encryption, as it is easily installed and quires little or no hardware upgrades; however, it is less secure, may expose encryption keys, and is prone to memory scanning attacks. Hardware encryption is considered more secure but requires more costly terminal upgrades. Hardware encryption is designed to self-destruct the keys if tampered, but is not well-defined as very limited headway has been made in this space. 

Tokenization – Build a Card Data Environment (CDE) that will host a centralized card data storage solution. Only limited applications with firewall access and capability to mutually authenticate via certificates can access CDE and receive card data. The rest of the applications will have tokens which are random numbers. This architecture will ease the merchant’s burden with existing and emerging PCI Data Security Standards.

Payment Gateway – Perform a risk assessment on the current payment gateway and identify gaps in functionality, manageability, compliance, scalability, speed to market and best practices. Determine the alternatives to mitigate the risks. Some of the important aspects of a leading payment gateway solution are support for all forms of credit, debit, gift cards and check transactions. Its ability to work with any acquirer, in-built encryption abilities, support for settlement and reconciliation must also be kept into consideration.

Settlement, Funding and Reconciliation – A workflow-based system to handle chargebacks and the automation of chargeback processing will greatly reduce labor-intensive work and enhance the quality of data used for settlement and reconciliation. Upgrades to the existing receipt retrieval system may be needed.

Card fraud is on the rise in the U.S., and merchants are the primary target for stealing information. With the EMV deadline just over a year away, the responsible retailer must take steps to prepare now. Although EMV implementation might seem overwhelming to merchants, they should start their journey to secure payments rather than wait for a looming deadline. Solutions such as data encryption and tokenization should be used in combination with EMV to implement a robust payment solution to better protect merchants against fraud. By proactively adopting EMV payment solutions, merchants can stay ahead of the regulatory curve and better protect their customers from fraud.

 

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

August 21st, 2014 by Elma Jane

Package delivery giant UPS has become the latest company to admit that customer payment card details may be at risk after it discovered malware at 51 of its US stores. In a statement, UPS says that customers who used credit and debit cards at 51 of its 4470 franchised sites between 20 January and 11 August are at risk. Names, postal and email addresses and payment card information may all be compromised, but UPS says that it has no evidence of any fraud, and that the malware has now been eliminated. Earlier this month the US government took the step of putting out an alert warning retailers about a new family of malware, dubbed Backoff, targeting point-of-sale systems. The UPS Store, received a bulletin from the government among many other US retailers that made them aware of the problem. As soon as they became aware of the potential malware intrusion, they deployed extensive resources to quickly address and eliminate the issue. Customers can be assured that they have identified and fully contained the incident. US merchants have found themselves under siege from hackers in recent months, with the most notable case seeing thieves use a vendor’s credentials to infect POS devices with malware and steal the details of around 40 million Target customer cards.

Posted in Best Practices for Merchants, Credit Card Security Tagged with: , , , , , , , , , , , , , ,

August 8th, 2014 by Elma Jane

Visa Inc., the global leader in payments, is helping U.S. fuel retailers prevent credit and debit card fraud at the pump with intelligent analytics that identify higher-risk transactions that may be fraudulent. Visa Transaction Advisor uses sophisticated analytics based on the breadth and scale of VisaNet data to flag the riskiest transactions by working with fuel companies to understand their needs, creating a new service that builds on Visa’s predictive analytics capabilities, providing fuel merchants with more intelligence to prevent fraud and improve their bottom line. While global fraud rates across the Visa payment system remain near historic lows, less than 6 cents for every $100 transacted – fuel pumps can be targets for criminals because they are often self-service terminals. The new solution, Visa Transaction Advisor (VTA), enables merchants to use real-time authorization risk scores to identify transactions that could involve lost, stolen or counterfeit cards. A pilot test of the new service showed a 23 percent reduction in the rate of fraudulent transactions – all without costly infrastructure upgrades or disruption of the customer experience.

How It Works

After a cardholder inserts the card at the pump, Visa analyzes multiple data sets such as past transactions, whether the account has been involved in a data compromise and nearly 500 other pieces of data to create a risk score. This allows merchants to identify those transactions with a higher risk of fraud and perform further cardholder authentication before gas is pumped. The time and costs associated with resolving fraudulent transactions can be substantial for both merchants and financial institutions and inconvenient for cardholders, which is one of the reasons why fraud prevention is critical. Visa’s solution is easy to implement, using existing message fields and formats as well as pump software or hardware to ensure minimal impact to merchants and acquirers. Several fuel merchants who piloted the technology over the last several months noticed a decrease in fraud, without negatively impacting their consumers’ experience. VTA as a tool help mitigate fraudulent transactions. A 23 percent reduction in the rate of fraudulent chargebacks during a pilot program in Los Angeles. This was done with minimal impact to the customer experience, making secure payment at the pump as convenient as possible. Providing fuel to millions of customers each month through approximately 15,000 service stations in the United States, said US Credit Card Operations Manager, from Shell, considering new solutions and technology it has to have a clear business benefit, be customer-centric and easy to implement. With no infrastructure investment, testing VTA as part of proactive fraud prevention tool-set to better identify fraudulent card activity earlier in the transaction cycle, without inconveniencing customers.

Visa Transaction Advisor is available to merchants through participating U.S. acquirers. Visa has partnered with Vantiv and is also working with other acquirers to offer the service to its fuel clients. Ease of implementation is a critical requirement whenever talking about a new merchant service. Visa Transaction Advisor builds on existing payment infrastructure, is easy to implement and flexible enough to allow customization by merchants.

 

Posted in Credit Card Security, EMV EuroPay MasterCard Visa, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , ,

August 7th, 2014 by Elma Jane

8706521946_cfbc9e0e6f_o

Recent high-profile cyberattacks at retail giants like Target and Neiman Marcus have highlighted the importance of protecting your business against point-of-sale (POS) security breaches. Often, the smallest merchants are the most vulnerable to these types of cyberthreats. The latest of these POS attacks is known as Backoff, a malware with such brute force that the U.S. Department of Homeland Security (DHS) has gotten involved. The DHS recently released a 10-page advisory that warns retailers about the dangers of Backoff and tells them how they can protect their systems. Backoff and its variants are virtually undetectable low to zero percent by most antivirus software, thus making it more critical for retailers to make sure their networks and POS systems are secure.

How Backoff works

Backoff infiltrates merchant computer systems by exploiting remote desktop applications, such as Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2 and LogMeIn, among others. Attackers then use these vulnerabilities to gain administrator and privileged access to retailer networks. Using these compromised accounts, attackers are able to launch and execute the Backoff malware on POS systems. The malware then makes its way into computer and network systems, gathers information and then sends the stolen data to cybercriminals. The advisory warns that Backoff has four capabilities that enable it to steal consumer credit card information and other sensitive data: scraping POS and computer memory, logging keystrokes, Command & Control (C2) communication, and injecting the malware into explorer.exe. Although Backoff is a newly detected malware, forensic investigations show that Backoff and its variants have already struck retailers three times since 2013, the advisory revealed. Its known variants include goo, MAY, net  and LAST.

Prevent a Backoff attack

To mitigate and prevent Backoff malware attacks, the DHS’ recommendations include the following:

Configure network security. Reevaluate IP restrictions and allowances, isolate payment networks from other networks, use data leakage and compromised account detection tools, and review unauthorized traffic rules.

Control remote desktop access. Limit the number of users and administrative privileges, require complex passwords and two-factor authentication, and automatically lock out users after inactivity and failed login attempts.

Implement an incident response system. Use a Security Information and Event Management (SIEM) system to aggregate and analyze events and have an established incident response team. All logged events should also be stored in a secure, dedicated server that cannot be accessed or altered by unauthorized users.

Manage cash register and POS security. Use hardware-based point-to-point encryption, use only compliant applications and systems, stay up-to-date with the latest security patches, log all events and require two-factor authentication.

 

Posted in Point of Sale Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

June 4th, 2014 by Elma Jane

Zavers, the online coupon program that was launched through Google 17 months ago, is just going to be one of those things that didn’t work out. Google announced yesterday that it is pulling the program, due to lack of interest. Zavers allowed users to clip coupons online and use them in-store. It was intended to help merchants’ build more targeted and effective loyalty and reward programs.

Zavers was basically a coupon program tied with the merchant point-of-sale system. The integration process with the POS systems were proving to be challenging and retailers were not too keen on sharing their data with Google.

Google has said it will continue to work closely with users through the transition away from Zavers and that it continues to move forward with greater focused on more successful areas of their initial entrance into payments such as product listing ads, Google Shopping Express and Google Wallet.

Posted in Uncategorized Tagged with: , , , , , , , , , , , , , ,

May 29th, 2014 by Elma Jane

A point-of-sale facial recognition system that uses NFC to help combat card fraud has been created during a recent company hack-a-thon, together with a group of engineers and designers from Logic PD. Hackathon was an opportunity for experts to explore the possibilities of useful solutions to today’s challenges, with the recent significant breaches in security at leading retailers, the need for this type of solution is particularly meaningful.

The solution, is a multi-modal security platform for card purchases, uses NFC authentication combined with camera imaging to protect users. When users make a mobile payment at the point of sale, the kiosk snaps a picture of the purchaser. This image can be incorporated via the cloud into the user’s digital transactional record, which was stored and distributed via SeeControl in this example, allowing users to identify who made each purchase, and easily identify those that are fraudulent even before banks and financial institutions.

Posted in Credit Card Security, Mobile Payments, Mobile Point of Sale, Point of Sale, Smartphone Tagged with: , , , , , , , , , , , , , , , ,

May 23rd, 2014 by Elma Jane

State senate in California is advancing a bill SB 1351, mandates April 1, 2016, that would require California-based bankcard issuers and retailers to adopt Europay/MasterCard/Visa (EMV) chip card technology. SB 1351 bill is introduced March of 2014, passed out of committee on May 6 and may be voted on by the full senate as early as tomorrow, May 22nd.

Additionally, the bill specifies that any contracts entered into by financial institutions and card brands on or after Jan. 1, 2015, would have to include the provision that any new or replacement cards issued after April 1, 2016, be EMV compliant. The rationale for the bill comes from oft-cited evidence that EMV cards substantially reduce fraud.

In April 2014, Sen. Hill stated, My legislation holds all stakeholders accountable to protect consumers from scam artists who use fake cards to game the system.

The Electronic Transactions Association, however, does not see the issue the same way. Passing a single state technology standard will open the floodgate to additional state responses and create an expensive, unsafe and inefficient myriad of technology standards, the ETA said. The ETA is urging payment professionals in California to contact their legislators and let their opinions be heard.

The bill initially mandated Oct. 1, 2015, as the deadline for EMV implementation, which is the date set by Visa Inc. and MasterCard Worldwide for retailers to be EMV complaint or face potential fines in case of fraud. The bill also makes exceptions for small retailers and convenience stores/gas stations; they have until Oct. 1, 2017, to transition to EMV.

 

 

Posted in Best Practices for Merchants, Credit card Processing, EMV EuroPay MasterCard Visa Tagged with: , , , , , , , , , , , , , , , , , , , , ,