August 11th, 2014 by Elma Jane
Tokenization technology has been available for several years to keep payment card and personal data safer, but it has never had the attention it is getting now in the wake of high-profile breaches. Still, merchants, especially smaller ones, haven’t necessarily caught on to the hacking threat or to how tools such as tokenization limit exposure. That gap in understanding places ISOs and agents in an important place in the security mix: it’s their job to get the word out to merchants about the need for tokenization. That can begin with explaining what it is.
The biggest challenge that ISOs will see, and are already seeing, is the lack of awareness of the threats affecting that business sector. Data breaches are happening at small businesses, and even merchants who get past the point of accepting that they are at risk have no clue what to do next. Tokenization converts payment card account numbers into unique identification symbols for storage or for transactions through payment mechanisms such as mobile wallets. It’s complex, and not enough ISOs understand it, even though it represents a potential revenue producer. The industry as a whole is also confused over tokenization standards and how to deploy and govern them.
ISOs presenting tokenization to merchants should echo what security experts and the Payment Card Industry Security Council often say about the technology: it’s a needed layer of security to complement EMV cards. EMV takes care of the card-present counterfeit fraud problem, while tokenization deters hackers from pilfering data from a payment network database. The Target data breach during the 2013 holiday shopping season haunts the payments industry. If Target’s card data had been tokenized, it would have been worthless to the criminals who stole it. It wouldn’t have stopped malware access to the database, but it would have been as though criminals breaking into a bank vault found, instead of piles of cash, poker chips that only an authorized user could cash at a specific bank.
A database full of tokens has no value to criminals on the black market, which reduces risk for merchants. Unfortunately, small merchants have not accepted the idea, or the reality, that malware is attacking their point of sale and that they are being exposed. That’s why ISOs should determine the level of need for tokenization in their markets. It is always the responsibility of those who are interacting with the merchant to have the knowledge for the market segment they are in. If you are selling to dry cleaners, you probably don’t need to know much about tokenization, but if you are selling to recurring billing or e-commerce merchants, you probably need a lot more knowledge about it.
Tokenization is critical for some applications in payments. Any sort of recurring billing that stores card information should be leveraging some form of tokenization. Whether the revenue stream comes directly from tokenization services or is bundled into the overall payment acceptance product is not the most important factor. The point is that being able to tokenize the card number in recurring billing is an important value to the merchant. But ISOs sell tokenization products against a confusing backdrop of standards developed for different forms of tokenization. EMVCo, which the card brands own, establishes guidelines for EMV chip-based smart card use. It’s working on standards for “payment” tokenization with The Clearing House, which establishes payment systems for financial institutions. Both entities were working on separate standards until The Clearing House joined EMVCo’s tokenization working group to determine similarities and whether one standard could cover the needs of banks and merchants.
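The recurring-billing case described above, as an added example that is not part of the original post: a vault-style tokenizer in which the merchant database holds only tokens and only the processor can exchange a token for the card number. The `TokenVault` class, the `tok_` token format, the `processor` role name and the sample data are assumptions made for illustration and follow no particular tokenization standard.

```python
import secrets

def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    digits = [int(c) for c in number]
    # Double every second digit from the right; subtract 9 when the result exceeds 9.
    for i in range(len(digits) - 2, -1, -2):
        digits[i] = digits[i] * 2 - 9 if digits[i] > 4 else digits[i] * 2
    return sum(digits) % 10 == 0

class TokenVault:
    """Hypothetical token service: the only place where token -> PAN mappings exist."""

    def __init__(self):
        self._by_token = {}
        self._by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid card number")
        if pan in self._by_pan:           # the same card always maps to the same token
            return self._by_pan[pan]
        while True:
            # Random token: there is no key or algorithm that turns it back into the PAN.
            token = "tok_" + secrets.token_hex(8) + "_" + pan[-4:]
            if token not in self._by_token:
                break
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str, caller: str) -> str:
        # Only the (assumed) processor role may exchange a token for the PAN.
        if caller != "processor":
            raise PermissionError("caller may not detokenize")
        return self._by_token[token]

def enroll_subscription(vault, merchant_db, customer_id, pan):
    """Merchant side of recurring billing: store the token, never the PAN."""
    merchant_db[customer_id] = vault.tokenize(pan)
    return merchant_db[customer_id]

# Constructed sample data: 4111111111111111 is a widely used test card number.
vault = TokenVault()
merchant_db = {}
enroll_subscription(vault, merchant_db, "cust-001", "4111111111111111")
```

A copy of `merchant_db` taken by an intruder contains only the token and the last four digits; the mapping back to the card number lives in the vault, which sits outside the merchant's systems.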
August 7th, 2014 by Elma Jane
Recent high-profile cyberattacks at retail giants like Target and Neiman Marcus have highlighted the importance of protecting your business against point-of-sale (POS) security breaches. Often, the smallest merchants are the most vulnerable to these types of cyberthreats. The latest of these POS attacks is known as Backoff, a malware with such brute force that the U.S. Department of Homeland Security (DHS) has gotten involved. The DHS recently released a 10-page advisory that warns retailers about the dangers of Backoff and tells them how they can protect their systems. Backoff and its variants are virtually undetectable by most antivirus software, with detection rates of low to zero percent, which makes it all the more critical for retailers to make sure their networks and POS systems are secure.
How Backoff works
Backoff infiltrates merchant computer systems by exploiting remote desktop applications, such as Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2 and LogMeIn, among others. Attackers then use these vulnerabilities to gain administrator and privileged access to retailer networks. Using these compromised accounts, attackers are able to launch and execute the Backoff malware on POS systems. The malware then makes its way into computer and network systems, gathers information and then sends the stolen data to cybercriminals. The advisory warns that Backoff has four capabilities that enable it to steal consumer credit card information and other sensitive data: scraping POS and computer memory, logging keystrokes, Command & Control (C2) communication, and injecting the malware into explorer.exe. Although Backoff is a newly detected malware, forensic investigations show that Backoff and its variants have already struck retailers three times since 2013, the advisory revealed. Its known variants include goo, MAY, net and LAST.
Prevent a Backoff attack
To mitigate and prevent Backoff malware attacks, the DHS’ recommendations include the following:
Configure network security. Reevaluate IP restrictions and allowances, isolate payment networks from other networks, use data leakage and compromised account detection tools, and review unauthorized traffic rules.
Control remote desktop access. Limit the number of users and administrative privileges, require complex passwords and two-factor authentication, and automatically lock out users after inactivity and failed login attempts.
Implement an incident response system. Use a Security Information and Event Management (SIEM) system to aggregate and analyze events and have an established incident response team. All logged events should also be stored in a secure, dedicated server that cannot be accessed or altered by unauthorized users.
Manage cash register and POS security. Use hardware-based point-to-point encryption, use only compliant applications and systems, stay up-to-date with the latest security patches, log all events and require two-factor authentication.
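One way to act on the failed-login and event-aggregation recommendations above, as an added example that is not taken from the DHS advisory or the original post: a script that flags bursts of failed Remote Desktop logons and notes when a successful logon from the same address follows. It assumes Windows Security events exported as CSV lines (event 4625 is a failed logon, 4624 a successful one, logon type 10 is Remote Desktop); the function name, thresholds, field layout, events and addresses are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of exported Windows Security events (not real data):
# timestamp, event ID, logon type, source IP, account
SAMPLE_EVENTS = """\
2014-08-07T02:14:01,4625,10,203.0.113.7,administrator
2014-08-07T02:14:09,4625,10,203.0.113.7,administrator
2014-08-07T02:14:16,4625,10,203.0.113.7,admin
2014-08-07T02:14:22,4625,10,203.0.113.7,pos1
2014-08-07T02:14:30,4625,10,203.0.113.7,pos1
2014-08-07T02:14:41,4624,10,203.0.113.7,pos1
2014-08-07T09:02:11,4625,10,198.51.100.20,manager
2014-08-07T09:02:40,4624,10,198.51.100.20,manager
2014-08-07T09:30:00,4624,2,-,cashier
"""

FAILED, SUCCESS, REMOTE_INTERACTIVE = "4625", "4624", "10"

def detect_rdp_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for source IPs with >= threshold failed RDP logons inside window.

    Events must be in chronological order. Each alert records the first account
    that logged on successfully from the same IP afterwards, which is the case
    an incident response team should triage first.
    """
    recent = defaultdict(deque)   # source IP -> timestamps of recent failures
    alerts = {}                   # source IP -> alert dict
    for line in text.strip().splitlines():
        ts, event_id, logon_type, ip, account = line.split(",")
        if logon_type != REMOTE_INTERACTIVE:
            continue              # console and service logons are out of scope
        when = datetime.fromisoformat(ts)
        if event_id == FAILED:
            q = recent[ip]
            q.append(when)
            while when - q[0] > window:
                q.popleft()       # forget failures older than the window
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "first_seen": q[0], "failures": len(q),
                              "logon_after_failures": None}
            elif ip in alerts:
                alerts[ip]["failures"] += 1
        elif event_id == SUCCESS and ip in alerts:
            if alerts[ip]["logon_after_failures"] is None:
                alerts[ip]["logon_after_failures"] = account
    return list(alerts.values())
```

On the sample, the single mistyped password from 198.51.100.20 stays below the threshold, while 203.0.113.7 produces one alert that names `pos1` as the account to investigate.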
January 2nd, 2014 by Elma Jane
Online consumers generate an avalanche of data. Companies such as Amazon and Target have used Big Data for years. It’s the secret behind their highly personalized product recommendations and email promotions.
The good news is that smaller companies can use the power of Big Data in their businesses, too. But just because you can gather tons of data doesn’t mean you should. For most small-to-midsize businesses, trying to harness Big Data can sometimes do more harm than good. It can slow down your website and cost time and money.
To make effective data-driven decisions in your business, control the types of information you collect. Focus only on the metrics that truly affect conversion rates and ignore the ones that don’t have much of an impact.
Tracking raw ad impressions regardless of whether they yield clicks or conversions is an example of monitoring low-impact data. The same thing goes for blindly monitoring Facebook Likes or Klout scores. Stop wasting resources on metrics like these. Devote your efforts to the data points that count.
Here are the most important ones for e-commerce merchants.
Number of Site Visitors and Where They’re Coming From
Online marketing is rarely cheap and quick. You have to determine the best strategies to spend resources on. There are several free and easy-to-use tools that can provide this information.
Google Analytics is an excellent tool that gives you insights on your traffic and traffic sources. To go deeper, such as which specific newsletter or which Facebook update sent visitors to your site, you can create Custom Campaigns and add special URL tags for each campaign. This lets you drill down on the specific source for your referral traffic.
Also, set up your online campaigns so that they are easy to monitor. For example, having a different landing page for each guest post will allow you to quickly see which ones are sending traffic. Or, for social media, you can publish updates using a simple tool like Buffer so you can monitor clicks from each post.
Sales and Beyond
Tracking your sales is key. Aside from looking at your basic sales numbers, compute your average order value and compare it with your marketing and advertising budget. Viewing how much you’re spending on each customer versus how much they’re spending on you will help create the right budget for customer acquisition and retention.
Beyond gross sales, monitor item returns to obtain the net sales volume. Determine also the reasons behind refunds and exchanges to improve your merchandise.
Also, track sales from promotional offers, to know what promos or discounts to provide in the future. If, for example, you used a loss leader to attract customers into your store, closely monitor overall sales based on that offer to see if it generated profits.
Knowing this sales data will enable you to send out tailored promotions to users. And if you can combine those insights with other data, such as the time they usually buy from you or what device they use, you’ll be able to optimize your campaigns for maximum conversions.
What Visitors Are Doing on your Site
Tracking the pages that users viewed, the actions they took, and their exit points can give you tremendous insights about your site and your visitors. Analyzing these things will tell you which aspects of your site need improvement.
For example, say you discovered that while shoppers are clicking the “add to cart” button, most leave before they provide their credit card details. This could mean that there’s something wrong with your checkout page. Perhaps it’s confusing or you need a stronger guarantee. Regardless, you won’t be able to identify the problem if you don’t track what’s going on.
How you track user behavior will depend on what you want to measure. If you want to track your exit traffic, for example, add outbound link-tracker code to your website. For WordPress sites, this can easily be done using the Ultimate Google Analytics plugin.
On the other hand, if you want to track how users react to specific site elements (such as buttons, text size, forms, and other key elements), use heat maps that give you a visual representation of user behavior. Crazy Egg offers a solution for this. It enables you to see how people are behaving on each page.
October 22nd, 2013 by Elma Jane
The best place to start understanding your customer is to put yourself into every step of a buying cycle and analyze what influences various purchase decisions.
Who is your customer?
Start with basic demographics, which usually include the following:
Age range, education level, gender, income level, location, marital status, profession.
Many of these basic demographics can be inferred from your interactions with customers. In many cases, you can simply ask them.
Beyond the basics, you will also benefit from more personal data, such as the following:
Interests, activities, political affiliation.
That data is harder to access, but there are databases that will allow you to target individuals based on those criteria. Facebook’s ad platform provides an incredible amount of targeting data. You can infer your customer profiles by the types of results you get by running ads aimed at specific target markets. That will help identify the interests of your customers.
What? Consider what consumers need to know about a product to make a purchase.
Are there ongoing costs?
Does it need anything else to make it work?
How big is it?
How does it function?
How long will it last?
How much does it cost?
Is there a warranty?
What are its specs?
What does it look like?
What options are there?
What sizes and colors are available?
To find those details, shoppers will seek different sources: articles, websites, blogs, and actually looking at products and trying them on. Make sure you understand the “what” questions for your products. Then, provide answers to those questions.
Why? The “why” questions are important. Do you know why your customers buy your products?
It could be for the following reasons.
Address an immediate need or desire.
Loyal to a particular brand or store.
Need flexibility to return products.
Need product occasionally or on a regular schedule.
Purchase because product is cool or trendy.
Seek bargains.
Seek high-quality products.
Seek little or no shipping or sales tax.
Seek the lowest price possible.
Shop around every time they buy.
Answers will surely vary. Consider also what motivates your customers to purchase the products you sell, and why they purchase them from your company rather than from your competitor. This will help you refine your value proposition: why shoppers choose your company.
How? This area is the most significant change in a consumer’s shopping cycle. As recently as 15 years ago, most product research was done in stores or catalogs or magazines. Today, product research is done in many ways. In the living room, in the boardroom, at the hospital, you name it. Most shoppers start their search at Amazon.com or on Google by searching on a product.
Many searches start with an opportunistic email promoting a product. From there, we may find the shopper looking at the item on that store’s website.
Consumers likely check product reviews from other consumers. They may read professional reviews. They may browse the Internet on a smartphone.
The point is to understand your customer’s research process. It will vary widely. But in many cases it’s something like this.
An event triggers an interest in a product.
Check other brands or alternative products.
Conduct research by looking at a product’s pictures, reading descriptions.
Evaluate the product’s real value, and eventually make a purchase decision.
Narrow your selection and shop for price.
Seek out reviews or ask friends.
Where? That leads us to where customers are researching. They could be reading relevant blogs, going to brick and mortar stores, checking comparison shopping engines, and reading trade publication articles. They may be looking at Pinterest boards, Facebook posts, and checking with their network of friends on Twitter.
They will be using tablets (increasingly the shopper’s preference), smartphones, laptops, desktops, and Xboxes, as well as making store visits.
Can an ecommerce merchant be in all of these places with its message? Likely not. But you can identify where your customers are looking for information as they move through their cycle and try to make sure you are seen. You can also ensure that your messaging and content are mobile friendly.
To compete in the future, your store needs to provide input and information to support all those steps. If you lack reviews, your customers will seek them out elsewhere.
Most ecommerce merchants can describe their customers in a general way. They likely know basic demographics – age range, gender, income level. But do they understand the “why, where, when, and how” of their customers’ purchases? These basic tenets of marketing are more important than ever.
The buying process has never been more complex. Consumers have hundreds of places online to purchase products that meet their needs. They may shop at home, at work, in the grocery store. They may be using an Android phone, an iPhone, or an Xbox.