Archive for the ‘fraud protection’ Category

Are we allowed to ask donors to provide their CVV number in a mailing?

Friday, November 18th, 2011

This is a great question. Should non-profits have a CVV field on their mail-order donor response cards? Reading the 2011 Visa Card Acceptance Guidelines for Visa Merchants, it is still open to interpretation whether to ask for the CVV on mailings. Here are the official excerpts:

General Card-Absent Transaction Procedures

Pg 46 “Always ensure that, at a minimum, you collect the following details from your customer:

  • The card account number
  • The name as it appears on the card
  • The card expiration date as it appears on the card
  • The cardholder’s statement address”

Pg 46 “If you are taking an order through the mail or via a fax:

  • Obtain a signature on the order form.
  • Always retain a copy of the written order.
  • Get proof of delivery”

Pg 48 “A cardholder’s CVV2 may never be stored as a part of order information or customer data. The storage of CVV2 is strictly prohibited subsequent to authorization.”

“An initial, or set-up, recurring transaction should be processed the same as any MO/TO or Internet transaction. If set up by mail or telephone, you should submit both AVS* and CVV2** queries with the authorization.

The sales receipt for an initial recurring transaction must include the following information:

  • The phrase “recurring transaction”.
  • The frequency of the charges.
  • The period of time the cardholder has agreed to for the charges.”

[Image: CVV2 authorization indicator table]

* In certain markets, CVV2 is required to be present for all card-absent transactions. ** In some markets, if the transaction is approved but the CVV2 response is a no match, the merchant is protected against fraud chargebacks.

In summary, the merchant can leave the CVV off the mailing and reduce risk, but should then use the correct indicator for authorizations: “You have chosen not to submit CVV2.”

If the merchant has a history of mail order fraud, then the merchant may want to collect the CVV2 using a lockbox service to reduce risk. If the merchant is retaining response cards, then the response card should be designed so that the CVV can easily be detached after the initial authorization and securely shredded. If the response card is scanned, the fields with sensitive data must not be included in the scan.

Please note PCI DSS compliance rules always take precedence over individual card network rules.

See also: new 2011 card-absent receipt requirements.

 

CenPOS update leverages new CVV rule for magnetic stripe failures

Tuesday, November 1st, 2011


CenPOS, a fast-growing payment processing technology, released a new feature for merchants to enable the automatic collection of CVV at the point of sale for key entered transactions, including after a failed magnetic stripe read. The update supports the new Visa rule for card present transactions.

Effective October 15, 2011, merchants that prompt for and validate the Card Verification Value 2 (CVV) on any Visa CPS Key Entry transaction (not to be confused with CPS Card-Not-Present) will no longer be required to take an imprint of the card to prove that the consumer was present at the time of the transaction. More importantly, merchants that implement this new procedure will no longer be liable for chargeback reason code 81 (Fraud, Card-Present Environment).

The CenPOS privilege in the Virtual terminal can be dynamically enabled or disabled by the merchant administrator. When enabled, the Virtual Terminal will automatically prompt for the CVV on any and ALL manually entered transactions. If in a retail environment with an attached signature capture terminal, the customer will still be prompted for their signature as usual.

[Image: CVV prompt for key entered face-to-face transaction]

About CenPOS
“Creating efficiencies through payment innovation”

Founded in 2009, Miami-based CenPOS is a payment technology provider. CenPOS is committed to providing its customers and partners with innovative solutions for today’s rapidly evolving consumer payment choices.

CenPOS is an intelligent payment-processing network that streamlines the payment experience for businesses and consumers by using state-of-the-art technology to replace inefficient, outdated payment systems. The network reflects the core values that drive the experienced and innovative CenPOS team: Simplicity, Scalability, Security and a holistic approach to payment processing strategies.

CenPOS provides solutions to a range of organizations including but not limited to retail, card not present merchants, automotive dealers, professional services and academic institutions; special programs are also available for non-profits.

Christine Speedy direct (954) 942-0483

New Card Acceptance Process for Magnetic-Stripe Failures at the Point of Sale

Tuesday, November 1st, 2011

Currently when the magnetic stripe fails during a face-to-face transaction, the merchant key enters the account number and must manually imprint the card to prove the card was present during the transaction for protection against fraud chargebacks. Effective for new transactions processed on or after October 15, 2011, merchants may include Card Verification Value 2 (CVV2) in the authorization request for Visa U.S. Domestic key entered face-to-face transactions when the magnetic stripe cannot be read by the terminal.

In order to qualify for chargeback protection against reason code 81 “Fraud-Card Present” the transaction must meet the following criteria:

  • Authorization Approval
  • U.S. Domestic Transaction
  • Card Present with magnetic stripe failure only
  • Transaction was key entered
  • CVV2 was included in the authorization request
  • Signature obtained on the sales draft and retrieval request properly fulfilled

The following transaction types are excluded from the chargeback protection:

  • Quasi Cash
  • Cash Back
  • Manual Cash Disbursement
  • Betting, including lottery tickets
  • Casino Gaming Chips
  • Off-Track Betting and Wagers at a Race Track
  • Visa International transactions

These merchants must continue to obtain an imprint of the card when the magnetic stripe cannot be read by the terminal for the protection against fraud chargebacks.
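The decision logic behind the CenPOS update above and the Visa criteria in this post, as an added example (not CenPOS or Visa code): a small checker that reports which reason code 81 criteria a key-entered transaction fails, and a constructed model of the Virtual Terminal privilege that decides whether the merchant still needs a manual imprint. Field names and the transaction-type labels are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Transaction types the post lists as excluded from the protection (labels constructed).
EXCLUDED_TYPES = {
    "quasi_cash", "cash_back", "manual_cash_disbursement", "betting",
    "casino_gaming_chips", "off_track_betting", "visa_international",
}
RULE_EFFECTIVE = "2011-10-15"   # ISO date; string comparison works for yyyy-mm-dd


@dataclass(frozen=True)
class KeyedTransaction:
    txn_date: str                 # ISO yyyy-mm-dd
    approved: bool                # authorization approval
    domestic_us: bool             # U.S. domestic transaction
    card_present: bool
    stripe_read_failed: bool      # terminal could not read the magnetic stripe
    key_entered: bool
    cvv2_sent: bool               # CVV2 included in the authorization request
    signature_on_draft: bool      # signature obtained on the sales draft
    retrieval_fulfilled: bool = True   # retrieval request properly fulfilled
    transaction_type: str = "retail_sale"


def reason_code_81_gaps(t: KeyedTransaction) -> List[str]:
    """Return every unmet criterion; an empty list means the transaction
    qualifies for protection against reason code 81 (Fraud, Card-Present)."""
    gaps: List[str] = []
    if t.txn_date < RULE_EFFECTIVE:
        gaps.append("processed before the 15 Oct 2011 effective date")
    if not t.approved:
        gaps.append("authorization not approved")
    if not t.domestic_us:
        gaps.append("not a U.S. domestic transaction")
    if not (t.card_present and t.stripe_read_failed):
        gaps.append("not a card-present magnetic stripe failure")
    if not t.key_entered:
        gaps.append("transaction not key entered")
    if not t.cvv2_sent:
        gaps.append("CVV2 not included in the authorization request")
    if not (t.signature_on_draft and t.retrieval_fulfilled):
        gaps.append("signature not obtained or retrieval request not fulfilled")
    if t.transaction_type in EXCLUDED_TYPES:
        gaps.append(f"excluded transaction type: {t.transaction_type}")
    return gaps


def imprint_required(t: KeyedTransaction) -> bool:
    """The old imprint procedure still applies whenever the protection does not."""
    return bool(reason_code_81_gaps(t))


@dataclass
class VirtualTerminal:
    """Constructed model of the privilege described in the post: when enabled,
    every manually keyed transaction prompts for CVV2 and sends it with the auth."""
    cvv_prompt_enabled: bool = True

    def key_entry_after_stripe_failure(self, cvv2_supplied: Optional[str], txn_date: str,
                                       approved: bool = True, domestic_us: bool = True,
                                       signature: bool = True,
                                       transaction_type: str = "retail_sale") -> dict:
        # CVV2 is only collected and sent when the administrator enabled the prompt.
        cvv2_sent = self.cvv_prompt_enabled and bool(cvv2_supplied)
        txn = KeyedTransaction(txn_date, approved, domestic_us, True, True, True,
                               cvv2_sent, signature, transaction_type=transaction_type)
        return {"cvv2_prompted": self.cvv_prompt_enabled,
                "imprint_required": imprint_required(txn),
                "gaps": reason_code_81_gaps(txn)}
```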

How can a merchant perform a Zero Dollar Authorization on a credit card to validate if it’s good?

Wednesday, September 21st, 2011

Have you ever needed to check if a credit or debit card is valid, but you don’t want to authorize or charge yet? We’ve added a new feature for our CenPOS Virtual Terminal called Positive Card. CenPOS will go out to the networks with a zero authorization amount to validate the card with the issuer prior to being stored.

REVIEW OF ENCRYPTED PAYMENT STORAGE OPTIONS NOW AVAILABLE:
Positive Card- Validates the card. The merchant sees whether the CVV, address and zip code pass the fraud check and decides whether the answers are acceptable before storing. Why would you accept a card if it doesn’t pass everything? Only Canada and the UK participate in AVS check; if you know your customer, you may wish to allow the card anyway. This feature allows you to enter a card, then make an educated decision as to whether you want to store it for recurring billing.
Repeat Sale- Offered for check/ACH and credit/debit. Process a transaction and it creates a new token to use for future sales transactions. CVV not allowed per PCI Compliance. Later, check the Token Box, enter the Token ID, amount and invoice #. That’s it.
Recurring Payments Module: Offered for check/ACH and credit/debit. Set up client contracts and store multiple cards, payors, and payment methods for a single account. Regardless of where a token was issued (resale, recurring, positive etc) the token is the same for all.
Securely store any payment type for variable amount token billing or fixed recurring billing.

FAQ:
How do I get this feature? Administrators log in to the Virtual Terminal and turn it on for each user who should have access. (This also applies to the other options.)
Will this also validate checks? No, it resides in the credit/debit section only. If you have a need, let us know.
Are there fees? Yes. As of 6/14/11, MasterCard charges $.03 for this service, effective with its announcement to support zero auth address verification (AVS), card verification code 2 (CVC 2) validation or both. Expect similar fees on all networks now or in the future. Standard CenPOS per transaction fees apply.
Can we use tokens for the EBPP/ E-invoice service? Not yet, but it’s in development. Currently customers will click the email and enter payment information for each invoice.

The tools are in place for you to eliminate faxed authorization forms that expose payment data and to reduce PCI Compliance scope. If you need help using the features or delivering the token approval form to your clients for signature, please do not hesitate to call.
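The Positive Card flow described here and the mail-order rule from the first post (submit AVS and CVV2 with the authorization, never store CVV2 afterwards), as an added example that is not CenPOS or Visa code: a zero-dollar validation against a constructed issuer stand-in, a policy decision on the AVS/CVV2 results, and a token vault that refuses any record still carrying CVV2. The class names, the presence-indicator codes and the issuer simulation are assumptions made for this example, not a processor's real wire values.

```python
from dataclasses import dataclass, field, replace
from typing import Dict, Optional

# Presence-indicator labels follow the post; the code values are constructed.
CVV2_PRESENT = "1"        # CVV2 value submitted with the authorization
CVV2_NOT_SUBMITTED = "0"  # "You have chosen not to submit CVV2"


@dataclass(frozen=True)
class Card:
    pan: str
    name: str             # name as it appears on the card
    expiry: str           # MMYY as it appears on the card
    statement_zip: str    # from the cardholder's statement address (AVS)
    cvv2: Optional[str] = None   # held in memory for the auth only, never stored


@dataclass(frozen=True)
class AuthRequest:
    amount_cents: int     # 0 for a Positive Card (zero-dollar) validation
    pan: str
    expiry: str
    avs_zip: str
    cvv2: Optional[str]
    cvv2_indicator: str


@dataclass(frozen=True)
class AuthResponse:
    approved: bool
    avs_match: bool
    cvv2_match: Optional[bool]   # None when CVV2 was not submitted


def build_auth_request(card: Card, amount_cents: int) -> AuthRequest:
    """Submit AVS and CVV2 with the authorization; when the merchant chose not
    to collect CVV2, say so explicitly through the indicator."""
    indicator = CVV2_PRESENT if card.cvv2 else CVV2_NOT_SUBMITTED
    return AuthRequest(amount_cents, card.pan, card.expiry,
                       card.statement_zip, card.cvv2, indicator)


class FakeIssuer:
    """Constructed stand-in for the card network: knows exactly one card."""
    def __init__(self, pan: str, zip_code: str, cvv2: str) -> None:
        self._pan, self._zip, self._cvv2 = pan, zip_code, cvv2

    def authorize(self, req: AuthRequest) -> AuthResponse:
        approved = req.pan == self._pan
        avs = approved and req.avs_zip == self._zip
        cvv = None if req.cvv2 is None else (approved and req.cvv2 == self._cvv2)
        return AuthResponse(approved, avs, cvv)


@dataclass
class TokenVault:
    """Stores payment records for token or recurring billing. CVV2 must never land here."""
    records: Dict[str, Card] = field(default_factory=dict)

    def store(self, token: str, card: Card) -> Card:
        if card.cvv2 is not None:
            raise ValueError("CVV2 may not be stored subsequent to authorization")
        self.records[token] = card
        return card


def validate_and_store(card: Card, issuer: FakeIssuer, vault: TokenVault,
                       token: str, require_avs: bool = True) -> Optional[str]:
    """Positive Card flow: zero-dollar authorization, merchant policy on the
    results, then persist a CVV2-free copy. Returns the token, or None if rejected.
    require_avs=False models "if you know your customer, allow the card anyway"."""
    resp = issuer.authorize(build_auth_request(card, 0))
    if not resp.approved or resp.cvv2_match is False:
        return None
    if require_avs and not resp.avs_match:
        return None
    vault.store(token, replace(card, cvv2=None))   # purge CVV2 before storage
    return token
```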

 

Visa Announces U.S. Participation in Global Point-of-Sale Counterfeit Liability Shift

Tuesday, August 9th, 2011

Visa is announcing plans to accelerate the migration to contact chip and contactless EMV chip technology in the U.S. The adoption of dual-interface chip technology will help prepare the U.S. payment infrastructure for the arrival of Near Field Communication (NFC)-based mobile payments by building the necessary infrastructure to accept and process chip transactions.

Not only will chip technology accelerate mobile innovations, it is also expected to enhance payment security through the use of dynamic authentication. Chip technology greatly reduces a criminal’s ability to use stolen payment card data by introducing dynamic values for each transaction. Even if payment card data is compromised, a counterfeit card would be unusable at the point of sale (POS) without the presence of the card’s unique elements. By eliminating static authentication, we reduce the value of stolen cardholder data, benefiting all stakeholders.

Visa’s plan includes merchant incentives to upgrade to EMV chip-enabled terminals, requirements for acquirer processors to support chip acceptance and the introduction of U.S. liability shift policies.

Specifically, Visa will waive Payment Card Industry Data Security Standard (PCI DSS) compliance validation requirements to encourage merchant investment in contact and contactless chip payment terminals. Visa will also require acquirer processors to ensure that their systems support dynamic data acceptance (i.e., chip) and will institute a domestic and cross-border counterfeit liability shift.

Visa’s Counterfeit Liability Shift Policies

Visa intends to institute a liability shift in the U.S. for domestic and cross-border counterfeit transactions effective 1 October 2015. Visa’s global POS counterfeit liability shift policies are designed to encourage EMV chip card issuance and acceptance in participating geographical regions, effectively creating a more secure environment for transactions within and between each participating Visa region. Note: The liability shift encourages chip transactions because any chip-on-chip transaction (i.e., a chip card read by a chip terminal) provides dynamic authentication data, which helps to better protect all parties.

With this type of liability shift, the party that is the cause of a chip-on-chip transaction not occurring (i.e., either the issuer or the merchant’s acquirer) will be financially liable for any resulting card-present counterfeit fraud losses. When a transaction occurs using chip technology, any liability for counterfeit fraud, though unlikely, would follow current Visa Operating Regulations.

The policy assigns liability for counterfeit fraud to the party that has not made the investment in EMV chip cards (issuers) or terminals (merchants’ acquirers). The policy encourages wider deployment of EMV cards and terminals.

EMV chip implementation is accelerating globally. Today, excluding the U.S., 44 percent of all cards are EMV chip cards, and 74 percent of all terminals are EMV chip-capable, with 62 percent of cross-border transactions conducted with a chip card at a chip terminal.

U.S. Participation Introduced in Global Counterfeit Liability Shift Policy

Visa plans that effective 1 October 2015, the U.S. will be included in the Global POS Liability Shift Policy, which will apply to all issuers and merchants’ acquirers in the U.S., with the exception of transactions at Automated Fuel Dispensers (AFDs). Transactions made at AFDs will be excluded from the liability shift for a period of two (2) years due to the challenges faced by the petroleum industry in upgrading terminals to accept EMV chip cards. Similarly, effective 1 October 2017, transactions made at AFD terminals will be included in the Global POS Liability Shift Policy.

Note: This liability shift policy change excludes counterfeit fraud at U.S. ATMs. Visa will continue to evaluate the potential for an expansion to include ATMs.

Preparing for Payment Technology Evolution

As the U.S. point-of-sale payment infrastructure continues to evolve from the static magnetic stripe to intelligent devices such as EMV chip cards and Near Field Communication (NFC) mobile phones, this liability shift policy change will help ensure that the acceptance infrastructure is ready. It will also allow acquirers, merchants and issuers to invest in new technology to ensure that cardholders can continue to make secure and frictionless transactions across all channels.

Fraud Risks and methods to identify and prevent credit card fraud

Thursday, May 5th, 2011

Results from the 2010 LexisNexis True Cost of Fraud study show that 20% of merchant fraud losses are attributed to friendly fraud, 42% to lost or stolen merchandise, 18% to identity fraud, and 20% to fraudulent requests for a return/refund. Friendly fraud occurs when a consumer purchases an item online and receives the product but claims not to have received it, requesting a refund or chargeback from the merchant or delivery of a duplicate item.

Prevention holds the greatest impact in minimizing fraud losses.

Fraud Loss by Company Size, Product Type, Channel and Industry, 2010

Company Size                         Average annual fraud amount ($)
Small Company (avg <$1M revenues)    $2,145
Medium Company (avg $5M revenues)    $104,000
Large Company (avg >$50M revenues)   $6,767,000

For the complete study, get it free by registering at the LexisNexis web site: 2010 LexisNexis True Cost of Fraud.

Comments:

Friendly fraud- A small business owner was able to successfully defend against a consumer claim that the box was delivered empty by showing FedEx records of the weight. The difficulty going forward is that new rules have a 180-day chargeback period. Make sure your shipping company keeps those records for as long as you need them.

Identity fraud- Unless there is an issue of verifying ownership, such as when a customer is picking up a car left for repair, merchants cannot ask for a driver’s license or other identification for a standard transaction. However, there are many other ways to prevent this type of crime. In the brick-and-mortar world, a mandatory check of the last 4 digits is a simple and effective way to block cloned credit cards. Due to the global nature of our society, requiring the zip code would frequently result in too many declines. However, you can add additional filters with our payment processing platform, which sits in front of your existing processor. Essentially it is your fraud protection dashboard, where you control in real time the level of risk you’re willing to accept, either by blocking specific transactions entirely or by sending automated email alerts to managers who can then assess the situation. This works very similarly for online transactions.

 

2011 Data Breach report insider theft credit card processing

Tuesday, April 26th, 2011

In this first article of a series we explore insider theft related to data breaches, based on key elements of the Verizon 2011 data breach report. The number of 2010 data breaches exploded in companies with 11 to 100 employees. A key commonality is simply that the opportunity was there.

The 2011 Data Breach Investigations Report (DBIR) is a study conducted by the Verizon RISK team in cooperation with the U.S. Secret Service and the Dutch High Tech Crime Unit.

Who is behind the data breaches?

  • 92% external agents
  • 17% implicated insiders
  • < 1% business partners
  • 9% involved multiple parties

How do breaches occur?

  • 50% involved some sort of hacking
  • 49% incorporated malware
  • 29% physical attacks
  • 17% from privilege misuse
  • 11% employed social tactics

What commonalities exist?

  • 83% were victims of opportunity
  • 92% were not difficult
  • 76% of all data was compromised from servers
  • 86% discovered by a third party
  • 96% were avoidable through simple or intermediate controls
  • 89% of victims subject to PCI-DSS had not achieved compliance

End of excerpt. Continue reading for blog author comments.

A healthcare company stores credit card data on servers, unencrypted. Their excuse? It’s not connected to the actual credit card processing and access is restricted, so it’s not a PCI Compliance problem. See related article: Shocking lack of payment processing security in healthcare industry. No data breach yet, but statistically the company is at great financial risk, including up to a $1.5 million fine for violating the HITECH Act.

Employees at a car dealer tape passwords next to their computer and in the first unlocked drawer of their desk. Their excuse?  It’s too hard to remember the password and they don’t acknowledge it’s a security issue.

Employees at a retail rental shop have a file folder in plain view of anyone entering the shop containing copies of drivers licenses and the front and back of credit cards. Their excuse? They didn’t know they couldn’t do it and didn’t know of an alternative method that would meet their needs to bill customers if they never returned with the goods.

Think these are exceptions? Businesses everywhere have these problems in some fashion. As each of these examples illustrates, employee training is essential. Industry wide, merchants are completing PCI Compliance Security Standards data worksheets. At that point in time, the merchant can be certified PCI Compliant. But without internal enforcement and training, the merchant is generally not compliant when a data breach occurs and thus is fully liable for all the associated fines, fees and damages.

In conclusion, the establishment of training procedures and distribution of data security expectations to employees is essential. Most employees are honest, right? But when companies have lax security policies, it presents an OPPORTUNITY for good employees to break the law.

Here are three things you can do to mitigate internal employee risk:

  1. Create a data security training checklist for all employees handling sensitive data. Update the training and content quarterly or at least once per year. The employee cannot accept credit cards or any sensitive data until they’ve completed training, plus sign and date the checklist.
  2. Make data security a formal part of employee performance reviews. Require annual checklist review and signature at the time of performance reviews.
  3. Implement a reward system for identifying vulnerabilities of real life practices- whether people, software, or hardware.

Bonus: Implement a hosted payment processing solution with extensive tools to prevent internal fraud. Call for information.

Verizon 2011 Data Breach Investigations Report: Breaches Increased Dramatically While Data Loss Was at All-Time Low

Tuesday, April 19th, 2011

Cyber Criminals Shifting to Smaller, More Opportunistic Attacks; External Attacks, Especially Hacking, on Rise

April 19, 2011

NEW YORK – Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the “Verizon 2011 Data Breach Investigations Report.” These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices.

The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report’s launch in 2008. Yet this year’s report covers approximately 760 data breaches, the largest caseload to date.

According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action.

The report also found that outsiders are responsible for 92 percent of breaches, a significant increase from the 2010 findings. Although the percentage of insider attacks decreased significantly over the previous year (16 percent versus 49 percent), this is largely due to the huge increase in smaller external attacks. As a result, the total number of insider attacks actually remained relatively constant.

Hacking (50 percent) and malware (49 percent) were the most prominent types of attack, with many of those attacks involving weak or stolen credentials and passwords. For the first time, physical attacks, such as compromising ATMs, appeared as one of the three most common ways to steal information, and constituted 29 percent of all cases investigated.

For the second year in a row, the U.S. Secret Service collaborated with Verizon in preparing the report. In addition, the National High Tech Crime Unit of the Netherlands Police Agency (KLPD) joined the team this year, allowing Verizon to provide more insight into cases originating in Europe. Approximately one-third of Verizon’s cases originated in either Europe or the Asia-Pacific region, reflecting the global nature of data breaches.

“Through our Data Breach Investigations Report series, Verizon continues to provide the industry with a first-hand look at cybercrime around the globe,” said Peter Tippett, Verizon’s vice president of security and industry solutions. “This year, we witnessed highly automated and prolific external attacks, low and slow attacks, intricate internal fraud rings, countrywide device-tampering schemes, cunning social engineering plots and more. And yet, at the end of day, we found once again that the vast majority of breaches can be avoided without extremely difficult, expensive security measures.”

Tippett added: “It is important to remember that data breaches can happen to any business — regardless of size or industry — or consumer, at any place in the world. A good offense remains the best defense. It is imperative to implement essential security measures broadly throughout your security infrastructure, whether that is a small home setup or an expansive enterprise infrastructure.”

U.S. Secret Service Assistant Director A.T. Smith said, “Americans over the past several years have seen the significant impacts data breaches are having on our nation’s financial infrastructure. Today cyber criminals are operating in nearly every civilized nation in the world, exposing Americans’ personal information, either stored or transmitted, to substantial risk.”

Smith added, “By participating in the Verizon 2011 Data Breach Investigations Report, the Secret Service is working closely with our private-sector partners to educate Americans about the threats of cyber criminals. With the help of our Electronic Crimes Task Force partners, such as Verizon, we are studying technologies and trends to prevent and mitigate attacks against critical financial infrastructure.”

The Data Breach Investigation Report (DBIR) series now spans seven years and more than 1,700 breaches involving more than 900 million compromised records, making it the most comprehensive study of its kind.

(NOTE: Additional resources supporting the 2011 Data Breach Investigations Report are available, including high-resolution charts and an audio podcast. B-roll available upon request.)

Key Findings of the 2011 Report

Data from the 2011 report shows that:

  • Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
  • Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
  • Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
  • Hacking and malware are the most popular attack methods. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and keylogger functionality.
  • Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.

Recommendations for Enterprises

The 2011 report found again that the prescription for data breaches is to use simple, essential security practices such as:

  • Focus on essential controls. Many enterprises make the mistake of pursuing exceptionally high security in certain areas while almost completely neglecting others. Businesses are much better protected if they implement essential controls across the entire organization without exception.
  • Eliminate unnecessary data. If you do not need it, do not keep it. For data that must be kept, identify, monitor and securely store it.
  • Secure remote access services. Restrict these services to specific IP addresses and networks, minimizing public access to them. Also, ensure that your enterprise is limiting access to sensitive information within the network.
  • Audit user accounts and monitor users with privileged identity. The best approach is to trust users but monitor them through pre-employment screening, limiting user privileges and using separation of duties. Managers should provide direction, as well as supervise employees to ensure they are following security policies and procedures.
  • Monitor and mine event logs. Focus on the obvious issues that logs pick up, not the minutia. Reducing the compromise-to-discovery timeframe from weeks and months to days can pay huge dividends.
  • Be aware of physical security assets. Pay close attention to payment card input devices, such as ATMs and gas pumps, for tampering and manipulation.

A complete copy of the “Data Breach Investigations Report” is available for download.

About Verizon
Verizon Communications Inc. (NYSE, NASDAQ:VZ), headquartered in New York, is a global leader in delivering broadband and other wireless and wireline communications services to mass market, business, government and wholesale customers. Verizon Wireless operates America’s most reliable wireless network, serving 94.1 million customers nationwide. Verizon also provides converged communications, information and entertainment services over America’s most advanced fiber-optic network, and delivers innovative, seamless business solutions to customers around the world. A Dow 30 company, Verizon employs a diverse workforce of more than 194,000 and last year generated consolidated revenues of $106.6 billion. For more information, visit www.verizon.com.