Archive for the ‘fraud protection’ Category

Virtual Terminal Solutions for Attorneys

Wednesday, January 5th, 2011

This article on Virtual Terminal Solutions addresses credit card processing in a law firm or individual attorney practice. How can you improve security, prevent fraud, improve PCI Compliance, and reduce the time it takes to collect payments from repeat clients?

Virtual terminals are accessed via a secure web page enabling merchants to key enter credit card or other payment information. I recently helped someone hire a specialized attorney. There was no need to meet the attorney in person, and as it turns out, the specialist wasn’t local anyway. Read this article and see if you find any similarities with your own legal practice.

SCENARIO: Collecting payment with customer not present.
A prospective client contacts an attorney regarding a legal matter for a third party. The individual desires to pay the legal bills for the party needing the services. After a brief discussion, the attorney sends a questionnaire to be filled out. After reviewing the information, a conference call is to be scheduled. There is an initial consultation fee for research, review and conference call. If the client desires to move forward, additional payment(s) will apply.

The party paying the bill requested to supply credit card information immediately to avoid any future delays as the process moved forward. The ‘regular staff’ wasn’t in due to the holidays and an assistant took the credit card information over the phone, including CVV security code, writing it down on paper. The firm will charge the card on the conference call date. I know the assistant doesn’t normally handle this function, but how often does this scenario happen in your law firm?

AVOID HIGH RISK

Collecting and writing down CVV information is a risky practice, and is generally not acceptable for most PCI Compliance situations. Creating a policy for Storage of Credit Card Details both on and off your premises is an essential element of PCI Compliance. Your company should have a clear written policy and all employees with access to sensitive information should have at least an abbreviated version of the written policy and have had training.

See related article, “Should you require CVV or AVS for phone orders?”.

How can a virtual terminal improve data security?

The key to selecting the best virtual terminal for a law firm is understanding the entire process for how payments are made, knowing the differences in virtual terminals available, and understanding the steps to PCI Compliance.

CRITERIA FOR SELECTING CREDIT CARD PROCESSING VIRTUAL TERMINAL SOLUTION FOR A LAW FIRM

  1. Must enable multiple users, each with their own login. This is so you can track who makes every transaction. (Risk Management)
  2. Uniquely control user privileges: who can enter “sale”, “void”, “refund”. Each of these should be uniquely configurable. Most systems provide ALL privileges to all users, but to reduce risk, you shouldn’t provide refund capabilities to someone who is not normally involved in the billing process, as in the scenario above.
  3. Token billing for variable amounts: if you want to re-bill a customer over and over again, require tokenization. There are two unique types of token billing. One is to charge a variable amount on demand; the other is to charge multiple payments of the same amount at specific intervals, also known as installment payments. The card data is key entered via a secure web page one time only. Most solutions have an installment option, but very few have a solution for variable amount, on-demand payments.

BONUS CRITERIA: these features are not required, but there are strong reasons to put them on your list.

  1. Client/contract management. With this solution, the merchant can set up multiple contracts for the same client ID, and assign different billing periods, amounts etc.; enter the card data one time only. Each contract is given a unique token.
  2. Least cost routing. This technology will automatically require AND pass all data elements needed to qualify for the lowest cost interchange for any given card type, on to your processor. Human error and specific technical knowledge are eliminated from the process. This feature can reduce costly downgrades; for example up to .70% extra on corporate credit cards. What’s unique about this?
  • Not all virtual terminals collect the information needed.
  • Not all virtual terminals REQUIRE the information needed so it’s easy to bypass.
  • Not all virtual terminals pass on the data to the processor even if it’s collected; the merchant has no way of knowing what’s needed or what is passed on.
  • Users are typically in control, rather than intelligent software.
  • Most virtual terminals are simply gateways. There are input fields and data is passed forward. Our professional services virtual terminal solution is not just a gateway. It’s an intelligent switch that recognizes the card type and determines what is the least costly way to submit the transaction for processing. Then it collects and passes the necessary data.

3D MERCHANT SOLUTION: all of the above, plus these additional law-firm-friendly features:

Would you like data interaction between your credit card processing and your legal software? Via API or CSV Export, you can update your legal software application. You CANNOT export or see card data ever, but you can use last 4 digits, name, card type and other fields.

Executive Reporting: Who’s billing the most? Eliminate wasted time creating reports and totaling data. Via the executive dashboard, you can see billing in real time, with up to 7 years of data to pull from. Organize your reporting preferences by division, region, and/or attorney.

See related article best virtual terminal for card not present for comparison.

FAQ for 3D Merchant recommended virtual terminal

How much does the virtual terminal cost?

The virtual terminal is very affordable. Pricing is based on volume, either dollars or transactions. Depending on your credit card processing fees now, it may even be net neutral. For a firm proposal, please submit at least 2 months’ merchant statements for review. (You can keep your processor or change; there is no difference in price.)

Are there computer requirements? A high speed internet connection and an up-to-date browser with the Flash plugin. PC or Mac compatible.

How easy is it to use? After logging in and changing the temporary password, most users will figure out everything they need to know in about 5-10 minutes. There are dozens of short 15-30 second HELP video clips for instant answers.

What is the implementation time? Contract approval to account set up is usually 2-5 business days. If you’re switching processors, we’ll have everything ready for you to start accepting payments immediately. Just add users in a matter of minutes and you’re ready to go. You can even batch upload existing client data.

If you’re not switching processors, we’ll provide you with a form for your processor to complete so we can link to your existing merchant account.

What is token billing?

Tuesday, December 7th, 2010

Token Billing enables a merchant to store encrypted card data and then charge the card again at a later date. Unlike recurring billing, merchants can charge a VARIABLE AMOUNT to the same credit card. Tokenization is the process of collecting, storing, and rebilling encrypted credit card data. Our PCI Compliant solution enables you to control spiraling credit card fees, reduce fraud risk, and see real time cash flow reports.

B2B companies often need this service. Their customers sign faxed forms authorizing the merchant to bill their card on an ongoing basis. Lawyers, accountants, staffing and service companies with auto fleets are all examples of companies who can benefit.

TOP REASONS TO USE OUR TOKEN BILLING SOLUTION

  • Enter customer profile data one time only, then simply enter the token ID and amount to charge for subsequent transactions. Save TONS of billing time.
  • Unlimited customers – pay only when you charge a customer, plus a minimum monthly fee.
  • Host based solution. No software to download.
  • Always up to date with the latest parameters for interchange qualification (the wholesale cost of credit card processing).
  • Least cost routing will identify the lowest cost method to process a transaction and pass all data needed to qualify for it. This is NOT just providing the standard level II data that 99% of other service providers deliver.
  • Compatible with all major payment processors.
  • PCI Compliant. No credit data is ever stored at your facility.

Certain industries may also be eligible for pinless debit. This enables merchants to qualify for PIN-debit interchange rates, even though the customer is not present to enter their PIN. Given the closing gap on the merchant value of PIN debit vs signature debit, our solution will route your transaction based on cost and risk factors that you choose.

Read more about token billing.

best virtual terminal for card not present

Wednesday, December 1st, 2010

Which is the best virtual terminal for card not present merchant accounts? I’ve looked at and used many, including Paypal, Orbital by Paymentech, authorize.net, and CenPOS. I created a spreadsheet to compare them, and it’s still hard to put into plain English why I like one so much more than all the rest.

I’m going to eliminate any small business discussion for detailed comparison because the needs are vastly different. Paypal Payments Pro Virtual terminal and authorize.net are fine for small businesses. Orbital can only be used if you have a Paymentech merchant account. CenPOS can be used with any merchant processor, but it was created for larger businesses so they have a high minimum to keep the client base on target.

In this article I show why I like CenPOS more than any other for day to day user management. Even where virtual terminals have the same function, I prefer the easy navigation and user interface of CenPOS.

Easily add, delete and modify users. Total control over what permissions each user has. You can decide who can perform voids, refunds, auths, force and much more. You can set parameters for dollar thresholds to alert management via email for refunds over a certain dollar amount. There are probably dozens of ways to set up a user, but most importantly, I can do the most common tasks (who has access, and resetting passwords) in about a minute.

SCREEN SHOTS

Figure 1. CenPOS basic fields to add a new user, including security control for transaction types. Sale = card swipe. MOTO = key enter. There are more advanced controls on a second page if desired. This user is allowed to process key entered transactions, voids (delete a transaction the same day), look up past transactions, and pull a report of their sales dynamically for any date range. This type of tight security is perfect for new employees and other scenarios where you want to limit job functions.

virtual terminal add users
If you check Return, the user can only complete a refund if the original transaction (any user) is recognized, and it cannot be credited for more than the original charge.

Let’s compare the above to authorize.net.

Figure 2. Authorize.net adding a new user with “User Role- Administrator”. The administrator adds new users by first selecting what type of role the user will have. The group of options is pre-determined based on the role. This image shows the permissions automatically assigned for the administrator role. There is no option to edit them.

virtual terminal add users

How much protection do you have from internal fraud? In CenPOS, you can provide just the right access to data needed, without giving the users access to anything more. Certain controls are at the merchant level (not shown), not the virtual terminal administrator level. The controls can be set for all merchant accounts within an entire organization, within a division, or at the merchant account level. Plus, with the CenPOS Executive Dashboard, management can also quickly identify potential internal fraud with dynamic graphic illustrations.

Figure 3. Authorize.net adding a new user with “User Role- Transactions”. Part 1, select role type. Again, all checked boxes are standard: you can manually turn any of them off.

authorize.net virtual terminal add users options

Figure 4. Authorize.net adding a new user with “User Role- Transactions”. Part 2, enter the user information.

virtual terminal add users options

Note the significant differences between the level of permission choices for this type of user and even the basic permissions you have for the CenPOS user. Especially in larger organizations, these types of controls are essential to reduce risk.

This is part one of a series on Virtual Terminals.

What is CenPOS? CenPOS is an innovative host-based payment processing platform. It is not a gateway and it’s compatible with all major processors. Although there are many features and benefits, at the heart of the technology is the intelligent switch. It routes payment processing via the least cost method by identifying what it is and knowing the least cost way to process it. This all happens faster than a traditional desktop credit card terminal.

Merchants have hit a wall in reducing credit card processing costs via negotiating reduced merchant discounts. Real cost management today is achieved through interchange management, which CenPOS does intelligently and automatically. CenPOS resides virtually between the merchant and the Acquirer, i.e. the merchant payment processor (merchant account), Amex, check processor, loyalty card etc. All transactions hit CenPOS via high speed internet connection before being routed automatically. Real time cash flow reports, fraud prevention, and PCI Compliance are other key benefits.

medical billing solution reduces fraud

Wednesday, November 17th, 2010

Most medical billing solutions address HIPAA, but what about secure payments? Our medical billing solution enables you to securely collect current payments and outstanding bills after insurance claims are completed. Additionally, there are many built in merchant controlled settings to help reduce and eliminate both internal and external fraud.

MEDICAL BILLING SOLUTIONS

Tired of getting paid weeks and months after services are rendered?

Do you have patients paying a co-pay on the visit, then after you’re paid by the insurance company, the patient ends up having a balance due?

How long on average does it take you to collect that balance? Are you paying a medical billing company to collect it for you?

Do you have patients that are billed the same amount every month?

Do you offer a payment plan in some situations?

SOLUTION: TOKEN ACCOUNTS.

  1. Merchant accesses a secure payment processing platform and creates a TOKEN to enable rebilling the patient or to set up recurring billing. Card data is never stored at the merchant location and the token links only to remotely hosted encrypted data. To re-bill, the merchant enters the patient name, transaction amount, and the TOKEN ID.
  2. Patients agree to have their card charged, usually up to a specified amount, at the time of the original transaction. Merchants can print a receipt, or have an email automatically sent with the receipt.

BENEFITS:

  1. Improve cash flow.
  2. Reduce or eliminate collections.
  3. Simplify the billing process: reduce workload.
  4. PCI Compliant: secure solution eliminates exposed card data.
  5. Reduce opportunities for internal fraud by eliminating receiving card data within mailed billing responses.
  6. Managed payment processing costs: eliminates costly human errors that result in interchange qualification downgrades.

FEATURES:

  1. Optional Signature Capture stores patient opt-in agreement electronically indefinitely.
  2. Access secure web page from any computer.
  3. User control for all functions and reporting. You decide who can perform what type of transaction. Enable off site billing or accounting to access reporting.
  4. Optional industry template to capture insurance policy number, account number etc. Export reports on demand.
  5. Real-time cash flow. Enables management to see multiple locations at a glance.
  6. Multiple merchant accounts: use the same system for multiple doctors within a location.
  7. Minimal set-up. No major upfront investment.
  8. Optional pay page: simple code you can add to your web site so patients can pay a bill.

SALES CONTACT: Christine Speedy 954-942-0483

SCREEN SHOTS

Figure 1. The customer is present and you swipe the card. The card number, expiration and name on card are automatically recognized, as with any swipe device. Confidential information will be x’d out and will not appear on the screen. Enter the sale amount, as usual.
swipe sale screen

Notes: Other required or optional fields are determined by the merchant at account set-up. The merchant determines data capture preferences, balancing speed at the cashier, information needs, and risk. In all the figures shown, invoice is mandatory, but that is strictly a merchant decision.

Figure 2. When the customer is not present, different data needs to be captured for risk and interchange qualification (how much a transaction costs the merchant) concerns.
virtual terminal card not present sale screen

Figure 3. If the merchant wants to bill the same customer again, the repeat sale button is selected. Information is collected for both the initial sale and future sales. A token is automatically generated, or the merchant can specify one. We recommend you collect the email address so that you can send automatic receipts for future billing. (You can also ask the customer to opt-in or opt-out to marketing via email.)

virtual terminal repeat sale screen

Figure 4. When you’re ready to go back and bill the patient, enter the TOKEN ID along with the amount to charge.

virtual terminal token billing

If you captured an email previously and set up automatic receipts, an email is automatically generated and sent. Email set up can be programmed with your own FROM and SUBJECT.

The benefits I’ve discussed are just the tip of the iceberg. This technology is leaps ahead of anything else on the market, including ease of use. Your staff can complete a repeat sale with less than 5 minutes of training. Setting up recurring billing, where the same amount is billed multiple times, is not shown here and is just as easy.

Protect your patient data. Protect your business from internal fraud. Improve your cash flow. Look at functional graphical reports that let you see and compare cash flow from multiple operations in minutes.

Questions? Need a demo? Call Christine at 954-942-0483.

Dental billing solution enables rebilling after insurance claims

Wednesday, November 17th, 2010

Most medical and dental billing solutions address HIPAA, but what about secure payments? Our dental billing solution enables you to securely collect current payments and outstanding bills after insurance claims are completed. Collecting payments in a secure manner is equally important to HIPAA. Most staff at medical practices don’t even know what PCI DSS is, even after having 6 years to comply.

DENTAL BILLING SOLUTIONS

Tired of getting paid weeks and months after services are rendered?

Do you have patients paying a co-pay on the visit, then after you’re paid by the insurance company, the patient ends up having a balance due?

How long on average does it take you to collect that balance? Are you paying a medical billing company to collect it for you?

Do you have orthodontia patients that are billed the same amount every month?

Do you offer a payment plan in some situations?

SOLUTION: TOKEN ACCOUNTS.

  1. Merchant accesses a secure payment processing platform and creates a TOKEN to enable rebilling the patient or to set up recurring billing. Card data is never stored at the merchant location and the token links only to remotely hosted encrypted data. To re-bill, the merchant enters the patient name, transaction amount, and the TOKEN ID.
  2. Patients agree to have their card charged, usually up to a specified amount, at the time of the original transaction. Merchants can print a receipt, or have an email automatically sent with the receipt.

BENEFITS:

  1. Improve cash flow.
  2. Reduce or eliminate collections.
  3. Simplify the billing process: reduce workload.
  4. PCI Compliant: secure solution eliminates exposed card data.
  5. Reduce opportunities for internal fraud by eliminating receiving card data within mailed billing responses.
  6. Managed payment processing costs: eliminates costly human errors that result in interchange qualification downgrades.

FEATURES:

  1. Optional Signature Capture stores patient opt-in agreement electronically indefinitely.
  2. Access secure web page from any computer.
  3. User control for all functions and reporting. You decide who can perform what type of transaction. Enable off site billing or accounting to access reporting.
  4. Optional industry template to capture insurance policy number, account number etc. Export reports on demand.
  5. Real-time cash flow. Enables management to see multiple locations at a glance.
  6. Multiple merchant accounts: use the same system for multiple doctors within a location.
  7. Minimal set-up. No major upfront investment.
  8. Optional pay page: simple code you can add to your web site so patients can pay a bill.

SALES CONTACT: Christine Speedy 954-942-0483

SCREEN SHOTS

Figure 1. The customer is present and you swipe the card. The card number, expiration and name on card are automatically recognized, as with any swipe device. Confidential information will be x’d out and will not appear on the screen. Enter the sale amount, as usual.
swipe sale screen

Notes: Other required or optional fields are determined by the merchant at account set-up. The merchant determines data capture preferences, balancing speed at the cashier, information needs, and risk. In all the figures shown, invoice is mandatory, but that is strictly a merchant decision.

Figure 2. When the customer is not present, different data needs to be captured for risk and interchange qualification (how much a transaction costs the merchant) concerns.
virtual terminal card not present sale screen

Figure 3. If the merchant wants to bill the same customer again, the repeat sale button is selected. Information is collected for both the initial sale and future sales. A token is automatically generated, or the merchant can specify one. We recommend you collect the email address so that you can send automatic receipts for future billing. (You can also ask the customer to opt-in or opt-out to marketing via email.)

virtual terminal repeat sale screen

Figure 4. When you’re ready to go back and bill the patient, enter the TOKEN ID along with the amount to charge.

virtual terminal token billing

If you captured an email previously and set up automatic receipts, an email is automatically generated and sent. Email set up can be programmed with your own FROM and SUBJECT.

The benefits I’ve discussed are just the tip of the iceberg. This technology is leaps ahead of anything else on the market, including ease of use. Your staff can complete a repeat sale with less than 5 minutes of training. Setting up recurring billing, where the same amount is billed multiple times, is not shown here and is just as easy.

Protect your patient data. Protect your business from internal fraud. Improve your cash flow. Look at functional graphical reports that let you see and compare cash flow from multiple operations in minutes.

Questions? Need a demo? Call Christine at 954-942-0483.

Study Finds Data Breaches Cost Hospitals $6 Billion; Patient Privacy in Jeopardy

Tuesday, November 9th, 2010

Hospitals Are Not Protecting Patient Data; Healthcare Industry Lagging Behind HITECH Standards

TRAVERSE CITY, Mich. and PORTLAND, Ore. — November 9, 2010 — The latest benchmark study by Ponemon Institute, sponsored by ID Experts®, finds that data breaches of patient information cost healthcare organizations nearly $6 billion annually, and that many breaches go undetected. The research indicates that protecting patient data is a low priority for hospitals and that organizations have little confidence in their ability to secure patient records, putting individuals at great risk for medical identity theft, financial theft and embarrassment of exposure of private information.

Today, Ponemon Institute, a privacy and information management research firm, and ID Experts, the leader in comprehensive data breach solutions, released Benchmark Study on Patient Privacy and Data Security. For a free copy, visit http://www2.idexpertscorp.com/ponemonstudy.

The passage of the HITECH Act in 2009 widened the scope of privacy and security protections under HIPAA to provide stronger safeguards for patient data. This includes notification to patients when their information is breached.

“Our research shows that the healthcare industry is struggling to protect sensitive medical information, putting patients at risk of medical identity fraud and costing hospitals and other healthcare services companies millions in annual breach-related costs,” said Dr. Larry Ponemon, chairman and founder, Ponemon Institute. “At this point one would hope to see that healthcare organizations have improved information security practices and come into compliance with HITECH, now that it’s been more than one year since it was enacted. Instead we found enormous vulnerabilities. The protection of patient data should be at the forefront of their efforts.”

Key findings of the research:

  • Data breaches are costing the healthcare system billions. The total economic burden created by data breaches on the healthcare industry is nearly $6 billion annually. The impact of a data breach over a two-year period is approximately $2 million per organization and the lifetime value of a lost patient is $107,580. The average organization had 2.4 data breach incidents over the past two years. Major factors causing data breaches are unintentional employee action, lost or stolen computing devices and third-party error.
  • Healthcare organizations are not protecting patient data. Organizations have little or no confidence in their ability to appropriately secure patient records (58 percent). Healthcare organizations have inadequate resources (71 percent) and insufficient policies and procedures in place (69 percent) to prevent and quickly detect patient data loss.
  • Protecting patient data is not a priority. Seventy percent of hospitals stated that protecting patient data is not a top priority. Patient billing (35 percent) and medical records (26 percent) are the most susceptible to data loss or theft. A majority of organizations have less than two staff dedicated to data protection management (67 percent).
  • HITECH has exposed the healthcare industry’s lax data protection practices rather than improved the safety of patient records. The majority (71 percent) of respondents do not believe the HITECH Act regulations have significantly changed the management practices of patient records. The findings indicate that there is a significant number of data breaches that go undetected, and therefore unreported.

“We talk with healthcare compliance people dealing with data breach risks every day and they just can’t get their arms around the problem of data exposure,” said Rick Kam, president and co-founder of ID Experts. “Unfortunately, in healthcare organizations, patient revenue trumps risk management.”

About Ponemon Institute

Ponemon Institute is dedicated to advancing responsible information and privacy management practices in business and government. To achieve this objective, the Institute conducts independent research, educates leaders from the private and public sectors and verifies the privacy and data protection practices of organizations in a variety of industries.

About ID Experts

ID Experts is the leader in comprehensive data breach solutions that deliver the most positive outcomes. The company has managed hundreds of data breach incidents, protecting millions of affected individuals, for leading healthcare organizations, corporations, financial institutions, universities and government agencies. In healthcare, the company contributes to relevant legislation and rules including HITECH and is a corporate member of HIMSS. ID Experts is active with organizations that advocate for privacy for Americans including ANSI/Identity Theft Prevention, Identity Management Standards Panel and the International Association of Privacy Professionals. For more information, visit http://www.idexpertscorp.com/.

Tokenization for recurring billing or repeat sales

Tuesday, September 21st, 2010

Tokenization is now offered for resale of variable sales amounts. Enter card data one time only via a PCI Compliant interface. The system will generate a token for you. To process future transactions, enter the TOKEN instead of the card data, which can never be seen again.

The card data is encrypted and is never stored on your servers or computers. The token, which is worthless to others, is your way to submit future billing requests.

Tokenization and PCI DSS (Payment Card Industry Data Security Standard): PCI compliance is streamlined with tokenization and our end-to-end encryption solution.

The average user will submit cardholder data via the virtual terminal RESALE function. A token is automatically generated which you then store offline. To rebill, simply submit the token in lieu of the actual card number.

TYPICAL REPEAT SALE SET UP FOR RETAIL ENVIRONMENT:

- Merchant has customer fax a standard approval form with card data.

- The paper is filed in a locked drawer with limited personnel access. CVV is never stored.

- Merchant retrieves the information and key enters the transaction on a virtual terminal or desktop terminal when they need to rebill the customer.

- Merchant prints receipt and mails or faxes to the client.

TYPICAL REPEAT SALE SET UP FOR RETAIL ENVIRONMENT WITH CENPOS AND CARD IS NOT PRESENT:

- Merchant has customer fax a standard approval form listing the last 4 digits of the card only, an email field, and with language about opting-in to receiving email from the merchant.

- Merchant gets card data over the phone and directly enters it into the secure virtual terminal using the RESALE button.

- Merchant copies the TOKEN generated onto the merchant approval form, which is then stored in a locked drawer with limited personnel access.

- Merchant retrieves the token and key enters the transaction details on a virtual terminal or desktop terminal when they need to rebill the customer.

- Merchant uses the automated email function to send the customer a receipt, or prints receipts the old way.

What if the customer is in the store for the first order, but then won’t be there later when you bill more? You’ll swipe the card as usual, using the resale button. The cashier will be prompted for address and other data as if the customer is not present.

The first transaction will process via your retail swipe account. The future card not present transactions will process via your MOTO account, automatically, when you key enter the transaction later. This is a significant competitive product difference from any other solution you may have looked at.

  1. Merchants will qualify for the best interchange rate for each type of transaction, thereby lowering costs.
  2. Merchants will meet the card association requirements for proper presentment to reduce risk of chargebacks from disputes. (Different rules apply about data submitted and signatures on swipe vs moto.)
  3. Both transactions will be in a fully PCI Compliant environment, reducing risk of liability from improperly protecting card data.
  4. Cashiers are removed from any decision making that can affect your rate qualification in every transaction. The system will automatically prompt for data needed based on transaction parameters.
  5. Best of all, no terminal programming updates! The hosted solution is always current and any terminal connected is simply a slave of the system.
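
As an added illustration of the flow above (example code written for this page, not CenPOS software; the class and function names are hypothetical), this sketch keeps the card number only at the hosted gateway, hands the merchant a random token, records nothing but the last four digits and the token on the approval form, and routes a later keyed rebill to the MOTO path, where address data is required:

```python
import secrets
from dataclasses import dataclass

def luhn_valid(pan: str) -> bool:
    """Mod-10 check that a keyed-in card number is at least well formed."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class HostedGateway:
    """Stands in for the hosted virtual terminal: the only place the PAN lives."""
    def __init__(self):
        self._vault = {}  # token -> PAN (a real gateway keeps this encrypted, HSM-backed)

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        token = secrets.token_hex(16)      # random, so it reveals nothing about the PAN
        self._vault[token] = pan
        return token

    def charge(self, token: str, amount: float, swiped: bool, avs) -> dict:
        """Swiped card -> retail account; keyed/token -> MOTO account, which
        needs address data (AVS), as the cashier is prompted for on the page."""
        if token not in self._vault:
            raise KeyError("unknown token")
        if not swiped and not avs:
            raise ValueError("card-not-present sale requires AVS data")
        return {"account": "RETAIL" if swiped else "MOTO", "amount": amount}

@dataclass
class ApprovalForm:
    """The paper record kept in the locked drawer: no PAN, no CVV, no expiry."""
    customer: str
    last4: str
    email: str
    token: str

def first_sale(gw, customer, email, pan, amount, swiped, avs=None):
    """'RESALE' path: charge now and keep only last 4 + token for future rebilling."""
    token = gw.tokenize(pan)
    receipt = gw.charge(token, amount, swiped, avs)
    return ApprovalForm(customer, pan[-4:], email, token), receipt

def rebill(gw, form, amount, avs):
    """Later card-not-present sale, keyed from the stored token only."""
    return gw.charge(form.token, amount, swiped=False, avs=avs)
```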

Because they have no meaning by themselves, tokens or aliases are useless to criminals if your customers' hard-copy files are compromised. Per the PCI DSS requirements for your organization, you'll still need to have the workstations on which you enter transactions scanned.

This is an ideal solution for any B2B company with corporate customers. Sign up for RSS for more details on this feature. For a demo, call the hotline at the top of this web page.

Related articles:

- Can you store track data and be PCI Compliant?

- Storing CVV codes so you can rebill

2010 Data Breach Report From Verizon Business, U.S. Secret Service Offers New Cybercrime Insights

Wednesday, July 28th, 2010

Expanded Study Finds More Insider Threats, Greater Use of Social Engineering, Continued Strong Organized Criminal Involvement

BASKING RIDGE, N.J. – July 28, 2010 –

The 2010 Verizon Data Breach Investigations Report, based on a first-of-its kind collaboration with the U.S. Secret Service, has found that breaches of electronic records last year involved more insider threats, greater use of social engineering and the continued strong involvement of organized criminal groups.

The study, released Wednesday (July 28), also noted that the overall number of breaches investigated last year declined from the total for the previous year – “a promising” indication, the study said.

The report cited stolen credentials as the most common way of gaining unauthorized access into organizations in 2009, pointing once again to the importance of strong security practices both for individuals and organizations.  Organized criminal groups were responsible for 85 percent of all stolen data last year, the report said.

Verizon Business investigative experts found, as they did in the company’s prior data breach reports, that most breaches were considered avoidable if security basics had been followed.  Only 4 percent of breaches assessed required difficult and expensive protective measures.

The 2010 report concluded that being prepared remains the best defense against security breaches. For the most part, organizations still remain sluggish in detecting and responding to incidents. Most breaches (60 percent) continue to be discovered by external parties and then only after a considerable amount of time.  And while most victimized organizations have evidence of a breach in their security logs, they often overlook them due to a lack of staff, tools or processes.

The collaboration with the Secret Service, announced in May, enabled this year’s Data Breach Investigations Report to provide an expanded view of data breaches over the last six years. With the addition of Verizon’s 2009 caseload and data contributed by the Secret Service – which investigates financial crimes – the report covers 900-plus breaches involving more than 900 million compromised records.

“This year we were able to significantly widen our window into the dynamic world of data breaches, granting us an even broader and deeper perspective,” said Peter Tippett, Verizon Business vice president of technology and enterprise innovation.   “By including information from the Secret Service caseload, we are expanding both our understanding of cybercrime and our ability to stop breaches.”

Michael Merritt, Secret Service assistant director for investigations, said: “The Secret Service believes that building trusted partnerships between all levels of law enforcement, the private sector and academia has been a proven and successful model for facing the challenges of securing cyberspace.  It is through our collaborative approach with established partnerships that the Secret Service is able to help expand the collective understanding of breaches and continue to augment our advanced detection and prevention efforts.”

(NOTE: Additional resources supporting the 2010 data breach report are available, including an audio podcast, video podcast and high-resolution charts and graphs.)

Key Findings of the 2010 Report

This year’s key findings both reinforce prior conclusions and offer new insights. These include:

  • Most data breaches investigated were caused by external sources. Sixty-nine percent of breaches resulted from these sources, while only 11 percent were linked to business partners. Forty-nine percent were caused by insiders, which is an increase over previous report findings, due in part to an expanded dataset and the types of cases studied by the Secret Service.
  • Many breaches involved privilege misuse. Forty-eight percent of breaches were attributed to users who, for malicious purposes, abused their right to access corporate information.  An additional 40 percent of breaches were the result of hacking, while 28 percent were due to social tactics and 14 percent to physical attacks.
  • Commonalities continue across breaches. As in previous years, nearly all data was breached from servers and online applications. Eighty-five percent of the breaches were not considered highly difficult, and 87 percent of victims had evidence of the breach in their log files, yet missed it.
  • Meeting PCI-DSS compliance still critically important. Seventy-nine percent of victims subject to the PCI-DSS standard hadn’t achieved compliance prior to the breach.

The State of Cybercrime: 2010

The report said the decline in the overall number of data breaches may be due to a number of factors, including “law enforcement’s effectiveness in capturing criminals.”  The report cited the arrest of Albert Gonzalez, one of the world’s most notorious computer hackers, who pleaded guilty to helping run a global ring that stole hundreds of millions of payment card numbers and who was sentenced last year to 20 years in prison.

“The reduction in breaches is a positive sign that we are gaining some ground in the fight against cybercrime,” said Tippett.  “As we are able to share more information through the use of the VERIS security research framework to gather comparative security data such as the caseload of the Secret Service, we believe we will be even better equipped to arm organizations with best practices, processes, tools and services that will continue to make a difference.”

Data breaches continue to occur within all types of organizations. Financial services, hospitality and retail still comprise the “Big Three” of industries affected (33 percent, 23 percent and 15 percent, respectively) in the merged Verizon-Secret Service dataset, though tech services edged out retail in Verizon’s caseload.  A growing percentage of cases and an astounding 94 percent of all compromised records in 2009 were attributable to financial services.

More than half of the breaches investigated by Verizon in 2009 occurred outside the U.S., while the bulk of the breaches investigated by the Secret Service occurred in the U.S.  The report finds no correlation between an organization’s size and its chances of suffering a data breach.

“Thieves are more likely to select targets based on the perceived value of the data and cost of attack than victim characteristics such as size,” Verizon researchers noted.

Recommendations for Enterprises

The 2010 study once again shows that simple actions, when done diligently and continually, can reap big benefits. These actions include:

  • Restrict and monitor privileged users. The data from the Secret Service showed that there were more insider breaches than ever before. Insiders, especially highly privileged ones, can be difficult to control. The best strategies are to trust but verify by using pre-employment screening; limit user privileges; and employ separation of duties. Privileged use should be logged, and messages detailing that activity should be sent to management.
  • Watch for ‘Minor’ Policy Violations. The study finds a correlation between seemingly minor policy violations and more serious abuse. This suggests that organizations should be wary of and adequately respond to all violations of an organization’s policies.  Based on case data, the presence of illegal content on user systems or other inappropriate behavior is a reasonable indicator of a future breach. Actively searching for such indicators may prove even more effective.
  • Implement Measures to Thwart Stolen Credentials. Keeping credential-capturing malware off systems is priority No. 1. Consider two-factor authentication where appropriate. If possible, implement time-of-use rules, IP blacklisting and restricting administrative connections.
  • Monitor and Filter Outbound Traffic. At some point during the sequence of events in many breaches, something (data, communications, connections) goes out externally via an organization’s network that, if prevented, could break the chain and stop the breach. By monitoring, understanding and controlling outbound traffic, an organization can greatly increase its chances of mitigating malicious activity.
  • Change Your Approach to Event Monitoring and Log Analysis. Almost all victims have evidence of the breach in their logs. It doesn’t take much to figure out that something is amiss and make needed changes.  Organizations should make time to review more thoroughly batch-processed data and analysis of logs. Make sure there are enough people, adequate tools and sufficient processes in place to recognize and respond to anomalies.
  • Share Incident Information. An organization’s ability to fully protect itself is based on the information available to do so. Verizon believes the availability and sharing of information are crucial in the fight against cybercrime. We commend all those organizations that take part in this effort, through such data-sharing programs as the Verizon VERIS Framework.

A complete copy of the “2010 Data Breach Investigations Report” is available at http://www.verizonbusiness.com/go/2010databreachreport/.

About the United States Secret Service
Well known for protecting the nation’s leaders, the U.S. Secret Service also is responsible for protecting America’s financial infrastructure.  The Secret Service has taken a lead role in mitigating the threat of financial crimes since the agency’s inception in 1865.  As technology has evolved, the scope of the U.S. Secret Service’s mission has expanded from its original counterfeit currency investigations to also include emerging financial crimes.   As a component agency within the U.S. Department of Homeland Security, the U.S. Secret Service has established successful partnerships in both the law enforcement and business communities – across the country and around the world – in order to effectively combat financial crimes.

About Verizon Business
Verizon Business, a unit of Verizon Communications (NYSE, NASDAQ: VZ), is a global leader in communications and IT solutions. We combine professional expertise with one of the world’s most connected IP networks to deliver award-winning communications, IT, information security and network solutions.  We securely connect today’s extended enterprises of widespread and mobile customers, partners, suppliers and employees – enabling them to increase productivity and efficiency and help preserve the environment.  Many of the world’s largest businesses and governments – including 96 percent of the Fortune 1000 and thousands of government agencies and educational institutions – rely on our professional and managed services and network technologies to accelerate their business. Find out more at www.verizonbusiness.com.