FTC Takes Action Against CafePress for Data Breach Cover Up

March 15, 2022 - Commission orders e-commerce platform to bolster data security and provide redress to small businesses.

The Federal Trade Commission today took action against online customized merchandise platform CafePress over allegations that it failed to secure consumers’ sensitive personal data and covered up a major breach. The FTC alleges that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions. The Commission’s proposed order requires the company to bolster its data security and requires its former owner to pay a half million dollars to compensate small businesses.

“CafePress employed careless security practices and concealed multiple breaches from consumers,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “These orders dial up accountability for lax security practices, requiring redress for small businesses that were harmed, and specific controls, like multi-factor authentication, to better safeguard personal information.”

In a complaint filed against Residual Pumpkin Entity, LLC, the former owner of CafePress, and PlanetArt, LLC, which bought CafePress in 2020, the FTC alleged that CafePress failed to implement reasonable security measures to protect the sensitive information of buyers and sellers stored on its network. In addition to storing Social Security numbers and password reset answers in clear, readable text, CafePress retained the data longer than was necessary. The company also failed to apply readily available protections against well-known threats and adequately respond to security incidents, the complaint alleged. As a result of its shoddy security practices, CafePress’ network was breached multiple times.

According to the complaint, a hacker exploited the company’s security failures in February 2019 to access millions of email addresses and passwords with weak encryption; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and tens of thousands of partial payment card numbers and expiration dates. Some of the information was later found for sale on the Dark Web.

After being notified a month later that it had a security vulnerability and that hackers had obtained consumer data, CafePress patched the vulnerability but failed to properly investigate the breach for several months despite additional warnings, the complaint alleged. This included a warning in April 2019 from a foreign government, which notified the company that a hacker had illegally obtained CafePress customer account information and urged the company to notify affected customers. The company, however, withheld this essential information, and instead only told customers to reset their passwords as part of an update to its password policy.

The complaint alleges CafePress did not inform affected customers until September 2019—one month after the breach was reported widely. The company’s lax security practices, however, still left many consumers at risk. For example, the company continued to allow people to reset their passwords on the website by answering security questions associated with customer email addresses—the same information that had been previously stolen by hackers.

According to the complaint, CafePress was aware of problems with its data security prior to the 2019 data breach. Through at least January 2018, when CafePress determined that certain shopkeeper accounts had been hacked, it closed the accounts and charged the victims a $25 account closure fee. The company also experienced several malware infections on its network prior to the 2019 hack but failed to investigate the source of those attacks.

In addition to its security failures, the FTC alleged the company misled users by using consumer email addresses for marketing despite its promises that such information would only be used to fulfill orders consumers had placed.

As part of the proposed settlement, Residual Pumpkin and PlanetArt will be required to implement comprehensive information security programs that will address the problems that led to the data breaches at CafePress. This includes replacing inadequate authentication measures such as security questions with multi-factor authentication methods; minimizing the amount of data they collect and retain; and encrypting Social Security numbers.

In addition, the proposed settlement requires Residual Pumpkin to pay $500,000 in redress to victims of the data breaches. PlanetArt will be required to notify consumers whose personal information was accessed as a result of CafePress’s data breaches and provide specific information about how consumers can protect themselves. Both companies will be required to have a third party assess their information security programs and provide the Commission with a redacted copy of that assessment suitable for public disclosure.

The Commission voted 4-0 to issue the proposed administrative complaint and to accept the consent agreement with the companies.

The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $46,517.

https://www.ftc.gov/news-events/news/press-releases/2022/03/ftc-takes-action-against-cafepress-data-breach-cover

Ethisphere honors U.S. Bank for 8th year

Elavon’s parent company, U.S. Bank, has been named one of the World’s Most Ethical Companies by the Ethisphere Institute for the eighth consecutive year. Ethisphere is the global leader in defining and advancing the standards of ethical business practices that fuel corporate character, marketplace trust and business success.

“Our employees have gone above and beyond to support our communities and customers,” said Andy Cecere, chairman, president and chief executive officer. “They work hard to earn and keep our customers’ trust, and this honor belongs to them.”

Ethisphere recognized 136 honorees that span 22 countries and 45 industries. U.S. Bank is one of five honorees in the banking category.

The World’s Most Ethical Companies assessment is based on Ethisphere’s Ethics Quotient® framework. It includes more than 200 questions on culture, environmental and social practices, ethics and compliance activities, governance, diversity and initiatives to support a strong value chain. The process captures and collects the leading practices of organizations across industries and around the globe. This year, the questions also gauged how applicants are adapting and responding to the global health pandemic, environmental, social, and governance factors, safety, equity, and inclusion and social justice.

“Today, business leaders face their greatest mandate yet to be ethical, accountable, and trusted to drive positive change,” said Ethisphere CEO Timothy Erblich. “We continue to be inspired by the World’s Most Ethical Companies honorees and their dedication to integrity, sustainability, governance, and community. Congratulations to U.S. Bank for earning the World’s Most Ethical Companies designation.”

About Ethisphere
Ethisphere® is the global leader in defining and advancing the standards of ethical business practices that fuel corporate character, marketplace trust and business success. Ethisphere has deep expertise in measuring and defining core ethics standards using data-driven insights that help companies enhance corporate character and measure and improve culture. Ethisphere honors superior achievement through its World’s Most Ethical Companies recognition program and provides a community of industry experts with the Business Ethics Leadership Alliance (BELA). More information about Ethisphere can be found at: https://ethisphere.com.


Notes to editors

About Elavon

Elavon is a leading global payments company with more than 4,300 employees and operations in 10 countries. A subsidiary of U.S. Bancorp (NYSE:USB), Elavon provides businesses with the technology needed to accept payments from customers, whether they are shopping in stores, at home or on the go. Its platform is distinctive in that it is common across countries, making it easier for businesses to get their payment system up and running quickly and securely.

Elavon Financial Services DAC, trading as Elavon Merchant Services, is regulated by the Central Bank of Ireland and the Prudential Regulation Authority and subject to limited regulation by the Financial Conduct Authority and Prudential Regulation Authority. Details about the extent of our authorization and regulation by the Prudential Regulation Authority, and regulation by the Financial Conduct Authority are available from us on request.

About U.S. Bank

U.S. Bancorp, with 74,000 employees and $488 billion in assets as of September 30, 2019, is the parent company of U.S. Bank National Association, the fifth-largest commercial bank in the United States. The Minneapolis-based bank blends its relationship teams, branches and ATM network with mobile and online tools that allow customers to bank how, when and where they prefer. U.S. Bank is committed to serving its millions of retail, business, wealth management, payment, commercial and corporate, and investment services customers across the country and around the world as a trusted financial partner, a commitment recognized by the Ethisphere Institute naming the bank a 2019 World’s Most Ethical Company. Visit U.S. Bank online or follow on social media to stay up to date with company news.

Visit U.S. Bank and Elavon online or follow on social media to stay up to date with company news. 

###

Note: 3D Merchant Services is an authorized reseller of Elavon merchant services and related products, including CenPOS.

3-D Secure 2.0 Merchant Overview 2021

How do businesses get started using 3-D Secure? This is everything teams need to know to add 3-D Secure, a protocol that provides an additional layer of security for eCommerce transactions prior to authorization. Think of it like a phone number or account number: 3-D Secure has to be tied to your specific merchant account by the acquirer and then enabled on the payment gateway before it is active.

  1. Unless the gateway provider is also the acquirer (also known as the credit card processor or merchant account provider), ask the gateway provider for the instructions the acquirer needs to follow.
  2. Contact your merchant account sales relationship manager to request the service. If you don’t have one, call your merchant account customer support.
  3. The acquirer emails the response information to the requestor.
  4. The requestor then enables 3-D Secure on the payment gateway, or passes the information to the end user for final enablement.

3-D Secure is a protocol providing an additional layer of security for eCommerce transactions prior to authorization. It enables the exchange of data between the merchant, the card issuer and, when necessary, the consumer, to validate that the transaction is being initiated by the actual cardholder. eCommerce transactions include the traditional shopping cart as well as any digital payment where the cardholder initiates and completes the payment process; for example, e-invoicing and electronic bill presentment and payment are eCommerce transactions.

Each card network has its own product name for 3-D Secure, which is also referred to as 3D Secure, 3DS, 3-D Secure authentication or EMV 3-D Secure. Visa rebranded Verified by Visa as Visa Secure. Mastercard SecureCode (3DS 1.0) merchants are being encouraged to migrate to Mastercard Identity Check, which uses EMV 3-D Secure 2.0. American Express SafeKey 2.0 is also available now. 3-D Secure 2.x helps reduce fraud and minimizes the need for one-time passcodes, improving the user experience and reducing shopping cart abandonment.

What are merchant benefits for using 3-D Secure?

  • More authorization approvals. False declines are a significant source of lost revenue.
  • Some cards carry reduced interchange rates when authentication is invoked; interchange is usually over 90% of a merchant’s processing fees. American Express does reduce rates.
  • Less friction for customers at checkout.
  • Reduced risk of chargeback losses. Liability for “it wasn’t me” fraud disputes automatically shifts to the issuer; merchants do not have to defend those chargebacks and never even see them. Note that the shift covers fraud disputes only, not non-fraud disputes such as goods not received.

How do merchants get started using 3-D Secure?

There are two elements: the payment gateway and the merchant account. Contact your payment gateway company to see whether it supports 3-D Secure and how to set it up. In most cases this is simply a back-office setup process. Merchants may also need to sign acceptance of pricing. The transaction fees are minimal and are typically more than offset by the 11 to 20 basis point reduction in merchant fees on applicable cards.

Christine Speedy, founder of 3D Merchant Services and PCI Council QIR certified, is a credit card processing expert with specialized expertise in card-not-present and B2B payment processing technology. Less than 1% of all merchant services sales representatives are QIR certified by the PCI Council. Christine is an authorized reseller for Elavon and CenPOS products and services, in addition to other solutions.

2021 Convenience Fee Rules Explained

Credit card convenience fee rules for 2021, explained. Visa’s rules on convenience fees, as outlined in Table 5-5, Convenience Fee Requirements, are unchanged from 2020.

What’s a convenience fee and when can I use it? A convenience fee can only be charged for a bona fide convenience in the form of an alternative payment channel outside the merchant’s customary payment channels, and not solely for the acceptance of a card. If a merchant only accepts credit cards, it is prohibited. For example, if a merchant receives 99% of its payments by check in the mail, ACH, or wire, it could be eligible to charge a convenience fee for card payments.

The following are all elements that can impact whether you can charge a convenience fee:

  • Federal law
  • State law
  • Rules of card acceptance, for example, Visa Core Rules
  • Merchant acquirer (credit card processor)

Who can and cannot charge a convenience fee?

  • A merchant that operates exclusively in a Card-Absent Environment cannot charge a convenience fee.
  • A convenience fee can only be charged by the merchant that provides the goods or services to the cardholder, not by a third party.

Visa convenience fee rules excerpts:

  • Cannot be charged on a Recurring Transaction or an Installment Transaction.
  • Must be listed as a separate line item on the receipt.
  • Must be included in the total transaction amount. In other words, the receipt itemizes the fee, but only one transaction is submitted, not a separate charge for the fee.
  • May be added only to a domestic Unattended Transaction. In other words, the customer self-pays.
  • Must be disclosed to customers as a charge for the convenience of the alternate payment channel.

How much is allowed for a convenience fee?

Per Visa, the convenience fee must be a flat or fixed amount, regardless of the value of the payment due. Visa sets no cap on the amount, and a merchant may choose to generate the convenience fee amount dynamically, provided it does not vary with the payment amount. Regardless, the consumer must be able to opt out before completing the transaction.

See Visa Core Rules Table 5-5: Convenience Fee Requirements for more information. Note, this is a change from the 2018 blog post.

Rules may vary by card brand, but typically, if a merchant complies with Visa rules, it will be compliant with the other brands. Under Visa’s rules a convenience fee is not the same as a credit card surcharge; Visa also defines a third category, the service fee, which applies to government and education merchants only.

Call Christine Speedy, PCI Council QIR certified, for simple solutions to complex payment transaction problems, 954-942-0483, 9-5 ET. CenPOS authorized reseller based out of South Florida and NY. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

Please share your convenience fee insights for others and ask any questions below.

Chinese PAX payment terminal manufacturer raided by FBI in Florida

The PAX Technology warehouse in Jacksonville, Florida was the subject of a search and investigation on October 26, 2021 by the Federal Bureau of Investigation, the Department of Homeland Security, and several other agencies. PAX is a Chinese credit card terminal provider that significantly grew its global reach, including in the US, during the transition to EMV chip terminals.

Brian Krebs, a cybersecurity investigative journalist, reported that a major US payment processor had noticed PAX terminals being used both as a malware “dropper” (a repository for malicious files) and as “command-and-control” locations for staging attacks and collecting information. Something didn’t add up, and PAX didn’t give any good answers.

FBI Statement: “The FBI Jacksonville Division, in partnership with Homeland Security Investigations, Customs and Border Protection, Department of Commerce, and Naval Criminal Investigative Services, and with the support of the Jacksonville Sheriff’s Office, is executing a court-authorized search at this location in furtherance of a federal investigation. We are not aware of any physical threat to the surrounding community related to this search. The investigation remains active and ongoing and no additional information can be confirmed at this time.”

US vendors in the payments ecosystem were quick to respond. Some have already prohibited the sale and installation of PAX terminals.