6 Ways To Increase Omnichannel Payment Security & PCI Compliance

Chip card acceptance has propelled companies to rethink how EMV compliance impacts overall PCI Compliance strategies. According to the Verizon 2015 PCI COMPLIANCE REPORT, 80% of companies fail an interim Payment Card Industry Data Security Standards (PCI-DSS) audit. CenPOS deploys multiple cloud solutions to reduce data security risk, and comply with EMV, while meeting top business priorities like improving customer engagement and the customer experience.

Point-to-Point Encryption (P2PE) – Working with Verifone and Ingenico, CenPOS Enterprise Payments Suite encrypts card data at the point of card swipe or insertion to prevent clear text information from traversing the network thereby protecting data in transit.

Electronic Bill Presentment and Payment (EBPP) – Key entering cardholder data into a computer without the use on an encrypting keypad introduces vulnerabilities that can be exploited by key logging malware.  EBPP allows you to push final invoices to consumer mobile devices via text and email so that they can complete the transaction—eliminating your staff’s need to enter data and reducing vulnerabilities.

Consumer Validation – As chip cards proliferate the United States, counterfeit card fraud rapidly migrates to online channels.  CenPOS Consumer Validation shifts risk to the consumer’s bank, reduces acceptance costs, and increases the approval rate for higher sales.

Chip Card Acceptance (EMV) – The deadline to avoid shifting liability associated with EMV acceptance was October 1, 2015.  Chip card transactions processed using legacy magnetic stripes could result in a chargeback to the merchant with no possibility of reversal.  CenPOS has certified the Verifone MX915 to all processing platforms to protect businesses from the liability shift. CenPOS has been processing chip transactions on multi-lane terminals since January 2015.

Tokenization – Sensitive cardholder data is replaced by a surrogate number, called a token, that eliminates the risk of storing customer information on internal systems.  Subsequent transactions and adjustments can be processed safely using the token to facilitate a transaction.  This service is automatically deployed.  Any attempt to store sensitive cardholder data evokes the tokenization system.

Encrypted Virtual Keypad (EVK) – In some instances, it is desirable to manually enter cardholder information into a system.  The CenPOS EVK uses advanced technology to secure data entry by clicking the numbers on an encrypted screen-based keypad.

encrypted virtual keyboard evk cenpos

The combination of these solutions reduces the risk of data loss along with the financial and brand damage associated with security breaches. Additionally, merchants also benefit from increased efficiency, cash flow and EBITDA.

Contact Christine Speedy for P2PE, EBPP, EMV and Customer Validation options, including integrated solutions,

4 Credit Card Processing Tips for Consultants & Accountants

profits Following several years of regulatory and technology credit card processing changes, 2015 has been another big year of changes. As we close out 2015, what are you advising clients to maximize profits? Every consultant to distributors, especially for building materials, including lumber and millwork, electrical, marble & stone, and plumbing supply, needs to update their merchant services knowledge. These businesses tend to have both a retail and a ‘to the trade’ component, making old solutions potentially outdated, risky, and costly.

  1. EMV liability shift October 2015, shifted liability for counterfeit card, and sometimes lost and stolen card, transaction losses from the issuer to the merchant, if the merchant does not support EMV chip card acceptance. Since businesses never saw this fraud, the financial risk is unknown, but guesses put it in the 1-2% of sales range. The first acquirer (Vantiv) announced penalties effective January 1 if a retail operation does not support EMV chip card transactions. These fees will grow throughout the payment chain in 2016, and be passed down to the merchant. If profit margins are important, EMV compliance is not optional. Between growth in credit card fraud losses and new penalties, distributors need to make the change ASAP.
  2. EMV terminal selection. Retail Distributors fall into two categories: Those who use countertop terminals, and those who use anything else, including mag swipe reader or signature capture terminal. Only the latter are even capable of supporting level 3 data, critical for qualifying for level 3 interchange rates, which makes up more than 95% of credit card processing, or merchant, fees. Yet, the vast majority of recommended EMV solutions are incapable of level 3, and or there is no certification for it. While updating, add NFC for ApplePay and newer payment methods, and P2PE, which encrypts at the terminal head, further mitigating data breach risk.  The best EMV terminal selection for distributors may reduce merchant fees an average of 32% and mitigate data breach risk. Conversely, the wrong choice will directly reduce profit margins. 
  3. PCI Compliance. Internal and external data breaches are a serious growing problem (Lowes and Home Depot both admitted), and best practices are being shared among peers that are ‘risky’ at best. Top areas of concern are paper credit card authorization forms and electronically storing card data (without certified compliant tokenization such as a payment gateway). Both should be eliminated. Online pay pages and other technology solutions have negated the need for employees to ever have access to credit card data, not even for a minute. Has your own company eliminated them?
  4. Quickbooks. For operations that used Intuit Merchant Services because there was no other integrated choice, that’s no longer an issue. Third party integrations empower businesses to use any acquirer. Look for one that supports all payment methods needed (ACH, check, wire, credit card etc). If processing more than $500k annually, fees may drop up to 50%.

CHRISTINE’S RECOMMENDATIONS FOR CLIENT ADVICE TO DISTRIBUTORS:

  • Implement EMV ASAP to avoid penalties and fraud losses.
  • Only implement an EMV solution certified for level 3 processing to maximize profit margins.
  • Get PCI 3.0 Compliant to mitigate risk of financial losses from a data breach- Replace all practices that include credit card access by any employee, even for a minute, with a technology solution.
  • Replace Intuit Merchant Services to maximize profit margins.

Note: this advice is applicable to any business that has a customer base which includes some business to business and retail, even if retail is a small part of the overall payment types accepted.

3 Private Duty Home Health Care Provider PCI Compliance Mistakes

As a business owner, PCI Compliance, or payment card industry data security standards, should be a priority, but too often owners are given poor advice or simply haven’t found a way to fix the problem of collecting and storing credit card data. Here’s 3 major mistakes and how to fix them.

credit card authorization form healthcare

MISTAKE 1: PATIENT CARE MANAGEMENT AGREEMENT & INTAKE PAYMENT FORM- PAPER

Most companies have an intake form with terms and conditions for payment, which includes fields for credit card authorization with full card data.

Employers entrust home health care provider staff and contractors with people’s lives, so surely they can be trusted with credit card information too, right? Not necessarily. Whether intential or by mistake, there are many ways the data can be compromised, and as an owner, the penalties in the event of a breach leading to identity theft could be crippling.

  • What if the forms are left in a car  (lunch breaks, forgot to bring them in house overnight etc) , and they’re stolen?
  • How are forms returned to the home office for processing? Are those methods secured every step of the way?
  • The form needs to be cross-cut shred. If the right shredder isn’t provided for home offices, how can one be sure the employee invested in one?
  • Merchants can never store the CVV or security code. If the form is needed for any purpose, can the sensitive payment data be cut off and shred without compromising the purpose of the document?

MISTAKE 2:  RECURRING BILLING PROCEDURES

 There’s a variety of excuses why the paper form is needed to be kept on file so the card can be charged for each billing period, but all of them are baseless if the provider does their homework for alternative solutions.

  • Stored paper forms present significant risk. Cleaning staff, vendors and trusted employees all have potential access to the data. A top reason cited for data breaches is, “it was easy”, and this tops them all.
  • Businesses with up to 100 employees are at extremely high risk for identity theft.

Additionally, it’s just plain inefficient to manage billing by key entering the same card data over and over again.

MISTAKE 3:  ENTERING DATA INTO COMPUTER SOFTWARE

Gathering the data digitally has the potential to be an excellent solution to paper methods.

  • Do not allow payment data to be entered into a spreadsheet or other non-secured form.
  • Is the payment application part of the private duty software, such that the software is in scope for PCI Compliance? Does the software need to be updated? Is the full card information ever available to users? The architecture of the solution strongly influences security. (Recall Target & Neiman Marcus data breaches).
  • Entering the card data directly into a cloud payment solution that is segregated from the business application software provides the optimal security. (Users should still follow all other PCI procedures.

3 METHODS TO IMPROVE PCI COMPLIANCE WITH FIELD PERSONNEL:

  1. Encrypt data at the point of acceptance either with a secure swipe device or key entered.
  2. Directly enter payment data into a secure payment processing platform.
  3. Use tokenization. Tokenization replaces sensitive PAN (Primary Account Number) data with a unique identifier known as a token, which is useless to anyone who may intercept it.

How can the provider get a written authorization on paper, that is safe for the customer and safe for the provider? Contact us for a FREE Credit Card & ACH Authorization form make- over, that can be used in combination with safe, secure, PCI Compliant technology.

Visa merchant security alert

This is information just received from Visa. You can join their email list too.

Visa is committed to helping merchants better understand how they can best protect their businesses and customers. As part of this commitment, Visa regularly posts data security alerts on www.visa.com/cisp. These alerts focus primarily on common security vulnerabilities, attack methods, and emerging risks identified in the payment system. Keep your organization informed by accessing alerts, bulletins, and webinars by subscribing to RSS Feeds at www.visa.com/cisp.

Visa also sent a bulletin about the Retail Merchants Targeted by Memory-Parsing Malware – UPDATE.  While not specified, this relates to the Target, Michaels, Neiman Marcus data breaches you may have read about.

As per my prior email to 3D Merchant news subscribers, CenPOS merchants will not be affected by the particular malware mentioned above.

 

 

Target credit card data breach: Facts, Resources and Risk Mitigation

The Target data breach, discovered December 15, impacts all credit and debit card transactions in the USA between Nov. 27 and Dec. 15. This article explores what happened, why it happened, what merchants can learn from the incident, and links to top stories.

THE DATA BREACH INCIDENT:
On December 15, 2013, Target discovered malware on their USA point of sale (POS) system and disabled the malware code. The impact is over 40 million cards. Notably, the breach impacted in store only.

From Business Insider,  “As shoppers swiped or punched in their numbers on the checkout keypad, the hackers copied every single number.” Read More: The Incredibly Clever Way Thieves Stole 40 Million Credit Cards From 2,000 Target Stores In A ‘Black Friday’ Sting

Stolen was the track data from the magnetic stripe, and equivalent data from chip cards. According to Target: The CVV data which is encoded on the magnetic stripe was stolen. The CVV2,  the three or four digit value that is printed on the back or front of the card, was not. CVV2 data is never on magnetic strips for security so it would have to have been manually entered to be stolen. (From Target…”No indication that CVV2 data was compromised.”)

Also stolen were 4 digit encrypted pin debit codes. This data is encrypted on the POS device and is simply passed through to the processor in the encrypted state. From Target, “The PIN information was fully encrypted at the keypad, remained encrypted within our system, and remained encrypted when it was removed from our systems.”

Summary: thieves have enough information to clone credit cards for retail sales

DAMAGES

The data quickly reached the black market with nefarious buyers taking advantage.

HOW COULD THE TARGET DATA BREACH HAPPEN?

In my opinion, and others, it’s likely related to system architecture. The thieves were able to get full track data needed to clone cards and increasing risk of the data being used. Target uses a custom POS application which requires Payment Application Data Security Standards (PA-DSS) in addition to Payment Card Industry Data Security Standards (PCI DSS) Compliance.

From Security: Dark Reading, Target Breach Should Spur POS Security, PCI 3.0 Awareness: Lyne says he believes the Target breach points to poor architectural and business practices. “It is critical that organizations handling such data take steps to protect it — such large volumes of data should never be accessible by one user or process — and should be encrypted to segment the data and should be detected if an export of such size occurs,” Lyne says.

An alternative workflow encrypts data at the point of sale by a payment gateway, which then delivers to the payment processor. This segregates point of sale data from payment data, reducing the scope for PCI compliance, and removing the POS application from scope for PA DSS. The payment application sends non-sensitive information, such as authorization code, back to the POS.

One way to spot potentially vulnerable systems as a consumer is whether or not the POS shows the item name and amount on the signature capture pad. This is an indication that the POS may be driving the payment application. When payment and POS are segregated, the signature capture pad shows only payment information.

PAYMENT GATEWAYS

Solutions fall into two categories: processor gateways and third party gateways. Merchants may be reluctant to integrate a processor gateway because it locks them into a specific vendor and can be very disruptive to operations to make a change in the future. Third party gateways provide increased flexibility, but also add extra cost to each transaction.  Factors included in choosing a solution include: single vs multi-store, USA or international, payment types, consumer or business to business, future purchase methods – need to store credit card information for recurring billing, multi-channel, and others.

THE IMPACT OF EMVemv chip card smart cardTarget was an early adopter of EMV, (Europay, MasterCard & Visa),  an open-standard set of specifications for smart card payments and acceptance devices. Credit and debit cards contain a small computer chip; This makes it harder to steal data on the point of sale device and to clone cards.

EMV  vs magnetic strip cards:  Traditional magnetic stripes contain “static” data consisting of the Primary Account Number, expiration date and other information; the same information is passed to the card issuer for every transaction. This makes it easy to clone cards.

EMV uses dynamic authentication.  In EMV transactions using dynamic authentication, the data changes with every transaction, thus any captured information is effectively useless to thieves. The chip is nearly impossible to counterfeit.

In the US, with low EMV merchant acceptance capabilities, cards may be issued with both magnetic stripe and chip. This means that thieves can still clone cards that contained a chip if the consumer uses the magnetic stripe in the transaction.

THIEVES AT WORK: HOW MERCHANTS CAN MITIGATE RISK

Without CVV2 data, using the card data for online transactions is unlikely because most ecommerce merchants verify that data. Retailers will be most at risk for cloned cards.

5 tips to prevent losses linked to cloned cards from Target or any other data breach:

  1. By card association rules, merchants can ask for identification, but they cannot deny a transaction if the cardholder will not provide it.
  2. Checking the zip code at the POS, where allowed by state law. *  The average thief doesn’t have this information and wouldn’t take the time to memorize it anyway. An intelligent system will decline the transaction if the zip code doesn’t match.  This may be inconvenient, especially in a fast paced environment. Some solutions allow merchants to validate the zip code only if over a certain dollar amount, reducing checkout burden while increasing risk management.
  3. Train cashiers to look at the cards for proper holograms and logos.
  4. Train cashiers to verify signatures.
  5. Require cashier to verify the last 4 digits at the POS.*  With cloned cards, the front of the card often does not match the magnetic stripe data. This is a highly successful fraud prevention tool to implement with minimal effort.

* Contact your processor to turn the zip code or last 4 digits flag on, or modify the payment gateway settings, whichever is appropriate.

TARGET DATA BREACH TRENDING STORIES AND LINKS

Kreb’s on Security:  Who’s Selling Credit Cards from Target? http://krebsonsecurity.com/2013/12/whos-selling-credit-cards-from-target/

Wall Street Journal: Target’s Data-Breach Timeline 

http://www.abullseyeview.com/ Target’s web site for an inside view. Includes http://www.abullseyeview.com/2013/12/target-data-breach-5-things-you-need-to-know/

https://corporate.target.com/about/shopping-experience/payment-card-issue-faq Target’s corporate web site. Everything consumers need to know. (Author note: Target advises monitoring for fraud.  I advised my daughter to request an immediate debit card replacement.