In this first article of a series we explore insider theft, related to data breaches,  based on key elements of the Verizon 2011 data breach report.  The number of 2010 data breaches exploded in companies with 11 to 100 employees. A key commonality is simply the opportunity was there.

The 2011 Data Breach Investigations Report (DBIR) is a study conducted by the Verizon RISK team in cooperation with the U.S. Secret Service and the Dutch High Tech Crime Unit.

Who is behind the data breaches?

• 92% external agents
• 17% implicated insiders
• < 1% business partners
• 9% involved multiple parties

How do breaches occur? ?

• 50% involved some sort of hacking
• 49% incorporated malware
• 29% physical attacks
• 17% from privilege misuse
• 11% employe social tactics

What commonalities exist?

• 83% were victims of opportunity
• 92% were not difficult
• 76% of all data was compromised from servers
• 86% discovered by a third party
• 96% were avoidable through simple or intermediate controls
• 89% of victims subject to PCI-DSS had not achieved compliance

End of excerpt. Continue reading for blog author comments.

A healthcare company stores credit card data on servers, unencrpyted. Their excuse? It’s not connected to the actual credit card processing and access is restricted so it’s not a PCI Compliance problem.  See related article Shocking lack of payment processing security in healthcare industry. No data breach yet, but statistically, the company is at great financial risk, including up to  $1.5 million fine for violating the HITECH ACT.

Employees at a car dealer tape passwords next to their computer and in the first unlocked drawer of their desk. Their excuse?  It’s too hard to remember the password and they don’t acknowledge it’s a security issue.

Employees at a retail rental shop have a file folder in plain view of anyone entering the shop containing copies of drivers licenses and the front and back of credit cards. Their excuse? They didn’t know they couldn’t do it and didn’t know of an alternative method that would meet their needs to bill customers if they never returned with the goods.

Think these are exceptions? Businesses everywhere have these problems in some fashion. As each of these examples illustrate,  employee training is essential. Industry wide, merchants are completing  PCI Compliance Security Standards data worksheets. At that point in time, the merchant can be certified PCI Compliant. But without internal enforcement and training, the merchant is generally not compliant when a data breach occurs and thus is fully liable for all the associated fines, fees and damages.

In conclusion, the establishment of training procedures and distribution of data security expectations to employees is essential. Most employees are honest, right? But when companies have lax security policies, it presents an OPPORTUNITY for good employees to break the law.

Here’s three things you can do to mitigate internal employee risk:

1. Create a data security training checklist for all employees handling sensitive data. Update the training and content quarterly or at least once per year. The employee cannot accept credit cards or any sensitive data until they’ve completed training, plus sign and date the checklist.
2. Make data security a formal part of employee performance reviews. Require annual checklist review and signature at the time of performance reviews.
3. Implement a reward system for identifying vulnerabilities of real life practices- whether people, software, or hardware.

Bonus: Implement a hosted payment processing solution with extensive tools to prevent internal fraud. Call for information.

There’s room for improvement in medical billing for card not present transactions. The lack of security in the healthcare industry with respect to payment processing is evident in nearly every business I’ve interviewed in the last two years. With all the effort put into HIPAA, you’d think they’d be more likely to be PCI Compliant than other industries, but in my experience talking to and interacting with healthcare  companies, I think 50% PCI DSS  (Payment Card Industry Data Security Standards) Compliance would be extremely optimistic.

So what’s got my gander up today? A widespread lack of security by healthcare suppliers with my HSA debit card data. Before giving out my credit card information, I always ask what they are going to do with it.  As a cardholder, I have a right to know. Like many Americans, I have an HSA account and funds for payments are accessible only via a debit card. That means any misuse could wipe out the account.  Under Visa’s Zero Liability policy  consumers are not held responsible for fraudulent charges made with the card or account information, but identity theft is another matter the consumer is left to deal with.

I talked to three different personnel for the story that follows. The last one said the first two didn’t entirely follow normal protocol, which does nothing to spare them from the liabilities associated with identity theft.

This article is about a medical industry merchant storing credit card data in a database and the misunderstanding of potential  liability exposure as a result. Storing card data even for 24 hours poses a huge risk both financially and criminally. In this article we’ll review their processes and solutions to mitigate risk.

First, let’s review the payments process.  Consumers receive invoices in the mail. They can mail a check or pay by Visa or MasterCard by returning a form, or call on the phone. The merchant then uses a multi-step process to collect the information and process it.

PAY INVOICE BY MAIL

This invoice format is quite common for medical billing.

RISK: Merchant collects the CVV code, listed as signature code above, and bills are sent to a their corporate office. Collecting and storing CVV codes is always a bad idea. The mail could be stolen by internal employees familiar with the billing process. Someone could copy or even quickly photo each billing form. It’s doubtful they could prove PCI Compliance and would likely have no safe harbor in the event of a data breach.

SOLUTION: Remove the security code from the form. Have all bills sent to a lockbox. Reduce mail payments by enabling customers to pay their bills online.

PAY INVOICE BY PHONE

The first person to take my payment was covering for someone who was on vacation or otherwise out of the office.

• She took down my invoice number and credit card information on a piece of paper. She entered something into their billing system so there was  a record of my call and payment.
• The paper went into an “in box”. It was Friday.
• The person emptying the “in box” and posting payments would be in Monday to complete the transaction.
• Monday the posting person key entered the transaction into a desktop terminal.
• Tuesday, presumably,  paper was shredded. The paper is held for a day to ensure the payment went through properly so the customer does not need to be called.

RISK:  The paper with full card data was exposed for up to 5 days. Was the ‘in box’ emptied and put in a locked drawer when not being worked on, including breaks? Do cleaning personnel have access to the facility on evenings and weekends?

SOLUTION: Enter the card information directly into our smart virtual terminal. Some flexible options include:

• Entering the card and customer data and instantly charging the account. In this case, you can enter the CVV for extra fraud protection.
• Creating a customer and entering the card information for later billing. Using a process called tokenization, the card data is stored encrypted on PCI Compliant servers, never at the merchant location.  CVV is NEVER stored, not even encrypted, since it’s against card association rules.
• Entering the card and customer information and obtaining an authorization only, for other personnel to charge later.

The seccond person to take my payment on a future date was the actual representative for my account.

• She entered information in the billing system so there was  a record of my call and payment.
• My card data, including CVV,  was entered into a ‘notes’ section of the billing database.
• The customer service representative has no access to see the card data after it is entered.
• An accounting person retrieves the card data for payment in bulk with others within 1 business day.
• The posting person key enters the transaction into a dial-up desktop terminal.
• The next business day, presumably,  the computer notes are deleted.

RISK:  Full card data is exposed on a computer network. It doesn’t matter that access is restricted to certain personnel. This data storage is certainly a violation of FACTA and PCI Compliance standards, and probably HIPAA too. The merchant is open to both criminal and financial penalties in the event of a data breach. Additionally, the merchant would need to securely wipe or destroy every associated hard drive removed from service in the future to eliminate data theft potential.

SOLUTION: Enter the card information directly into our smart virtual terminal, same as above.

What are the financial risks with this data exposure?

• Replacement cost per card compromised, $25.
• Mandatory consumer credit report service for one year, $12/mth per card holder.
• Reimburse all claims from card associations.
• Fines from FACTA, HIPAA, and PCI Compliance violations
• Your business could come to a screeching halt while a forensics team investigates.
• Bad PR could result in loss of business.

What are the criminal risks associated with card data exposure? Felony.

FINAL NOTES: There is some use of an online gateway within the organization, but those details are unknown. I spoke to staff that believes since the payment processing is via a dial up terminal and is not connected to the card data in the database, that there is no risk. That is completely untrue. The company would not only save time by reducing steps, but would tremendously reduce risk by key entering card data directly into a virtual terminal. Moreover, an intelligent VT would provide a boatload of other benefits.

Ignorance is not an excuse. PCI Compliance standards were established nearly a decade ago. A critical first step to compliance and mitigating risk is a solution that supports all your payment processing needs. We offer that solution.

See also related article, How to reduce time and money for outpatient procedure billing.

On a side note, based on the invoice billing form, the merchant is not accepting American Express cards, probably because they don’t want to pay the high fees associated with Amex. If managing costs to improve EBITDA is important, our hosted payment processing platform with intelligent switch is critical.

Cyber Criminals Shifting to Smaller, More Opportunistic Attacks; External Attacks, Especially Hacking, on Rise

April 19, 2011

NEW YORK – Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the “Verizon 2011 Data Breach Investigations Report.” These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices.

The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report’s launch in 2008. Yet this year’s report covers approximately 760 data breaches, the largest caseload to date.

According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action.

The report also found that outsiders are responsible for 92 percent of breaches, a significant increase from the 2010 findings. Although the percentage of insider attacks decreased significantly over the previous year (16 percent versus 49 percent), this is largely due to the huge increase in smaller external attacks. As a result, the total number of insider attacks actually remained relatively constant.

Hacking (50 percent) and malware (49 percent) were the most prominent types of attack, with many of those attacks involving weak or stolen credentials and passwords. For the first time, physical attacks — such as compromising ATMs –appeared as one of the three most common ways to steal information, and constituted 29 percent of all cases investigated.

For the second year in a row, the U.S. Secret Service collaborated with Verizon in preparing the report. In addition, the National High Tech Crime Unit of the Netherlands Policy Agency (KLPD) joined the team this year, allowing Verizon to provide more insight into cases originating in Europe. Approximately one-third of Verizon’s cases originated in either Europe or the Asia-Pacific region, reflecting the global nature of data breaches.

“Through our Data Breach Investigations Report series, Verizon continues to provide the industry with a first-hand look at cybercrime around the globe,” said Peter Tippett, Verizon’s vice president of security and industry solutions. “This year, we witnessed highly automated and prolific external attacks, low and slow attacks, intricate internal fraud rings, countrywide device-tampering schemes, cunning social engineering plots and more. And yet, at the end of day, we found once again that the vast majority of breaches can be avoided without extremely difficult, expensive security measures.”

Tippett added: “It is important to remember that data breaches can happen to any business — regardless of size or industry — or consumer, at any place in the world. A good offense remains the best defense. It is imperative to implement essential security measures broadly throughout your security infrastructure, whether that is a small home setup or an expansive enterprise infrastructure.”

U.S. Secret Service Assistant Director A.T. Smith said, “Americans over the past several years have seen the significant impacts data breaches are having on our nation’s financial infrastructure. Today cyber criminals are operating in nearly every civilized nation in the world, exposing Americans’ personal information, either stored or transmitted, to substantial risk.”

Smith added, “By participating in the Verizon 2011 Data Breach Investigations Report, the Secret Service is working closely with our private-sector partners to educate Americans about the threats of cyber criminals. With the help of our Electronic Crimes Task Force partners, such as Verizon, we are studying technologies and trends to prevent and mitigate attacks against critical financial infrastructure.”

The Data Breach Investigation Report (DBIR) series now spans seven years and more than 1,700 breaches involving more than 900 million compromised records, making it the most comprehensive study of its kind.

(NOTE: Additional resources supporting the 2011 Data Breach Investigations Report are available, including high-resolution charts and an audio podcast. B-roll available upon request.)

Key Findings of the 2011 Report

Data from the 2011 report shows that:

• Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
• Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
• Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
• Hacking and malware is the most popular attack method. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and keylogger functionalities.
• Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.

Recommendations for Enterprises

The 2011 report found again that the prescription for data breaches is to use simple, essential security practices such as:

• Focus on essential controls. Many enterprises make the mistake of pursuing exceptionally high security in certain areas while almost completely neglecting others. Businesses are much better protected if they implement essential controls across the entire organization without exception.
• Eliminate unnecessary data. If you do not need it, do not keep it. For data that must be kept, identify, monitor and securely store it.
• Secure remote access services. Restrict these services to specific IP addresses and networks, minimizing public access to them. Also, ensure that your enterprise is limiting access to sensitive information within the network.
• Audit user accounts and monitor users with privileged identity. The best approach is to trust users but monitor them through pre-employment screening, limiting user privileges and using separation of duties. Managers should provide direction, as well as supervise employees to ensure they are following security policies and procedures.
• Monitor and mine event logs. Focus on the obvious issues that logs pick up, not the minutia. Reducing the compromise-to-discovery timeframe from weeks and months to days can pay huge dividends.
• Be aware of physical security assets. Pay close attention to payment card input devices, such as ATMs and gas pumps, for tampering and manipulation.

A complete copy of the “Data Breach Investigations Report” is available for download.

About Verizon
Verizon Communications Inc. (NYSE, NASDAQ:VZ), headquartered in New York, is a global leader in delivering broadband and other wireless and wireline communications services to mass market, business, government and wholesale customers. Verizon Wireless operates America’s most reliable wireless network, serving 94.1 million customers nationwide. Verizon also provides converged communications, information and entertainment services over America’s most advanced fiber-optic network, and delivers innovative, seamless business solutions to customers around the world. A Dow 30 company, Verizon employs a diverse workforce of more than 194,000 and last year generated consolidated revenues of $106.6 billion. For more information, visit www.verizon.com.

At Holy Cross Hospital, technicians discovered that Emergency room employee Natashi Orr, 36, had printed basic computerized forms in patient files containing name, address, birth date, diagnosis and other details, officials said. Raushanah Bowleg, 33, Opa-locka, did the same on his job at an Aventura physician office.

At another hospital, the intake process requires all data be entered in the computer directly, and an electronic signature is captured. Yet to accept payment, the cashier walks to another area, out of view from the consumer, and next to a copier.  During this time the card could have been skimmed for the magnetic data or a copy made of the card, both posing considerable risk of identity theft.

While the latter situation has not resulted in a data compromise to my knowledge, the situation is equally dangerous.

3D Merchant Services has a payment processing solution with enhanced features created specifically for hospitals and medical billing companies. Here are a few highlights:

- User level security. Modify, add, and delete users and their permission levels for processing payments for phone/mail and in person. Combined with alerts and other features, prevent internal and external fraud.
- Tokenization. Would you like to re-bill a customer on their initial payment method? Set up recurring billing? Without storing their credit card data? Create a secure token to enable repeat billing. Even if stolen, the tokens are worthless.
- Least cost routing – Attach a signature capture terminal to your PC’s and eliminate human errors that create costly interchange (95% of your payment processing cost) downgrades, plus dynamically determines least cost method to process.

- Reporting. The number one reason CFO’s cite as the reason for implementing immediately. From downloadable financial data to dynamically created graphic reports that quickly show risk mitigation and treasury reports by organization or location, solution delivers what you want, when you want it.
There is no other technology on the market positively impacting compliance, costs, and fraud like this, which is why 98% of organizations that see a demo implement it.

Our solution can be integrated with traditional medical billing and intake systems. The technology platform sits in front of the existing processor.

See also related articles  virtual terminal for medical billing solutions providers and Red Flags Rule for Identity Theft Prevention Programs.

Merchants must scan computer systems at various intervals for Payment Card Industry Data Security Standard (PCI DSS), depending on their merchant type and other criteria.

Read our merchant data security sticky web page for further information and links.

PCI Security Standards Council maintains a list of certified scanning companies

Below is a select list of those I’ve had the most positive interaction with over the years.

Comodo CA Ltd
www.comodo.com HackerGuardian PCI Scanning Service

ControlScan
www.controlscan.com PCI 1-2-3

Digital Resources Group
www.drgsf.com DRG SecureScan

McAfee Inc.  McAfee Secure, formerly Hacker Safe (I knew Hacker Safe very well, but have had little experience with McAfee Secure)
www.mcafee.com

Qualys
www.qualys.com QualysGuard

This list does not infer the other companies would be less acceptable to work with, only that I’ve personally not dealt with the company or simply not had enough interaction to remember them. To protect your company from credit card processing fraud and the costly repercussions of it, all companies should have completed a PCI Compliance Certification whether you have standalone terminals or are connected to computers.

Expanded Study Finds More Insider Threats, Greater Use of Social Engineering, Continued Strong Organized Criminal Involvement

BASKING RIDGE, N.J. – July 28, 2010 –

The 2010 Verizon Data Breach Investigations Report, based on a first-of-its kind collaboration with the U.S. Secret Service, has found that breaches of electronic records last year involved more insider threats, greater use of social engineering and the continued strong involvement of organized criminal groups.

The study, released Wednesday (July 28), also noted that the overall number of breaches investigated last year declined from the total for the previous year – “a promising” indication, the study said.

The report cited stolen credentials as the most common way of gaining unauthorized access into organizations in 2009, pointing once again to the importance of strong security practices both for individuals and organizations.  Organized criminal groups were responsible for 85 percent of all stolen data last year, the report said.

Verizon Business investigative experts found, as they did in the company’s prior data breach reports, that most breaches were considered avoidable if security basics had been followed.  Only 4 percent of breaches assessed required difficult and expensive protective measures.

The 2010 report concluded that being prepared remains the best defense against security breaches. For the most part, organizations still remain sluggish in detecting and responding to incidents. Most breaches (60 percent) continue to be discovered by external parties and then only after a considerable amount of time.  And while most victimized organizations have evidence of a breach in their security logs, they often overlook them due to a lack of staff, tools or processes.

The collaboration with the Secret Service, announced in May, enabled this year’s Data Breach Investigations Report to provide an expanded view of data breaches over the last six years. With the addition of Verizon’s 2009 caseload and data contributed by the Secret Service – which investigates financial crimes – the report covers 900-plus breaches involving more than 900 million compromised records.

“This year we were able to significantly widen our window into the dynamic world of data breaches, granting us an even broader and deeper perspective,” said Peter Tippett, Verizon Business vice president of technology and enterprise innovation.   “By including information from the Secret Service caseload, we are expanding both our understanding of cybercrime and our ability to stop breaches.”

Michael Merritt, Secret Service assistant director for investigations, said: “The Secret Service believes that building trusted partnerships between all levels of law enforcement, the private sector and academia has been a proven and successful model for facing the challenges of securing cyberspace.  It is through our collaborative approach with established partnerships that the Secret Service is able to help expand the collective understanding of breaches and continue to augment our advanced detection and prevention efforts.”

(NOTE: Additional resources supporting the 2010 data breach report are available, including an audio podcast, video podcast and high-resolution charts and graphs.)

Key Findings of the 2010 Report

This year’s key findings both reinforce prior conclusions and offer new insights. These include:

• Most data breaches investigated were caused by external sources. Sixty-nine percent of breaches resulted from these sources, while only 11 percent were linked to business partners.  Forty-nine percent were caused by insiders, which is an increase over previous report findings, primarily due in part to an expanded dataset and the types of cases studied by the Secret Service.
• Many breaches involved privilege misuse. Forty-eight percent of breaches were attributed to users who, for malicious purposes, abused their right to access corporate information.  An additional 40 percent of breaches were the result of hacking, while 28 percent were due to social tactics and 14 percent to physical attacks.
• Commonalities continue across breaches. As in previous years, nearly all data was breached from servers and online applications. Eight-five percent of the breaches were not considered highly difficult, and 87 percent of victims had evidence of the breach in their log files, yet missed it.
• Meeting PCI-DSS compliance still critically important. Seventy-nine percent of victims subject to the PCI-DSS standard hadn’t achieved compliance prior to the breach.

The State of Cybercrime: 2010

The report said the decline in the overall number of data breaches may be due to a number of factors, including “law enforcement’s effectiveness in capturing criminals.”  The report cited the arrest of Albert Gonzalez, one of the world’s most notorious computer hackers, who pleaded guilty to helping run a global ring that stole hundreds of millions of payment card numbers and who was sentenced last year to 20 years in prison.

“The reduction in breaches is a positive sign that we are gaining some ground in the fight against cybercrime,” said Tippett.  “As we are able to share more information through the use of the VERIS security research framework to gather comparative security data such as the caseload of the Secret Service, we believe we will be even better equipped to arm organizations with best practices, processes, tools and services that will continue to make a difference.”

Data breaches continue to occur within all types of organizations. Financial services, hospitality and retail still comprise the “Big Three” of industries affected (33 percent, 23 percent and 15 percent, respectively) in the merged Verizon-Secret Service dataset, though tech services edged out retail in Verizon’s caseload.  A growing percentage of cases and an astounding 94 percent of all compromised records in 2009 were attributable to financial services.

More than half of the breaches investigated by Verizon in 2009 occurred outside the U.S., while the bulk of the breaches investigated by the Secret Service occurred in the U.S.  The report finds no correlation between an organization’s size and its chances of suffering a data breach.

“Thieves are more likely to select targets based on the perceived value of the data and cost of attack than victim characteristics such as size,” Verizon researchers noted.

Recommendations for Enterprises

The 2010 study once again shows that simple actions, when done diligently and continually, can reap big benefits. These actions include:

• Restrict and monitor privileged users. The data from the Secret Service showed that there were more insider breaches than ever before. Insiders, especially highly privileged ones, can be difficult to control. The best strategies are to trust but verify by using pre-employment screening; limit user privileges; and employ separation of duties. Privileged use should be logged and messages detailing activity generated to management.
• Watch for ‘Minor’ Policy Violations. The study finds a correlation between seemingly minor policy violations and more serious abuse. This suggests that organizations should be wary of and adequately respond to all violations of an organization’s policies.  Based on case data, the presence of illegal content on user systems or other inappropriate behavior is a reasonable indicator of a future breach. Actively searching for such indicators may prove even more effective.
• Implement Measures to Thwart Stolen Credentials. Keeping credential-capturing malware off systems is priority No. 1. Consider two-factor authentication where appropriate. If possible, implement time-of-use rules, IP blacklisting and restricting administrative connections.
• Monitor and Filter  Outbound Traffic. At some point during the sequence of events in many breaches, something (data, communications, connections) goes out externally via an organization’s network that, if prevented, could break the chain and stop the breach. By monitoring, understanding and controlling outbound traffic, an organization can greatly increase its chances of mitigating malicious activity.
• Change Your Approach to Event Monitoring and Log Analysis. Almost all victims have evidence of the breach in their logs. It doesn’t take much to figure out that something is amiss and make needed changes.  Organizations should make time to review more thoroughly batch-processed data and analysis of logs. Make sure there are enough people, adequate tools and sufficient processes in place to recognize and respond to anomalies.
• Share Incident Information. An organization’s ability to fully protect itself is based on the information available to do so.  Verizon believes the availability and sharing of information are crucial in the fight against cybercrime.  We commend all those organizations that take part in this effort, through such data-sharing programs as the Verizon VERIS Framework.A complete copy of the “2010 Data Breach Investigations Report” is available at http://www.verizonbusiness.com/go/2010databreachreport/.

About the United States Secret Service
Well known for protecting the nation’s leaders, the U.S. Secret Service also is responsible for protecting America’s financial infrastructure.  The Secret Service has taken a lead role in mitigating the threat of financial crimes since the agency’s inception in 1865.  As technology has evolved, the scope of the U.S. Secret Service’s mission has expanded from its original counterfeit currency investigations to also include emerging financial crimes.   As a component agency within the U.S. Department of Homeland Security, the U.S. Secret Service has established successful partnerships in both the law enforcement and business communities – across the country and around the world – in order to effectively combat financial crimes.

About Verizon Business
Verizon Business, a unit of Verizon Communications (NYSE, NASDAQ: VZ), is a global leader in communications and IT solutions. We combine professional expertise with one of the world’s most connected IP networks to deliver award-winning communications, IT, information security and network solutions.  We securely connect today’s extended enterprises of widespread and mobile customers, partners, suppliers and employees – enabling them to increase productivity and efficiency and help preserve the environment.  Many of the world’s largest businesses and governments – including 96 percent of the Fortune 1000 and thousands of government agencies and educational institutions – rely on our professional and managed services and network technologies to accelerate their business. Find out more at www.verizonbusiness.com.

To clarify the 2010 Debit Pin Entry Device standard merchants are expected to comply with by July 2010, not all merchants will need to change their pinpads. If you deployed a POS PED by December 31, 2007 AND it was on the 2004-2007 Visa PCI lab approved list, you have until December 31, 2014 to replace it.

If you do not meet that requirement, then you’ll need to replace your PED by July 1, 2010 with a unit that meets the new Triple Data Encryption Standard (TDES) standard. Look carefully. There are companies that will sell you units that do not comply with the new standard.

POS- Point Of Sale

PED – Pin Entry Device

POS PED- a device in a merchant location where the customer is present at the time of the transaction.

Pinpad – pin pad- another name for PED

Triple DES- Triple Data Encryption Standard

3DES – same as above

OVERVIEW OF THE 2010 PCI COMPLIANCE RULE FOR DEBIT PIN ENTRY DEVICES:

The new standard is to improve the security of customer debit cards. The technology has been widely implemented over a number of years in ATM’s and such, and merchant pinpads are the last piece to complete.

DEADLINES:

July 1, 2010 If your unit was deployed after 12/31/2007 and it does not have Triple DES encryption, then you need to replace it. Any unit deployed prior to 2004 needs to be replaced.

12/31/2014 If you deployed a POS PED by December 31, 2007 AND  it was on the 2004-2007 Visa PCI lab approved list, then you must replace with a PCI SSC POS PED by this date.

When you deployed your PED is a matter of record with your current service provider. Where is a copy of the 2004-2007 Visa PCI lab approved list? https://partnernetwork.visa.com/vpn/global/category.do?userRegion=1&categoryId=19&documentId=33

HOW DO I VERIFY IF I HAVE A PCI COMPLIANT PED?

The PCI Data Security Standards Council has an updated list for all merchant providers. List of PCI compliant PEDs

WHICH NEW PIN ENTRY DEVICE DO YOU RECOMMEND?

First, make sure the unit has Triple Data Encryption Standard (TDES) certification. Just because someone is selling it, doesn’t mean it’s TDES. The PED must be matched to your terminal and the merchant services provider. You can’t just pick any unit and attach it. A hugely popular unit is the

First Data FD-10 debit pin pad

because First Data is one of the largest payment processors in the country. Many merchant providers utilize the First Data system, therefore can use the unit. Additionally, it works with many different desktop terminals.

If you need to upgrade, now is the time to look at your entire system. Do you need a PED or would you be better off with a signature capture terminal that has an integrated PED? You can get a wireless, desktop or, or even a device that connects to a host based system like CenPOS that provides incredible benefits for organizations processing $1 million per month and up.  Take a look at the Ingenico i6580, a top of the line unit.

ingenico i6580 i6550

In summary, I like units that have in integrated Debit PED over a separate device that attaches. Oh, and this is another area that you have to be very careful reading product description text. Some product technical descriptions say they accept debit cards but they are not referring to accepting pin debit transactions! As if merchants don’t have enough to get confused about.

All debit PED’s must be encrypted. This is done via a process called an injection. There are a limited number of facilities in the USA that can perform the injection. That means you should not wait until the last minute because a lot of other people will.

3D Merchant Services is an authorized reseller for current equipment ONLY for major brands including Verifone, Hypercom, and Ingenico. We also offer Nurit, Way and other brands. Because of our high volume, we have wholesale prices compared to others. We’re independent- you can use our credit card processing or not. We don’t give free equipment- you’ll get a better deal on your processing and your equipment if you keep the transactions separate. Equipment is never really free.

Related article:

Which Verifone pin entry devices are pci compliant?

Non-receipt of PCI Validation fee for $19.95 showing up on your merchant statements? This is normally from failure to complete your required PCI Compliance paperwork at SecurityMetrics.com. What paperwork? If you’re one of my customers, below is what was sent in the mail from Security Metrics.

PCI compliance validation FAQ (PDF)
Security Metrics Enrollment (PDF)
Payment Processor Letter Security Metrics Overview (PDF)

DISCLAIMER:  Your documents and fees may vary. Newer documents may have been published since these. Please contact your processor for specific information about your PCI Compliance statement fees.

This subject was highlighted in the January 3D Merchant newsletter. First Data created a mandatory PCI Compliance Assistance Service Program in 2009. Since so many merchant processors have First Data relationships, the reach is huge. Security Metrics administers the program, which has a mandatory annual fee and compliance certification requirement. Merchants MUST return the PCI Compliance Validation form in a timely manner. If you do not return the form, or are not PCI Compliant, you’ll be charged $19.95/month. All fees are deducted from your merchant account. I’ve already seen this fee appear on a Sun Trust merchant statement from a non-customer as a non-receipt of PCI Validation so please turn in your paperwork per the instructions.

A few merchants I’ve spoken to said they didn’t receive the letter from Security Metrics  but they are getting billed. Unfortunately, this is basically a blind program. We don’t know when letters are sent, and don’t know there is a problem until the non-compliance fee shows up. Merchants should read the ALERT messages that appear on their statements. There is information about upcoming fee changes, and other critical messages.

WHO GETS THE LETTERS?

It’s delivered to the same name and address that merchant statements are sent to. If you have an old name on your merchant statement, update your records.

WHEN ARE THE LETTERS SENT? They are being sent at random until every merchant receives them.

WHAT IF I DON’T HAVE A LETTER, BUT I’M GETTING A MONTHLY Non-receipt of PCI Validation FEE? If you’re one of my customers, you can go straight to SecurityMetrics.com and register. Your company is in the database and you’re automatically billed on your merchant statements.

DO I NEED TO FAX OVER THE ENROLLMENT FORM? No. That is one of the options. I recommend that you simply start with the online form.

DO I NEED TO KNOW ALL THE ANSWERS BEFORE I START ONLINE? No, but I recommend you visit the PCI Security Standards web site first and download the appropriate SAQ (self assessment questionnaire). That way when you do online you can zip through the questions.

WHAT IF I’VE ALREADY BEEN CERTIFIED BY ANOTHER APPROVED VENDOR? You can submit your certification documentation via fax to 402-916-8240 or via email. Contact your processor or sales agent for details.

IS THE MONTHLY FEE PERMANENT? No. The fee is for non-receipt of materials. Once you are proven PCI Compliant, the fee will come off, however, it may not be immediate.

related articles:

First Data PCI Compliance fee

First Data Merchants Attain Record PCI Compliance