Massive Travel Industry Data Leak

Prestige Software’s main product Cloud Hospitality, the channel management software to the travel industries biggest consumer buying web sites, including Expedia, Hotels.com, and booking.com left data exposed for over 10 million log files, dating all the way back to 2013. At the November 6, 2020 breaking news, it was not yet known whether the data left open on a server was stolen or not. However, we know that criminals run scripts looking for data all the time so it won’t be a surprise if there was a breach.

A channel manager is used to manage bookings across multiple webs sites, including hotels and restaurants. For example with vacancy management, if there is one room left and someone buys it on booking.com, it will show unavailable on hotels.com. With millions of records exposed around the globe, there is sure to be fall out.

Because both personal and credit card data was exposed, I recommend consumers change their travel web site passwords, email passwords, and keep an on on credit card usage or set up alerts.

The data contained full card data and the security code. It’s a PCI Compliance and card network violation to store sensitive cardholder data, therefore, they could lose the ability to store, transmit, and handle all credit card data. While the booking platforms did not expose the data, there is certainly a weakness. For more information from the team that broke the news, see https://www.websiteplanet.com/blog/prestige-soft-breach-report/.

This incident demonstrates your security is only as good as your weakest link. What actions have you taken to remediate deletion of old records both paper and digital? What about your partners? I know of multiple solutions providers that enable merchants to create their own digital credit card authorization forms. This form is then reviewed or downloaded by an employee, with card data key entered then into some other system by the employee. There are so many things wrong with this, including the signature is not even a valid form of defense for card not present. 3-D Secure is the way to go.

  1. If your company uses a 3rd party for billing and or collections, ask questions.
  2. If you’re not using updated tools to keep card numbers out of employee hands, hardware and software, you’re at risk.
  3. Remember, if cardholder data can be decrypted and viewed, you’re at risk.
  4. If you can see the full card number and security code after authorization, that is not compliant.

Contact me for a FREE checkup for common problems IT and security professionals might miss.

If your company has card data that can be retrieved and viewed, you’re at risk too. I fix that.

Christine Speedy, Founder 3D Merchant Services, QIR certified, is a credit card processing expert with specialized expertise in card not present and B2B payment processing technology. Less than 1% of all merchant services sales representatives are QIR certified by the PCI Council. Christine is an authorized independent sales agent for a variety of merchant services and payment technology solutions.

3-D Secure 2.0 Merchant Overview 2020 2021

3-D Secure is a protocol providing an additional layer of security for eCommerce transactions prior to authorization. It enables the exchange of data between the merchant, card issuer and, when necessary, the consumer, to validate that the transaction is being initiated by the actual cardholder. Ecommerce transactions includes traditional shopping cart as well as any digital payment where the cardholder initiates and completes the payment process. For example, einvoicing or electronic bill presentment and payment are ecommerce transactions.

Each card network has a name for their product that uses 3-D secure, also referred to as 3D Secure, 3DS, 3-D Secure authentication or EMV 3-D Secure. Visa rebranded Verified by Visa to Visa Secure. MasterCard SecureCode (3DS 1.0) merchants are being encouraged to migrate to Mastercard Identity Check which uses EMV 3-D Secure 2.0. American Express SafeKey 2.0 is also available now. 3-D Secure 2.x helps reduce fraud and minimize the need for one-time passcodes, improving the user experience and reducing shopping cart abandonment.

What are merchant benefits for using 3-D Secure?

  • More authorization approvals. False declines are a significant source of lost revenue.
  • Some cards have reduced interchange rates when the authentication is invoked, which are usually over 90% of fees. American Express does reduce rates.
  • Less friction for customers at checkout.
  • Reduced risk of chargeback losses. Fraud liability for “it wasn’t me” automatically shifts to the issuer; Merchants do not have to defend those chargebacks, they never even see them.

How do merchants get started using 3-D Secure?

There are two elements- the payment gateway and the merchant account. Contact your payment gateway company to see if they support it and how to set it up. In most cases, this is simply a back office set up process. Merchants may also need to sign acceptance of pricing. The transaction fees are minimal and typically more than offset by the 11 to 20 basis point reduction in merchant fees on applicable cards.

Christine Speedy, Founder 3D Merchant Services, QIR certified, is a credit card processing expert with specialized expertise in card not present and B2B payment processing technology. Less than 1% of all merchant services sales representatives are QIR certified by the PCI Council. Christine is an authorized reseller for Elavon and CenPOS products and services, in addition to other solutions.

P2PE for Dynamics AX & D365

Microsoft Dynamics AX and D365 validated P2PE solution elements vary by vendor plugin and their certifications which can be researched on the PCI security standards council website here https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_applications?reference=2017-00113.005. Merchants can choose either P2PE terminals or validated P2PE solutions with their terminals. The latter requires extra steps to implement and maintain.

A PCI P2PE solution can significantly reduce the PCI Data Security Standard (PCI DSS) validation effort of a merchant’s cardholder data environment as well as the cost of a third party assessor reviewing a merchant’s card data environment. Another benefit is simply the reduced risk of a data breach, and the potential millions in costs and lost reputation. An qualified assessor informed me at a conference, there has never been a data breach in an environment with properly implemented validated P2PE solution; The same cannot be said for merchants using P2PE terminals.

P2PE Applications are intended to be loaded onto PCI-approved point of interaction (POI) devices used as part of a P2PE Solution. Use of a P2PE Application on a PTS-approved POI device (outside of a listed P2PE Solution) does not constitute use of a P2PE Solution. I am frequently asked by consultants about other payment gateway compatibility with Cardconnect and the related CardConnect Bolt application dependency. Other payment gateways and or P2PE solutions, including CenPOS, are distinct solutions. Each has its own P2PE certification as documented on the PCI council website. Two different solutions cannot be used together; merchants must decide which is the better overall solution for their environment. Sidenote: CenPOS does not have any application dependencies for their P2PE certification.

Can you mix P2PE solutions, for example, for call centers vs retail? Excellent question. Certainly transactions would need to be run on different merchant accounts and each would be defined as to scope i.e. not entire business, but only part of an operation. This arrangement is not ideal, but maybe is a useful gap solution during a software or hardware migration.

Which P2PE application is best for your Microsoft Dynamics AX or D365 environment? This question is best answered by speaking with a payments consultant who is familiar with credit card processing rules, data security rules, and integration nuances. Differences in the integration methods and native features for the respective products often determine why to choose one vs another.

Christine Speedy, Founder 3D Merchant Services, is a credit card processing expert with specialized expertise in card not present and omnichannel technology. Christine is an authorized reseller for Elavon and CenPOS products and services, in addition to other solutions and is QIR certified by the PCI Council. Call Christine for all your Microsoft Dynamics payment gateway and payment processing needs.

Paay Alternative for EMV 3DS

Concerned about the Paay data breach and looking for an alternative EMV 3DS, specifically EMV 3-D Secure 2.2.0, solution for your card not present transactions? Ask Christine Speedy, a Qualified Integrator and Reseller certified by the Payment Card Industry Security Standards Council. Additionally, Christine has extensive experience in the card not present world offering merchants multiple solutions. The best card not present payment gateway is a critical decision and as an independent agent, I will guide you to both the best technology and credit card processing acquirer for your specific business needs.

QIRs are integrators and resellers specially trained by PCI Security Standards Council to address critical security controls while installing merchant payment systems. QIRs reduce merchant risk and mitigate the most common causes of payment data breaches by focusing on critical security controls. Level 4 merchants process 1 to 1 million transactions annually and are mandated to use only QIR certified people for POS systems or terminals, if not doing internally.

Why bring up QIR for card not present or bigger merchants? Wouldn’t you rather have one of the few QIR cloud security trained in payment processing on your team? Paay does not have anyone listed on the PCI Council web site, though like Christine Speedy, there may be certified salespeople under a different company name. That’s because the certification follows the individual, not the company. Additionally, there is no requirement to use QIR’s at this time for card not present so Paay doesn’t need to have anyone QIR trained. There’s no specific certification of any kind required for ecommerce developers and integrators. Kind of crazy given the risks, huh?

EMV 3DS is a global security protocol with three primary beneficial outcomes:

  1. Fraud liability shift to issuer for “it wasn’t me, I didn’t authorize.” Merchants do not need to respond to a chargeback, when 3DS is invoked on a transaction, it will automatically shift liability to the issuer.
  2. Merchants can potentially qualify for even lower interchange rates on some cards due to lower risk associated with cardholder authentication. For example, merchants can save .20% on average with MasterCard UCAF rate qualification vs Merit 1 on some credit cards.
  3. Increased approvals and profits. With cardholder authentication, merchants can expect increased approvals per the card networks advice. False declines are a significant problem for cart abandonment and resulting lost sales.

Think of it like having a chip card for card present transactions. EMV 3DS is a messaging protocol that promotes frictionless consumer authentication and enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorised CNP transactions and protect the merchant from exposure to CNP fraud.

Level 3 purchasing expert for B2B credit card processing needs. HIPAA, GDPR, PCI and PSD2 and all the other compliance and security you need for your business are available.

Christine Speedy, Founder 3D Merchant Services, is a credit card processing expert with specialized expertise in card not present and omnichannel technology. Christine is an authorized reseller for Elavon and CenPOS products and services, in addition to other solutions. Call Christine for payment gateway, cloud technology, merchant services and check processing needs.

Need a QIR in South Florida?

A certified Qualified Integrator and Reseller (QIR) is required for any third party credit card point-of-sale solution installation. Qualified Integrators and Resellers are specially trained by Payment Card Industry (PCI) Security Standards Council to address critical security controls while installing merchant payment systems. Christine Speedy is located in South Florida and is QIR certified. After the sale, the same applies. No third party can modify or touch the system unless QIR certified.

The mandate is only for level 4 merchants, due to more frequent security problems. For example, 80 percent of small merchant breaches are associated with insecure POS implementation and servicing by integrators and resellers. Level 4 merchants are defined as less than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually.

pci qir certified logo

The council changed the QIR certification requirements after my certification in an effort to reduce barriers to certification, both financially and with the depth of training. While QIR certification always was for individuals, they were tied to companies. The tie to companies has been removed so as QIR’s change jobs the certification is not disrupted. Due to this change, the PCI council recently updated the web site search navigation. My company used to be the first listing when you clicked on the QIR link. Now, the only way to find me or any other QIR certified person is to do a search. You can find Christine by searching for Christine Speedy in Florida.

Do you need a QIR in another state? Just ask.

Christine Speedy, Founder 3D Merchant Services, is a credit card processing expert with specialized expertise in card not present and omnichannel technology. Christine is an authorized reseller for Elavon and CenPOS products and services, in addition to other solutions.