Oracle Micros Data Breach

Posted on September 27, 2016 by Christine Speedy

Micros, a hugely popular restaurant and hospitality is the subject of a major data breach investigation. On Monday, 8 August 2016, Oracle Security informed Oracle MICROS customers that it had detected malicious code in certain legacy MICROS systems. Oracle is currently investigating the compromise.

Micros is used by many of the large hotel brands as well as restaurants. Over the last year, many in the hospitality industry have announced data breaches, though a link between the two has not been announced.

RESOURCES

Visa Compromise Notification (Micros)

Data Breach At Oracle’s MICROS Point-of-Sale Division (krebsonsecurity.com)

MAGENTO VULNERABILITIES IMPACT PCI COMPLIANCE

Posted on September 26, 2016 by Christine Speedy

Magento, a popular e-commerce platform, released multiple security patches this year, several addressing critical and high credit card data breach vulnerabilities. Merchants that haven’t deployed security patches, as required by PCI standards, are vulnerable to remote exploits that can compromise customer account and credit card data.

One cross-site scripting (XSS) flaw potentially allows an attacker to add malicious JavaScript code to a comment via the PayFlow Pro payment module. The JavaScript code is executed server-side when the targeted site’s administrator views the attacker’s order.

PCI Compliance Requirement 6: Develop and maintain secure systems and applications. All critical systems must have the most recently released software patches to prevent exploitation. The average merchant relies upon third party developers for web site maintenance, but unless specifically contracted to update the e-commerce software and add-on modules, don’t count on it.

Only 16.4% of organizations that had suffered a data breach were compliant with Requirement 6, compared to an average of 64% of organizations assessed by our QSAs in 2014- Verizon 2015 PCI Compliance Report.

Payment gateway implementation requirements have changed over time as a result of cross-site scripting and cross-site request forgery (CSRF) to meet current PCI Compliance standards. Merchants should verify all components of their ecommerce ecosystem are current, and have a system for ongoing monitoring and updating.

RESOURCES

Magento Security Center
VISA MAGENTO SECURITY ALERT, July 2016
Christine Speedy, 3D Merchant Services, offers Magento payment gateway module for merchants to improve their omnichannel customer experience and mitigate risk. B2B customer benefits include friction-less payments across all sales channels; text and email Express Checkout, customer invoice portal for 24/7 ACH, credit card, wire and more payment types, and US EMV with level 3 processing. Magento and ERP modules combine to provide a powerful array of solutions to improve cash flow and profits while maximizing security. 954-942-0483.

Payment Account Reference (PAR) Impact On Recurring Billing

Posted on July 28, 2016 by Christine Speedy

Payment Account Reference (PAR) will become a major force in changing in how recurring billing transactions are processed, and risks that merchants will bear. Swiped, key-entered, and e-commerce transactions are all impacted because merchants will need to tie subsequent token transactions to the original transaction that customer authorized. This raises questions as to what technology will be able to support it, and how quickly will companies be able to adopt it?

EMVco updated their EMV Payment Tokenization Specification Technical Framework earlier this year to include a new field for PAR. This field must transcend throughout the payment ecosystem to acquirers, issuers, and merchants by updating all those systems to support it. That means changes to payment terminals, gateways, processing systems, and potentially ERP and other integrated solutions. With the framework in place, the rest of the ecosystem can begin updating systems to take advantage of the benefits.

PAR enables the payment acceptance community to link a cardholder’s payment token with their PAN transactions without needing to use their underlying card account number.

Merchant Liability

Official announcement is not yet available, however, following the logic of similar security updates, the merchant would risk chargeback on any transaction that does not include the PAR value. The issuer or the acquirer could potentially initiate on the premise there’s no proof customer approved, and therefore there’s fraud liability risk. To reduce their risk, the merchant could be held liable. That means 3 months into a service, all prior transactions could be ACH’d right out of merchant bank account, plus there’d be chargeback fees for each transaction. Additionally, with multiple chargebacks with a single cardholder it’s foreseeable merchants could end up in oversight pool for excessive chargebacks.

Timeline for Compliance

Official announcement is not yet available, however, technical framework specifications for developers were released about 6 months ago. Changes impacting processing fees etc. are typically effective October and April of each year.

Why PAR now?

PAR enables the industry to move away from dependence on the PAN as the primary linkage between various payment processing and value-added services, for example, loyalty programs. As EMV grows increasing card present security, fraud tends to move online; PAR is intended to reduce card not present fraud, increase security, and create a consistent global framework for all participants.

Current Recurring Billing Compliance

Today, when a merchant processes a transaction for a card the customer has authorized to keep on file, the ‘recurring‘ transaction type indicator is required to be sent with each authorization request. A payment gateway is a required, since physical terminals are unable to meet requirements. For example, a retail store sends a SALE transaction type, while a company offering SaaS sends Recurring Payment indicator in authorization messages. Business to business merchants run into compliance, and risk of chargeback losses, when a customer agrees authorizes keep card on file, and they key enter the card number. As far as the issuer and acquirer are concerned, it’s a retail sale, and all the rules of acceptance, risk, and interchange rate qualification apply.

Some companies use paper credit card authorization forms, and they key enter into a retail terminal or virtual terminal each and every time; those transactions are NOT sent correctly with RECURRING indicator.

Future Recurring Billing Compliance

Tokens replace sensitive card data and are then used to perform future variable, fixed, or installment recurring billing. PAR cannot be used to initiate payment transactions nor reverse engineered to obtain PAN data. When a token is created, a PAR value will also be created. The PAR must be supplied with all future authorization requests.

Merchants using ‘dumb terminals’, i.e. terminals that are not payment gateway driven, are incapable of supporting such a service. For omnichannel merchants, partnering with a progressive technology company that meets all current and future payment needs is going to be essential to comply with PAR and more payment changes likely to come.

“If your current provider was late to market with EMV, if they don’t support 3D Secure, if they can’t provide one payment gateway for all sales channels, it’s probably time to start looking for another payment technology partner,” Christine Speedy, Global Reseller for CenPOS, a merchant-centric, enterprise payment solutions company.

Retailers Ask FTC to Investigate Credit Card Industry’s PCI Security Group for Antitrust Concerns

Posted on June 2, 2016 by Christine Speedy

WASHINGTON – The National Retail Federation today announced that it has asked the Federal Trade Commission to conduct an investigation into an organization founded by the credit card industry that sets data security standards, saying the group’s controversial practices raise antitrust concerns.

“We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data security standards in the payment system or any other sector,” NRF Senior Vice President and General Counsel Mallory Duncan said in a letter to FTC Chairwoman Edith Ramirez and other commission members.

The Payment Card Industry Security Standards Council is “a proprietary organization formed and controlled by a single industry sector – the major credit card networks” and “fails to meet any of the principles adopted by the federal government for voluntary standard-setting organizations,” Duncan said. “We believe you will conclude PCI itself is an inappropriate exercise of market power by the dominant U.S. payment card networks and PCI should not continue setting data security standards through its current processes.”

NRF’s request comes as the FTC is conducting an inquiry into how third-party companies perform assessments of PCI compliance by retailers and other businesses that accept credit cards. NRF understands that the FTC is also considering PCI requirements as an example of industry best practices.

The PCI council was formed in 2006 by the major credit card companies – Visa, MasterCard, American Express, Discover and JCB. It imposes its rules on millions of U.S. businesses but continues to be governed by an executive committee made up of representatives of only those five companies.

In a 19-page white paper submitted to the FTC, NRF said the card companies use their market power to “unfairly leverage their brands and proprietary technology through webs of closely controlled interdependent bodies and compliance regimes” including the council. While portrayed as voluntary, the Payment Card Industry Data Security Standard requirements set by the council are “forced upon businesses that cannot refuse to accept credit and debit cards.”

The council’s practices “raise antitrust concerns” for a number of reasons, including “general antitrust dangers when competitors collaborate on setting market standards” and “more targeted concerns insofar as they allow the networks to leverage their proprietary technology,” the paper said.

Among other concerns, PCI requirements act as “as an anticompetitive barrier to innovation” because they “exhaust” funds and other resources retailers have available for data security, the paper said.

NRF asked that the FTC investigate the council’s practices in general and particularly their impact on competition. The FTC should also reject government use of PCI standards as any benchmark for data security, and instead work with “legitimate U.S. standard setting bodies” such as the American National Standards Institute, NRF said.

NRF is the world’s largest retail trade association, representing discount and department stores, home goods and specialty stores, Main Street merchants, grocers, wholesalers, chain restaurants and Internet retailers from the United States and more than 45 countries. Retail is the nation’s largest private sector employer, supporting one in four U.S. jobs – 42 million working Americans. Contributing $2.6 trillion to annual GDP, retail is a daily barometer for the nation’s economy. NRF’s This is Retail campaign highlights the industry’s opportunities for life-long careers, how retailers strengthen communities, and the critical role that retail plays in driving innovation. NRF.com

Stopping Online Credit Card Testers

Posted on May 25, 2016 by Christine Speedy

Online credit card testing by fraudsters can dramatically drive up payment gateway fees. Historically, card not present financial fraud grows exponentially in countries after implementing EMV chip card processing, as thieves seek the weakest link for fake credit card purchases. Thieves use software to rapidly send cardholder data to payment web sites to verify if stolen cards are good, card testing, and since merchants pay a per transaction fee, regardless of approval, the financial impact can be devastating.

Companies with online pay pages are at increased risk. Since October 2015, online fraud attacks were up 11% 2015 Q4 Vs Q3, and up 215 percent from 2015 Q1. 83% of attacks involved botnets. Source: The Global Fraud Attack Index™, a PYMNTS/Forter collaboration. The preferred web pay pages have no login required, and provide detailed decline response reasons. I’m often asked by others in the industry to provide the latter, and for the same reason as for retail, it’s better than no one knows the reason for the decline. If you inform a criminal the expiration date is no good, they just need to figure out the right one.

PREVENTING ONLINE CARD TESTING

A layered approach is required to stop card testers since no single solution will stop fraudsters. Generally, the harder you make it, the more likely they will seek a path of less resistance.

Block known fraudulent incoming IP addresses. The bad guys also use hostile proxy servers, with dynamically changing IP addresses every authorization attempt, but this is still a first step everyone should employ.

For additional assistance, please contact us. I won’t make it easier for criminals by identifying all the tools here in the blog!

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Card Not Present, CenPOS, credit card processing

B2B Cloud payment processing technology blog about increasing profits, efficiency and security.

Category Archives: security