Insiders Cause More than 50% of Data Breaches, Reveals Netwrix IT Risks Report

Posted on October 4, 2018 by Christine Speedy

In terms of main threat actors, expectation rarely matches reality, because most incidents were caused by insider mistakes rather than hacker attacks, as assumed by most respondents.

IRVINE, Calif., Oct. 2, 2018 /PRNewswire/ — Netwrix Corporation, provider of a visibility platform for data security and risk mitigation in hybrid environments, today announced the release of its global 2018 IT Risks Report. This year, Netwrix conducted an in-depth study of the major IT risks that are significant for most organizations and assessed respondents’ readiness to withstand cyber threats.

The report is based on the feedback of 1,558 organizations of various sizes from many different regions and industries. It summarizes the experiences and plans the organizations have in regard to addressing six IT risks: physical damage, intellectual property theft, data loss, data breach, system disruption and compliance penalties.

The report reveals the following key findings:

Most companies consider hacker attacks to be the most dangerous threat, but in fact, insiders cause the majority of security incidents by either malicious or accidental actions.
Not all critical security controls are reviewed regularly as required by best practices. The most neglected controls include getting rid of stale and unnecessary data and conducting data classification. These controls are exercised rarely or never by 20% and 14% of organizations, respectively.
Although 70% of companies have done IT risk assessment at least once, only 33% re-evaluate their IT risks regularly.
44% of respondents either do not know or are unsure of what their employees are doing with sensitive data.
Nonetheless, over 60% of respondents think that their level of visibility is high enough, which lulls them into a false sense of security.
Only 17% of organizations have an actionable incident response plan; 42% have only a draft or have no plan at all.

“Our report illustrates that the foremost reason why the organizations fail to address major IT risks lies in a lax approach to security basics. They are giving priority to some controls and are leaving the most important ones out of scope. Haphazard approach to security basics and poor visibility into sensitive data gives IT pros a false sense of security. However, paying more attention to all security basics can help organizations manage IT risks with more success,” said Steve Dickson, CEO of Netwrix.

To learn more about the IT risks organizations face today, please visit: www.netwrix.com/go/it_risks_in_2018.

About Netwrix Corporation

Netwrix Corporation is a software company focused exclusively on providing IT security and operations teams with pervasive visibility into user behavior, system configurations and data sensitivity across hybrid IT infrastructures to protect data regardless of its location. Over 9,000 organizations worldwide rely on Netwrix to detect and proactively mitigate data security threats, pass compliance audits with less effort and expense, and increase the productivity of their IT teams.

Founded in 2006, Netwrix has earned more than 140 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.

For more information, visit www.netwrix.com.

Storing credit card for layaway plan prepayments rules

Posted on September 28, 2018 by Christine Speedy

What are guidelines for storing and using stored credit cards for layaway plans? What is solution for auto payment layaway plan? Credit card processing rules have changed.

The process for storing and using stored cards rules are largely set by the Payment Card Industry Data Security Standards (PCI DSS) and Card network acceptance rules. Huge changes went into effect in 2017, starting with the Visa Stored Credential Mandate, and more are coming.

For a layaway plan, you need a payment gateway that supports sending the correct transaction type indicator. That would be either installment or unscheduled credential on file, depending on the agreement with buyer. This is outlined in Visa Core Rules and Visa Product and Service Rules, section 5.9.9 Prepayments, Repeated Payments, and Deferred Payments. If accepting prepayments merchants must comply with Table 5-20, Requirements for Prepayments and Transactions Using Stored Credentials.

Visa specifies that when Cardholder gives their consent to items in table 5-20, it must be displayed separately from the general purchase terms and conditions. The Merchant must provide, and the Cardholder must consent to all of the following in writing at the time of the first or only partial prepayment:

Description of promised merchandise or services
Terms of service
Timing of delivery to Cardholder
Transaction amount
Total purchase price
Terms of final payment, including the amount and currency
Cancellation and refund policies
Date and time that any cancellation privileges expire without prepayment forfeiture
Any associated charges

In addition, for Installment Transactions, both:

Total purchase price
Terms of future payments, including the dates, amounts, and currency

Plus

How the cardholder will be notified of any changes to the agreement
How the Stored Credential will be used
The expiration date of the agreement, if applicable

In summary, merchants documents for compliance:

Sales agreement
Cardholder Agreement for Prepayment
Cardholder Agreement for Storing & Using Stored Cards

Traditional old credit card authorization forms are dead. Merchants cannot get them on paper, and most digital forms are also not compliant. Requirements are specified in Visa Table 5-20.

Merchants payment technology to comply with rules:

Inform the issuer via a transaction that payment credentials are now stored on file.
Identify transactions with appropriate indicators when using stored credentials. (Recurring, installment, or unscheduled credential on file.)

Not all payment gateways are capable of meeting current compliance rules for all transaction types. How much the payment gateway solution helps automate compliance varies widely. If you need a solution for automotive layaway plan, you need an expert in rules compliance to avoid penalty fees, issuer chargebacks, and other costly problems. For help choosing the best solution for your company, contact us.

Resources and documentation /blog/merchant-bulletins-downloads – bookmark it!. Join Christine Speedy’s email list.

DISCLAIMER: condensed and incomplete information! Information may be quickly outdated. Contact a lawyer for legal advice.

Need a solution? Call Christine Speedy, 954-942-0483, 9-5 ET, CenPOS authorized global reseller. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

Christine Speedy on ITPalooza Data Breach Panel

Posted on September 26, 2018 by Christine Speedy

ITPalooza is a key event that brings together the entire South Florida IT community from CIOs through Tech User Groups to top local, national and international presenters and guests. ITPalooza has a long history of presenting the region’s top subject-matter experts with passion and knowledge that both entertains and educates. Christine Speedy will be on the 2018 data breach panel December 13, 2018 at The Greater Fort Lauderdale-Broward County Convention Center.

According to the nonprofit consumer organization Privacy Rights Clearinghouse, a total of 11,019,555,688 individual records containing sensitive personal information were involved in security breaches between January 2005 and May 2017. The data breach panel will be led by a knowledgeable moderator who will guide the panel guests to a variety of topics, including PCI Compliance.

About ITPalooza

ITPalooza is an annual gathering of South Florida’s nonprofit Technology User Groups featuring all day format, CIO only track, Marine Toys for Tots toy drive, and more. ITPalooza is about content and connecting you, the tech professional, with the information you need to make informed decisions about technology and trends. Over 2,000 attendees experienced the event in 2017.

About Christine Speedy

Christine Speedy is a Qualified Integrator and Reseller payments professional, certified by the Payment Card Industry Security Standards Council, and authorized CenPOS Reseller. Christine is a subject matter expert on PCI compliance and card network rules compliance, offering secure cloud payment technology to businesses, transforming the commerce and customer experience. South Florida Technology Alliance member.

Christine Speedy on Ask the Expert Panel in Boca Raton

Posted on September 25, 2018 by Christine Speedy

Christine Speedy will be on the BocaJS experts panel Tuesday, November 6, 2018 in Boca Raton, Florida. Christine’s background in ecommerce stems from when the internet first started. With skilled coding labor shortages, Christine learned html to help get stuff done for clients which included the Miami Dolphins, Blockbuster, the Florida Marlins and many others. While leaving serious work up to the coders and integrators today, her payment checkout insights are unparalleled for PCI Compliance and card network rules compliance. Get to know the industries best experts on everything from Development, Design, IT, DevOps, Recruiting, and Learning Tuesday, November 6, 2018 in Boca Raton, Florida.

See more details and sign up here https://www.meetup.com/BocaJS/

Boca Javascript Meetup

6:30 PM to 8:03 PM

Cendyn Spaces, in the Atrium

980 North Federal Highway · Boca Raton, FL

About The BocaJS group

The BocaJS group is here to represent the best that South Florida can bring to the world’s best Language (Javascript). And any else web related as well! In addition to vanilla java script, we’ll be looking at frameworks such as Node, AngularJS (1, 1.5 AND 2,4,5,6,…. 7 beta? ), Ember.js, jQuery, ReactJS and Ionic. Founded in September 2014 by Adam & Hector, and Run currently by Damian Montero and Jermbo Lawson this group continues to grow and thrive. Website: BocaJS.org (https://bocajs.org/)

About Christine Speedy

Christine Speedy is PCI Council QIR Certified

Posted on September 25, 2018 by Christine Speedy

Christine Speedy is Qualified Integrator and Reseller certified by the Payment Card Industry Security Standards Council. QIRs are integrators and resellers specially trained by PCI Security Standards Council to address critical security controls while installing merchant payment systems. QIRs reduce merchant risk and mitigate the most common causes of payment data breaches by focusing on critical security controls.

The council changed the QIR certification requirements after my certification in an effort to reduce barriers to certification, both financially and with the depth of training. While QIR certification always was for individuals, they were tied to companies. The tie to companies has been removed so as they change jobs the certification is not disrupted. Due to this change, the PCI council recently updated the web site search navigation. My company used to be the first listing when you clicked on the QIR link. Now, the only way to find me or any other QIR certified person is to do a search.

Before PCI QIR certification requirements change.

After PCI QIR certification requirements change.

While the Visa QIR mandate is for Level 4 merchants with card present transactions, I recommend that all merchants use QIR individuals for all transaction types. There’s a false sense of security that consultants and developers are guarding merchant security, but literally every day I find problems with companies of all sizes. Level 4 merchant is defined as less than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually.

The Christine Speedy difference. PCI compliance is important to mitigate data breach risk, but equally important is compliance with complicated card network rules. Have you read any of the 1,000+ pages of Visa Rules? Or 300+ Mastercard transaction processing rules? Have any of the people you rely on? I’ve spent countless hours educating myself on them and learning about the nuances that impact your profit and risk. Technology directly impacts compliance. It doesn’t matter how big or how old a company is; the reality is most players in the payments industry fall behind with every new rule that comes out, even though these rules are usually announced years in advance so that they can prepare.

Resources:

Christine Speedy, QIR certified payments professional can be reached at 954-942-0483, 9-5 ET.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Card Not Present, CenPOS, credit card processing

B2B Cloud payment processing technology blog about increasing profits, efficiency and security.