2023 Merchant Credit Card Data Breach List

The 2023 credit card data breach list was updated March 2023 and is not all inclusive. Is your business safe from a credit card data breach? The list below highlights some credit card data breaches and the primary cause at the time each breach was announced. While malware reigns as a top cause of payment data breaches, employee theft is still a problem too. Typically, companies make the list only if full card data is stolen.

Restaurants

January 2020: Chick-fil-A says less than 2% of customers were affected by a breach of its website and mobile application between December 18, 2022 and February 12, 2023, carried out using login credentials obtained from a third-party source. Exposed data: name, email address, Chick-fil-A One membership number and mobile pay number, QR code, masked credit/debit card number, and the amount of Chick-fil-A credit (e.g., e-gift card balance) on your account (if any). In addition, if saved to your account, the information may have included the month and day of your birthday, phone number, and address. Importantly, unauthorized parties would only have been able to view the last four digits of your payment card number.

Retail & Ecommerce

January 2023: JD Sports: online store orders between November 2018 and October 2020, announced January 2023. Among other shopper data for 10 million customers were the last four digits of card numbers. JD Sports is based in the UK and can expect fines up to the higher maximum permitted under Part 6 of the Data Protection Act 2018, potentially £17.5 million or 4% of total annual worldwide turnover in the preceding financial year, whichever is higher.

Technology

January 18, 2023: PayPal, about 35,000 customers. Exposed information included names, addresses, Social Security numbers, individual tax identification numbers, and dates of birth. Unauthorized access was gained by credential stuffing.

Don’t be the next credit card data breach victim!

Christine Speedy is a Qualified Integrator and Reseller (QIR) certified by the Payment Card Industry Security Standards Council. QIRs are integrators and resellers specially trained by the PCI Security Standards Council to address critical security controls while installing merchant payment systems. QIRs reduce merchant risk and mitigate the most common causes of payment data breaches by focusing on critical security controls. Call Christine for technology, merchant services and check processing needs.

Microsoft Dynamics 365 Embedded Payments Solution Featured in Digital Transactions magazine

Embedded payments are exploding and U.S. Bank has embedded payment solutions within Microsoft Dynamics 365. “The Rise of Embedded Payments”, in the DIGITAL TRANSACTIONS January 2023 issue, highlights U.S. Bank’s embedded payments solutions and benefits for both sellers and buyers. The U.S. Bank AP Optimizer® was announced last year. Additionally, Elavon Inc.’s payment gateway provides a secure and end-to-end accounts receivable payment solution for Dynamics 365 Finance. Elavon, a wholly owned subsidiary of U.S. Bank, has been a global leader in payment processing for more than 30 years.

Looking for Microsoft D365 secure payment processing solutions? Call Christine Speedy, 3D Merchant services founder, for simple solutions to B2B transaction problems. 954-942-0483, 9-5 ET.

FTC Orders an End to Illegal Mastercard Business Tactics and Requires it to Stop Blocking Competing Debit Card Payment Networks

Company violated the Durbin Amendment to the Dodd-Frank Act and Fed regulations, agency alleges

The Federal Trade Commission is ordering an end to illegal business tactics that Mastercard has been using to force merchants to route debit card payments through its payment network, and is requiring Mastercard to stop blocking the use of competing debit payment networks.

Under a proposed FTC order, Mastercard will have to start providing competing networks with customer account information they need to process debit payments, reversing a practice the company allegedly had been using to keep them out of the ecommerce debit payment business and, according to the FTC, that violated provisions of the 2010 Dodd-Frank Act known as the Durbin Amendment and its implementing rule, Regulation II.

“This is a victory for consumers and the merchants who rely on debit card payments to operate their businesses,” said Holly Vedova, Director of the FTC’s Bureau of Competition. “Congress directed the FTC to enforce this part of the Dodd-Frank Act and prevent precisely this kind of illegal behavior. We take this responsibility seriously, as demonstrated by our action today.”

Debit Card Payment Networks

With more than 80 percent of American adults carrying at least one debit card and over $4 trillion in debit card purchases made every year, debit cards occupy a significant place in the current payment landscape. The popularity of debit cards has been growing especially quickly for purchases consumers make using their personal devices equipped with ewallet applications such as Apple Pay, Google Pay, and Samsung Wallet.

Payment card networks play a critical role in those debit card transactions. When a customer presents their debit card to make a purchase, the network transmits the payment information to the card’s corresponding bank for approval, and then transfers the payment approval or denial back to the merchant. Payment card networks compete for the business of banks that issue cards and for the business of merchants that accept card payments.

Mastercard, along with Visa, is one of the two leading payment card networks in the United States. The processing fees charged by networks total billions of dollars every year, affecting every purchase made with a debit card, according to the FTC. Most of these fees are paid by the merchants to the card-issuing banks and the payment card networks.

To spur more competition among payment card networks, Congress enacted a provision of the 2010 Dodd-Frank Act known as the Durbin Amendment, which required banks to enable at least two unaffiliated networks on every debit card, thereby giving merchants a choice of which network to use for a given debit transaction. The Durbin Amendment—along with its implementing rule, Regulation II—also bars payment card networks from inhibiting merchants from using other networks.

Mastercard’s Illegal Tactics

With the post-Durbin rise of debit ecommerce and ewallet debit transactions, Mastercard was flouting the law by setting policies to block merchants from routing ecommerce transactions using Mastercard-branded debit cards saved in ewallets to alternative payment card networks, including networks that may charge lower fees than Mastercard, the FTC alleged.

Specifically, Mastercard used its control over a process called “tokenization” to block the use of competing payment card networks, the agency alleged. Transactions commonly are “tokenized” by replacing the cardholder’s primary account number with a different number to protect the account number during some stages of a debit transaction.

Tokens are stored in ewallets such as Apple Pay, Google Pay, and Samsung Wallet and serve as a substitute credential to provide additional protection for a cardholder’s account number.

When a debit cardholder makes a debit purchase using an ewallet, the merchant receives a token from the cardholder’s device and sends it to the merchant’s bank, which in turn sends the token to a payment card network for processing. For the transaction to proceed, however, the network must be able to convert the token to its associated account number.

Mastercard’s policy requires use of a token when a cardholder loads a Mastercard-branded debit card into an ewallet, while banks issuing Mastercard-branded debit cards nearly universally use Mastercard to generate the tokens and store the corresponding primary account numbers in its Mastercard “token vault,” the FTC alleged. Since competing networks do not have access to Mastercard’s token vault, merchants are dependent on Mastercard’s converting the token to process ewallet transactions using Mastercard-branded debit cards.

According to the FTC, Mastercard refuses to provide conversion services to competing networks for remote ewallet debit transactions (i.e., online and in-app transactions, as opposed to in-person transactions made by the customer in a store), thereby making it impossible for merchants to route their ewallet transactions on a network other than Mastercard.

Under the FTC consent order, when a competing network receives a token to process a debit card payment, Mastercard is required to provide them with the customer’s personal account number that corresponds to the token. The order also bans Mastercard from taking any action to prevent competitors from providing their own payment token service or offer tokens on Mastercard-branded debit cards and requires Mastercard to comply with provisions of Regulation II.
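The token flow described above can be modelled in a few lines. The following is an added example, not code from Mastercard, any payment network or the FTC: a toy token vault that issues random tokens for a PAN and only answers detokenization requests from networks on its allow list, which is exactly the control point the complaint is about. The network names, the placeholder vault owner and the grant_access step that models the consent order are all assumptions; the PAN is the well-known 4111... test number, not a real account.

```python
import secrets

# Constructed example (not Mastercard's, any scheme's or the FTC's code): a minimal
# payment token vault showing why whoever holds the token-to-PAN mapping decides
# which networks can process a tokenized transaction.
# The PAN below is a well-known test number, not a real cardholder account.
TEST_PAN = "4111111111111111"


class TokenVault:
    """Stores token -> PAN mappings and gates detokenization by network."""

    def __init__(self, owner: str):
        self.owner = owner
        self._map: dict[str, str] = {}
        # Networks allowed to ask the vault for the PAN behind a token.
        self._authorized: set[str] = {owner}

    def tokenize(self, pan: str) -> str:
        # The token is random, so it cannot be derived from the PAN; only the last
        # four digits are kept so wallets and receipts can still display them.
        token = "".join(secrets.choice("0123456789") for _ in range(12)) + pan[-4:]
        self._map[token] = pan
        return token

    def grant_access(self, network: str) -> None:
        """Models the consent order: a competing network may now detokenize."""
        self._authorized.add(network)

    def detokenize(self, token: str, requesting_network: str) -> str:
        # Without vault access a network holds only an opaque token and cannot
        # reach the issuer, so the merchant cannot route through it.
        if requesting_network not in self._authorized:
            raise PermissionError(f"{requesting_network} has no access to {self.owner}'s vault")
        return self._map[token]


def route_ewallet_debit(vault: TokenVault, token: str, network: str) -> str:
    """Return 'approved' if the chosen network can recover the PAN, else 'unroutable'."""
    try:
        vault.detokenize(token, network)
    except PermissionError:
        return "unroutable"
    # Issuer authorization would follow here; the example stops at token conversion.
    return "approved"


if __name__ == "__main__":
    vault = TokenVault("NetworkA")  # hypothetical vault-owning network
    token = vault.tokenize(TEST_PAN)
    print("token:", token, "routing via NetworkB:", route_ewallet_debit(vault, token, "NetworkB"))
    vault.grant_access("NetworkB")
    print("after access is granted:", route_ewallet_debit(vault, token, "NetworkB"))
```

The point for a merchant or integrator is the allow list, not the arithmetic: a token is only useful to the party that can map it back, so vault access policy, not card branding, determines which networks are reachable.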

The Commission vote to issue the administrative complaint and to accept the consent agreement was 4-0. The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments appear in the published notice. Comments must be received 30 days after publication in the Federal Register. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $46,517.

The Federal Trade Commission works to promote competition, and protect and educate consumers.

U.S. Bank’s first embedded payment solutions as part of Microsoft collaboration

One of the first banks to directly embed its own payment tools within Microsoft Dynamics 365, U.S. Bank delivers easy-to-implement, efficient payment capabilities.

MINNEAPOLIS (October 31, 2022) – U.S. Bank has embedded payment solutions within Microsoft Dynamics 365, the first of a strategic collaboration established to embed U.S. Bank payment capabilities across Microsoft platforms. The integration helps meet businesses where they are, with secure, fast and easy-to-implement payment capabilities.

U.S. Bank is one of the first banks to embed its own payment tools directly within Microsoft Dynamics 365. The direct integration into the enterprise resource planning (ERP) and finance solution makes it easier for businesses to click and start using the capabilities quickly. U.S. Bank has several more capabilities in the pipeline to embed additional payment tools within workflows across Microsoft platforms including Microsoft Teams and Microsoft Power Platform.

“We are committed to meeting clients wherever they are in their digital journey, bringing payments to businesses in a way that’s instant, embedded and connected to the technology they use every day,” said Shailesh Kotwal, vice chair and head of Payment Services, U.S. Bank. “Our integration with Microsoft – which businesses rely on daily to serve their customers – opens new possibilities for U.S. Bank clients to improve efficiencies and enable faster payments.”

“Embedded payments can deliver powerful, new ways for businesses to streamline processes, enhance visibility, deliver better experiences, and reduce risk,” said Bill Borden, Corporate Vice President, Worldwide Financial Services, Microsoft. “We are excited to build on our work with U.S. Bank, delivering integrated, easy-to-use digital payments capabilities to our customers through Microsoft Dynamics 365 with additional embedded solutions to come.”

Businesses using Microsoft Dynamics 365 can now easily use U.S. Bank AP Optimizer® directly from their business application. This will enable treasury management departments to automate invoice processing for business and consumer payment disbursement within Microsoft Dynamics 365. The solution allows for automated accounts payable workflows, including matching and reconciliation.

With Elavon’s Payment Gateway also now available to use within Microsoft Dynamics 365, businesses can easily enable a secure and end-to-end accounts receivable payment solution with their ERP. Directly integrated with the payments journal for accounting within Dynamics 365 Finance, the solution helps companies automate more of the accounts receivables process, speed up collections through multiple payments acceptance channels, and reduce errors.

Contact:

Todd Deutsch, U.S. Bank Public Affairs & Communications todd.deutsch@usbank.com | 612.303.4148

About U.S. Bank

U.S. Bancorp, with approximately 70,000 employees and $601 billion in assets as of September 30, 2022, is the parent company of U.S. Bank National Association. The Minneapolis-based company serves millions of customers locally, nationally and globally through a diversified mix of businesses: Consumer and Business Banking; Payment Services; Corporate & Commercial Banking; and Wealth Management and Investment Services. The company has been recognized for its approach to digital innovation, social responsibility, and customer service, including being named one of the 2022 World’s Most Ethical Companies and Fortune’s most admired superregional bank. Learn more at usbank.com/about.

CAPK expired error messages on VeriFone EMV terminals

Looking for solutions to fix CAPK errors on credit card terminals? In 2016, the 3D Merchant blog explained CAPK expired error messages on VeriFone EMV terminals and how to fix them. With credit card terminal lifespans of about 5 years, primarily due to security enhancements, the answers are different in 2022. Computers cannot be upgraded past a certain point, and neither can credit card terminals.

The old article referenced the VeriFone EMV Vx520, FD55, Vx510 and Vx570, among other terminals. A later blog post explained Verifone PCI 3 End of Life Terminals, which include those and others. Merchants using the related desktop terminals, which typically require a manual download from the merchant acquirer to update, are unlikely to be able to get new updates due to the end-of-life process.

Previously, Visa extended the EMV Certification Authority Public Key (CAPK) expiration date from 12/31/2015 to 2022, which required a terminal software update. Chip cards contain the issuer's private keys, which need to be verified by the card issuer's public keys during online authorization requests. The keys come from the Certification Authority Public Keys (CAPK), and they expire periodically. Card readers reject (decline) transactions when an incorrect or expired CAPK is used. When a terminal reaches a certain point in its end of life, it can't be updated, and the CAPK error is just another symptom of the real problem: it's time to replace the credit card terminal.
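To show what the terminal is actually doing when it throws a CAPK error, here is an added example (not Verifone's, Visa's or any acquirer's code). A terminal keeps a table of CA public keys indexed by the scheme's RID and a one-byte key index; before using one it verifies the EMV-defined checksum (SHA-1 over RID, index, modulus and exponent) and checks the key's expiry against the transaction date. The RID A0000000FF, the indexes, the modulus and exponent values and the expiry dates below are all constructed placeholders, not a real scheme key.

```python
import hashlib
from datetime import date

# Constructed example (not Verifone's or any acquirer's code): how a terminal
# selects a Certification Authority Public Key (CAPK) and why an expired or
# corrupted key leads to a decline. RID, index, modulus and exponent values
# are made-up sample data, not a real scheme key.


def capk_checksum(rid: bytes, index: int, modulus: bytes, exponent: bytes) -> bytes:
    # EMV defines the CAPK checksum as SHA-1 over RID || index || modulus || exponent,
    # so the terminal can detect a corrupted or tampered key entry before using it.
    return hashlib.sha1(rid + bytes([index]) + modulus + exponent).digest()


def make_entry(rid_hex, index, modulus_hex, exponent_hex, expiry, checksum=None):
    rid = bytes.fromhex(rid_hex)
    modulus = bytes.fromhex(modulus_hex)
    exponent = bytes.fromhex(exponent_hex)
    if checksum is None:
        checksum = capk_checksum(rid, index, modulus, exponent)
    return {"rid": rid, "index": index, "modulus": modulus,
            "exponent": exponent, "expiry": expiry, "checksum": checksum}


# Constructed CAPK table keyed by (RID, index). A0000000FF is a placeholder RID.
CAPK_TABLE = {
    # Key that expired at the end of 2022, like the situation described in the post.
    ("A0000000FF", 0x01): make_entry("A0000000FF", 0x01, "C1A2B3D4E5F60718", "03",
                                     date(2022, 12, 31)),
    # Replacement key that a terminal update would have loaded.
    ("A0000000FF", 0x02): make_entry("A0000000FF", 0x02, "0F1E2D3C4B5A6978", "03",
                                     date(2025, 12, 31)),
    # Entry whose stored checksum does not match its key material (simulated corruption).
    ("A0000000FF", 0x03): make_entry("A0000000FF", 0x03, "1122334455667788", "010001",
                                     date(2025, 12, 31), checksum=bytes(20)),
}


def select_capk(table, rid_hex: str, index: int, txn_date: date):
    """Return (status, entry); status is 'ok', 'missing', 'checksum_mismatch' or 'expired'."""
    entry = table.get((rid_hex, index))
    if entry is None:
        return "missing", None
    expected = capk_checksum(entry["rid"], entry["index"], entry["modulus"], entry["exponent"])
    if expected != entry["checksum"]:
        return "checksum_mismatch", entry
    if txn_date > entry["expiry"]:
        return "expired", entry
    return "ok", entry


def terminal_decision(table, rid_hex: str, index: int, txn_date: date) -> str:
    """What the card reader does: proceed only with a valid, unexpired key."""
    status, _ = select_capk(table, rid_hex, index, txn_date)
    return "proceed" if status == "ok" else f"decline ({status})"


if __name__ == "__main__":
    today = date(2023, 1, 15)  # constructed transaction date
    for idx in (0x01, 0x02, 0x03, 0x09):
        print(f"key index {idx:#04x}: {terminal_decision(CAPK_TABLE, 'A0000000FF', idx, today)}")
```

A terminal that cannot receive a new key file is stuck with index 0x01 in this table: every card that points at that key declines after the expiry date, which is the "CAPK expired" symptom the post describes and why the fix is an update where possible and a replacement where not.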

Image: VX520 EMV NFC Verifone terminal

CURRENT RECOMMENDATIONS:

  1. If you want to keep your current acquirer and are interested in exploring technology solutions to enhance business operations, security and your customer experience, contact 3D Merchant Services for cloud technology solutions and compatible terminals. If your acquirer refers you to 3D Merchant Services to solve your CAPK problem, this is how it will be done: equipment and processes WILL change. For 3D Merchant clients, the benefits far outweigh the cost to replace.
  2. If you want to keep your current acquirer and keep your equipment, only your current acquirer can help you resolve the CAPK issue, if feasible. If you do not know how to reach your acquirer, a phone number is provided on your merchant statement.

How to identify if a terminal is end of life

  1. If it’s more than 5 years old, it almost certainly is. Look for the date on the terminal.
  2. Look for PCI PTS version on the terminal.
  3. Call your acquirer.
  4. If your terminal uses PCI PTS 3.x (expired now) or 4.x (expires 2023), PCI PTS being the required certification for devices that accept PIN entry, the time to plan for replacement is NOW. Do not wait. The sources below are not that great because the PCI web site now says to refer to manufacturers for research and limits what is listed on its web site.
  5. Google your “terminal name specifications”. A PDF spec sheet will have the PCI PTS version, or there might be a sticker on the terminal with a date and/or P
  6. Search for devices here on the Official PCI Security Standards web site https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices?agree=true
  7. On manufacturer web sites, look up the terminal security specifications. For example, this shows PCI PTS 4.x approved for the MX 915 currently for sale. https://www.verifone.com/en/us/devices/multilane/mx-915. PCI PTS 4.x expires in April 2023.
    COVID ALERT: Due to supply chain problems, terminals are nationally in short supply for all manufacturers. 3D Merchant Services offers equipment sales only to customers. All terminals ship direct from certified facilities and are billed by the recommended solutions provider.

Call Christine Speedy, 3D Merchant Services owner and Authorized Reseller. Call for simple solutions to payment transaction problems. 954-942-0483, 9-5 ET.