U.S. data breaches Q3 2021

Identity Theft Resource Center to Share Latest Data Breach Analysis with U.S. Senate Commerce Committee; Number of Data Breaches in 2021 Surpasses all of 2020

The number of data breach victims dramatically increased in Q3 2021 due to a series of data exposures during the quarter 

SAN DIEGO, October 6, 2021 – Today, the Identity Theft Resource Center® (ITRC), a nationally recognized nonprofit organization established to support victims of identity crime, released its U.S. data breach findings for the third quarter (Q3) of 2021. According to the data breach analysis, the number of data breaches publicly-reported in the U.S. decreased nine (9) percent in Q3 2021 (446 breaches) compared to Q2 2021 (491 breaches). However, the number of data breaches through September 30, 2021 has exceeded the total number of events in Full-Year (FY) 2020 by 17 percent (1,291 breaches in 2021 compared to 1,108 breaches in 2020). The trendline continues to point to a record-breaking year for data compromises (the all-time high of 1,529 breaches was set in 2017).

For Q3 2021, the number of data compromise victims (160 million) is higher than Q1 and Q2 2021 combined (121 million). The dramatic rise in victims is primarily due to a series of unsecured cloud databases, not data breaches. Also, the total number of cyberattack-related data compromises year-to-date (YTD) is up 27 percent compared to FY 2020. Phishing and Ransomware continue to be, far and away, the primary attack vectors. 

Download the ITRC’s 2021 Q3 Data Breach Analysis and Key Takeaways 

“While the total number of data breaches dropped slightly in Q3, we are only 238 data breaches away from tying the all-time record for data compromises in a single year,” said Eva Velasquez, President and CEO of the Identity Theft Resource Center. “It’s also interesting to note that the 1,111 data breaches from cyberattacks so far this year exceeds the total number of data compromises from all causes in 2020. Everyone needs to continue to practice good cyber-hygiene to protect themselves and their loved ones as these crimes continue to increase.” 

Other findings in the analysis include: 

  • There have been no publicly-reported data breaches to date in 2021 attributed to payment card skimming services.  
  • Some organizations and state agencies are not including specifics about data compromises or reporting them on a timely basis. One state has not posted a data breach notice since September 2020. 

Enhancing Data Security – U.S. Senate Committee Hearing – Oct. 6, 2021

The ITRC will testify before the U.S. Senate Committee on Commerce, Science & Transportation today to present the findings from our Q3 Data Breach Analysis. Watch the hearing on enhancing data security live at 10 a.m. EST/7 a.m. PST.  ITRC COO, James E. Lee, issued a written statement for the record as part of a hearing with the U.S. Senate Committee. 

For more information about recent data breaches, or the increase in the number of data breaches discussed in the latest trend analysis, consumers and businesses should visit the ITRC’s data breach tracking tool, notified.

Anyone can receive free support and guidance from a knowledgeable live-advisor by calling 888.400.5530 or visiting www.idtheftcenter.org to live-chat.

About the Identity Theft Resource Center

Founded in 1999, the Identity Theft Resource Center® (ITRC) is a national nonprofit organization established to empower and guide consumers, victims, business and government to minimize risk and mitigate the impact of identity compromise and crime. Through public and private support, the ITRC provides no-cost victim assistance and consumer education through its website live-chat idtheftcenter.org and toll-free phone number 888.400.5530. The ITRC also equips consumers and businesses with information about recent data breaches through its data breach tracking tool, notified. The ITRC offers help to specific populations, including the deaf/hard of hearing and blind/low vision communities.

CVV Card Verification Value vs 3-D Secure, D365, Dynamics Ax

What’s the difference between Card Verification Value verification and 3-D Secure cardholder authentication? How can each be used in Microsoft D365 F&O or Dynamics AX 2012? Both are solutions to reduce chargeback risk for card not present transactions, but not much else is the same.

The CVV, or Card Verification Value, is a three- or four-digit number on credit cards that adds an extra layer of security for phone and online purchases to help protect against identity theft. CVV, CSC (Card Security Code), and CVV2 all have the same purpose. The “2” means it was created using a newer process to make the number more difficult to guess.

3-D Secure is a protocol providing an additional layer of security for eCommerce transactions prior to authorization. 3-D Secure 1.0 is being retired October 1, 2021, and legacy integrations often require an update.

What are merchant benefits for using 3-D Secure vs CVV?

  • More authorization approvals. False declines are a significant source of lost revenue.
  • Some cards have reduced interchange rates, which are usually over 90% of fees, when the authentication is invoked.
  • Less friction for customers at checkout because it’s more likely to get approved and no need to chat or call for help.
  • Reduced risk of chargeback losses. Fraud liability for “it wasn’t me” automatically shifts to the issuer; merchants do not have to defend those chargebacks, and they never even see them.

At this stage of massive data breaches and stolen data globally, the CVV is just not enough to mitigate chargeback risk because too many compromised cards with CVV data are available on the dark web. Additionally, merchants can experience issuer-generated chargebacks even if an authorization was granted. What? Yes, and there is no recourse. A big issue is following authorization rules. Here are some examples:

  1. A merchant has customer card numbers on file (old school on paper). The merchant key-enters each transaction. This fails the unscheduled credential on file rule, where after the initial authorization, a response code is submitted with each subsequent authorization.
  2. A merchant has customer card numbers on file via stored tokens, with no access to cardholder data. The merchant uses the token to get new authorizations. This can fail the unscheduled credential on file rule, where after the initial authorization, a response code is required with each subsequent authorization; however, the technology used does not support those protocols.
  3. A merchant gets a phone order and enters CVV. The merchant has higher risk of fraud because the customer must self-enter the card number to participate in 3-D Secure authentication.

If you have non-qualified, STD, and other classes of transactions on merchant statements, that usually means that an authorization rule was not followed. So while an authorization code may have been granted, the merchant is at higher risk of a chargeback and usually pays penalty fees.

How can Microsoft D365 and Dynamics AX users leverage the benefits of 3-D Secure 2.0 vs CVV verification? For B2B, I recommend all merchants require their customers to self-manage their payment methods using a payment gateway that supports all the latest authorization rules. (Few do.) For cards that have been stored over multiple years, it’s unlikely that the token stored has the correct data (not visible to merchants) to send with newer transactions. For example, Authorize.net, a popular payment gateway, just started supporting unscheduled credential on file this year, and only on First Data. Ask about our integrated and standalone solutions that include a cloud portal for customers to self-manage payment methods, view payment history, and pay invoices, if applicable.

What payment gateways support customers self-managing payment methods in compliance with all the current rules? Contact us for standalone, Dynamics integrated, Magento and other solutions. Remember, 3-D Secure can only be invoked if the customer entered their cardholder data. For subsequent unscheduled credential on file transactions, CVV and 3-D Secure are not needed, because the cardholder has already verified themselves.

Call Christine Speedy, PCI Council Qualified Integrator Reseller (QIR) certified, for all your card not present, Microsoft Dynamics AX and D365 payment processing needs from ACH to credit cards and more. Get a new merchant account or keep your existing. 954-942-0483, 9-5 ET.

Mandatory Visa logo update

Do you display the Visa logo on your ecommerce web site or other online checkout? Visa’s mandatory deadline to implement updated logos was August 31, 2021. The merchant signage web page below includes all the logos and general requirements and guidelines for use of Visa brand artwork.

Visit Visa brand logos guidelines for partners, acquirers and online merchants, used across credential-on-file, stored credential and online transactions for immediate logo downloads.

When will I receive American Express deposits?

American Express merchant services deposits are now faster. As of April 2021, merchants see deposits the next business day after the transactions are submitted Monday through Friday. As of October 2020, merchants are receiving separate payment deposits for Friday, Saturday and Sunday on Monday to help simplify payment reconciliation.

American Express receipts for small businesses now appear on merchant statements with other credit cards, depending on when the merchant account opened. Older merchant accounts that did not sign up for the new program, merchants that prefer separate statements, and those that do not meet the maximum processing limits receive separate statements from American Express instead of their acquirer.

Call Christine Speedy, PCI Council QIR certified, for all your credit card processing questions and services. 954-942-0483, 9-5 ET.

EMVCo Publishes EMV® 3-D Secure UI/UX Guidelines

New interactive online resource to help card issuers, merchants and solution providers optimise the EMV® 3DS payment authentication experience for e-commerce consumers.


16 August 2021 – Global technical body EMVCo has published EMV® 3-D Secure (EMV 3DS) UI/UX Design Guidelines to help card issuers, banks, merchants and solution providers optimise the EMV 3DS payment authentication experience for e-commerce consumers. The guidelines are publicly available on the EMVCo website in an easy-to-use interactive format.
In e-commerce purchases where EMV 3DS solutions are used, EMV 3DS user interface (UI) and user experience (UX) design refers to the look and feel of the screen that consumers interact with on their device during authentication with their card issuer. This includes how visual components (e.g., logo, colour, iconography, etc.) are displayed in various device layouts, and how information is presented and communicated to guide them through the steps for verifying that they are the legitimate cardholder.
According to an EMVCo-commissioned global market research study¹, consistent, familiar and efficient EMV 3DS UI/UX design is key to instilling consumer trust in the authentication process and optimising the checkout experience during shopping. The new guidelines are designed specifically to help card issuers, merchants and EMV 3DS solution providers achieve this objective and deploy user interfaces for EMV 3DS authentication that support a secure and seamless e-commerce checkout experience.
“Authenticating the individual making the payment continues to be key in the fight against e-commerce fraud. The EMV 3DS UI/UX Guidelines support the consistent implementation of EMV 3DS for fraud prevention to deliver an efficient and trusted e-commerce consumer experience, which benefits the entire payment ecosystem,” said Robin Trickel, EMVCo Executive Committee Chair.
The EMV 3DS UI/UX Guidelines are supplemental to the EMV 3-D Secure User Interface Templates, Requirements, and Guidelines chapter in the EMV 3DS Protocol and Core Functions Specification.
¹ Methodology: Qualitative and quantitative usability study conducted in 2019-2020. Featured surveys with 650+ participants in UK, Brazil, China, France, Singapore and the U.S.


To learn more, view the EMV Insights post: Optimising the EMV 3DS Payment Experience: UI/UX Design Guidelines.
About EMV 3DS
EMV 3DS is a fraud prevention technology that enables consumer authentication, without adding unnecessary friction to the payment process that often leads to abandoned purchases. The EMV 3DS Specification provides a common set of requirements product providers can use to integrate this technology into their solutions to support seamless and secure e-commerce payments. View the EMV 3DS Press Kit to learn more.