Prevent theft with Visa tips on merchant security at the point of sale

Increasingly, criminals with sophisticated tools are actively targeting vulnerable merchant  point-of-sale (POS) terminals to steal payment card data and PINs for counterfeit fraud purposes. Criminal gangs worldwide are illegally accessing active POS terminals and modifying them by inserting an undetectable electronic “bug” that captures cardholder data and PINs during normal transaction processing.

Visa has released an excellent bulletin all brick and mortar merchants should read.

Point-of-Sale Terminal Tampering (pdf download)
Is a Crime . . .
and You Can Stop It


Fraud Risks and methods to identify and prevent credit card fraud

Results from the 2010 LexisNexis True Cost of Fraud study show that 20% of merchant fraud losses are attributed to friendly fraud, 42% to lost or stolen merchandise, 18% to identity fraud, and 20% to  fraudulent requests for a return/refund. Friendly fraud occurs when a consumer purchases an item online and receives the product but claims not to have received it, requesting a refund
or chargeback from the merchant or delivery of a duplicate item.

Prevention holds the greatest impact in minimizing fraud losses.

Fraud Loss by Company Size, Product Type, Channel and Industry, 2010 Company Size

Small Company avg <$1M revenues Medium Company Avg $5M revenues Large Company Avg >$50M revenues
Average annual fraud 

amount ($)

$2,145 $104,000 $6,767,000

For the complete study, get it free by registering at the Lexis Nexus web site:  2010 LexisNexis True Cost of Fraud.


Friendly fraud– A small business owner was able to successfully defend against consumer claim that box was delivered empty by showing Fedex records of the weight. The difficulty with this going forward is that new rules have a 180 day chargeback period. Make sure your shipping company keeps those records for as long as you need them.

Identity fraud– Unless there is an issue of verifying ownership, such as when a customer is picking up a car left for repair, merchants cannot ask for a drivers license or other identification for a standard transaction. However, there are many other ways to prevent this type of crime. In the brick and mortar world, a mandatory check for the last 4 digits is a simple and effective way to block cloned credit cards. Due to the global nature of our society, requiring the zip code would frequently result in too many declines. However, you can add additional filters with our payment processing platform that sits in front of your existing processor. Essentially it is your fraud protection dashboard where you control in real-time the level of risk you’re will to accept either by blocking specific transactions entirely, or by sending automated email alerts to managers who then can assess the situation. This works very similar for online transactions.


2011 Data Breach report insider theft credit card processing

In this first article of a series we explore insider theft, related to data breaches,  based on key elements of the Verizon 2011 data breach report.  The number of 2010 data breaches exploded in companies with 11 to 100 employees. A key commonality is simply the opportunity was there.

The 2011 Data Breach Investigations Report (DBIR) is a study conducted by the Verizon RISK team in cooperation with the U.S. Secret Service and the Dutch High Tech Crime Unit.

Who is behind the data breaches?

  • 92% external agents
  • 17% implicated insiders
  • < 1% business partners
  • 9% involved multiple parties

How do breaches occur? ?

  • 50% involved some sort of hacking
  • 49% incorporated malware
  • 29% physical attacks
  • 17% from privilege misuse
  • 11% employe social tactics

What commonalities exist?

  • 83% were victims of opportunity
  • 92% were not difficult
  • 76% of all data was compromised from servers
  • 86% discovered by a third party
  • 96% were avoidable through simple or intermediate controls
  • 89% of victims subject to PCI-DSS had not achieved compliance

End of excerpt. Continue reading for blog author comments.

healthcare company stores credit card data on servers, unencrpyted. Their excuse? It’s not connected to the actual credit card processing and access is restricted so it’s not a PCI Compliance problem.  See related article Shocking lack of payment processing security in healthcare industry. No data breach yet, but statistically, the company is at great financial risk, including up to  $1.5 million fine for violating the HITECH ACT.

Employees at a car dealer tape passwords next to their computer and in the first unlocked drawer of their desk. Their excuse?  It’s too hard to remember the password and they don’t acknowledge it’s a security issue.

Employees at a retail rental shop have a file folder in plain view of anyone entering the shop containing copies of drivers licenses and the front and back of credit cards. Their excuse? They didn’t know they couldn’t do it and didn’t know of an alternative method that would meet their needs to bill customers if they never returned with the goods.

Think these are exceptions? Businesses everywhere have these problems in some fashion. As each of these examples illustrate,  employee training is essential. Industry wide, merchants are completing  PCI Compliance Security Standards data worksheets. At that point in time, the merchant can be certified PCI Compliant. But without internal enforcement and training, the merchant is generally not compliant when a data breach occurs and thus is fully liable for all the associated fines, fees and damages.

In conclusion, the establishment of training procedures and distribution of data security expectations to employees is essential. Most employees are honest, right? But when companies have lax security policies, it presents an OPPORTUNITY for good employees to break the law.

Here’s three things you can do to mitigate internal employee risk:

  1. Create a data security training checklist for all employees handling sensitive data. Update the training and content quarterly or at least once per year. The employee cannot accept credit cards or any sensitive data until they’ve completed training, plus sign and date the checklist.
  2. Make data security a formal part of employee performance reviews. Require annual checklist review and signature at the time of performance reviews.
  3. Implement a reward system for identifying vulnerabilities of real life practices- whether people, software, or hardware.

Bonus: Implement a hosted payment processing solution with extensive tools to prevent internal fraud. Call for information.

Shocking lack of payment processing security in healthcare industry

There’s room for improvement in medical billing for card not present transactions. The lack of security in the healthcare industry with respect to payment processing is evident in nearly every business I’ve interviewed in the last two years. With all the effort put into HIPAA, you’d think they’d be more likely to be PCI Compliant than other industries, but in my experience talking to and interacting with healthcare  companies, I think 50% PCI DSS  (Payment Card Industry Data Security Standards) Compliance would be extremely optimistic.

So what’s got my gander up today? A widespread lack of security by healthcare suppliers with my HSA debit card data. Before giving out my credit card information, I always ask what they are going to do with it.  As a cardholder, I have a right to know. Like many Americans, I have an HSA account and funds for payments are accessible only via a debit card. That means any misuse could wipe out the account.  Under Visa’s Zero Liability policy  consumers are not held responsible for fraudulent charges made with the card or account information, but identity theft is another matter the consumer is left to deal with.

I talked to three different personnel for the story that follows. The last one said the first two didn’t entirely follow normal protocol, which does nothing to spare them from the liabilities associated with identity theft.

This article is about a medical industry merchant storing credit card data in a database and the misunderstanding of potential  liability exposure as a result. Storing card data even for 24 hours poses a huge risk both financially and criminally. In this article we’ll review their processes and solutions to mitigate risk.

First, let’s review the payments process.  Consumers receive invoices in the mail. They can mail a check or pay by Visa or MasterCard by returning a form, or call on the phone. The merchant then uses a multi-step process to collect the information and process it.


credit card payment form

This invoice format is quite common for medical billing.

RISK: Merchant collects the CVV code, listed as signature code above, and bills are sent to a their corporate office. Collecting and storing CVV codes is always a bad idea. The mail could be stolen by internal employees familiar with the billing process. Someone could copy or even quickly photo each billing form. It’s doubtful they could prove PCI Compliance and would likely have no safe harbor in the event of a data breach.

SOLUTION: Remove the security code from the form. Have all bills sent to a lockbox. Reduce mail payments by enabling customers to pay their bills online.


The first person to take my payment was covering for someone who was on vacation or otherwise out of the office.

  • She took down my invoice number and credit card information on a piece of paper. She entered something into their billing system so there was  a record of my call and payment.
  • The paper went into an “in box”. It was Friday.
  • The person emptying the “in box” and posting payments would be in Monday to complete the transaction.
  • Monday the posting person key entered the transaction into a desktop terminal.
  • Tuesday, presumably,  paper was shredded. The paper is held for a day to ensure the payment went through properly so the customer does not need to be called.

RISK:  The paper with full card data was exposed for up to 5 days. Was the ‘in box’ emptied and put in a locked drawer when not being worked on, including breaks? Do cleaning personnel have access to the facility on evenings and weekends?

SOLUTION: Enter the card information directly into our smart virtual terminal. Some flexible options include:

  • Entering the card and customer data and instantly charging the account. In this case, you can enter the CVV for extra fraud protection.
  • Creating a customer and entering the card information for later billing. Using a process called tokenization, the card data is stored encrypted on PCI Compliant servers, never at the merchant location.  CVV is NEVER stored, not even encrypted, since it’s against card association rules.
  • Entering the card and customer information and obtaining an authorization only, for other personnel to charge later.

The seccond person to take my payment on a future date was the actual representative for my account.

  • She entered information in the billing system so there was  a record of my call and payment.
  • My card data, including CVV,  was entered into a ‘notes’ section of the billing database.
  • The customer service representative has no access to see the card data after it is entered.
  • An accounting person retrieves the card data for payment in bulk with others within 1 business day.
  • The posting person key enters the transaction into a dial-up desktop terminal.
  • The next business day, presumably,  the computer notes are deleted.

RISK:  Full card data is exposed on a computer network. It doesn’t matter that access is restricted to certain personnel. This data storage is certainly a violation of FACTA and PCI Compliance standards, and probably HIPAA too. The merchant is open to both criminal and financial penalties in the event of a data breach. Additionally, the merchant would need to securely wipe or destroy every associated hard drive removed from service in the future to eliminate data theft potential.

SOLUTION: Enter the card information directly into our smart virtual terminal, same as above.

What are the financial risks with this data exposure?

  • Replacement cost per card compromised, $25.
  • Mandatory consumer credit report service for one year, $12/mth per card holder.
  • Reimburse all claims from card associations.
  • Fines from FACTA, HIPAA, and PCI Compliance violations
  • Your business could come to a screeching halt while a forensics team investigates.
  • Bad PR could result in loss of business.

What are the criminal risks associated with card data exposure? Felony.

FINAL NOTES: There is some use of an online gateway within the organization, but those details are unknown. I spoke to staff that believes since the payment processing is via a dial up terminal and is not connected to the card data in the database, that there is no risk. That is completely untrue. The company would not only save time by reducing steps, but would tremendously reduce risk by key entering card data directly into a virtual terminal. Moreover, an intelligent VT would provide a boatload of other benefits.

Ignorance is not an excuse. PCI Compliance standards were established nearly a decade ago. A critical first step to compliance and mitigating risk is a solution that supports all your payment processing needs. We offer that solution.

See also related article, How to reduce time and money for outpatient procedure billing.

On a side note, based on the invoice billing form, the merchant is not accepting American Express cards, probably because they don’t want to pay the high fees associated with Amex. If managing costs to improve EBITDA is important, our hosted payment processing platform with intelligent switch is critical.