Because many merchants are on high alert for data breaches, I’m afraid some might be fooled by this phishing scam, which affects many merchants. I received this Flash news for First Data Retail merchants on the North platform.
“First Data has learned of a widespread phishing attack telling recipients that their merchant ID has been locked.
Unsolicited email containing errors should always raise a red flag, especially if combined with a call to action, such as calling a toll-free number or clicking on a link. If you receive an email similar to the one below, immediately delete it from your inbox and deleted items folder. Do not open any attachments. No further action is required on your part.
If you are a merchant who called the toll-free number below and gave your merchant ID, please call the contact center number on your statement so that First Data can help you monitor for fraudulent activity on your account.”
Below is a copy of the current message. The indicators that this is a phishing scam email are noted after each line (shown in red font in the original).
From: FirstData [mailto:verifyaccount@
Sent: Monday, February 10, 2014 9:58 AM
Dear customer, ← not personalized with merchant contact information
We regret to inform you that your merchant account has been locked. ← no specific account number provided
To continue using our services please call our tool free number +18664103984 and update your information. ← misspelling and no specific merchant services listed
Please be ready with your Merchant ID and Terminal ID number. ← no description of process to unlock account
### End of phishing scam notice ###
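As an added example (not code from the original post and not anything First Data provides), the indicators noted above can be turned into a small heuristic check that a mail administrator could run over incoming notices: generic salutation, no specific account identifier, a phone-number call to action, known misspellings, a request to supply merchant identifiers, and a display name that claims the brand while the sending domain does not. Both sample messages, the sender addresses, the phone number, the brand token and the trusted-domain list are constructed or assumed for illustration.

```python
"""Heuristic phishing-indicator check for merchant-account notices.

Added example, not part of the original post. All sample data, the brand
token and the trusted-domain list are constructed assumptions.
"""
import re

# Constructed sample modelled on the phishing notice quoted in the post. The
# sender address and the phone number are placeholders, not the real ones.
PHISHING_MESSAGE = {
    "from": "FirstData <verifyaccount@example.invalid>",
    "body": (
        "Dear customer,\n"
        "We regret to inform you that your merchant account has been locked.\n"
        "To continue using our services please call our tool free number "
        "+1-800-555-0100 and update your information.\n"
        "Please be ready with your Merchant ID and Terminal ID number.\n"
    ),
}

# Constructed sample of a notice that follows the post's advice: personalised,
# names the account, and points to the statement rather than a number in the mail.
LEGITIMATE_MESSAGE = {
    "from": "First Data <noreply@firstdata.com>",
    "body": (
        "Dear Jane Smith,\n"
        "This notice concerns Merchant ID: 12345678.\n"
        "For questions, refer to the customer service number printed on your "
        "monthly statement.\n"
    ),
}

# Assumed brand token and legitimate sending domain (not verified against First Data).
BRAND_TOKEN = "firstdata"
TRUSTED_DOMAINS = {"firstdata.com"}

# Generic salutation with no recipient name.
GENERIC_SALUTATION = re.compile(
    r"^\s*dear\s+(customer|user|client|merchant|member)\b", re.I | re.M)
# "call" followed within 40 characters by something that looks like a phone number.
PHONE_CTA = re.compile(r"\bcall\b.{0,40}?\+?\d[\d\-\s()]{8,}\d", re.I | re.S)
# An account reference that actually carries an identifier (4+ digits).
ACCOUNT_REF = re.compile(
    r"(merchant\s*id|account)\s*(number|#|no\.?)?\s*[:#]?\s*\d{4,}", re.I)
# A request to supply credentials or merchant identifiers.
CREDENTIAL_REQUEST = re.compile(
    r"\b(ready with|provide|enter|confirm|update)\b.{0,60}?"
    r"\b(merchant id|terminal id|password|pin)\b", re.I | re.S)
# Small constructed list of misspellings that recur in phishing mail.
MISSPELLINGS = ("tool free", "recieve", "verfiy")


def sender_domain(from_header):
    """Domain of the address in a From header, e.g. 'example.invalid'."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = m.group(1) if m else from_header
    return addr.rsplit("@", 1)[-1].strip().lower()


def display_name(from_header):
    """Display-name part of a From header, or '' when there is none."""
    name = from_header.split("<", 1)[0] if "<" in from_header else ""
    return name.strip().strip('"')


def phishing_indicators(message, trusted_domains=TRUSTED_DOMAINS):
    """Return the list of indicators found in the message (empty means none)."""
    body = message["body"]
    found = []
    if GENERIC_SALUTATION.search(body):
        found.append("generic salutation")
    if not ACCOUNT_REF.search(body):
        found.append("no specific account identifier")
    if PHONE_CTA.search(body):
        found.append("phone-number call to action")
    for wrong in MISSPELLINGS:
        if wrong in body.lower():
            found.append("misspelling: " + wrong)
    if CREDENTIAL_REQUEST.search(body):
        found.append("asks for account credentials or identifiers")
    domain = sender_domain(message["from"])
    name = re.sub(r"[^a-z]", "", display_name(message["from"]).lower())
    if domain not in trusted_domains:
        found.append("sender domain not trusted: " + domain)
        if BRAND_TOKEN in name:
            found.append("display name claims the brand but the domain does not")
    return found


def is_suspicious(message, threshold=3):
    """True when at least `threshold` indicators are present."""
    return len(phishing_indicators(message)) >= threshold


if __name__ == "__main__":
    for label, msg in (("phishing sample", PHISHING_MESSAGE),
                       ("legitimate sample", LEGITIMATE_MESSAGE)):
        hits = phishing_indicators(msg)
        verdict = "SUSPICIOUS" if is_suspicious(msg) else "ok"
        print(f"{label}: {verdict} ({len(hits)} indicators)")
        for hit in hits:
            print("  -", hit)
```

The threshold is deliberately low because each indicator on its own is weak; a legitimate notice that names the merchant, carries the account identifier and refers the reader to the statement produces none of them, while the quoted scam trips most of the list at once.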
For your convenience, I’ve also included an image of what a typical real newsflash includes. NOTE: The yellow highlights were from my email program, not from First Data’s actual email footer.
As always, merchants need to be vigilant and follow these tips for account security:
- Never give out information to someone who calls you.
- Always refer to the phone number on your merchant statement, not something in an email.
- Never click on an unsolicited email link to modify passwords; always go directly to the site.
- Read the newsflashes that are in the first part of merchant statements.
- Segment access to merchant data and permissions by job role.
Increasingly, criminals with sophisticated tools are actively targeting vulnerable merchant point-of-sale (POS) terminals to steal payment card data and PINs for counterfeit fraud purposes. Criminal gangs worldwide are illegally accessing active POS terminals and modifying them by inserting an undetectable electronic “bug” that captures cardholder data and PINs during normal transaction processing.
Visa has released an excellent bulletin that all brick-and-mortar merchants should read:
Point-of-Sale Terminal Tampering Is a Crime . . . and You Can Stop It (pdf download)
Safe Harbor is a term used to describe the protection of business entities from significant financial liability related to payment processing and data breaches. The law and the specific Safe Harbor protection rules are continually evolving. What’s most important for MERCHANTS to understand is that by maintaining the Payment Card Industry Data Security Standard (PCI DSS), also known as PCI compliance for short, and being able to prove it, you are protecting not only your customer data and reputation, but the financial health of your company.
What is Safe Harbor?
Safe harbor is the outcome of the PCI certification process and provides members protection from fines and compliance exposure in the event of a data compromise. To attain safe harbor status:
- A member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation.
- A member, merchant, or service provider must demonstrate that prior to the compromise their merchant had already met the compliance validation requirements, demonstrating full compliance. Note: The submission of compliance validation documentation, in and of itself, does not provide the member safe harbor status. The entity must have adhered to all the requirements at the time of the compromise.
Below are links to more information on the subject:
A Closer Look at the PCI Compliance and Encryption Requirements of Nevada’s Security of Personal Information Law (posted on March 10, 2010 by David Navetta)
This is a published MasterCard statement from 2006 regarding Safe Harbor: MasterCard will fully exempt acquirers from data security-related noncompliance assessments, investigative costs, and issuer reimbursement costs if the compromised entity:
- Is found to have been compliant with the Payment Card Industry (PCI) Data Security Standard at the time of the compromise, and
- Was registered on MOL (in the MRP system) as compliant at the time of the compromise.
Visa defines safe harbor as the following:
“Safe harbor provides members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise.”
Visa Compliance Fines
If a member, merchant or service provider does not comply with the security requirements or fails to rectify a security issue, Visa may fine the responsible member. Visa may waive fines in the event of a data compromise if there is no evidence of non-compliance with PCI DSS and Visa rules. To prevent fines a member, merchant, or service provider must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation. Additionally, a member must demonstrate that prior to the compromise the compromised entity had already met the compliance validation requirements, demonstrating full compliance.
Here’s what’s on our North Carolina Government State Comptroller web site:
What is a Safe Harbor? Safe harbor is an element of Visa’s CISP that provides member banks a potential protection from Visa fines and compliance exposure in the event their merchant experiences a data compromise. MasterCard’s SDP has a similar program called SDP Program Registration. Since a merchant must maintain full compliance at all times, including at the time of breach as demonstrated during a forensic investigation, the safe harbor provision offers little protection.
Visa Cardholder Information Security Program (CISP)
Links to general Visa information, not specific to Safe Harbor.
PCI Security Standards – the official organization with everything you need to know to become compliant; not specific to Safe Harbor.
Visa’s Top Five Data Security Vulnerabilities (PDF download)