Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘ POS security ’

…………………………………………………………………………………………………………………………………
Welcome to the Bi-Weekly Best of the Web – a great way to catch up on recent commentary and compelling content from across the Web.  Every other Friday, we’ll post insightful news articles, noteworthy blog posts and more related to the world of payments, payment data security and technology.
…………………………………………………………………………………………………………………………………
Why Credit Card Fraud Grows 
Missing the Mark on Secure Card Tech Will Haunt Any Issuer
by Tracy Kitten
Payments card fraud is a growing concern for U.S. card issuers, yet few have taken dramatic steps to fight it.  Last week’s announcement that major card brands and domestic issuers are joining forces to create an EMV Migration Forum reflects at least some interest in enhancing payment-card security…….Click here to read more

Starbucks/Square partnership: what does it mean?
by Javelin Strategy & Research
The Starbucks/Square partnership certainly is among the major recent announcements related to in-store mobile payments, and has the potential to significantly help jump-start adoption. While I don’t agree with some of the more euphoric comments that this one move is the singular event that ushers in mobile payments, it is a big deal……. Click here to read more

RetailNOW: The High Cost of POS Security Failures
by Vertical Systems Reseller
Solution providers were given a wake-up call about the perils of point-of-sale security breaches on Monday at RSPA’s RetailNOW convention. Secret Service Agent Jason Berryhill, a POS fraud specialist, addressed the packed audience and dropped some very serious statistics……. Click here to read more

…………………………………………………………………………………………………………………………………

What other interesting content have you come across? Leave a comment below and join the discussion!
…………………………………………………………………………………………………………………………………

With more than 25,000 guests visiting each month, Fantasy Springs Resort Casino, owned by the Cabazon Band of Mission Indians, is known for providing luxurious accommodations, the finest cuisine, exciting entertainment, and a world-class casino.

Fantasy Springs is also on the cutting-edge when it comes to payments and transaction security.  Following is an exclusive podcast with Don Lindsey, Fantasy Springs Resort Casino’s Director of Information Technology, who discusses transaction security trends and their use of tokenization.

By Sue Zloth

For years, we’ve been hearing about the mobile wallet.  The idea that you could tap your phone to pay for an item instantly, without having to carry cash or plastic, is appealing.  It used to seem a bit futuristic, but mobile near-field communication (NFC) payments are here, with Google at the forefront with its mobile wallet.

While it is exciting that mobile payments are here, most of us in the payments industry are still aware of the many unknowns that exist.  So I was pleased to see this blog post from Avivah Litan of Gartner, which outlines all the major unknowns that come with mobile payments.

One unknown the post does not mention, but one that will matter to merchants, is the security of the payment data itself.  An NFC transaction, like a traditional point-of-sale (POS) transaction, still hands the merchant a card number that has to be protected in transit and at rest, so it requires the same layered approach to security.  Merchants who are struggling to secure card-present transactions today will need to consider how they will secure mobile transactions in the near future.

Read below to see what Avivah has to say:

I’m as excited as anyone about the prospects of mobile NFC payments, and it was good to see Google line up much-needed cooperation from MasterCard, Sprint, Citi, and some retailers with its new Google Wallet initiative. We just wrote a Gartner First Take that explores the benefits of Google Wallet as well as the hurdles to adoption.

In my opinion, the main hurdle is convincing retailers to accept these new payment types. In watching payment systems evolve over the past decade and more, I’ve come to strongly believe that it’s the sellers (or retailers) that drive new payment system adoption. And I just don’t see a strong enough value proposition for the retailers out of the gate to drive success here. Sure, in the long run, there is likely to be value with customer acquisition and retention generated via the Google Offers (advertising, coupons, loyalty, etc.) program. But it’s the short run that immediately matters because if we don’t get past the short run hurdles, there won’t be any significant adoption.

And in the short run – the expense and costs for this new program will probably outweigh the benefits for most retailers that consider it, unless of course Google and other Google Wallet participants PAY merchants to join (which is a common approach struggling new payment systems have taken in the past).

In my opinion, the big unknowns are:

a) why are merchants requiring signatures on these contactless transactions, which defeats the (albeit questionable) promise of speed and convenience at the checkout lane?

b) what in fact are the interchange fees that the retailers will have to pay? Retailers pay more for signature based payment card transactions than they do for PIN ones, and even with low value debit payments that don’t require signatures, my understanding from talking with retailers is that contactless debit payments typically cost merchants more than debit card-swipes.

In fact, retailers have been known to shut off contactless payments over interchange disputes. For example, Storefront Backtalk (www.storefrontbacktalk.com) reported early last year on Best Buy’s dispute with Visa over its contactless debit card payment interchange policies and fees, which led the mega-retailer to stop accepting Visa’s contactless transactions. The news group, a rich and well-respected source for retail industry information, also disclosed issues other large retailers had with the contactless fee structure.

Indeed, interchange fees paid for credit and debit card payment processing are a sizable chunk of many retailers’ balance sheets (the second largest line item at Target, for example, right after labor costs).  It’s a constant source of friction between retailers and the banks, and is being hotly debated as part of the Durbin amendment, which threatens to dramatically reduce bank debit card interchange fees.

So while mobile payments are not just about payments – they are trying to be about the entire customer shopping experience – fees play a critical role in merchant willingness to promote new payment types. Most retailers will already have to upgrade their POS equipment to accept the contactless payments. And now they have to be willing to forgo lower interchange fees on PIN debit.

I’m just not sure this is going to fly, despite the mobility.

I’ve been reading the latest news about the point-of-sale (POS) breach at Michaels Stores, the arts and crafts retailer, in which attackers appear to have replaced PIN entry devices (PEDs) with their own terminals designed to skim card data and capture PINs.  Unfortunately, this is not an unfamiliar story.  Remember the Aldi breach from a few months ago?  Both are examples of coordinated, multi-state attacks on POS systems.

Hackers are becoming smarter and are identifying and exploiting new weaknesses among merchants.  This is also one more example demonstrating that PCI compliance alone is not enough.  Neither the PCI DSS nor the PIN Transaction Security (PTS) requirements in force at the time of this breach called for payment terminal identification or other controls that would have helped detect this attack.  (PCI DSS v3.0 later added Requirement 9.9, which calls for an inventory of card-capture devices and periodic inspection for tampering or substitution.)  I have to assume a company with Michaels’ reputation was PCI compliant, so this may be another unfortunate example of compliance falling short of good security practice.

We don’t know all of the details of these particular breaches, but from what we do know, had point-to-point encryption (P2PE) been in place, the swapped terminals would not have held the keys the merchant’s decryption host expects: their transactions would have failed to decrypt and error codes would have been returned to the POS, alerting the merchant to the problem at transaction 3 or 4 instead of month 3 or 4.
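The detection described above, as an added example that is not part of the original post or any vendor’s product: a toy P2PE host with a per-terminal key derived from a base derivation key (BDK), a genuine PED, and a substituted device that carries a cloned serial label but never received the injected key. The cipher (HMAC-SHA256 keystream plus an HMAC tag) is a standard-library stand-in for the TDES/AES and DUKPT used by real SRED-listed terminals, and the serials, BDK and PAN are constructed test values.

```python
"""Toy point-to-point encryption (P2PE) host that notices a substituted PIN pad.

Added example, not Merchant Link's or any vendor's code. Each terminal holds a
key derived from a base derivation key (BDK) and its serial number; the host
holds the same BDK and can derive any fleet key. The cipher here (HMAC-SHA256
keystream plus an HMAC tag, encrypt-then-MAC) is a stdlib stand-in for the
TDES/AES + DUKPT used by real SRED-listed devices. Serials, BDK and the PAN
are constructed test values.
"""
import hashlib
import hmac
import secrets

# Constructed BDK: lives only in the key-injection facility and the decrypting
# host (in practice, inside an HSM). It is never present on a terminal.
BDK = bytes.fromhex("0123456789abcdeffedcba9876543210" * 2)


def derive_device_key(bdk, serial):
    """Per-device key bound to one serial (simplified; real P2PE uses DUKPT)."""
    return hmac.new(bdk, b"device-key:" + serial.encode(), hashlib.sha256).digest()


def _keystream(key, counter, length):
    """Deterministic keystream for one transaction counter; never reuse a counter."""
    out = b""
    block = 0
    while len(out) < length:
        msg = counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, b"enc:" + msg, hashlib.sha256).digest()
        block += 1
    return out[:length]


def _tag(key, serial, counter, ciphertext):
    """Encrypt-then-MAC tag binding ciphertext to the claimed serial and counter."""
    msg = serial.encode() + counter.to_bytes(8, "big") + ciphertext
    return hmac.new(key, b"tag:" + msg, hashlib.sha256).digest()


class Terminal:
    """A legitimate PED holding the key that was injected for its serial."""

    def __init__(self, serial, key):
        self.serial, self.key, self.counter = serial, key, 0

    def build_message(self, pan):
        self.counter += 1
        ks = _keystream(self.key, self.counter, len(pan))
        ct = bytes(a ^ b for a, b in zip(pan.encode(), ks))
        return {"serial": self.serial, "counter": self.counter, "ciphertext": ct.hex(),
                "tag": _tag(self.key, self.serial, self.counter, ct).hex()}


class SwappedTerminal(Terminal):
    """Attacker's device: wears a cloned serial label but never received the
    injected key, so it can only encrypt under a key of its own."""

    def __init__(self, cloned_serial):
        super().__init__(cloned_serial, secrets.token_bytes(32))


class Host:
    """Decrypting host: knows the fleet inventory and raises an alert on the
    first message that does not verify under the key for its serial."""

    def __init__(self, bdk, fleet_serials):
        self.keys = {s: derive_device_key(bdk, s) for s in fleet_serials}
        self.alerts = []

    def process(self, msg):
        serial, counter = msg["serial"], msg["counter"]
        key = self.keys.get(serial)
        if key is None:
            self.alerts.append(f"UNKNOWN_TERMINAL serial={serial}")
            return "DECLINE_UNKNOWN_TERMINAL", None
        ct = bytes.fromhex(msg["ciphertext"])
        if not hmac.compare_digest(_tag(key, serial, counter, ct), bytes.fromhex(msg["tag"])):
            # Wrong key or tampered payload: decryption fails on the very first transaction.
            self.alerts.append(f"DECRYPT_FAIL serial={serial} counter={counter}")
            return "DECLINE_DECRYPT_FAIL", None
        pan = bytes(a ^ b for a, b in zip(ct, _keystream(key, counter, len(ct)))).decode()
        return "APPROVED", pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def run_demo():
    """Two sales on the genuine PED-0001, then two on a device swapped in for PED-0002."""
    pan = "4111111111111111"  # constructed test PAN, not a real account
    host = Host(BDK, ["PED-0001", "PED-0002"])
    genuine = Terminal("PED-0001", derive_device_key(BDK, "PED-0001"))
    rogue = SwappedTerminal("PED-0002")
    results = []
    for term in (genuine, genuine, rogue, rogue):
        status, masked = host.process(term.build_message(pan))
        results.append((term.serial, status, masked))
    return results, host.alerts


if __name__ == "__main__":
    for row in run_demo()[0]:
        print(row)
```

The genuine terminal’s two sales decrypt and are approved; the swapped device is declined on its first message, and the host’s alert names the serial and counter, which is the signal a merchant can page on. The same check also catches a terminal whose serial was never enrolled, so the host doubles as the terminal identification the standards did not require.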

The fact is that hackers will continue to prey on the weakest link for the greatest return.  By attacking POS systems and PIN pads, they can reach a gold mine of payment data unless a higher level of security is in place.

The moral to this story?  PCI compliance is needed…but it is just a start.  Increased security is a must.

Originally featured on Tnooz

Day Two: Easy things you can do that cost little or no money


Merchants are easily overwhelmed when it comes to achieving PCI compliance and securing credit card information.

Most already know that they must do more when it comes to protecting their customers’ data, but many feel they don’t have the time or money to do it properly.

Still, without security and trust, customers will start to disappear. But let’s be honest – hotel owners and operators are not security experts.

In today’s economy, most operators are more concerned with keeping their doors open.

So as the PCI Council continues to add steps and requirements to the standards, most operators clearly lack the time, the resources and the expertise to ensure that they are compliant.

So let’s start with some easy steps that can help you adhere to the standards without costing you too much time or money. These are the basics:

  • Block the unwanted: Install a firewall to block unauthorized access to your computer systems, and allow only the inbound connections your POS actually needs.  Consumer-grade firewalls require minimal configuration and cost very little.
  • Patch your systems: When a POS application or system vulnerability is identified, the vendor typically releases a patch to keep it from being exploited.  Most patches are free and can be downloaded and installed automatically; a patch left waiting is an open door.
  • Use strong passwords: Change the vendor default passwords on every POS component before it goes live, change passwords on a regular basis, and use a combination of letters, numbers and special characters.  Passwords should be easy to remember but hard for others to guess.  This is an easy, cost-free security measure.
  • Know where the data is: Determine where credit card data is stored on the network.  Is there an inventory?  When is it essential to store it at all?  Most organizations can probably eliminate 50% of the credit card data they store.  If credit card data is not stored on your systems, the scope of your PCI compliance assessment can be significantly reduced.
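One way to start the inventory the last step asks for, as an added example that is not from the original post: a small cardholder-data discovery scanner. A digit-run regular expression finds candidate card numbers in text files, the Luhn check discards most false positives (order numbers, phone numbers, invoice numbers), and each hit is reported as file, line and a masked PAN rather than the full number. The sample files are constructed here; a real scan also has to cover databases, backups, print spools and memory dumps, which this example does not.

```python
"""Find where card numbers (PANs) live on disk so you can inventory and delete them.

Added example, not from the original post. A digit-run regex finds candidates
and the Luhn check discards most false positives (order numbers, phone numbers);
hits are reported as file, line and a masked PAN, never the full number. The
sample files below are constructed; real scans also need to cover databases,
backups, spool files and memory dumps.
"""
import os
import re
import tempfile

# 13 to 19 digits, optionally separated by spaces or dashes, not part of a
# longer digit run (so a 20-digit ID is not chopped into a "PAN").
PAN_PATTERN = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_ok(digits):
    """Luhn (mod-10) check digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits):
    """PCI-style display: first six and last four digits only."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans_in_text(text):
    """Yield (line_number, masked_pan) for every Luhn-valid candidate in text."""
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_PATTERN.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                yield lineno, mask(digits)


def scan_directory(root, extensions=(".txt", ".log", ".csv", ".xml", ".json")):
    """Walk root; return {path: [(line, masked_pan), ...]} for files with hits."""
    hits = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    found = list(find_pans_in_text(fh.read()))
            except OSError:
                continue
            if found:
                hits[path] = found
    return hits


# Constructed sample tree: a POS export, an application log that leaks a PAN,
# and a file whose long numbers are not card numbers.
SAMPLE_FILES = {
    "pos/export.csv": "txn_id,card,amount\n"
                      "1001,4111111111111111,19.99\n"
                      "1002,5500 0000 0000 0004,42.00\n",
    "pos/app.log": "2011-05-12 10:01:03 auth ok order=98765432101234567 amt=10.00\n"
                   "2011-05-12 10:02:11 token=9f3c1a card=3782-822463-10005\n",
    "reports/phone_list.txt": "front desk 555-0123-4567\n"
                              "invoice 1234567890123456\n",
}


def run_demo():
    """Write the sample tree to a temporary directory, scan it, return relative paths."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        hits = scan_directory(root)
        return {os.path.relpath(p, root).replace(os.sep, "/"): v for p, v in hits.items()}


if __name__ == "__main__":
    for path, found in sorted(run_demo().items()):
        for lineno, masked in found:
            print(f"{path}:{lineno}: {masked}")
```

The 17-digit order number and the 16-digit invoice number both match the regex but fail the Luhn check, so only the export file and the log line that carries a card number are reported. Point the scanner at the POS server and the back-office file shares first; every file it flags is either something to delete or something that has to be inside the scope of the PCI assessment.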

Using a multi-layered approach to secure critical assets needs to be a priority.  If the hotel’s systems are secure, compliance will largely fall into place.