Merchant Link SecurityCents

A blog that comments on the latest developments in the world of payments, payment data security and technology, PCI compliance, and more.

Posts Tagged ‘ VISA ’

Welcome to the Bi-Weekly Best of the Web – a great way to catch up on recent commentary and compelling content from across the Web.  Every other Friday, we’ll post insightful news articles, noteworthy blog posts and more related to the world of payments, payment data security and technology.

Researchers: Chip and PIN Enables ‘Chip and Skim’
by KrebsonSecurity
Researchers in the United Kingdom say they’ve discovered mounting evidence that thieves have been quietly exploiting design flaws in a security system widely used in Europe to prevent credit and debit card fraud at cash machines and point-of-sale devices.
At issue is an anti-fraud system called EMV (short for Europay, MasterCard and Visa), more commonly known as “chip-and-PIN.” …

Bricks to Benefit from Clicks as Multichannel Rises
by Campbell Phillips
Multichannel retailing is set to complement, rather than compete, with bricks-and-mortar over the next two years, according to a new study from CBRE.
Investing in new or currently existing stores is a major priority for international retailers, with many indicating a requirement for more physical outlets and increased shop space as a result of their multichannel strategies …

61 percent of IT security professionals fear Anonymous, hacktivist attacks
by Suzanne Choney
Nearly two-thirds of IT security professionals worldwide believe their companies will be the target of a cyber attack in the next six months, and 61 percent say that Anonymous and other hacktivist groups will be most likely the ones to target their organizations.
Cyber criminals, then “nation states,” including China and Russia, are considered next on the list of likely attackers by 55 and 48 percent, respectively, according to the survey done by security firm Bit9 …

What other interesting content have you come across? Leave a comment below and join the discussion.

By Yu-Ting Huang, Director, Global Product Marketing at Voltage

Regardless of whether the year 2012 will end the way the Mayans had predicted, retailers are moving forward with initiatives that can continue to grow their business. The general mood of the retailers at the National Retail Federation’s Big Show in New York earlier this month was a few rungs above cautious optimism. In addition to investing in ways to expand sales channels and understanding customer needs to increase revenues, corporations were also looking to build social stewardship into their businesses.

The buzz on the EXPO show floor was clearly about new devices that allow acceptance of mobile sales and payments, and the technologies that facilitate the management of store displays, supplies and analytics.

While the shiny new toys were eye-catching and inspiring, other aspects that are just as crucial to the success of a retail business were conspicuously missing from the conversation. I found it interesting that the security of customer data such as personal information, purchase history and preferences, and even payment data are not yet top of mind. There were a handful of vendors showing secure point-of-sale devices at the EXPO, but the coverage from the session presentations on this topic was thin.

Perhaps data security has been relegated to the “basic requirement of doing business” category and has become a non-topic. According to Visa, over 90% of both Level 1 and Level 2 merchants are PCI-DSS compliant. However, we continue to hear reports of data breaches, including the recent one from Zappos, which, incidentally, was a finalist for the ARIL Customer Service Award at the conference. (The breach notification went out to customers the day before the award luncheon.)

This goes to show that hackers never rest, and, therefore, as an industry we shouldn’t either. As we continue to invest in growing our businesses, it’s always good practice to take a moment to assess the integrity and security of what you have in place first. Making security a forefront topic in your business’s management can mean staying a step ahead of hackers, and this is where you should always strive to be.


The cost of a data breach for retailers and merchants is rising every day, both in terms of dollars and brand reputation, taking into account costs for internal investigation, notification/crisis management and response. And soon, there may be another cost being levied on merchants from a different source: the government.

According to a recent article in the Financial Times, the European Union is considering a stiff fine for retailers if they fail to secure sensitive customer data. The size of the fine amounts to more than just a simple slap on the wrist. In fact, retailers breaching European Union privacy rules could be on the hook to pay a fine up to 5 percent of their annual revenue.

Although these rules are still in their infancy and, if passed, wouldn’t go into effect for as long as two years, they should still be a frightening proposition for all retailers. And it’s not just European retailers that should be concerned since the rules are expected to also apply to European subsidiaries of foreign companies.  It could also be an indicator of what may happen in the U.S.

If you think the rules may go without being enforced, you should think again. StorefrontBacktalk’s Evan Schuman wrote about this issue in a recent column, and speculated that the EU is likely to strictly enforce this legislation since they’re starved for cash and these fines could be a good way to raise money. Also, unlike credit card companies and other stakeholders that threaten to punish retailers, the government doesn’t necessarily have anything to lose from fining a retailer.

For example, Visa would probably think twice about punishing or terminating its relationship with Wal-Mart simply because the retail giant wasn’t on the cutting edge of data security. The loss of revenue from credit card transaction fees would simply be too great.

Although these rules could be years in the making, or never even see the light of day, they’re evidence that governments are starting to crack down on companies that aren’t making data security a priority. With 2011 being a banner year for cyber attacks and data theft, and the potential for the cost of a breach to continue to increase, the time is now for retailers to take a more serious look at their security posture.

With tokenization and encryption solutions available to retailers via the cloud, there is no reason why any company should not be PCI compliant and protected from data breaches. The costs are too high, both to the company’s coffers and its reputation.

Don’t let your company wait until it has to part with 5 percent of its annual revenue before you start to reevaluate how you store and protect payment card data.

By Michael Ryan

As the world’s largest retail trade association, the National Retail Federation (NRF) is not afraid to hunt big game.  In late November, NRF and other industry leaders took a stand and sued the Federal Reserve Board over its alleged failure to comply with the Durbin amendment requirements. Specifically, the suit alleges that the Fed did not act in accordance with the law by setting debit card interchange higher than the “reasonable and proportional” mandate in the amendment and by not providing sufficient network flexibility for merchants.

I’m not a lawyer, judge or jury, so I won’t attempt to debate whether or not they complied with the law. In fact, I support the NRF’s attempts to lower processing fees in general, but as I have mentioned before, the execution has led to all sorts of unintended consequences. Price fixing will always produce unintended results and even negatively affect some segments of the population it intends to help.

Case in point: Convenience stores, vending machine businesses and other merchants with a small average ticket.  The intent of the Durbin amendment was to lower rates for all but in the end it actually raised rates for these groups. USA Technologies, a provider of card solutions for the vending industry, was affected and it was announced a few weeks ago that they struck a deal with Visa to normalize their rates post-Durbin.  While not every merchant has the size and power to secure a deal like this one on their own, I applaud their efforts to use negotiation instead of litigation.

And this is nothing new.  For over 30 years, the card associations have worked with large merchants and industry groups to negotiate and adjust interchange rates to meet the market’s needs. We’ve seen this in the grocery, convenience and small ticket markets, each of which managed to persuade the associations to create industry-specific interchange categories and lower their rates. While those efforts may not have reduced the issuers’ margins to zero, they have been effective. Yet, the government mandate negates all previous negotiation by applying a one-size-fits-all method, wiping away any past progress made by small ticket merchants and other groups.

That brings us to network exclusivity, the second major allegation in the suit. This is where the law can help level the playing field by introducing real competition. The associations wield a lot of power when it comes to signature debit.  Had the Fed required multiple PIN and signature network affiliations on each card, as was discussed early in the negotiations, merchants might have really gained some negotiating power. That almost certainly would allow them to effect price adjustments more naturally through competition rather than price fixing.

Who knows what will come out of the lawsuit but let’s hope it gets us closer to natural market competition than the first attempt has.

By Mike Ryan

As anticipated, Visa announced the extension of the Technology Innovation Program (TIP) originally announced for non-U.S. markets back in February.  Reading through the document, it is clear that this is an attempt to get the market moving on two major Visa initiatives: near-field communications (NFC) and EMV.

As several analysts and my fellow bloggers have pointed out, this program says at least as much about Visa’s focus on NFC as it does about EMV. But, I’m more interested in what it doesn’t say.

First, the announcement doesn’t say that to qualify for PCI exemptions, 75 percent of the traffic needs to be EMV transactions.  It only says that the terminal must be EMV and NFC capable.  U.S. payment processors don’t support the standard today, so clearly no merchant would qualify. Obviously this is not an attempt to make the industry more secure or reduce fraud in the short term.

Second, you may have also noted that there are no liability shifts or protections from data breach penalties as there were in the global version of the program.  It seems that Visa knows that this program will not enhance security or prevent fraud, so while merchants may get a temporary reprieve from regulation, they will still be subject to fines and penalties if they are breached.

I’ll be honest…a part of me wants to applaud the effort to accelerate the NFC roll out because I want to use my phone to make purchases at the point-of-sale (POS).  However, I can’t do this with a clear conscience because my job is to help merchants become more secure and avoid the high cost of a data breach.

The reality is that EMV is still several years away.  While it will eventually help prevent some types of card-present fraud, it does nothing to protect cardholder data from being stolen from merchants’ networks.  The EMV message still sends card numbers in the clear — without point-to-point encryption (P2PE) and/or tokenization — so it essentially does nothing to protect data.

That data, if stolen, can still be used at the POS until EMV is widely adopted several years from now — or for the foreseeable future in card-not-present (CNP) fraud.  According to Javelin Strategy & Research’s most recent Identity Fraud Survey Report, CNP has outpaced card-present fraud for the first time ever.

Visa’s program doesn’t offer any new protection, so the penalties will continue to rest with the merchant.  So let’s start preparing for EMV and NFC, but don’t be fooled…unless you render the data useless, criminals will still try to steal that data and someone will ultimately pay the price when a breach occurs.

By Michael Ryan

Recently, Gartner Group surveyed U.S. retailers, looking at the spending levels for PCI compliance.  The findings reflect much of what we’ve seen in the market as we have discussions with major retailers.  Most big brands have already taken steps to achieve PCI compliance, and so 89 percent of Level 1 merchants surveyed were compliant, while 57 percent of merchants that fall between Level 2-4 were compliant.  But interestingly, the survey found that Level 2-4 merchants are spending more on compliance.

So what gives?

Of course, the spending increase for lower level merchants could just be basic math.  There are far more retailers at the lower levels than at Level 1, half of which still need to take steps to become PCI compliant.

One of the motivations that Gartner analyst, Avivah Litan, points to is that the merchant-acquiring banks that enforce PCI compliance on behalf of the card brands like Visa, MasterCard etc., have been contacting Level 1 merchants, reinforcing the message that they must be in compliance with PCI standards.  Fines and threats are usually effective motivators.

The cost increases for Level 2 merchants are just the associations’ long-term plans playing out. They started with e-commerce merchants, moved to the largest retailers and are now increasing pressure on the next level of retailers who are currently not meeting compliance standards.

The pressure is good and we do hope that retailers realize that becoming PCI compliant is necessary, but only a baseline.  In fact, Gartner predicts that by the end of 2012, 75 percent of the retailers that are breached will be PCI compliant.

So what is a retailer to do?

Use PCI standards as a baseline for protection but understand that newer technologies are available to remove the sensitive data from their systems altogether and ensure that they have a layered approach to securing their networks.  From encryption to tokenization, retailers must realize the benefits of implementing these technologies including reductions in the scope of PCI audits as well as minimizing card data exposure, making retailers a less attractive target for attacks.

By Beth McGarrity

Recently, Javelin Strategy & Research released a study that analyzes how secure consumers’ credit details are.  The Seventh Annual Card Issuer’s Safety Scorecard dives into existing trends related to card fraud, mitigation against these threats and evaluation of card issuers that have consumer-facing prevention, detection and resolution capabilities.

The study focused on the top 20 card issuers such as American Express, MasterCard, Visa, Bank of America, JP Morgan Chase, Capital One and more. The results found that card issuers do a good job resolving fraud problems once they occur, but ultimately fall short on prevention and detection.

In light of the number of recent breaches that have impacted big brands, as well as financial institutions like Citigroup, consumers need to be aware of how their payment information is protected and take proactive steps to ensure their own credit protection.

By Michael Ryan

Earlier this year, I wrote about how legislation could affect debit transactions and specifically, the impact of the Durbin Amendment, which is aimed at debit card interchange fees and increasing competition in payment processing. Nearly six months later and we now have the official rules.

The big banks can breathe a sigh of relief. Fee caps are now 21 cents plus five basis points. This is still a hit of roughly 50 percent on a $40 transaction but it certainly looked much bleaker (max of 12 cents per transaction) just a couple months ago.

The network routing rules are also a bit simpler. Cards must carry bugs from two unaffiliated networks but they do not need to offer the same authentication service. In most cases that likely should mean one network for signature-based and one for PIN-based. With the elimination of rate differences between the two options we may actually see real competition in the form of new offerings from the networks.

So who won?

The issuers traded draconian cuts for merely drastic cuts but it would be hard to categorize that as victory. Certainly large merchants who are able to negotiate interchange plus type rates will see the biggest short term gain. Ostensibly that will lead to reduced prices for consumers who were supposed to benefit most from this legislation. We may see some trickle down but I wouldn’t expect any sweeping price reductions.

So of the groups most often cited in Durbin discussions – issuers, merchants and consumers – each may have come away with something.

But I believe the real beneficiaries are a third group not often mentioned in this discussion, acquirers/ISOs. The regulation caps the interchange that issuers can collect but it says nothing about acquirers’ margins on top of interchange.

So while large savvy merchants who have negotiated interchange plus rates will see decreases there is no reason to believe that acquirers will cut debit fees in the short term for small merchants who pay more traditional rates. This could be a huge windfall for the acquirer community.

As we have seen with other examples of regulatory price fixing, the unintended consequences may ultimately be more pronounced than what is actually intended.

By Beth McGarrity

Here on SecurityCents, we are often blogging about attacks on restaurants, retail or lodging where the attacker has one main purpose:  stealing payment information for monetary gain.  But as we’ve seen during recent months, the attackers’ motive is shifting and evolving.

Just ask Sony

Or the CIA and FBI

Or Mastercard and Visa

Each of these organizations has faced a different sort of attack during the year, where groups like Anonymous and Lulz Security have attacked servers to bring down the site and embarrass the organization for lack of security controls.

It may be different than the stories we’ve told in the past, but the moral of the story is the same.  And these new threats shouldn’t detract from what we already know.

The focus on stealing payment data has not been lost.  A few months back, Citigroup disclosed that over 210,000 accounts in North America alone were breached and information was stolen.  It was one of the most significant attacks on a financial institution.

So while the rise of hacktivism is currently in the spotlight, don’t forget that cyber criminals who are seeking monetary gain continue to lurk in the shadows, slowly and consistently tapping into networks and determining the vulnerabilities that exist and can be exploited.  It is critical that merchants continue to stand guard and ensure that they have the security controls in place to protect customer payment data.

By Michael Ryan

Black Friday typically is the biggest shopping day of the year. This year, retailers are getting started early with door buster savings before the Black Friday holiday.  Hopefully, even before a big turkey dinner, shoppers will be crowding the stores with the goal of getting an early start on the big sales.

From the retailers’ perspective, this week marks the beginning of the holiday shopping season, one of the busiest times of the year.  The number of sales often predicts shopping trends, consumer confidence and the state of the economy.

Yet, this is the perfect timing for the Grinch to come out and try to steal away all the holiday cheer.  In fact, it is prime timing for attackers to try to steal credit card information from retail systems.

While PCI compliance is a good start and the standards developed have played a significant role in improving card data security, compliance alone does not equate to a complete security strategy.  Many of the major data breaches from the past couple of years were perpetrated against merchants who had been PCI certified before the breach. Compliance and security must be a year-round commitment and go beyond the minimum requirements.

So how can you go beyond the minimum to prevent a data breach this holiday season?  First and foremost do an inventory to catalog where your cardholder data is stored and remove it.

It sounds obvious but most merchants still store credit card data on their systems unnecessarily.  PCI has mandated that stored data be encrypted or masked, which is great but it doesn’t mean you should hang on to any more data than absolutely necessary.

One of the most common uses of card data is to help with chargeback disputes.  Visa’s recent PAN Truncation Guidelines have shattered the myth that full card numbers are needed for this purpose. Ask the tough questions of the data owners: Do they truly need it or is it just the way it has always been done?

The bottom line is that the more locations you have where data is stored, the more potential attack vectors there are for hackers.  We believe the ideal solution is to remove all data to a hosted third party vault and store only tokens locally so there is nothing of value for the crooks to go after.
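A cardholder-data inventory like the one described above can start with a scan such as the following. This is an added example, not code from the original post or from Visa's guidelines: it flags 13 to 19 digit runs that pass the Luhn check and reports them only in truncated form. The file names, sample contents and the first-six/last-four truncation format are assumptions made for illustration.

```python
import re

# 13-19 digits, optionally split by single spaces or hyphens, not embedded
# in a longer digit run. A PAN that directly abuts other digits can be missed.
CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate(pan):
    """Keep first six and last four digits (assumed truncation format)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _digits(match):
    return re.sub(r"[ -]", "", match.group())


def inventory(files):
    """Return (file, line number, truncated PAN) for every likely stored PAN."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for m in CANDIDATE.finditer(line):
                pan = _digits(m)
                if luhn_ok(pan):
                    # Never write the full number into the report itself.
                    findings.append((name, lineno, truncate(pan)))
    return findings


def redact(text):
    """Replace Luhn-valid PANs in text with their truncated form."""
    def repl(m):
        pan = _digits(m)
        return truncate(pan) if luhn_ok(pan) else m.group()
    return CANDIDATE.sub(repl, text)


# Constructed sample data using well-known test card numbers, not real PANs.
SAMPLE_FILES = {
    "pos07.log": (
        "2011-11-23T10:15:02 POS07 auth ok card=4111111111111111 amt=40.00\n"
        "2011-11-23T10:16:40 POS07 auth ok card=4111111111111112 amt=12.50\n"
        "2011-11-23T10:17:05 POS07 order=1234567890123456 shipped\n"
    ),
    "chargebacks.csv": (
        "case,card,amount\n"
        "CB-1001,3782 822463 10005,89.99\n"
        "CB-1002,4012-8888-8888-1881,15.00\n"
    ),
}

if __name__ == "__main__":
    for name, lineno, masked in inventory(SAMPLE_FILES):
        print(f"{name}:{lineno}: stored PAN {masked}")
```

The Luhn check is what keeps the 16-digit order number and the mistyped card number out of the report; a match is still only a lead for the data owner to confirm.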

Merchants must also understand that protecting themselves against attack goes beyond technology.  People and processes are just as important and everyone from the security administrator to the cashier is responsible for securing your systems.  Just look at the recent Aldi breach.  The hackers weren’t invisible Internet raiders but perpetrated their schemes from inside the store by swapping out terminals.

Everyone in the company should be aware of security threats, trained to spot suspicious activity and have a clear method of reporting it.  Processes need to be in place to enhance security.  Don’t assume you can just securitize old processes. The processes themselves need to be evaluated and those that do not promote a secure environment eliminated.  Just because it’s the way things have always been done doesn’t mean it’s the best way.

Just remember, as you prepare for a flurry of activity, constant vigilance is required to ensure you are evolving with and hopefully ahead of the bad guys.