TC SMART Product

Prevent Data Thieves from Stealing Payment Data

As 2012 approaches, and companies continue to pursue compliance with the PCI DSS, the threat of data theft still looms large for merchants. On December 12, 2011, CNN, and other news organizations, ran a story announcing that US authorities arrested four Romanian Nationals in connection with a data theft scheme that had been active since 2008. The four individuals would hack into Point of Sale (POS) systems and install Trojans and key-stroke loggers to capture payment card data. This data was then used to make fraudulent purchases, primarily in Europe. 150 Subway restaurants, as well as over 50 other retailers, were victimized and an estimated 80,000 cards were compromised. 
 
While a tragic story, the interesting part of this is the acknowledgment that the attacks had been ongoing since 2008--nearly four years before detection. This story is yet another example of how difficult it can be for retailers to protect data from theft and highlights the need for constant vigilance. PCI DSS compliance is simply not enough any longer to prevent data thieves from stealing data. TrustCommerce TC SMART products are designed to provide security for retailers and online merchants. By removing the data from merchant environments, there is nothing for the data thieves to steal. To learn more about TC SMART Products, please contact us at: 800.915.1680.
 
You can read the full article here: http://on.msnbc.com/tOF4ef


Secure Payment Acceptance in a Dynamic Environment

Life was simpler way back when. Some of you may remember when televisions only had three channels. A pencil or typewriter was your primary means of written communication. When you made a purchase or paid a bill, you mailed a check or paid cash at the register. Choices were limited, but simplicity appeared to make everything a little more manageable.

Innovations have led to more choices and greater convenience—especially in our payments world. Think of all the ways consumers pay today: cash, check, credit cards, ACH/e-check, debit cards, gift cards, etc. Merchants also have a multitude of ways to accept payments: POS, online, automated recurring billing, SMS, mail order/telephone order, kiosks, integrated voice recognition (IVR), mobile devices—you name it.

Staying on Top

To remain competitive, merchants must support the traditional methods of payment, while moving forward and accommodating early adopters of the latest technology. However, the breadth of payment acceptance options can seem like an opening for greater risk and exposure. How does a merchant make sure all of the payment data entry points are secure? How do you integrate with existing systems for ease of reporting and reconciliation? Here's how:

1. When choosing a payment acceptance solution, look for a partner who is PCI compliant. Next, find a solution that reduces your compliance burden. Merchants who do not store, process or transmit Account Data (Cardholder Data and Sensitive Authentication Data), as defined by the PCI DSS, can dramatically reduce the cost of compliance and the risk associated with accepting payments. TC SMART products accomplish that goal and provide a clear path for compliance, data security, and fraud reduction.

2. Don't get caught up in all the features and benefits and lose sight of the big question: Will this integrate with my existing systems and solutions and allow me to grow? TrustCommerce's secure API, TCLink, allows merchants to integrate multiple transaction entry points and is open source. This gives merchants more control and flexibility.

A comprehensive payment acceptance solution provider can make it easier to embrace change. The convenience that comes with offering choice makes it worthwhile.


PCI Compliance for Small Merchants

Small businesses are the heart and soul of the U.S. economy. From local mom and pop shops to innovative web startups, we rely on these merchants daily for goods and services. In the payments world, small businesses are referred to as Level 4 merchants, those processing fewer than 20,000 e-commerce transactions annually and up to 1 million transactions annually. There are more than 6 million Level 4 merchants in the U.S.
PCI compliance is a vital component of a merchant's overall, ongoing security program. However, Level 4 merchants have not always been well educated or encouraged by their acquiring bank to become compliant.

If your business transmits cardholder data, you must also be PCI compliant. The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This definition may sound intimidating, but the overall goal is to help organizations proactively protect customer account data.

All merchants must be PCI DSS compliant
Regardless of how small your business is, you must be compliant. PCI DSS compliance is required of all entities that store, process, or transmit cardholder data, including financial institutions, merchants and service providers. Cardholder data is any personally identifiable information associated with a cardholder, such as an account number, expiration date, name, address, social security number, etc.
Although PCI DSS is not a law, failure to meet compliance standards can result in fines from credit card companies and banks, brand and reputation damage, and even the loss of the ability to process credit cards.

What are the risks of accepting cardholder data?
Small businesses and home-based businesses are vulnerable to hackers simply because they are usually not well protected. Home-based businesses account for 53 percent of all small businesses. Intruders see these businesses as easy targets and exploit their broadband connections, which are always on, and programs such as online games and file-sharing applications. Other typical ways merchant environments are breached include: SQL injection attacks, malicious code attacks, insecure remote access, or insecure wireless.

Sensitive cardholder data can be stolen from many places:

  • Compromised card reader
  • Paper documents stored onsite
  • Data in a payment system database
  • Hidden camera recording entry of PIN or other authenticating data

What are the costs?
Oftentimes it takes numbers, and fear of loss, to push merchants to take the compliance leap. Merchants can expect to pay approximately $50,000 for PCI compliance violations. In addition, the bank will also most likely terminate your relationship or charge higher transaction fees. These penalties can be hard to overcome.

In addition, if cardholder data becomes exposed, be aware that more than 38 states have laws requiring data breach notifications to the affected parties resulting in incalculable losses to brand, reputation and customer base. Refer to www.privacyrights.org for detail on state laws.

Summary
PCI compliance is a must. Take advantage of the resources and reputable partners that can make the process more efficient. By creating a safe environment for processing your customers’ transactions, you will keep them coming back and ensure your business thrives.

To learn more, read TrustCommerce's whitepaper on PCI Compliance for Small Merchants.


Prevent POS Fraud with Secure Devices

On May 13, 2011 news broke of Michaels arts-and-crafts stores falling victim to debit-card data theft. 

      "Thieves tampered with the retailer's debit-card processing equipment at about 80 stores from Massachusetts to Washington, according to the chain's corporate parent, Michaels Stores Inc.

      The thefts apparently involved the use of electronic devices called skimmers that allowed crooks to record information from shoppers' debit cards and steal their personal identification numbers, or PINs.1"

News outlets understandably identify the cardholders as victims in this type of attack, but retailers suffer, too. Damage to the brand, consumer confidence, and the cost of device replacement are all side effects that are to be dealt with.

     "The company said it is working with federal and state law-enforcement authorities, and is replacing all of its 7,200 card-processing terminals as a precaution. The U.S. Secret Service, which investigates financial fraud, said that it is investigating the Michaels incident.2"

Michaels is not alone in being forced to respond to attacks on customer card data. As long as there is a point-of-sale device and an Internet connection, everyone is at risk. We live in the information age where how-to-hack[ing] guides are only keystrokes away. Thieves stealing sensitive data can range from the casual passers-by to the highly sophisticated computer whiz.

Implement an Anti-Skimming Plan
Staying secure for a retailer may seem like an uphill battle, and it is. The Michaels theft, however, is one that could have been avoided. Replacing a piece of hardware in a merchant environment is a battle that can be won with anti-skimming planning. At TrustCommerce, we take the security of sensitive customer data and the integrity of our merchants seriously. That is why every device that TrustCommerce resells is able to avoid the type of attack that Michaels experienced.

If a TrustCommerce merchant is unaware of devices being swapped out for “skimmers,” they are protected. With our integrated software solution, payment processing is not possible without the TrustCommerce key-injected point-of-sale (POS) device. Thieves won’t be able to capture payment data on their non-injected POS device.

At TrustCommerce we partner only with device vendors that are industry leaders when it comes to offering encrypted devices that allow us to capture and transfer data securely. A TrustCommerce device purchase offers value to any merchant looking for an integrated security solution. Not only are the devices we’ve selected secure, but the TrustCommerce security software offers invaluable features including the ability to track transactions with our advanced reporting, transfer responsibility of storing credit card data, restrict user access levels in complex environments, and much more. With our dedicated staff and vast industry-specific security knowledge, we continue to make credit and debit card processing an option both consumers and merchants can Trust.

--N. Medellin, Product Manager

1 http://finance.yahoo.com/banking-budgeting/article/112735/thieves-debit-card-data-michaels-wsj
2 http://finance.yahoo.com/banking-budgeting/article/112735/thieves-debit-card-data-michaels-wsj


A Merchant’s Best Friend: E2EE & Tokenization

It’s the start of a New Year and, naturally, businesses begin prioritizing projects. “What can we accomplish this year? What projects can we take on that will deliver the most bang for the buck?” Each division jockeys for position and vies for scarce time and resources.

The single most important business decision merchants can make this year centers on data security. All the hard work your teams put in every day is rendered useless in the event of a data breach. Progress stops and all attention shifts toward survival.

How are you securing your data? Better yet, where is it?
When evaluating whether you are confident in your data security strategy, begin by looking at where your data resides. Start scratching the surface and you might find private cardholder information in unusual places, such as marketing and even human resources. Merchants can greatly reduce exposure and expenses by eliminating the data from their environment and relying on a third-party vendor to secure the information. This becomes a strong foundation for protecting their brand and reputation.

TC SMART Products® encrypt, secure, and warehouse your cardholder data using E2EE and tokenization.
Tokenization replaces sensitive cardholder information with unique identification symbols that retain the necessary information in a format that is meaningless to hackers. In a payment card transaction, a token typically consists of alphanumeric characters that represent cardholder data specific to the transaction in progress and contains only the last four digits of the card number. When an authorization request is made to verify the transaction, the card number is used only in the initial request. The token, rather than the card number, is returned to the requester along with approval or rejection of the transaction. The merchant can access the token for recurring payments, but the credit card number is stored in TrustCommerce’s PCI compliant data storage service.

In support of tokenization, Visa has released a paper discussing best practice recommendations. You may read the full document here: http://usa.visa.com/download/merchants/tokenization_best_practices.pdf
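The tokenization flow described above, as an added sketch that is not TrustCommerce code or the TCLink API: the card number travels only in the first request, and the merchant record holds a token plus the last four digits. The names `TokenVault`, `authorize`, `charge_token`, `enroll_customer` and `find_pans`, and the token format (12 random letters followed by the last four digits), are assumptions made for illustration.

```python
import re
import secrets
import string

ALPHABET = string.ascii_uppercase  # letters only, so a token never resembles a card number

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical processor-side store; the only place a card number is kept."""
    def __init__(self):
        self._pan_by_token = {}

    def authorize(self, pan: str, amount_cents: int) -> dict:
        # Initial request: the only message that carries the card number.
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            return {"approved": False, "token": None}
        token = "".join(secrets.choice(ALPHABET) for _ in range(12)) + pan[-4:]
        self._pan_by_token[token] = pan
        return {"approved": True, "token": token}

    def charge_token(self, token: str, amount_cents: int) -> bool:
        # Recurring payment: the vault resolves the token; the merchant never does.
        return token in self._pan_by_token

def find_pans(text: str) -> list:
    """Defender-side scan: digit runs of card-number length that pass Luhn."""
    return [m for m in re.findall(r"\d{13,19}", text) if luhn_ok(m)]

def enroll_customer(vault: TokenVault, pan: str, amount_cents: int) -> dict:
    """Merchant side: send the card number once, persist only what comes back."""
    reply = vault.authorize(pan, amount_cents)
    token = reply["token"]
    return {"approved": reply["approved"], "token": token,
            "last4": token[-4:] if token else None}

TEST_PAN = "4111111111111111"  # constructed sample: a standard test number, not a real card
```

Running `find_pans` over whatever the merchant persists (database rows, logs, exports) is the same check that confirms the card number has actually left the environment.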

End-to-end encryption (E2EE) refers to complete protection of data flowing between two points in a network: the data is encrypted when it leaves its source, stays encrypted while it passes through any intermediate computers (such as routers), and is decrypted only when it arrives at the intended destination.

In a recent report, “Card Fraud in the United States: The Case for Encryption,” Aite Group determined that end-to-end encryption would have the greatest impact on reducing fraud. “We estimate that a national E2EE deployment would cut 90% of card-not-present and counterfeit cards in the United States.”

As the pioneer of these technologies since 2001, TrustCommerce payment processing solutions are proud to have led the way in innovation by leveraging tokenization and E2EE.  TrustCommerce created the security needed for the industry, before most addressed such concerns. This powerful combination, in conjunction with other secure technologies, allows merchants to defer much of the cost, risk, and threat, involved in handling sensitive cardholder information. Our leading solutions include:

TC POS Vault uses industry proven key injection management and encryption technologies to quickly and safely process transactions from the customer swipe. This solution also mitigates card-not-present browser cache vulnerabilities.

TC Citadel is a powerful e-billing application designed for recurring, installment, subscription and utility payments. TC Citadel securely stores cardholder payment information and privacy data within the TrustCommerce data storage service. Merchants exchange credit card numbers and other privacy data elements for TrustCommerce issued Billing IDs.

Affordable and easy to integrate secure solutions
You may perceive that implementing a data security solution is expensive and as resource intensive as maintaining PCI compliance. Fortunately, making a large stride toward stronger data security can be done rather easily (and lessen your PCI compliance burden). TrustCommerce payment processing solutions leverage these powerful technologies and can be implemented quickly. The TrustCommerce professional services team can also develop custom integrations for merchants with unique environments or needs.

So, as you tackle your business’s “To-Do” list this year, place data security at the top. Then, feel that sense of accomplishment when you can quickly mark it complete.



Get to Know the TC Payment Portal

We love the TC Payment Portal and so do our customers. It is a versatile product that makes it easy, affordable and convenient for merchants of any size to offer online payment options to their customers. Allowing integration support for customer bill presentment, users can securely log into a website and have immediate access to their account information.

What makes the solution ideal is that it puts the power in the hands of the customer. From a single login, customers can initiate real-time payments or set up a recurring payment cycle using credit cards, online debit cards, and ACH for all of their enrolled accounts. Reporting is available so merchants can view payment history and proactively manage their account(s). The TC Payment Portal also removes the financial data from your environment, making PCI compliance easy!

By empowering customers, merchants benefit in many ways:
• Allows customers to pay directly to the business 24 hrs a day
• Reduces costs associated with live customer service/Bill Pay
• Allows merchants to send customers notifications, auto-confirmation of payment emails, and more.
• Lets merchants batch upload payment amounts due and updates to customers’ user accounts
• And more

