Security https://goebt.com (feed last built Mon, 30 Jun 2025 16:15:29 +0000)

Money Laundering in Payments: What You Need to Know
https://goebt.com/money-laundering-in-payments-what-you-need-to-know/ Tue, 05 Mar 2019 10:00:00 +0000

Think money laundering, and you might picture bags of cash and back-alley deals. But that’s not the real picture at all. Money laundering is an increasingly prevalent, dangerous and expensive problem in the US payments industry. Transaction laundering is responsible for a shocking $200 billion in fraud in the US alone every year.

As AML (anti-money laundering) regulators focus their efforts on FI-based money laundering, criminals are simply stepping outside of banks to get the job done. Digital payments, with their complexity, provide a perfect medium – and a perfect cover – to launder money.

Here are 4 common schemes that affect merchants, payment providers and brands today.

1. Transaction Laundering

The most common scheme is transaction laundering, in which illicit merchants use an approved merchant’s payment credentials in order to process ecommerce transactions. It’s easy enough to set up an online storefront for illicit sales, and then reroute transactions through a legitimate merchant. And it’s seldom noticed by regulators.

Transaction laundering can be used for a variety of purposes, from under-reporting sales to avoid taxes, to far worse designs. Transaction laundering funds the ugly underbelly of counterfeit products, human trafficking, illegal drugs and unregistered weapons.

2. Digital Payment Platforms

Micro laundering refers to transactions that are small enough not to trigger AML (anti-money laundering) alerts. In micro laundering, criminals can use everyday digital payment platforms to move money. For instance, a PayPal transaction of $10,000 would trigger AML alerts. But 100 PayPal transactions of $100 each would attract no notice from watchdogs. In fact, it’s estimated PayPal is used to move 10% of laundered money. Other digital payment platforms such as Venmo are also commonly used to move illegal funds.

3. Online Bid Sites

Thieves also use online bid sites for micro laundering. From fraudulent auctions on eBay to imaginary job postings on Fiverr, money can be transferred easily and quickly. Actually, this method hits awfully close to home. In 2017, the FBI thwarted a terrorist attack on American soil. They found that the perpetrator received his funding by posting fraudulent auctions on eBay that were “purchased” by ISIS agents.

Some criminal enterprises take transaction laundering to almost-corporate levels. Individuals may be hired as “mules” to apply for online job postings, only to transfer the money back to the employer later, minus a commission. It’s the Nigerian prince scheme writ large.

4. Gift Card Fraud

Smurfing prepaid cards is yet another means of micro laundering. In this scheme, fraudsters may load cash onto a variety of prepaid cards, such as Visa gift cards or store cards. With a little legwork, those amounts can be converted back into cash and deposited into bank accounts. While it may not seem like much to load a $200 Visa card here or there, in the hands of an organized criminal, these amounts can add up quickly.
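The micro laundering pattern described in sections 2 and 4 (splitting $10,000 into 100 transfers of $100, or loading many small amounts onto prepaid cards) evades any rule that looks at one transaction at a time. The detection logic below is an added example written for this page, not code from the original post or from any vendor; it assumes a constructed set of transaction records, a per-transaction alert threshold of $10,000 (the figure the post uses), a seven-day rolling window and a count threshold of ten, all of which are illustrative choices. It flags a sender whose individual transfers all stay under the threshold but whose windowed total reaches it (structuring), and separately flags a burst of many small transfers on count alone (velocity), which is what catches the prepaid-card loads.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

SINGLE_TXN_THRESHOLD = 10_000.00  # one transfer at or above this amount alerts on its own
WINDOW = timedelta(days=7)        # rolling aggregation window (assumed value)
MIN_COUNT = 10                    # sub-threshold transfers in one window that alert on count alone (assumed)


class Txn(NamedTuple):
    ts: datetime
    sender: str
    amount: float
    channel: str


def build_sample() -> List[Txn]:
    """Constructed sample records for the demo; not real transaction data."""
    txns = [
        Txn(datetime(2019, 3, 1, 9, 0), "acct-normal", 42.50, "p2p"),
        Txn(datetime(2019, 3, 2, 18, 30), "acct-normal", 310.00, "p2p"),
        Txn(datetime(2019, 3, 5, 12, 0), "acct-normal", 1250.00, "p2p"),
        # One $12,000 transfer: the simple per-transaction rule catches this.
        Txn(datetime(2019, 3, 3, 10, 0), "acct-large", 12_000.00, "p2p"),
    ]
    # 100 transfers of $100 spread over about three days: none trips the per-transaction rule.
    base = datetime(2019, 3, 4, 8, 0)
    for i in range(100):
        txns.append(Txn(base + timedelta(minutes=45 * i), "acct-split", 100.00, "p2p"))
    # 12 prepaid-card loads of $200 within two hours.
    base = datetime(2019, 3, 6, 13, 0)
    for i in range(12):
        txns.append(Txn(base + timedelta(minutes=10 * i), "acct-cards", 200.00, "prepaid-load"))
    return txns


Alert = Tuple[str, float, int]  # (rule name, aggregated amount, transaction count)


def find_alerts(txns: List[Txn],
                threshold: float = SINGLE_TXN_THRESHOLD,
                window: timedelta = WINDOW,
                min_count: int = MIN_COUNT) -> Dict[str, List[Alert]]:
    """Return alerts keyed by sender. Each rule fires at most once per sender."""
    alerts: Dict[str, List[Alert]] = defaultdict(list)
    by_sender: Dict[str, List[Txn]] = defaultdict(list)

    for t in txns:
        if t.amount >= threshold:
            # The naive rule: a single large transfer.
            alerts[t.sender].append(("single_transaction", t.amount, 1))
        else:
            by_sender[t.sender].append(t)

    for sender, items in by_sender.items():
        items.sort(key=lambda t: t.ts)
        start = 0
        running = 0.0
        fired = set()
        # Sliding window over this sender's sub-threshold transfers.
        for end, t in enumerate(items):
            running += t.amount
            while items[end].ts - items[start].ts > window:
                running -= items[start].amount
                start += 1
            count = end - start + 1
            # Structuring: no single transfer alerts, but the window total reaches the threshold.
            if running >= threshold and "structuring" not in fired:
                fired.add("structuring")
                alerts[sender].append(("structuring", round(running, 2), count))
            # Velocity: many small transfers in a short span, regardless of total.
            if count >= min_count and "velocity" not in fired:
                fired.add("velocity")
                alerts[sender].append(("velocity", round(running, 2), count))

    return dict(alerts)


if __name__ == "__main__":
    for sender, found in sorted(find_alerts(build_sample()).items()):
        for rule, amount, count in found:
            print(f"{sender}: {rule} (total ${amount:,.2f} across {count} transfers)")
```

The point of the two-rule design is that the per-transaction rule alone sees nothing wrong with `acct-split` or `acct-cards`; the aggregation window is what surfaces them. Threshold and window are tuning parameters for the risk team, not fixed regulatory values.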

What’s Next?

Over the past several years, transaction laundering and the various forms of micro laundering have been thriving underneath the radar of AML regulations. But that is starting to change as regulators become more aware of the scope of the situation.

The good news is that we have the technology in place to make some meaningful inroads. Just as AI and machine learning have revolutionized fraud control at the point of sale and in traditional ecommerce, regulators will be turning these tools toward combating money laundering. Payment providers, retailers and ecommerce sites can certainly expect new regulations and compliance standards. But considering the urgency of combating money laundering in payments, the effort will be well spent.

Real Time Payments: A Fresh Angle for Fraud
https://goebt.com/real-time-payments-a-fresh-angle-for-fraud/ Thu, 15 Nov 2018 10:00:00 +0000

One year ago today, The Clearing House debuted RTP, its Real Time Payments system for the US financial market. Supported by all the member banks of The Clearing House, RTP is off to a strong start. It’s estimated that 50% of eligible demand-deposit accounts will be able to receive an RTP transaction by year end.

The purpose of RTP is to provide instant transfer of funds between member banks, reducing expenses and streamlining reconciliation. Faster and simpler than ACH transactions, RTP brings the convenience and speed to banking transactions that businesses expect in today’s instant-digital world. And in the case of card transaction settlement, RTP provides a vastly superior means for merchants to receive their money fast. However, while RTP is a system long overdue in the US, it comes with its own set of risks.

Oftentimes, increased transaction speed goes hand in hand with decreased fraud controls. And fraudsters are quick to jump on opportunities. That’s just what has happened in the UK, which has had an RTP system since 2008. Invoice fraud has become a serious problem for consumers. Fraudsters manage to trick consumers into paying a legitimate-looking invoice that appears to come from a trusted vendor. Keep in mind that with RTP, money is transferred instantly, and once it’s gone, it’s really gone. Thieves are quick to move funds, making it nearly impossible to recover.

In addition to invoice fraud, thieves are taking advantage of transaction speed to take over and drain consumer accounts using stolen credentials. Again, because it’s so easy to transfer funds, fraudsters can quickly move money through multiple burner accounts until it’s no longer possible to track. Really, all forms of money laundering are made easier with RTP.

So what are FIs in the US doing to combat this risk? RTP security requires a multi-step approach. Since RTP eliminates the opportunity for manual risk evaluation, member FIs are turning to advanced machine learning and behavioral analytics that can spot questionable transactions much more effectively than the old system ever could. Another area of risk is account number theft. While we’ve made great strides safeguarding consumer account data for credit and debit cards, with RTP it’s imperative to secure bank account numbers. Fortunately, just as tokenization has cut fraud for card account purchases, tokenization can also protect bank account data.

While FIs are stepping up their fraud-prevention game in response to RTP risk, it’s a shift that needed to happen anyway. Investing in cutting edge fraud control technology can only help clear the way for additional innovation in B2B and C2B transactions in the future.

Managing Risk in IoT: 4 Key Approaches
https://goebt.com/managing-risk-in-iot-4-key-approaches/ Tue, 09 Oct 2018 08:00:00 +0000

The rise in internet-connected devices brings terrific benefits to retailers: easier inventory management, increased data collection, targeted customer promotions and much more. But this same connectivity can leave retailers vulnerable to data breaches due to hackers and malware. When considering implementing IoT applications in a business setting, retailers need to manage risk with these 4 approaches.

1. Manage Remote Access

Most major data breaches happen through remote access. Thieves manage to hitch a ride into a retailer’s network using the access gained from a third party. That’s how the infamous Target breach of 2013 was accomplished: thieves used an HVAC vendor’s remote access to break into the network and steal 41 million customer payment card accounts.

Eliminating remote access isn’t the answer. Remote access is an essential tool for business productivity. As IoT continues to expand, remote access applications will only increase. Any business using remote access must take the necessary steps to segment their network to protect cardholder data and limit vendor access to only pertinent areas of the network. Securing remote access isn’t a place to take shortcuts.

2. Regulate Connectivity

Between IoT connectivity, remote vendor access, work from home employees and much more, a business might have countless devices accessing their network on any given day. And there’s no way to know what sorts of security standards these devices were (or weren’t) built with. Therefore, policing has to happen on the retailer’s end. It’s crucial to develop a company-wide security policy, providing for secure connections and delineating which devices are permitted to connect. In the largely unregulated world of IoT, anything less is an open invitation to thieves.

3. Maintain Compliance

Take it from the experts: the best thing a business can do to protect itself from risk is to follow established security protocols to the letter. PCI standards are complex, but they’re both effective in protecting payment data, and regularly updated to combat new threats. Europe’s rigorous GDPR standards protecting personal privacy will likely make their way to our shores over the coming several years as well. In the meantime, by following best practices such as minimizing storage of sensitive data, securing data in silos or other approved means, and transmitting data only through approved encryption methods, businesses can minimize opportunities for breaches.

4. Watch and Wait

Over time we can expect the wildly unregulated world of IoT to be brought in line. As manufacturers pay more attention to the security they’re programming into their IoT devices (and as they’re penalized for failure to do so) we’ll see more uniformity and control in the ways devices connect and in the services they can perform. Until then, businesses need to exercise extreme caution in protecting themselves and their customers from IoT related breaches.

Unattended Payments: 3 Fraud Risks for Your Retailers
https://goebt.com/unattended-retail-3-fraud-risks-for-your-retailers/ Wed, 22 Aug 2018 08:00:00 +0000

Unattended retail is a great way for your retailers to cut labor costs and build efficiency. From grocery self checkout to payment kiosks, unattended retail is growing in popularity every year. But it’s important to realize that unattended retail comes with some unique fraud risks. Be aware of these risks so that you can help your merchants develop wise loss prevention strategies.

Unattended retail fraud risks come from three distinct angles:

  1. Thieves using the technology to steal products directly
  2. Thieves using the technology to steal data
  3. Thieves using stolen data to buy products

First let’s look at the risks of direct product theft:

1. The Five-Finger Discount

If you think self checkout is a tempting opportunity for thieves, you’d be right. Retail self checkout is a major source of shrink. Some of the theft schemes are so common, they even have names. There’s the banana trick, where an expensive item like steak is weighed with a cheap produce code like bananas. With the pass-around, customers pretend to scan an item before dropping it into the bag. And finally, there’s the switcheroo – just as it sounds, replacing an expensive item’s barcode with a cheap one.

While these names might make you smile, they’re a real problem for merchants. Some studies [1, 2] have shown that up to 20% of shoppers admit stealing items at self checkout.

To reduce shrink, your retailers need more than a staff member monitoring the self checkout corral. Consider adding a layer of technology. Developers are producing AI that can visually recognize products and verify whether scanned prices are accurate.

Some providers offer video-based solutions ready to be implemented today. Take a look at Stoplift, which boasts ease of POS integration as well as PCI compliance. And what’s more, they provide several entertaining (and alarming!) real-life videos of self checkout thieves in action.

2. Skimming for Profit

Now let’s consider how unattended retail can be mined for data theft. Skimmers are an ongoing problem for fuel pumps and ATMs. Recently, this risk has expanded to other unattended retail providers such as car wash payment kiosks, vending machines and even grocery checkout units.

Bluetooth skimmers can be inserted deep into a card reader slot, undetectable to the eye. In the past, thieves would have to physically pull a skimmer from a card reader to access data, but these days technology makes it awfully convenient. In what’s called blue skimming, thieves can simply park nearby and download data in real time via Bluetooth.

So how can your merchants prevent skimming? To start, you should instruct merchants to check their equipment regularly for signs of tampering. Measures such as security tape on fuel pumps can keep thieves from disassembling equipment and installing skimmers.

But with skimmers inserted into the card reader, merchants need to fight fire with fire. For Android and iOS, your merchants can easily download apps such as Skimmer Scanner or Card Skimmer Locator (on the iOS App Store) to check their machines for common Bluetooth skimmers.

However, keep in mind that these solutions are just a patch on the problem. The underlying problem remains the use of mag stripe transactions. For the ultimate fix, urge your merchants to upgrade to chip technology, even if they are in a vertical currently exempt from EMV penalties.

3. NFC: Bypassing EMV Security

While EMV upgrades will prevent mag stripe skimming, clever thieves have still found a way to bypass EMV security using NFC (tap and pay). Since the EMV shift, most retailers have upgraded their POS hardware with NFC technology. It’s ironic that this move meant to increase security has left a back door wide open.

As it turns out, it can be easy to add stolen credentials to Apple Pay, Samsung Pay and Google Pay. While large issuers like Citi require two step verification before allowing a card to be added to a payment service, thieves have learned that many smaller issuers don’t bother. Thieves simply snap a photo of a counterfeit card, or even enter the data manually. And within minutes, they’re in business.

By using unattended retail, thieves don’t have to worry about showing a matching photo ID to a cashier. Depending on the issuing bank’s alertness, thousands of dollars can be siphoned away before the fraud is noticed. Are your merchants liable for these fraudulent transactions? They shouldn’t be, but it may be a hassle to convince the issuing bank otherwise.

Final Thoughts

Without doubt, unattended retail is the way of the future. And while this sector cuts labor costs, it still requires a level of retail supervision. From minimizing shrinkage to staying on top of equipment upgrades, unattended retail is not necessarily effortless retail. Help your retailers take the right steps to manage this payment environment, and you’ll make it as frictionless and profitable as it can be.

Payment Security: Cutting Through the Terms
https://goebt.com/payment-security-cutting-through-the-terms/ Wed, 23 May 2018 08:00:00 +0000

Merchants are intensely concerned about payment security. And rightly so, considering the destructive costs of data breaches. However, when you try to explain PCI compliance, you probably notice their eyes glazing over.

If you want a busy merchant’s cooperation, you’ve got to be able to explain payment security in terms that are simple and direct. Unfortunately, in the busyness of merchant services, security terms and concepts can sometimes become a little fuzzy for all of us.

Let’s review some data security terms and what they mean to you. By understanding the foundations of payment security, you as an acquirer can communicate the priority of PCI certification to your merchants, and make sure your payment solutions are meeting merchants’ needs.

Here’s What You Need to Know:

PCI SSC: PCI SSC (Payment Card Industry Security Standards Council) is an independent group that sets, develops and modifies globally accepted payment card industry security standards. PCI is supported by all the major brands, although merchants may not be quite so enthusiastic about the work involved in meeting requirements. Remember that the PCI SSC website is an invaluable resource for merchants and acquirers alike: you can find everything from basic information pamphlets to in-depth technical requirements.

PCI DSS: PCI DSS is the list of data security standards merchants must follow. PCI DSS standards vary based on the merchant’s payment scenario. As security risks and payment technologies evolve, these standards are regularly revised, so it’s important to make sure your merchants remain in compliance with changes.

PCI SAQ: The PCI SAQ (self assessment questionnaire) is a document merchants are required to complete annually and submit to their acquirer. This document, along with a signed AoC (Attestation of Compliance) certifies that the merchant is in compliance with PCI standards. There are several different SAQ categories based on a merchant’s payment scenario. It’s important for your merchant to follow the applicable SAQ.

EMV: Standing for Europay, Mastercard, Visa, EMV is a consortium supported by the 5 major payment brands that governs standards for chip card payments. EMV is responsible for the widespread adoption of tokenization as an encryption form for chip card transactions, and the resultant 75% drop in card-present transaction fraud.

Encryption: Encryption is the general term referring to the process of converting data to a code using an algorithm and a key. Secure encryption of PAN data is critical for payment security, and there are several methods by which it is accomplished depending on the processing environment. Encryption and tokenization are both effective means of protecting cardholder data, but in general tokenization is preferred due to faster processing times. Which leads us to…

Tokenization: Tokenization is a cryptographic method by which sensitive data is replaced with a token. The data can’t be decrypted without a token key, stored securely at the processing end. Tokenization is used quite successfully in EMV chip card transactions, as it renders stolen data useless. Tokenization is also used in CNP channels, though not exclusively. Visa Checkout, Masterpass and PayPal all utilize tokenization for ecommerce payments.
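To make the Encryption and Tokenization entries concrete (and the same idea applies to the bank account numbers the Real Time Payments post says need protecting), here is a minimal token vault. It is an added example written for this page, not the code of any payment provider or of the PCI SSC, and it assumes one common vault design: the token is random digits unrelated to the PAN, keeps the PAN’s length and last four digits so that receipts and customer-service lookups still work, is deliberately built to fail the Luhn check so it can never be mistaken for a real card number, and can only be mapped back to the PAN by the vault itself. A keyed hash (HMAC) serves as the lookup index so that the same PAN always yields the same token without the index leaking PANs. In a production vault the PAN store would itself be encrypted at rest; this demo keeps it in process memory, which is an assumption for brevity.

```python
import hashlib
import hmac
import secrets
from typing import Dict


def luhn_valid(number: str) -> bool:
    """Standard Luhn check used by card brands to validate a PAN."""
    if not number.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Vault-based tokenization: random token out, PAN retrievable only via the vault."""

    def __init__(self, index_key: bytes):
        self._index_key = index_key          # key for the HMAC lookup index (assumed to live in an HSM/KMS)
        self._by_token: Dict[str, str] = {}  # token -> PAN (would be encrypted at rest in a real vault)
        self._by_index: Dict[str, str] = {}  # HMAC(PAN) -> token, so the index itself never stores PANs

    def _index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def _new_token(self, pan: str) -> str:
        # Keep length and last four for usability; randomise the rest; never emit a Luhn-valid string
        # or a collision, so a leaked token cannot double as a usable card number.
        while True:
            head = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = head + pan[-4:]
            if token != pan and token not in self._by_token and not luhn_valid(token):
                return token

    def tokenize(self, pan: str) -> str:
        """Return the existing token for a PAN, or mint a new one. Rejects malformed PANs."""
        if not (13 <= len(pan) <= 19) or not luhn_valid(pan):
            raise ValueError("not a well-formed PAN")
        idx = self._index(pan)
        if idx in self._by_index:
            return self._by_index[idx]       # same PAN -> same token (recurring billing)
        token = self._new_token(pan)
        self._by_token[token] = pan
        self._by_index[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can turn a token back into a PAN; unknown tokens raise KeyError."""
        return self._by_token[token]


if __name__ == "__main__":
    vault = TokenVault(index_key=secrets.token_bytes(32))
    pan = "4111111111111111"                 # well-known test PAN, not a real account
    tok = vault.tokenize(pan)
    print("merchant stores:", tok, "| Luhn-valid:", luhn_valid(tok))
    print("vault recovers:", vault.detokenize(tok))
```

The contrast with encryption is what the glossary is getting at: an encrypted PAN is still mathematically tied to the key and ciphertext, whereas a vault token carries no information about the PAN at all, so a breach of the merchant's token store yields nothing usable and the merchant's PCI scope shrinks accordingly.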

P2PE: Point-to-Point Encryption is a data security standard that ensures the encryption of cardholder data at the point of the transaction terminal. Developed by PCI, P2PE is the gold standard for data security. Merchants who meet P2PE standards are ensuring the greatest security for themselves and their customers, although meeting these specifications is no walk in the park for acquirers or merchants.

E2EE: End-to-End Encryption is a catch-all term for various encryption solutions used in the market that encrypt data from the merchant’s terminal. E2EE is not the same as P2PE. E2EE is not supported by PCI and does not qualify merchants for a PCI scope reduction. E2EE effectiveness depends largely on the compliance of the providers involved in the transaction chain, and there is no group providing oversight or ensuring implementation.

When possible, P2PE is a better security option for your merchants; however P2PE is not available for all payment scenarios. In these cases, it is reasonable to offer merchants an E2EE solution.

Merchant services is no job for slackers. It’s a juggling act of processing, billing, customer service and marketing. And when you throw in ever-changing security requirements? It’s easy for the details to get lost in the shuffle. With a good understanding of data security, you can explain these concepts effectively to your merchants. In the long run, clear communications will mean better security for your merchants. Make sure the facts aren’t being obscured by the buzzwords.

Keep Merchants Informed About Payment Security
https://goebt.com/keep-merchants-informed-about-payment-security/ Tue, 27 Feb 2018 10:00:00 +0000

Next to price, the top factor in a merchant’s POS decision is payment security. Data breaches and fraudulent transactions present deadly risks to both businesses and their customers. Your merchants expect their payment service providers to keep this payment information secure.

However, as we all know, protecting your merchants can be a bumpy road. Merchants need security, but they don’t welcome any extra work to make it happen. How can you keep your merchants informed about payment security in a way that gets their attention, and most importantly, earns their buy-in?

While fraud threats are continually increasing and evolving, maintaining a secure payments environment is entirely manageable. The key to success is educating your merchants about the threats they face and getting them on board with PCI standards.

Compliance Failure

Merchants may not maintain secure payment standards for several reasons: a failure to understand compliance requirements, a failure to understand the impact of compliance failure, and a shortage of staffing in implementing standards. But what it all boils down to is this: merchants don’t follow best practices because they don’t actually view them as best practices.

Let’s face it, compliance isn’t fun. It’s dry, tedious, and takes your merchants’ precious time and attention away from the glittering ball of profit. PCI standards can seem like excessive and burdensome paperwork, but they’re truly the key to keeping your merchants on the rails.

Focus on the Bottom Line

Remember, your merchants care about making money. Merchants need to understand that failure to maintain secure standards will cost them this hard-earned money, either in fines or fraud (or both).

Thieves know that while large businesses have dedicated IT departments to maintain compliance and detect fraud, small businesses are often under-protected. And these unguarded targets are often easy pickings. Last year 61% of data breaches were targeted toward small businesses. According to First Data, the average cost of a data breach for small business was $36,000. And that’s not even factoring in the cost of forensic examinations, compliance fines, the loss of customers or damage to your merchant’s reputation.

No More Free Lunch

As we’ve moved through the EMV migration, merchants have been largely shielded from liability for noncompliance. Chargebacks under $25 were waived, multiple fraudulent transactions per account were limited, etc. Merchants found not in compliance have mostly received a slap on the wrist. But that free ride is coming to an end. As Visa is tightening up exemptions in April 2018, non-compliant merchants should expect to feel a pinch quite soon.

Significant fines may be coming down the pike as well. The payment brands have the right to fine acquiring banks $5,000 to $100,000 per month for PCI compliance violations. ControlScan explains, “the banks will most likely pass this fine along until it eventually hits the merchant. Furthermore, the bank will also most likely either terminate (the) relationship or increase transaction fees.”

Start on the Right Foot

Payment security requires cooperation at all points in the chain, from brand to bank to merchant. When signing a new merchant, take time to highlight penalties in the merchant account agreement – along with explaining the reasons for them. While it’s more pleasant to downplay penalties, merchants need to know the stakes they’re facing with payment security.

PCI Council has a wide library of merchant educational materials freely available for you to distribute. These materials should help make the compliance process a little easier for your merchants to understand.

By communicating the need for payment security, you will play a vital role in making sure your merchants continue to process transactions securely and profitably.

The End of Chip and Signature: What’s Next?
https://goebt.com/the-end-of-chip-and-signature-whats-next/ Thu, 15 Feb 2018 10:00:00 +0000

The POS industry is being disrupted at a head-spinning rate. Every season, manufacturers and software providers are rolling out new payment options that don’t just tweak previous methods, but completely eclipse them. And changes don’t just rest with hardware. Acquirers and merchants continually have to adjust their procedures to meet evolving data standards.

While new technology is great, and data security is essential, this pace is beginning to leave merchants clutching their wallets and saying “no more.” After all, we’ve just gotten over the EMV hurdle. Changes are expensive: hardware costs are a drain on the bottom line. And when you factor in the uphill haul of employee training, you can’t blame merchants for flat-out lack of interest.

As a payment service provider, it’s your obligation to get your merchants ready to meet industry changes. And there’s a big one coming up in just a few months: the evolution away from chip and signature. Here’s the story:

Don’t Sign on the Dotted Line

First, the great news (from a convenience perspective, anyway). In April 2018, all the major credit card brands are dropping the signature requirement for POS purchases. As we all know, the signature is pretty much useless for fraud prevention. Anyone can scribble a squiggle using a stolen card. It’s great that brands have taken action to eliminate this unnecessary step.

Dropping the signature, combined with much faster chip processing speeds, means that consumers will be practically dancing through the checkout line. From this perspective, it’s a win for retailers. We should all expect to enjoy reduced friction. However, in the long run, issuers and acquirers may be shooting themselves in the foot. Here’s why.

Objections to Chip and PIN

During the EMV transition, the US payments industry missed a great opportunity to settle security once and for all by implementing chip and PIN. After all, the rest of the developed world uses a chip and PIN standard. But banks didn’t push for chip and PIN out of fear that friction would drive away consumer business. No one wanted to be the card that was sticky to use. While that’s understandable, the adoption of chip and signature has limited fraud prevention.

Now with the elimination of signature capture, transactions will be easier than ever. That’s a great outcome, but it’s guaranteed that consumers will object mightily to adding PINs to the process in the future, should that requirement arise.

Banks will likely object too. Card issuers just took an expensive hit provisioning chip cards to millions of Americans. For PIN readiness, they’ll have to reissue millions more. And since stolen card fraud pales in comparison to other sources of data breaches, there’s really not enough incentive for banks to force the issue.

Chip and PIN: What If?

Let’s imagine that chip and PIN does get passed in the US. What would that mean for your merchants’ transaction terminals? Fortunately, not a thing! EMV terminals are fully equipped to accept chip and PIN payments. In the long run, it would be preferable to invest in terminals with a shield to guard typed PINs from view. But for now, you could outfit your merchants with inexpensive add-on PIN shields for this purpose. They may look a little clunky, but they get the job done.

Alternate Solutions

Back to reality now. It’s obvious that improved card authentication is necessary. But if chip and PIN isn’t the answer, then what is? Biometrics may provide a great solution, once technology catches up with scale. Biometrics are passive, requiring little to no effort from consumers. And at least for now, they’re highly unlikely to be stolen.

While it may seem like biometrics belongs in Mission Impossible rather than your local grocery store, it’s becoming increasingly prevalent. We’ve already seen the widespread adoption of biometrics in personal tech. Apple iPhone uses thumbprint scans to authorize purchases. Samsung Galaxy offers retina scans to unlock the phone. Laptop computers use facial recognition to open user accounts. Right now, fingerprint readers are in widespread use in state agencies for functions like driver licenses, food stamps and social security. Even local daycares and churches have jumped on the bandwagon, using biometrics for door entry.

Biometrics in POS Systems

For payments, biometrics are not yet a viable option. Visa and Mastercard have performed some pilots, but the technology is not quite there to issue biometric cards affordably on a mass basis. However, biometrics are incredibly valuable on the business backend. Fingerprint readers can be easily integrated into tablet POS systems. They enable a number of practical functions that your merchants can use today.

Biometrics is an excellent way to tighten up operations and cut fraud internally. Passwords, entry cards, and physical keys can easily be shared among employees, leaving employers without accurate record keeping. For time and attendance, biometrics requires each employee to be present to sign in, eliminating “buddy punch” fraud. Biometrics helps cut fraudulent returns, voids and gift card sales, as each employee is accountable for their actions via an undeniable, unique login. And best of all, with improved record keeping, biometrics can help merchants meet PCI compliance standards for data security.

It’s clear that merchants are not interested in new technology for technology’s sake. But the fact remains that new security technology – from tokenization to biometrics – brings a real, measurable benefit to your merchant’s bottom line.

We all pay for fraud losses. Even though PCI compliance may enable merchants and acquirers to avoid fraud charges, these costs don’t simply disappear. They just get pushed farther down the line, and they come back to your merchants in the form of greater transaction and settlement fees. By promoting better security at the point of sale through chip and PIN, biometrics, and various forms of tokenized payments, we can reduce costs for everyone in the payments ecosystem in the long run. Encourage your merchants to embrace these changes.

Noticing Patterns: 3 Ways Breaches Happen
https://goebt.com/noticing-patterns-3-ways-breaches-happen/ Tue, 13 Feb 2018 10:00:00 +0000

POS systems are a hot target for data thieves. The complexity of payment systems makes it difficult to block all threats. Much like a game of Whack-A-Mole, by the time one weak spot is patched, hackers are already on to the next con.

As a payment service provider, you need a security solution that takes care of you and your merchants. With attention to fraud trends and some smart planning, that’s a goal you can achieve. Three top causes for POS data breaches are stolen credentials, insecure remote access, and merchant carelessness. Read on to find out how you can protect your merchants.

1. Stolen Credentials: Watch Where You Click

In 2017, 65% of retail breaches involved stolen credentials. Keeping login credentials secure is critically important, but it remains a weak spot. Despite publicity and educational efforts, people continue to fall for phishing emails. Last year, 7% of phishing email recipients opened a fraudulent attachment. While not all these incidents resulted in breaches, it still shows a lack of risk awareness. HR and accounting departments are particular targets for phishing emails, as these employees are accustomed to opening attachments in their normal line of work. Do your best to make your merchants aware of the risks of phishing.

2. Remote Access: Lock the Back Door

While remote product management is a great tool for all sorts of vendors, it can be dangerous in the wrong hands. Here’s a terrifying statistic: in 95% of breaches involving stolen credentials, hackers used those credentials with vendor remote access software to gain entry to customer POS systems. In fact, the Target breach of 2013, involving 40 million accounts, was caused by this very situation. Hackers got in through an HVAC company’s login and found themselves in a virtual candy store, as Target’s network was set up without proper segmentation to keep payment data separate.

Let that sink in for a moment. Basically, if fraudsters can figure out a password to get into a vendor system, and that vendor uses remote access software to connect with a customer, the risk exists that they can slip into a customer’s network – but only if conditions are right (or in this case, very wrong). Sloppy network security, and failure to set strong passwords, establish firewalls, or control access, can lead to devastating results.

Falling prey to remote access hacks is entirely preventable. PCI standards were developed for a reason, and full compliance will protect your merchants from the very real threat of remote access breaches. As a PSP, if you use remote access tools to manage your merchant base, it’s crucial to make sure your own housekeeping is in order. Be sure to follow all PCI regulations to the letter. Never cut corners on network security. And make sure your merchants know to set the same expectation for all their vendors.

As an additional fail-safe, advise your merchants to limit vendor access on a need-to-know basis. In the payments industry, these controls can be built in, as POS remote access software can be fully integrated or semi-integrated. At CDE Solutions, we use a semi-integrated platform. With semi-integration, we can troubleshoot, push files and manage a merchant’s tablet, but we do not have access to payment data on the merchant’s terminal itself. This separation of functions, combined with adherence to all PCI data standards, keeps payment data secure.

If you provide fully-integrated solutions, the situation can be a little more complex. In this case, strict adherence to PA-DSS regulations, combined with a dynamic IT team to install, monitor and control network interactions, is the solution to pursue.

3. Merchant Carelessness: Pay Attention to Details

Carelessness is another preventable source of breaches. While you may provide your merchants with the most sophisticated processing tools, if they don’t use the technology, the terminals might as well be doorstops. Clothing chain Forever 21 is just now coming off the tail end of a major breach. Hackers sneaked in through network access, and then were able to harvest customer card data because – get this – many stores never turned on the encryption on their POS devices. While Forever 21 is being tight-lipped about the scale of the breach, its seven-month duration makes it clear that many thousands of consumer accounts were compromised.

With proper store education and a little IT oversight, breaches caused by carelessness can often be prevented. Basic security measures are common sense to those of us in payments, but they might not be to your merchants. Don’t presume that merchants know the standards they should maintain. As a payment service provider, consider it part of your duty to provide ongoing education and access to industry resources to help your merchants maintain secure business operations.

Plan for the Best, Prepare for the Worst

Just as it’s important to have a disaster response plan for incidents such as flood and fire, merchants should also prepare a breach response plan. When a breach happens, panic is generally the natural response, but it’s not the most effective one. By planning in advance, merchants can minimize the impact and damage of a breach.

Depending on the scope of a merchant’s business, breach plans can be quite complex and may include contracting with a breach response provider to account for all contingencies. If that’s out of your merchants’ reach, a simple, do-it-yourself plan is far better than nothing. A Google search will lead your merchants to several online resources and templates for breach response plans. You might consider this guide from Experian for a head start.

So that’s it for our “big picture” overview of large-scale breaches. Next month, we’ll cover some new individual fraud tactics your merchants may face. To minimize fraud losses, your merchants need a well-rounded awareness of risk from both scenarios.
]]>
Your Call Center Should Be Aware of Payment Security https://goebt.com/your-call-center-should-be-aware-of-payment-security/ Wed, 06 Dec 2017 10:00:00 +0000 https://goebt.com/https-blog-cdesolutions-com-2017-12-your-call-center-should-be-aware-of-payment-security/

Is your call center ready to face new threats to data security in 2018? It’s important to understand the risks call centers face, and make a plan to protect your business and your customers.

2017 was a banner year in payment security – both good and bad. While EMV has slashed retail card fraud, fraudsters quickly turned their efforts to new channels. Last fall saw the worst data breach in US history with Equifax, which placed uncounted millions of consumer files into the hands of criminals. These two trends – the need for alternate avenues of payment fraud, combined with wide access to personal consumer information – have converged on the call center.

Since retail fraud is becoming less and less profitable, fraudsters have turned to call centers with alarming results. Research shows that call center fraud rose by 113% in 2016. Fraudulent attacks run the gamut, from individual attempts to gain control of a consumer’s identity and drain bank accounts, to mass infiltration of a company’s network through the installation of malware. Combined, these efforts pose a major threat that requires a multi-pronged approach.

Inside Risk

As with most businesses, call center data security risks come from both inside and outside the organization. Considering the high turnover, low compensation environment of many call centers, employees may pose an attractive target for compromise. According to Semafone, 11% of call center staff report being approached by people either within or outside their organization to access or share sensitive customer information.

It’s crucial to follow PCI DSS best practices to set up a secure operational environment to prevent opportunities for data theft. Consider setting up a clean room environment, excluding cell phones and locking out personal access to email and internet browsers. Monitor for signs of unusual employee activity, such as printing extra copies of customer information or downloading files to a USB drive. Common sense oversight can go far in maintaining data integrity.

Outside Risk

Mitigating outside risk must be approached on two separate fronts: inbound calls and IT systems.

Inbound Calls: Considering the recent data breaches, call centers are finding inbound calls to be an increasing source of fraud. Caller authentication is growing more difficult. Armed with stolen personal data, fraudsters are often quite capable of answering security questions. Verifying inbound phone numbers is of little help, as it’s easy to spoof caller ID, particularly over VoIP. Multi-layer authentication is the key to weeding out fraudulent callers. It’s wise to partner with outside experts to help manage this process. Of course, call centers should adhere rigorously to PCI DSS requirements, which are regularly updated to reflect best practices.

Keep in mind, fraudsters that dial your call center might not be trying to bilk your customers out of cash outright, but rather seeking to gain additional personal information, in order to build a more complete consumer profile for future fraudulent attempts. Don’t participate in their game. Educate your employees about what information they can and cannot provide. An educated workforce is less likely to fall prey to scams.

IT Systems: Smart IT systems provide the best defense against data breaches due to malware or information theft. Take the time to set up proper firewalls, antivirus software, and intrusion monitoring systems. These steps seem like common sense, but too often, corners get cut in IT. Call Center Management reports, “IT system development or maintenance of call centers do not always deploy the right security technologies, which introduces a number of network deficiencies that could easily be exploited by hackers.”

Human error remains a common entry point for malware infections – from accidentally downloading an attachment to visiting a compromised website. By keeping personal email and web browsing off internal-facing systems, you can provide a wall of separation that contains any resulting infection before it has a chance to rob you.

Today more than ever, call center data security is paramount. Considering the threats to payment security that have evolved over the past year, you can’t afford to neglect this aspect of your business. It’s vital to look both outside and inside for possible weak links. By following PCI DSS requirements, and carefully managing your call center staff, software and IT systems, you can go far in protecting your business and customers from threats.

]]>
Secure Hardware Storage: Why It Matters for Your Merchants https://goebt.com/secure-hardware-storage-why-it-matters-for-your-merchants/ Tue, 24 Oct 2017 08:00:00 +0000 https://goebt.com/https-blog-cdesolutions-com-2017-10-secure-hardware-storage-why-it-matters-for-your-merchants/

What’s the first word that comes to mind when you think about PCI compliance? Most likely “security” (or perhaps the word “headache”). But in either case, hardware storage is probably not your top consideration. And yet, PCI compliant hardware storage is absolutely crucial for your merchants’ data security.

Protect Your Merchants

Unsecured encryption keys, PIN pads and POS terminals can be a gold mine for data thieves and a nightmare for merchants. Thus, PCI has put a number of stringent requirements in place regarding device management, including how equipment is “produced, controlled, transported, stored and used.” These standards ensure that at all points in the life cycle, devices are protected from unauthorized access.

Look for Qualified Vendors

So what should payment service providers look for to protect their merchants’ devices? Work with vendors that are PCI PIN validated. Approved vendors, including CDE Solutions, have done the rigorous work involved in establishing dual-control secure storage and chain-of-custody tracking that meets PCI specifications. Bottom line: by partnering with a PCI compliant support partner for hardware storage, payment service providers can greatly reduce the risk of equipment compromise prior to merchant deployment.

Meeting Security Standards

Wondering what makes hardware storage secure? Here’s an overview of the specifications for point-of-interaction (POI) devices:

  • POIs are kept in locked storage with dual access control.
  • POI access is restricted to a small set of authorized employees.
  • POIs are both stored and shipped with tamper-evident security features.
  • The vendor documents the POI’s complete chain of custody.

For more in-depth details, you can review the standards here. These measures, and more, are designed to protect device integrity, ensuring optimal function in the field and protection for merchants and consumers.
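To make the list above concrete, here is an added example of how a storage vendor might check its own chain-of-custody records for the properties the post names: every hand-off signed under dual control, an unbroken sequence of holders, and tamper-evident seal numbers that match from one hand-off to the next. This is illustration code, not CDE Solutions’ system and not the text of the PCI PIN standard; the signer roster, seal numbers, locations and serial number are all constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List

# Constructed roster of staff allowed to sign a custody hand-off (assumption for the example).
AUTHORIZED_SIGNERS = {"alice", "bob", "carol", "dave"}


@dataclass
class CustodyEvent:
    ts: str              # ISO-8601 timestamp of the hand-off
    holder_from: str     # party releasing the device (location or person)
    holder_to: str       # party receiving it
    seal_in: str         # tamper-evident seal number verified on receipt
    seal_out: str        # seal number present when the device is re-secured/dispatched
    signers: List[str]   # staff who jointly signed the hand-off (dual control)


def verify_chain_of_custody(serial, events):
    """Return a list of findings (empty if the record is clean).

    Checks, per event: two distinct authorized signers (dual control);
    timestamps strictly increasing; the releasing party equals the previous
    receiving party (no custody gap); the seal verified on receipt equals the
    seal recorded at the previous dispatch (tamper evidence carried through).
    """
    findings = []
    prev = None
    for i, ev in enumerate(events):
        distinct = set(ev.signers)
        if len(distinct) < 2 or not distinct <= AUTHORIZED_SIGNERS:
            findings.append(f"{serial} event {i}: dual control not met (signers={ev.signers})")
        if prev is not None:
            if datetime.fromisoformat(ev.ts) <= datetime.fromisoformat(prev.ts):
                findings.append(f"{serial} event {i}: timestamp not after previous event")
            if ev.holder_from != prev.holder_to:
                findings.append(f"{serial} event {i}: custody gap ({prev.holder_to} -> {ev.holder_from})")
            if ev.seal_in != prev.seal_out:
                findings.append(f"{serial} event {i}: seal mismatch (expected {prev.seal_out}, found {ev.seal_in})")
        prev = ev
    return findings


# Constructed sample records for one device (serial number is a placeholder).
SERIAL = "POI-EXAMPLE-0001"

GOOD_CHAIN = [
    CustodyEvent("2017-10-01T08:00:00", "manufacturer", "vault", "S-1001", "S-1001", ["alice", "bob"]),
    CustodyEvent("2017-10-05T09:30:00", "vault", "courier", "S-1001", "S-1001", ["carol", "dave"]),
    CustodyEvent("2017-10-06T14:00:00", "courier", "merchant-4471", "S-1001", "S-1001", ["alice", "carol"]),
]

# Same device, but one signer signed twice, and the last hand-off came from an
# undocumented location with a seal number nobody recorded applying.
SUSPECT_CHAIN = [
    CustodyEvent("2017-10-01T08:00:00", "manufacturer", "vault", "S-1001", "S-1001", ["alice", "alice"]),
    CustodyEvent("2017-10-05T09:30:00", "vault", "courier", "S-1001", "S-1001", ["carol", "dave"]),
    CustodyEvent("2017-10-06T14:00:00", "warehouse-b", "merchant-4471", "S-9999", "S-9999", ["alice", "carol"]),
]


if __name__ == "__main__":
    print("good:", verify_chain_of_custody(SERIAL, GOOD_CHAIN))
    for finding in verify_chain_of_custody(SERIAL, SUSPECT_CHAIN):
        print("suspect:", finding)
```

The suspect record produces three findings: the first hand-off lacks a second signer, and the last hand-off shows both a custody gap (the courier never handed the device to “warehouse-b”) and a seal that does not match the one recorded at dispatch. Either of the last two is exactly the signal that a device may have been opened or substituted between the vault and the merchant, which is the risk the storage requirements exist to catch before deployment.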

When considering the runaway disaster of data breaches, secure hardware storage is absolutely crucial for your merchants. By partnering with a PCI compliant hardware storage provider, you can help your merchants avoid this danger. After all, PCI standards are not just paperwork, they’re truly best practice.

]]>