February 3rd, 2012
A Canadian man, Adekunle Adetiloye, was sentenced to almost 18 years in prison for what people are calling one of the most high-tech bank robberies in the history of the United States.
Adetiloye is accused of coming up with the idea of opening hundreds of fraudulent bank accounts and stealing the identities of thousands for various other illegal activities. Fake names were used to open credit cards, and even mailboxes.
Erickson, the federal judge, said in court documents ahead of the sentencing that the evidence “indisputably demonstrates” that Adetiloye was a leader or organizer of the scheme. The judge calculated losses to banks at about $1.5 million, but said it could have been as high as $5 million if credit limits had been maxed out.
Read more: http://www.foxnews.com/us/2012/01/23/canadian-man-faces-up-to-22-years-for-credit-fraud-766748891/
February 2nd, 2012
One thing that people may not have thought of a few years ago is the tablet at the table. iPads are being utilized for many different reasons by people all over the world. But for one California-based company, they are the menu! Stacked began using the iPad as a way for customers to fully customize what is on their dinner plate.
Using the iPads, guests can add or omit ingredients on each burger, pizza or salad. And unlike most restaurants that charge the same for any cheeseburger, even if you hold the cheese, guests at Stacked only pay for what they specifically order.
Ideally, this chain is allowing customers to get exactly what they want, while paying for only what they are getting, and the iPad is allowing them to do this!
Read more: http://nrn.com/article/game-changers-ipads#ixzz1l3hwWi15

February 2nd, 2012
In March 2010, a state data breach law provision went into effect. This March, all businesses that store personal data of MA cardholders need to make sure that they are fully compliant. The law is in place to ensure security of cardholder data. Most of the law is already in full force. This final step is regarding third party data.
March 1st, 2012 is a very important date for merchants.
After that date, all companies with personal data on Massachusetts residents will be required to have specific language in third-party contracts that obligates their vendors to employ reasonable measures for protecting personal information. The law doesn't mean that companies are going to have to audit the third party vendors that they choose to use; it simply means that they need a contract stating that the data is secure, and by what means.
For more information, see http://www.computerworld.com/s/article/9223709/Final_phase_of_Mass._data_protection_law_kicks_in_March_1?taxonomyId=19

October 11th, 2010
If you are a business owner, chances are that you have gotten the runaround from a credit card processing provider. Below are some tips to go by when choosing your provider.
Do not agree to an account that has a cancellation fee. Make sure you read all of the fine print in the application and processing agreement. Some companies have cancellation fees ranging from $250 to thousands of dollars. This is to make sure you stay with the company, regardless of the service they provide for you.
Compare companies. Find at least three possible companies, and then compare all of their pricing. Make sure the processing companies know that you are comparing, to ensure that they give you their lowest pricing.
PayPal is okay in the beginning, but as your business grows you will need a merchant account. PayPal's fees will eventually outweigh profits. If you expect a good traffic flow, a merchant account is the way to go.
Avoid leasing equipment. You can get a terminal for less than $200 outright, which would pretty much be the first, last, and shipping payment of your lease. Avoid spending $1000 extra by purchasing your terminal outright. It is beneficial to get a standard terminal and upgrade when you have the funds to do so, rather than being stuck in a lease and paying 10x the price of the equipment.
Remember, credit card processing rates and fees are flexible. Most companies have the option to change a few things around to suit your business type.

September 17th, 2010
For businesses, it is unacceptable to charge customers a higher price when paying by credit card or to impose a minimum sale price to utilize a credit card.
When a business transacts business by credit card, the credit card processing company charges a percentage of that purchase, as a service fee. This fee helps pay for the services of the bank. If a business imposes a high price to credit card customers, they are passing down the fee that they incur.
While Visa/Mastercard have their own terms, some states even have laws against surcharging. Surcharging is against the rules of Visa/Mastercard and is highly frowned upon by American Express. American Express has a discrimination policy in effect as well. If a business accepts Visa/Mastercard, they cannot impose a fee to customers using an American Express card.
Some businesses require a customer to purchase a minimum amount of products in order to use a credit card. It’s usually $10-$20 worth. They don’t feel that it is worth it to process small amounts through the terminal because of the fees that they will incur.
This minimum defeats the purpose of credit cards: convenience. Minimum charges vary from business to business and there are no regulations in regards to disclosing the terms. This is why minimum charge amounts are prohibited. If a merchant accepts Visa/Mastercard and follows their no minimum charge policy, they cannot make American Express customers purchase a minimum amount of products.
In short, Visa/Mastercard DO NOT allow merchants to impose higher prices to charge card customers, and DO NOT allow merchants to impose minimum purchase requirements.
Customers can inform card issuers and action will be taken against businesses that do not practice in accordance with these policies.

September 17th, 2010
Whether you are a small, midsized, or large business, odds are that you will benefit by accepting credit card payments. Merchant accounts get your online businesses running and bring your brick-and-mortar businesses increased sales.
In order to decide which merchant service provider is right for you, you need to know exactly what you want. Most merchant service providers offer more plans and services than you could ever imagine. Look at your options before deciding on a provider.
A huge advantage to getting a merchant account is the ability to accept credit cards. People expect that they can pay with a credit card anywhere they go nowadays. If you don’t accept credit cards, the customer will find another place with the same product that does. The time to get on board with processing is now, as card use is only expected to increase in the future.
There are a few different ways that your company can accept credit cards. The most common type of account is the retail, or swiped, account. This type of account allows the customer to swipe their card through the terminal when making a purchase. Processing fees are minimal on this account type because it is a low risk account.
Another way to accept credit cards is through your website. Your customers will have the ability to key in their own credit card information to make a purchase through your website. The information is then sent to the processor for processing.
If you are an “on site” business, taking a manual imprint of the card is probably your most cost efficient option. Take the imprint while you are on site, and key in the card information when you are back at the office through a landline terminal.
Lastly, there’s the virtual terminal option. This feature allows you to go to the processor’s website and key in card information yourself. This option is good for phone orders and on-site sales. Log on from any computer.
So, take some time to look around and see which option would benefit your business. Remember to check with different providers as rates and fees vary by processor.

January 4th, 2010
Many ISOs and MLSs do not fully understand the initiative for enhanced pinpad security, which is now being managed by the PCI Security Standards Council (PCI SSC) PIN Transaction Security program. Normally, it’s not that merchants and those servicing their accounts don’t want to comply; it is that they do not know where to start in the process. There are many terms and acronyms used to speak about the process, which makes it all the more confusing.
Compliance dates are approaching fast. In this article, I will give a basic explanation of PCI compliance.
What’s the big deal?
Cyber thieves are continuously targeting credit card data, but it is the data along with the PIN numbers that is the goldmine. Why is this?
Counterfeiting credit cards and making multiple purchases can definitely provide a criminal with a decent living, but the PIN number gives the thieves information that can deplete the cardholder’s bank account.
New tools have been developed by criminals, like memory scraping malware, to snatch PIN numbers of consumers.
A Verizon Business webinar reported that a Russian gang of criminals offers a data encryption cracking device for a fee. If you ship a POS PED to the gang, they will return the keys within two days for $250,000, or you get your money back, according to a RetailPayments blog.
It is almost unimaginable for decoding to take place in such a short amount of time, but with rising demand and new technology, the number of these decoding devices is rising at an alarming rate.
What is this all about?
The PED security requirements issued by Visa apply to all hardware that accepts PIN entry card transactions. They are designed to ensure security of these transactions. A PED usually consists of a screen display, keypad, a processor, storage, and firmware for PIN processing.
Data is kept secure by not allowing the device to produce a clear text PIN. If the device fully meets all security requirements, it reduces the chance of the device being embedded with a bug that would disclose PIN information.
The security requirements also have guidelines for the management of devices up to the point of initial loading of the acquirer’s secret encryption keys.
Device management includes its manufacturing, encryption, delivery, and even storage. These guidelines are made to reduce unauthorized modifications to the device during its lifecycle.
How has the PED security standard become enhanced?
The PED standard was restructured along with the PCI data security standard. In 2004, the Visa company mandated that all POS PEDs had to support triple data encryption, and be approved by Visa directly. MasterCard and JCB followed and joined Visa to come up with joint security and approval requirements.
The PCI SSC gained full responsibility in 2007 to be the source of information for all PED requirements and the PCI PED approval list.
What are the different kinds of PEDs?
-Unattended devices: Made for self-service situations, like pay-at-the-pump, ATMs, and kiosks.
-Attended devices: Sales clerk managed: retail stores, delis, etc.
-Hardware security modules: Support various debit features. Not customer facing.
How do merchants comply with POS PED requirements?
Merchants must ensure that they are using PCI PED approved pinpads with their terminals. Devices that aren’t approved need to be out of use by July 1, 2010, if they have not been upgraded to the new security standards.
You can check your device against one of two lists. Visa has a list of all approved devices, as does PCI SSC.
The lists can be found at:
www.pcisecuritystandards.org/security_standards/ped/pedapprovallist.html
https://partnernetwork.visa.com/vpn/global/category.do?categoryId=19&documentId=33&userRegion=1
What is the TDES in regards to PED security?
In addition to ensuring that your pin devices are all approved, Visa mandates that all devices be enabled with TDES by July 1, 2010. TDES is an encryption standard that greatly strengthens the encryption and reduces the risk of a compromise from an attack.
Acquirers can be assessed fines for having merchants that are using noncompliant PIN devices by August of 2012. Even though it seems far away, the July 1st mandate should not be ignored.
If a PIN is compromised resulting in a data breach, the acquirer may not be protected by Visa’s liability protection program. The acquirer could be liable for penalties associated with the breach.
Although the acquirers are not being fined until 2012, Visa reserves the right to fine the merchant directly at any time.
How do merchants comply with TDES?
A merchant must determine if the pinpad used is Triple DES capable. Most pinpads purchased in the last five years are capable of this feature.
If you already have a Triple DES capable pinpad, you can make arrangements with your provider to have the pinpad injected.
Older devices were only made to support single DES. These terminals must be upgraded to new devices. External pinpads are also an option.
Start planning!
July 2010 is not that far away.

November 25th, 2009
On October 8, 2009, people opposing the interchange status quo had another chance to get the support of Congress with a hearing held before the US House Financial Services Committee. The hearing was held in order to accept testimony on the Credit Card Interchange Fees Act of 2009, HR2382, and the Expedited CARD Reform for Consumers Act of 2009, HR3639. Instead of a serious attempt to address interchange legislation, the hearing seemed to be more of a formality in regards to HR2382.
During the hearing, Committee Chairman Barney Frank, D-Mass., made it clear that he didn’t want to enact legislation that would move up the implementation date on parts of the Credit Card Accountability, Responsibility and Disclosure Act of 2009.
Strict limits were established on how and when banks can increase rates on credit card holders with the Credit CARD Act of 2009. In February of 2010, these limits are supposed to take hold. Frank and many others want to move it to December 2009 because many banks are hiking up rates now in an attempt to make a last minute profit.
Legislation Consideration
Last week, Rep. Peter Welch, D-Vt., the person that introduced HR2382, appeared before the House Financial Services Committee. He urged Congress to consider the struggle of the small business owner. Kathy Miller joined Peter Welch at the witness table. She is a constituent who owns a small country store in Elmore, Vermont. She complained to the panel that interchange charges cause her to lose money on small purchases. She insisted that business owners “just can’t keep absorbing fees and survive through these tough economic times.”
The Credit Card Interchange Fees Act, drafted by Peter Welch and sponsored in part by a bipartisan group consisting of 13 other House members, would let merchants impose a minimum purchase amount if consumers are paying by credit card. Visa and Mastercard would be prohibited from charging different interchange rates for rewards cards, public disclosure of merchant agreements would be required, and the FTC would have oversight authority for the merchant acquiring space.

October 6th, 2009
Experts in the payment industry believe that lack of education and inactivity are the two biggest challenges when it comes to bringing Level 4 merchants into PCI (Payment Card Industry) DSS (Data Security Standard) compliance. Most small and medium sized merchants are still perplexed in regards to the purpose and language of PCI compliance, despite efforts by ISOs and MLSs (Merchant Level Salespeople).
In order to rectify this situation, ControlScan Inc., a PCI security and solutions provider, The National Retail Federation, and PCI Knowledge Base, a research firm, released a report called What Small Merchants Know (And Don’t Know) About PCI Compliance. Level 4 merchants are those that process less than a million transactions annually, or 20,000 transactions annually for web based businesses. The report was based on a survey of 220 merchants that were classified as Level 4.
The founder of PCI Knowledge Base, David Taylor, says that since PCI DSS was introduced in 2005, awareness has increased by 86 percent; however, a lack of intelligence has hindered a large number from taking action and becoming PCI DSS certified.
According to Taylor, many people that he has spoken to don’t believe that PCI is worthwhile, and they don’t feel that just because you are PCI compliant you are secure against a data breach. Payment security organizations are getting frustrated because the level of action and knowledge they are seeing is minimal. Positive feelings don’t just appear because you’re aware of something, a fact that Taylor has acknowledged.
Based on the survey, eighty-five percent of breaches occur with small businesses, and eighty-one percent of businesses that are breached and are subject to PCI compliance were not compliant at the time of the breach. Fines that occur when small businesses are breached are much higher than the cost of upgrading terminal systems and getting certified: $5,000.00 to $25,000.00 for every month of noncompliance!
All three organizations are offering the report on their websites at no charge. Determining the knowledge of merchants when it comes to acceptance and understanding, level of confidence in their PCI programs, risks associated with being breached, and money spent on compliance were the survey’s main goals.
The Vice President of Marketing for ControlScan, Heather Varian Foster, voices her concern by saying “My main worry is that these merchants think that they know more than they really do… they view PCI and security very high, but they don’t see how much risk they face, and that’s the dichotomy. And certainly through our partnership with the NRF and PCI Knowledge Base we are working to help educate all those involved.”
Heather goes on to say that when merchants express their thoughts on PCI compliance, it means that they are willingly opening the doors for PCI services and products. She states “Most Level 4 merchants’ compliance rates are very low, so I think this is huge progress and something we can use as a platform to help them fine tune what they need to know and provide better service and instruction as an industry to keep them from being a statistic.” She believes that the merchants are asking for assistance and guidance in securing their businesses without it being too much to handle.
Helping merchants complete the Security Assessment Questionnaire and explaining the requirements in easily understood terms, so that they know what PCI compliance entails, can give ISOs and MLSs a way to take initiative in administering PCI compliance programs, according to Heather Foster. Merchants want to be informed, but they want their service providers to be their #1 resource.
Foster goes on about PCI education by saying “There really has to be specific training, so that what we’ve done through this partnership is to really drill down and target a focused education program so those ISOs and acquirers can position their PCI service as a value that ties to that level of support and have the opportunity to really distinguish themselves.”
As part of their product development process, many ISOs are starting to include PCI. Getting PCI beyond the check-the-box approach may be a challenge, but there are certainly ways to do it. The process has been made as simple as possible with the help of the NRF and PCI Knowledge Base.

October 6th, 2009
According to the third edition of The North American Market for 3rd Party Payroll, Payment & Healthcare Transaction Processing, a published report by Packaged Facts, a research firm and a part of Market Research Group LLC, the 3rd Party Processing market jumped in growth by more than eleven percent in the year 2008 to 61.9 billion. By 2013, it is anticipated to grow by another 57 percent!
Back-office tasks such as customer service, record management, accounts payable and receivable, payroll, transaction processing, human resources, and accounting are being contracted to third party services according to the report. To boost business, many major third party processors are offering mobile transactions and human resource outsourcing, among other new ideas.
Three sectors were focused on in regards to the outsourcing of data and payment transactions: payroll, electronic, and healthcare transaction processing. The Publisher of Packaged Facts, Tatjana Meerman, says “The drive for healthcare reform is helping to train public attention on using technology to streamline healthcare for patients and providers, a shift that won’t come overnight, but is likely.”
