Archive for October, 2010

As we prepare to celebrate Halloween this weekend, we often think about how to keep our kids safe while they are trick or treating.  We make sure that they stay in our neighborhood and only visit the houses of people that we know.  We make sure that they can be seen after dark with reflective strips, flashlights, and glow sticks.  We encourage our older kids to stay with the group, and we even inspect our kids' candy before we let them eat it.  Many of these practices are things that we learned from our parents and are based on experience and common sense. Unfortunately, one of the greatest dangers to our kids often lurks right in our home…their computers.

With apologies for the sensationalism, it is imperative that we take the same precautions with our kids in the virtual world as we do in the real world.  In an open letter to parents in the FBI’s “A Parent’s Guide to Internet Safety,” Louis J. Freeh states, “Unfortunately the same advances in computer and telecommunication technology that allow our children to reach out to new sources of knowledge and cultural experiences are also leaving them vulnerable to exploitation…”

There are laws designed to protect children's privacy online. The Children's Online Privacy Protection Act, or COPPA, is perhaps the best known.  This law regulates the information practices of websites that target children under 13 years of age.  While this law is a good tool to protect our kids, it really only affects those businesses that are trying to market to kids.  The truly scary stuff is much more difficult to pinpoint and target for regulation.  Fortunately, there are a number of tips that parents can use to help protect their kids online, just as they would in the real world.  Some of those tips include:

  1. Place the computer in a common, family area. This allows parents to keep an eye on what their kids are doing online.
  2. Limit the time that children are allowed on the internet. Unlimited internet time gives kids more opportunity to overshare.  Understanding boundaries and limits on the sharing of private information is imperative.
  3. Install child protection software. There are a number of products that parents can install on the computer.  These can do a variety of things, from monitoring websites and preventing kids from visiting certain sites to logging keystrokes and maintaining chat histories.  While there are privacy considerations for parents and teens to talk through for older kids, these products will keep parents involved and aware of their children's online activities.
  4. Talk with your kids. Help your kids to understand that, while the internet is a wonderful tool, it can also be dangerous.  Let them know what is OK for them to do and what is not.  Know who their online friends are and what they are talking about.  As with any other area, being involved is the best way to keep them safe.

There are a variety of resources designed to inform parents on how to keep their kids safe online.  Some of those include:

SafeKids – online safety and civility

NetSmartz Workshop – this site is provided by the National Center for Missing & Exploited Children

iKeepSafe – Parent Resource Center

We hope that everyone has a safe and Happy Halloween!

Dr. Heather Mark, PhD. SVP of Market Strategy

Fraud happens through several different means, including credit card fraud, unauthorized access to sensitive information, and third-party fraud.  Third-party fraud, for instance, takes place when an unknown party accesses an account and initiates a transaction without the consent of the owner.  Many financial institutions are unaware of First Party Fraud (FPF).  First party fraud occurs when an individual opens an account with fabricated information and has no intention of paying on that account.  FPF is not a new form of fraud, but one that is often overlooked and booked to the wrong type of debt account.  Findings indicate that up to 20% of fraud, or $17 billion, is misclassified and should be categorized as First Party Fraud.

Keir Breitenfeld, of Experian's Decision Analytics team, states, "The lack of a uniform industry definition [for FPF] and subsequent operational treatment combined with the high probability that a large segment of FPF is currently classified as credit loss instead of fraud loss makes accurately quantifying the overall size of [the problem] challenging." (http://www.pymnts.com/first-party-fraud-why-you-might-be-at-risk/?hpb).  Because FPF is difficult to target with traditional prevention methods, improved reporting and monitoring may stop these fraudsters early on, or even prevent them from opening an account, and spare financial institutions the associated losses.  "…fraud does not discriminate.  It targets large and small-sized institutions, pursuing the path of least resistance." (TSYS whitepaper, Recognizing First-Party Fraud, Why It's More Important Than You May Think, Dale Daley and Rod Powers).

ProPay's Risk department monitors merchants applying for accounts on a daily basis.  The Risk department has controls in place at the application stage that check credit scores, first payment defaults, business type, and so forth.  The Risk department also regularly reviews accounts for abnormal transaction history in order to reduce the number of fraudulent transactions, and with them the amount of first party fraud.  Financial institutions that put such controls in place and identify FPF before it arises will lower their uncollectible debt over time.


Travis Allen | Risk/Marketing Coordinator, Emerging Markets

In the recently released PCI DSS version 2.0 there is a statement that is sure to cause confusion…it states:

Note: It is not a PCI DSS requirement to use PA-DSS validated applications. Please consult with each payment brand individually to understand their PA-DSS compliance requirements.

To (hopefully) answer the inevitable questions before they are asked, I will provide some clarification.  You can read more in the previous posts (#1, #2).

The PCI DSS is an industry standard.  Each card brand has responsibility for defining its own compliance requirements and enforcing compliance with its rules.  If a merchant accepts or handles Visa transaction data, then it must comply with Visa's operating regulations.  In the same way, Amex merchants must comply with Amex rules, and so forth for the other brands.

The PA-DSS is an industry standard which applies to payment applications sold, distributed, or licensed to third parties.  You can read more about the specifics in a previous post here.

Visa is currently the only card brand requiring that companies use compliant and validated PA-DSS applications.  Visa's PA-DSS mandates can be found here.

If your company stores, processes, or transmits Visa data, then it must comply with the Visa mandates.  If you do not store, process, or transmit Visa data, then you do not.  It is really that simple.

Chris Mark, EVP; Data Security & Compliance

Today, the Payment Card Industry Security Standards Council (PCI SSC) released the updated version of the Payment Card Industry Data Security Standard, PCI DSS version 2.0.  The SSC released a notice of the forthcoming changes in August, so the changes should not be too surprising. Most of the changes provide additional clarification around existing requirements.  A complete summary of the changes made to the standard can also be downloaded.

As the industry around the PCI DSS and securing payment transactions continues to evolve, it becomes increasingly clear that companies are being asked to devote a growing share of their resources to the protection of cardholder data.  At the same time, the ability to compromise that data is becoming democratized.  It is possible to order up customized malware in order to breach a company's security, so technical skills are not necessarily required to steal sensitive data from a company's network environment.  A recent post by Chris Mark even comments on criminal organizations trying to keep their competitive edge in the crimeware industry.  While criminals have the luxury of concentrating on the compromise of one company at a time, companies must not only try to prevent a breach from any source, they must also balance growing data security and compliance obligations.

While the card brands and the industry at large should be commended for taking steps to increase the baseline protections afforded to cardholder data, the fact remains that as long as the data has value to criminals, the threat to that data will not decrease.  So, how can a company continue to focus on its core competency while balancing these increasing security obligations?  Remove the data, remove the risk.®  By outsourcing the processing, storage, and transmission of cardholder data to PCI DSS validated service providers, companies can both reduce their compliance burden and remove the data that attracts the thieves in the first place.

Dr. Heather Mark, PhD.  SVP of Market Strategy

In Customer Service, we understand that rules and regulations can be a hindrance when it comes to taking care of our valued customers. Please know that by no means does ProPay wish to make things more difficult or to be less helpful when you contact ProPay's Customer Service Department. However, we must follow the industry's rules and regulations so that we may continue serving you.

PCI DSS compliance is the most important set of rules and regulations in the industry. A brief overview of PCI DSS compliance by Chris Mark, ProPay's EVP of Data Security & Compliance, states, "PCI DSS is industry standard. The Card Brands (Visa, MC, AMEX, JCB, Discover) all accept the PCI DSS as the standard for their respective security programs" (Mark, Chris, Compliance with PCI DSS…know the rules; http://blog.propay.com/index.php/page/3/). So how does this affect Customer Service's ability to assist you? It means that, as much as we want to do everything we can to help, such as logging in to your account to view what you see, providing "sensitive" information to help you with your account, charging credit cards for you, etc., we simply are not able to do so under the PCI DSS. What we can do is reset your password and help you regain access to your account. We can help you find where to retrieve answers to questions that ProPay is not able to answer over the phone. We can walk you through the process of charging a credit card. We can answer your questions and help you in every way possible.

Being PCI DSS compliant means ProPay will continue serving you. Your business keeps ProPay in business, so that we can continue being your credit card processor of choice. ProPay must follow the rules and regulations outlined by the industry, but we will do everything we can within those rules and regulations to assist you. We are here for our merchants and will be here for you for years to come. If you are not with ProPay, I encourage you to check out ProPay and compare us to our competitors. Please visit www.propay.com for more information.

Gary Fewkes

ProPay Customer Service Manager