Entries tagged with “regulatory compliance”.
A major internet service organization recently found itself the victim of a cyber security breach regarding financial data.

The company fell prey to hackers through a spear-phishing attack. Spear phishing is an attempt to obtain corporate information by sending an e-mail message that appears legitimate. The fraudulent message sometimes asks the recipient to click on a link to verify information; instead, that link can download spyware, Trojan horses, or other malware. That is what is believed to have happened in this breach: employees clicked on links in an e-mail, which apparently led to the installation of malware.

Besides giving the hackers access to e-mail, the scam also compromised content management systems, internal communication systems, and the company’s system for managing domains. Security enhancements the firm had implemented months earlier likely limited the unauthorized access the hackers sought.

While this company will no doubt be more vigilant in guarding against future spear-phishing scams, there’s a lesson here that businesses of any size and type can impart to their own employees: don’t click on links in e-mails that look suspicious, particularly if the message is asking for information. To learn more, contact us here at ProPay.

In the world of merchant processing, there are two different types of transaction processing: swiping and keying. With the constant accessibility of mobile devices such as tablets, smartphones, and laptops, more and more merchants are swiping, but why? To fully understand why more merchants are swiping cards rather than keying them in, let’s take a look at the difference between swiping and keying credit cards.

Swiping vs. Keying Credit Cards

The difference between swiping credit cards and keying them in is fairly self-explanatory. When swiping, the card must be present, and you typically need either a mobile device with a swipe adapter such as ProPay’s JAK or a computer/register with an internet connection. When keying a credit card in, the merchant has to hand-enter every card number, and the card itself doesn’t actually have to be present. So, why are more merchants avoiding keying credit cards? Three reasons: fraud, savings, and convenience.

Fraud Rates

The biggest reason not to key in credit cards is plain and simple: fraud. Because the card doesn’t have to be present for a keyed payment, the chance of a fraudulent transaction is much higher. Most thieves steal credit card numbers rather than the card itself and then place orders by phone or online, so the physical card is never seen. You can avoid these no-swipe fraudulent transactions altogether by only allowing customers to pay for merchandise when the card is present.

Savings

Because keyed transactions carry a higher fraud rate, credit card processors charge a higher rate for keyed transactions than for swiped transactions in order to protect themselves against fraudulent transactions. How much more do they charge? About .5% more per transaction. For example, credit card processors typically charge around 3.5% for keyed transactions, whereas ProPay only charges 2.29% for keyed transactions.

Convenience

Have you ever hand-entered someone’s credit card number only to realize you mistyped one digit and had to start all over? With swiping, you never have to worry about that problem again. You can also swipe anywhere, at any time—giving you the freedom and mobility your business needs to stay competitive in this economy.

To learn more about swiped rates visit ProPay online.

Being a merchant nowadays is very challenging – not only do you have to worry about the rebound from the recent economic recession, you now also have to worry about cyber security. According to TechCrunch, more and more retailers are succumbing to hackers.

Many retailers, including major clothing, home-improvement, grocery, and restaurant chains, have been attacked and successfully breached. “[one retailer] saw 56 million accounts compromised!” The article states that a major reason most retailers are being breached is that they haven’t converted from mag-stripe card readers to more up-to-date systems such as chip and PIN. If there’s a takeaway here: if you have a brick-and-mortar store, you should update your system to avoid a breach. Keep in mind that whether it’s your payment processor or you that gets breached, your reputation will take a major hit either way. Make sure to choose a cyber-secure payment processor – and update your hardware and software on your end as well.

ProPay has been providing thousands of merchants (with more joining each day) with excellent payment processor services since the 1990s. Contact us today to learn more about our state-of-the-art cyber security measures – and how we can help your business succeed further.

In discussions with small merchants about the Payment Card Industry Data Security Standard (PCI DSS), it is clear that there is still some confusion about exactly which payment acceptance channels must comply with the standard. It is not uncommon to hear merchants suggest that PCI DSS applies only to online payments. That is a very unfortunate misconception. All payment acceptance channels must be compliant with the PCI DSS. Depending on how many transactions you process annually, you may not be required to validate compliance, but being in compliance is always required – for every payment channel and every merchant.

As a small merchant, think about all of the different ways you might take payments. You might have a customer who calls and asks to place an order over the phone. How do you process that transaction? Do you save the card number in a spreadsheet (please don’t save the number in a spreadsheet)? Or do you enter the number in a virtual terminal so that you can securely process the payment and save the information for later use? Do you have a website through which you accept orders? Do you accept payments face to face using a mobile payment device? Each of the ways you accept payment must be compliant.

It’s rare to find a merchant that doesn’t require multi-channel support from their merchant service provider. It’s important to find a service provider that meets all the needs of your business model. More importantly, merchants should seek out service providers that can support and maintain compliance for each of those channels. Merchants should ask probing questions about how the transaction is secured, how the data is stored, and how long the company has been providing compliant services. Most importantly, merchants should fully understand where the liability lies in the event of a data compromise. If you’re storing numbers in a spreadsheet and your laptop gets stolen, that is considered a compromise under PCI DSS, and the fines, fees, and penalties can flow to you, the merchant. (You can read about Visa’s penalties here.) If you’re using a registered, compliant service provider to support your business and you’re not storing the data yourself, the service provider carries the liability for any compromise of that data.

It’s very important to understand the chain of liability when selecting a service provider, and even when selecting specific services from that provider. For more information about how PCI DSS impacts small merchants, you can check out the Payment Card Industry Security Standards Council (PCI SSC) resources for small businesses.

This may sound like I’m beating an old drum, but I think it’s important that this point be well discussed and well understood. When it comes to data protection, merchants (and sometimes even processors and other payment organizations) can become fixated on PCI DSS compliance. Compliance with the PCI DSS is important – don’t get me wrong. Protecting cardholder data is very important. Trust is the oil that keeps the payment rails running. Customers need to be confident that an everyday transaction isn’t going to lead to identity theft, or even just card data compromise. The industry as a whole has made tremendous progress in protecting cardholder data. But what about the other data in our systems? Are we paying attention to that? Maybe we are PCI DSS compliant, but are we adequately protecting Social Security Numbers?

This is a discussion that occurs frequently at conferences and workshops but doesn’t always get communicated at the merchant level. Let’s take a quick look at some of the existing regulations and the types of data they cover:

Payment Data / Customer Data:  PCI DSS; state PCI DSS laws (NV, WA); state data security laws (e.g. MA)
Health Information:            HIPAA; HITECH
Financial Information:         Gramm-Leach-Bliley Act; state data security laws
Company Information:           Sarbanes-Oxley (public companies); civil actions

Keep in mind that this is by no means an exhaustive list, but it does give some notion of the types of data, beyond just cardholder data, that have to be protected. In addition to these laws, the courts are rapidly setting precedent on implied warranties between customers and merchants. In other words, in taking data from the customer to facilitate the purchase, the merchant may have an “implied duty” to protect that data and may be held liable to customers in the case of a data breach. This area is rapidly developing and should be watched carefully.

The point here is that while compliance with PCI DSS is important, both for protecting consumers and for avoiding non-compliance penalties, companies should be aware of all the types of data in their environment. Knowing what kind of data is being stored is the first step toward taking the appropriate protective actions.