The latest news about Heartland Payment Systems’ 2008 security breach revealed some alarming, yet important, issues about the reporting of breaches and responsibility of the players involved in data security.
Heartland’s 2008 data breach is believed to be the largest breach of that year, but Heartland was not the only company hit by the same hacker. According to Bob Carr, CEO of Heartland, most of the companies affected did not come forward. News articles, however, are blasting Heartland for not reporting the 2008 breach earlier so that customers and merchants could take precautions. While the Department of Justice has succeeded in capturing individuals behind the recent data breaches, this should be a strong sign to any company handling sensitive data that it needs to step up its efforts to prevent data loss.
Continue reading "Data Security: Who is Responsible?"
With the threats to data security in e-commerce, web application security should be at the top of the list of concerns for any merchant. If a survey conducted by the Open Web Application Security Project (OWASP) is any indication, organizations and merchants are only reacting to security threats after the fact, when they should be testing the secure coding of every web application that accepts electronic payments.
The Open Web Application Security Project (OWASP) was created to help improve the security of application software. The project, whose online home is a wiki site, is a community forum open to anyone, and its primary mission is to raise the visibility of web application security. The project also exists to help organizations make informed decisions about the security risks of web applications.
Continue reading "How Secure Is Your Web Application?"
As a merchant, you accept Visa, MasterCard, American Express and Discover. You have learned that each card brand has its own set of data security guidelines. So, which one do you follow? Good news! The card industry has made that decision for you.
A Little History
The PCI Data Security Standard (PCI DSS) version 1.0 was released in December 2004 by the major card brands (Visa, MasterCard, American Express, Discover and JCB) to align and strengthen security standards across the card industry, and in September 2006 the brands formed the PCI Security Standards Council (PCI SSC) to maintain the standard and educate the industry. Before the unified standard, each card company had developed its own data security program:
Continue reading "CISP, SDP, DISC…What Security Standard Do You Follow?"
The Payment Card Industry Security Standards Council periodically releases new versions of PCI DSS. The most recent is version 1.2, released in October 2008, which keeps the 12 requirements for protecting payment account data. These requirements address a broad range of data security, from software design to policies and procedures. Version 1.2 does not change the substance of the existing DSS; it clarifies the requirements and adds guidance at a time when many feel it is most needed.
There are two notable changes. One requires that off-site data storage locations be visited and validated as compliant with PCI DSS. The other imposes a sunset date on the use of Wired Equivalent Privacy (WEP). For those of us who don’t speak techie, WEP is the original encryption scheme built into Wi-Fi equipment to protect data as it travels across wireless networks; its encryption has been broken for years, which is why the standard is retiring it (version 1.2 also bars new wireless deployments from using WEP after March 31st, 2009). In previous posts, I have talked about WEP having to be upgraded by June 30th, 2010 to Wi-Fi Protected Access (WPA).
Here are the 12 core requirements as outlined by the card associations:
Continue reading "The Payment Card Industry Security Standard Dozen"
In 2005, a major card processor was brought down by a massive security breach. At least 68,000 MasterCard account numbers were reported taken from the CardSystems Solutions database, and approximately 40 million cards of various brands were exposed. Since then, the industry has rolled out PCI DSS and has come a long way in fighting these types of breaches…or so we thought.
On Tuesday, January 20th, 2009, Heartland Payment Systems, a New Jersey-based payment processor, disclosed that it had been hacked. Heartland processes about 100 million transactions a month for over 250,000 merchants. Although Heartland has not released figures on how many card numbers were compromised, the breach is expected to set a record. A breach of this magnitude will no doubt create a surge in fraudulent transactions across a wide range of merchants and affect card payments for a long time.
Continue reading "Heartland Security Breach Shakes the Card Processing Industry"
Business owners already have plenty to worry about with changing tax laws and employee wage laws; now they have to add Payment Card Industry Data Security Standard (PCI DSS) compliance to the mix. PCI compliance has evolved with each passing year, and business owners are up against new rules, restrictions, and deadlines every year. Some feel that compliance is expensive or too hard to achieve, but achieving PCI compliance does not have to be difficult.
PCI compliance is a key element in protecting cardholder data. So how can your business stay compliant without breaking the bank?
Continue reading "How Do Business Owners Keep Up With New Compliance Rules Each Year?"
Sales associates at retail outlets following proper security guidelines is a good start to protecting against fraud this holiday season. But what if you are an online business, or the magnetic stripe on a card does not work? In Part 1 of this topic, we talked about the proper procedure for accepting cards in a card-present environment. Transactions that don’t involve swiping a card are considered “hand-keyed” transactions.
Hand-keyed transactions carry a greater risk of fraud because the magnetic stripe data is not available to verify against the card. If you are in a retail environment you can do the following:
Continue reading "Tis the Season for Fraud – How Is Your Business Helping? (Part 2)"
Merchant services providers and merchants have been hearing about PCI compliance for the past few years, but there is often a lack of understanding about what is needed to become PCI compliant. Information picked up online or by word of mouth is not always correct. Better safe than sorry: do your research.
Some online merchants think that if they select a PCI-compliant gateway and shopping cart they are automatically PCI compliant. Online merchants need to remember that physical security and written policy are part of the process as well. Merchants are required to submit a Self-Assessment Questionnaire (SAQ) to their acquirer once a year, but submitting the SAQ alone may not be enough: employees must be trained on the security policies, and the business must keep assessing and remediating on an ongoing basis.
Merchants may think that PCI compliance is for large businesses and is too expensive for the average small retailer; however, the fines for noncompliance are far greater than the cost of compliance. A business that suffers a breach faces not only audit fees and fines but also a loss of reputation. Even if you are a smaller business, you are still required to be PCI compliant regardless of your transaction volume.
Continue reading "What Does PCI Really Mean to the Average Business Owner?"
Over the past couple of weeks I have run into many merchants that feel ripped off by their merchant sales representative. Time and time again I hear “I just didn’t know what to ask for.” As with any other purchase for your business, it is important to learn about the product.
Here is a list of common terms you should know when talking to credit card processing companies:
- Qualified Rate – This is typically the rate you are quoted when you sign up for a merchant account. It applies only to swiped, regular (non-rewards) retail cards. Be sure to ask what your Mid-Qualified and Non-Qualified rates will be.
- Authorization Fee – You may also be charged an authorization fee, the amount charged to your merchant account each time your software or point-of-sale terminal communicates with the authorizing network. Make sure you are not also charged a separate “transaction fee” for the same event; the two names describe the same charge, so you should not be paying it twice.
- Basis Points – Your sales agent may refer to basis points. Basis points express the percentage you are charged on a credit card transaction: one basis point is 1/100th of 1 percent, so a rate of 1.85% is 185 basis points. For some merchants, pricing quoted as a basis-point markup above interchange (often called interchange-plus pricing) is advantageous.
Continue reading "Terms to Know When Shopping for a Merchant Account"
We all frequently read about scams to look out for: warnings about packet sniffing, stolen card numbers, and the like. But the scams to really watch for are the ones sitting directly on your merchant account application, where fees seem to pop up only after you have signed the agreement.
One of the most common scams involves hidden merchant fees. The pitch entices merchants to apply for an account with a brief quote at a low rate while concealing other fees, rates, and extra charges. When applying for a merchant account, it is important to be wary of advertisements that claim to have the lowest rates around. Key fees to ask about are: discount rates, mid-qualified rates (keyed rates), non-qualified rates (rewards card and purchase card rates), transaction fees, setup fees, annual fees, statement fees, service fees, PCI compliance fees, merchant club fees, and early termination fees.
Continue reading "What Hidden Merchant Account Fees Should You Watch Out For?"