Posts Tagged ‘EMV Technology’

Then And Now: Data Security In America Since The Target Breach

Wednesday, December 16th, 2015
Data Breach - Ohio CPA Firm

The Target breach symbolizes the moment when the threat of personal data security violations became mainstream in America; and today, we don’t think about fraud in terms of if it will happen – it’s when it will happen.

It’s hard to remember a time when reports of data breaches, ransomware attacks and business email compromises (BEC) weren’t part of our daily lives. In fact, not so long ago we were pretty content to believe that the controls companies had in place were enough to protect us from the invisible threat of hackers and cyber criminals. But that was just a dream – and it wasn’t long before that dream manifested into a nightmarish scenario for one of the nation’s largest retailers.

Read Also: Businesses Beware: Sloppy Data Security Could Cost You

Two years ago, cyber criminals gained access to the point-of-sale systems belonging to Target. Authorities later learned that the hacker(s) gained access to about 11 GB worth of data (including highly-sensitive personal and credit card information). When the dust settled, about 70 million consumers nationwide were left vulnerable to identity theft and credit card fraud. This magnitude of this breach was huge and, as a result, companies everywhere made an effort to buckle down and implement a slew of “best practices.” But what has really changed since December 2013?

What Have We Learned From Target?

The Target breach symbolizes the moment when the threat of personal data security violations became mainstream in America; and today, we don’t think about fraud in terms of if it will happen – it’s when it will happen. But instead of becoming more vigilant about data security practices, it appears as though consumers have chosen a more desensitized reaction. These days we are content with trusting the credit card companies to notify us of any suspicious activity occurring on our account rather than implementing safer payment practices in our daily lives.

Retailers and credit card companies, on the other hand, have worked hard to make it more difficult for hackers to access their customer data. Since the breach, Target has:

  • Installed EMV compliant point-of-sale (POS) terminals in all stores to allow for transactions to be processed using a token instead of actual credit card numbers.
  • Joined two cybersecurity threat-sharing organizations in order to share and retrieve valuable information concerning data breaches and the source of those breaches.
  • Implemented more stringent firewall rules and governance procedures.
  • Constantly monitors and logs system activity.
  • Applied whitelisting technology, an administrative process that allows only preapproved applications to execute in a system, on the store’s POS systems.
  • Disabled or placed limited access on vendor accounts.
  • Deployed 2-factor authentication.
  • Established password vaults and required the use of more complex passwords.
  • Thoroughly reviewed and revised its process on how to determine which employees and contractors would have access to consumer data.

With the exception of the first two points, the measures Target has taken since its 2013 data breach are considered best practices, which means that if your business doesn’t have these security measures in place, you shouldn’t wait any longer. And, with regard to EMV technology, most businesses were expected to install and activate the new technology before Oct. 1, 2015 to avoid liability for losses resulting from fraudulent transactions.

A Moving Target

As long as there are fraudsters willing to pay for stolen names, addresses, credit card numbers and expiration dates, phone numbers, email addresses, dates of birth, Social Security numbers, etc., there will be cyber criminals looking for a way to hack into your company’s system to gain access to your consumer data or intellectual property. But if you are really serious about keeping your data safe, there are additional measures you can take.

1. Reinforce Your Firewall

Firewalls should be securely configured and continuously monitored. There are many providers that perform 24-7 firewall monitoring services to protect your company from attacks and or to alert you to signs of a possible breach. Moreover, providers are also coupling these services with the use of whitelists or blacklists, which triggers an immediate response if a potential threat is identified. Another great reinforcement for companies with experienced IT staff, would be the implementation of SIEM (Security Information and Event Management) or IDS (Intrusion Detection System) software.

2. Take Your VIP List Seriously

Not everybody should have access to your company’s domain – especially outside groups, and you should take care to review your employee and vendor access accounts routinely. The 2013 Target breach was a result of a breach that was intended for one of Target’s vendors. But, once in, the hacker was able to work his way into the Target Vendor Portal and infiltrate the Target POS systems.

3. Don’t Take Your Passwords For Granted

While doing so, be sure to verify that these credentials, in particular, require complex passwords, a limit on the number of attempts allowed before automatically disabling the account, and that they are required to be changed regularly. (Believe it or not, the most common password continues to be “123456” – proving that we are still not learning from past mistakes.)

By: Joe Welker, CISA (New Philadelphia office)

Check out these articles for more data security best practices

Malware Threat Spreads To Smart Phones

Who Is That Email Really From?

Could Your Company Be Ransomware’s Next Victim?

Share Button

Can’t Collect Payments? New Chip Technology Could Be Hurting Business’s Bottom Lines

Thursday, October 15th, 2015

EMV Technology Impacts Netflix’s Q3 Earnings

EMV Technology - Ohio CPA Firm

Netflix, known for offering award-winning shows like House of Cards and Orange is the New Black to users online recently reported a lack-luster third quarter performance. The company points to its inability to collect payments from users who have not yet updated their Netflix account information to reflect new payment card information they may have been issued as a result of the new EMV technology.

Since the United States made the switch to EMV (EuroPay, Mastercard and Visa) chip technology in October, some companies are beginning to report unexpected side effects – sluggish growth in the third quarter. A recent story from Patrick Kulp on Mashable, a global media company, reported that Netflix’s lack-luster third quarter earnings may be directly linked to the new technology.

Read Also: Will EMV Technology Change The Online Payment Option?

Why? Because, according to Kulp, “[many] Netflix users may not want to go through the hassle of updating their payment records, and some may even use the switch as an excuse to bail on the service. As a result, the company can’t collect their fees.” Now, as third quarter earnings continue to roll in, business analysts are beginning to speculate as to what this means for businesses hoping to finish the year on a high note.

Why Was EMV Implemented?

In September, I provided insight into the reasoning behind the new chip-based technology, which pointed to the increasing number of credit card breaches as the reasoning behind the change. Over the years millions of credit card numbers and associated data have been stolen, leaving the credit card industry on the hook for the fraudulent transactions. In an effort to transfer liability from payment card companies to individual businesses, while providing greater protection to users against credit card fraud, the PCI Security Council supported the addition of EMV chip technology to the existing PCI (Payment Card Industry) Security Requirements.

The ultimate goal of EMV is to stop and prevent further fraudulent activity. Success has already been noted in countries outside the U.S. “Currently, almost half of the world’s credit card fraud happens in the U.S. where magnetic stripe technology is the standard,” stated David Navetta and Susan Ross in a blog on Data Protection Report. “Outside the U.S., an estimated 40 percent of the world’s cards and 70 percent of the terminals already use the EMV technology. These countries are reporting significantly lower counterfeit fraud levels with EMV cards than with the magnetic stripe cards.”

Click here to read the full article

Unintended Outcomes

Businesses have rushed to accommodate the transition to avoid liability for any losses that result from fraudulent transactions. From installing devices that read the new chips, to training employees to address any questions and concerns that may come up during the payment process. Unfortunately, in order to bring the American public up to speed, payment card insurers are issuing new chip-enabled cards to card holders and, in many cases, users are being issued new card numbers as well.

Companies such as Netflix are beginning to feel the pinch as they are realizing that their customers are in no hurry to update their card numbers in their accounts, which means the company can’t collect subscription payments.

“Our over-forecast in the US for Q3 was due to slightly higher-than-expected involuntary churn (inability to collect), which we believe was driven in part by the ongoing transition to chip-based credit and debit cards,” the company said in its earnings release.

Is Your Business Witnessing Unexpected Consequences?

Third-quarter earnings are just beginning to be reported, which means we are unable to adequately identify how widespread this particular issue is.

So, we want to hear from you. Since the EMV chip technology went into effect on Oct. 1, what has your experience been? Have you had trouble collecting renewal payments from your customers? Comment below or send us a quick email.

If you have a specific question about EMV technology or another business challenge, you can always let us know by filling out the brief form at the top, right side of this page. And don’t forget to subscribe to Dear Drebit to get great business tips and advice delivered directly to your inbox!

By Joe Welker, CISA (New Philadelphia office)  

Are you looking for more ways to prevent fraud from taking control of your business? Check out these articles:

Who Is That Email Really From?

Malware Threat Spreads To Smart Phones

Businesses Beware: Sloppy Data Security Could Cost You

Share Button

Will EMV Technology Change The Online Payment Option?

Monday, September 21st, 2015
Online Payment Option -Ohio CPA Firm

Does a company that doesn’t physically swipe credit cards have to worry about increased liability when the new EMV rules are implemented in October?

Dear Drebit: Does a company that doesn’t physically swipe credit cards have to worry about increased liability when the new EMV rules are implemented in October? Sincerely, Online Payments Only

Dear Online Payments: As you may already know, I recently wrote an article to inform merchants about the Oct. 1 deadline to implement Credit Card EMV (EuroPay, MasterCard and Visa) technology. When this change takes effect, the liability for fraudulent transactions will no longer be assumed by the credit card issuing institution. Instead, if you continue to use the credit card’s magnetic stripe to process payments, your business will assume liability for any resulting fraud. For most businesses – especially smaller businesses – a single instance of fraud could be crippling.

EMV technology essentially swaps out the magnetic stripe used on credit cards today for an embedded chip. The chip scrambles sensitive cardholder data at the point of sale, which makes it increasingly difficult to fraudulently access and replicate consumer data.

Click here to read the full article.

But what changes lie ahead for businesses that utilize online payment methods and don’t require customers to physically swipe their credit card to pay for a product or service? Do they need to be concerned about this liability switch on Oct. 1 too?

EMV Concerns For Online Merchants

Your third-party processor (such as PayPal), is responsible for ensuring that the payment is authentic. These companies validate payments using a variety of methods.

Natalie Gagliordi, a blogger with Small Business Matters, writes that “for most online merchants, whatever payment processing technology they are using will likely contain out-of-the-box security and authentication protocols.” PayPal, for example, “has developed complex end-to-end encryption to help protect consumers and merchants with their payment information.”

But just because your business doesn’t bare the sole responsibility for keeping your customers’ credit card data safe, doesn’t mean you have nothing to worry about – quite the contrary. Some experts expect credit card fraudsters to pay more attention on hacking online consumer data. This means, for your customers’ sake, you must continue to be informed of online security best practices and should not only be knowledgeable about what your third-party payment processor is doing to keep credit card data safe, but what your third-party payment processor requires of you to maintain your compliance. This could include maintaining current antivirus protection, a secure firewall and other online safety protocols.

The EMV Migration Forum’s Card-Not-Present Working Committee recently published an informative whitepaper to address the growing threat of Card-Not-Present Fraud. This resource will give online merchants a little more insight into the numerous options currently available to help authenticate online payments.

In the meantime, if you have additional questions or concerns, contact your third-party payment processor immediately. Requirement 12.9 of the Payment Card Industry Data Security Standard v3.0 states that they must provide you with – in writing – the details of its role in providing PCI compliancy, as well as any requirements of your organization. Click here to learn more.

How Can Drebit Help You?

Readers, do you have questions about data security, fraud, accounting, succession planning and other general business topics, but don’t really know who to ask? Let Drebit help find the answer! Simply fill out the brief form at the top, right side of this page. You can also click here to reach out to one of fraud experts directly. If you like the advice we offer, why not click here to subscribe to Dear Drebit and get notified of new articles and updates the minute they are posted?

By Joe Welker, CISA (New Philadelphia office)  

Share Button

Fraudulent Credit Card Transactions Will Become Merchant’s Problem On Oct. 1

Wednesday, September 9th, 2015
Credit Card Fraud Prevention - Ohio CPA Firm.

As of Oct. 1, 2015, the liability for fraudulent transactions will no longer be assumed by the credit card issuing institution. Instead, if you (the merchant) fail to adopt EMV technology, your business will be responsible for any loss that results from a fraudulent transaction.

PCI to EMV – Protecting Credit Card Data

Your customers want their payment experience to be as easy and painless as possible, which is why you have come to depend on the ability to process credit card payments – especially if your average transaction is more than $20. But providing your consumers with the ability to pay with plastic has also been helpful to fraudsters looking to steal the information hidden within their card’s magnetic stripe. In an effort to crack down on fraudulent transactions, protect consumers and transfer liability from the credit card company to your business, the United States will begin to implement Credit Card EMV (EuroPay, MasterCard and Visa) technology.

Read Also: Businesses Beware: Sloppy Data Security Could Cost You

Change Is Necessary

Due to the increasing number of credit card breaches where millions of credit card numbers and associated data have been stolen, the industry has forced retailers and merchants to adhere to PCI (Payment Card Industry) Security Requirements. Supported by the PCI Security Council, the ultimate goal of EMV is to stop and prevent further fraudulent activity. Success has already been noted in countries outside the U.S. “Currently, almost half of the world’s credit card fraud happens in the U.S. where magnetic stripe technology is the standard,” states David Navetta and Susan Ross in a blog on Data Protection Report. “Outside the U.S., an estimated 40 percent of the world’s cards and 70 percent of the terminals already use the EMV technology. These countries are reporting significantly lower counterfeit fraud levels with EMV cards than with the magnetic stripe cards.”

Understanding EMV Technology

Credit Card EMV technology, which has been used in Europe since the early 1990s, replaces the magnetic stripe we have grown accustomed to with an embedded chip that, scrambles sensitive cardholder data at the point of sale terminal. This technology ultimately makes it more difficult to access and replicate consumer data in an attempt to commit fraud.

Businesses Can’t Afford Not To Comply

Why should you be concerned about the credit card industry’s switch-over to EMV technology? As of Oct. 1, 2015, the liability for fraudulent transactions will no longer be assumed by the credit card issuing institution. Instead, if you (the merchant) fail to adopt EMV technology, your business will be responsible for any loss that results from a fraudulent transaction. If your business currently accepts credit cards as a form of payment (and you would like to continue this practice), unless you want to be hit with potentially devastating losses, you must make sure to install and activate the new technology before the Oct. 1 deadline. That being said, some types of businesses will have a little more time to comply. If you aren’t quite sure whether or not your business is exempt, visit the website of each payment brand you accept to learn more.

Next Steps

  1. If you have not investigated or planned for EMV Technology, contact your card processor immediately to determine your business’s specific needs.
  2. Implementing EMV technology can be a cumbersome and time consuming project, but the best way to protect yourself from fraud and liability is to implement the new technology as soon as possible.
  3. If EMV technology has been implemented be sure to confirm that the chip reading capability has been enabled. In addition, confirm with issuers that cryptographic values are being associated with the card number to ensure that the EMV technology has been setup and configured properly.  Verifying that cryptographic values are being assigned will eliminate the chance of misconfiguration and possible fraudulent activity.
  4. Train your staff on the new procedures. When a customer tries to pay for a product or service using their card, they will notice some changes, such as their credit card being held in the EMV reading slot throughout the entire transaction process. This is normal, however your staff should be prepared to answer the questions that will certainly arise.

By Joe Welker, CISA (New Philadelphia office)

Want to learn more ways you can protect your business and your customers from a fraudster? Check out these articles:

Could Your Company Be Ransomware’s Next Victim? Don’t Turn A Blind Eye To PCI Compliance How Much Is Your Data Worth To Criminals?

Share Button