Posts Tagged ‘PCI Security Standards’

Can’t Collect Payments? New Chip Technology Could Be Hurting Business’s Bottom Lines

Thursday, October 15th, 2015

EMV Technology Impacts Netflix’s Q3 Earnings


Netflix, known for offering award-winning shows like House of Cards and Orange is the New Black to users online, recently reported a lackluster third quarter performance. The company points to its inability to collect payments from users who have not yet updated their Netflix account information to reflect the new payment card details they may have been issued as a result of the new EMV technology.

Since the United States made the switch to EMV (EuroPay, Mastercard and Visa) chip technology in October, some companies are beginning to report an unexpected side effect: sluggish growth in the third quarter. A recent story by Patrick Kulp on Mashable, a global media company, reported that Netflix’s lackluster third quarter earnings may be directly linked to the new technology.

Read Also: Will EMV Technology Change The Online Payment Option?

Why? Because, according to Kulp, “[many] Netflix users may not want to go through the hassle of updating their payment records, and some may even use the switch as an excuse to bail on the service. As a result, the company can’t collect their fees.” Now, as third quarter earnings continue to roll in, business analysts are beginning to speculate as to what this means for businesses hoping to finish the year on a high note.

Why Was EMV Implemented?

In September, I provided insight into the reasoning behind the new chip-based technology, pointing to the increasing number of credit card breaches as the driver for the change. Over the years millions of credit card numbers and associated data have been stolen, leaving the credit card industry on the hook for the fraudulent transactions. In an effort to transfer liability from payment card companies to individual businesses, while providing greater protection to users against credit card fraud, the PCI Security Council supported the addition of EMV chip technology to the existing PCI (Payment Card Industry) Security Requirements.

The ultimate goal of EMV is to stop and prevent further fraudulent activity. Success has already been noted in countries outside the U.S. “Currently, almost half of the world’s credit card fraud happens in the U.S. where magnetic stripe technology is the standard,” stated David Navetta and Susan Ross in a blog on Data Protection Report. “Outside the U.S., an estimated 40 percent of the world’s cards and 70 percent of the terminals already use the EMV technology. These countries are reporting significantly lower counterfeit fraud levels with EMV cards than with the magnetic stripe cards.”

Click here to read the full article

Unintended Outcomes

Businesses have rushed to accommodate the transition to avoid liability for any losses that result from fraudulent transactions, from installing devices that read the new chips to training employees to address any questions and concerns that may come up during the payment process. Unfortunately, in order to bring the American public up to speed, payment card issuers are issuing new chip-enabled cards to cardholders and, in many cases, users are being issued new card numbers as well.

Companies such as Netflix are beginning to feel the pinch as they are realizing that their customers are in no hurry to update their card numbers in their accounts, which means the company can’t collect subscription payments.

“Our over-forecast in the US for Q3 was due to slightly higher-than-expected involuntary churn (inability to collect), which we believe was driven in part by the ongoing transition to chip-based credit and debit cards,” the company said in its earnings release.

Is Your Business Witnessing Unexpected Consequences?

Third-quarter earnings are just beginning to be reported, which means we are unable to adequately identify how widespread this particular issue is.

So, we want to hear from you. Since the EMV chip technology went into effect on Oct. 1, what has your experience been? Have you had trouble collecting renewal payments from your customers? Comment below or send us a quick email.

If you have a specific question about EMV technology or another business challenge, you can always let us know by filling out the brief form at the top, right side of this page. And don’t forget to subscribe to Dear Drebit to get great business tips and advice delivered directly to your inbox!

By Joe Welker, CISA (New Philadelphia office)  

Are you looking for more ways to prevent fraud from taking control of your business? Check out these articles:

Who Is That Email Really From?

Malware Threat Spreads To Smart Phones

Businesses Beware: Sloppy Data Security Could Cost You


Will EMV Technology Change The Online Payment Option?

Monday, September 21st, 2015


Dear Drebit: Does a company that doesn’t physically swipe credit cards have to worry about increased liability when the new EMV rules are implemented in October? Sincerely, Online Payments Only

Dear Online Payments: As you may already know, I recently wrote an article to inform merchants about the Oct. 1 deadline to implement Credit Card EMV (EuroPay, MasterCard and Visa) technology. When this change takes effect, the liability for fraudulent transactions will no longer be assumed by the credit card issuing institution. Instead, if you continue to use the credit card’s magnetic stripe to process payments, your business will assume liability for any resulting fraud. For most businesses – especially smaller businesses – a single instance of fraud could be crippling.

EMV technology essentially swaps out the magnetic stripe used on credit cards today for an embedded chip. The chip scrambles sensitive cardholder data at the point of sale, which makes it increasingly difficult to fraudulently access and replicate consumer data.

Click here to read the full article.

But what changes lie ahead for businesses that utilize online payment methods and don’t require customers to physically swipe their credit card to pay for a product or service? Do they need to be concerned about this liability switch on Oct. 1 too?

EMV Concerns For Online Merchants

Your third-party processor (such as PayPal) is responsible for ensuring that the payment is authentic. These companies validate payments using a variety of methods.

Natalie Gagliordi, a blogger with Small Business Matters, writes that “for most online merchants, whatever payment processing technology they are using will likely contain out-of-the-box security and authentication protocols.” PayPal, for example, “has developed complex end-to-end encryption to help protect consumers and merchants with their payment information.”

But just because your business doesn’t bear the sole responsibility for keeping your customers’ credit card data safe doesn’t mean you have nothing to worry about – quite the contrary. Some experts expect credit card fraudsters to pay more attention to hacking online consumer data. This means, for your customers’ sake, you must continue to be informed of online security best practices. You should not only be knowledgeable about what your third-party payment processor is doing to keep credit card data safe, but also about what your third-party payment processor requires of you to maintain your compliance. This could include maintaining current antivirus protection, a secure firewall and other online safety protocols.

The EMV Migration Forum’s Card-Not-Present Working Committee recently published an informative whitepaper to address the growing threat of Card-Not-Present Fraud. This resource will give online merchants a little more insight into the numerous options currently available to help authenticate online payments.

In the meantime, if you have additional questions or concerns, contact your third-party payment processor immediately. Requirement 12.9 of the Payment Card Industry Data Security Standard v3.0 states that the processor must provide you – in writing – with the details of its role in maintaining PCI compliance, as well as any requirements placed on your organization. Click here to learn more.

How Can Drebit Help You?

Readers, do you have questions about data security, fraud, accounting, succession planning and other general business topics, but don’t really know who to ask? Let Drebit help find the answer! Simply fill out the brief form at the top, right side of this page. You can also click here to reach out to one of our fraud experts directly. If you like the advice we offer, why not click here to subscribe to Dear Drebit and get notified of new articles and updates the minute they are posted?

By Joe Welker, CISA (New Philadelphia office)  


Don’t Turn A Blind Eye To PCI Compliance

Thursday, July 2nd, 2015


You probably don’t have a lot of spare time on your hands between managing your business and employees and ensuring your clients’ needs are being met, so the last thing you might be concerned about is adhering to Payment Card Industry (PCI) Data Security compliance standards. But hold up. If your business (or any of your vendors) deals with client cardholder data or stores this information anywhere in your business’s IT systems, PCI standards are not something to ignore. It could be the difference between your business surviving and thriving or going down the drain.

PCI Data Security Best Practices

In November 2013, the Payment Card Industry (PCI) Data Security Standard version 3 was released. There were five requirements defined as “best practices.” And as of June 30, 2015, these requirements are mandatory and may affect your organization.

The Payment Card Industry (PCI) Data Security Standard v3.0 data sheet describes the need for compliance as: “All applications that store, process, or transmit cardholder data are in scope for an entity’s PCI DSS assessment, including applications that have been validated to PA-DSS.”

The two requirements that could most affect your organization are Requirements 12.9 and 9.9.

  • Requirement 12.9 – Additional requirements for service providers: Service providers acknowledge in writing to customers that they are responsible for the security of cardholder data the service provider possesses or otherwise stores, processes, or transmits on behalf of the customer, or to the extent that they could impact the security of the customer’s cardholder data environment.
  • Requirement 9.9 – Protect devices that capture payment card data via direct physical interaction with the card from tampering and substitution.

So what exactly do these requirements mean for you (and your vendor)? In essence, Requirement 12.9 requires third parties to provide, in writing, the details of their role in maintaining PCI compliance, as well as any requirements placed on your organization. Requirement 12.9 is relevant to Requirement 9.9 as it relates to devices used to scan or input credit card information: the vendor’s compliance requirements could oblige your organization to adhere to Requirement 9.9 by protecting and monitoring the devices it uses to scan or input credit card information. And because it’s ultimately the responsibility of your organization to protect client credit card information, it is important that your business obtain the PCI requirements of any vendors you work with and adhere to them. It is always best practice to document in detail when testing for PCI or communicating with your vendor.

Remaining Three Best Practice PCI Compliance Requirements

The other three PCI compliance “best practice” requirements are listed below. These may or may not be items to be addressed by your organization depending on your current PCI classification. It’s best to review and determine if your entity needs to add to your current PCI testing procedures.

  • Requirement 6.5.10 – Broken authentication and session management. Secure authentication and session management prevents unauthorized individuals from compromising legitimate account credentials, keys, or session tokens that would otherwise enable the intruder to assume the identity of an authorized user.
  • Requirement 8.5.1 – Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
  • Requirement 11.3 – Implement a methodology for penetration testing. See p. 93 of the Payment Card Industry (PCI) Data Security Standard v3.0 data sheet (and Requirement 6.5 on p. 55) for details.
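Requirement 6.5.10 names the defect class but not the controls behind it. The following is an added example (not code from the article or from any vendor it mentions) of the server-side session handling that addresses it: session tokens drawn from the operating system’s CSPRNG, an idle timeout and an absolute lifetime, token rotation after login or a privilege change, and explicit revocation. The timeout values and the `SessionStore` class name are this example’s assumptions, not values from the standard.

```python
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Policy values assumed for this example; the standard does not prescribe them.
IDLE_TIMEOUT_SECONDS = 15 * 60       # session dies after 15 minutes without activity
ABSOLUTE_LIFETIME_SECONDS = 8 * 3600 # ...and after 8 hours regardless of activity
TOKEN_BYTES = 32                     # 256 bits of randomness per token


@dataclass
class Session:
    user_id: str
    created_at: float
    last_seen: float


class SessionStore:
    """Server-side session store.

    The token handed to the browser is an opaque random string; everything about
    the user lives in this store, so a token leaks nothing and cannot be forged.
    The clock is injectable so expiry behaviour can be exercised in tests.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._sessions: Dict[str, Session] = {}
        self._clock = clock

    def create(self, user_id: str) -> str:
        """Start a new session after a successful login and return its token."""
        now = self._clock()
        token = secrets.token_urlsafe(TOKEN_BYTES)   # CSPRNG, not random.random()
        self._sessions[token] = Session(user_id, now, now)
        return token

    def validate(self, token: str) -> Optional[str]:
        """Return the user id for a live session, or None.

        Expired sessions are deleted on the spot so a stale token cannot be
        revived later. A 256-bit random token makes dictionary lookup safe here:
        guessing a valid token is infeasible, so timing of the miss path is moot.
        """
        session = self._sessions.get(token)
        if session is None:
            return None
        now = self._clock()
        idle_expired = now - session.last_seen > IDLE_TIMEOUT_SECONDS
        absolute_expired = now - session.created_at > ABSOLUTE_LIFETIME_SECONDS
        if idle_expired or absolute_expired:
            del self._sessions[token]
            return None
        session.last_seen = now
        return session.user_id

    def rotate(self, token: str) -> Optional[str]:
        """Issue a fresh token for a live session (call after login or privilege
        change so a token captured beforehand is worthless). The original
        created_at is kept, so rotation never extends the absolute lifetime."""
        if self.validate(token) is None:
            return None
        session = self._sessions.pop(token)
        new_token = secrets.token_urlsafe(TOKEN_BYTES)
        self._sessions[new_token] = session
        return new_token

    def revoke(self, token: str) -> None:
        """Logout: remove the server-side record so the token is dead immediately."""
        self._sessions.pop(token, None)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("demo-user")
    print("valid:", store.validate(tok) == "demo-user")
    store.revoke(tok)
    print("after logout:", store.validate(tok))
```

The two timeouts are what distinguish this from a store that merely uses random tokens: the idle timeout limits how long an abandoned browser stays logged in, and the absolute lifetime bounds the exposure of a token that was captured but is still being exercised by the attacker.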

The End of Outdated Secure Sockets Layer Encryption Protocol

Finally, in April 2015 the PCI Security Standards Council published a new version of the Payment Card Data Security Standard that calls for ending the use of the outdated Secure Sockets Layer (SSL) encryption protocol. The new standard requires that the use of SSL be discontinued and replaced by the use of the more secure Transport Layer Security (TLS) protocol. The deadline for this change has been set at June 2016.
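The paragraph states the requirement (drop SSL, use TLS) without showing how a server is configured to meet it or how to tell whether existing connections already violate it. The following is an added example, not code from the article or from the PCI Security Standards Council: it builds a Python `ssl.SSLContext` that refuses anything older than TLS 1.2, and it scans constructed connection-log lines for negotiated protocol versions that fall below that floor. The TLS 1.2 minimum is this example’s assumption (the article only requires that SSL be replaced by TLS), as are the log line format and the sample lines, which are made up for the example.

```python
import re
import ssl
from typing import Iterable, List, Optional, Tuple

# Floor assumed for this example. The article requires SSL -> TLS; 1.2 is the
# common current choice because it also retires TLS 1.0/1.1.
MINIMUM_TLS = ssl.TLSVersion.TLSv1_2

# Constructed sample log lines (not real traffic). Protocol names are spelled the
# way Python's SSLSocket.version() reports them.
SAMPLE_LOG = [
    "2015-07-02T10:15:01Z client=203.0.113.7 proto=SSLv3 cipher=AES128-SHA",
    "2015-07-02T10:15:02Z client=203.0.113.8 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256",
    "2015-07-02T10:15:03Z client=203.0.113.9 proto=TLSv1 cipher=AES256-SHA",
    "2015-07-02T10:15:04Z client=203.0.113.10 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384",
]

_PROTO_RE = re.compile(r"\bproto=(\S+)")


def version_tuple(name: str) -> Optional[Tuple[int, int]]:
    """Map a protocol name to (major, minor): 'TLSv1' -> (1, 0), 'TLSv1.2' -> (1, 2).
    Any SSL name (or unknown string) returns None so it is never treated as TLS."""
    if not name.startswith("TLSv"):
        return None
    parts = name[len("TLSv"):].split(".")
    try:
        major = int(parts[0])
        minor = int(parts[1]) if len(parts) > 1 else 0
    except ValueError:
        return None
    return (major, minor)


def is_acceptable(name: str) -> bool:
    """True only for TLS at or above the assumed floor (TLS 1.2)."""
    v = version_tuple(name)
    return v is not None and v >= (1, 2)


def noncompliant_connections(log_lines: Iterable[str]) -> List[str]:
    """Return the log lines whose negotiated protocol is SSL or early TLS.
    Lines without a parseable proto= field are reported too: an unknown
    protocol is not evidence of compliance."""
    flagged = []
    for line in log_lines:
        m = _PROTO_RE.search(line)
        if m is None or not is_acceptable(m.group(1)):
            flagged.append(line)
    return flagged


def build_hardened_server_context() -> ssl.SSLContext:
    """Server context that will not negotiate SSLv2/SSLv3 or TLS below 1.2.
    Setting minimum_version is the supported way to do this in Python 3.7+;
    the deprecated OP_NO_SSLv3-style flags are not needed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = MINIMUM_TLS
    # A real deployment would also call ctx.load_cert_chain(certfile, keyfile).
    return ctx


def context_rejects_ssl(ctx: ssl.SSLContext) -> bool:
    """True when the context's floor is at least TLS 1.0, i.e. no SSL version
    can be negotiated. An unset floor (MINIMUM_SUPPORTED) is reported as False,
    since it defers to whatever the linked OpenSSL still permits."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1


if __name__ == "__main__":
    for line in noncompliant_connections(SAMPLE_LOG):
        print("NONCOMPLIANT:", line)
    print("hardened context rejects SSL:", context_rejects_ssl(build_hardened_server_context()))
```

Run against a real connection log, the scan shows which clients would break on the cut-over date; run before the cut-over, the context check confirms the server side is already where the standard wants it.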

Remember, although you may employ a vendor to process credit card payments, it is still your client’s data and the ultimate need to protect that data is assumed by you.

We hear of new breaches daily, so it’s in the best interest of your organization to know its responsibilities for PCI compliance. Don’t assume that all the responsibility is on a third-party vendor, because it is all of our responsibility to maintain security and keep the integrity of our data intact.

By Joe Welker, CISA (New Philadelphia office)


Related Articles

Do You Know Who Has Access To Your IT Network?

How Can I Protect My Business From A Data Security Breach?

How Much Is Your Data Worth To Criminals?


How Can I Protect My Business From A Data Security Breach?

Thursday, December 19th, 2013

We live in an ever-increasing digital world. And with that comes risk – and lots of it. The number of stolen debit/credit card numbers continues to grow every day. Today’s news story about how nearly 40 million Target customers had debit or credit card information stolen is the most recent example of the kind of risky, digital world we live in.
