Tag Archives: global payments


5 Essential Features You Need In A Global Payment Processor

Did you start an online business in the past year? Good for you! With the rise of the pandemic, millions of people worldwide have become self-employed entrepreneurs by starting their businesses online. Many people have been able to sell things that would’ve been too niche to make returns before, like specialized jewelry, art prints, and even pottery art! 

All these developments have been fantastic, but if you’re an online business owner yourself, you know how hard it can be to expand. Sometimes you can feel stuck in a rut, especially when you’re constantly getting comments from people on social media telling you that they wished they could support you but live overseas, or they don’t use your same currency!

Don’t worry; we are here to help! Online businesses can significantly benefit by adding a global payment processor to their websites since it allows them to expand their customer base worldwide.

Do you want to learn how? Well, here are five essential features you need to take into account if you want to start using a global payment processor.

  1. Speak The Language (Literally)

The tricky thing about international e-commerce is something that you’ve probably already guessed: language barriers. While English is spoken at least as a second language worldwide, some people have difficulty understanding it, especially when it’s not their native language. This type of confusion can increase tenfold when dealing with an online purchase since they don’t want to lose money by accidentally buying something they don’t want.

As you can see, language detection and conversion is a crucial feature you have to look for when shopping for a global payment processor. The numbers can back this up as well. A survey conducted recently on consumers from ten different non-English speaking nations said that 73% of them prefer to buy things from websites written in their native tongue, and more than half of them would never buy from only English-speaking websites. 

Therefore, if you want to engage these customers, you have to learn to speak their language!… literally. 

  2. Not All Currencies Are Made Equal

If you didn’t have the pleasure of being born in a third-world country, then you probably don’t know the stress of having to try to memorize how to do decimal conversions in your head. 

It’s true! Many currencies represent a fraction of a dollar; therefore, when people living abroad see the final cost in dollars, they tend to get scared or confused because they can’t make the conversion in their heads. According to another study, 17% of customers claim they abandoned shopping carts because they could not calculate the final cost.

It is essential that any global processor that you get converts both the language and the currency of the user as quickly and accurately as possible. That way, international customers will feel more relaxed when shopping at your online store, which means more revenue for you.

  3. Let Them Pay How They’re Used To

Support for international payment methods is an essential part of any global payment processor. Big card brands are a thing of the past. Nowadays, most consumers (especially international ones) prefer paying with cash vouchers, e-wallets, and bank transfers. E-wallets are especially important since tons of people, mainly internationally, use them for everyday purchases. 

The same survey we mentioned before found that 7% of customers abandon their carts at checkout because they can’t use the payment method they usually do. This is why adopting a more comprehensive range of payment methods is essential to growing your business. 

  4. Work With Banks Worldwide

It may surprise you but working with banks worldwide helps reduce false positives and declines from international transactions. It means fewer angry customer emails for you to read and more glowing customer reviews to fill your inbox.

Working with international banks is essential for any online business to grow since it helps them work with an online market. It is also a significant step in growing as a brand. Many people who live in countries abroad use bank transactions to pay for everything since it’s easy and convenient. In other words, working with offshore banks offers you the opportunity to make payment of goods faster and more effective than ever before.

It also helps to improve your image since working with world-renowned banks makes international customers see you as a trustworthy source. Many people who live abroad are afraid of getting scammed online, so seeing that you work with a bank they’ve known for years dramatically increases their confidence in you! Not to mention, it increases the chances of raising the number of purchases. 

Another survey found that 17% of people abandon their online carts because they don’t trust the website to handle their personal information safely, and they’re probably right to be wary. Nowadays, there are plenty of online scams, and giving all your information to an unfamiliar business can be risky. 

Introducing renowned banks will also help increase customer satisfaction, since many cards tend to be rejected at the time of purchase when a merchant does not work with international banks. So, if you want to increase your revenue, a global payment processor that can link you to foreign banks is the way to go.

  5. Protect Yourself Against Fraud

Alright, we’ve talked plenty about customers and how to satisfy their needs, but let’s talk about you for a second. While international trade can be a new and exciting way to grow your business, it can also leave you vulnerable and exposed to international hackers. So, how can you protect yourself against this new enemy? The best way to do that is to find a global processor with global network-based fraud protection built in. This will protect you from foreign hackers while keeping your customers safe, too!

Conclusion

Owning an online business can be exhilarating, heartbreaking, and rewarding all at the same time. You have independence and many benefits when you are your own boss, but that freedom comes with responsibility. So, be conscientious by finding a suitable global payment processor and help your business grow!

Global Payments, TSYS Complete Merger

In a $21.5 billion all-stock deal, Global Payments Inc., a global provider of payment processing technology and software solutions, merged with TSYS (Total System Services) to form a pure-play payments company using the name Global Payments, the largest merger of payment technology companies to date. Working with 1,300 financial institutions and 3.5 million merchant locations in more than 100 countries, facilitating credit card processing for more than 600 million cardholders, the merger positions the company to be a leader in owned software, integrated payments, and omnichannel solutions.

TSYS can leverage Global Payments’ 32-country global reach to access the global markets during a time when e-commerce transnational transactions are on the rise. By focusing on merchant services and payments-related business, the merged company hopes to differentiate itself from the other fintech mergers, according to TSYS CEO Troy Woods. For example, the TSYS Netspend business offers reloadable payment products while the merged company will also engage in consumer solutions and merchant acquiring.

A pure-play payments technology firm, Global Payments’ headquarters is located in Atlanta, Georgia with more than 24,000 employees around the globe, serving countries in North America, Europe, Asia Pacific, and Latin America. Offering global solutions and advanced software, Global Payments offers a technology-enabled strategy to merchant services. 

Following the $35 billion FIS acquisition of Worldpay and Fiserv’s $22 billion acquisition of First Data, Global Payments’ acquisition of TSYS is another big fintech merger for 2019. TSYS shareholders will receive 0.8101 of Global Payments shares for each of their own. Global Payments investors will own 52 percent of the new company, leaving the remaining 48 percent to TSYS shareholders. Traded on the New York Stock Exchange (NYSE: GPN), Global Payments is a member of the S&P 500. Global Payments gained 1.0% in premarket trading.

TSYS holds a presence with smaller retail merchants, and Global Payments has a strong hold with restaurants with each providing point of sale (POS) solutions tailored to those industries. Combining TSYS’s strength as a U.S. payment provider with Global Payments’ strength as an international payment provider makes for a stronger whole. 

Jeff Sloan will serve as CEO of the merged Global Payments company, Cameron Bready as president and chief operating officer, Paul Todd as senior executive vice president and chief financial officer, and David Green will serve as the senior executive vice president, general counsel, and corporate secretary. Josh Whipple will serve as chief strategy and risk officer while Gaylon Jowers oversees issuer solutions, and Kelly Knutson oversees NetSpend. 

“We share a common value of putting people first and will leverage the best of our cultures to preserve and enhance our commitment to all of our stakeholders,” said Jeff Sloan in the press release announcing the merger.

Hacker

Hackers find new target: Marriott [2023 Update]

Holiday Inn, Marriott Hotels Suspected Targets of Data Breach

The Official Merchant Services Blog has breaking news regarding the ongoing series of credit card data breaches. On the heels of the major hack of discount retailer Target that stole credit and debit card data from 40 million accounts right smack dab in the middle of the holiday shopping season, there’s yet another target of hacker greed: Holiday Inn. Lodgers at Holiday Inns, Marriott and Renaissance hotels may have had their payment card details compromised for much of 2013, as revealed by a hotel management company on Monday.

White Lodging Services, a hotel management company, warned in a news release it suspects point-of-sale systems at restaurants and lounges on 14 of its properties were compromised between March 20, 2013 and Dec. 16, 2013. Guests who did not use their card at restaurants and lounges, as well as those who used their room account for purchases from those outlets, were not affected, the press release revealed.

The Merrillville, Indiana-based company said it manages hotels like Holiday Inn under agreement with hotel owners. The company is a separate entity from the specific hotel brands it operates. White Lodging Services said it has contacted federal law enforcement and initiated a forensic review of its properties. It runs more than 169 hotels in 21 U.S. states.


The Full List

The food and beverage outlets affected by the suspected breach were located at the following hotels:

  • Marriott Midway, Chicago, IL
  • Holiday Inn Midway, Chicago, IL
  • Holiday Inn Austin Northwest, Austin, TX
  • Sheraton Erie Bayfront, Erie, PA
  • Westin Austin at the Domain, Austin, TX
  • Marriott Boulder, Boulder, CO
  • Marriott Denver South, Denver, CO
  • Marriott Austin South, Austin, TX
  • Marriott Indianapolis Downtown, Indianapolis, IN
  • Marriott Richmond Downtown, Richmond, VA
  • Marriott Louisville Downtown, Louisville, KY
  • Renaissance Plantation, Plantation, FL
  • Renaissance Broomfield Flatiron, Broomfield, CO
  • Radisson Star Plaza, Merrillville, IN

 

White Lodging last week told the New York Times it was investigating a potential security breach, covered in a report from security writer Brian Krebs, the same Krebs who broke the news on the Target Data Breach as well as the Global Data Breach.

What Was Hacked?

The unlawfully accessed data may have included names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates. Guests who used or visited the affected businesses during the nine-month period and who used a credit or debit card to pay their bills at the outlets might have had such information compromised and are encouraged to review their statements from that time period.

One idea posited on how this happened is RAM scraping. Attackers are planting malicious software, known as “RAM scrapers,” on POS devices, which capture unencrypted card details after a customer has swiped a card, defeating other security measures in place intended to protect sensitive details. White Lodging said customers’ names as printed on credit or debit cards, the card numbers, the cards’ security code and expiration dates may have been unlawfully accessed.

What’s Next?

Financial institutions have reissued some payment cards and are monitoring other credit and debit cards for unauthorized activity, the company said. White Lodging is also arranging to offer one year of complimentary personal identity protection services to all affected cardholders.

The unfolding disclosures have drawn the attention of the U.S. Congress. The House Energy and Commerce Committee is scheduled on Wednesday to hear from senior executives from Target and Neiman Marcus along with the U.S. Secret Service about how data breaches can be prevented.

Host Merchant Service’s PCI Compliance Initiative

Looking at the threat of a data breach, Merchants must wonder what the solution can be. Is there protection available? PCI Compliance is a great foundation for transaction security. The standards and protocols set up by the PCI-DSS Council are the first step a merchant needs to take to protect their data. And Host Merchant Services offers a PCI Compliance Initiative that helps its merchants quickly and seamlessly take that step.

Also, one thing to consider if you are a merchant and you are worried about data breaches affecting your bottom line: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.

 

Credit Cards

Can Chip Cards Stop the Hax? [2023 Update]

The massive data breach at Target is a big shining beacon illuminating exactly how behind the times the United States remains when it comes to credit card security — namely EMV® chip technology.

EMV is a worldwide standard for credit and debit card payments based around the use of chip card technology. The acronym stands for Europay, MasterCard, and Visa, who collaborated to create the technology. The goal of this project was to create a card that worked based off of a microprocessor chip that is read by the payment terminal. Because the U.S. has yet to widely deploy embedded chip technology, the nation has increasingly become the focus of hackers seeking to steal such information. The stolen data can easily be turned into phony credit cards that are sold on black markets around the world.

In fact, KrebsOnSecurity, the website that broke the news of the Target hack, has reported that the card information stolen in the Target Data Breach has been showing up on the black market. Credit and debit card accounts stolen during the security breach have reportedly flooded underground black markets, going on sale in batches of one million cards. The cards are being sold from around $20 to more than $100 each.

Over the last decade, most countries have moved toward using credit cards that carry information on embeddable microchips rather than magnetic strips. The additional encryption on these aptly named smart cards has made the kind of brazen data thefts suffered by Target almost impossible to pull off in other countries. Which is why as of Q4 2012, there were roughly 1.62 billion EMV cards in consumers’ hands and 23.8 million terminals deployed throughout Europe, Asia, and Africa. About 80 countries have adopted the technology as a standard. By comparison, about 1% of credit cards issued in the U.S. contain such technology, making the United States a tasty target for hackers.

“The U.S. is one of the last markets to convert from the magnetic stripe,” Randy Vanderhoof, director of the EMV Migration Forum told the LA Times. “There’s fewer places in the world where that stolen data could be used. So the U.S. becomes more of a high-value target.”

The credit card industry reports the U.S. accounted for only 24 percent of global credit card payments by volume in 2012, but it accounted for 47 percent of the fraud.

So Why No Chips in the U.S.?

According to experts the reasons the U.S. lags so badly in adopting smart cards are complicated. In part, there hasn’t been the political will to demand that businesses and financial institutions make the change. One might think the Target data breach would spur politicians to action or at least get consumers to light a fire under those politicians. But the Target hack is just one in a growing list of data breaches, and the 40 million compromised cards are rather mundane.

In April of 2011, the Playstation Network was hacked, compromising the vital information of 77 million accounts, and 24.5 million Sony Online Entertainment accounts. This has been touted as one of the largest personal data heists recorded in history, and prompted Sony to shut down its services for a month. In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into its internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards.

If neither of those data breaches could spur on the adoption of EMV cards, it’s unlikely the Target hack will move the needle. The inertia built up against the smart cards then must be due to some other reason. Analysts also say the payment processing system in the U.S. is more complicated, with merchants, credit companies and banks reluctant to spend the big bucks it would take to convert a system with 1 billion credit cards to EMV from magnetic stripes. But that’s still too murky.

The primary reason such technology has taken so long to make its way into the U.S. is far more simple: Chip-embedded cards are more expensive to produce. Each merchant would have to purchase new equipment to handle them.

What the Future Holds …

The good news for consumers is that the U.S. is indeed moving to embrace smart credit cards. The Official Merchant Services Blog reported almost two years ago that the United States was moving slowly but surely toward adopting chip cards. Visa took the lead in the U.S. push, reporting that as of December 31, 2011, the credit giant had issued more than 1 million credit cards that use “chip” technology to store consumer payment information. Visa made an announcement in August 2011 that it planned to start issuing more EMV — Europay, Mastercard, Visa — smart cards to push the industry toward better security and an easier transition to mobile payments.

In the last couple of years major card issuers have laid out road maps for upgrading the card technology, and many have set out to achieve this by October 2015.

TransFirst, Host Merchant Services’ acquirer and one of the premier providers of transaction processing services and payment processing technologies in the U.S., issued a mandate in response to the EMV push. TransFirst said that Visa will require U.S. acquirer processors and sub-processor service providers to be able to support merchant acceptance of chip transactions no later than April 1, 2013. Visa also intends to institute a U.S. liability shift for domestic and cross-border counterfeit card-present point-of-sale transactions effective October 1, 2015, and for fuel-selling merchants by October 1, 2017.

October 2015 was chosen because at that point major credit card companies will change their rules about who is liable for fraudulent purchases caused by security breaches. Under the new rules, the entity in the payment chain — merchant, credit card, banks — deemed to have the weakest security will be liable. Credit card companies can’t make anyone adopt the technology, but they’re giving them a hard nudge.

The Bottom Line

While the Target Data Breach once again brings up the topic of credit card security, it seems like the U.S. is still poking along with its slow adoption of EMV chip cards. Hackers will still continue to target the low hanging fruit that the largely magnetic stripe based U.S. credit card industry still works with. But EMV chips and increased digital security of cardholder information is coming. October 2015 looms closer and closer.

The Future of PCI and Data Security

Today The Official Merchant Services Blog marks the triumphant return to the timely topic of PCI DSS and cardholder data security. This tantalizing topic has been touted time and again in the peerless pages of our payment processing chronicles.

Days of Future Past

The crafty criminals that defraud, hack and swipe courageous consumers for their cardholder data are a constant concern for the entire credit card processing and data security sector. The industry has to be ever vigilant in its commitment to curb the high tech criminal activities and keep that cardholder data safe.

Retailers need to be eagle-eyed when it comes to defending data and securing customer information. They also need to be prepared for disaster, with a protocol-based plan of action for the worst case scenario — the dreaded data breach. But none of these advance preparations will save a merchant from data breach dangers if the merchant is unaware of PCI DSS, what it all means and what the requirements for PCI Compliance are.

The misdirection and misinformation out there about the process of PCI Compliance has led to complacency among many merchants. Face front true believers, we’ve even expressed the fantastic facts and figures to support merchant apathy regarding PCI Compliance in previous published purveyances of PCI related blogs.

The media gloms onto the gargantuan headlines of something as garish as a Global Payments data breach and the searing spotlight of data security dazzles the masses with the terrifying tidbits of these capricious crimes. But the nature of the crime has the danger spreading to small business merchants more and more frequently in the past few years. In fact, in this article from Convenience Store Decisions, it is suggested that the heinous hackers and nefarious fraudsters are backing away from the big fish and targeting the smaller retailers with easier to breach defenses.

The CS Decisions scribe John Lofsock posits that one of the prime reasons for this shift can be pinpointed to an alteration in the criminals’ own dastardly demographics. Today’s hacker is becoming less the angst ridden, misunderstood teenager with whiz-bang keyboard and coding powers and turning into a far more treacherous group of villains. As the article puts it, “When hackers run up against businesses with sophisticated information technology and up-to-date security, they’ll turn to easier systems, including those of small non-profit agencies and family businesses.”

Datapocalypse Now

So what does a merchant do? The hale and hoary Host Merchant Services PCI Compliance pioneers readily suggest utilizing their very own PCI Compliance Initiative.  PCI Compliance is a fantastic foundation for top notch transaction security. The superlative standards and powerful protocols set up by the powers that be on the PCI-DSS Council are a forceful first step any enterprising merchant needs to take to protect their data. This is why helpful Host Merchant Services offers a power-packed PCI Compliance Initiative that gets merchants quickly and seamlessly up to speed.

Add to that amazing Initiative the second step that Merchants can take to shore up their security: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind. This program offers data breach insurance.

The article from CS Decisions quotes Trinette Huber, of Sinclair Oil Corp. in Salt Lake City as saying “as a merchant, I can go through all the steps to do this and do it in good faith, and yet if I have a breach — which is entirely possible — the PCI council will say I wasn’t literally compliant.”

This is where breach insurance comes into play true believers. The Data Breach Insurance that cutting edge and customer-oriented companies like Host Merchant Services offers can curb the pernicious penalties that merchants face when a breach occurs. As we’ve stated time and again here on The Official Merchant Services Blog, security only begins with PCI Compliance. It’s a never-ending battle for safety, justice and the power of payment processing. Merchant Services providers need to work in conjunction with merchants to stay out in front of any and all security issues. And even then, disaster can occur, so a solid data security plan will have backup protocols like data breach insurance.

The CS Decisions article also quotes Huber as saying that PCI “is asking thousands of merchants to do something (the credit card companies) should be doing themselves. They should be fixing the magnetic stripe (in credit/debit cards) so it’s not something that can be easily stolen, instead of asking merchants to fix (the security issues) for them.” 

That concern right there is why Visa has been pushing so hard for its EMV chip program with newer, more secure smartcards that have worked so well in Canada and Europe. Huber is noted in the article for describing the overbearing cost that the switch to EMV could entail for small business owners, as well as the fact that the EMV chips have been in place for decades and have already had data compromised before.

So if not EMV, Then What?

Will no canny crusader for competent credit card processing and dependable data transfer step up to take the challenge presented by the PCI DSS? John Lofsock, the audacious author of the article we’ve been analyzing, thinks that Point to Point Encryption (P2PE) might be the champion the industry needs. This tantalizing technology that is newer than EMV chips apparently ensures that credit card data is protected from the moment it is swiped all the way through to the nanosecond it arrives with the payment processor. This could curry favor with retailers because it completely eliminates the need for the retailer to secure cardholder data, as the retailer never has possession of said data.

The real boon, as noted by Lofsock, is that the P2PE method will make it much cheaper for merchants to be PCI Compliant by removing the need for merchants to deal with network segmentation and other costly and time-consuming parts of the compliance process like the audit.

It is noted that PCATS and PCI are preparing future standards that deal with P2PE so it is on their radar.

In the meantime, Host Merchant Services continues to offer the lowest PCI Compliance rates in the industry, as well as a vigorous PCI Compliance Initiative that seeks to inform and educate everyone interested as to the details of the process, step-by-step.

Global Data Breach: Update #3

For today’s installment of The Official Merchant Services Blog, we are bringing you the most recent developments of the now infamous Global Payments Data Breach.

Back in March

When we first reported the breach, it had supposedly affected 50,000 cardholders and revolved around a taxi and parking garage company in the New York City area.  Over a short time, media outlets hyped up the story until the alleged number of affected cardholders hit 10,000,000.  Global CEO Paul Garcia estimated that closer to 1.5 million card numbers were compromised. Garcia also said that the breach was “self-reported” and “absolutely contained.”

In a quick response to the breach, Visa decided to remove the Atlanta-based processor from its list of “compliant service providers.”  This meant for the first time, Global would no longer be Payment Card Industry (PCI) compliant, a major problem for one of the world’s largest payment processors.  However, more consequences were to come for Global.

Update # 2

In May we learned that the breach might have actually dated back to June of 2011, a full eight months earlier than previously predicted. Global stuck by its story that the breach only affected 1.5 million cards or less, and occurred in February 2012. The initial source of the breach story, however, Brian Krebs and his blog krebsonsecurity.com, revealed that “a hacker break-in at credit and debit card processor Global Payments Inc. dates back to at least early June 2011, Visa and MasterCard warned in updated alerts sent to card-issuing banks in the past week.” Krebs also found that Visa and MasterCard were sending periodic alerts to the banks about cards that may need to be re-issued following a security breach at a processor or merchant.

The 3rd time’s the charm

Global Payments executives estimated Thursday that the data breach revealed earlier this year could cost them upwards of $120 million to fix. A large part of that is an $84 million charge from the fourth quarter of fiscal year 2012 to cover fines and initial remediation costs from the payment card networks. Global CFO David Mangum said that the company also anticipates breach-related expenses and insurance payments in fiscal 2013 that could total $28 million or more. All the while, Global is working with a ‘Qualified Security Assessor’ in order to regain the PCI compliance certification they lost when the breach went public.

Tracking Track Data

Track data is the raw cardholder data contained in a magnetic strip in a credit or debit card. In late May, Global asserted that only Track 2 data had been lost in the breach, which contains account numbers and expiration dates. Track 1 data contains cardholder names, addresses and other crucial data. Global seemed to be insisting that this would lead to less fraud since the thieves could not produce counterfeit cards with the stolen data. Union Savings Bank, based in Danbury, Conn., was one of the banks alerted early by Visa and MasterCard about potential fraud. Visa alerted USB that about 1,000 of its debit accounts were compromised in the Global Payments breach. These details show how Track 2 data alone was enough for criminals to encode the card numbers and expiration dates onto any card equipped with a magnetic strip. These cards can then be used at any merchant accepting signature debit, that is, for any transactions that do not require the cardholder to enter a PIN number.
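The Track 1 / Track 2 distinction above, and the unencrypted swipe data that RAM scrapers go after in the hotel breach post, both come down to cleartext track data sitting somewhere it should not be. The following is an added example, not code from this blog or from any processor it names: a log scanner that finds plausible track data, reports only a masked card number, and redacts the rest. The track layouts follow the common ISO/IEC 7813 text format; the log lines, host name and test card number are constructed.

```python
"""Find and redact magnetic-stripe track data in text logs (added example)."""
import re

# Track 1, format B:  %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(
    r"%B(?P<pan>\d{13,19})\^(?P<name>[^^?]{2,26})\^(?P<exp>\d{4})\d{3}[^?]*\?"
)
# Track 2:            ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(?P<pan>\d{13,19})=(?P<exp>\d{4})\d{3}\d*\?")
PATTERNS = {1: TRACK1_RE, 2: TRACK2_RE}


def luhn_ok(pan: str) -> bool:
    """Luhn check digit test; filters out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible(m: re.Match) -> bool:
    """A match counts only if the PAN passes Luhn and the expiry month is 01-12."""
    return luhn_ok(m["pan"]) and 1 <= int(m["exp"][2:]) <= 12


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, the usual display truncation."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line: str) -> list:
    """Return one finding per plausible track string; never the full PAN."""
    findings = []
    for track, pattern in PATTERNS.items():
        for m in pattern.finditer(line):
            if plausible(m):
                findings.append({
                    "track": track,
                    "pan": mask_pan(m["pan"]),
                    "expiry_yymm": m["exp"],
                    # Only Track 1 carries the cardholder name field.
                    "has_name": "name" in m.groupdict(),
                })
    return findings


def redact_line(line: str) -> str:
    """Replace plausible track strings with a marker holding the masked PAN."""
    for track, pattern in PATTERNS.items():
        def repl(m, track=track):
            if not plausible(m):
                return m.group(0)   # leave look-alikes untouched
            return f"[TRACK{track} REDACTED pan={mask_pan(m['pan'])}]"
        line = pattern.sub(repl, line)
    return line


# Constructed sample log; 4111111111111111 is a widely used test number.
SAMPLE_LOG = [
    "2024-01-01 12:01:07 pos-03 DEBUG swipe raw=%B4111111111111111^DOE/JANE^15121010000000000?",
    "2024-01-01 12:01:07 pos-03 DEBUG swipe raw=;4111111111111111=15121010000000000?",
    "2024-01-01 12:01:09 pos-03 INFO auth ok card=411111******1111 amount=42.10",
    "2024-01-01 12:02:30 pos-03 DEBUG order ref=;1234567890123456=99991230000?",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        hits = scan_line(entry)
        if hits:
            print("FOUND", hits)
        print(redact_line(entry))
```

The Track 2 finding has no name field but still holds the account number and expiry, which is the point the Union Savings Bank details make.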


Global Reveals More About Data Breach [2023 Update]

Today The Official Merchant Services Blog is updating its coverage of the Global Payments Data Breach. The big bomb Global just dropped is that apparently there was a second data breach.

The story, initially broken by Ellen Messmer at Network World, stated that Global Payments itself revealed this latest news.

Data Breach II: Credit Card Boogaloo

From the Global Payments Website:  “The Company’s ongoing investigation recently revealed potential unauthorized access to servers containing personal information collected from a subset of merchant applicants.  It is unclear whether the intruders looked at or took any personal information from the Company’s systems; however, the Company will notify potentially-affected individuals in the coming days with helpful information and make available credit monitoring and identity protection insurance at no cost.  The notifications are unrelated to cardholder data and pertain to individuals associated with a subset of the Company’s U.S. merchant applicants.”

So What Was Compromised?

This second breach compromised the personal information of a subset of small merchants that applied to be clients of Global Payments — and the company stressed that this set of merchants was different from the ones exposed in the first breach. The exposed information includes the sort of personal information the Atlanta processor uses as part of its underwriting process. The company stressed that it does not have evidence that any fraudsters obtained or misused the merchant applicants’ information — but the servers that contained that information were possibly accessed by an unauthorized party. Last time we updated this story, we provided information from Brian Krebs about how information from the first data breach could have been used by fraudsters.

Something to keep in mind regarding Global’s claims that the second breach did not lead to fraud is that Global still maintains that the information that was compromised in its first breach was not involved in fraud — even after Krebs dug up examples of fraud happening to Global customers in his blog entry here.

Wait, What?

The author of the official updated statement released by Global — Jane Elliot from Investor Relations — added this caveat to the statement: “This announcement may contain certain forward-looking statements within the meaning of the ‘safe-harbor’ provisions of the Private Securities Litigation Reform Act of 1995.  Statements that are not historical facts, including management’s expectations regarding future events and developments, are forward-looking statements and are subject to significant risks and uncertainties.  Important factors that may cause actual events or results to differ materially from those anticipated by such forward-looking statements include the following: further results of the continuing investigation of the unauthorized access of our processing system, including the discovery of additional card data or information implicated in the incident; the effect of our remediation efforts on operations; the impact of fines or penalties from the card networks and state authorities on our results of operations; and other risks detailed in the company’s SEC filings, including the most recently filed Form 10-Q or Form 10-K, as applicable.  The company undertakes no obligation to revise any of these statements to reflect future circumstances or the occurrence of unanticipated events.”

That reads like a very wordy hedge against the way this story has evolved to date. To put it another way, much of what Global has already stated, including clinging to the claim that the breach is contained and the number of compromised cards was just 1.5 million, has already been contradicted by information revealed by Visa and MasterCard.

Visa and MasterCard issued new alerts on May 15 suggesting the breach dated back to January 2011 — an exposure window significantly longer than what was originally reported by Global when news of the breach surfaced in late March. Visa’s alerts in March, which Brian Krebs used to break the story, indicated the breach occurred sometime between Jan. 21, 2012, and Feb. 25, 2012. Global used those alerts to help underscore their assertion that the breach was small and contained. But on April 26, an updated advisory from Visa put the suspected intrusion date closer to June 7, 2011, setting the length of exposure for compromised cards back six months. And then Visa and MasterCard released information that pushed the date back an entire year from the initial alert, to January 30, 2011. This vaults the figure of compromised cards to 7 million — much higher than the 1.5 million “or less” suggested by Global in their official statement.

All this contradiction over the length and severity of the breach had been met with silence from Global Payments. They had offered no further comment other than to link to their website. But with this latest batch of statements, they’re now adding that very long caveat. And they apparently intend to clear matters up even further in June. The Company plans to provide additional information regarding the potential financial impact, the PCI compliance process and the status of the investigation not later than its July 26, 2012 year-end earnings call, according to Paul R. Garcia, chairman and CEO of Global Payments.

The Official Merchant Services Blog will be following this story as closely as ever now. It’s getting more complicated and convoluted. Hopefully that earnings call will clear the air a bit. But it still seems like the reporters digging into this, as well as Visa and MasterCard, have a very different set of facts than the ones Global is sharing with people.

Global Data Breach Update

Today The Official Merchant Services Blog is updating its coverage of the Global Payments Data Breach. The current update revolves around the expansion of the duration of the breach as well as the number of cards potentially affected. It has been a virtual roller coaster ride in terms of narrowing down a number for the cards that were compromised. When the news of this breach initially hit on Friday, March 30, there were reports that a mere 50,000 cards were compromised. Then at the height of the story’s initial frenzy it was reported that the number of compromised cards might be closer to 10 million. Attempting to quash that frenzy, payments processor Global Payments Inc. itself released a statement that the number was closer to 1.5 million cards. And now, after some relentless coverage and work by Brian Krebs — the blogger who first reported the breach — it appears the number is once again creeping back towards the 10 million mark.

“That’s No Moon” 

The size of the Breach keeps expanding after Global Payments initially made statements that downplayed both its size and its impact.

Global’s statements have all been very succinct, and the company says it reported the breach immediately when it found out about the breach. Global also stated that the breach is contained and only affected 1.5 million cards or less when it occurred in February 2012.

But Visa and MasterCard issued new alerts on May 15 that suggest the breach dates back to January 2011 — an exposure window significantly longer than what was originally reported when news of the breach surfaced in late March. Visa’s alerts in March, which Brian Krebs used to break the story, indicated the breach occurred sometime between Jan. 21, 2012, and Feb. 25, 2012. Global used those alerts to help underscore their assertion that the breach was small and contained. But on April 26, an updated advisory from Visa put the suspected intrusion date closer to June 7, 2011, setting the length of exposure for compromised cards back six months. And then Visa and MasterCard released information that pushed the date back an entire year from the initial alert, to January 30, 2011. This vaults the figure of compromised cards to 7 million — much higher than the 1.5 million “or less” suggested by Global in their official statement.

All this wiggling over the timeline and severity of the breach has been met with silence from Global Payments. They have offered no further comment other than to link to their website.

So About Those Compromised Cards …

And apparently the Breach may not have been contained, or at least not contained quickly enough to prevent fraud. Krebs says on his blog, krebsonsecurity.com, “Debit card accounts stolen in a recent hacker break-in at card processor Global Payments have been showing up in fraud incidents at retailers in Las Vegas and elsewhere, according to officials from one bank impacted by the fraud.”

This is a pretty big break in the ongoing story, as details of fraud have been danced around previously and Global has not released any statements other than their initial commentary that suggested the breach was not going to produce any meaningful fraud. Krebs says that in March of this year the Danbury, Conn.-based Union Savings Bank began seeing an unusual pattern of fraud on a dozen or so debit cards it had issued, noting that most of the cards had recently been used in the same cafe at a nearby private school. The bank noted that the school was a customer of Global Payments and so the bank contacted Visa to see if this was related to the breach.

According to Krebs, that’s when USB heard from Tony Higgins, then a fraud investigator at Vons, a grocery chain in Southern California and Nevada owned by Safeway Inc. Higgins contacted Doug Fuller, Union Savings Bank’s chief risk officer. And Krebs’s blog describes the way the fraud worked: “According to Fuller, Higgins said the fraudsters were coming to the stores to buy low-denomination Safeway branded prepaid cards, and then encoding debit card accounts issued by USB onto the magnetic stripe on the backs of the prepaid cards. The thieves then used those cards to purchase additional prepaid cards with much higher values, which were then used to buy electronics and other high-priced goods from other retailers.”

Krebs then goes on to report that the fraud described by Higgins matched the unauthorized activity seen stemming from accounts used at the private school cafeteria. Fuller said Visa alerted Union Savings Bank that about 1,000 of its debit accounts were compromised in the Global Payments breach — including the dozen or so card accounts that initially prompted USB to investigate. Krebs reports that USB officials say the bank has suffered approximately $75,000 in fraudulent charges, and that it has so far spent close to $10,000 reissuing customer cards.

Track 1 Not Needed

The details revealed by Krebs on the fraud perpetrated upon Union Savings Bank illustrate how the criminals can extract value from debit cards even if they only have some of the data associated with the accounts. This is important to understand because Global has stated that only Track 2 data was taken during the breach. Global maintained that cardholder names, addresses and other Track 1 data were not obtained by criminals in the breach. The indirect suggestion Global was making with that statement was that counterfeit cards could not be produced with the data obtained in their breach. However, the details of what happened to USB show how Track 2 data alone was enough for the criminals to encode the card number and expiration date onto any card equipped with a magnetic stripe. Those cards were then capable of being used at any merchant accepting signature debit — transactions that do not require the cardholder to enter a PIN.
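Because Track 2 by itself carries the card number and expiration date, merchants have good reason to make sure it never lingers in their own logs or files (PCI DSS prohibits storing full track data after authorization). The following is an added example, not part of the original post: a small Python scanner that flags and redacts Track 2 strings in log lines. The Track 2 layout follows ISO/IEC 7813; the function names, the sample log lines and the use of the common test number 4111111111111111 are assumptions made for illustration.

```python
import re

# Track 2 layout (ISO/IEC 7813): ';' start sentinel, PAN (up to 19 digits),
# '=' separator, YYMM expiry, 3-digit service code, discretionary data, '?' end.
TRACK2_RE = re.compile(
    r";(?P<pan>\d{12,19})=(?P<exp>\d{4})(?P<svc>\d{3})(?P<disc>\d*)\?"
)

# Constructed sample log lines (not real data). 4111111111111111 is a widely
# used test card number; the second line looks like Track 2 but fails Luhn.
SAMPLE_LOG = [
    "2012-03-01 10:02:11 POS42 swipe ok raw=;4111111111111111=15121010000000000000? amt=12.50",
    "2012-03-01 10:02:15 POS42 heartbeat seq=;1234567890123456=15120000? status=up",
    "2012-03-01 10:03:40 POS17 auth approved last4=1111 amt=4.25",
]


def luhn_ok(pan):
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def plausible(match):
    """Cut false positives: expiry month must be 01-12 and the PAN Luhn-valid."""
    month = int(match.group("exp")[2:])
    return 1 <= month <= 12 and luhn_ok(match.group("pan"))


def mask_pan(pan):
    """Keep first six and last four digits so the report itself holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line):
    """Return one finding per plausible Track 2 string in the line."""
    findings = []
    for m in TRACK2_RE.finditer(line):
        if plausible(m):
            findings.append({
                "pan_masked": mask_pan(m.group("pan")),
                "expiry_yymm": m.group("exp"),
                "service_code": m.group("svc"),
            })
    return findings


def redact(line):
    """Replace each plausible Track 2 string with a marker that keeps only last4."""
    def _sub(m):
        if not plausible(m):
            return m.group(0)
        return ";[TRACK2 REDACTED last4=%s]?" % m.group("pan")[-4:]
    return TRACK2_RE.sub(_sub, line)


def scan_log(lines):
    """Return (line_number, findings) for every line that contains Track 2 data."""
    report = []
    for number, line in enumerate(lines, 1):
        hits = scan_line(line)
        if hits:
            report.append((number, hits))
    return report


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG):
        for hit in hits:
            print("line %d: Track 2 data found: %s" % (number, hit))
    for line in SAMPLE_LOG:
        print(redact(line))
```
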

HMS Solutions

Looking at the threat of a data breach, Merchants must wonder what the solution can be. Is there protection available? PCI Compliance is a great foundation for transaction security. The standards and protocols set up by the PCI-DSS Council are the first step a merchant needs to take to protect their data. And Host Merchant Services offers a PCI Compliance Initiative that helps its merchants quickly and seamlessly take that step.

Also, one thing to consider if you are a merchant and you are worried about data breaches affecting your bottom line: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.

 

Data Breach Solutions

Today The Official Merchant Services Blog has a quick follow up to its ongoing coverage of the Global Payments Data Breach. The past two entries in our blog have taken a sweeping look at the big picture of data breaches and PCI DSS and how effective those security standards are. PCI Compliance is a topic very near and dear to Host Merchant Services because the company pushes an aggressive initiative among its customers to keep them PCI Compliant.

PCI Compliance: The Foundation of Security

Past studies from Verizon and Gartner Research have suggested that business owners slack on their security needs, especially in terms of PCI DSS compliance. The most oft suggested reason for this lax outlook on security has to do with PCI itself not having a lot of traction with those business owners. The merchants tend to think any security issues are the responsibility of the third party processor or the bank or the credit card companies; they don’t see a direct link to their business because of the simple fact that their terminal that swipes cards wasn’t theirs to begin with. Other issues include Merchants getting lost in the complexities of the PCI DSS website and its many forms that need to be filled out, and the recent change to PCI version 2.0 in October 2010 changing the structure of the system. Merchants get distracted by their day to day responsibilities of the business and gloss over the minutiae of PCI compliance.

Host Merchant Services understands these problems. Part of their service mantra is that the company designs payment processing solutions that let their merchants focus on running their company. The general theme is to make payment processing seamless and easy for the merchants. This includes transaction security and was the catalyst that fueled the company’s PCI Compliance Initiative.

But as we’ve seen with the Global Payments Data Breach, security needs to go beyond just PCI Compliance.

An Extra Layer of Protection

This article from The Data Center Journal suggests that better admin privileges could have helped stave off the Global Payments Data Breach completely. From the article: “Avecto says that the possibility that the breach was caused by a compromised administrative account that was insufficiently protected shows that governance is a central requirement of modern IT security.”

The article maintains that multiple layers of security can go a long way toward helping prevent future data breaches of this type. Paul Kenyon, chief operating officer with Avecto, said in the article that “Our observations on this breach suggest that minimizing administrative privileges—an exercise in the principle of least privilege—would have gone a long way to preventing the breach.” Another IT security analyst suggested to Kenyon that the privileged accounts that are reportedly at the heart of this breach need several layers of protection to properly insulate them from hackers.

Most articles looking at the aftermath of the data breach arrive at the consensus that security measures need to go beyond just PCI compliance. This article gives some very specific and clear advice on a step to take — a data breach solution.

Data Breach Penalties Stack Up

Yesterday’s blog also delved into the cost and fees companies face when they suffer a data breach.

And this article by Bank Info Security gives even more insight into the cost and impact of a data breach. It interviews Larry Ponemon, founder of the Ponemon Institute, which conducted this year’s Cost of a Data Breach study with sponsorship from Symantec. The study revealed that the average cost of a data breach has gone down this year, which makes sense when you consider that even with the Global Payments Data Breach in the news right now, the scale is a lot smaller than the scale of the Heartland Data Breach.

In fact, this article, also from Bank Info Security, gives a side by side comparison between the much bigger Heartland Data Breach and the Global Payments Data Breach.

But back to Ponemon’s interview and his company’s study: “According to the annual report, the average per capita cost of a data breach has declined from $214 per record to $194 since 2011’s report.”

Ponemon suggests two reasons for the decline in average costs.

  1. Complacency: “We think people in general may be becoming numb to the data breach notification process. Most people have received at least one data breach notice; they may not even be aware of it because they don’t open their mail. They may see it as junk mail.”
  2. Topical Shift, or rather the rise of intellectual property breaches, which are not a part of the annual study: “We focus on one type of data breach – the type of data breach [of personal records] that requires notification in the United States and then other parts of the world – but in reality there are other, maybe more costly, data breaches that companies are experiencing every day.”

 

HMS Data Breach Security Program

The hackers that go after credit card information are a creative group of criminals who are constantly pushing technology forward and tying security systems in knots. Many times a discussion about data breaches ends up with the conclusion that “it’s not if a data breach is going to happen, it’s when a data breach is going to happen.”

Host Merchant Services offers a key resource in preparing a business to tackle that issue: Its Data Breach Security Program. This program protects a business and a merchant can get up to $100,000 in coverage per location for the most common forms of data breach:

  • Employee Dishonesty
  • Skimming
  • Theft of Credit Card Receipts
  • Theft of POS Terminals
  • Stolen Card Numbers
  • Theft of Computers

 

The Data Breach Security Program helps cover fees for any industry-mandated audit of a suspected breach, card replacement costs and related expenses, and industry fines and assessments. All of these fees come from non-compliance with PCI DSS and are fees and issues that any company even suspected of a breach can face as we described yesterday in our blog. The coverage would exceed even the penalties that Cisero’s faces as we saw in the article about their lawsuit targeting the PCI itself.

How Does It Work?

Host Merchant Services makes it easy to file claims once you’ve gotten on board with the Data Breach Security Program. A simple online form starts the process:

  • Step 1: Fill out the online claim form at www.merchantdatabreach.com
  • Step 2: Upload or fax the notice from the acquiring bank, which stipulates that there has been a breach or a suspected breach at your location, and choose an authorized, qualified security assessor.
  • Step 3: When the forensic audit is complete, upload or fax a copy of the assessor’s report.
  • Step 4: HMS takes it from there. We process the claim for payment and if all documentation is in order you will receive a check for the expenses incurred from the audit and/or card replacement costs and/or fines incurred for a breach.

To recap

Data Breaches can and will occur. They are costly. The recent Global Payments Data Breach reminds us all how important transaction security is for all parties involved. Merchants need to understand how important PCI Compliance is for their business. And they also need to take more steps than just PCI Compliance. Host Merchant Services is committed to keeping its merchants safe and secure. The company takes the lead in the industry in terms of PCI Standards with its PCI Compliance Initiative. And the company offers added layers of protection to its merchants through its Data Breach Security Program.

PCI and the Data Breach [2023 Update]

Today The Official Merchant Services Blog continues looking at the bigger picture of the impact from the Global Payments Data Breach — specifically looking at the effect it’s going to have on PCI DSS as well as a little foray into State Security Breach Notification Laws.

You’ll remember yesterday we highlighted some of the criticisms found in the PCI DSS, specifically this article by Taylor Armerding which suggested that PCI compliance is not enough to protect data from the skilled and focused hackers who cause these data breaches.

We then focused on how PCI Compliance is still a great foundation for your transaction security. The standards and protocols set up by the council are the first step a merchant needs to take to protect their data. And Host Merchant Services offers a PCI Compliance Initiative that helps its merchants quickly and seamlessly take that step.

Still, the idea that PCI DSS is not living up to its billing as security shows itself in this story from Wired about a small business filing suit against its bank, claiming that the financial institution, which used to process the restaurant’s credit and debit card transactions, wrongfully seized money from the business’ merchant bank account. In short, the business is suing the bank for taking funds as penalties for being non-compliant with PCI DSS.

Taking it to Court

The story explains that Stephen and Theodora “Cissy” McComb, owners of Cisero’s Ristorante and Nightclub in Park City, Utah, racked up $90,000 in fines that Visa and MasterCard imposed after alleging that Cisero’s had failed to secure its network and suffered a data breach that resulted in fraudulent charges on customer bank cards. U.S. Bank seized about $10,000 from the McCombs’ merchant account to cover those penalties and then sued the McCombs to obtain the remaining balance on the fines, saying a contract the McCombs signed with the bank makes them liable for such fines.

The McCombs struck back with a bold countersuit. The story explains: “But in their countersuit against U.S. Bank, the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized.”

This suit challenges the basic foundation of PCI security standards and opens up a lot of old wounds and criticisms about PCI DSS in context of the card issuers that make the call and form the council for PCI DSS. As the story says: “The controversial system, imposed on merchants by credit card companies like Visa and MasterCard, has been called a “near scam” by a spokesman for the National Retail Federation and others who say it’s designed less to secure card data than to profit credit card companies while giving them executive powers of punishment through a mandated compliance system that has no oversight.”

The linked article provides many of the details that led to the data breach at Cisero’s, as well as why the fines and penalties were applied according to PCI DSS standards. The McComb countersuit relies heavily on their assertion that PCI DSS oversteps its bounds in applying those penalties, offers no recourse for people to dispute the penalties, and levies penalties against businesses for violations even when no fraudulent transactions occur.

The Cost of a Data Breach

The case above and much of the criticism targeting PCI DSS deal with the fines banks, processors and subsequently merchants face when data gets breached. This article looks into the cost merchants face when the worst case scenario occurs. A lot of merchants feel that lack of compliance isn’t an issue because they feel they are not responsible if something goes awry. But this article sheds some light on that: “suppose you or your merchant is suspected of one of those inevitable human errors, or of being a victim of a hacker. As long as there isn’t actually a breach, it’s no big deal, right? Wrong.”

The article lists the costs of penalties:

  • Forensics Audit done by investigators when they suspect your business is susceptible to a breach: Between $8,000 and $20,000
  • $3 to $10 per card to replace all cards compromised in a breach that happens.
  • $5,000 to $50,000 in fines for lack of compliance.
  • And even further in fines specifically tied to any fraudulent transactions that do occur as a result of the breach.

The article states that the average cost comes to $36,000, a hefty sum that can cripple small businesses. The figure in the McComb case may seem high in comparison, but going over the huge variance in the fine structure, it’s pretty easy to see how the bank came to a $90,000 figure.

Back to Global Payments

Speaking of the fees and penalties, it’s interesting to note that the company faces many of the same problems that small businesses do now that Global has been breached and run afoul of Visa in terms of PCI Security and Compliance. However, this story for ZDNet states that the company will likely absorb any costs from the data breach and not be affected as badly as some of the small businesses discussed above are affected by fees and penalties.

Global Payments continues to process, even after being dropped from Visa’s list of providers that meet security standards. The company is now working on being reinstated and once again being PCI Compliant. Working in their favor are their statements that they reported the breach to authorities the moment they found out it happened.

Which brings us to …

Security Breach Notification Laws

Security Breach notification laws were enacted in response to an escalating number of breaches of consumer databases containing personal information. The first such law was the California data security breach notification law, or SB 1386. It was enacted in 2002 and became effective on July 1, 2003. Currently 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted similar legislation requiring the notification of security breaches involving personal information. The only states that currently have no such law on their books are Alabama, Kentucky, New Mexico and South Dakota.

  • Host Merchant Services is located in Delaware. The Delaware Security Breach Notification Law can be reviewed in its entirety at This Link.
  • Global Payment Systems is located in Georgia. The Georgia Security Breach Notification Law can be reviewed in its entirety at This Link and its subsequent amendment can be found at This Link.

These laws tend to follow a similar basic structure to the one California passed first in 2002 — companies need to immediately disclose a data breach to customers, usually in writing. There have since been a number of bills that would establish a national standard for data security breach notification but none have been passed in Congress yet.

The Bottom Line

So what does this all mean? For now it appears that Global is weathering the storm brought on by the news of the data breach. They’ve minimized the impact of the bad news and are working to get their compliance situation straightened out. The data breach has put the spotlight onto the PCI DSS itself and we’ve seen that some small businesses and merchants are highly critical of the system. Comparing the crippling fines they can theoretically face for a breach that leads to no fraud against the impact that a large processor like Global faces for the same type of problem can leave some thinking the system needs more oversight. But PCI DSS does set the bar for security. It forces hackers to work harder than they would if it didn’t exist. It is a first step in terms of what merchants and processors need to do to protect transaction and data security.

The court case in Utah is very fascinating as it really takes the contract aspect of the PCI DSS to task. The Official Merchant Services Blog will continue to follow the news on that case. And we will keep you posted on the latest developments with this Global Payments Data Breach.