Host Merchant Services finally gets to make this announcement official: All mobile payment solutions the company offers now feature both iPhone and Android compatibility.
On February 28, 2012 Host Merchant Services teased through its Facebook Page that it would have big news regarding HMS and Mobile Payments in March. But technical difficulties with the full release of Payfox’s Android solution held the news back until today. In the Android Marketplace, Payfox is now listed and available for download. You can see the listing here.
The App has been on the Android Marketplace since March 21. But now the rest of the support is in place to get the app working. The final piece of the puzzle was the card reader — UniMag II, Two-Track Secure Mobile MagStripe Reader. The device is a two-track, encrypted magnetic stripe reader that works with a wide variety of mobile platforms, including Apple, HTC, LG, Motorola, and Samsung devices. Use your mobile device to read credit cards, signature debit cards, gift cards, loyalty cards, driver’s licenses, and ID badges. The UniMag reads up to 2 tracks of information with a single swipe in either direction, providing superior reading performance for your mobile device. A merchant account is required to accept credit card transactions.
You can download the specs from the UniMag II data sheet right here. These are the Android devices supported by the reader:
HTC Aria
HTC Desire Z
HTC Eris
HTC EVO 4G
HTC EVO Shift 4G
HTC G2
HTC Hero
HTC Incredible
HTC MyTouch 4G
HTC EVO 3D
HTC Nexus One
HTC Incredible 2
HTC MyTouch 3G Slide
HTC MyTouch 4G Slide
HTC Thunderbolt
HTC Merge
LG Optimus T
LG Revolution
Motorola Droid 2
Motorola Droid X
Motorola Droid Pro
Motorola Milestone
Motorola FlipSide
Motorola Atrix
Motorola Droid 2 Global
Motorola Droid Bionic
Motorola Droid 3
Samsung Captivate
Samsung Droid Charge 4G
Samsung Epic
Samsung Epic 4G
Samsung Fascinate
Samsung Nexus S
Samsung Replenish
Samsung Infuse 4G
Samsung Continuum
Samsung Galaxy SII
Please Note
When you go to the Google Play Market and search for PayFox using your Android/Droid phone, the PayFox application will only display on devices with which the application is compatible.
Red 5 Standing By
Our friends at Transfirst also wanted to offer some clarification about the use and licensing around the word Droid:
“Android and Droid are often used interchangeably when referring to the ever-growing and increasingly popular line of smartphones that run on Google technology. The difference, for most purposes, is one of legal definitions and intellectual property. Android simply refers to the operating system and software that powers phones built by any of a number of manufacturers, including HTC or Motorola, and that run on any of the major carriers.
Droid, on the other hand, is a term coined and owned by LucasFilm Ltd., the licensing rights for which Verizon had to purchase in order to brand their specific line of Android Smartphones.”
In short, Androids are phones, and you can now use them to swipe payments. Droids are what Jawas scavenge. Though I’m sure the Jawas will happily accept mobile payments from all you moisture farmers out there. Ootini!
Today The Official Merchant Services Blog has a quick follow up to its ongoing coverage of the Global Payments Data Breach. The past two entries in our blog have taken a sweeping look at the big picture of data breaches and PCI DSS and how effective those security standards are. PCI Compliance is a topic very near and dear to Host Merchant Services because the company pushes an aggressive initiative among its customers to keep them PCI Compliant.
PCI Compliance: The Foundation of Security
Past studies from Verizon and Gartner Research have suggested that business owners slack on their security needs, especially in terms of PCI DSS compliance. The most often suggested reason for this lax outlook on security is that PCI itself does not have much traction with those business owners. The merchants tend to think any security issues are the responsibility of the third-party processor, the bank, or the credit card companies; they don’t see a direct link to their business, for the simple reason that the terminal that swipes cards wasn’t theirs to begin with. Other issues include merchants getting lost in the complexities of the PCI DSS website and its many forms that need to be filled out, and the change to PCI DSS version 2.0 in October 2010, which changed the structure of the standard. Merchants get distracted by the day-to-day responsibilities of their business and gloss over the minutiae of PCI compliance.
Host Merchant Services understands these problems. Part of their service mantra is that the company designs payment processing solutions that let their merchants focus on running their company. The general theme is to make payment processing seamless and easy for the merchants. This includes transaction security and was the catalyst that fueled the company’s PCI Compliance Initiative.
But as we’ve seen with the Global Payments Data Breach, security needs to go beyond just PCI Compliance.
An Extra Layer of Protection
This article from The Data Center Journal suggests that better control of administrative privileges could have helped stave off the Global Payments Data Breach completely. From the article: “Avecto says that the possibility that the breach was caused by a compromised administrative account that was insufficiently protected shows that governance is a central requirement of modern IT security.”
The article maintains that multiple layers of security can go a long way toward preventing future data breaches of this type. Paul Kenyon, chief operating officer with Avecto, said in the article that “Our observations on this breach suggest that minimizing administrative privileges—an exercise in the principle of least privilege—would have gone a long way to preventing the breach.” It was suggested to Kenyon by another IT security analyst that the privileged accounts reportedly at the heart of this breach need several layers of protection to properly insulate them from hackers.
Most articles looking at the aftermath of the data breach arrive at the consensus that security measures need to go beyond just PCI compliance. This article gives some very specific and clear advice on a step to take — a data breach solution.
Data Breach Penalties Stack Up
Yesterday’s blog also delved into the cost and fees companies face when they suffer a data breach.
And this article by Bank Info Security gives even more insight into the cost and impact of a data breach. It interviews Larry Ponemon, founder of the Ponemon Institute, which conducted this year’s Cost of a Data Breach study with sponsorship from Symantec. The study revealed that the average cost of a data breach has gone down this year, which makes sense when you consider that even with the Global Payments Data Breach in the news right now, its scale is a lot smaller than the scale of the Heartland Data Breach.
In fact, this article, also from Bank Info Security, gives a side by side comparison between the much bigger Heartland Data Breach and the Global Payments Data Breach.
But back to Ponemon’s interview and his company’s study: “According to the annual report, the average per capita cost of a data breach has declined from $214 per record to $194 since 2011’s report.”
Ponemon suggests two reasons for the decline in average costs.
Complacency: “We think people in general may be becoming numb to the data breach notification process. Most people have received at least one data breach notice; they may not even be aware of it because they don’t open their mail. They may see it as junk mail.”
Topical Shift, or rather the rise of intellectual property breaches, which are not a part of the annual study: “We focus on one type of data breach – the type of data breach [of personal records] that requires notification in the United States and then other parts of the world – but in reality there are other, maybe more costly, data breaches that companies are experiencing every day.”
HMS Data Breach Security Program
The hackers that go after credit card information are a creative group of criminals who are constantly pushing technology forward and tying security systems in knots. Many times a discussion about data breaches ends up with the conclusion that “it’s not if a data breach is going to happen, it’s when a data breach is going to happen.”
Host Merchant Services offers a key resource for preparing a business to tackle that issue: its Data Breach Security Program. Under this program a merchant can get up to $100,000 in coverage per location for the most common forms of data breach:
Employee Dishonesty
Skimming
Theft of Credit Card Receipts
Theft of POS Terminals
Stolen Card Numbers
Theft of Computers
The Data Breach Security Program helps cover fees for any industry-mandated audit of a suspected breach, card replacement costs and related expenses, and industry fines and assessments. All of these fees come from non-compliance with PCI DSS and are fees and issues that any company even suspected of a breach can face as we described yesterday in our blog. The coverage would exceed even the penalties that Cisero’s faces as we saw in the article about their lawsuit targeting the PCI itself.
How Does It Work?
Host Merchant Services makes it easy to file claims once you’ve gotten on board with the Data Breach Security Program. A simple online form starts the process:
Step 1: Fill out the online claim form at www.merchantdatabreach.com
Step 2: Upload or fax the notice from the acquiring bank, which stipulates that there has been a breach or a suspected breach at your location, and choose an authorized, qualified security assessor.
Step 3: When the forensic audit is complete, upload or fax a copy of the assessor’s report.
Step 4: HMS takes it from there. We process the claim for payment and if all documentation is in order you will receive a check for the expenses incurred from the audit and/or card replacement costs and/or fines incurred for a breach.
To recap
Data Breaches can and will occur. They are costly. The recent Global Payments Data Breach reminds us all how important transaction security is for all parties involved. Merchants need to understand how important PCI Compliance is for their business. And they also need to take more steps than just PCI Compliance. Host Merchant Services is committed to keeping its merchants safe and secure. The company takes the lead in the industry in terms of PCI Standards with its PCI Compliance Initiative. And the company offers added layers of protection to its merchants through its Data Breach Security Program.
Today The Official Merchant Services Blog continues looking at the bigger picture of the impact from the Global Payments Data Breach — specifically looking at the effect it’s going to have on PCI DSS, as well as a little foray into State Security Breach Notification Laws.
You’ll remember yesterday we highlighted some of the criticisms found in the PCI DSS, specifically this article by Taylor Armerding which suggested that PCI compliance is not enough to protect data from the skilled and focused hackers who cause these data breaches.
We then focused on how PCI Compliance is still a great foundation for your transaction security. The standards and protocols set up by the council are the first step a merchant needs to take to protect their data. And Host Merchant Services offers a PCI Compliance Initiative that helps its merchants quickly and seamlessly take that step.
Still, the idea that PCI DSS is not living up to its billing as security shows itself in this story from Wired about a small business filing suit against its bank, claiming that the financial institution, which used to process the restaurant’s credit and debit card transactions, wrongfully seized money from the business’ merchant bank account. In short, the business is suing the bank for taking funds as penalties for being non-compliant with PCI DSS.
Taking it to Court
The story explains that Stephen and Theodoara “Cissy” McComb, owners of Cisero’s Ristorante and Nightclub in Park City, Utah, racked up $90,000 in fines that Visa and MasterCard imposed after alleging that Cisero’s had failed to secure its network and suffered a data breach that resulted in fraudulent charges on customer bank cards. U.S. Bank seized about $10,000 from the McCombs’ merchant account to cover those penalties and then sued the McCombs to obtain the remaining balance on the fines, saying a contract the McCombs signed with the bank makes them liable for such fines.
The McCombs struck back with a bold countersuit. The story explains: “But in their countersuit against U.S. Bank, the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized.”
This suit challenges the basic foundation of PCI security standards and opens up a lot of old wounds and criticisms about PCI DSS in context of the card issuers that make the call and form the council for PCI DSS. As the story says: “The controversial system, imposed on merchants by credit card companies like Visa and MasterCard, has been called a “near scam” by a spokesman for the National Retail Federation and others who say it’s designed less to secure card data than to profit credit card companies while giving them executive powers of punishment through a mandated compliance system that has no oversight.”
The linked article provides many of the details that led to the data breach at Cisero’s, as well as why the fines and penalties were applied according to PCI DSS standards. The McComb countersuit relies heavily on their assertion that PCI DSS oversteps its bounds in applying those penalties, offers no recourse for people to dispute the penalties, and levies penalties against businesses for violations even when no fraudulent transactions occur.
The Cost of a Data Breach
The case above and much of the criticism targeting PCI DSS deals with the fines banks, processors and subsequently merchants face when data gets breached. This article looks into the cost merchants face when the worst-case scenario occurs. A lot of merchants feel that lack of compliance isn’t an issue because they feel they are not responsible if something goes awry. But this article sheds some light on that: “suppose you or your merchant is suspected of one of those inevitable human errors, or of being a victim of a hacker. As long as there isn’t actually a breach, it’s no big deal, right? Wrong.”
The article lists the costs of penalties:
Forensics Audit done by investigators when they suspect your business is susceptible to a breach: Between $8,000 and $20,000
$3 to $10 per card to replace all cards compromised in a breach that happens.
$5,000 to $50,000 in fines for lack of compliance.
And even further in fines specifically tied to any fraudulent transactions that do occur as a result of the breach.
The article states that the average cost comes to $36,000, a hefty sum that can cripple small businesses. The McComb data breach may seem high in comparison, but going over the huge variance in the fine structure, it’s pretty easy to see how the bank came to a $90,000 figure.
Back to Global Payments
Speaking of the fees and penalties, it’s interesting to note that Global Payments faces many of the same problems that small businesses do now that it has been breached and run afoul of Visa in terms of PCI security and compliance. However, this story from ZDNet states that the company will likely absorb any costs from the data breach and not be affected as badly by fees and penalties as some of the small businesses discussed above.
Global Payments continues to process, even after being dropped from Visa’s list of providers that meet security standards. The company is now working on being reinstated and once again being PCI Compliant. Working in its favor are its statements that it reported the breach to authorities the moment it found out the breach had happened.
Which brings us to …
Security Breach Notification Laws
Security Breach notification laws were enacted in response to an escalating number of breaches of consumer databases containing personal information. The first such law was the California data security breach notification law, or SB 1386. It was enacted in 2002 and became effective on July 1, 2003. Currently 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted similar legislation requiring the notification of security breaches involving personal information. The only states that currently have no such law on their books are Alabama, Kentucky, New Mexico and South Dakota.
Host Merchant Services is located in Delaware. The Delaware Security Breach Notification Law can be reviewed in its entirety at This Link.
Global Payment Systems is located in Georgia. The Georgia Security Breach Notification Law can be reviewed in its entirety at This Link and its subsequent amendment can be found at This Link.
These laws tend to follow a similar basic structure to the one California passed first in 2002 — companies need to immediately disclose a data breach to customers, usually in writing. There have since been a number of bills that would establish a national standard for data security breach notification but none have been passed in Congress yet.
The Bottom Line
So what does this all mean? For now it appears that Global is weathering the storm brought on by the news of the data breach. They’ve minimized the impact of the bad news and are working to get their compliance situation straightened out. The data breach has put the spotlight onto the PCI DSS itself and we’ve seen that some small businesses and merchants are highly critical of the system. Comparing the crippling fines they can theoretically face for a breach that leads to no fraud against the impact that a large processor like Global faces for the same type of problem can leave some thinking the system needs more oversight. But PCI DSS does set the bar for security. It forces hackers to work harder than they would if it didn’t exist. It is a first step in terms of what merchants and processors need to do to protect transaction and data security.
The court case in Utah is fascinating, as it really takes the contract aspect of the PCI DSS to task. The Official Merchant Services Blog will continue to follow the news on that case. And we will keep you posted on the latest developments with the Global Payments Data Breach.
Today The Official Merchant Services Blog is going to delve into the bigger picture of the impact that the Global Payments Data Breach is going to have on the payment processing industry. Obviously this news is going to have a huge impact on Global Payments itself. The company faces a big penalty after Visa dropped it from its registry of compliant service providers due to “unauthorized access into a portion of (Global Payments’) processing system.”
Fees and penalties related to reacquiring its compliance status and getting back on the registry will add up. In fact, an executive from Co3 Systems, a data loss management firm, estimated the potential liability for a merchant with 1 million cards compromised could top $1.6 million from compliance fines alone. With Global’s own official statements indicating that fewer than 1.5 million cards were compromised, the Co3 estimate is probably right in the ballpark of what Global faces.
The company also will take a hit to its business simply because of the breach itself and being dropped by Visa. While they are off the list, some potential customers may not be able to sign with them due to the lack of compliance status. And if the process to be reinstated takes too long, it could affect some of their current customers.
But there’s a larger context that needs to be considered with this data breach: PCI DSS itself.
We’ve covered PCI Compliance very extensively in the blog. We looked at a report from Verizon last year that suggested 79% of the organizations Verizon surveyed were found to be non-compliant in their initial audit in 2010. The study from the previous year had found 78% of organizations non-compliant. A study by Gartner Research demonstrated that 18% of the merchants they surveyed were not PCI Compliant at all.
What is PCI?
These studies just underscore the large problem payment processing faces with security. The acronym PCI DSS stands for Payment Card Industry Data Security Standards. PCI Compliance is essentially the process of adhering to the standards set forth by the Payment Card Industry Data Security Standards Council (PCI DSS). You can review those standards in greater detail here. Essentially the standards are a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment.
What’s the Problem?
One of the biggest criticisms of the PCI DSS is that it is the minimum agreed upon set of security protocols. Because of its nature as a consensus set of standards put together by the council, PCI is often criticized for being behind the curve or not being thorough enough to deal with the hackers who are trying to get at the data and breach the security of the transactions. Combine that with the studies that keep showing merchants are not keeping their compliance current or not even becoming compliant in the first place and you open the door for a lot of criticism against the system designed to keep transactions safe and secure.
Taylor Armerding wrote a compelling article for CSO Online on the issue of PCI compliance in the aftermath of the latest data breach. The lead statement of the article underscores the issue simply and effectively: “The latest data security breach to strike MasterCard and VISA has security experts focusing anew on the good and bad of PCI DSS. On one hand, the standard offers a clear blueprint on how to handle such a breach. On the other hand, compliance is usually not the cure, as this latest incident demonstrates.”
To add emphasis, Armerding quotes Neil Roiter, research director at Corero Network Security, as saying: “The Payment Card Industry Data Security Standard (PCI DSS) is highly prescriptive in nature, but simply complying does not ensure credit card security. Companies that rely on PCI DSS to solely dictate their security measures will continue to remain vulnerable to attack.”
The Weak Link
Armerding’s article suggested that compliance isn’t the be-all and end-all for security and that humans are still the weakest link in the system. Quoting Anup Ghosh, founder and CEO of Invincea, a developer of browser protection systems, the article says that too much of the security standard is stuck in the past. Ghosh also suggests that PCI is complacent and easy for hackers to circumvent. Ghosh says that the systems in place are designed more to tell you what happened after the fact, being a reactive solution rather than a proactive one. Ghosh then suggests that the data that was compromised was likely encrypted, but the security standards are behind the curve where it really counts: the human layer of security.
Ghosh explains: “If I target employees, which is how you target these days, it is not very hard in phishing campaigns, to get employees to open an email or click on a link, which then provides access to their desktop and the privileges that come with it. [And in that case] Encryption is worthless.”
He then suggests a more proactive step of creating a more secure virtual environment for employees to work in so that whatever an employee clicks doesn’t end up compromising any data in the system.
PCI is Still Very Important
What Armerding and Ghosh say about PCI is quite compelling. But they both still point out that PCI Compliance is very important for merchants and payment processors. The standards may be behind the curve with the ever-clever hackers going after credit card data, but they set a starting point for security. They set the bar high enough that hackers have to put in work to circumvent the systems. Having PCI is so much better than not having it — which demonstrates how scary the Verizon and Gartner studies are.
Host Merchant Services advocates for and carries out a very zealous crusade for PCI Compliance. The company takes data security and safe transactions seriously and makes PCI Compliance a part of its value-added service package. HMS began a PCI Compliance Initiative last year that started with an ad campaign offering, for a limited time, waived PCI Compliance fees for merchants who signed up during that time. It then extended into an initiative run through a partnership agreement with HostMySite.com that offered a free PCI and Security Analysis to any customer interested, and now that same offer is available to anyone interested in Host Merchant Services, partnership or no partnership. The company provides on-call assistance with PCI Compliance questions and problems and will help all of its merchants get through the process with tips and advice from Host Merchant Services’ own PCI Compliance experts.
Tomorrow The Official Merchant Services Blog will follow up with the latest developments from the data breach, as well as more information about PCI Compliance, and PCI DSS issues that the payments industry and the tech industry are discussing.
For More Information
For more information about PCI Compliance, Host Merchant Services offers these resources:
Following up on our continuing and extensive coverage of the Global Payments Data Breach, The Official Merchant Services Blog has some new tidbits to report from the man who initially broke the story — Brian Krebs.
Krebs felt he needed to respond to the Global Payments conference call delivered by company chairman and top executive Paul Garcia.
In that call Garcia said, “There’s a lot of rumor and innuendo out there which is not helpful to anyone, and most of it incredibly inaccurate. In terms of other timelines, I just cannot be specific further about that.”
Krebs took that ambiguous commentary as a specific reference to his own reporting of the incident — notably that Krebs’ reports offered a different timeline than the one Global had been offering, Krebs’ reports offered a culprit in the data breach (citing Dominican Street Gangs and a New York City cab company and garage), and Krebs’ reporting suggested that at least 876 fraudulent cards had already been discovered as having been in use as a result of the breach while Global stated no fraudulent transactions were linked to the breach.
So there were definitely some differences between what was being reported by Krebs and what was being discussed, however grudgingly and tight-lipped, by Global in its official statements. It had gotten to a point of such discrepancy that Krebs was entertaining the idea that the Global breach wasn’t the breach he had initially reported. Krebs believed there might be another breach, still unverified, that fit his reporting better. As Krebs wrote on his blog: “Indeed, given GPN’s statements thus far, I continue to be nagged by the possibility that my initial reporting may have been related to a separate, as-yet undisclosed breach at another processor.”
But until another breach actually surfaces, Krebs continues to treat the Global breach as the one he had heard about and reported.
The Number Skew
The first topic Krebs addressed in response to Global’s statements and commentary was the number of compromised cards that Global reported versus the number of compromised cards the Wall Street Journal initially suggested. Krebs notes that the language Global is using in reference to the numbers is distinct and different from the language other companies have used in the past in terms of previous data breaches.
security breach on Friday, said GPS is only stating how many accounts it believes were ‘exported,’ which focuses on the number of accounts or card numbers that a forensics expert could reasonably argue were offloaded or downloaded from the company’s systems. “What GPS has not said is how many transactions they processed — and potentially compromised — during the time between when they discovered the breach,” Krebs said, which was early March, according to Global Payments, “and when they ‘contained’ the breach [in late March].” Krebs said the number of transactions or card numbers potentially exposed while the company was actively compromised “is probably far larger than the 1.5 million number they are citing in their statements, because those statements appear to be based on a figure that the company can say with relative certainty were downloaded or copied from its systems.”
Change in Web Hosting
The next tidbit Krebs offered was that Global changed its web hosting company in February: “For the past two years, GlobalPaymentsInc.com has been hosted at MaximumASP, a hosting provider in Louisville, KY. On Feb. 20, 2012, the company moved its Web site to Amazon’s EC2 cloud hosting service. MaximumASP declined to answer questions about possible reasons for the switch, citing customer confidentiality policies.”
This change in hosting appears to have taken place within the timeline that Krebs has offered for when the breach happened, and just a short time before the date on which Garcia says the company discovered it had been breached.
Data Breach Chart From Visa
The next tidbit Krebs offered was a chart detailing the anatomy of a data breach. Krebs felt it was significant to note that there is a time period that Visa calls the “window of vulnerable transactions.” And Krebs also notes that the chart shows that discovery of the breach may or may not happen after the start date of the breach. All of this is an attempt to further investigate the timeline that Krebs is trying to construct even in the face of Global’s vague commentary about said timeline.
Hacker Makes Bold Claims
The last tidbit Krebs pointed out was that there are reports that the breach was far more extensive than was being reported.
Krebs cites a New York Times article: “The New York Times in a story published Saturday cited unnamed sources saying that this was the second time in a year that Global Payments had experienced a breach.”
Krebs then backs that claim up with a source of his own: “I have heard likewise from an anonymous hacker who claims the company was breached just after the new year in 2011. The hacker said the company’s network was under full criminal control from that time until March 26, 2012.”
Krebs’ hacker source also claimed that hackers had been capturing data at regular monthly intervals from the company’s network for 13 months. They were gathering data on a total of 24 million unique transactions before they were shut out.
And Krebs tried to verify the authenticity of his source: “When asked if he had evidence that would back up his claims, the hacker produced a Microsoft Word document with Global Payments’s logo entitled “Disaster Recovery Plan TDS US: Loss of the Atlanta Data Center.” The document appears to have been created on May 6, 2010 by Raj Thiruvengadam, who according to LinkedIn.com was an Atlanta-based Oracle database administrator for Global Payments from May 2006 through August 2011.”
What it all Means
Well at its most basic, there is a discrepancy between the information Global is releasing and the information that Krebs is uncovering. There very well may be a separate breach that Krebs was given the information on. As Krebs noted himself, in his initial report he did not mention Global at all. There also may be a separate or longer breach that happened to Global. Or it might be as Krebs suggested to ABC News, a purposely chosen metric for the numbers that doesn’t take into account something like “window of vulnerable transactions.”
Krebs and Global will most likely be advancing this story throughout the week and The Official Merchant Services Blog will keep you up to date on those details.
The Official Merchant Services Blog tackles the big news in the payment processing industry today: The Global Payments Data breach.
The news of this data breach hit on Friday and the weekend has seen some wild speculation tossed about. At first there were reports that a mere 50,000 cards were compromised. Then the media upped the number to 10,000,000. Today Global Payments and the media sources covering the story are reporting that the number is closer to 1.5 million cards.
The Story So Far …
The breach was first reported by blogger Brian Krebs at KrebsonSecurity.com. He said on Friday that Visa and MasterCard were alerting banks across the country about a recent major breach at a U.S.-based credit card processor. The first report cited as many as 10 million cards were compromised. By that afternoon Krebs revealed that the processor was Global Payments, and that the breach was discovered in early March 2012. Krebs cited the breach as occurring between January 21, 2012 and February 25, 2012. The alerts issued by Visa and MasterCard, according to Krebs, stated that Track 1 and Track 2 data was taken — which Krebs said meant that the information could be used to counterfeit new cards.
Then the media got more involved.
The Wall Street Journal followed up Krebs blogging with a story about the breach, making the news official. Global remained silent throughout the day, only confirming the report after the close of the markets and trading.
The rabid interest in the data breach sparked an interesting article by USAToday, which expanded on Krebs’ own reporting. Krebs stated that he had heard from his sources that investigators suspect Dominican street gangs were involved in the fraud, focusing mainly on commercial credit and debit card accounts. The article then cited Gartner banking security analyst Avivah Litan, who claimed that the breach involved a taxi and parking garage company in the New York City area. It was suggested that consumers who had paid for a NYC cab in the previous months using the new swipe technology might be victims of the breach and possible fraud. Litan also said she too had heard about a Central American gang connection.
Global’s Statements
Finally Global Payments started talking. The breach was verified by Global. Paul Garcia, Global’s chairman and chief executive, said in a statement that the breach was reported by the company to the FBI — suggesting that the company promptly identified the breach and reported it to the authorities. They’ve now called it a “self-reported” breach. However, media sources do note that the news about the breach still had to be dragged out into the spotlight by Krebs and his blog.
After confirming the breach Garcia stated that the breach was “absolutely contained” and stated that there had been no “fraudulent transactions” related to the breach.
However, the Green Sheet reported on Friday that Krebs had reported that PSCU Financial, a nonprofit cooperative credit union service organization, told its members 56,455 Visa and MasterCard accounts had been compromised, but fraud was found to have occurred in only 876 accounts so far.
Garcia stated that 1.5 million card numbers were compromised by the breach and re-affirmed that no fraud had taken place related to the compromised cards. “This is manageable,” Garcia said.
Visa Takes Action
In response to the data breach information hitting the spotlight, Visa took action against Global Payments. Visa removed Global Payments, an Atlanta company that helps the payment giant process transactions for merchants, from its list of “compliant service providers.”
Garcia, in his statements to the press, acknowledged that Visa had removed Global Payments from its compliance list pending resolution and remediation of the breach and that it was working “as expeditiously as possible” to return to compliance. The process would take “not days, but we don’t think it’s months.” In other words, Global was not going to be able to fix its PCI status quickly. Global Payments continues to process Visa cards worldwide, according to Garcia.
Both Visa and MasterCard say their own systems weren’t compromised. Both credit card issuers had said Friday that they notified their card holders of the potential for identity theft and illicit charges because of the breach.
The Consequences
Global has not yet identified the size of the charge it will take as a result of the breach. But it is interesting to note that Heartland Payment Systems racked up a cost of $12 million in penalties and legal fees when its data breach compromised more than 120 million credit cards.
The Official Merchant Services Blog will be devoting much of its coverage to this developing story. Tomorrow we’re going to take a look at any updates as well as how this issue fits into the ongoing news regarding PCI security and compliance. Data Breaches have been a topic this blog has covered before. Though we’ve focused more on the breaches that affected video game companies like Sony and Turbine last year, our coverage was written with an eye toward the big picture problem of data breaches in general and compromised credit card information. So expect us to try and tie it all together through our focus this week.
Also …
And one last thing to consider if you are a merchant and you are worried about data breaches affecting your bottom line: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.
Host Merchant Services is stepping up its game in terms of E-Commerce, and The Official Merchant Services Blog has the scoop.
HMS, the premier provider of payment processing and e-commerce services for small and medium businesses, has an edge in terms of E-Commerce. The company was founded by CEO Lou Honick, who previously spent 11 years running a web hosting company. Honick’s experience has translated into Host Merchant Services becoming E-Commerce specialists capable of combining service and savings for a variety of online merchants with customized packages and partnership programs.
Wisdom and Experience
The partnership program has been the anchor of Host Merchant Services’ E-Commerce initiative since the beginning.
“We don’t write a business off as high risk just because it sells its products or services online,” added Honick. “HMS understands the needs of e-commerce merchants and works tirelessly to provide them with the right services at the best possible rate.”
E-Commerce Industry Buzz
E-Commerce has been growing rapidly in the past few years, and HMS is positioned to offer its valuable services and customized partnership plans to the most profitable business sector in the country currently. Here’s an infographic detailing how much growth J.P. Morgan Bank has seen in E-Commerce through its surveys:
The Latest Initiative
The latest from Host Merchant Services is a bold promotional offer — found here. The program, offered by internet services wholesaler OpenSRS specifically to their customers, gives those merchants an edge. The white label initiative lets resellers offer their online merchants a $75 promotional credit to customers who sign up for payment processing from HMS. This credit can be applied towards merchant services fees with HMS, and will be credited to their first full month’s statement. Any unused balance on this credit can be carried forward until the full value is exhausted, or the account has been open for six (6) months. The resellers receive a revenue share from processing fees generated by that customer.
On February 28, 2012 Host Merchant Services teased through its Facebook Page that it would have big news regarding HMS and Mobile Payments in March. The Official Merchant Services Blog is here to give you that big news.
Sort of.
The news is that Payfox will be usable for Android phones as well as the iPhones it has been compatible with for the past couple of years. Unfortunately that news is coming piecemeal. The announcement was slated for late March. But the project isn’t quite ready for launch. According to an ISS Bulletin from Transfirst:
“Although PayFox Android is currently not yet available … We are expecting a formal release in the next couple of weeks.”
In anticipation of the pending release, there is a new “PayFox Droid card reader” option opened up in Transfirst’s ELAPP™ software. The option is there, but the functionality isn’t ready yet. So it’s just a teaser of what’s to come. ELAPP™ is an innovative virtual application system that walks users through the merchant boarding process with intelligent rules for data entry.
That’s not the only teaser, however. In the Android Marketplace, Payfox is now listed and available for download. You can see the listing here.
User tests by the staff here at The Official Merchant Services Blog show that the download works. And the app will then show up on your Android phone. But there is no reader equipment available yet and the transactions can’t yet be processed. The App has been on the Android Marketplace since March 21.
So all we’re able to confidently report right now is that the pieces for Android appear to be in place, just not fully ready. We will keep you posted with any updates or breaks in this story. Once it is ready, Host Merchant Services will be rolling out a detailed press release discussing the addition of Android to their already robust iPhone capability and how it relates to their full e-commerce service package that it offers merchants.
The Debate over Discount Fees Hinges on the Costs for Unsecured Credit
Tom Cleveland, March 22, 2012
The debate over the proper level of merchant discount fees rages on with legal arguments and proceedings plodding along, possibly for years to come. One benefit of the latest struggle against bankers keeping their “hand” in the merchant industry’s “cash drawer” is that fees have been bifurcated between credit and debit cards in the United States, applying a lower transaction based fee to items regarded as true replacements for cash and checks. Whether the banking “monopoly” will be broken remains in doubt, but the real issue is how to recover the total costs related to issuing unsecured credit.
Unsecured credit is more a phenomenon in American culture than in most other global domestic markets. One argument often cited is that discount fees in the U.S. are materially higher than those in other countries, but the nature of credit and how it is offered to the general public is the core issue here. The rest of the world is a lot “harsher” in how credit is extended, but credit drives our service economy, which depends heavily on consumer retail spending. Disposable income has remained flat for over a decade, and, until this economic fact changes for the better, the retail sector will continue to underperform.
Intuitively, one would expect these merchant fees for card services to be entirely transaction based, without a percentage of the sale ever having to be reimbursed to card issuing banks. Unsecured credit, however, does not come without a significant cost structure. The “rule of thumb” for individuals and companies alike is that a total revenue stream of 35% on volume is necessary to operate at an acceptable level to cover costs and deliver an adequate return on capital. Interest charges cover two-thirds of this requirement, but additional fees are necessary to cover convenience usage where no interest can be charged. Roughly half of retail purchase volume constitutes convenience usage in the card services industry.
The remaining third comes from account fees, merchant discount fees, and a plethora of various fee types foisted on the general public over the years. Consultants advised banks decades ago to broaden their revenue base beyond interest-only charges to remain competitive, and we have all witnessed this “transformation” in “nickel-and-diming” tactics for years.
The costs for unsecured credit are actually higher today, due to present economic conditions, but may moderate over time, although not below the 35% threshold. If merchant discount fees are to drop, then banks will have to raise account fees, almost doubling current levels to cover the difference. There is no “free lunch” in this business. Banks are currently under pressure from toxic mortgage assets, new legislation, and debit card fee reductions. They have no desire to introduce new consumer fee changes, as many major banks have tried and failed with this approach recently.
Banks have fought merchant fee reductions for decades, due to unsecured credit costs. The courts may eventually have to force the issue, necessitating a re-pricing exercise that will unfortunately impact us all in other ways.
The Official Merchant Services Blog finishes its titanic trilogy on the effect Customer Service can have on a business. In our first blog we discussed anecdotal evidence and how it pertains to the perception of service and what can be learned from those anecdotes. In our second blog we took a look at the numbers, examining charts of data to determine a measured impact that customer service has on a business. The combination of strong anecdotal evidence and detailed charts demonstrated how integral quality customer service can be to a business’ financial success. Today we’re going to delve into the tips that get offered regarding inferior customer service — both tips on how customers can deal with customer service they find lacking and tips on how businesses can improve customer service that their customers find lacking.
I got onto this topic recently because of an online discussion that suggested that customers weren’t worth the effort of listening to their complaints. That discussion was sparked by the story of Jennifer Hepler found on The Mary Sue. It brought up the concept of gamer entitlement and video game customers going too far in their negative complaints to video game developers. Added to that was this Forbes article about The Myth of Gamer Entitlement. This really created a framework where customer complaints were presented as too much hassle for game companies to listen to. So the game companies would place customer service extremely low on their priority list.
I really have issues with that concept. It makes no sense to me. Customers and quality customer service are extremely valuable to long-term business. So I set about to prove how valuable customer service can be for a business. After seeing the anecdotal evidence and the numerical data stack up, it’s quite clear that quality customer service has an impact on a business’ bottom line. Good customer service helps retain customers. Happy customers also give a business good word-of-mouth advertising — the most powerful and effective advertising a business can receive. Good customer service leads to high customer loyalty. High customer loyalty gives your business higher sales and a stronger brand identity.
What to Do if All is Not Well?
So let’s bring this back around to what started me on this line of thinking: Difficult Customers. The strategy that some video game companies are using to “deal” with the difficult customers was to launch a bit of an online campaign through gaming sites and other avenues to paint those difficult customers as unreasonable, and set the company up as a victim of their irrationality. From what I’ve seen and read of that option, the negativity has simply bred more negativity. It has made the customers even more difficult, and a lot of bad word of mouth has started to seep into the reputation of the company, hurting its brand. So instead of creating an antagonistic atmosphere with difficult customers, I did a little research and found some tips and advice on how to deal with difficult customers and turn it into a positive.
The Customer’s Side
To get a handle on difficult customers I think it’s important to understand the perspective of the customer. This article by Mind Your Decisions is amazing at giving us insight into that perspective — and it gives consumers a series of tips on how to get the service they desire from bad customer service situations. It hinges on the premise that for customers to get what they want from a business’ customer service department, their strategy should be reasonably unreasonable.
It states that being reasonable with bad customer service usually leads to the customer not getting what they want as they let the business continue to ignore their issue. It then states that being unreasonable with bad customer service also misses the mark as making a ruckus may get you what you want, but may leave you feeling like you made a mountain out of a molehill. So it advocates a strategy of being reasonably unreasonable: Holding firm, continually going after what it is you want from the company but not raising a ruckus while you follow that path.
The article is focused on giving customers advice on how to get businesses to respond to their desire for customer service: “When dealing with bad service, one of the easiest ways to be reasonably unreasonable is to explain you are a frequent customer and that you would like a full cash refund. Cash, unlike in-store discounts, can be used at competitors. This small request quickly gets the attention of managers who scramble to keep you happy. You may end up accepting an in-store discount, but it will likely be much larger because you started asking for cash.”
Articles like this are important to be aware of when you’re planning your own customer service protocols. You find again and again that the advice offered to consumers is to not back down. To continue to push for service. To be difficult. Sure, there are always going to be a tiny selection of customers that are the exceptions to the rule — ones that are difficult to be difficult, ones that thrive off of confrontation, and ones that simply want to try and take advantage of your customer service to get something for nothing.
But these are the rare exceptions. Most of the time you are dealing with a customer that feels like they got a defective product or did not get the value of their purchase. They are seeking some sort of compensation, some understanding and some assistance. And because they feel justified in their crusade, they are going to feel entitled to service. They aren’t the unreasonable villains that the “gamer entitlement” tag suggests they are.
The moral of this story is that a customer who wants a refund can be difficult about it. But they can be turned back into a loyal customer if they receive understanding and compensation. It doesn’t even have to be in the form of a refund. But ignoring them or antagonizing them is only going to do more damage to your business and its reputation than the refund is usually worth. Most difficult customers aren’t that difficult once you initiate customer service that actually addresses their issues and their concerns.
Customer Service Tips
This article from Customer Service Manager offers five tips for dealing positively with difficult customers. Those five tips all hinge on engaging the customer’s emotions. As the article states in its conclusion: “Make no mistake about it; customers, be they internal or external, are primarily driven by their emotions. It’s therefore important to use human responses in any interaction particularly when a customer is upset or angry. If customers like you and feel that you care, then they’re more likely to accept what you say and forgive your mistakes.”
The tips break down to:
Have a thick skin. Be aware the customer is going to be angry and upset and don’t let that get to you.
Listen. Listen to what they have to say.
Don’t use the word sorry. Sorry, the article says, is overused and has little impact with difficult customers.
Show empathy. The customer is upset and empathy will help mollify their anger.
Build a rapport. While empathizing with the customer opens the door for you, building a rapport gets you to your destination — customer service.
Most other lists I’ve found on how to deal with difficult customers break down to a similar set of tips. The important tips that I repeatedly ran into were all a variation on listening to the customer, showing them understanding and not letting their anger get to you. It all comes back to giving the customer your time, your ear and your energy: giving them the attention they need to serve them and address their issues. You do this and most of the customer service complaints you get are defused. You turn many of these customers into loyal fans of your business who will turn around and spread the news that you give excellent service. You attract more business and build a reputation for your business.
For me, the bottom line of customer service is this: There’s no such thing as gamer entitlement. Those gamers are customers who purchased your product and they are entitled to quality customer service. If you run a video game company you should beat the pants off of your competitors by being one that gives quality customer service. You’ll set yourself apart from the ones that are painting their own customers as the villains and themselves as the victim of a group of people who simply want what they paid for.