Today’s edition of the Official Merchant Services Blog will take a look at the newest data breach, involving NY-based Barnes & Noble Inc.
Barnes & Noble revealed last week a “sophisticated criminal effort” had taken place at 63 stores, resulting in hacked PIN pad devices putting some of its customers at risk. The company discovered the hacking in September, but did not disclose it until recently on the advice of federal authorities. Security experts at the FBI have admitted that immediate disclosure in data breaches can make it harder for investigators to find the perpetrators.
In response, the chain has ceased using all PIN pads in its stores, and it has identified the affected locations in California, Connecticut, Florida, New Jersey, New York, Illinois, Massachusetts, Pennsylvania and Rhode Island.
“The tampering, which affected fewer than 1% of PIN pads in Barnes & Noble stores,” the company said in a news release, “was a sophisticated criminal effort to steal credit card information, debit card information, and debit card PIN numbers from customers who swiped their cards through PIN pads when they made purchases. This situation involved only purchases in which a customer swiped a credit or debit card in a store using one of the compromised PIN pads.”
Barnes & Noble said its customer database was unaffected, and that none of the compromised PIN pads were at its college bookstores. The company also said the breach did not affect e-commerce sales; customers who bought online or through the company’s Nook e-reader and Nook mobile app remain safe.
The bookseller is also working with the payment card networks, banks, and card issuers to identify accounts that may have been compromised. The company expects to have to go through a re-validation process before it is again deemed Payment Card Industry (PCI) compliant.
Although unfortunate, this data breach could have been prevented by discontinuing the use of unnecessary equipment. Since the Durbin Amendment, PIN pads attached to terminals no longer offer a cost benefit to a company. Durbin makes PIN Debit rates the same as Swipe Debit rates (as long as the bank is large enough to qualify), essentially eliminating the need for a PIN pad altogether. Check out our blog post on the differences between PIN and Swipe Debit here. Fewer PIN pads would reduce tampering with terminals and theft of cardholders’ PINs.
In the meantime, Host Merchant Services continues to offer the lowest PCI Compliance rates in the industry, as well as a vigorous PCI Compliance Initiative that seeks to inform and educate everyone interested as to the details of the process, step-by-step.
Certified Hosting, a leading web hosting services company, announced today a new partnership with Host Merchant Services that will enable webmasters to use merchant services with their web hosting plans. All Certified Hosting customers, including those on shared web hosting, virtual private servers (VPS hosting), and dedicated server hosting plans, are now able to apply for Payment Card Industry (PCI) compliant payment processing that is delivered to Certified Hosting’s high standards of customer service.
“Certified Hosting offers a range of ecommerce hosting services,” says Kacy Carlsen, co-founder and CEO of Certified Hosting. “We have made it easy for our customers to get up and running with an online store using the latest scripts and rock-solid hosting services. Quality merchant services are an essential part of a good ecommerce strategy for any business, and we are proud to announce Host Merchant Services as our chosen payment services partner. We are confident that Host Merchant Services will deliver the quality of service our customers have come to expect, at an affordable price.”
As a leading web hosting provider, Certified Hosting balances cost against quality of service. The company’s reliable web hosting services come with a 99.999% uptime, at a price that is affordable to new and growing businesses. Similarly, Host Merchant Services offers professional payment processing with fees that are clear, fair, and incredibly low. Typically, each type of credit or debit card transaction incurs a different fee, depending on the risk associated with it. Some merchant service providers charge merchants predetermined fees, meaning that merchants always pay the highest rate, regardless of which card has been used. Host Merchant Services charges merchants using a system known as Interchange Plus. Interchange Plus ensures that merchants only pay the fees that have actually been incurred, plus a small surcharge for administration. As a result, merchants using Host Merchant Services can reduce their payment processing expenses and more accurately project the cost of future transactions.
“There are no other industries where customers pay unnecessarily high charges,” says Carlsen. “Yet merchants routinely pay fixed fees for payment processing that do not reflect the actual transaction cost. At Certified Hosting, we provide fairly priced services thanks to Host Merchant Services. And now we can offer credit card processing to match. Even better, Host Merchant Services is – like Certified Hosting – an honest, upfront company that does not surprise merchants with hidden fees and charges.”
Another factor in Certified Hosting’s success is the company’s unlimited web hosting services, with no charges for customers who use a lot of disk space or bandwidth. The payment processing industry is full of complex terms and conditions, including additional charges buried deep in endless documentation. Host Merchant Services removes several common surcharges in the industry, with free applications, free setup, a free virtual terminal and an affordable payment gateway. Merchants are simply charged for the transactions they carry out, making accepting credit cards online more affordable and, crucially, more predictable.
“The most important thing about Host Merchant Services is that payment processing is made simple,” says Carlsen. “Host Merchant Services has no hidden charges, no expensive setup fees, and no unpredictable fees. With Host Merchant Services, our ecommerce hosting customers can quickly apply online, be approved in minutes, and begin taking payments in as little as 24 hours. We hope customers will take advantage of this new partnership so they can spend less on payment processing and maximize their profits.”
Certified Hosting has a proven record of excellent customer service, going the extra mile to help customers grow their online businesses. With this new partnership, Certified Hosting allows customers to get started right away with an affordable and efficient solution for payment processing.
Today the Official Merchant Services Blog will examine the PCI Security Standards Council’s most recent guidelines, and their slow crawl towards comprehensive security requirements for mobile devices.
On Thursday, the PCI Security Standards Council released a set of best practices geared toward developers of software for mobile devices. These guidelines come four months after the Council released some guidance about mobile payments for small businesses.
The PCI Council, based in Wakefield, Massachusetts, administers the Payment Card Industry data security standard and affiliated standards for secure payment software and PIN-based transaction devices. The guidelines were released during the Council’s annual North American meeting in Orlando, Florida on Thursday, after hinting at a possible PCI clarification in early September. Present at the gathering were security assessors, merchants, processors and vendors, all preparing for the update of the main PCI standard next year.
The Council announced that it is starting to approve hardware for mobile payments, such as card readers that plug into smart phones or tablet computers. The Council has not delved into the approval of software for mobile payments, nor has it made clear when that will happen. It has, however, announced that more guidance for merchants will come next year and that it will continue to take input from the payments industry on the serious task of protecting cardholder data when payments originate from mobile devices.
Correcting software vulnerabilities is the most important aim of the Council’s new guidelines, as app developers crank out new programs for processing payments on smart phones and tablets every day. The guidance covers everything from the payment transaction itself to access protection and remote disablement of a missing device.
The last point is arguably the most important aspect of a new mobile PCI security system. Since mobile payments are, true to their name, mobile, the risk of someone running off with your credit card terminal is increasingly real. The same applies to any tablets acting as POS systems in a store. An unlucky shopkeeper may open up in the morning only to find part of his or her POS system missing, and all cardholder data inside compromised. This is what the PCI Security Standards Council seeks to avoid.
Today The Official Merchant Services Blog marks the triumphant return to the timely topic of PCI DSS and cardholder data security. This tantalizing topic has been touted time and again in the peerless pages of our payment processing chronicles.
Days of Future Past
The crafty criminals that defraud, hack and swipe courageous consumers for their cardholder data are a constant concern for the entire credit card processing and data security sector. The industry has to be ever vigilant in its commitment to curb the high tech criminal activities and keep that cardholder data safe.
Retailers need to be eagle-eyed when it comes to defending data and securing customer information. They also need to be prepared for disaster, with a protocol-based plan of action for the worst case scenario — the dreaded data breach. But none of these advance preparations will save a merchant from data breach dangers if the merchant is unaware of PCI DSS, what it all means and what the requirements for PCI Compliance are.
The misdirection and misinformation out there about the process of PCI Compliance has led to complacency among many merchants. Face front, true believers: we’ve even expressed the fantastic facts and figures documenting merchant apathy regarding PCI Compliance in previously published purveyances of PCI-related blogs.
The media gloms onto the gargantuan headlines of something as garish as a Global Payments data breach, and the searing spotlight of data security dazzles the masses with the terrifying tidbits of these capricious crimes. But the nature of the crime has the danger spreading to small business merchants more and more frequently in the past few years. In fact, this article from Convenience Store Decisions suggests that the heinous hackers and nefarious fraudsters are backing away from the big fish and targeting the smaller retailers with easier-to-breach defenses.
The CS Decisions scribe John Lofsock posits that one of the prime reasons for this shift can be pinpointed to an alteration in the criminals’ own dastardly demographics. Today’s hacker is becoming less the angst-ridden, misunderstood teenager with whiz-bang keyboard and coding powers and turning into a far more treacherous group of villains. As the article puts it, “When hackers run up against businesses with sophisticated information technology and up-to-date security, they’ll turn to easier systems, including those of small non-profit agencies and family businesses.”
Datapocalypse Now
So what does a merchant do? The hale and hoary Host Merchant Services PCI Compliance pioneers readily suggest utilizing their very own PCI Compliance Initiative. PCI Compliance is a fantastic foundation for top-notch transaction security. The superlative standards and powerful protocols set up by the powers that be on the PCI-DSS Council are a forceful first step any enterprising merchant needs to take to protect their data. This is why helpful Host Merchant Services offers a power-packed PCI Compliance Initiative that gets merchants quickly and seamlessly up to speed.
Add to that amazing Initiative the second step that Merchants can take to shore up their security: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind. This program offers data breach insurance.
The article from CS Decisions quotes Trinette Huber, of Sinclair Oil Corp. in Salt Lake City, as saying “as a merchant, I can go through all the steps to do this and do it in good faith, and yet if I have a breach — which is entirely possible — the PCI council will say I wasn’t literally compliant.”
This is where breach insurance comes into play, true believers. The Data Breach Insurance that cutting-edge and customer-oriented companies like Host Merchant Services offer can curb the pernicious penalties that merchants face when a breach occurs. As we’ve stated time and again here on The Official Merchant Services Blog, security only begins with PCI Compliance. It’s a never-ending battle for safety, justice and the power of payment processing. Merchant Services providers need to work in conjunction with merchants to stay out in front of any and all security issues. And even then, disaster can occur, so a solid data security plan will have backup protocols like data breach insurance.
The CS Decisions article also quotes Huber as saying that PCI “is asking thousands of merchants to do something (the credit card companies) should be doing themselves. They should be fixing the magnetic stripe (in credit/debit cards) so it’s not something that can be easily stolen, instead of asking merchants to fix (the security issues) for them.”
That concern right there is why Visa has been pushing so hard for its EMV chip program with newer, more secure smartcards that have worked so well in Canada and Europe. Huber is noted in the article for describing the overbearing cost that the switch to EMV could entail for small business owners, as well as the fact that the EMV chips have been in place for decades and have already had data compromised before.
So If Not EMV, Then What?
Will no canny crusader for competent credit card processing and dependable data transfer step up to take the challenge presented by the PCI DSS? John Lofsock, the audacious author of the article we’ve been analyzing, thinks that Point-to-Point Encryption (P2PE) might be the champion the industry needs. This tantalizing technology, which is newer than EMV chips, apparently ensures that credit card data is protected from the moment it is swiped all the way through to the nanosecond it arrives at the payment processor. This could curry favor with retailers because it completely eliminates the need for the retailer to secure cardholder data, as the retailer never has possession of said data.
The real boon, as noted by Lofsock, is that the P2PE method will make it much cheaper for merchants to be PCI Compliant by removing the need for merchants to deal with network segmentation and other costly and time-consuming parts of the compliance process like the audit.
It is noted that PCATS and PCI are preparing future standards that deal with P2PE, so it is on their radar.
For today’s installment of The Official Merchant Services Blog, we are bringing you the most recent developments of the now infamous Global Payments Data Breach.
Back in March
When we first reported the breach, it had supposedly affected 50,000 cardholders and revolved around a taxi and parking garage company in the New York City area. Over a short time, media outlets hyped up the story until the alleged number of affected cardholders hit 10,000,000. Global CEO Paul Garcia estimated that closer to 1.5 million card numbers were compromised. Garcia also said that the breach was “self-reported” and “absolutely contained.”
In a quick response to the breach, Visa decided to remove the Atlanta-based processor from its list of “compliant service providers.” This meant for the first time, Global would no longer be Payment Card Industry (PCI) compliant, a major problem for one of the world’s largest payment processors. However, more consequences were to come for Global.
Update #2
In May we learned that the breach might actually have dated back to June of 2011, a full eight months earlier than previously thought. Global stuck by its story that the breach only affected 1.5 million cards or less, and occurred in February 2012. However, Brian Krebs, who first broke the story on his blog krebsonsecurity.com, revealed that “a hacker break-in at credit and debit card processor Global Payments Inc. dates back to at least early June 2011, Visa and MasterCard warned in updated alerts sent to card-issuing banks in the past week.” Krebs also found that Visa and MasterCard were sending periodic alerts to the banks about cards that may need to be re-issued following a security breach at a processor or merchant.
The Third Time’s the Charm
Global Payments executives estimated Thursday that the data breach revealed earlier this year could cost them upwards of $120 million to fix, a large part of which is an $84 million charge from the fourth quarter of fiscal year 2012 to cover fines and initial remediation costs from the payment card networks. Global CFO David Mangum said that the company also anticipates breach-related expenses and insurance payments in fiscal 2013 that could total $28 million or more. All the while, Global is working with a ‘Qualified Security Assessor’ in order to regain the PCI compliance certification it lost when the breach went public.
Tracking Track Data
Track data is the raw cardholder data encoded on the magnetic stripe of a credit or debit card. In late May, Global asserted that only Track 2 data, which contains account numbers and expiration dates, had been lost in the breach. Track 1 data contains cardholder names, addresses and other crucial data. Global seemed to be insisting that this would lead to less fraud, since the thieves could not produce counterfeit cards with the stolen data. Union Savings Bank, based in Danbury, Conn., was one of the banks alerted early by Visa and MasterCard about potential fraud. Visa alerted USB that about 1,000 of its debit accounts were compromised in the Global Payments breach. These details show how Track 2 data alone was enough for criminals to encode the card numbers and expiration dates onto any card equipped with a magnetic stripe. These cards can then be used at any merchant accepting signature debit, i.e., any transaction that does not require the cardholder to enter a PIN.
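The distinction the paragraph draws between Track 1 and Track 2 is concrete enough to check in code. What follows is an added example, not code from the original post or from Host Merchant Services: a small scanner that looks for the ISO/IEC 7813 track layouts in stored records (PCI DSS forbids retaining full track data after authorization), reports which sensitive fields each track carried (cardholder name only on Track 1; PAN and expiry on both), and renders the PAN masked so the finding itself can be logged safely. The log lines and the test card number are constructed for the example; the track layouts follow the public ISO/IEC 7813 standard rather than anything on the page.

```python
"""Detect magnetic-stripe track data in stored records and report it safely.

Added example (not from the original post). The track layouts are the
public ISO/IEC 7813 formats; the sample log lines are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2:            ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(r";(\d{12,19})=(\d{4})(\d{3})([^?]*)\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the PAN passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first 6 and last 4 digits (the PCI DSS display rule); star the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class TrackFinding:
    track: int                    # 1 or 2
    masked_pan: str
    expiry: str                   # rendered MM/YY
    cardholder_name: Optional[str]  # only Track 1 carries a name
    luhn_ok: bool                 # a failed Luhn check usually means a false positive


def _expiry(yymm: str) -> str:
    return f"{yymm[2:]}/{yymm[:2]}"


def find_track_data(record: str) -> List[TrackFinding]:
    """Return one finding per track layout present in a single record."""
    findings: List[TrackFinding] = []
    for m in TRACK1_RE.finditer(record):
        pan, name, yymm = m.group(1), m.group(2), m.group(3)
        findings.append(TrackFinding(1, mask_pan(pan), _expiry(yymm), name, luhn_valid(pan)))
    for m in TRACK2_RE.finditer(record):
        pan, yymm = m.group(1), m.group(2)
        findings.append(TrackFinding(2, mask_pan(pan), _expiry(yymm), None, luhn_valid(pan)))
    return findings


def scan_records(lines: List[str]) -> List[Tuple[int, TrackFinding]]:
    """Scan many records; return (1-based line number, finding) pairs."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in find_track_data(line)]


# Constructed sample: a properly masked auth line, a debug line that leaked a
# full swipe, and a bare number with no track sentinels.  4111111111111111 is a
# standard Luhn-valid test number, not a real account.
SAMPLE_LOG = [
    "2012-03-30 10:15:02 pos01 auth ok txn=48213 pan=411111******1111",
    "2012-03-30 10:15:07 pos01 DEBUG raw swipe: "
    "%B4111111111111111^DOE/JANE^25121011234567890?;4111111111111111=25121011234567890?",
    # A bare PAN is still cardholder data, but it is not track data; this
    # scanner deliberately keys on the track sentinels (%B, ^, ;, =, ?).
    "2012-03-30 10:16:44 pos02 ref=4111111111111111 settled",
]

if __name__ == "__main__":
    for lineno, f in scan_records(SAMPLE_LOG):
        print(f"line {lineno}: track {f.track} pan={f.masked_pan} exp={f.expiry} "
              f"name={f.cardholder_name!r} luhn_ok={f.luhn_ok}")
```

Run against the constructed log, only the debug line fires, once for each track, and the Track 2 finding carries no name, which is exactly the point the paragraph makes: Track 2 by itself still yields a usable PAN and expiry, so a leaked Track 2 is a reportable retention of cardholder data even though no cardholder name is present.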
Host Merchant Services’ PCI Compliance Initiative
Looking at the threat of a data breach, merchants must wonder what the solution can be. Is there protection available? PCI Compliance is a great foundation for transaction security. The standards and protocols set up by the PCI-DSS Council are the first step a merchant needs to take to protect their data. And Host Merchant Services offers a PCI Compliance Initiative that helps its merchants quickly and seamlessly take that step.
Also, one thing to consider if you are a merchant and you are worried about data breaches affecting your bottom line: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.
Today The Official Merchant Services Blog is just going to offer a quick update on some services Host Merchant Services provides directly for its current customers. Today our site launched a page for our current merchants to go to in order to access online assistance services. There are currently two:
TRUPCI
We’ve pushed our PCI Compliance Initiative for quite some time now. Host Merchant Services’ goal is to make it easy for our customers to stay PCI Compliant. The details of the PCI Compliance Initiative are:
A Free PCI Compliance Analysis of your business by HMS.
A Free PCI Compliance Scan.
A report compiled for your business regarding its PCI Compliance issues and what it needs to do to become PCI Compliant.
All told, this is a suite of services with a $100 value that you get at no extra cost.
And finally, we’ve gotten great results from the program. Current merchants who wish to roll up their sleeves and get into the process with us step-by-step can go to their TRUPCI assistant.
LOGIN HERE
Additional Resources
If you choose to process with HMS, we will also walk you through the entire procedure step by step, making PCI Compliance an easy and hassle free operation for you.
And read our step-by-step guide to becoming PCI Compliant as a Level 4 merchant (the most common level used for PCI Compliance).
Host Merchant Services knows that your business needs secure transactions to function. And we’re here to make the process of PCI Compliance easy, understandable and consistent for you each year.
In-House Gateway
We’ve also been pushing our custom-designed E-Commerce packages. Part of that offer includes the in-house payment gateway that lets you run your transactions completely online.
To access the Host Merchant Services in-house Payment Gateway:
Today The Official Merchant Services Blog has a quick follow up to its ongoing coverage of the Global Payments Data Breach. The past two entries in our blog have taken a sweeping look at the big picture of data breaches and PCI DSS and how effective those security standards are. PCI Compliance is a topic very near and dear to Host Merchant Services because the company pushes an aggressive initiative among its customers to keep them PCI Compliant.
PCI Compliance: The Foundation of Security
Past studies from Verizon and Gartner Research have suggested that business owners slack on their security needs, especially in terms of PCI DSS compliance. The most often suggested reason for this lax outlook on security is that PCI itself does not have a lot of traction with those business owners. The merchants tend to think any security issues are the responsibility of the third-party processor, the bank or the credit card companies; they don’t see a direct link to their business, for the simple reason that the terminal that swipes the cards wasn’t theirs to begin with. Other issues include merchants getting lost in the complexities of the PCI DSS website and its many forms that need to be filled out, and the change to PCI version 2.0 in October 2010, which altered the structure of the system. Merchants get distracted by the day-to-day responsibilities of the business and gloss over the minutiae of PCI compliance.
Host Merchant Services understands these problems. Part of their service mantra is that the company designs payment processing solutions that let their merchants focus on running their company. The general theme is to make payment processing seamless and easy for the merchants. This includes transaction security and was the catalyst that fueled the company’s PCI Compliance Initiative.
But as we’ve seen with the Global Payments Data Breach, security needs to go beyond just PCI Compliance.
An Extra Layer of Protection
This article from The Data Center Journal suggests that tighter control of administrative privileges could have helped stave off the Global Payments Data Breach completely. From the article: “Avecto says that the possibility that the breach was caused by a compromised administrative account that was insufficiently protected shows that governance is a central requirement of modern IT security.”
The article maintains that multiple layers of security can go a long way toward helping to prevent future data breaches of this type. Paul Kenyon, chief operating officer with Avecto, said in the article that “Our observations on this breach suggest that minimizing administrative privileges—an exercise in the principle of least privilege—would have gone a long way to preventing the breach.” Another IT security analyst suggested to Kenyon that the privileged accounts reportedly at the heart of this breach need several layers of protection to properly insulate them from hackers.
Most articles looking at the aftermath of the data breach arrive at the consensus that security measures need to go beyond just PCI compliance. This article gives some very specific and clear advice on a step to take — a data breach solution.
Data Breach Penalties Stack Up
Yesterday’s blog also delved into the cost and fees companies face when they suffer a data breach.
And this article by Bank Info Security gives even more insight into the cost and impact of a data breach. It interviews Larry Ponemon, founder of the Ponemon Institute, which conducted this year’s Cost of a Data Breach study with sponsorship from Symantec. The study revealed that the average cost of a data breach has gone down this year, which makes sense when you consider that even with the Global Payments Data Breach in the news right now, its scale is a lot smaller than that of the Heartland Data Breach.
In fact, this article, also from Bank Info Security, gives a side by side comparison between the much bigger Heartland Data Breach and the Global Payments Data Breach.
But back to Ponemon’s interview and his company’s study: “According to the annual report, the average per capita cost of a data breach has declined from $214 per record to $194 since 2011’s report.”
Ponemon suggests two reasons for the decline in average costs.
Complacency: “We think people in general may be becoming numb to the data breach notification process. Most people have received at least one data breach notice; they may not even be aware of it because they don’t open their mail. They may see it as junk mail.”
Topical Shift, or rather the rise of intellectual property breaches, which are not a part of the annual study: “We focus on one type of data breach – the type of data breach [of personal records] that requires notification in the United States and then other parts of the world – but in reality there are other, maybe more costly, data breaches that companies are experiencing every day.”
HMS Data Breach Security Program
The hackers that go after credit card information are a creative group of criminals who are constantly pushing technology forward and tying security systems in knots. Many times a discussion about data breaches ends up with the conclusion that “it’s not if a data breach is going to happen, it’s when a data breach is going to happen.”
Host Merchant Services offers a key resource in preparing a business to tackle that issue: its Data Breach Security Program. Under this program a merchant can get up to $100,000 in coverage per location for the most common forms of data breach:
Employee Dishonesty
Skimming
Theft of Credit Card Receipts
Theft of POS Terminals
Stolen Card Numbers
Theft of Computers
The Data Breach Security Program helps cover fees for any industry-mandated audit of a suspected breach, card replacement costs and related expenses, and industry fines and assessments. All of these fees come from non-compliance with PCI DSS and are fees and issues that any company even suspected of a breach can face as we described yesterday in our blog. The coverage would exceed even the penalties that Cisero’s faces as we saw in the article about their lawsuit targeting the PCI itself.
How Does It Work?
Host Merchant Services makes it easy to file claims once you’ve gotten on board with the Data Breach Security Program. A simple online form starts the process:
Step 1: Fill out the online claim form at www.merchantdatabreach.com
Step 2: Upload or fax the notice from the acquiring bank, which stipulates that there has been a breach or a suspected breach at your location, and choose an authorized, qualified security assessor.
Step 3: When the forensic audit is complete, upload or fax a copy of the assessor’s report.
Step 4: HMS takes it from there. We process the claim for payment and if all documentation is in order you will receive a check for the expenses incurred from the audit and/or card replacement costs and/or fines incurred for a breach.
To Recap
Data Breaches can and will occur. They are costly. The recent Global Payments Data Breach reminds us all how important transaction security is for all parties involved. Merchants need to understand how important PCI Compliance is for their business. And they also need to take more steps than just PCI Compliance. Host Merchant Services is committed to keeping its merchants safe and secure. The company takes the lead in the industry in terms of PCI Standards with its PCI Compliance Initiative. And the company offers added layers of protection to its merchants through its Data Breach Security Program.
Today The Official Merchant Services Blog continues looking at the bigger picture of the impact from the Global Payments Data Breach — specifically looking at the effect it’s going to have on PCI DSS, as well as a little foray into State Security Breach Notification Laws.
You’ll remember yesterday we highlighted some of the criticisms found in the PCI DSS, specifically this article by Taylor Armerding which suggested that PCI compliance is not enough to protect data from the skilled and focused hackers who cause these data breaches.
We then focused on how PCI Compliance is still a great foundation for your transaction security. The standards and protocols set up by the council are the first step a merchant needs to take to protect their data. And Host Merchant Services offers a PCI Compliance Initiative that helps its merchants quickly and seamlessly take that step.
Still, the idea that PCI DSS is not living up to its billing as security shows itself in this story from Wired about a small business filing suit against its bank, claiming that the financial institution, which used to process the restaurant’s credit and debit card transactions, wrongfully seized money from the business’ merchant bank account. In short, the business is suing the bank for taking funds as penalties for being non-compliant with PCI DSS.
Taking it to Court
The story explains that Stephen and Theodora “Cissy” McComb, owners of Cisero’s Ristorante and Nightclub in Park City, Utah, racked up $90,000 in fines that Visa and MasterCard imposed after alleging that Cisero’s had failed to secure its network and suffered a data breach that resulted in fraudulent charges on customer bank cards. U.S. Bank seized about $10,000 from the McCombs’ merchant account to cover those penalties and then sued the McCombs to obtain the remaining balance on the fines, saying a contract the McCombs signed with the bank makes them liable for such fines.
The McCombs struck back with a bold countersuit. The story explains: “But in their countersuit against U.S. Bank, the McCombs allege that the bank, and the payment card industry (PCI) in general, force merchants to sign one-sided contracts that are based on information that arbitrarily changes without notice, and that they impose random fines on merchants without providing proof of a breach or of fraudulent losses and without allowing merchants a meaningful opportunity to dispute claims before money is seized.”
This suit challenges the basic foundation of PCI security standards and opens up a lot of old wounds and criticisms about PCI DSS in context of the card issuers that make the call and form the council for PCI DSS. As the story says: “The controversial system, imposed on merchants by credit card companies like Visa and MasterCard, has been called a “near scam” by a spokesman for the National Retail Federation and others who say it’s designed less to secure card data than to profit credit card companies while giving them executive powers of punishment through a mandated compliance system that has no oversight.”
The linked article provides many of the details that led to the data breach at Cisero’s, as well as why the fines and penalties were applied according to PCI DSS standards. The McComb countersuit relies heavily on their assertion that PCI DSS oversteps its bounds in applying those penalties, offers no recourse for people to dispute the penalties, and levies penalties against businesses for violations even when no fraudulent transactions occur.
The Cost of a Data Breach
The case above and much of the criticism targeting PCI DSS deals with the fines banks, processors and subsequently merchants face when data gets breached. This article looks into the cost merchants face when the worst-case scenario occurs. A lot of merchants feel that lack of compliance isn’t an issue because they believe they are not responsible if something goes awry. But this article sheds some light on that: “suppose you or your merchant is suspected of one of those inevitable human errors, or of being a victim of a hacker. As long as there isn’t actually a breach, it’s no big deal, right? Wrong.”
The article lists the costs of penalties:
Forensics audit done by investigators when they suspect your business is susceptible to a breach: between $8,000 and $20,000.
$3 to $10 per card to replace all cards compromised in a breach that happens.
$5,000 to $50,000 in fines for lack of compliance.
And further fines specifically tied to any fraudulent transactions that do occur as a result of the breach.
The article states that the average cost comes to $36,000, a hefty sum that can cripple small businesses. The McComb data breach may seem high in comparison, but going over the huge variance in the fine structure, it’s pretty easy to see how the bank came to a $90,000 figure.
Back to Global Payments
Speaking of the fees and penalties, it’s interesting to note that Global Payments faces many of the same problems that small businesses do now that it has been breached and run afoul of Visa in terms of PCI security and compliance. However, this story from ZDNet states that the company will likely absorb any costs from the data breach and not be affected as badly as some of the small businesses discussed above are by fees and penalties.
Global Payments continues to process, even after being dropped from Visa’s list of providers that meet security standards. The company is now working on being reinstated and once again becoming PCI compliant. Working in its favor are its statements that it reported the breach to authorities the moment it found out the breach had happened.
Which brings us to …
Security Breach Notification Laws
Security Breach notification laws were enacted in response to an escalating number of breaches of consumer databases containing personal information. The first such law was the California data security breach notification law, or SB 1386. It was enacted in 2002 and became effective on July 1, 2003. Currently 46 states, the District of Columbia, Puerto Rico and the Virgin Islands have enacted similar legislation requiring the notification of security breaches involving personal information. The only states that currently have no such law on their books are Alabama, Kentucky, New Mexico and South Dakota.
Host Merchant Services is located in Delaware. The Delaware Security Breach Notification Law can be reviewed in its entirety at This Link.
Global Payment Systems is located in Georgia. The Georgia Security Breach Notification Law can be reviewed in its entirety at This Link and its subsequent amendment can be found at This Link.
These laws tend to follow a similar basic structure to the one California passed first in 2002 — companies need to immediately disclose a data breach to customers, usually in writing. There have since been a number of bills that would establish a national standard for data security breach notification but none have been passed in Congress yet.
The Bottom Line
So what does this all mean? For now it appears that Global is weathering the storm brought on by the news of the data breach. They’ve minimized the impact of the bad news and are working to get their compliance situation straightened out. The data breach has put the spotlight onto the PCI DSS itself and we’ve seen that some small businesses and merchants are highly critical of the system. Comparing the crippling fines they can theoretically face for a breach that leads to no fraud against the impact that a large processor like Global faces for the same type of problem can leave some thinking the system needs more oversight. But PCI DSS does set the bar for security. It forces hackers to work harder than they would if it didn’t exist. It is a first step in terms of what merchants and processors need to do to protect transaction and data security.
The court case in Utah is very fascinating as it really takes the contract aspect of the PCI DSS to task. The Official Merchant Services Blog will continue to follow the news on that case. And we will keep you posted on the latest developments with this Global Payments Data Breach.
Today The Official Merchant Services Blog is going to delve into the bigger picture of the impact that the Global Payments Data Breach is going to have on the payment processing industry. Obviously this news is going to have a huge impact on Global Payments itself. The company faces a big penalty after Visa dropped it from its registry of compliant service providers due to “unauthorized access into a portion of (Global Payments’) processing system.”
Fees and penalties related to reacquiring its compliance status and getting back on the registry will add up. In fact, an executive from Co3 Systems, a data loss management firm, estimated the potential liability for a merchant with 1 million cards compromised could top $1.6 million from compliance fines alone. With Global’s own official statements indicating that fewer than 1.5 million cards were compromised, the Co3 estimate is probably right in the ballpark of what Global faces.
The company also will take a hit to its business simply because of the breach itself and being dropped by Visa. While they are off the list, some potential customers may not be able to sign with them due to the lack of compliance status. And if the process to be reinstated takes too long, it could affect some of their current customers.
But there’s a larger context that needs to be considered with this data breach: PCI DSS itself.
We’ve covered PCI Compliance very extensively in the blog. We looked at a report from Verizon last year that suggested 79% of the organizations Verizon surveyed were found to be non-compliant in their initial audit in 2010. The study from the previous year found 78% of organizations non-compliant. A study by Gartner Research demonstrated that 18% of the merchants they surveyed were not PCI Compliant at all.
What is PCI?
These studies just underscore the large problem payment processing faces with security. The acronym PCI DSS stands for Payment Card Industry Data Security Standards. PCI Compliance is essentially the process of adhering to the standards set forth by the Payment Card Industry Data Security Standards Council (PCI DSS). You can review those standards in greater detail here. Essentially the standards are a set of requirements designed to ensure that all companies that process, store or transmit credit card information maintain a secure environment.
What’s the Problem?
One of the biggest criticisms of the PCI DSS is that it is the minimum agreed upon set of security protocols. Because of its nature as a consensus set of standards put together by the council, PCI is often criticized for being behind the curve or not being thorough enough to deal with the hackers who are trying to get at the data and breach the security of the transactions. Combine that with the studies that keep showing merchants are not keeping their compliance current or not even becoming compliant in the first place and you open the door for a lot of criticism against the system designed to keep transactions safe and secure.
Taylor Armerding wrote a compelling article for CSO Online on the issue of PCI compliance in the aftermath of the latest data breach. The lead statement of the article underscores the issue simply and effectively: “The latest data security breach to strike MasterCard and VISA has security experts focusing anew on the good and bad of PCI DSS. On one hand, the standard offers a clear blueprint on how to handle such a breach. On the other hand, compliance is usually not the cure, as this latest incident demonstrates.”
To add emphasis, Armerding quotes Neil Roiter, research director at Corero Network Security, as saying: “The Payment Card Industry Data Security Standard (PCI DSS) is highly prescriptive in nature, but simply complying does not ensure credit card security. Companies that rely on PCI DSS to solely dictate their security measures will continue to remain vulnerable to attack.”
The Weak Link
Armerding’s article suggested that compliance isn’t the be-all and end-all for security and that humans were still the weakest link in the system. Quoting Anup Ghosh, founder and CEO of Invincea, a developer of browser protection systems, the article says that too much of the security standard is stuck in the past. Ghosh also suggests that PCI is complacent and easy for hackers to circumvent. Ghosh says that the systems in place are designed more to tell you what happened after the fact, a reactive solution rather than a proactive one. Ghosh then suggests that the data that was compromised was likely encrypted, but the security standards are behind the curve where it really counts: the human layer of security.
Ghosh explains: “If I target employees, which is how you target these days, it is not very hard in phishing campaigns, to get employees to open an email or click on a link, which then provides access to their desktop and the privileges that come with it. [And in that case] Encryption is worthless.”
He then suggests a more proactive step of creating a more secure virtual environment for employees to work in so that whatever an employee clicks doesn’t end up compromising any data in the system.
PCI is Still Very Important
What Armerding and Ghosh say about PCI is quite compelling. But they both still point out that PCI Compliance is very important for merchants and payment processors. The standards may be behind the curve with the ever-clever hackers going after credit card data, but they set a starting point for security. They set the bar high enough that hackers have to put in work to circumvent the systems. Having PCI is so much better than not having it — which demonstrates how scary the Verizon and Gartner studies are.
Host Merchant Services advocates and performs a very zealous crusade for PCI Compliance. The company takes data security and safe transactions seriously and makes PCI Compliance a part of its value-added service package. HMS began a PCI Compliance Initiative last year that started with an ad campaign that offered for a limited time free PCI Compliance fees for merchants who signed up during that time. It then extended into an initiative run through a partnership agreement with HostMySite.com that offered a free PCI and Security Analysis to any customer interested, and now that same offer is available to anyone interested in Host Merchant Services, partnership or no partnership. The company provides on-call assistance with PCI Compliance questions and problems and will help all of its merchants get through the process with tips and advice from Host Merchant Services’ own PCI Compliance experts.
Tomorrow The Official Merchant Services Blog will follow up with the latest developments from the data breach, as well as more information about PCI Compliance, and PCI DSS issues that the payments industry and the tech industry are discussing.
For More Information
For more information about PCI Compliance, Host Merchant Services offers these resources:
The Official Merchant Services Blog tackles the big news in the payment processing industry today: The Global Payments Data breach.
The news of this data breach hit on Friday and the weekend has seen some wild speculation tossed about. At first there were reports that a mere 50,000 cards were compromised. Then the media upped the number to 10,000,000. Today Global Payments and the media sources covering the story are reporting that the number is closer to 1.5 million cards.
The Story So Far …
The breach was first reported by blogger Brian Krebs at KrebsonSecurity.com. He said on Friday that Visa and MasterCard were alerting banks across the country about a recent major breach at a U.S.-based credit card processor. The first report cited as many as 10 million cards were compromised. By that afternoon Krebs revealed that the processor was Global Payments, and that the breach was discovered in early March 2012. Krebs cited the breach as occurring between January 21, 2012 and February 25, 2012. The alerts issued by Visa and MasterCard, according to Krebs, stated that Track 1 and Track 2 data was taken — which Krebs said meant that the information could be used to counterfeit new cards.
Then the media got more involved.
The Wall Street Journal followed up Krebs’ blogging with a story about the breach, making the news official. Global remained silent throughout the day, only confirming the report after the close of the markets and trading.
The rabid interest in the data breach sparked an interesting article by USAToday, which expanded on Krebs’ own reporting. Krebs stated that he had heard from his sources that investigators suspect Dominican street gangs were involved in the fraud, focusing mainly on commercial credit and debit card accounts. The article then cited Gartner banking security analyst Avivah Litan, who claimed that the breach involved a taxi and parking garage company in the New York City area. It was suggested that consumers who had paid for a NYC cab in the previous months using the new swipe technology might be victims of the breach and possible fraud. Litan also said she too had heard about a Central American gang connection.
Global’s Statements
Finally Global Payments started talking. The breach was verified by Global. Paul Garcia, Global’s chairman and chief executive, said in a statement that the breach was reported by the company to the FBI — suggesting that the company promptly identified the breach and reported it to the authorities. They’ve now called it a “self-reported” breach. However, media sources do note that the news about the breach still had to be dragged out into the spotlight by Krebs and his blog.
After confirming the breach Garcia stated that the breach was “absolutely contained” and stated that there had been no “fraudulent transactions” related to the breach.
However, the Green Sheet reported on Friday that Krebs had reported that PSCU Financial, a nonprofit cooperative credit union service organization, told its members 56,455 Visa and MasterCard accounts had been compromised, but fraud was found to have occurred in only 876 accounts so far.
Garcia stated that 1.5 million card numbers were compromised by the breach and re-affirmed that no fraud had taken place related to the compromised cards. “This is manageable,” Garcia said.
Visa Takes Action
In response to the data breach information hitting the spotlight, Visa took action against Global Payments. Visa removed Global Payments, an Atlanta company that helps the payment giant process transactions for merchants, from its list of “compliant service providers.”
Garcia, in his statements to the press, acknowledged that Visa had removed Global Payments from its compliance list pending resolution and remediation of the breach and that it was working “as expeditiously as possible” to return to compliance. The process would take “not days, but we don’t think it’s months.” In other words, Global was not going to be able to fix its PCI status quickly. Global Payments continues to process Visa cards worldwide, according to Garcia.
Both Visa and MasterCard say their own systems weren’t compromised. Both credit card issuers had said Friday that they notified their card holders of the potential for identity theft and illicit charges because of the breach.
The Consequences
Global has not yet identified the size of the charge it will take as a result of the breach. But it is interesting to note that Heartland Payment Systems racked up a cost of $12 million in penalties and legal fees when its data breach compromised more than 120 million credit cards.
The Official Merchant Services Blog will be devoting much of its coverage to this developing story. Tomorrow we’re going to take a look at any updates as well as how this issue fits into the ongoing news regarding PCI security and compliance. Data Breaches have been a topic this blog has covered before. Though we’ve focused more on the breaches that affected video game companies like Sony and Turbine last year, our coverage was written with an eye toward the big picture problem of data breaches in general and compromised credit card information. So expect us to try and tie it all together through our focus this week.
Also …
And one last thing to consider if you are a merchant and you are worried about data breaches affecting your bottom line: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.