Tag Archives: security

ERP Trends

Top ERP Trends to Watch in 2023

An ERP is the backbone of business operations. It helps with every function you can think of: Operations, Sales, Customer Support, Marketing, and internal supporting teams such as HR, Legal, and IT. If you’re using an ERP such as the one offered by NetSuite, even the Finance department can be integrated into a single environment.

The type of ERP a business uses is mainly determined by the size of the business, the industry the company operates in, and its future strategy and goals: is the business planning to grow further, or is it already at a specific sweet spot? However, there are certain functionalities that enterprises must focus on that are absolute requirements for an effective ERP deployment. These include whether the ERP is cloud-based, whether it has a mobile application, which teams the ERP can serve well, and how much integration an ERP can facilitate.

Often businesses deploy an ERP in segments: some core departments are onboarded first, and the rest follow. That can also impact the type of ERP a company chooses to use. Below we look at what an ERP is, its many benefits, and the top ERP trends to watch for in 2023. We highlight what is essential for businesses and the latest cutting-edge ERP product offerings that various solutions providers are at the forefront of.

What is an ERP?

ERP, also known as Enterprise Resource Planning, has its roots in supply chain management systems used by manufacturers called Materials Requirements Planning (MRP). MRPs are mainly used to plan around inventories efficiently and manage production based on supply and demand. Similarly, an ERP helps companies manage financial resources: businesses record transactions and accounting entries in the general ledger and oversee accounts receivable, payables, and payroll. An ERP also has robust financial reporting functionality, offering rich insight into specific operations and the overall health of a company.

The ERP Trends to Watch in 2023

The Cloud and Hybrid Deployment Model

With over 20 years of companies offering cloud-based services or ERP solutions, it’s hard to imagine that not all ERPs today are cloud-based. Chief Technology Officers worldwide say that over 50% of all IT spending this year will be on cloud computing. So that means that some portion of the nearly 50% that isn’t cloud-related will go towards traditional IT spending, such as servers and on-premise data centers. These house on-premise software deployments, including ERPs.

There have been legitimate reasons for businesses not to shift to the cloud, including security, resiliency, and whether data storage on the cloud is hosted in another country.

However, on-premises ERPs carry their own set of risks. To what extent, and for how long, will security and support exist for the legacy operating systems running these ERP systems? Can businesses find staff to manage these systems easily, and do the costs of doing so outweigh the cost of migrating to the cloud?

In a nutshell, businesses are still in the midst of a transition to the cloud. However, the shift has accelerated. Work dynamics are changing as more employees work from home, making ERPs that aren’t on a cloud riskier and untenable.

That’s not to say that the on-premises deployment model will completely disappear. A hybrid approach still makes sense for many businesses. Resiliency is a big concern as service outages by cloud service providers, however brief, can wreak havoc on businesses.

Mobile

Mobile was once viewed as a tertiary feature that was more gimmicky than nice to have. Over time, it started to become a value add. Today, given the changes in how we work and the advancements in mobile devices such as tablets, mobile is becoming the de facto standard. As employees work from anywhere and work shifts to the cloud, a mobile iteration of an ERP is an absolute must from any service provider.

The mobile version of an ERP offers tremendous productivity by allowing customers to access it from anywhere at any time. Besides the user interface, the underlying technology isn’t that different from the regular version of the ERP since they’re both cloud-based.

Furthermore, a mobile ERP may be better than a traditional ERP as it allows customers to quickly capture and upload receipts or other transactions that need to be recorded in real-time. This goes beyond productivity and more into the realm of user adoption and compliance with timely expense report filings.

Finally, we’re all well aware of one of the best benefits of ERP: enhanced decision-making based on all the data gathered and presented easily and intuitively. As customers become more inclined to adopt an ERP, motivated by the real-time benefits of mobile functionality, businesses will also see improvements based on quicker data capture and the resulting analytics and reporting.

Artificial Intelligence

No product escapes the mention of Artificial Intelligence (AI) or similar terms such as Machine Learning (ML), Robotic Process Automation (RPA), and the like. And an ERP is no exception. No, AI won’t be taking over human tasks entirely in 2023, but it is viewed as a tool to drive productivity by automating the more mundane and repetitive tasks of customers.

Recurring depreciation expenses for assets can be recorded automatically based on their specific duration. Transactions can be automatically recorded in the applicable expense accounts based on precedents. Also, the ERP can execute relevant alerts and reminders for tasks such as asset revaluations and receivables follow-ups, among others.

Furthermore, as more businesses use a subscription-based revenue model, they can automatically send periodic invoices for that subscription fee, record the transaction and process the payment without human interaction.

Increasingly, AI is used to identify internal audit red flags, client credit risks, and product sales recommendations based on customer personas and use cases. We predict that ERPs will leverage AI to streamline the customer experience further. Upon closing a sale, AI will allow businesses to generate invoices, onboard customers autonomously, and even recommend renewal price increases based on relevant factors.

The adoption of AI in ERP offers unprecedented efficiency by delivering automation, interactive advisory-type reviews, eliminating mundane and repetitive tasks, and reducing mistakes.

A blurring of the lines between ERP and CRM

In a way, you can call it the flywheel effect. Businesses have been successful with ERPs and Customer Relationship Management (CRM) software for over two decades. CRM was the first cloud-based business targeting companies with a new way of connecting and collaborating internally and introducing an entirely new paradigm for the customer experience.

Salesforce.com improved how companies supported, marketed to, sold to, and conducted email campaign outreach to customers. The use of CRMs allowed all these functions to leverage data by setting up a single repository of all forms of interactions with existing and potential customers.

The data allowed companies to recalibrate messaging in a very targeted manner. Today, there isn’t only a sales or marketing team or a customer service team. Now, we have an exact science devised around the client: Customer Experience. As businesses captured the best practices for marketing to customers, sales processes, onboarding, and continuous hand-holding after the close via Support, they decided to codify these processes into an entirely new business practice, known as the customer lifecycle. Today, Sales, Support, Customer Success, and Account Management teams are all integrated and easily able to collaborate with one another.

With all the intelligence available from a CRM, it is surprising that such systems are still a world apart from the ERPs used at firms. Shouldn’t the high-touch nature of a client, as evidenced by the CRM, factor into the contribution margins? Can the ERP calculating those margins easily capture that data for a CRM?

Companies like NetSuite have started offering unified solutions for both CRM and ERP. It is the logical next step to leverage the combined data sets of both systems. With an integrated offering, businesses can target customers based on specific financial benchmarks. Businesses may already be able to see the total contract values of their customers or have a good gauge of the customer’s lifetime value. However, can companies easily calculate and access gross margins for each client using disparate ERP and CRM functions?

Shorter-Term Contracts

The subscription revenue model has become omnipresent in the business community in the last fifteen years. Companies in numerous industries have widely adopted this business model. There is a subscription offering for shaving razors and luxury watch rentals – so it’s not just applicable to SaaS businesses. Similar to the subscription model, the ensuing dynamic will be shorter-term contracts. Nothing delineates pricing models like a challenging economic environment. It is much harder for businesses to stop paying for a $2,000 monthly enterprise license than to cancel a $25,000 annual subscription.

With the annual subscription model, customers are locked into longer cycles when they may need certain tools for specific projects. A common question customers ask during an economic downturn is if the company has a monthly payment option for their product or service. Even in the event that the business intends to renew services for the entire year, the shorter-term contract offers customers the flexibility to manage their liquidity in uncertain times.

There is some silver lining to these changes. For all the benefits of shorter-term contracts, customers are willing to pay more for the product. Annual contracts can require a hefty upfront cost that requires shorter-term payments. Customers are willing to pay for the agility and flexibility offered by short-term contracts. Furthermore, shorter-term contracts are a great way to showcase all the use cases and benefits of an ERP or any other product. It is an excellent way for companies to get their foot in the door and let the service level win customers over and limit churn.

Integrated Payments

ERPs with integrated payments systems allow customers to check out quickly and process payments that are already on file, securely stored on the ERP. There are multiple benefits to this feature. First, it speeds up the checkout process. The decreased friction in the sales cycle translates into a higher likelihood of closing the transaction. Second, all this manifests into better cash flows for merchants.

Finally, integrated payments can allow merchants to offer customers the option to pay online and pick up their merchandise from their store locations. Host Merchant Services has a long history of partnering with NetSuite as a third-party payment processor via the ERP’s API tool, CyberSource. HMS easily connects to the integrated platform and manages the end-to-end payment lifecycle, starting from the invoicing process all the way through to payments and reconciliation.

Blockchain

Blockchain has been all the rage lately and is repeatedly touted as the next technology breakthrough that will have a lasting impact on businesses and consumers. Blockchain is a distributed and immutable ledger that records transactions and tracks both tangible and intangible assets of both companies and individuals.

Blockchain has remarkable potential because it can provide instant access to members of a network permissioned to access all data on the distributed ledger. The blockchain allows customers to access orders placed, payments made, production, inventory, sales, and every other business function, in real-time.

There are practical applications of blockchain for an ERP. For example, Walmart is looking to implement invoice recording, payments, and dispute resolution via the blockchain. Their existing supply chain is already being recorded on the blockchain by linking their delivery fleet’s GPS data to their incoming freight.

Invoicing is another segment of their operation that companies will shift to the blockchain over time. So if there is a dispute related to invoices or the quality of goods received, the blockchain offers immediate insight by accessing the entire digital trail. It can also diagnose the root cause of substandard quality by pinpointing specific production centers. All functions offered by an ERP can easily be shifted onto the blockchain. So, it won’t be long before an ERP is provided solely on the distributed ledger.

Security

There have been a lot of concerns around security, especially for businesses, given all the personal and financial data they can access. Security threats wreak the most havoc when data is compromised, leading to considerable damages resulting from a loss of trust, reputational damage, and most likely lawsuits. One of the best ways for businesses to prepare is to have an ERP with a full scope of security protocols in compliance with the most stringent industry standards.

These standards are a perfect way for merchants to build loyalty among their customers. Numerous brands have clients willing to share their payment details with the likes of Amazon and Apple, given the strong security settings and the use of tokenization to process their transactions, usually in a single click. Customers seldom have to reenter their payment information after doing it the first time. It becomes a virtuous loop; customers enter their payment details once and never have to do it again. Since they never have to reenter their payment details at a particular platform or merchant, they consistently choose to shop on that merchant’s site. This phenomenon of customer loyalty has been well documented in a Wharton study on Amazon’s one-click patent and business process [MF1].

There are numerous SaaS offerings, such as the NetSuite ERP, which is cloud-based and has all the latest security settings, patches, and updates fully implemented and continuously updated automatically as new releases are made. Since the NetSuite ERP also offers integrated payments solutions, its payment security follows the latest standards in compliance with PCI DSS (Payment Card Industry Data Security Standard). These standards include Card Code Verification (CVV2) and Address Verification Service (AVS), among many others.

There are many great features that an ERP now offers. It can significantly enhance collaboration and efficiency in businesses that use ERP. Numerous vendors, such as NetSuite, understand the far-reaching impacts robust security protocols have on finance functions and operations. These measures can also enhance customer experience by offering an integrated payments solution.

An ERP is not suitable for all businesses. Even businesses that do deploy an ERP have different needs and use cases that drive their decision-making. The past few years have been essential for merchants as more have started businesses in industries where an ERP can offer tremendous benefits. Furthermore, ERPs themselves have implemented many features and functionalities that are increasingly useful to businesses, including cloud-based SaaS offerings, mobile functionalities, and integrated tools for multiple teams such as Sales, Support, and Marketing to enable enhanced collaboration. As businesses consider their needs for ERPs, it is vital to keep a watchful eye on all the latest trends of 2023.


[MF1] https://knowledge.wharton.upenn.edu/article/amazons-1-click-goes-off-patent/

EMV Compliance

Guide to EMV Compliance

EMV compliance means that a point-of-sale setup can accept EMV-compatible credit cards and that the business has a reader for handling EMV cards. If a customer enters a store and inserts their credit card into a machine slot, that store complies with EMV rules. A store is probably not EMV compliant if it can only accept magstripe payments.

EMV is a global payment technology standard developed by MasterCard and Visa member groups to protect customers against fraudulent transactions. As you might have guessed from the term, EMV stands for Europay, MasterCard, and Visa. Other organizations have also joined in on the EMV standard, which is a more secure choice.

In 1993, the American Express, Discover, JCB, MasterCard, Union Pay, and Visa member groups joined together to create chip technology to protect themselves from the frequent breaches of the 2010s. With the use of magstripe technology, more people lost their data, and fraudsters became adept. Since magstripe data could work in multiple transactions, a thief only needed to take a person’s data once and could use it for a long time before the theft was discovered. Chip technology addresses such data leakage.

Technology Chip

By assigning a separate, anonymous token to every transaction through a computer chip, EMV chip technology outperforms magstripe technology, rendering any data taken virtually useless. The transaction content cannot be reused at another time.

Because it works for numerous transactions, magstripe data is lucrative to thieves. EMV compliance will not prevent anyone from stealing data, but it will make selling and using that data much tougher than before. That is why the EMV compliance statistics are so outstanding.

Steps to EMV Compliance

EMV compliance for merchants entails upgrading current hardware to chip technology. This change must be rolled out throughout your entire firm, because a transaction that does not employ EMV does not conform. While non-EMV transactions can still be accepted, they are exposed to risk and subject to the same legislation as non-EMV transactions. Note that this applies only to transactions involving the use of a genuine card. For online transactions, the old limits still apply.

You should not only be concerned about obligations. Customers do not like firms they consider unsafe to deal with. Fraud is a terrible experience for customers, and when it occurs, they generally lose faith in the organization.

The EMV Chip Specification aims to strengthen face-to-face payment transaction security by incorporating components that minimize fraud caused by fake, lost, or stolen cards. The characteristics described in the EMV Chip Specifications are as follows:

  • The chip card system checks that the card is genuine to safeguard both online and offline transactions from counterfeit fraud.
  • Risk management parameters set the conditions under which the issuer allows an offline transaction and the conditions that compel online authorization of a transaction, such as exceeding offline limits.
  • Digital signature of payment data for completeness of transactions.
  • More comprehensive verification mechanisms for cardholder protection against card fraud, plus verification for cases where a card is lost or stolen.

It’s now easier than ever to become EMV compliant. All you have to do now is get a POS system that accepts EMV cards and mobile readers for chip cards.

One of the main advantages of changing to EMV is the ability to combat remittances and avoid paying for both the services provided and the customer’s loss.

If you haven’t already done so, switching to EMV will be the most beneficial step, but there are other tactics you can use to support it.

How to Stop Chargebacks

  • Make the switch to EMV right away.
  • Keep a record of all receipts and purchase orders.
  • Prevent fraud with the newest internet technologies, including 3-D Secure, AVS, card verification, and VISA.
  • Include a tracking number for shipments.
  • Confirm the delivery for the customer.
  • Record information about the customer and previous orders that the person has made.

You Can Upgrade EMV In Moments

You may have postponed EMV updates due to the associated hardware and software costs, but we are pleased to report that switching is easier today. And, regardless of the amount you spend on switching, you’re going to save money in the long term because you can protect against chargebacks and avoid further physical transaction fraud.

Why Compliance Is Critical

It’s always an essential subject, but compliance has a direct influence on small and medium-sized enterprises.

In the past, if someone had stolen a credit card and completed a fraudulent purchase, the issuer of the credit card was held accountable. It’s been like this for years until compliance with EMV became a factor.

When a fraudulent transaction is conducted, the blame now rests less on the card and more on your failure to use the chip as intended. As a result, liability moves from the issuer of the credit card to the company concerned.

As of October 2018, if you only accept magnetic credit card payments, all fraud-related charges and costs will be blamed on you, end of story. But EMV compliance ensures you’ll avoid these liability-related issues. The move will probably cover more than the upgrade cost, depending on the business you are running and the average dollar amount for each transaction.

Can EMV Influence Your PCI Compliance Work?

Using the EMV chip does not by itself satisfy PCI compliance rules, nor does it reduce the vendor’s PCI scope. Whether or not EMV is implemented, compliance with PCI is necessary. To fully protect client information in card transactions, all merchants and service providers must comply with EMV and PCI requirements. Even in combination, these guidelines are not 100% effective against fraud. But the cardholder and the vendor have better protection with both than with either one alone. EMV and PCI work together to enable safe and secure card transactions for merchants, customers, and issuers.

Improving the Bottom Line With Fraud Mitigation

Ecommerce fraud has become a significant concern in today’s economy. People are flocking online more than ever before to make purchases. Some retailers are also focusing more on their digital commerce efforts than their in-store work.

People are using digital commerce services more than ever, but there are worries about the fraud mitigation efforts these companies use. Some businesses are unaware of what they can do to stay safe while online. Others might not be willing to evolve their websites to make them more secure and functional.

But more people are engaging in ecommerce fraud than ever before, as businesses lost about $17.5 billion in online fraud this past year. That total is expected to rise to $20 billion in 2021, especially as people become more reliant on digital sales and less on going to traditional outlets for things.

Many of these losses come from synthetic ID fraud. The practice entails a user using another person’s identifiable data to acquire something online. The person who makes a transaction is not the person that the website assumes is making the deal.

New efforts to mitigate the risks of online fraud are critical for the industry’s survival. The threat of synthetic ID fraud is too significant for people to ignore, as are various other worries. But artificial intelligence can be critical to preventing possible threats from becoming worse.

Fraud Mitigation – Synthetic ID Fraud Concerns

The most significant worry about synthetic ID fraud is that it isn’t easy for traditional fraud mitigation measures to identify. Sometimes synthetic fraud entails using one piece of identifiable data to move forward. A person’s Social Security Number could work, but the person’s address or name may not be there. A website could assume the customer is the one that links to the SSN in this example.

Sometimes the synthetic fraud will entail behaviors that are similar to what someone might utilize online. These issues are impossible for some old online platforms to recognize. It becomes easier for people to get away with fraud this way, forcing businesses to write off their losses.

Other Fraudulent Activities

Online fraud can occur on any shopping website through many other methods:

  • A person might steal credit card data and test it on a website. The person can test the card to see the possible credit limit on that card. Once someone knows that a card works, that person will want to continue making expensive transactions on that card.
  • People could steal passwords and other bits of verification data when getting online. A person might use the data one finds to impersonate an actual person’s account.
  • Interception fraud can occur when someone uses the same billing and shipping info on a stolen card, but the person will intercept the goods in transit. The customer might contact a customer service department to change the shipping address right before the order moves out of a warehouse.

Many other fraud instances could occur, and they can all be dramatic. The worries that people have surrounding fraud can be dangerous and risky, but they don’t have to be worrisome if the best measures work. Artificial intelligence is a suitable solution to use, as the next section shows.

AI Is Necessary

Artificial intelligence-based solutions will be critical for helping businesses stay safe and to avoid fraud. AI can review customer actions and compare them with general signs of fraud. For example, an AI system can flag situations where someone tries to commit interception fraud by changing the shipping address after placing the order.

An AI system can use a database that highlights general examples of fraud and common warning signs. The AI review will compare multiple activities in a transaction with the known fraud instances and then flag transactions that may be a concern.

Depending on the setup a business uses, the company can either alert a customer or block the transaction altogether. The held transaction could also be secured if the customer provides enough data to confirm one’s identity. The work can be extensive at times, but it is about ensuring everything happening online stays safe and secure without risking possible losses on either end of the deal.

There are many ways an AI system can work:

  • Customer behaviors can be gauged versus what people normally do on a website. A website can review when someone gets online, when that person is purchasing things, and where someone accesses a website.
  • A system can also review the payment methods that people use. An entity that uses multiple payment methods might be trying to use many accounts for the same item.
  • Some parties may be using foreign sources for funds. They might use credit cards issued by banks in different countries. Others might be using funds through accounts that support cryptocurrencies that some retailers might not accept for payment purposes.

A business can use multiple third-party programs to identify connection sources and to verify addresses and other details. The business can choose whichever of these programs it feels are right for its use.

The goal of the analysis is to reduce the risk of chargebacks by identifying fraudulent cases as soon as possible. All activities can be reviewed versus whatever norms the website experiences. 

Responding Is Critical

All online retailers must be ready to respond to potential fraud cases. The process requires twenty-four-hour support that can identify anything new.

But the response should include a personal touch. A company must review the norms that customers express and find cases where something is outside the ordinary. It becomes easier for businesses to reduce their fraud risks when they recognize what is working and what they should be doing when keeping their efforts afloat.

Fraud is a significant worry that can impact any business, but it will be easier to rebound and reduce risks if the right measures work. Businesses can stop various concerns if they know what they are doing while recognizing possible changes that might occur after a while.

PayPal Launches New Merchant Fraud Protection Tool

Digital threats are becoming common, and there are concerns about how well businesses can stay protected from these issues. The global pandemic has prompted many people to complete more transactions online. These include card-not-present deals that might be vulnerable to online threats and other concerns. These problems may continue well after the pandemic officially ends, as people have become more used to handling online transactions.

PayPal is responding to these increasing concerns by releasing a new merchant fraud protection tool. PayPal is launching the new Fraud Protection Advanced system to protect businesses. The system will work with prior fraud details to find new instances and help flag transactions that might cause trouble.

PayPal’s Fraud Protection Advanced setup will help businesses review potential fraud situations. It uses network information and machine learning to provide smart results.

PayPal produced this setup thanks to the partnerships the company has with many analytics organizations. The company has more than twenty years of data surrounding merchant activities and signs of fraud. The team will use this data to find certain issues.

The move comes as more people are resorting to online commerce than ever. But as more people are shopping online, there is also an increased risk of fraud and other illegal activities. It is easier for data thieves to steal content. Many online merchants don’t have the tools necessary to prevent fraud.

PayPal’s aim is to use digital information and predictive analysis to find potential fraud activities. The design reduces the risk of managing transactions and ensures online deals can remain safe. It allows businesses to collect the funds they deserve.

What Does the Service Offer?

The Fraud Protection Advanced service will use many technologies to identify fraudulent transactions. Much of this entails working with analytics and machine learning.

The system can identify situations where fraud is likely to occur. The work includes reviewing online consumer behavior and identifying signs of data theft or fraud.

The setup uses real-time data modeling to note unique fraud patterns and to block potential transactions. It works with prior information surrounding different transactions and fraud activities to review instances where fraud may develop. These reviews help prevent fraud and other issues from developing. The work reduces risks and ensures businesses can get the money they deserve.

The Fraud Protection Tool also reviews routine tasks and monitors how well they function. These tasks are monitored based on how well they operate and what changes might develop. It can also find potential threats and activities that are going on outside of routine efforts. Such reviews can help find potentially unusual or difficult activities that might compromise the quality of the business.

The General Goal

The goal of the Fraud Protection Advanced service is to prevent chargebacks from occurring. Many cases of fraud lead to chargebacks. These instances of a card company having to reimburse a customer can be a problem, especially since many card companies have zero-liability policies. A person might commit a fraudulent transaction that leads to a chargeback. The move causes the business to lose money and inventory due to fraud.

False declines may also occur in some cases. A false decline entails a person’s card being rejected despite that person not having done anything wrong with one’s card. These false declines can be substantial hits on a business, as they might prevent some people from doing business with a website. The issue can cause some businesses to lose revenue due to people not completing their transactions as they wish.

These issues often occur during card-not-present or CNP transactions. A CNP deal can happen online, which is also where many cases of fraud may develop.

Such concerns can cause parties to lose out on future transactions. The support that PayPal has for preventing future fraud issues will be critical in ensuring everyone can stay safe and protected from various forms of harm.

Noting the Concern of Fraud

PayPal’s new fraud protection system comes as nearly a fifth of people in the United States purchased things online in 2020. The value is a record, with much of it coming from the closures of many physical businesses around the country. But it has also made data thieves more willing to steal online data from other people.

Hundreds of analysts report that businesses are losing millions of dollars each year from digital fraud. But most companies haven’t done much to try and combat the issue. The hope is for people to start putting in more of an initiative to fight data theft.

PayPal has hopes that it can help prevent data theft and reduce the risks each business holds. The Fraud Protection Advanced system will ensure businesses will have the analytics and reports necessary to help them stop data theft beforehand.

Necessary For Increased Online Sales

The new work PayPal is introducing is critical for ensuring that businesses will stay protected when handling online transactions. As the global pandemic progresses, it becomes evident that people are more willing than ever to do business online. They are also interested in handling contact-free transactions. These choices have shifted from being a matter of safety to a matter of convenience, especially as people see what makes such transactions beneficial.

Many of the people who are making the shift to online transactions include millennials and bridge millennials. They have been refining their digital habits over the past year, and they are leading the way in managing more online transactions. But there always exists the risk that some people may attempt to commit fraud and acquire things for free. The issue can lead to chargebacks, which can cause a business to lose more money than it can afford to manage.

PayPal’s merchant fraud protection system will potentially reduce the risk from managing online transactions. The work will reduce the general threat involved and ensure no one’s data is lost. The effort is critical for today’s increasingly online world.


What is Tokenization in Payments?

If you accept credit card payments, security should be your utmost concern. Amid the PCI compliance issues, tokenization is one of the primary issues/concerns all businesses should know and understand.

What is Tokenization?

It sounds complicated, but tokenization is literally replacing important numbers with ‘tokens’ or a string of numbers/characters for security purposes. The tokens are placeholders for important information, such as the credit card number or account number.

Tokenization is the direct replacement of sensitive data that, if revealed, could put a customer’s information at risk. The token can be safely stored and, if stolen, hackers wouldn’t be able to do anything with it.

How Does it Work?

Tokenization is a part of the payment process. You don’t have to do anything different – a token is assigned when the customer processes his/her payment. If you store the payment information, you’ll never see the customer’s account information. Instead, you’ll see the tokens, which protect the real information.

Here’s how it works:

  • The customer enters his/her payment data
  • The system immediately replaces the account data with a string of characters
  • The tokens are sent for authorization and immediately sent back
  • You can process the payment with the provided token

Why Tokenization is Important

There’s one reason tokenization is important – fraud. It’s reaching high levels and merchants have to do everything possible to stop it, starting with tokenization.

If you store customer data, you must use tokens to replace their ‘real information.’ While there are many benefits of storing customers’ data, including starting a loyalty program, using a customer’s buying history to advertise, and recommending future products, there’s such a high risk in storing the information that tokenization is crucial.

The good news is if anyone were to get their hands on the tokens, they are virtually useless to them. Sure, the data was hacked, but they can’t connect the tokens with anyone’s information, making it impossible to steal the credit card information.
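The flow in the steps above, and the reason stolen tokens are useless, shown as an added example that is not part of the original article or any real processor’s API. The `Processor` and `Merchant` classes, the `tok_` prefix and the customer id are assumptions, and the card number is a constructed test value.

```python
import secrets


def luhn_ok(digits: str) -> bool:
    """Card-number checksum; rejects most typos before a token is issued."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class Processor:
    """Hypothetical payment processor: the only party that holds the vault."""

    def __init__(self):
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, card_number: str) -> str:
        pan = card_number.replace(" ", "").replace("-", "")
        if not (pan.isascii() and pan.isdigit()
                and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid card number")
        if pan in self._pan_to_token:       # same card, same token (recurring billing)
            return self._pan_to_token[pan]
        # The token is random, not derived from the card number, so there is
        # nothing to reverse; only the vault lookup links the two.
        token = "tok_" + secrets.token_hex(16)
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def charge(self, token: str, cents: int) -> str:
        pan = self._token_to_pan.get(token)
        if pan is None:
            return "declined: unknown token"
        return f"approved: {cents} cents on card ending {pan[-4:]}"


class Merchant:
    """Hypothetical merchant: stores tokens only, never card numbers."""

    def __init__(self, processor: Processor):
        self.processor = processor
        self.customers = {}                 # customer id -> token

    def checkout(self, customer_id: str, card_number: str, cents: int) -> str:
        token = self.processor.tokenize(card_number)   # card number is not kept
        self.customers[customer_id] = token
        return self.processor.charge(token, cents)

    def rebill(self, customer_id: str, cents: int) -> str:
        return self.processor.charge(self.customers[customer_id], cents)


def demo():
    shop = Merchant(Processor())
    test_card = "4111 1111 1111 1111"       # constructed test number
    first = shop.checkout("cust-1", test_card, 2500)
    repeat = shop.rebill("cust-1", 999)
    stolen = dict(shop.customers)           # what a merchant-database breach yields
    leaked_pan = any("4111111111111111" in value for value in stolen.values())
    # Replayed anywhere but the issuing processor's vault, the token resolves to nothing.
    elsewhere = Processor().charge(stolen["cust-1"], 100)
    return first, repeat, leaked_pan, elsewhere


if __name__ == "__main__":
    print(demo())
```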

Tokenization also increases customer loyalty. There’s something reassuring about knowing you can shop at a store and not have to enter your information. Think of Amazon – most people store payment information and even use their one-click purchasing, so all they have to do is click the button and the item is purchased. It’s convenient and smart.

Tokens benefit merchants too, because they enhance purchase power and increase the likelihood of subscription-based purchases.

Bottom Line

If you accept recurring payments, want to store customers’ payment information for convenience and customer loyalty, or you just want to provide a quick way to check out, tokenization is the key to your success.

Work with a payment processor that offers tokenization and makes it easy for the merchant to implement. Running a business is hard enough, but adding the complexities of payment processing on top of it can be a lot for a business owner. Find a payment processor you can trust and that will have your back in all things credit card security.

What Is Synthetic Identity Fraud?

It feels like a never-ending race and a battle to one-up one another: the battle against fraudsters. While the equipment we have to detect and prevent these fraudsters has been improving substantially over the previous decade, fraudsters always seem to find a way to get through eventually.

One of the latest tactics is synthetic identity fraud, a unique type of fraud in which fraudsters combine fake and legitimate information to create brand-new identities rather than just stealing someone else’s identity.

We’re not talking about a lone wolf hiding in their basement trying to make a quick grab at what they can, either. These are the actions of large-scale criminal organizations that know exactly what they’re up to. They are sophisticated, methodical and patient, and right now as many as 85% to 95% of synthetic identity fraudsters are easily slipping through risk detection systems that are failing to notice them.

According to GIACT Chief Experience Officer David Barnhardt, “They are doing the same things we are: always evolving their tactics to meet the newest technology and offers out there. Whenever a new thing in security comes along, they come out and see if they can beat it.” He went on to say, “When I was working in banking, we knew for certain that with any new initiative we rolled out, we would be attacked for six months and would have to tweak our approach every day. What they’ve learned is that they don’t have to rob a bank in person – they can do it with malware, make more money and get away with it.”

Synthetic Identity Fraud Is Rising

According to GIACT’s analysis, as much as $6 billion was stolen by synthetic fraudsters taking legitimate, personally-identifying information in 2016 alone, and that amount has been rising in the years since.

By establishing synthetic identities, fraudsters can open bank accounts and cards and act as if they’re legitimate customers, allowing them to make purchases slowly and quietly at first, sometimes for as long as a year while they build strong credit scores, before then going all out.

How to Defeat Synthetic Identity Fraud

It’s unfortunate, but there aren’t really any special ways to get rid of identity fraudsters. It would seem like, for now at least, they’re here to stay. What we do have, though, are tips and tricks for fighting fraud. Always remember though – the fraudsters are always thinking outside the box and always trying to get a step ahead. Therefore the industry has had to keep on its toes and come up with many creative ways of keeping ahead of the fraudsters.

Barnhardt also commented on the advantages that fraudsters have. Should the levels of data breaches someday get down to 0, there’s always going to be data that fraudsters will find useful on social media. With this data, it’s possible that fraudsters could put together a functional profile from which they could commit synthetic identity fraud.

Ultimately, there’s no special answer to making this problem go away. We just need to remain vigilant and do all we can and continue to evolve to keep the fraudsters at bay while protecting the security of sensitive information.

Chinese Hackers Were Successfully Able to Bypass 2FA

On December 19, the cyber security firm Fox-IT, which is headquartered in the Netherlands, reported that they discovered a previously-unknown infiltration of managed service provider and government computer systems in at least 10 countries, including the United States, Mexico, Brazil, the United Kingdom, France, Germany, Italy, Portugal and Spain. These systems covered a wide range of industries, including aviation, construction, energy, finance, gambling, healthcare, insurance, offshore engineering, payroll and HR services, physical lock manufacturing, software development and transportation. Fox-IT believes a Chinese government-funded hacking group managed to bypass two-factor authentication (2FA) to initially access and then spread through these systems.

What Is 2FA?

Two-factor authentication was designed to make it more difficult for hackers to access secure, private data. It requires that a user provide two unique forms of information to prove identification when logging into accounts. For example, a system might recognize a user by their physical hardware, via a unique linked code, coupled with a separate unique password. The user might input a memorized password or a one-time password generated by a separate piece of hardware called a token or password generator. In banking, 2FA occurs when a card holder uses their physical card with their unique PIN number at an ATM or during debit transactions. In point-of-sale software payment processing, a merchant or an employee uses 2FA when they sign into their point-of-sale software on a computer, a unique device, with a unique password.

Which Group Is Responsible?

Although many hacking groups supported by the Chinese government exist, Fox-IT has linked this event to a Beijing-based group called APT20. Security firms believe this group started in 2011. Since the Chinese government invests a lot of time and money into hiding their hacking groups, APT20 was able to keep a low profile during 2016 and 2017. Firms couldn’t track them until they slipped up in 2018. Fox-IT referred to the 2FA bypass as “Operation Wocao” after a member of APT20 used the Chinese curse word “wocao” in a final line of Windows command failure code when they realized that their actions had been detected and they couldn’t hack a system. The word aptly described both the frustration and shock felt by not only the hacker, but also Fox-IT techs who realized that the system and others had been hacked in such a rare fashion.

How Did They Do It?

This specific group typically uses the most basic hacking tools combined with the software already present on their victims’ systems. Two-factor authentication is incredibly difficult to bypass since it uses unique forms of identification. Fox-IT has stated that APT20 found a way, currently unknown, to compromise the 2FA for virtual private networks, possibly via vulnerabilities in the corporate and government enterprise application platform known as JBoss. Essentially, they found a way to bypass the credentials necessary to access their victims’ VPN accounts and the computer systems attached to those networks. APT20 then focused their efforts on locating and hacking additional linked systems that held the credentials necessary for them to find and retrieve additional private data. The attack was designed to help them find higher and higher levels of authentication to access higher and higher levels of information. For example, they targeted password managers/vaults and then used the passwords they found to continue their data search and retrieval. Once they were finished, they did everything possible to delete all footprints of their actions to prevent detection.

What About Payment Processing?

APT20’s rare bypass of 2FA shows that hackers might be able to access any system in a similar fashion, including networked computers owned by merchants using point-of-sale software and/or customer databases. A hacking group could potentially mine merchant systems for customer names, credit card numbers, expiration dates and secure CVV codes. If the system also has a customer database, hackers could also retrieve private details, such as customers’ home addresses and product likes and dislikes. Hackers might use this data to learn more about specific individuals, such as politicians or military leaders, or create false identities.

We recommend that all merchants focus on improving not only their computer and network safety, but also their employee-based vulnerabilities. It’s important to train employees to recognize the many techniques used by hackers and how their actions can help these bad government-funded actors gain access. Merchants can also protect their systems by blocking employees from checking private email or downloading software on these systems.

Our team at Host Merchant Services goes beyond securing our own payment processing systems against these types of attacks: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.

Facebook Users’ Phone Numbers Exposed Online

Earlier this month, a huge database containing Facebook user IDs and phone numbers of 267 million members was breached and exposed, where it was then left on the web for almost two weeks before finally being removed.

According to security researcher Bob Diachenko, who discovered the unsecured Elasticsearch database along with Comparitech, it may not have belonged to Facebook, but rather to a cybercriminal organization.

According to the report released December 19th, “A database this big is likely to be used for phishing and spam, particularly via SMS. Facebook users should be on the lookout for suspicious text messages. Even if the sender knows your name or some basic information about you, be skeptical of any unsolicited messages.”

First indexed on the 4th of December and not noticed until 10 days later on December the 14th, the database is now thankfully unavailable. According to Diachenko, however, the data was also posted on December 12th to a hacker forum, where it was then available to download.

It’s still not clear exactly how the information was collected, although Diachenko suggests that it could have been stolen from the developer API that Facebook provides to app developers in order for them to access user data and profiles prior to it becoming restricted last year. Another possibility could be that it was all due to a glitch, which enabled the criminals to access the information despite the restrictions. Or, it could simply have just been scraped from profile pages that are publicly visible.

According to the published report, “‘Scraping’ is a term used to describe a process in which automated bots quickly sift through large numbers of web pages, copying data from each one into a database. It’s difficult for Facebook and other social media sites to prevent scraping because they often cannot tell the difference between a legitimate user and a bot. Scraping is against Facebook’s – and most other social networks’ – terms of service.”

Regardless of how it actually happened, Facebook users have been warned by the researchers to make sure that their security and privacy settings are set to private rather than public, which can help to decrease any chances of their profiles being scraped. This matters all the more because the stolen data has also been posted to the aforementioned hacker forum and is still being held by the cybercriminals, so it could very well still be used for targeted phishing attacks or spam.

This isn’t the first time that Facebook user data has been found around the web, and unfortunately it probably also won’t be the last. As recently as September, hundreds of millions of Facebook user phone numbers were again found leaked on an open server, and just a few months prior in April two different datasets held by two app developers were found by researchers. In both of these instances, Facebook was the data source for the records.


How the New Colorado Digital Driver’s License Works

The United States is one of about a dozen countries without a mandatory national identification document; for this reason, driver’s licenses, state ID cards, passports, and even social security numbers have served as alternatives to a federal identification system that both conservatives and liberals cannot seem to agree on. Starting in October 2020, the Real ID Act will come into full effect, and this digital coordination of personal information currently managed at a state level will be the closest Americans will get to a national ID card, at least for the time being.

In Colorado, a state known for its friendly attitude towards technology, both driver’s licenses and state-issued ID cards are going fully digital. In an interview with the Wall Street, Colorado’s Chief Information Officer Theresa Szczurek explained that a mobile version of driver’s licenses is like a “killer app” for state residents in the sense that it takes away the burden of having to carry a wallet. This new form of ID is actually a feature of myColorado, a comprehensive mobile app that grants residents access to a variety of services provided by the state.

The philosophy behind this digital ID project comes from the growing trend of Americans never leaving home without their smartphones. If a woman in Denver goes out to walk the dogs, she is unlikely to bring her purse, wallet, or pocketbook, but she will very likely bring along her smartphone. Speaking of Denver, this is a city where 20% of retail payments are made with mobile devices. By order of Governor Jared Polis, most Colorado state agencies have been ordered to accept this electronic ID as a valid form of identification, and this is already being used by a few commercial establishments that need to check ID for various purposes such as selling cigarettes, serving liquor, or verifying a point-of-sale purchase made with credit cards.

The myColorado driver’s license automatically links with the databases managed by the Department of Motor Vehicles. Changes to personal information can be made through the myColorado app, and this includes taking selfies. A Colorado driver’s license is typically good for five years, and for many residents who change addresses two or more times during that period, this means many trips to the DMV. With the new electronic ID version, changes can be made directly from smartphones 24 hours a day and even on weekends without worrying about taking time off from work to stand in long lines at DMV offices.

PayPal Top Target for Phishing

Over the past 15 years or so, phishing has been an unfortunately effective practice whereby a thief will make an attempt to obtain people’s login information to a number of websites. The fact that it’s still being used extensively to this day is a testament to just how effective a scam it is. Vade Secure has recently released the quarterly Phishers’ Favorites report, which has unveiled a new top target for phishers in mobile payments leader PayPal.

The top 25 imitated brands were examined in Vade Secure’s report, and it also shined a light on many of the tactics employed by the phishers as they pose as these various websites in an attempt to break security and obtain users’ data and information. Ever since the Vade Secure reports first began in the second quarter of 2018, Microsoft has had the privilege of owning the number 1 spot when it comes to the company most targeted for phishing. As of the first quarter of 2019, however, Microsoft lost that top spot to PayPal. Online streaming service Netflix, with its 158 million subscribers worldwide, is next in line at 3rd place.

There are some fairly scary statistics that come with PayPal’s sudden rise to the top of the phishing ladder. Vade’s AI engine found 16,547 unique PayPal phishing URLs, which works out to around 180 per day, up almost 70% on the previous year. It wasn’t just PayPal that was making gains in this fashion, either. Of the top 25 brands when it comes to phishing, 10 were financial services brands, such as Bank of America, Chase, and CIBC, all of which were in the top 10.

PayPal, Microsoft and Netflix, just like any bank or any high street store, are holding facilities for data: data which, eventually down the line, is going to give phishers the ability to access money. This is why it should come as no surprise to see financial institutions and companies such as PayPal, Microsoft, and Netflix well represented in lists such as the Vade Secure quarterly Phishers’ Favorites report. They are the prime targets for such an effort, and they are also in charge of the data that those looking to steal data would find most valuable.
