
Data Breach at Wendy’s Expands to Over 1000 Locations

Data security issues at Wendy’s have now been super-sized.

Following whispers of a data breach in January, Wendy’s finally confirmed payment security issues in May, when spokesmen admitted fewer than 300 stores had been affected by malware. Now, the company admits the real number of compromised restaurants is over 1,000.

Thieves installed malware on POS card terminals to capture card numbers, cardholder names, verification values, expiration dates, service codes and other critical data. Wendy’s stated that CVV codes were not at risk. The malware has been called “highly sophisticated in nature and extremely difficult to detect.”

The initial claim of fewer than 300 affected stores was cast into doubt by reports from card issuers that fraudulent charge volume indicated a far larger distribution throughout the chain’s 5,800 U.S. locations. Wendy’s states that the attack came in two separate waves, making it difficult to determine the total size of the data breach when it was first detected. Investigators first determined the scope as only 300 locations, only to be hit by a second, mutated strain of the malware soon thereafter.

The attack appears to have been the result of compromised security credentials used for remote access by third-party POS service companies. These companies are often hired by franchisees to manage POS systems in their restaurants, and most access them remotely. Of the 5,800 Wendy’s restaurants in the U.S., only about 630 are owned and operated by Wendy’s itself, with the remainder in the hands of local franchise owners. None of the company-owned stores have been implicated in the data breach.

In response to their discovery of the larger scale of the breach, Wendy’s has compiled a searchable database of affected locations. This database is accessible to customers on the company website.

The affected locations had not yet moved to the use of EMV chip cards. Gavin Waugh, vice president and treasurer at The Wendy’s Company, believes that the attack might not have been prevented by use of EMV. Wendy’s declined to provide a timetable for the completion of the rollout of EMV to their network of restaurants.

Gartner Group analyst Avivah Litan states that although many locations have received and installed EMV-capable terminals, not all have activated them. She acknowledged that there is a backlog of requests at the companies who certify EMV readiness for merchants ready to move to the new standard.

Amex Changes EMV Chargeback Policy

The transition to chip cards, or EMV (Europay, MasterCard and Visa chip technology), hasn’t been an easy one for merchants to adopt. To be compliant with the new rules, merchants have had to upgrade their credit card processing systems to accept the new chip cards. Failure to do so leaves the merchant responsible for fraudulent charges, since old systems leave gaps in security features.

As you can imagine, this can quickly add up to a frightening liability, all because a merchant neglected to upgrade its credit card processing system.

American Express Relieving the Stress of EMV Chargebacks

The EMV chargeback liability that could extend from merchants being responsible for fraudulent charges is huge, and American Express seems to understand that it might be a little too burdensome and punitive for merchants who are struggling to update expensive credit card processing machines. That’s why, by September 2016, American Express will no longer be charging back for fraudulent transactions under $25.

Sensing that maybe this isn’t enough, American Express is going to go even further beginning by the end of the year. In late 2016, they will place important caps on the total number of chargebacks a merchant faces, placing the cap at 10 transactions per card. This means that after the first 10 chargebacks for fraudulent activity, the credit card issuer will become responsible rather than the merchant.

All good things must come to an end, and that includes American Express’s enlightened chargeback policy. They’re giving merchants only until April 2018 to enjoy these lightened liabilities. After that, if a merchant hasn’t upgraded his or her credit card processor to a chip-enabled system, they will once again become fully responsible for fraudulent charges. That is hopefully enough motivation for merchants who haven’t made the switch yet.

Err on the Side of Caution: Nonprofits and Virtual Credit Cards

A jarring 17.6 million people (7% of Americans) had at least one incident of identity theft in 2014, according to the Bureau of Justice Statistics. Unfortunately some of that identity theft can come from third parties, including criminals accessing business accounts to get information about consumers. Nonprofits, small businesses and large corporate companies can all be at risk without a proper protection plan.

In the case of nonprofits, fundraising for charities may also be affected without a secure nonprofit processing system. One questionable online merchant can expose a nonprofit’s bank or credit union account information, credit or debit card numbers, and Social Security numbers (linked to employees of the nonprofit services). In a tech world where “password” continues to be a common password for both individuals and companies, a lucky guess can expose an entire company’s important documents.

Virtual credit cards are one continuously effective way to protect company financial information. Some of the biggest perks of virtual credit cards include:

• Flexibility to not release vital credit card information from lesser known companies
• Ability to set a maximum spending amount
• Specifying an expiration date for the virtual card
• Shopping safely online with what looks like a regular merchant card number
• Potential cash rebates

The owner(s) and accountant(s) of any company may already be aware of the amount of record-keeping involved in making sure that all involved parties receive their paychecks, reimbursements, supplies and any other applicable expenses. However, nonprofit processing has the added requirement of being able to explain all purchases and payments made for a humanitarian or environmental cause. Unlike for-profit companies, which benefit the founder and however many employees work for the organization, funds for charities ideologically make a full circle into supplies for education, first aid, food, shelter, water and other things associated with the organization’s focus.

So even one questionable purchase, or suspicious merchant, can hurt the reputation of a nonprofit. This is the exact reason why nonprofit processing should incorporate virtual credit cards into its billing options for charities. While some companies have already tried to make online purchases easier by using trusted sites like PayPal, a company may still be at risk of password break-ins.

An email site that isn’t secure, unattended mailboxes (where bank statements may be found), dumpster diving, malware and fake clone sites (spoofs) could put a nonprofit at risk of releasing private financial account information. By using a virtual credit card, a nonprofit gives the hacker less information to work with if an identity theft does occur.

Visa and MasterCard Sued by Home Depot over Chip Card Security

Around the world, 80 countries have added EMV chips to their credit cards. These chip cards are more secure than credit cards with only a magnetic strip and have helped to reduce credit card fraud in many places. As a result, these cards are now being introduced in the United States. Many retailers, however, are alleging that Visa and MasterCard are not utilizing the chip to its fullest potential. Home Depot has joined other retailers, like Wal-Mart, by filing a lawsuit against the credit card issuers. Mark Horwedel, CEO of the trade group The Merchant Advisory Group, expects more lawsuits to follow.

The lawsuit contends that Visa and MasterCard are not doing enough to prevent credit card fraud, yet are forcing retailers to carry more of the cost and liability for fraudulent credit card transactions. Though the chip cards used around the globe may look the same, they aren’t processed the same way. In most of the countries that have adopted EMV technology, a PIN number is required to complete a credit card transaction. In the United States, however, Visa and MasterCard are requiring only a signature. This makes transactions less secure than they could be. Since retailers are now responsible for fraud, Home Depot alleges that card issuers are not doing enough to protect them from it.

Failure to require a PIN also creates problems for online customers, where credit card processing is done without a signature or other verification steps. For these transactions, chip card security doesn’t help at all unless it is coupled with a PIN.

Home Depot also claims that it costs them more to process non-PIN transactions, forcing them to pay $750 million a year in credit card processing fees. According to the retailer, Visa and MasterCard are intentionally blocking the store’s ability to protect itself from fees and fraud in order to drive their own profits. They claim chip card security that requires a PIN would better protect consumers and reduce credit card processing costs.

The Home Depot has reason to be concerned, as the company was the victim of a data breach in 2014 that affected 56 million credit and debit card numbers. The retailer immediately implemented credit card processing that incorporated the chip technology, but would like to do more to protect itself and its customers. The company fully supports chip card security and EMV technologies, but wants American consumers to enjoy the same meaningful fraud protection that Europeans have been enjoying for more than a decade.

Hackers Rush to Cash In Before Chip Cards Take Over

While plans are being initiated that will reduce credit card fraud, it appears the problem is going to get worse before it gets better. Credit card issuers are rushing to send new EMV enabled cards to their customers. These cards, also known as chip cards, contain technology that makes credit card theft much more difficult. Knowing this, hackers and fraudsters are in a rush to steal as much credit card information as they can before their job gets harder.

According to CNBC, as much as $10 billion in fraudulent credit card charges is anticipated between 2016 and 2020 as retailers and card issuers finish adopting EMV cards and technology. As of May 2016, only 20% of credit cards and 10% of debit cards were chip enabled, leaving lots of people still at risk for a security breach. The bad guys know this and are scrambling to take advantage of security weaknesses in cards with magnetic strips.

On the other side of the table, retailers and banks are rushing to get chip cards into the hands of consumers. PYMNTS.com reports that, on average, 23,000 merchants per week are installing chip technology in their businesses. Overall, the number of retailers using the chips to read cards has increased by 12.5% since the technology’s introduction. Progress is clearly being made, but not fast enough to protect everyone.

Once all of the credit cards have chips and the bad guys have used up their stolen cards, card not present fraud is expected to decrease. However, a different kind of fraud is expected to take its place. With credit card numbers being harder to steal remotely, experts anticipate that more people will fraudulently apply for credit card accounts. Using a temporary address, these fraudsters will get credit cards mailed to them using an address they will later abandon. With the card in hand, they will still be able to make fraudulent purchases.

Though the criminals aren’t going anywhere, neither are those who fight them. New technologies are being considered and developed even as EMV chips are being instituted. In the meantime, the best way to protect yourself is to watch your accounts carefully and use caution when using your card online.


Hackers find new target: Marriott [2023 Update]

Holiday Inn, Marriott Hotels Suspected Targets of Data Breach

The Official Merchant Services Blog has breaking news regarding the ongoing series of credit card data breaches. On the heels of the major hack of discount retailer Target, which stole credit and debit card data from 40 million accounts right smack dab in the middle of the holiday shopping season, there’s yet another target of hacker greed: Holiday Inn. Lodgers at Holiday Inn, Marriott and Renaissance hotels may have had their payment card details compromised for much of 2013, a hotel management company revealed on Monday.

White Lodging Services, a hotel management company, warned in a news release it suspects point-of-sale systems at restaurants and lounges on 14 of its properties were compromised between March 20, 2013 and Dec. 16, 2013. Guests who did not use their card at restaurants and lounges, as well as those who used their room account for purchases from those outlets, were not affected, the press release revealed.

The Merrillville, Indiana-based company said it manages hotels like Holiday Inn under agreement with hotel owners. The company is a separate entity from the specific hotel brands it operates. White Lodging Services said it has contacted federal law enforcement and initiated a forensic review of its properties. It runs more than 169 hotels in 21 U.S. states.


The Full List

The food and beverage outlets affected by the suspected breach were located at the following hotels:

  • Marriott Midway, Chicago, IL
  • Holiday Inn Midway, Chicago, IL
  • Holiday Inn Austin Northwest, Austin, TX
  • Sheraton Erie Bayfront, Erie, PA
  • Westin Austin at the Domain, Austin, TX
  • Marriott Boulder, Boulder, CO
  • Marriott Denver South, Denver, CO
  • Marriott Austin South, Austin, TX
  • Marriott Indianapolis Downtown, Indianapolis, IN
  • Marriott Richmond Downtown, Richmond, VA
  • Marriott Louisville Downtown, Louisville, KY
  • Renaissance Plantation, Plantation, FL
  • Renaissance Broomfield Flatiron, Broomfield, CO
  • Radisson Star Plaza, Merrillville, IN


White Lodging last week told the New York Times it was investigating a potential security breach, covered in a report from security writer Brian Krebs, the same Krebs who broke the news on the Target data breach as well as the Global Payments data breach.

What Was Hacked?

The unlawfully accessed data may have included names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates. Guests who used or visited the affected businesses during the nine-month period and who used a credit or debit card to pay their bills at the outlets might have had such information compromised and are encouraged to review their statements from that time period.

One idea posited on how this happened is RAM scraping. Attackers are planting malicious software, known as “RAM scrapers,” on POS devices, which capture unencrypted card details after a customer has swiped a card, defeating other security measures in place intended to protect sensitive details. White Lodging said customers’ names as printed on credit or debit cards, the card numbers, the cards’ security code and expiration dates may have been unlawfully accessed.
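The RAM-scraper scenario above turns on one fact: for a moment after a swipe, the full card number sits unencrypted in the POS process’s memory, so anything that can read that memory can read the card. The defensive counterpart is to check whether cleartext card numbers are present where they should not be (process memory dumps, debug logs, crash files) as part of PCI scoping and incident triage. The following is an added example, not code from the post or from White Lodging: a small scanner that finds candidate card numbers in a blob of text, discards digit runs that fail the Luhn check (most timestamps, reference numbers and phone numbers fail it), and reports each hit masked to the first six and last four digits so the report itself does not become a new copy of the card data. The sample “memory” content is constructed for the example.

```python
import re

# Candidate card number: 13 to 19 digits, optionally separated by single
# spaces or dashes, and not glued to other digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check digit test."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(blob: str) -> list[str]:
    """Return the Luhn-valid card numbers found in blob, separators removed."""
    found = []
    for m in PAN_RE.finditer(blob):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def mask(pan: str) -> str:
    """Mask a card number to its first six and last four digits (PCI display rule)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def report(blob: str) -> list[tuple[int, str]]:
    """Return (line number, masked card number) for every hit, line by line."""
    hits = []
    for lineno, line in enumerate(blob.splitlines(), start=1):
        for pan in find_pans(line):
            hits.append((lineno, mask(pan)))
    return hits


# Constructed sample standing in for a fragment of POS process memory or a
# debug log. The card numbers are the standard Visa/MasterCard test numbers.
SAMPLE_MEMORY = (
    "POS-TERM-07 swipe ok 2013-12-16T15:30:45\n"
    "PAN=4111111111111111 EXP=1512 NAME=JANE DOE\n"
    "auth ref 1234567890123456 (reference id, fails Luhn)\n"
    "callback tel 317-555-0100\n"
    "tokenizing 5555-5555-5555-4444 -> tok_9c1e\n"
)

if __name__ == "__main__":
    for lineno, masked in report(SAMPLE_MEMORY):
        print(f"line {lineno}: cleartext card number present: {masked}")
```

Run against a real memory dump or log directory, a scanner like this answers the question a breached merchant most needs answered early: which processes and files ever hold the full card number in the clear, and therefore which ones are in scope for tokenization, point-to-point encryption or memory-protection controls.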

What’s Next?

Financial institutions have reissued some payment cards and are monitoring other credit and debit cards for unauthorized activity, the company said. White Lodging is also arranging to offer one year of complimentary personal identity protection services to all affected cardholders.

The unfolding disclosures have drawn the attention of the U.S. Congress. The House Energy and Commerce Committee is scheduled on Wednesday to hear from senior executives from Target and Neiman Marcus along with the U.S. Secret Service about how data breaches can be prevented.

Host Merchant Services’ PCI Compliance Initiative

Looking at the threat of a data breach, merchants must wonder what the solution can be. Is there protection available? PCI Compliance is a great foundation for transaction security. The standards and protocols set up by the PCI-DSS Council are the first step a merchant needs to take to protect their data. And Host Merchant Services offers a PCI Compliance Initiative that helps its merchants quickly and seamlessly take that step.

Also, one thing to consider if you are a merchant and you are worried about data breaches affecting your bottom line: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.


Internet Security

Security is one of the defining internet issues of this decade.  While there is not one distinct body of law that governs a company’s rights and responsibilities, there are methods to prioritize compliance efforts.  This issue is relatively unique to the internet space since the laws and regulations that apply come from many different areas.  In recent years the Federal Trade Commission (FTC) has taken an increasingly prominent role in responding to these problems.  In addition, almost every state has some sort of law that at least requires reporting of unauthorized disclosure of information.  Indeed many state laws, particularly Massachusetts and California, go substantially beyond simple breach disclosure and mitigation.

Host Merchant Services is located in Delaware. The Delaware Security Breach Notification Law can be reviewed in its entirety at This Link.

While many agencies, such as the SEC, have regulations that address security issues in the industries they regulate, the FTC is the agency primarily tasked with addressing internet security issues.  The FTC has the authority to prosecute companies and individuals who engage in deceptive trade practices.  The best way to determine the enforcement priorities of the FTC is to look at recent enforcement actions.  These actions have focused on the “locked door” problem:  Many companies focus on the number of locks they’ve placed on the door to data, as opposed to making sure these doors do not become unlocked over time.

Sloppy security practices are an issue that the FTC has said is simply screaming for regulatory and enforcement activity.

Time and time again, the FTC has stated that companies must have procedures in place to ensure that their businesses are secure, to detect security vulnerabilities, and to inform customers and, if necessary, regulators, when unauthorized disclosures are discovered.  To avoid FTC action, internet businesses need to shift some of their security thinking and strategy from high profile areas to basic security and process control schemes.  This could involve redeploying resources from traditional security screening measures (such as trying to breach firewalls) to creating change control processes, training staff on quality control and ensuring that vendors actually meet the security standards you need — and that they profess to have.

It is a bit trickier to generalize about state security statutes.  That said, most state laws have relatively similar goals to their federal counterparts.  As an initial matter you should ensure that your entire “ecosystem” has the same, or similar, breach definitions.  Doing so avoids gaps that lead to misinformation and failure to comply with breach definitions set out in your state laws.  A second component of general compliance is to create both internal and external notification plans.  Your internal plan should create a system where both employees and vendors are alerted to a possible breach.  External plans should contain at a minimum a statement of what is known about the breach, mitigation efforts, a contact point, and future steps you are taking regarding the breach.  You should identify which information will be excluded from these notification efforts because of confidentiality or other restrictions.

A final component of a state compliance plan is to anticipate how you will fold in state regulators and law enforcement entities.  At a minimum, these will be agencies in the state in which you are located, but may, in some instances, include regulatory agencies in other states.  It is important not to play hide-the-ball and simply fail to provide the regulatory and law enforcement notifications required by law.  In making these notifications, you should involve your attorney to determine how much information you are required to disclose, and methods of protecting your company from litigation.

For More Information

For more legal information you can visit my site:

David Snead’s Home Page


To learn more about PCI Compliance, Host Merchant Services offers these resources:

PCI Compliance FAQ


PCI Compliance Guide


Disclaimer:  Legal decisions must be made based on your unique situation. Please consult with an attorney prior to making decisions based on this post.