Tag Archives: target

Terminal Retirements

Leave a reply

Following up on our recent blog about terminal of the future, the VX 520, today we’re going to let the other shoe drop. With the payment processing industry thrusting its spotlight onto security in the wake of the Target Data Breach, the PCI DSS and its upgraded protocols are getting a lot of attention.

Host Merchant Services has been ahead of the curve on PCI compliance, having instituted a PCI Compliance Initiative years ago. But the Payment Card Industry Security Standards Council is in a continuous state of refining their security requirements and best practices so we here at HMS have to remain agile and adept at navigating these changes.

EMV smart cards, a topic we’ve discussed in depth here, are prompting PCI DSS to reorganize large swaths of its standards, and as a result, retire various terminals. As more and more POS hardware adapts to support EMV chip cards and end to end encryption, manufacturers and software developers will have to put their older equipment out to pasture. With the release of EMV/Contactless terminal applications, many of the legacy terminal devices/applications do not have the memory capacity required in order to support the association mandates. As a result, TSYS has provided a preliminary end of life schedule for credit card terminal applications that will be fully retired.

This is something the PCI DSS has been preparing for, and as such they have a schedule implemented for the retirement of older equipment. Coming up next is the VX 510 Terminal and its VDID300 Application, scheduled for retirement on June 3, 2014. Also the VX 510 and VX 570 and its VXGFT02 Application will be retired that day.

Prior to this date, Host Merchant Services has terminal upgrades available for our merchants. While we will continue to honor merchant boarding for these devices until the effective end of life date, once that occurs these devices/applications will no longer be an option available within our internal systems and downloads will no longer be available for terminal updates, swaps or technical support. So upgrading should be a priority, and Host Merchant Services will make the process seamless and trouble-free.

PayPal President Hacked [2023 Update]

Leave a reply

Twitter, the modern equivalent of Mad Libs and the yellow journalism of the late 19th century, has revealed to us a gem of irony that makes the whole Target getting hacked story seem that much more poignant.

No one is safe in this bold new era of credit card hackers and identity thieves. Not even the president of a major payment processing company.

PayPal President David Marcus has been the victim of credit card fraud, he said on Monday. The leader of the online payments company revealed via Twitter that his credit card information had been stolen on a trip to the United Kingdom and he’d racked up a “ton” of fraudulent transactions on his account.

Smart Chip Didn’t Help

Marcus speculated that thieves probably skimmed the info from the magnetic stripe on his card, even though his card had an EMV chip, a technology that makes cards in Europe more secure than the ones commonly used in the U.S.

EMV® chip technology– or EMV — is a worldwide standard for credit and debit card payments based around the use of chip card technology. The acronym stands for Europay, MasterCard, and Visa, who collaborated to create the technology. The goal of this project was to create a card that worked based off of a microprocessor chip that is read by the payment terminal. Because the U.S. has yet to widely deploy embedded chip technology, the nation has increasingly become the focus of hackers seeking to steal such information. The stolen data can easily be turned into phony credit cards that are sold on black markets around the world.

Is it Just a Marketing Ploy?

Marcus adroitly used the incident as an opportunity to plug his own company, suggesting that the fraud wouldn’t have happened if the merchant had accepted PayPal. His company is currently trying to expand its presence as a payment option in physical stores, putting it in direct competition with platforms like Square and Google Wallet.

It also comes right when data breaches are major news in the payment processing industry. On December 19 2013, Target confirmed a sophisticated data breachoccured. In their press release they stated: “Approximately 40 million credit and debit card accounts may have been impacted between Nov. 27 and Dec. 15, 2013. Target alerted authorities and financial institutions immediately after it was made aware of the unauthorized access, and is putting all appropriate resources behind these efforts.  Among other actions, Target is partnering with a leading third-party forensics firm to conduct a thorough investigation of the incident.”

So Marcus’ misfortune happens right at the time identity theft, credit card fraud and hackers are on everyone’s mind. With EMV chip cards being touted as one of the best solutions to the hacking problem, Marcus’ mishap even taps into that buzz.

Hacker

Hackers find new target: Mariott [2023 Update]

Leave a reply

Holiday Inn, Marriott Hotels Suspected Targets of Data Breach

The Official Merchant Services Blog has breaking news regarding the ongoing series of credit card data breaches. One the heels of the major hack of discount retailer of Target that stole credit and debit card data from 40 million accounts right smack dab in the middle of the holiday shopping season, there’s yet another target of hacker greed: Holiday Inn. Lodgers at Holiday Inns, Marriott and Renaissance hotels may have had their payment card details compromised for much of 2013 as revealed a hotel management company  on Monday.

White Lodging Services, a hotel management company, warned in a news release it suspects point-of-sale systems at restaurants and lounges on 14 of its properties were compromised between March 20, 2013 and Dec. 16, 2013. Guests who did not use their card at restaurants and lounges, as well as those who used their room account for purchases from those outlets, were not affected, the press release revealed.

The Merrillville, Indiana-based company said it manages hotels like Holiday Inn under agreement with hotel owners. The company is a separate entity from the specific hotel brands it operates. White Lodging Services said it has contacted federal law enforcement and initiated a forensic review of its properties. It runs more than 169 hotels in 21 U.S. states.

databreach1

The Full List

The full list of the food and beverage outlets affected by the suspected breach were located at the following hotels:

  • Marriott Midway, Chicago, IL
  • Holiday Inn Midway, Chicago, IL
  • Holiday Inn Austin Northwest, Austin, TX
  • Sheraton Erie Bayfront, Erie, PA
  • Westin Austin at the Domain, Austin, TX
  • Marriott Boulder, Boulder, CO
  • Marriott Denver South, Denver, CO
  • Marriott Austin South, Austin, TX
  • Marriott Indianapolis Downtown, Indianapolis, IN
  • Marriott Richmond Downtown, Richmond, VA
  • Marriott Louisville Downtown, Louisville KY
  • Renaissance Plantation, Plantation, FL
  • Renaissance Broomfield Flatiron, Broomfield, CO
  • Radisson Star Plaza, Merrillville, IN

 

White Lodging last week told the New York Times it was investigating a potential security breach, covered in a report from security writer Brian Krebs. The same Krebs who broke the news on the Target Data Breach as well as the Global Data Breach.

What Was Hacked?

The unlawfully accessed data may have included names printed on customers’ credit or debit cards, credit or debit card numbers, the security code and card expiration dates.  Guests who used or visited the affected businesses during the nine month-period and who used a credit or debit card to pay their bills at the outlets might have had such information compromised and are encouraged to review their statements from that time period.

One idea posited on how this happened is RAM scraping. Attackers are planting malicious software, known as “RAM scrapers,” on POS devices, which capture unencrypted card details after a customer has swiped a card, defeating other security measures in place intended to protect sensitive details. White Lodging said customers’ names as printed on credit or debit cards, the card numbers, the cards’ security code and expiration dates may have been unlawfully accessed.

What’s Next?

Financial institutions have reissued some payment cards and are monitoring other credit and debit cards for unauthorized activity, the company said. White Lodging is also arranging to offer one year of complimentary personal identity protection services to all affected cardholders.

The unfolding disclosures have drawn the attention of the U.S. Congress. The House Energy and Commerce Committee is scheduled on Wednesday to hear from senior executives from Target and Neiman Marcus along with the U.S. Secret Service about how data breaches can be prevented.

Host Merchant Service’s PCI Compliance Initiative

Looking at the threat of a data breach, Merchants must wonder what the solution can be. Is there protection available? PCI Compliance is a great foundation for transaction security. The standards and protocols set up by the PCI-DSS Council are the first step a merchant needs to take to protect their data. And Host Merchant Services offers a PCI Compliance Initiative that helps its merchants quickly and seamlessly take that step.

Also, one thing to consider if you are a merchant and you are worried about data breaches affecting your bottom line: Host Merchant Services Data Breach Security Program. Click that link to download a PDF explaining the value-added service HMS provides its merchants that goes above and beyond just simple PCI Compliance and helps ensure a merchant’s peace of mind.

 

Credit Cards

Can Chip Cards Stop the Hax? [2023 Update]

Leave a reply

The massive data breach at Target is a big shining beacon illuminating exactly how behind the times the United States remains when it comes to credit card security — namely EMV® chip technology.

EMV is a worldwide standard for credit and debit card payments based around the use of chip card technology. The acronym stands for Europay, MasterCard, and Visa, who collaborated to create the technology. The goal of this project was to create a card that worked based off of a microprocessor chip that is read by the payment terminal. Because the U.S. has yet to widely deploy embedded chip technology, the nation has increasingly become the focus of hackers seeking to steal such information. The stolen data can easily be turned into phony credit cards that are sold on black markets around the world.

In fact, KrebsOnSecurity, the website that broke the news of the Target hack, has reported that the card information stolen in the Target Data Breach has been showing up on the black market. Credit and debit card accounts stolen during the security breach have reportedly flooded underground black markets, going on sale in batches of one million cards. The cards are being sold from around $20 to more than $100 each.

Over the last decade, most countries have moved toward using credit cards that carry information on embeddable microchips rather than magnetic strips. The additional encryption on these aptly named smart cards has made the kind of brazen data thefts suffered by Target almost impossible to pull off in other countries. Which is why as of Q4 2012, there were roughly 1.62 billion EMV cards in consumers’ hands and 23.8 million terminals deployed throughout Europe, Asia, and Africa. About 80 countries have adopted the technology as a standard. By comparison, about 1% ofcredit cards issued in the U.S. contain such technology, making the United States a tasty target for hackers.

“The U.S. is one of the last markets to convert from the magnetic stripe,” Randy Vanderhoof, director of the EMV Migration Forum told the LA Times. “There’s fewer places in the world where that stolen data could be used. So the U.S. becomes more of a high-value target.”

The credit card industry reports the U.S. accounted for only 24 percent of global credit card payments by volume in 2012, but it accounted for 47 percent of the fraud.

So Why No Chips in the U.S.?

According to experts the reasons the U.S. lags so badly in adopting smart cards are complicated. In part, there hasn’t been the political will to demand that businesses and financial institutions make the change. One might think the Target data breach would spur politicians to action or at least get consumers to light a fire under those politicians. But the Target hack is just one in a growing list of data breaches, and the 40 million compromised cards are rather mundane.

In April of 2011, the Playstation Network was hacked, compromising the vital information of 77 million accounts, and 24.5 million Sony Online Entertainment accounts. This has been touted as one of the largest personal data heists recorded in history, and prompted Sony to shut down its services for a month. In 2009, credit card processor Heartland Payment Systems disclosed that thieves had broken into is internal card processing network, and installed malicious software that allowed them to steal track data on more than 130 million cards.

If neither of those data breaches could spur on the adoption of EMV cards, it’s unlikely the Target hack will move the needle. The inertia built up against the smart cards then must be due to some other reason Analysts also say the payment processing system in the U.S. is more complicated, with merchants, credit companies and banks reluctant to spend the big bucks it would take to convert a system with 1 billion credit cards to EMV from magnetic stripes. But that’s still too murky.

The primary reason such technology has taken so long to make its way into the U.S. is far more simple: Chip-embedded cards are more expensive to produce. Each merchant would have to purchase new equipment to hand them.

What the Future Holds …

The good news for consumers is that the U.S. is indeed moving to embrace smart credit cards. The Official Merchant Services Blog reported almost two years ago that the United States was moving slowly but surely toward adopting chip cards. Visa took the lead in the U.S. push, reporting that as of December 31, 2011, the credit giant had issued more than 1 million credit cards that use “chip” technology to store consumer payment information. Visa made an announcement in August 2011 hat it planned to start issuing more EMV — Europay, Mastercard, Visa — smart cards to push the industry toward better security and an easier transition to mobile payments.

In the last couple of years major card issuers have laid out road maps for upgrading the card technology, and many have set out to achieve this by October 2015.

TransFirst, Host Merchant Services’ acquirer and one of the premier providers of transaction processing services and payment processing technologies in the U.S., issued a mandate in response to the EMV push. TransFirst said that Visa will require U.S. acquirer processors and sub-processor service providers to be able to support merchant acceptance of chip transactions no later than April 1, 2013. Visa also intends to institute a U.S. liability shift for domestic and cross-border counterfeit card-present point-of-sale transactions effective October 1, 2015, and for fuel-selling merchants by October 1, 2017.

Ocotber 2015 was chosen because at that point major credit card companies will change their rules about who is liable for fraudulent purchases caused by security breaches. Under the new rules, the entity in the payment chain — merchant, credit card, banks — deemed to have the weakest security will be liable. Credit card companies can’t make anyone adopt the technology, but they’re giving them a hard nudge.

The Bottom Line

While the Target Data Breach once again brings up the topic of credit card security, it seems like the U.S. is still poking along with its slow adoption of EMV chip cards. Hackers will still continue to target the low hanging fruit that the largely magnetic stripe based U.S. credit card industry still works with. But EMV chips and increased digital security of cardholder information is coming. October 2015 looms closer and closer.

Discover Teams Up with PayPal

Discover Teams Up with PayPal [2023 Update]

Leave a reply

The Official Merchant Services Blog continues to shine its spotlight of educational information directly on the Mobile Payments Industry. This bristling business sector keeps creating buzz among payment processing persons as well as overall economic assortments. One minute people are predicting hundreds of billions of dollars in revenue will get generated by consumers embracing the cashless society model and conveniently swiping their phones to pay for every little thing that catches their eye. The next minute people are predicting U.S. consumers are too wary and cautious and not ready to expose their information to the cloud and the criminals trying to crack their way into that cloud.

This titanic tug-of-war between “the next big thing” that economic analysts desperately desire M-Payments to become and the “hold your horses hombre” caution that those same analysts caveat the slow acceptance in U.S. markets has been defining the media coverage of the Mobile Wallet Madness for more than a year. But the potential for prodigious profits has pushed the possibilities of mobile payment processing through the morass of misgivings.

Merchants United!

As we purposely pointed out to our peerless readers just mere days ago, the Merchant Customer Exchange was formed. This epic assemblage of retail industry giants teams Wal-Mart Stores Inc., Best Buy Co. and Target Corp, 7-Eleven  Inc., Alon Brands Inc., CVS Caremark Corp., Darden Restaurants Inc., Lowes Co., Sunoco Inc., Sears Holding Corp. and the Publix Supermarket chains into a mega-group of retail merchant might on a mobile wallet mission.

Coming on the heels of Visa’s saturation of the 2012 London Olympics with all things Mobile and all things Visa, the mighty mingling of the MCX merchants applied unforeseen amounts of pressure on the mobile payment marketplace.

Mobile Payment Paring: Discover and PayPal

On August 22 PayPal, owned by eBay, announced a deal with Discover Financial Services to bring PayPal access to the 7 million merchants in Discover’s network. This deal will begin in the second quarter of 2013 and the announcement was made a mere two weeks after Square partnered up with Starbucks to let customers pay with Square’s app at the 7,000 U.S. Starbucks locations.

Excelsior! Retail titans are teaming up with mobile gadgeteers in one mass scramble to make it to market before the U.S. consumer becomes firmly affixed on the easiest and most widespread brand — as is wont to happen with U.S. shopper market behavior.

The PayPal deal is a particular point of note because PayPal itself is pushing from the online marketplace back into the physical realm of brick and mortar. This may indeed help bridge the gap from e-commerce to old fashioned commerce, and that bifrost of payment processing could very well buttress mobile payment processing in a brave new world of cashles-sness and contactless transactions.

The super-powered pairing of Discover and PayPal drove stock prices for each company, with Discover gaining 3.9% and eBay gaining 2.5% on the market the day the announcement was made. This arrangement will greatly accelerate PayPal’s in-store payment efforts. By riding on Discover’s network, PayPal can get into more locations  and get there quickly. Best of all this movement doesn’t requiring any significant integration work by merchants. That potentially puts PayPal at a big advantage against rival mobile payment systems such as Google Wallet, Isis, and Square.

Discover is integrating PayPal’s payment system into its software, which will be uploaded to millions of point-of-sale terminals that support Discover Card payments. PayPal’s branding and rules will be presented to consumers who choose to pay in store with PayPal. PayPal currently has more than 50 million U.S. customers who will be able to take advantage of in-store payments.

Don’t Call it a Comeback

Leave a reply

Today The Official Merchant Services Blog is here to update our readers on the latest development in the  lawsuit against Visa Inc., MasterCard Inc. —  the largest antitrust settlement in U.S. history. We broke the story last week when we revealed that the card companies agreed to pay more than $6 billion to settle lawsuits from retailers claiming that the card issuers engaged in anti-competitive practices.

The July 13 settlement still needs to be OK’d by a judge, and today we learned that the decision may be getting held up by plaintiffs who do not want the settlement and the money it brings.

The Opposition and Their Position

The National Association of Convenience Stores (NACS), a class plaintiff in the lawsuit, rejected the settlement offer according to their own website. Because the proposed settlement does not introduce competition and transparency into the broken credit card swipe fee market, the NACS Board of Directors unanimously rejected the proposed settlement agreement.

The settlement is the largest antitrust settlement in U.S. history, but NACS was not impressed because it only amounts to less than two months’ worth of swipe fees, based on the estimated $50 billion in swipe fees collected by the credit card companies on an annual basis. Worse, NACS feels that with the settlement there are no fundamental market changes that would constrain Visa and MasterCard from continuing to raise rates.

Wal-Mart Joins Opposition

The NACS opposition was announced almost immediately after the news of the settlement proposal was revealed. It’s taken a little bit of time, but others have started to join the opposition. Wal-Mart Stores Inc, the world’s largest retailer, joined the growing chorus of merchants opposed to the proposed settlement. Wal-Mart said the $7.25 billion settlement would not change a “broken” system of what credit card companies charge retailers for processing credit and debit card payments, known as “swipe fees.”

For the Record

NACS and Wal-Mart share the same criticism of the settlement.

“Not only does the proposed settlement fail to introduce competition and transparency into a clearly broken market, it actually provides Visa and MasterCard with the tools to continue to shield swipe fees from market forces,” said NACS Chairman Tom Robinson, who is also president of Santa Clara, Calif.-based Robinson Oil Corp.

Mirroring the NACS criticism, Wal-Mart said in a statement released by the company, “the proposed settlement would not structurally change the broken market or prohibit credit card networks from continually increasing hidden swipe fees, which already cost consumers tens of billions of dollars each year.”

Robinson also said, “this proposed settlement allows the card companies to continue to dictate the prices banks charge and the rules that constrain the market including for emerging payment methods, particularly mobile payments. Consumers and merchants ultimately will pay more as a result of this agreement — without any relief in sight.”

Wal-Mart again mirrored the NACS statements and went further when it said the settlement would not “prohibit credit card networks from continually increasing hidden swipe fees, which already cost consumers tens of billions of dollars each year,” and would “also constrain emerging payments innovation.” These innovations the opposition keeps referring to most likely include mobile wallets that allow consumers to pay using their smartphones.

Stay on Target

Joining Wal-Mart and NACS as vocal opponents of the settlement was Wal-Mart competitor Target. In a July 20 statement, Target used the now familiar language that the united opposition is using when it said in a statement that: “The proposed settlement would perpetuate a broken system, restrict retailers from any future legal action and offer no long-term relief for retailers or consumers.”

The NACS, Wal-Mart and Target were also joined by SIGMA, an association representing independent motor fuel marketers and chain retailers, in opposing this settlement. And then the National Grocers Association jumped on the anti-settlement bandwagon on July 27. “NGA joined the lawsuit on behalf of its independent retail grocer members over seven years ago to bring about real reform of the anticompetitive credit card swipe fee system,” said NGA president and CEO Peter Larkin in a statement. “This proposed settlement agreement fails in this regard by allowing Visa and MasterCard to continue their dominant anticompetitive practices.”

The Final Word

So as opposition mounts, it may be all for naught. The final decision still rests with a judge. It will be up to U.S. District Court Judge John Gleeson to approve or reject the settlement, a process that will play out in Brooklyn federal court over the next few months.