Updated: Tuesday, May 26, 2015
Ready or not, PCI 3.0 is here
The deadline for PCI 3.0 mandatory compliance is fast approaching. If you and your merchants are compliant that's good news. The bad news: the odds are against ongoing compliance. That's why card data security needs to be a multifaceted undertaking.
"PCI, EMV, point-to-point encryption – all of these things have to be done together," said Don Brooks, Senior Security Engineer at security services company Trustwave. These days EMV (short for Europay, MasterCard and Visa, the technical standard for chip cards and chip-reading terminals) is garnering much attention, with its looming October 2015 deadline for compliance.
However, compliance with the latest Payment Card Industry Data Security Standard (PCI DSS, or often just PCI) is mandatory beginning June 30. Acquirers and their partners should be working now to ensure merchants are and remain compliant with PCI 3.0, Brooks advised in an interview with The Green Sheet. "Ultimately it all comes down to the acquirer and the ISO making sure merchants are doing the right thing," he said.
PCI 3.0, released in 2014, updates the standard, which was previously updated in 2011. The effective date was January 1, 2015, but mandatory compliance was delayed for six months to provide companies sufficient time to complete implementation routines. PCI requirements apply to all organizations that accept, process, store or transmit payment card data – from the largest national acquirers to the smallest merchants.
More hands-on approach
The scope of PCI 3.0 is much broader than past versions, placing greater responsibility on merchants for protecting the integrity of POS devices, networks and authentication protocols, as well as for oversight of third-party service providers. "The changes focus on responding to what the bad guys are doing," Brooks said.
Over the past few years, for example, hundreds (possibly thousands) of malware-infected POS devices have been the source of major card-data breaches. So PCI 3.0 specifically requires that merchants keep tabs on and regularly inspect POS devices for tampering and substitution, and that they train employees to be on the lookout for signs of device tampering.
Also, as PCI compliance requirements have expanded, more merchants are outsourcing risk management and PCI compliance routines. It's an understandable step – even the simplest self-assessment forms are pages long – but it comes with its own set of responsibilities. Under PCI 3.0, for example, merchants need to validate authentication routines used by third parties and ensure they use unique authentication credentials for each customer. They also must require that third-party providers acknowledge in writing their responsibilities concerning cardholder data.
Compliance improves, or does it?
Security breaches are a major source of concern for organizations large and small. Indeed, few companies seem immune. A survey of 9,700 businesses by the consultancy PricewaterhouseCoopers (PwC) revealed those companies alone detected nearly 43 million "security incidents" last year. Incidents are not breaches, but they can lead to breaches. PwC estimated (based on its data) that security incidents have been increasing at a compound annual rate of 66 percent since 2009, when there were fewer than 9 million incidents.
Worse, many companies remain unaware of their responsibilities for protecting card data. Software Advice, a unit of the consultancy Gartner Inc., surveyed small and midsize businesses on PCI 3.0 in December 2014 and found nearly one in five did not even know what PCI was; 30 percent did not know the penalties for noncompliance. Just 38 percent said they were "very confident" they would be compliant with the updated PCI rules; fewer yet, 16 percent, expressed confidence in their understanding of the new rules regarding third-party provider oversight.
Meanwhile, Verizon Communications Inc., which operates a unit focused on card data security and PCI compliance, reported that although overall compliance with PCI continues to improve, few organizations are able to sustain compliance over the long term.
The Verizon 2015 PCI Compliance Report analyzes the outcomes of nearly 3,000 PCI assessments conducted by its Qualified Security Assessors last year, as well as forensic investigation reports produced by the company's security unit. It revealed that between 2013 and 2014, compliance with 11 of the 12 PCI requirements was up, with the biggest increase in compliance witnessed in procedures for authenticating network access. The only area where compliance was lower was with testing security systems. In fact, most of the lowest compliance scores involved testing procedures, the report noted.
"Compliance with the Payment Card Industry Data Security Standard (PCI DSS) continues to improve, but four out of five companies still fail at interim assessment," the Verizon report stated. "This indicates that they've failed to sustain the security controls they put in place."
Second Sally Beauty breach a 'wake-up call'
Friday, May 22, 2015
Denton, Texas-based specialty retailer Sally Beauty Holdings Inc. revealed on May 15, 2015, that the company had suffered its second security breach in less than two years. The publicly traded company, with approximately 4,800 stores worldwide and annual revenues of $3.8 billion, withheld details on the recent attack but confirmed it is fully cooperating with ongoing investigations.
Sally Beauty President and Chief Executive Officer Chris Brickman, who replaced the company's outgoing CEO, Gary Winterhalter, in February 2015, declined to speculate on details of the intrusion, deferring to the ongoing forensics investigation. He did, however, encourage customers to monitor payment card and bank accounts for suspicious activity.
"We are working diligently to address the issue and to care for any customers who may have been affected by the incident," he stated, while noting that payment card brand rules stipulate customers will not be responsible for fraudulent charges to their accounts if said charges are promptly reported. The company also established a dedicated toll-free hotline and email address for customers to direct concerns about the breach and its possible impact on their payment cards.
Second call to first responders
In March 2014, Sally Beauty became aware of an unauthorized intrusion into its internal processing systems, affecting approximately 25,000 customer records. Four card issuers subsequently traced fraudulent transactions to payment cards linked to the attack. Security analysts believe account details for approximately 260,000 credit and debit cards were stolen.
The company said it hired Verizon Communications Inc. to conduct an investigation and lead efforts to "remediate and mitigate the issues caused by this security incident." These efforts included offering a free year of credit monitoring and identity theft protection to consumers whose cards may have been affected.
The security community views the second breach at Sally Beauty as a wake-up call for retailers, demonstrating the need for ongoing vigilance and compliance.
"This second Sally breach illustrates how vulnerable companies continue to be, even when they should be on notice," said Michele Borovac, Vice President at HyTrust, a cloud-security company based in Mountain View, Calif. She went on to say that attackers are getting smarter and that sometimes even the best perimeter measures are not enough to "stop the kill chain."
Multipronged security benefits
Borovac and her team have seen a recurring pattern in recent breaches, in which attackers have used administrator credentials to gain access to internal security systems. "Organizations must take a fresh look at their internal security systems, processes and people, and put controls in place to protect these privileged accounts," she said.
Many security analysts consider the multipronged data security strategies that incorporate a combination of compatible technologies and services to be the best defense against cyber attacks.
Marcin Kleczynski is CEO of Malwarebytes, an anti-malware solutions provider headquartered in San Jose, Calif. In recent years Kleczynski and his colleagues have seen a marked uptick in cyber attacks across multiple industries. The majority of these attacks focus primarily on stealing financial data. "The financial industry needs to make a greater effort toward evolving our current digital payment technologies to something far more secure," he said.
Kleczynski urged consumers to demand greater security in the financial world and encouraged business owners to adopt smarter, more secure technologies.
We can enhance security and protect consumer data by "employing, or at least experimenting with, numerous security technologies like two factor authentication, chip and PIN and even dynamic card numbers," he said, adding that these technologies create additional layers of defense, which render a customer's financial information useless if it is stolen.
An ounce of prevention
The retail and payment communities are well aware of the devastating effects of data security breaches on retailers. As of this writing, Sally Beauty's stock had been declining since the breach became public knowledge. Some financial analysts have questioned whether the company has the resilience to survive the second major attack.
Dr. Mike Lloyd, Chief Technology Officer at Sunnyvale, Calif.-based cyber-analytics platform RedSeal Inc., recommended the use of automated technologies to help organizations identify security gaps before breaches occur.
"Much like a chain, a network is only as strong as its weakest links, and it's very clear now that we face persistent thieves, organized like ants, who will find whatever we leave open to take," he said.
Will Google 'buy' push retailers' buttons?
Tuesday, May 19, 2015
Google Inc. is widely rumored to have near-term plans for incorporating a buy button into its mobile search pages, according to mainstream media reports that began circulating on May 15, 2015. Retail analysts suggest that the development would mark a strategic shift for the search engine, moving it from a neutral position to head-to-head competition with retailers and e-commerce marketplace giants such as Amazon.com Inc., eBay Inc. and Alibaba.com.
Google's buy button would facilitate impulse purchases during routine product searches, sources say. Similar to Amazon's one-click payment method, buy buttons would transport consumers to an e-commerce site where their personal information and buying preferences would be stored so they could complete purchases.
Buy buttons would have the potential to prolong average visit times on the Google site, as opposed to current Google searches that link to websites outside Google's footprint. The Amazon Marketplace has successfully leveraged this model, hosting an array of third-party sellers that transact directly with Amazon customers who buy their goods and services without ever leaving Amazon.com.
Limited pilot, limited disclosure
Industry analysts have anticipated Google's response to increasing competition from Amazon, which has gained a reputation as a search engine as well as an online marketplace. A recent study by Forrester Research found that in the third quarter of 2014, 39 percent of U.S. shoppers initiated online searches on Amazon, compared with only 11 percent who began product searches on Google. These indicators demonstrate the value of aggregated search and e-commerce functions.
In the first phase of Google's pilot, buy buttons will reportedly only be featured in mobile searches conducted on smartphones and tablets, appearing only on sponsored products endorsed and paid for by leading retailers.
While there has been widespread speculation about buy buttons' overall impact on e-commerce, a Google spokeswoman said that the company had nothing to announce. "We continuously explore and test many ideas for improving the experience for consumers," she said.
Facebook, Twitter, Pinterest explore online marketplace
Payments analysts have long predicted that widespread popularity of social media sites would inevitably lead to new forms of social commerce. In July 2014, Facebook, Twitter and Pinterest all disclosed plans to add buy buttons to their social media sites, prompting speculation that the monetization of social media was finally at hand.
Facebook shared that it was testing a buy button for news feeds and product pages. "With this feature, people on desktop or mobile can click the 'Buy' call-to-action button on ads and Page posts to purchase a product directly from a business, without leaving Facebook," the company stated. Facebook further noted that "none of the credit or debit card information" used in its e-commerce transactions would be shared with third parties, and consumers would have an option of storing their payment cards on Facebook.
Twitter's "Buy Now" button, which first appeared on July 1, 2014, on a single retail site, went viral as followers around the world re-tweeted images of the button embedded next to different retail products. The event was a bit of a dust-up, as the button itself was inactive and part of a limited beta test. However, the excitement created by its appearance was indicative of Twitter's broad e-commerce potential.
Pinterest is also experimenting with a buy button that would enable visitors to click and buy "pinned" products directly on the site. The button follows the successful release of the "Pin It" button, which enables single click pinning to Pinterest of products of interest users find on other websites.
Just buttons for now, no selling or shipping
While speculation grows regarding Google's buy button plans, there are no indications that Google will do anything more than expedite and streamline mobile commerce, prolonging the average visits of millions of shoppers who access its site from mobile phone browsers and Android apps. Its plan to improve efficiencies of Internet shopping is widely believed to be a direct challenge to Amazon's search and online advertising prowess.
Additionally, Google is experimenting with membership programs that facilitate a range of VIP services, much like the popular Amazon Prime program that has gained approximately 40 million subscribers. Google Express, launched in 2014, is being tested in major regional markets in the United States, including New York, San Francisco, Washington, D.C., Boston, and Los Angeles. Subscribers who pay a $95 annual membership fee can use the service to order online from participating retailers, including Costco Wholesale Corp., Staples Inc., and Walgreen Corp. for unlimited same-day delivery on orders over $15.
ShopRunner Inc. introduced a similar program with a $79 annual fee that provides members with exclusive discounts and two-day shipping from participating retailers, including such well-known brands as Staples Inc., General Nutrition Centers Inc., Neiman Marcus Group Inc., and American Eagle Outfitters Inc.
SEAA hosts Transaction Cardi Gras in New Orleans
Monday, May 18, 2015
The Southeast Acquirers Association held its 14th annual conference April 20 to 21, 2015, in New Orleans with a balanced blend of exhibits, entertainment and presentations. The two-day event included networking, presentations, seminars and entertainment in a city known for hospitality, music and world-class cuisine.
Leading industry processors, manufacturers, vendors, leasing companies and technology startups convened in the exhibit hall. Monday evening's opening reception was followed by a Bourbon Street pub crawl led by a live jazz band. Show highlights included an ETA Certified Payments Professional seminar, an array of contests and an eclectic mix of guest speakers.
"In our experience, it was a well-organized, high quality event with a great balance between social gatherings and informative discussions around payments, acquiring and merchant relationships," said conference exhibitor Stephen Ramminger, Senior Business Operations Manager at Atlanta-based ControlScan.
SEAA, ETA strategic partnership
Presenter Jason Oxman, Chief Executive Officer of the Electronic Transactions Association, drew applause when commenting on the ETA's active collaboration with regional industry associations.
"I'm honored to have the opportunity to represent the industry," he said, reflecting on the ETA's 25-year history and continuing focus on education, advocacy and exchange of information. He shared findings from a newly released Goldman Sachs study in which 64 percent of respondents stated they expect merchant volumes to increase in 2015; approximately 45 percent of merchants said they were on track to achieve EMV (Europay, MasterCard and Visa) compliance by the end of 2015.
Oxman noted that the ETA now has four full-time lobbyists in Washington, D.C., currently monitoring six pending bills in Congress. He expressed confidence in the newly formed bipartisan Congressional Payments Caucus and the payments industry's role in powering payments throughout the United States.
Eclectic presentation mix
Casey Porter, Director of Product Delivery at Visa Inc., co-presented with Oxman on the role of ISOs and merchant level salespeople in the ever-changing payments market. Porter said Visa is working with processors and acquirers "to drive our value and sell our issuing products into the merchant base," through timely offers and discounts at the POS.
Keynote speaker and author Mac Fulfer shared his Amazing Face Reading sales techniques, which included a live demonstration involving four brave audience volunteers. Fulfer noted that sales professionals can take their cues from a prospect's facial characteristics to adapt sales presentations. "There is no law against using face reading," he said.
Other presentations by industry experts included advice on selling merchant portfolios, using technology to acquire new merchants, and effective ways to build a personal brand through networking and relationships.
Whodat2015 innovation awards
Winners of the SEAA's Whodat2015 Innovation Program were honored at the conference. Ten finalists competed in four categories: originality, revenue opportunity, presentation quality and market impact.
Finalists had eight minutes to present innovations to a judging panel during the opening session on April 20. Contest rules stipulated that solutions must be production-ready at the time of competition. Entrants were limited to one product per submission form and two product submissions per company with an April 1 deadline.
First prize winner Ping 2 Credit Mobile received $1,000, a complimentary exhibit space in the Payments Next Zone at Transact 16, and a complimentary booth at the 2016 SEAA. Second place winner Click a Waiter Inc. received $500. Third place winner Jory LLC received $300, and fourth place winner Quisk Inc. received a $200 prize.
Pay it forward with lagniappe
Lagniappe, a word that means a little something extra, is thought to have originated in New Orleans from the Spanish la ñapa. It also can be used to describe the spirit of camaraderie and partnership at Transaction Cardi Gras.
Gary DeBaise, Account Representative at New York-based Xpress-Pay, said that exhibiting at SEAA increased the company's visibility and credibility. He described the show's overall atmosphere as "friendly professionalism" and offered an example, stating, "I met someone at lunch and he opened a conversation right away about my business, his business and how we can potentially work together."
Michael Doron, Managing Director of Pay.On America Inc., was also pleased by booth traffic and level of interest at the conference. "There's a growing need for secure, PCI-compliant, cross-border e-commerce in the card-not-present space," he said, noting that attendees and fellow exhibitors were equally interested in learning about his company's products and services.
Small change for small issuers in Target-MasterCard settlement
Friday, May 15, 2015
In a four-page ruling issued May 7, 2015, United States District Court Judge Paul A. Magnuson blocked a preliminary injunction filed by a group of small banks and credit unions against a settlement proposed by MasterCard Worldwide and Target Corp. The plaintiffs claimed the settlement terms provide insufficient compensation for losses resulting from Target's 2013 data security breach, which compromised approximately 40 million credit and debit cards and 70 million consumer email and physical addresses.
Plaintiffs included Mutual Bank in Whitman, Mass.; Village Bank in St. Francis, Minn.; CSE Federal Credit Union in Lake Charles, La.; First Federal Savings of Lorain in Lorain, Ohio; and Umpqua Bank in Roseburg, Ore., a subsidiary of Umpqua Holdings Corp. The claimants stated that smaller financial institutions lack the reserves and infrastructure to effectively deal with the increasingly frequent and wide-scale attacks against retailers. Breach-related costs include credit and debit card reissuance, reimbursement of fraudulent charges and preventive maintenance such as free credit screening services to customers potentially affected by data breaches.
April 15 handshake, May 20 deadline
Target and MasterCard disclosed on April 15 that they had settled a dispute over the amount Target owed MasterCard's issuing banks for the December 2013 security breach. Target agreed to pay MasterCard $19 million if MasterCard secured a 90 percent approval from eligible card issuers by May 20. On April 16, MasterCard sent estimates to issuer banks of calculated damages from the Target breach, offering to pay a fixed percentage of MasterCard-related costs. Banks and credit unions had until May 20 to accept or reject the offer.
Judge Magnuson called the 30-day window "a short time-frame" for banks to decide and noted that lead counsel for plaintiffs "were neither involved nor informed of the settlement before the public announcement." Despite his expressed disapproval, Judge Magnuson could find no evidence of outright coercion or misconduct.
"Plaintiffs' lead counsel has proffered not a single affidavit from a bank that it fears losing MasterCard's business if it does not accept MasterCard's offer," he wrote, thus reluctantly granting approval for the settlement to go forward.
Ruling based on 1995 precedent
Judge Magnuson referenced a 1995 ruling by the Eighth Circuit Court in Great Rivers Co-op of Se. Iowa vs. Farmland Industries Inc., which cautioned against restraining speech in a class-action context, claiming that the courts cannot intervene in class-action settlements unless there is clear evidence of interference in the plaintiffs' rights. Guided by this standard, he was clearly empathetic toward the plaintiffs but found insufficient legal basis to grant the preliminary injunction.
"The Court agrees with the Plaintiff's counsel that the terms of the settlement do not appear altogether fair or reasonable," Magnuson wrote, further noting that "the way this issue has arisen is neither fair nor is it how the Court expects attorneys to conduct themselves in litigating matters before the Court." He later commented that while the settlement may not pass the smell test, there was no serious misconduct by any of the parties.
Target leaves Canada, expects more fallout
Target is bracing for more fallout from the 2013 breach. In its annual report released March 13, the retailer stated that it expects further litigation from consumers as well as from state and federal regulatory bodies, including the Federal Trade Commission, the Securities and Exchange Commission and leading payment card brands.
Target recently closed 133 stores in Canada, laying off more than 17,000 workers in that market and auctioning off its Canadian real estate. Lowe's Cos. and Wal-Mart Stores Inc. were quick to snap up available sites. On May 8, Wal-Mart revealed plans to acquire 12 stores and a 1.4 million-square-foot distribution center for $138 million and said it plans to invest approximately $153 million more on improvements and renovations. Lowe's stated on May 11 that it acquired 13 former Canadian Target stores and a major distribution center in Ontario for a reported $124 million.