by Ty Hardison

Experts predict active year of breaches ahead of EMV deadline

Because payment cards with EMV security chips will proliferate in the market this year, experts expect that 2015 will be an active year for breaches.

Because payment cards with EMV security chips will proliferate within the market this year, experts expect that 2015 will be an active year for breaches. Criminals with tried-and-true methods of compromising existing POS systems will try to exploit the final window of time in which those methods remain effective.

"It absolutely will be the worst year of fraud because criminals know we are putting bars on the windows with EMV," said Bob Letgers of Fidelity National Information Solutions. "They will exploit that channel as much as they can."

Letgers made his remarks during a panel at the Consumer Bankers Association conference in Orlando, according to the Orlando Sentinel. As the October deadline draws closer, hackers have at least six months left to … more

Verizon study shows PCI compliance is improving

A new study by Verizon posts a more encouraging outlook on the state of compliance.

As payment card standards evolve, surveys have been conducted to gauge how seriously merchants take remaining compliant with PCI requirements. On this blog, we discussed the troubling statistic that fewer than one-third of businesses remain compliant between PCI audits. A new study by Verizon posts a more encouraging outlook on the state of compliance, however, as it found that the total number of compliant organizations rose by 20 percent last year.

The shift may be due to two primary reasons. First, with new standards in place this year, PCI compliance is factoring more prominently into the conversation about payment card security. Second, a spate of high-profile breaches has positioned security practices as an important risk reduction measure. The … more

Strong third party relationships can boost efficiency of response plans

Good relationships with third party service providers can strengthen response plans.

One of the most important facets of payment card security is enacting an emergency response plan. Prevention efforts can only go so far to protect merchants from the fallout of a breach, so preparing for the worst is an integral part of data protection strategy. 

On this blog, we recently discussed how continuous attention to compliance measures like auditing helps companies identify breaches as soon as a compromise occurs. But then what?

"Once auditing is in place, you should be able to detect and respond to any incidents that fall outside of normal business rules," explains Steve Dickson, vice president and general manager of Windows Management, Dell Software, in CIO Magazine. "Have a solution that can simultaneously audit and alert. You also need to remediate any issues by … more

PCI 3.0 standards expect more constant vigilance from vendors

A more proactive approach to payment data security can reduce the risk of costly attacks.

One of the biggest hurdles to payment card processing security is for companies to remain compliant between audits. As we've reported on this blog, many don't. However, continuous review and monitoring are written into the new PCI 3.0 standards to prevent companies from overlooking their responsibility to evaluate practices on an ongoing basis. Instead of cramming for a PCI audit, businesses are expected to integrate assessment measures into their regular operations.

Experts say that those expectations may be the most challenging difference between old PCI standards and the latest guidelines. 

"PCI DSS 3.0 inherently implies that organizations adopt continuous compliance and monitoring to reduce the risk of a breach...," writes Torsten George of Info Security Magazine. "This … more

Robust penetration tests are critical to data security

One of the most effective ways a company can determine the security of a card processing platform is to undergo a penetration test. These are required for PCI compliance, and merchants conduct them annually to identify vulnerabilities and preempt malicious hacking attempts. In a standard penetration test, testers make their best effort to compromise a network in the manner of cybercriminals, thereby revealing which areas might be susceptible to a breach.

Mark Burnette of Net Security says penetration tests allow merchants to use the tools of hackers to help fortify existing systems. Rather than waiting for criminals to discover vulnerabilities in a payment card processing system, companies that probe their own systems first can double down on security.

"In the … more

What merchants need to know about the new credit card fraud liability rules

Starting October 1, retailers, rather than card issuers, may be held liable for credit card fraud if an EMV card is accepted at an EMV-less terminal.

New rules for retailer credit card fraud are slated to go into effect on October 1, representing the first major sea change in credit fraud liability in years. But what do merchants need to know to make sure that they're ready for this change?

According to the financial news website The Street, come this October, U.S. retailers looking to better manage risk after the shift in fraud liability will need terminals compliant with Europay-MasterCard-Visa (EMV) "smart cards," which are designed to better curb instances of counterfeiting. This shift in determining where liability lies if fraud occurs is just one step in a much larger process of pushing for more widespread adoption of EMV throughout the U.S.

While card issuers — predominantly banks — used to … more

Marriott franchise hit by another string of breaches

Many of the Marriott Hotel locations whose credit processing systems were compromised in 2013 experienced a similar breach in the second half of last year.

Many of the Marriott Hotel locations whose credit processing systems were compromised in 2013 experienced a similar breach in the second half of last year. After several banks and credit institutions investigated incidents of fraud on credit and debit accounts, investigative reporter Brian Krebs followed the payments to the series of hotels, 14 in total. 

The locations in question are run by franchise operator White Lodging Services, and the breach was traced to hacked point of sale systems. The compromises mostly occurred at restaurants and bars at the hotels, between September 2014 and January 2015, according to Jeff Goldman at eSecurity Planet. 

"We recently were made aware of the possibility of unusual credit card transactions at a number of hotels operated by one of our … more

New "Ghost" vulnerability prompts warning from Homeland Security Department

A new vulnerability called "Ghost" has emerged as a threat to computer systems.

A new vulnerability called "Ghost" has emerged as a threat to computer systems, cautions the PCI Security Standards Council. The United States Department of Homeland Security has issued a warning to users of Linux systems running GNU C Library versions prior to 2.18. By remotely executing code, hackers can take control of a system to install malware, manipulate files and carry out other illegal activities with stolen credentials, reports Mobile Payments Today.

The warning was released through the United States Computer Emergency Readiness Team, and PCI Security Standards Council made suggestions for companies to protect their secure payment card data in light of the new threat:

First, companies should work with IT departments to find systems, servers and pieces of hardware that run a targeted … more

Less than one-third of retailers remain compliant between audits

According to Verizon's 2015 PCI Report, only 28.6 percent of retailers remain compliant with PCI standards in the periods between audits.

Businesses that use credit card merchant services are held to PCI compliance standards, but many of them only do the legwork in advance of an audit. With the spate of headline-grabbing breaches, it's easy to see why this is bad business practice. According to Verizon's 2015 PCI Report, only 28.6 percent of retailers remain compliant with PCI standards in the periods between audits. This means that some companies are keeping up with standards imposed on credit card security for only a brief window of time, leaving them open to vulnerabilities for the remainder of the year. 

"We see compliance going down day by day, month by month, after the assessment," said Rodolphe Simonetti, managing director for Verizon's compliance consulting. "Compliance is supposed to be … more

Supreme Court denies merchants' petition for lower debit card processing fees

The Supreme Court opted to dismiss a merchant petition calling for the court to reconsider the debit card swipe fees set by the Fed.

In 2011, the Federal Reserve was accused of ignoring the Durbin Amendment to the 2010 Dodd-Frank Act when it established a debit card swipe fee of 21 cents per transaction, a cap the Fed claimed was allowed by the amendment's ambiguous language. On the other side of that debate, merchants argued that the cap was far beyond what was originally intended by Dodd-Frank, and a U.S. district court ruled in their favor in the summer of 2013. But as we shared with you last year, that ruling was then overturned by an appellate court, which stated that the legislation, albeit "poorly drafted," still entitled the Fed to set the merchant interchange fees it had established for debit card swipes.

That setback prompted merchants to file a petition with the U.S. Supreme Court, urging the high court to take up its … more