by Ty Hardison

Not all businesses require EMV terminals: Does yours?

Do I need an EMV terminal for phone and online transactions?

At Vantage, we routinely field questions about payment processing technology. Clients come to us every day with their queries: some are specific to their business model, while others come up often enough to become frequently asked questions. With the growing buzz surrounding the EMV chip card rollout, driven in part by a frenzy to sell terminal hardware, here is one of our top EMV FAQs to date:

Question: "My business processes all credit card payments online and never sees a physical credit card because we receive this information over the phone. Is this EMV-ready terminal something that we will need to acquire?"

Answer: If payments online and over the phone are the only transactions your company manages, then no, you won't need an EMV terminal. EMV is being implemented in an attempt to prevent … more

March blog roundup: PCI compliance strategies

In case you missed it (ICYMI), here's a roundup of some of our favorite Vantage Viewpoint blog entries from the last month.

Last month, we delved into PCI compliance topics on the Vantage Viewpoint blog. What are the hurdles to staying compliant, and what are the risks of overlooking payment card security? In case you missed it, here are some of our favorite posts from March about PCI compliance.

PCI 3.0 standards expect more constant vigilance from vendors

Key takeaway: Continuous review and monitoring is written into the new PCI 3.0 standards to prevent companies from overlooking their responsibility to evaluate practices on an ongoing basis. Instead of cramming for a PCI audit, businesses are expected to integrate assessment measures into their regular operations.

Strong third party relationships can boost efficiency of response plans

Key takeaway: One of the most important facets of … more

Verizon: 80 percent of merchants fail interim PCI assessments

According to Verizon, 80 percent of merchants fail interim PCI compliance assessments.

On this blog, we discussed previews of the 2015 Verizon PCI Compliance Report from January, which suggested that fewer than one-third of merchants remained compliant between audits. According to the full report released this month, that figure could be as low as one-quarter. The firm states that 80 percent of all retailers fail interim PCI audits, leaving a sizeable majority of merchants vulnerable to cyber attacks through most of the year. 

"Today's cybersecurity landscape is constantly changing," said Rodolphe Simonetti, managing director, professional services for Verizon Enterprise Solutions. "Compliance at a point in time isn't sufficient to protect data. Putting the focus on making compliance sustainable is key. It must be a part of day-to-day activities within an … more

For mobile payment platforms, merchants shouldn't feel rushed

Merchants shouldn't feel rushed to get compatible with mobile payment platforms.

With countless media stories about the rise of mobile payment technologies like Apple Pay, Samsung Pay and others, merchants may feel pressure to get compatible to offer customers another option for point-of-sale transactions. However, Natalie Burg of Forbes says businesses on the fence about whether or not to adopt a new platform shouldn't feel rushed to make the decision. 

"Mobile technology offers many opportunities to grow consumer and merchant payments alike and for less friction in the experience for both," says Troy Leach, CTO of PCI Security Standards Council. "However, with that comes many new challenges not associated with traditional payments that all parties have come to trust."

Granted, those "traditional payments" come with challenges of their own, as evidenced by … more

Experts predict active year of breaches ahead of EMV deadline

Because payment cards with EMV security chips will proliferate within the market this year, experts expect that 2015 will be an active year for breaches.

Because payment cards with EMV security chips will proliferate within the market this year, experts expect that 2015 will be an active year for breaches. This is because criminals with tried-and-true methods of compromising existing POS systems will attempt to exploit the final window of time when those strategies are effective. 

"It absolutely will be the worst year of fraud because criminals know we are putting bars on the windows with EMV," said Bob Letgers of Fidelity National Information Solutions. "They will exploit that channel as much as they can."

Letgers made his remarks during a panel at the Consumer Bankers Association conference in Orlando, according to the Orlando Sentinel. As the October deadline draws closer, hackers have at least six months left to … more

Verizon study shows PCI compliance is improving

A new study by Verizon posts a more encouraging outlook on the state of compliance.

As payment card standards evolve, surveys have been conducted to gauge how seriously merchants take remaining compliant with PCI requirements. On this blog, we discussed the troubling statistic that fewer than one-third of businesses remain compliant between PCI audits. A new study by Verizon posts a more encouraging outlook on the state of compliance, however, as it found that the total number of compliant organizations rose by 20 percent last year.

The shift may be due to two primary reasons. First, with new standards in place this year, PCI compliance is factoring more prominently into the conversation about payment card security. Second, a spate of high-profile breaches has positioned security practices as an important risk reduction measure. The … more

Strong third party relationships can boost efficiency of response plans

Good relationships with third party service providers can strengthen response plans.

One of the most important facets of payment card security is enacting an emergency response plan. Prevention efforts can only go so far to protect merchants from the fallout of a breach, so preparing for the worst is an integral part of data protection strategy. 

On this blog, we recently discussed how continuous attention to compliance measures like auditing helps companies identify breaches as soon as a compromise occurs. But then what?

"Once auditing is in place, you should be able to detect and respond to any incidents that fall outside of normal business rules," explains Steve Dickson, vice president and general manager of Windows Management, Dell Software in CIO Magazine. "Have a solution that can simultaneously audit and alert. You also need to remediate any issues by … more

PCI 3.0 standards expect more constant vigilance from vendors

A more proactive approach to payment data security can reduce the risk of costly attacks.

One of the biggest hurdles to payment card processing security is for companies to remain compliant between audits. As we've reported on this blog, many don't. However, continuous review and monitoring is written into the new PCI 3.0 standards to prevent companies from overlooking their responsibility to evaluate practices on an ongoing basis. Instead of cramming for a PCI audit, businesses are expected to integrate assessment measures into their regular operations. 

Experts say that those expectations may be the most challenging difference between old PCI standards and the latest guidelines. 

"PCI DSS 3.0 inherently implies that organizations adopt continuous compliance and monitoring to reduce the risk of a breach...," writes Torsten George of Info Security Magazine. "This … more

Robust penetration tests are critical to data security

One of the most effective ways a company can determine the security of a card processing platform is to undergo a penetration test. These are required for PCI compliance, and merchants conduct them annually to identify vulnerabilities and preempt malicious hacking attempts. In a standard penetration test, administrators make their best effort to compromise a network in the manner of cybercriminals, thereby revealing which areas might be sensitive to a breach.

Mark Burnette of Net Security says penetration tests allow merchants to use the tools of hackers to help fortify existing systems. Rather than waiting for criminals to discover vulnerabilities in a payment card processing system, companies that probe it themselves first can double down on security.

"In the … more

What merchants need to know about the new credit card fraud liability rules

Starting October 1, retailers, rather than card issuers, may be held liable for credit card fraud if an EMV card is accepted at an EMV-less terminal.

New rules for retailer credit card fraud are slated to go into effect on October 1, representing the first major sea change in credit fraud liability in years. But what do merchants need to know to make sure that they're ready for this change?

According to the financial news website The Street, come this October, U.S. retailers looking to better manage risk after a new shift in fraud liability will need terminals compliant with Europay-MasterCard-Visa (EMV) "smart cards," which are designed to better curb instances of counterfeiting. This shift in determining where liability lies if fraud occurs is just one step in a much larger process of pushing for more widespread adoption of EMV throughout the U.S.

While card issuers — predominantly banks — used to … more