EMV Readiness Program

The third part of this series introduces the Choice Merchant Solutions EMV Readiness Program – part of a combined incentive program to shift businesses to chip-and-pin capable hardware as quickly as possible. The goal of this program is to secure customer payments and transactions, but we have found a way to benefit businesses as well.

Last time, we described the landscape for merchants. The final entry in this series will lift the veil that shrouds EMV and ensure that readers, clients, and customers are aware of the actions they can take to protect their payment card information.

What is EMV?

EMV stands for Europay, MasterCard, Visa – the three founding members of the chip-and-pin standard. In uncomplicated terms, adopting the EMV standard will increase security by utilizing a chip installed on new credit cards to validate and authenticate transactions. The EMV standard is managed by EMVCo, which was founded by the above companies.

Unfortunately, the United States is one of the last countries to adopt EMV technology, and the price we have paid is very high. These two events show how serious EMV adoption is, especially after 2013, the worst year in history for data breaches. If you haven’t already, read the second post in this series here.

The Liability Shift

In October 2015, Visa, MasterCard and American Express will implement a liability shift – merchants will be held liable for insecure card-present transactions. Visa, MasterCard, and American Express have stated that businesses with EMV deployment will be protected from this liability.

What does this mean for merchants?

By October 2015, merchants will need to have the capability to accept EMV cards, or they will be held liable for fraudulent transactions. Conversely, card issuers will be held liable for fraudulent transactions if the cards they issue are not EMV capable. Carolyn Balfany of MasterCard explains it very well:

So if a merchant is still using the old system, they can still run a transaction with a swipe and a signature. But they will be liable for any fraudulent transactions if the customer has a chip card. And the same goes the other way – if the merchant has a new terminal, but the bank hasn’t issued a chip and PIN card to the customer, the bank would be liable.

-Carolyn Balfany

Recent Events

Breaches

Since this series was started, several other large corporations have been breached, including Dairy Queen and K-mart. Serious failures in data security such as these cost millions in damages, repairs, and inevitable upgrades, while hemorrhaging customer trust. Small businesses do not have the assets or scale to absorb attacks in the same way that these companies do, so data security is even more important for Main Street.

White House

In the past week, universal EMV acceptance has gained support from the highest power in the land. President Obama signed an executive order last Friday starting the “Buy Secure” Initiative, which will protect customer information, begin the transition of government-issued cards to chip-and-pin technology, and motivate Congress to pass data breach and cybersecurity legislation.

Rebates

American Express, the most exclusive credit card issuer, is offering financial incentives for small businesses in order to spur adoption of a more secure method of processing transactions. The program is very accessible, only requiring that merchants have EMV compliant hardware, be located in the United States, and process less than $3 million in annual American Express charge volume.

The cost of this program is astronomical, and the cost of upgrading thousands of major retailers to chip-and-pin enabled credit card readers is even higher. Thankfully, Main Street businesses do not have to deal with this; all they have to do is contact their merchant services provider and purchase an equipment upgrade.

How can I accept EMV cards?

You need an EMV-ready terminal. Most merchant services companies should be able to provide you with one, especially considering the popularity of the topic. Fill out the form below to hear back from one of our representatives.

Choice Merchant Solutions EMV Readiness Program

The Choice Merchant Solutions EMV Readiness Program is designed for proactive business owners who want to stay ahead of the curve, protect their customers’ data, and reduce expenses.

Our program starts with the proper hardware. We use the Verifone VX 520, a dual communication terminal that comes equipped to handle EMV right out of the box. The VX 520 offers enhanced security features and can communicate through a phone line or an Ethernet connection, making it ideal for any business.

Our clients have given us positive feedback on the device. The VX 520 is much faster than its predecessor, a key factor in moving customers quickly and efficiently. Employees like it as well. The user interface is a vast improvement over the previous model, and commonly used functions are intuitively placed and easily accessible.

In addition to the VX 520 terminal, the EMV Readiness Program includes an unprecedented 4-year rate lock.

This offer is only available for a limited time.

Worried that there’s no point in upgrading when nobody has the card? Not a problem. Here is a list of card issuers that have already begun to send consumers EMV ready cards. Look in your wallet, you may already have one!

For more information, you can email us at [email protected] or call us at 860-507-1294.

Follow us on Facebook, Twitter, and LinkedIn for more information concerning the safety of your information, and be sure to use the hashtag #EMVReady.

Protecting Customer Information

In our last blog post, titled Data Breaches, Data Breaches Everywhere, we talked about big data security and the largest data breaches of 2013. They affected multinational companies and some of the largest retailers in the United States.

However, that does not mean small businesses are exempt - in 2012, about 40% of data breaches occurred in businesses with fewer than 100 employees. So how can small businesses combat this and make protecting customer information a priority? Read the second entry in this three-part series to find out.

PCI Compliance

The Payment Card Industry (PCI) Security Standards Council is the governing body of payment card data security for most businesses and an advocate for protecting customer information. The Council was founded in 2006 by American Express, Discover Financial Services, JCB International, MasterCard, and Visa Inc. Its PCI Data Security Standard (DSS) serves as the baseline for merchants that accept cards as a form of payment – from national department store chains to seasonal fruit stands.

In security terms, it means that your business adheres to the PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. In operational terms, it means that you are playing your role to make sure your customers’ payment card data is being kept safe throughout every transaction, and that they – and you – can have confidence that they’re protected against the pain and cost of data breaches.

-PCI Data Security Standards Council Website

Businesses comply with the PCI DSS by following these 12 guidelines:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel

The important thing to remember is that the PCI SSC cannot enforce these rules; it simply provides information about best practices and data security.

Small Business Data Security

These are some things to watch out for while running a small business, and some simple solutions.

  1. Hacking – malicious individuals can get your information by accessing your hardware or software through lackluster protective measures. Solve this by securing your connections. Encrypt your Wi-Fi, put a password on it, and don’t give it out to just anyone. There are dozens of options that range from free to thousands of dollars for all types of businesses.
  2. Payment fraud – people can access your info through the POS or terminal. Solve this by controlling user access to your Point-of-Sale system or terminal. Create unique user IDs for each employee to control their permissions, monitor their usage, and hold them accountable. Your merchant services provider can help you with setting this up.
  3. Employee fraud – not everyone is who they say they are. Solve this by running background checks and extending your interview process. And remember, fewer employees means each has a higher chance to screw up your business.
  4. Lost, discarded, or stolen documents – people can sift through your trash if it’s not shredded. Solve this by buying a document shredder. Shred documents on a daily or weekly basis, and make sure that the remnants are properly destroyed.
  5. Negligence – Target’s malware detection tool caught the attack, but it wasn’t configured properly. Solve this by turning on all security features and options. Check regularly to make sure that they are on and up to date.
  6. Third-party companies – Hackers work backwards from the point of easiest entry. Target was breached through an HVAC provider. Solve this by vetting your partners’, suppliers’, and vendors’ security measures. Their security is your security.

High Risk Merchants

High-risk merchants usually pay higher rates and fees, are watched very closely for fraud, and have other stipulations stapled to their contracts. Businesses that accept card-not-present transactions, some service providers, or businesses in an industry that is heavily regulated are typically considered higher risk. The common denominator is an increased chance of fraud and an increased chance of chargebacks.

It is extremely important that businesses in this category maintain the strongest level of protection for their customers’ payment card information. Their businesses are already suffering non-negotiable increased costs; by adding a data breach or fraud on top of that, they run the risk of having their merchant account shut down, or in the worst-case scenario, being put out of business.

What To Do If You Are Breached

  1. Don’t panic – Panicking leads to hasty decisions. Haste makes waste. Don’t panic.
  2. Preserve the crime scene – That’s what it is now. Preserving the crime scene means that the authorities have a better chance of finding useful information. Instead of wiping hard drives or unplugging cords, stop using your terminal, virtual gateway, or Point-of-Sale system, and break out the cash drawer.
  3. Gather info from service providers (internet, telephone, security, merchant services) – they have access to information that you don’t. Make some phone calls and let them know what happened and ask what they can do about it.
  4. Legal advice – Call the police, and get yourself a lawyer. You may not need one depending on the size and scope of the breach, but that’s not something you want to test.
  5. Communicate – Tell your employees and customers. Let your service providers, third-party vendors, wholesalers, and anyone else that could be affected know that your payment card security was compromised, that you are looking into it, and that you will keep them updated. As evidenced by the efforts of Neiman Marcus, Target, and PF Chang’s, an open line of communication between executives and customers is very effective damage control.
  6. Reevaluate – Something went wrong. Find out what it was, and fix it so that it never happens again. The PCI SSC has many resources for small businesses here and here.

Landscape for Merchants

The landscape for merchants is not promising. Last year was the worst in history for data breaches. Main Street businesses need to comply with PCI DSS regardless, but proactive owners and executives will add additional layers of security to protect customer information.

The best way to do this is to accept chip-and-pin cards (also known as EMV cards), by using a terminal equipped for them. 86% of financial institutions plan to issue chip-and-pin cards in the next two years. Small businesses don’t have the same luxury. By October 2015, merchants who are unable to accept chip-and-pin cards will be held liable for fraudulent transactions, something considered long overdue.

The Choice Merchant Solutions EMV Readiness Program helps merchants convert to a more secure system before it’s too late and emphasizes protecting customer information. Check back for the penultimate chapter of this series, which will tell you everything you need to know about EMV. If you’re an early adopter, or want to find out more from a qualified representative, call us at 860.296.1300 or check out our merchant processing page.

Follow us on Facebook, Twitter, and LinkedIn for more information concerning the safety of your information, and for the rest of the series.