Verifone PCI Compliance Confusion

To keep up with security threats, the rules of PCI compliance change frequently, especially for PIN entry devices and payment applications. This makes compliance harder and leaves merchants struggling to understand what is required of them.

PCI DSS has tried to make things simpler by publishing specific timelines that show when updates to payment terminals need to be completed. But compliance is enforced by the card brands themselves, not by PCI DSS.

Individual acquirers can adjust the rules if they are eager to ensure compliance and avoid liability for data breaches and rule violations. Since different acquirers handle PCI in varying ways, it is difficult for merchants, ISOs, and merchant-level salespeople to get a clear view of what is going on and what needs to be done.

The Dates

For PIN-entry terminals, and for ATM sales and placement websites, July 2010 and December 2014 are the important dates. Terminals manufactured before 2004 must be swapped out by the first date. Terminals manufactured between 2004 and 2007 must be swapped out by the second date: they cannot be used after 2014, and they have not been legally sold since 2007.

Terminals made after 2007 contain Triple DES (Triple Data Encryption Standard) encryption and, as of today, can be used indefinitely.

Some additional rules have been introduced that create further confusion. As an example, Visa has required that summaries of PCI DES-compliant terminals and attendant POS activity be submitted by October 2009.

Additional Fees

Many acquirers will be charging PCI non-compliance fees. Acquirers are held liable when a merchant is non-compliant, so the fees are a way to offset the costs of a breach should one occur.

If terminals do not have the PIN debit feature, there is no need to get rid of them. For security purposes, though, an up-to-date terminal is always a good idea.

The questionnaire sent out to merchants by PCI SSC failed to ask whether or not PIN-entry devices were used. The questionnaire will be updated to do so.

Lessons from the Heartland Breach

Heartland Payment Systems announced on January 20, 2009 that it had experienced a huge data breach. This breach came soon after the breaches at Hannaford and TJX, two other payment system companies. Despite the arrival of PCI DSS and data breach laws, data compromises increased 47% from 2007 to 2008. It makes one think: if companies are PCI DSS compliant, then how could private data be at risk of breach?

Many writers have recently published their views on the PCI DSS. Many believe that the breach is evidence that the PCI DSS system of data protection is ineffective. Despite these opinions, the increase in data breaches does not prove that the system is flawed. It does show, however, how difficult it is to effectively protect personal data.

Several aspects must be considered when investigating a data breach, such as the merchant's risk level, the type of data being stored, how and why it is stored, and how it is being protected. The way the data was compromised should also be given thought. Predicting every threat to data is almost impossible; the best one can do is limit the risk to an acceptable degree.

PCI DSS compliance, rather than security, has become the main focus of companies in the industry. Some feel that it is better for business if merchants and other companies are not well informed about the PCI DSS. Companies put their trust in the PCI DSS and expect their information to be kept safe and not at risk. Many companies have not been interested in understanding information security and the difficulty of protecting data. Many are hiring experts for PCI compliance and expecting data security, when the PCI DSS standards are not up to par.

In short, data thieves are winning the battle over data security. Education in security strategies and risk management should be the goal of companies, instead of a compliance-based approach to risk management. Data thieves are always becoming more creative, so organizations need to become more creative in protecting data. All companies are experiencing difficulties with data security, as the Heartland data breach shows. Clearly, the PCI DSS data security standard should be reevaluated.

Press Release

FOR IMMEDIATE RELEASE

South Easton, MA – MSI Merchant Service announced its Better Business Bureau Accreditation today. BBB has over 400,000 Accredited Businesses and more than 128 offices in North America.

“We are pleased to be a BBB Accredited Business because it signifies our commitment to customer service, reliability, and trust,” said an MSI Merchant Service spokesperson.

“BBB Accreditation indicates that MSI Merchant Service has agreed to adhere to the BBB Accreditation Standards, which sets the business apart from their competitors. Accreditation clearly defines what a business has achieved, what it stands for, and what it promises to consumers,” said Kevin J. Sanders, President and CEO of BBB. “BBB Accredited Businesses pledge to follow through on their commitments, deliver on their promises, and right any wrongs if an honest mistake has been made.” According to Princeton Research (2007), 7 in 10 consumers say they will be more likely to buy from a business designated as a BBB Accredited Business.

BBB provides information on 3 million businesses nationwide, which consumers can access anytime via BBB’s website, bbb.org. Consumers can make an educated decision about who they want to do business with by researching the business. BBB responds to millions of such inquiries each year, providing information about charity organizations; helping resolve customers’ disputes with businesses through conciliation, mediation, and arbitration; and promoting trust, ethical business standards, and voluntary regulation of business practices.

As a BBB Accredited Business, MSI Merchant Service may display the widely recognized BBB Accredited Business seal. BBB Accredited Businesses are setting the standard to Start With Trust.

About BBB

BBB is an unbiased organization that sets and upholds high standards for fair and honest business behavior. Businesses that earn BBB Accreditation contractually agree to adhere to the organization’s high standards of ethical business behavior. BBB provides objective advice, free business BBB Reliability Reports and charity BBB Wise Giving Reports, and educational information on topics affecting marketplace trust. To further promote trust, BBB also offers complaint and dispute resolution support for consumers and businesses when there is a difference in viewpoints. The first BBB was founded in 1912. Today, 128 BBBs serve communities across the United States and Canada, evaluating and monitoring more than 3 million local and national businesses and charities. Please visit www.bbb.org for more information about the BBB System.

Two New Ethernet Machines Added To MSI’s Product Line

FOR IMMEDIATE RELEASE – January 30, 2009

South Easton, MA – Companies that want to make credit and debit card payments more accessible to their clients have two new options to choose from in the Merchant Service Inc. product line. The company’s new credit processing machines enable faster, more reliable Ethernet access to the Internet.

“We are delighted to offer our clients a better way to serve their customers,” said Chris Tobiaz, MSI’s President and CFO. “Our two new additions are designed to enable merchants to forego old-fashioned phone line connections in favor of more secure Internet access to billing services, if they so desire. This means transactions can take place much more expediently and companies don’t have to go to the expense of adding phone lines to accommodate credit card payments.”

The new additions to the product line are:

Nurit 8400 IP – This is a countertop payment device that offers unparalleled flexibility. The Nurit 8400 offers configurable options that make it a favorite in a number of environments. This model is best suited for small to medium-sized businesses that need durability, reliability and performance. The machine can handle debit, credit, EMV and value-added applications, such as gift cards and loyalty programs. This model offers plenty of options in terms of connectivity: in addition to LAN via Ethernet and RS-485, it also accommodates GPRS wireless connections, dial-up and USB host. MSI offers the Nurit 8400 for $479 on a flat purchase basis or on a lease-to-own plan at $19.95 a month.
VeriFone Vx570 – Delivered by one of the most trusted names in the industry, the VeriFone Vx570 is a credit card machine that’s designed to be very easy for customers to read and use. It offers a large, highly visible ATM-type backlit display. This device can accommodate credit, debit, gift card, EBT and even check authorization purchases. Communication options for the Vx570 include LAN via Ethernet, RS-485, GPRS wireless, USB host and even dial-up if a customer so desires. This machine costs $449 to purchase or $17.95 a month on a lease-to-own plan.

“With the days of cash transactions all but over, most businesses need to have credit card machines available to help their customers make purchases,” said Tobiaz. “Our latest product line additions help businesses close their sales without breaking their banks in the process. Both the VeriFone and Nurit models are designed to deliver a number of options while staying in a very affordable price range. They also process transactions within seconds because they are already connected to the front end of the approval server. This cuts processing time way down, which is great for businesses that have extremely busy times, such as diners at lunch time, night clubs Saturday at midnight or coffee shops at 7 am.”

For more information about MSI or its products, contact Chris Tobiaz at 877-877-9592 or visit www.msimerchantservice.com.

About MSI
Merchant Service Inc. is dedicated to helping businesses of all sizes meet their needs to process payments in a secure, expedient fashion. The company carries an extensive line of credit card machines and also offers a host of options for businesses that need to be able to accept online payments. It is MSI’s goal to make doing business a pleasure for its clients and their own customers.

####

Heartland Payment Systems Security Breach

Heartland Payment Systems of Princeton, NJ reported on Tuesday that a security breach may have compromised tens of millions of credit/debit card transactions last year. If the figures are accurate, this makes the Heartland incident one of the largest data breaches ever reported.

Here’s a quick rundown:
1. Sometime in late 2008, there was a security breach at Heartland, which processes payments for more than 250,000 businesses nationwide.
2. Heartland uncovered the breach when they were notified by the credit card companies of fraudulent charges coming in.
3. Stolen data includes names, card numbers and expiration dates, but not Social Security numbers, addresses, phone numbers, or unencrypted PINs.
4. Heartland doesn’t know who is responsible and exactly how many businesses were affected, but now believes that the breach is closed.

In a press release found at the company’s website, Heartland indicates that “cyber thieves breached its system in 2008 and stole credit card information.” The company says it was alerted by Visa and MasterCard of suspicious activity surrounding cards that had all been used at merchants which rely on Heartland to process payments. An investigation uncovered malicious software that compromised data that crossed Heartland’s entire network.

President and CFO Robert Baldwin indicates that intruders had access to Heartland’s system for “longer than weeks” in late 2008; the malware was planted on the company’s network and recorded data as it was being sent to Heartland for processing by the company’s clients. Baldwin asserts that since no SSNs, addresses, phone numbers, or PINs were stolen, there is no risk of identity theft. He assures cardholders that if their information was compromised, they are not liable for the fraudulent charges.

Heartland now believes that the security breach is closed.

Deceptive Disclosure, or Just Good Timing?
With the disclosure of the security breach falling on Barack Obama’s inauguration day, many industry officials are questioning Heartland’s timing of the news release. Says Avivah Litan, fraud analyst with Gartner Inc., “This looks like the biggest breach ever disclosed, and they’re doing it on inauguration day? I can’t believe they waited until today to disclose. That seems very deceptive.”

Baldwin counters, saying that Heartland worked to disclose the breach last week, but couldn’t due to legal procedures. He claims that Heartland considered holding back another day, but ultimately decided it was important to get the information out as soon as possible, “recognizing of course that this is not an ideal day from the perspective of visibility.”

So on a day when most of America is glued to coverage of the Presidential inauguration, is this deceptive, or just good timing (from Heartland’s standpoint, that is)?

Is Your Processing Company Safe?

The Heartland disclosure follows a year of similar breach disclosures at several major U.S. card processors. In 2008, both RBS Worldpay and Hannaford Brothers Co. disclosed breaches of their payment systems that may have affected millions of credit/debit card accounts. Similarly, TJX Companies Inc. disclosed a number of breaches in 2007 that exposed more than 45 million account holders. In 2005, a breach at payment card processor CardSystems Solutions jeopardized roughly 40 million credit and debit card accounts. The increasing number of incidents suggests that cyber-crooks may be targeting payment processors more and more, sparking security concerns across the entire payment processing industry. Because Heartland maintains that it is compliant with the Payment Card Industry Data Security Standard (security controls mandated by the major credit card companies), the breach adds to growing doubt about the effectiveness of PCI rules. Can what happened to Heartland happen again?

Merchant Service Inc., or MSI, is a credit card processing company that provides the merchant accounts, credit card machines, and software that allow businesses to accept credit and debit card transactions. MSI’s security has never been breached.