All posts by Sandra Taylor

Join Us in Las Vegas for CRM 2015!

We are proud to announce that experts from Paymetric will be at SAPinsider’s CRM 2015, the premier event for SAP sales, marketing, e-commerce, service and interaction center management. The event takes place at the Mirage Resort and Casino in Las Vegas, March 30 through April 1, 2015.

Attend to learn best practices across sales, marketing, service and commerce and case studies on how successful companies are leveraging SAP solutions to better engage with their customers. You will also have countless opportunities to engage and network with your peers, SAP partners, and SAP experts.

Paymetric will be exhibiting at booth #120 in the expo hall – be sure to visit us to learn more about our best-in-class payment acceptance and data security solutions for SAP® merchants.

You can get full details on the agenda and more information about the event by visiting www.crm2015.com.

To schedule a one-on-one demo on-site at the show, please contact us.

As Big Banks Prep for EMV, Fraud Relief Remains Far Off

Large banks and card issuers are ready for the U.S. shift to chip-and-PIN technology, according to a report issued Wednesday. But the drop in fraud that is expected to result is unlikely to come any time soon.

The use of EMV-style chip cards is supposed to make retailers like Target less appealing targets for hackers because they will be storing less card data. However, the way the U.S. is implementing EMV leaves plenty of room for the continued use of fake cards. And there is a plethora of ways hackers can use stolen card information without using a physical card.

“EMV’s impact on fraud in 2015 could be pretty much a toss-up,” said Steve Mott, CEO of BetterBuyDesign, a consultancy based in Stamford, Conn.

According to a study released Wednesday by CardHub, all 10 of the largest credit card issuers are in the process of issuing chip-based credit and debit cards and expect the majority of their portfolios to be updated by the end of 2015. All the major banks are issuing chip-and-signature cards, with 40% also supporting PIN capabilities. About 65% of retailers plan to accept chip-and-PIN cards as well.

This means the major banks are in good shape to handle the October 2015 “liability shift” deadlines Visa, MasterCard and Discover have set to encourage U.S. issuers and merchants to migrate from magnetic stripe cards to EMV.

“Right now, issuers incur the cost of card-present counterfeit fraud in stores,” said Martin Ferenczi, president for North America at Oberthur Technologies, a manufacturer of chip cards. “After October 2015, the institution with the lesser technology will be liable for fraudulent charges.”

The CardHub study also shows that the major card issuers are all putting magnetic stripes on their chip cards. This provides convenience all around — the new cards consumers get in the mail will be usable on older point-of-sale terminals that are not yet EMV-ready as well as new devices. It also waters down the security promised by EMV.

As long as there are dual or hybrid payment terminals and ATMs that accept magnetic stripe cards, hackers will be able to use fake cards created with stolen credit and debit card data.

“Visa is projecting 29% of POS transactions to be chip-on-chip, but everyone I know believes the right number is more like 5% or less,” Mott said. “If it’s wildly successful, EMV chip-on-chip volume might hit a running rate of 10% by year-end, but only at the 200 top retailers.”

Mott expects merchants probably will have 30% to 40% of locations equipped with EMV-ready terminals by year end, but most of them will not have the software installed and certified to make them work.

“Many will choose to turn them off until they can figure out how to get around the user ‘gotchas,’ such as leaving cards in the dip slots and not dipping them long enough,” he said.

In some near-term scenarios, Mott said, EMV could actually increase fraud. For instance, EMV credentials sent “in the clear,” or unencrypted, could be intercepted and used online on websites that don’t require security codes.

Eventually, as the U.S. gradually shifts to EMV-only mode, fraudsters’ ability to use fake credit and debit cards on physical machines (this is also known as “card present” fraud) will fade, as it has in other countries like the U.K. and Canada. They will then take their stolen card data and inclination toward thievery elsewhere.

Card-Not-Present Fraud

EMV stands for Europay, MasterCard and Visa, a standard for chip-and-PIN cards that are considered far more secure than the magnetic stripe cards we use in the U.S. today. Card credentials will be tokenized, such that retailers will not receive the actual card number, but a temporary token generated by a card network. Hackers who break into a retailer’s network the way thieves compromised Target more than a year ago would find a stash of useless numbers. On top of that, EMV chip credit and debit cards are almost impossible to duplicate, which means counterfeit card fraud should decrease.

Many industry observers expect the migration to EMV will increase fraud in all the places where credit cards are used but not physically presented, such as on shopping websites, over the phone, over the mail, and over fax machines. This is called card-not-present fraud. Some experts include mobile app payments, such as Uber and Apple Pay transactions, in this category. Card-not-present fraud already accounted for 45% of U.S. card fraud in 2014, according to Aite Group.

When the U.K. shifted to EMV cards, counterfeit card fraud fell 56%, according to Aite, but card-not-present fraud rose 79% in the first three years after the country switched to chip cards. It more than doubled in Australia and Canada.

“The experience in the U.K. is very indicative of what we’ll see here,” said Joram Borenstein, vice president of marketing at Nice Actimize, a provider of fraud analytics. “Understanding how card-not-present fraud is likely to spike, we need to retrain fraud investigators.”

Read the full original article here.

Financials 2015

Join us at SAPinsider’s FINANCIALS 2015 in Las Vegas! Friends, colleagues of Paymetric save $200!

Paymetric is a proud sponsor, speaker and exhibitor at SAPinsider’s FINANCIALS 2015, the premier event for SAP financial accounting, control, planning, consolidation, closings, and reporting.

Taking place at the Wynn Hotel in Las Vegas, March 17-20, 2015, attendees will learn proven methods for continuously improving and transforming key financial processes. If you’re able to attend the event, please be sure to stop by our booth #210 in the exhibition hall, where Paymetric experts will be onsite discussing our best-in-class payment acceptance and data security solutions for SAP merchants. Scan your badge for a chance to win a PS4!

Our close collaboration with SAPinsider this year has made it possible for us to extend a special registration discount to all of our valued clients and colleagues who have not yet registered — $200 off the on-site price! Click here to get started and save!

Paymetric will also be speaking at the following session:

Session Topic: Optimize Your 2015 ePayments Strategy
Speaker: Jennifer Rossi, VP Channel Sales, Paymetric, Inc
Date: Tuesday, March 17
Time: 4:45 PM – 6:00 PM
Location: Palmer 2, Wynn Hotel Las Vegas

In this session, attendees will learn:

  • Risks and challenges around the ePayments landscape of today’s enterprise
  • A complete overview of the ePayments and data security solutions available to you today and how they work together for your benefit
  • The impact to your PCI DSS audit scope, based on the configuration of your infrastructure What to expect before, during, and after a solution implementation
  • Several client success stories about their journey through the process and the results gained from their solution

Click here to learn more and add this session to your agenda! For more information, or to schedule a one-on-one demo with a Paymetric expert at the show, contact us at sales@paymetric.com.

 

Natural Grocers investigates possible payment card breach

Natural Grocers Investigates Payment Card Data Breach

Natural Grocers is the latest US retailer to announce that it is investigating a possible data breach involving customer payment cards.

The seller of natural and organic foods, which has 93 stores in 15 states, said it is investigating a possible data breach involving an “unauthorized intrusion targeting limited customer payment data.”

The company claims that it hasn’t received reports of any fraudulent use of payment cards from any customer, credit card company or financial institution. However, sources in the financial industry have traced a pattern of fraud on customer credit and debit cards suggesting hackers have tapped into point of sales (POS) systems at Natural Grocers locations across the country, according to US investigative reporter Brian Krebs.

The company said there was no evidence card verification codes were accessed, and no personally identifiable information was involved.

Read the full original story here on computerweekly.com.

How much did the Target, Home Depot breaches really cost?

2014 was the year of breaches for Target and Home Depot.

Target’s breach costs, of course, were the result of a spillover from the attack that hit during the company’s 2013 fourth quarter. And the year of breaches only got worse when Home Depot got hit in September. Now, both companies have provided full-picture outlooks of just how much the breaches impacted the retailers as they reported on their Q4 earnings this week.

Home Depot reported Tuesday (Feb. 24) and reported that the net expenses of the data breach cost the company roughly $33 million. Home Depot CFO Carol Tomé shared briefly in the call with analysts about how the breach costs break down.

“In the fourth quarter, our gross data breach expenses were approximately $20 million. After estimating our insurance recovery, we recorded approximately $5 million of net data breach related expenses in the quarter. For the year, our gross data breach expenses were approximately $63 million, and after expected insurance recovery our net data breach expenses were approximately $33 million,” she said, later noting that the 2015 guidance for the company did not include any “expenses that we may incur in the future for data breach-related claims.”

As for Target, the company reported yesterday (Feb. 25) that the total breach expenses incurred from its massive data breach amounted to $162 million (2013 and 2014 figures combined). For Target’s fourth quarter, it incurred $4 million worth of breach-related expenses. Full-year net breach expenses were $145 million ($191 million offset by $46 million insurance receivable). As for fourth quarter in 2013, Target’s breach expenses hit $17 million ($61 million offset by $44 million insurance receivable).

“A year ago, we were in the recovery mode, working to repair guest relationships following the data breach while we undertook an assessment of the long-term prospects for our Canadian business,” Target CEO Brian Cornell said in the call with analysts. “Fast forward to today and we’ve ended the year with the data breached fully behind us and that we’ve made tough decision to execute the Canadian business.”

Click here to read the original article on PYMNTS.com.

Many attackers lurk undetected for months, study finds

According to CIO.com, attackers who penetrate company networks often pose as legitimate users for long periods of time, causing lengthy delays before victims figure out they’ve been hacked.

FireEye’s Mandiant forensics service found that it took a median of 205 days for an organization to detect a compromise, down slightly from 229 days in 2013, according to its 2015 Threat Report.

The drop is nearly insignificant. “I don’t think it’s enough to make a claim that people are getting better at this,” said Matt Hastings, a senior consultant with Mandiant who works on incident response.

One of the main problems is that attackers are moving away from using malware that can be quickly detected. Instead, they’re stealing authentication credentials and using them to log into systems remotely. In that way, they look like legitimate users logging into systems, which becomes difficult to detect.

In two of the largest payment card data breaches, affecting Target and Home Depot, attackers obtained credentials used by third-parties to access those retailers’ networks, allowing them to gain a foothold that eventually enabled attacks on their point-of-sale systems.

To be sure, attackers still use malware and backdoors, but more judiciously. In fact, victims will often find components and tools used for an attack and remove them, Hastings said, but still fail to understand fully what is going on.

As a result, the hackers—seeing that some of their intrusions have been detected—can change tactics to maintain their presence in a network.

Mandiant’s report said in 69 percent of breaches, an organization found out about an attack from another group, such as law enforcement. That’s up from 67 percent in 2013 and 63 percent in 2012.

One of the ways an attacker can appear to be an authorized user is by gaining VPN access. Mandiant saw attackers obtain login credentials for those systems more in 2014 than ever before.

Once they enter through a VPN, an attacker can often get access to other systems, Hastings said. That opens the possibility of using a tool such as Mimikatz, which can collect clear-text passwords of users currently logged in.

Windows will keep credentials in memory so they can be reused for single-sign on, and that can allow Mimikatz to grab them.

Windows Server 2012 R2 and Windows 8.1 have a defensive mechanism called “protected processes” to defend against this kind of attack, Hastings said. But most organizations use Windows Server 2008 functional domains and Windows 7 endpoints.

“Unfortunately, at this point, it’s very hard to mitigate this type of risk,” Hastings said.

To further blur their activity, attackers modify and recompile Mimikatz’s source code. Mandiant said it did not find a single instance in which an organization’s antivirus software detected or prevented Mimikatz from running, despite its reputation.

Click here to read the original story on CIO.com.

PCI Compliance

You hear a lot about PCI compliance and data breaches in the news, but do you actually have the technology in place to protect your organization? You can pass a PCI audit and still experience a data breach.

So what’s the answer? Replacing credit card information, with tokens, or a surrogate value, to ensure you’re protecting your customers’ data.

With Paymetric’s XiIntercept™, our data intercept solution, you can:

  • Capture card data as soon as possible in the workflow
  • Prevent cardholder data from entering your enterprise system
  • Replace credit card number with tokens, rendering the data useless to thieves

Mitigate the risk of fees, fines and legal costs associated with a data breach.

Securely Integrate a Fraud Management Solution

Online payment fraud costs businesses billions of dollars each year, not just in fraud loss, but in administrative overhead as well.

With the explosion in eCommerce transactions comes a corresponding rise in fraudulent transactions.

According to Forrester, merchants pay $200 billion to $250 billion in fraud loss annually. Implementing a fraud management solution enables you to:

  • Maximize revenues through improved detection rates and fewer chargebacks and false positives
  • Simplify and combine all fraud prevention processes and procedures
  • Securely integrate fraud without exposing raw credit card data in the merchant environment
  • Automate manual processes and drive down administrative, personnel and IT costs

Learn more about fraud management here.

Five Benefits of Integrating ePayments in the Enterprise

Processing electronic payments outside of your standard workflow means:

• Slower processes with more error
• Reconciliation headaches
• PCI compliance and data security risk

We can help. Paymetric’s suite of on-demand payment acceptance solutions can integrate into your existing enterprise systems securely, enabling you to:

• Eliminate manual processes and reconciliation challenges
• Lower interchange rates by up to 1%
• Secure cardholder data in rest and in transit
• Easily scale with our processor-agnostic tokenization solution
• Enhance your receivables processes and financial supply chain modules

Find out why some of the most respected brands in the world turn to Paymetric for their electronic payment acceptance needs.