The Same Point-of-Sale Malware File has been Linked to Multiple Data Breaches in North America

Credit-card-and-POS-and-malware image for Visa PwnPOS post

Visa’s Payment Fraud Disruption (PFD) team recently determined that seven point-of-sale breaches reported since March 2018 in North America were linked to the exact same malware file hash, now known as the “PwnPOS” File.

PwnPOS is a point-of-sale (POS) malware file that was first identified back in 2015, but there are indications it may have been active as early as 2013.

From 2016 to 2017, there were only a few reported instances of PwnPOS infections, but that number increased significantly in 2018. Visa’s PFD team discovered that each of the malware files recovered from the 2018 breaches were the same across all instances, which means the PwnPOS malware family is easily identifiable.

 How it Works

There are three main attributes of the PwnPOS malware:

1)  A component that adds or removes itself from a list of system services

2)  This component enables the malware to avoid detection and persist on a targeted machine

3)  The malware installs a RAM scraper that monitors for keyboard inputs containing a string of numbers

Once those keyboard inputs are scraped, the malware checks the string of numbers against the Luhn algorithm (a formula used to validate identification numbers) to determine if it is a credit card number. If the numbers pass the check, the malware extracts the compromised data.

Mitigation Measures

To identify the presence of the PwnPOS malware, Payscout recommends scanning your networks for the following indicators of compromise:

Visa PwnPOS Malware Alert - Indicators of Compromise

The indicators above correspond to the RAM scraper component of the PwnPOS malware. The seven cases Visa’s PFD team identified in 2018 had additional PwnPOS file attributes, but the RAM scraper component was consistently present in all instances, making it the most reliable indicator of compromise available.

Best Practices

Visa recommends the following best practices to reduce the risk of exposure:

  • Secure remote access with strong passwords, ensure only the necessary individuals have permission for remote access, and disable remote access when not in use.
  • Enable EMV on all point-of-sale devices.
  • Provide each Admin user with their own user credentials. User accounts should also only be provided with the permissions vital to job responsibilities.
  • Turn on heuristics (behavioral analysis) on anti-malware to search for suspicious behavior, and update anti-malware applications.
  • Monitor network traffic for suspicious connections, and log system and network events.
  • Implement Network Segmentation, where possible, to prevent the spread of malicious software and limit an attacker’s foothold.
  • Maintain a patch management program and update all software and hardware firmware to most current release to limit the attack surface for zero-day vulnerabilities.

Free eBook: 5 Ways an Online Payment Portal Will Streamline Your Business and Increase Revenue

Why Every Business Owner Should Read Payscout’s Payment Portal eBook
Every Business Owner Should Read Payscout’s Payment Portal eBook

As a result of the innovations in global mobile payment processing and other facets of the payment industry, Payscout is one of the most well-respected and successful payment processing organizations in the industry. Payscout consistently ranks among the top 30 companies in the financial services industry, and has ranked in the top 20 for medium-sized businesses on Entrepreneur’s list of Top Company Cultures. As such, when payments industry professionals from Payscout talk, the financial industry service industry listens.

Which means that any business hoping to increase their efficiency, growth, and profit might want to consider doing the same. Thankfully for them, Payscout has a commitment to education and transparency that’s resulted in the publishing of an eBook entitled “5 Ways an Online Payment Portal Will Streamline Your Business and Increase Revenue.” The following is a brief overview of topics covered in its five chapters, but shouldn’t be considered an alternative to reading it in its entirety, as this eBook is a must-read for anyone interested in their business profiting. The free eBook is available for download directly from Payscout’s website.

 Customer Convenience

The demographics of the American and global marketplaces are changing. There will soon be more millennials involved in commerce than baby boomers, and they have billions to spend. Having largely grown up with the internet and proficient in the use of devices, for millennials, convenient, comprehensive payment options for everything from entertainment streaming to utility payment processing is now expected. Disregarding that reality can prove devastating for a business.

 Flexibility

In the same vein, traditional bill paying, chiefly by cash and check, continues to decrease in popularity. At the same time, automated bill payment featuring credit and debit cards has increased. Modern customers are simply choosing plastic over paper, and every business should at least allow the option to accommodate that preference.

 Efficiency

Efficiency is an asset to any business, but a good example is accounts receivable and collections. Repeatedly mailing bill reminders and making calls not only doesn’t work, but also wastes the time of the collector and the debtor, wastes resources, and loses money better spent elsewhere. Setting up an automated, intuitive, reasonable process for reminders and a user-friendly payment portal through accounts receivable collections software will save a company money and is more likely to actually result in money being collected.

 Security

Hacking and malicious intrusions into a company’s network can result in customer information being compromised, fraudulent charges, and a loss of millions in revenue. It can cost both current and future customers by permanently damaging a company’s reputation, literally overnight. That’s why it’s so important to choose a payment processor that is Payment Card Industry Data Security Standard (PCI DSS) compliant. And when choosing a payment processing company, be sure to ask about their data encryption algorithm and their tokenization technology.

 Brand Building

A non profit may be doing everything right marketing-wise by running an efficient and ethical business, advertising in the right places, and using branding to spread the word about their organization and contributions to altruism. However, if their non-profit payment processing platform only accepts one-off payments in the form of cash and checks, they’re going to be faced with less donations and fewer recurring donors. While many want to support the causes they believe in, the reality is that some people are simply not interested in (or seemingly too busy to) physically deliver cash or mail checks. Fortunately, a secure non-profit payment processing solution can streamline the process, making it easy to drive consistent, recurring donations from different payment options to your organization.

 Optimize the success and continued growth of your business or non profit with the industry’s best payment processing solutions, at www.payscout.com

Streamline and Secure Your Business’s Payment Processing with Payscout’s Virtual Terminal

Online Shopping on laptop with credit card

From the complexity of healthcare payment processing to the relative simplicity of buying and selling a product, the modern marketplace is far more dynamic than it’s ever been. For the vast majority of human history, most basic transactional commerce involved a customer purchasing a product or service from a vendor. The point of sale (POS) was a static, physical exchange of currency for the product or service, usually at the business of the merchant or vendor. At the risk of stating the obvious, the internet has changed that dynamic for good. Trillions of dollars are now spent online and any reasonable business with a product that can be sold, advertised, or promoted on the internet, does so—or at least should.

Failing to do so risks, if not guarantees, that their business will suffer (or possibly fail). However, this profitable new paradigm is accompanied by perils and vulnerabilities. When an internet vendor doesn’t interact face-to-face with any of their clients, they are put in a position where they have to trust that a consumer is who they say they are and actually has the funds they’re accessing with their credit or debit card. Fortunately, there are solutions for mitigating or eliminating the risk of things such as consumer fraud, insufficient funds, stolen cards, or payment processing that isn’t fully secure. When dealing with digital, remote, and international payment processing, businesses can protect themselves and increase their efficiency (and in turn, profits) by leveraging Payscout’s virtual terminal.

Benefits and Services of the Virtual Terminal

There are two primary ways in which Payscout’s virtual terminal aids any company doing business online: guaranteeing the money that a consumer is spending is actually there, and then ensuring a secure transfer of those funds. Payscout has managed this by deploying the most secure, advanced technology to ensure that the customer has sufficient funds in their merchant bank to cover the price of the purchase on any major credit card. That allows merchants to accept or decline transactions as necessary, and that means fewer chargebacks. Those features are available at both physical POS terminals and online sales.

 Security Features

Every feature of modern commerce requires security. That reality informs every product and service Payscout offers, from accounts receivable collections software to innovations in data tokenization. The security solutions for the Virtual Terminal are based on Payscout’s development of proprietary ecommerce tools and developer APIs to protect all consumer data sent between a business’ website and the merchant service bank. Additional security features include Advanced Fraud protection technology, Visa 3D Secure, MasterCard Secure Code, and PCI compliance. All of that advanced, reliable safeguarding provides the security every business needs to thrive in the internet age.

Optimize your business’s profit potential and growth with the industry’s best payment processing solutions, at www.payscout.com

How to Streamline Your Online Business Payment Processing

How to Streamline Your Online Business Payment Processing

There are so many considerations, concerns, complicated details, and unforeseen hurdles accompanying the running of a business that it can be easy to overlook features that could either help or hinder your business’s success. In this case, that feature is payment processing. A user-friendly, streamlined payment processing infrastructure can prove to be a revenue driver by increasing conversions, while a poorly managed system can turn off and drive away consumers, leaving your business with a lot of missed opportunities and abandoned shopping carts.

 Don’t Exclude Payment Methods or Processing Options

Consumers have become so accustomed to having multiple payment options that any business with a payment processing solution that does not support multiple sources of payment could suffer. To maximize conversions, incorporate both domestic and international payment processing. Credit and debit cards are obviously a must, but some consumers prefer additional payment alternatives. Those include online payment systems, app-centric payment options, direct payment services, account-based payments and merchant accounts, as well as the ability to accept (and possibly offer) coupons and gift cards.

 Allow Guest Checkout

Customers establishing accounts with online businesses are generally a mutually beneficial arrangement. It’s certainly mutually beneficial when the customers are happy and willing to do it. These accounts make it easier for customers to reorder from you and increases the likelihood they will do so, which in turn increases trust and brand loyalty.

Unfortunately, account-averse customers complicate that relationship. It’s not necessarily the result of arbitrary account-antagonism or consumers being too impatient to sign up. Sometimes people are in a rush, and some consumers are just wary of sharing additional personal information on the internet. Instead of having to create an account or forgo the purchase, allow the option to purchase as a guest to ensure you don’t miss out on potential business. Generally, requests for information should be tiered, from the bare minimum required to complete a purchase to the information necessary to establish an account, to whatever additional information would contribute to your sales metrics that customers are willing to provide.

Invest in Security and Let People Know

From the often labyrinthine world of healthcare payment processing to stocking, selling, and shipping T-shirts, customers don’t just want a secure payment processing option—they demand it. Due to the spate of high-profile data hacks, network intrusions of major corporations, and the ubiquity of identity theft issues that remain a threat, consumers are even more leery of ecommerce. To assuage those concerns, invest in tight security and a protected, encrypted secure payment portal. Once it’s been employed, be sure that it’s mentioned where consumers will see it so they can rest assured you’re taking responsible actions to minimize risk.

 A Clear, Intuitive Purchase Process

It’s a bit surprising that providing this information is still necessary, but there are still sites with vague purchase and payment processes. The entirety of the purchase process should include very clear calls to action and additional options. Consumers want to be both aware of the status of a potential purchase throughout the process, while having the option to continue browsing without the risk of backing out of an order or doubling up on one. As such, each button should identify exactly what clicking it is going to accomplish. Which is why vague buttons like “Go Ahead,” “Continue,” “Apply,” “Order” or “Checkout” are worth reconsidering. Those can mean an order overview or the actual purchasing of whatever’s in their cart. Stick with “Add to Cart,” “Go to Checkout,” and “Buy Now” or “Place your Order” for the utmost clarity. And always provide the opportunity to both edit the cart and continue shopping.

 About Payscout

Payscout has consistently been recognized as one of the most innovative, trusted, and dynamic payment processing providers in the industry. By facilitating sound, secure, convenient payment processing solutions across the U.S., Canada, Brazil, and the E.U., Payscout links merchants and their customers with their debit, credit, ATM, mobile, and alternative payment systems. Payscout makes it easy to manage payments, both on-site and for mobile and online platforms. Additionally, Payscout can integrate with over a dozen software payment processing applications, while specializing in accounts receivable collections software, utility payment processing, and non profit payment processing. Payscout can accommodate any payment requirement confidently with safe, secure, speedy, friendly, and convenient service.

Discover everything Payscout’s payment processing solutions can do for you, at www.payscout.com

Business Security Tips for Safer Commerce

female business owner on rooftop with tablet

As the internet hosts financial enterprises from utility payment processing for major cities to the buying and selling of corporations, the hundreds of billions of dollars transferred, earned, and spent online represent a tremendous opportunity. Big opportunities, however, are often accompanied by great risk. Some of that risk is simply the unavoidable and unforeseeable, chaotic, esoteric fluctuations of global markets.

Some of that risk – fraud and theft – is also more malicious but, thankfully, addressable. Anyone doing business online (and offline) faces both of these risks, but addressing their vulnerability to hackers, identity thieves, credit and debit card scammers, etc. requires trustworthy partners and some prudent safeguards. Payscout is the perfect partner for smart and secure payment processing that—along with some best practices below—can make your business safer and more secure.

Restrict the Number of Allowable Transaction Attempts

Significant developments in the security of physical point of sale (POS) and mobile payment processing by companies like Payscout mean that scammers are focusing more on card-not-present scams. This trend has given birth to an online marketplace of stolen payment card numbers that thieves can buy individually or in bulk. Some of those numbers have been rendered useless by reporting or have incomplete information, but scammers will often try a series of card numbers until one works. Restricting the number of allowable transaction attempts can thwart that sort of “brute force” attempt at fraud.

 Keep Track of Suspicious Card Numbers

Retain a log of suspicious card numbers. Most payment card processing companies allow vendors to review attempted transactions, successful or not. Recording and perusing those daily transactions can help identify the sort of attempt described above – if one of the cards went through before the daily transaction limit had been reached.

 Keep Your Digital Fortress in Good Repair

Payscout provides vast, dependable security measures (such as encryption and tokenization services) to protect all financial information in a merchant’s database, fraud-protection and security specialists that handle automated screening and manual review, and a variety of check and card protection and verification services. Payscout also offers services ranging from local non profit payment processing to global payment processing from multinational corporations. But their expertise and resources can only help so much if your firewall, anti-virus, anti-malware, anti-spyware, etc. protection is lapsed, lax, or not present.

 Don’t Mix Business with Personal

There are a number of good reasons for having separate, dedicated hardware, software, and devices for business and personal use. For one, using one device and/or system for your business and personal computing can result in frustrating confusion—particularly if your personal computing includes personal finances. But more importantly, if you have everything in one place and do get hacked, you risk losing everything. Be safe!

Protect your business’s future and secure its continuing growth and success at www.payscout.com.

 

Commerce with Confidence: Security and Peace of Mind in “Risky” Businesses

A close-up of female`s hands holding smartphone and credit card paying bill online via internet making transaction using mobile bank application on cell phone. Modern technology and online payment.

There is risk of fraud inherent to any business, but, fair or not, some occupations and payment methods are considered more vulnerable than others. And it’s not just billion-dollar conglomerates who need to worry about risk. The vast majority of fraud is perpetrated on small- and medium-sized businesses.

However, there are simple steps you can take to mitigate or even eliminate that risk.

Mobile Payment Made Secure

According to market studies, payments made on mobile devices recently reached $75 billion a year. By 2020, they predict that revenue will increase to $503 billion. It’s not really an income source that you want to miss out on due to anxiety about safety.

Safer mobile payment practices are very similar to those for traditional credit or debit card transactions. It boils down to due diligence. Ensure that the Wi-Fi network the mobile device is linked to is sound and secure. If the mobile payment isn’t face-to-face, require a CVV code and consider adding a two-factor authentication method (2FA) that requires consumers respond to a verification code before the transaction can be completed. Also always partner with a trustworthy mobile payment processing provider.

Best Practices for a Safe Non Profit

For the most part, non profits attract honest, decent people committed to making the world a better place. Sadly, as the financial oversight of non profits is generally less stringent than the oversight of for-profit organizations, that environment can attract the unscrupulous.

The best way to prevent abuses of a non profit’s funds is to enforce a mandate requiring transparency. Transparency and open, honest accounting and management should start from the top down. Beginning with the officers, emphasize the necessity for open books and candid discussion of the finances. Also employ a firm with a good reputation that is equipped to handle non profit payment processing.

Promoting a healthy culture at a non profit, according to fraud experts, can make a big difference. Those with closed off, insular or bullying leadership are more likely to be engaged in fraud.

Pain-Free Medical Billing

 More than $3.4 trillion dollars is spent on healthcare in the United States alone, every year. Because there is so much money being spent and handled by so many people and organizations, there are already some aggressive regulations in place to reduce medical fraud. Just being familiar with, and familiarizing the employees of a medical business with those regulations and guidelines alone can help prevent fraud.

Make comprehensive compliance to medical billing and fraud-prevention practices a top priority. Set the example by choosing a healthcare payment processing provider with a specialization in compliant billing.

That means not just some education and training, but continued education and training. Consider making compliance an element of employee evaluations, implementing policies to protect and encourage whistleblowers, perform audits (or hire auditors to do so), and compare the billing of your business with comparable providers in your area and nationally. Sometimes a simple comparison is all it takes to identify questionable finances.

About Payscout

Payscout has earned international praise as a new-generation global payment processing provider. They serve thousands of clients from a multitude of industries across six continents and all 50 states. Their “Go Global Now” technology platform gives merchants access to over 100 countries, billions of consumers, and trillions of dollars. Payscout is recognized as one of the few providers to deliver a true global payment solution that encompasses all merchant risk verticals, including those for mobile payment, healthcare, and non profit communities.

Learn how secure and efficient payment processing can be with Payscout at www.payscout.com

Going Global? You’ll Need These Multi-Layered Fraud Solutions

Cross-border ecommerce represents a tremendous opportunity for enterprising entrepreneurs, but the opportunity comes with a caveat: Cross-border fraud is on the rise.

Fortunately, emerging technologies are adding advanced layers of fraud protection to facilitate safe, secure transactions that enable entrepreneurs to maximize the opportunity.  The progression is rather simple, really: An entrepreneur selling widgets out of a brick-and-mortar operation realizes the expanded reach an ecommerce site would afford them and they start processing online.  As market share grows and business booms, the prospect of expanding the customer base by going global is too compelling to miss.  But what changes when an entrepreneur wants to start processing (and fulfilling) card-not-present (CNP) transactions across borders?  The biggest obstacle is unquestionably fraud – and the potential solutions are driving a revolution in multi-layered fraud protection technologies.

Consider the technology designed to mitigate fraud in each of the merchant channels described in the example above. At the point-of-sale (POS), EMV (Europay, Mastercard and Visa) technology is already dramatically reducing the risk of identity theft and card/PAN (personal account number) theft.  However, as technology improves at one level, the fraudsters find their new opportunity at the next.  In domestic CNP transactions, technology tools such as address verification services (AVS) and CVV2 are standard here in the United States.  In cross-border commerce, however, the entrepreneurs (and consumers) require added layers of security.

Multi-layered fraud tools (such as Payscout’s fraud solution suite) connect to multiple data sources, such as device fingerprinting and geo-location services, on top of the AVS and CVV2 solutions.  Those added layers of security support more secure transactions, provide further insight and promote quality know-your-customer (KYC) practices.  Cross-border merchants need fraud solutions that create customized fraud algorithms, based on the entrepreneur’s requirements, that connect to multiple data sources.  With these solutions in place, merchants can protect their bottom line – and their margin growth.

These technology tools (and partnering with the right payment processor to provide them) help merchants reduce risk and maintain margin growth.  Payscout is leveraging these tools on a global scale in an effort to achieve its mission to “support the entrepreneurial dream one [secure] transaction at a time.”

Tips for Avoiding Credit Card Fraud

 

Fraud is one of the major issues faced by many credit card owners today. Millions of dollars are lost to credit card fraud each year, with no sign of this trend decreasing. High profile security breaches on organizations like Target and T-Mobile prove that even companies that invest in the best security possible can fall victim to theft and fraud.

So, how can an everyday person protect their identity and prevent fraud? There may be no surefire way to prevent credit card fraud, but there are certainly steps you can take to protect yourself. Try following these three tips to cut down on your chances of falling victim to credit card fraud.

1. Keep Your Card Secured

This might seem obvious, but many people fall victim to fraud after first falling victim to theft. Never leave your credit cards in a place that could be accessed by thieves, like in a desk drawer or in your car’s glove box. Remember, a thief does not need your pin number to withdraw money from an ATM using your credit card, and they can ring up a big bill buying things online. It is best to keep your credit card on your person, either in your wallet or purse, at all times to keep it out of the hands of potential thieves.

2. Don’t Share Your Credit Card Information

The golden rule in avoiding credit card fraud is to not share your credit card information with anyone. It is extremely easy to shop online, and providing online retailers with your credit card information has almost become second nature to some. However, you need to be careful about who you shop with. Make sure you are using a legitimate merchant site and check the website’s credibility before you buy. You also should be cautious about providing your information over the phone, as telephone scams are rampant. Remember, if a deal sounds too good to be true, it usually is.

3. Review Your Billing Statements

There are times when credit card thieves withdraw small amounts of cash from many different bank accounts hoping that their victims never notice the discrepancy. That is why it is so important to review your monthly bank and credit card statements, and equally as important to report any spending you do not remember or have no record of.

How to Avoid Merchant Account Scams

Merchant account scams are a relatively new form of cybercrime. However, the number of scams impacting the U.S. and abroad are growing rapidly. This simply means that business owners accepting debit and credit card payments and process through a merchant account need to take the necessary steps to protect themselves from becoming victims. Some merchant account scams are specifically targeting businesses that work with debit and credit card processing businesses to process the transactions for their customers.

These particular types of scams have the ability to target both the physical store and online marketplace. These scams are specially designed to get credit and identity information about the businesses and their clients. It is a good thing that there are ways to prevent yourself from becoming the target of a merchant account scam. Businesses should take the following steps to secure their data, and protect their employees, money and customers:

  • Research before you sign a contract: New businesses are usually the primary targets of scams, because they are generally less educated about the merchant account fee process. This allows scammers posing as legitimate merchant account providers to take advantage of them. So, do your homework before signing with a merchant services provider! Check with your local Better Business Bureau to see if they are a legitimately registered business.
  • Trust in peer reviews: Before signing with a merchant services provider, check out their reputation online. Go through their complaints records, status of services and consumer reports. Check their online reviews as well. Do their customers seem happy with them? You should also keep an eye on a company’s social media accounts as people frequently post complaints against companies on their social media accounts versus a website.
  • Compare charges: You should compare every transaction charge on charge statements against the transactions in your financial business records. This ensures that the charged amount and time of each transaction lines up with what is in your personal records. Doing this on a regular basis will help you keep informed about your account and will enable you to catch inaccuracies quickly.

There are many different types of scams that can be applied to merchant accounts. We’ve compiled a short list of the most popular scams to help you recognize them:

  • Partial scam – The most common partial scam is the ‘hidden fee’ scam where concealed fees, rates and extra charges (usually applied by the processing bank), suddenly pop-up, or remain hidden and unaccounted for until the eCommerce merchant receives the bill from the processing bank.
  • Full-scale scam – A full-scale scam is where a merchant applies for a merchant account with a provider that doesn’t actually exist. After filling in a surprisingly short membership form, merchants will get an expensive bill with a high deposit rate in order to suck the maximum amount of money out of the merchant without raising suspicion. After getting the merchant’s money, the scam provider will simply disappear. Emails go unanswered, websites are erased and telephone lines are disconnected. Merchants unlucky enough to fall for this scam will most likely never see their money again.
  • Backdoor scam – A backdoor scam involves changing the program code of a gateway in order to provide a backdoor (hole) for a third-party scammer to connect to later on, when the gateway is in use.

You can prevent falling victim to a merchant account scam simply by working with a credible merchant services provider such as Payscout. Check us out online or contact one of our customer service specialists at 888-689-6088 to find out how we will partner with you to help you securely grow your business.