Data Breaches and the Importance of PCI Compliance

An Integration to Payscout’s Paywire Gateway Can Significantly Reduce Your Risk of PCI Non-Compliance

American Medical Collection Agency (AMCA), a third-party healthcare debt collection firm servicing 7.7 million consumers, recently experienced a massive data breach, exposing consumers’ personal data and payment information. AMCA subsequently filed for bankruptcy as a result of the fallout from the data breach. This event is a stark reminder of how crucial it is to abide by PCI compliance requirements and to understand whether your software partners and providers are compliant.

Payscout is a PCI Level 1 and PA-DSS certified Service Provider, and we have recently been reviewing our new and existing technology partnerships to ensure that our mutual customers are fully protected. As our partner, you can use our integration solutions to reduce your PCI scope, regardless of whether you offer an online application (PCI DSS requirement) or a distributed application (PA DSS requirement).

Definition of PCI Scope

PCI Scope is established by the presence of a credit card number (PAN). If the PAN is ever transmitted, processed, or stored by your software, then it is a payment industry requirement to comply with PCI DSS and complete a rigorous compliance validation facilitated by an authorized QSA (Qualified Security Assessor) Company. Organizations that do not comply with PCI DSS face potentially serious consequences, which can include the following:

  • Increased transaction fees
  • Fines from the acquiring bank and/or card brands
  • Responsibility for fraud loss in the event of a breach or other security incident
  • Loss of ability to accept credit cards as a form of tender
  • Reputational damage in the event of a breach
  • Inability to claim safe harbor should a serious security incident impact cardholder data security

The Costs to be PCI Compliant

For a Software Company to become a PCI Compliant Service Provider, the rigorous and time-consuming annual audits come with typical QSA audit costs as follows:

  • PCI DSS $25k+ Annually
  • PA DSS $30k+ every 3 Years + PCI DSS Annual Cost

In the event of a breach, the cost to resolve a security incident is $7 – $15 per credit card number. These costs could rise to $70k – $150k for 10,000 credit card numbers. Many software vendors and merchants have the potential to impact the security of many more than 10,000 card numbers, and so fraud loss could be astronomical. Following AMCA’s data breach, AMCA’s largest clients immediately terminated their relationships, further impacting AMCA’s ability to bear these expenses and consequently rendering them bankrupt. These consequences not only affect the software company, but additionally put all customers using the software at risk. 

We can work with you to identify the best solution for your situation, based on your type of application and how it is distributed. In addition, we work with a QSA who can attest to your out-of-scope status and provide a letter certifying that status for your customers’ compliance audits.

Does Your Business Fall Within the Scope of PCI Compliance Requirements?

There are many layers to PCI Compliance requirements. If you facilitate electronic payments within your software application, how you capture card details (card number, expiration date, and CVV) could put you in the scope of PCI Compliance. 

According to current PCI Requirements, here’s how it works: 

  • If you capture payment card information directly within input fields in your application for transmission to a payment gateway via an API, you are in PCI Scope
  • If you capture payment card information using a payment gateway’s hosted payment page, presented in either an iFrame or Modal window (Popup, Lightbox, etc.), you are out of PCI Scope
  • If you capture payment card information as a full redirect to a payment gateway’s hosted payment page, you are out of PCI Scope
  • If you capture payment card information via some other method, requirements will vary. 

How is your Product/Software deployed?

  • If your Product/Software is deployed online as a Web Application, you are required to comply with PCI DSS requirements
  • If your Product/Software is distributed within a Client’s network (via either Desktop or Web Applications), you are required to comply with both PCI DSS and PA DSS requirements

Interested in learning more? Payscout’s Fran Fisher will be discussing PCI Compliance Scope in further detail at Ontario Systems’ 2019 PowerUp Conference.

Wondering if your Business falls within PCI Scope? Contact sales@payscout.com so we can help you find out.

The Same Point-of-Sale Malware File has been Linked to Multiple Data Breaches in North America


Visa’s Payment Fraud Disruption (PFD) team recently determined that seven point-of-sale breaches reported since March 2018 in North America were linked to the exact same malware file hash, now known as the “PwnPOS” File.

PwnPOS is a point-of-sale (POS) malware file that was first identified back in 2015, but there are indications it may have been active as early as 2013.

From 2016 to 2017, there were only a few reported instances of PwnPOS infections, but that number increased significantly in 2018. Visa’s PFD team discovered that each of the malware files recovered from the 2018 breaches was identical across all instances, which means the PwnPOS malware family is easily identifiable.

How it Works

There are three main attributes of the PwnPOS malware:

1) A component that adds or removes itself from a list of system services
2) This component enables the malware to avoid detection and persist on a targeted machine
3) The malware installs a RAM scraper that monitors for keyboard inputs containing a string of numbers

Once those keyboard inputs are scraped, the malware checks the string of numbers against the Luhn algorithm (a formula used to validate identification numbers) to determine if it is a credit card number. If the numbers pass the check, the malware extracts the compromised data.
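The Luhn check described above is the same test a defender can run over their own application logs and data stores to learn whether unmasked PANs are ever present (which, per the PCI scope definition earlier on this page, is what pulls a system into scope). The following is an added example, not Payscout's or Visa's code; the log lines are constructed, and the card numbers are the widely published Visa, Mastercard and American Express test numbers.

```python
import re

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not adjacent to other digits (so a 20-digit run is not a candidate).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits):
    """Luhn mod-10 check: double every second digit from the right,
    subtract 9 from any doubled value above 9, and require sum % 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text):
    """Return the digit strings in `text` that look like a card number
    (right length and Luhn-valid). Luhn alone still admits some false
    positives, e.g. order numbers that happen to pass, so treat hits as
    leads to review rather than proof of a PAN."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            pans.append(digits)
    return pans


def mask(pan):
    """Keep first 6 and last 4 digits, the maximum PCI DSS allows to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


# Constructed sample log lines; line 3 holds a 16-digit value that fails Luhn
# and line 4 holds an already-masked PAN, neither of which should be reported.
SAMPLE_LOG = [
    "2019-06-12 10:01:03 INFO  checkout session=8843021 token=tok_4f9a1c amount=42.10",
    "2019-06-12 10:01:04 DEBUG form_post card=4111 1111 1111 1111 exp=12/22 cvv=123",
    "2019-06-12 10:01:05 DEBUG order_ref=4111111111111112 status=ok",
    "2019-06-12 10:02:17 INFO  callback pan_masked=555555******4444 result=approved",
    "2019-06-12 10:03:40 DEBUG retry card=3782-822463-10005 exp=09/23",
]


def scan_lines(lines):
    """Return (line_number, masked_pan) for every line carrying a clear-text PAN.
    Only the masked form is returned so the scan itself does not copy PANs."""
    hits = []
    for n, line in enumerate(lines, 1):
        for pan in find_pans(line):
            hits.append((n, mask(pan)))
    return hits


if __name__ == "__main__":
    for n, masked in scan_lines(SAMPLE_LOG):
        print(f"line {n}: clear-text PAN found ({masked})")
```

A DEBUG line that echoes a whole form post, as on line 2, is exactly how a "hosted page" integration quietly drifts back into scope.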

Mitigation Measures

To identify the presence of the PwnPOS malware, Payscout recommends scanning your networks for the following indicators of compromise:

Visa PwnPOS Malware Alert - Indicators of Compromise

The indicators above correspond to the RAM scraper component of the PwnPOS malware. The seven cases Visa’s PFD team identified in 2018 had additional PwnPOS file attributes, but the RAM scraper component was consistently present in all instances, making it the most reliable indicator of compromise available.

Best Practices

Visa recommends the following best practices to reduce the risk of exposure:

  • Secure remote access with strong passwords, ensure only the necessary individuals have permission for remote access, and disable remote access when not in use.
  • Enable EMV on all point-of-sale devices.
  • Provide each Admin user with their own user credentials. User accounts should also only be provided with the permissions vital to job responsibilities.
  • Turn on heuristics (behavioral analysis) on anti-malware to search for suspicious behavior, and update anti-malware applications.
  • Monitor network traffic for suspicious connections, and log system and network events.
  • Implement Network Segmentation, where possible, to prevent the spread of malicious software and limit an attacker’s foothold.
  • Maintain a patch management program and update all software and hardware firmware to the most current release to limit the attack surface for zero-day vulnerabilities.

Business Security Tips for Safer Commerce


As the internet hosts financial enterprises from utility payment processing for major cities to the buying and selling of corporations, the hundreds of billions of dollars transferred, earned, and spent online represent a tremendous opportunity. Big opportunities, however, are often accompanied by great risk. Some of that risk is simply the unavoidable and unforeseeable, chaotic, esoteric fluctuations of global markets.

Some of that risk – fraud and theft – is also more malicious but, thankfully, addressable. Anyone doing business online (and offline) faces both of these risks, but addressing their vulnerability to hackers, identity thieves, credit and debit card scammers, etc. requires trustworthy partners and some prudent safeguards. Payscout is the perfect partner for smart and secure payment processing that—along with some best practices below—can make your business safer and more secure.

Restrict the Number of Allowable Transaction Attempts

Significant developments in the security of physical point of sale (POS) and mobile payment processing by companies like Payscout mean that scammers are focusing more on card-not-present scams. This trend has given birth to an online marketplace of stolen payment card numbers that thieves can buy individually or in bulk. Some of those numbers have been rendered useless by reporting or have incomplete information, but scammers will often try a series of card numbers until one works. Restricting the number of allowable transaction attempts can thwart that sort of “brute force” attempt at fraud.

Keep Track of Suspicious Card Numbers

Retain a log of suspicious card numbers. Most payment card processing companies allow vendors to review attempted transactions, successful or not. Recording and perusing those daily transactions can help identify the sort of attempt described above – if one of the cards went through before the daily transaction limit had been reached.

Keep Your Digital Fortress in Good Repair

Payscout provides vast, dependable security measures (such as encryption and tokenization services) to protect all financial information in a merchant’s database, fraud-protection and security specialists who handle automated screening and manual review, and a variety of check and card protection and verification services. Payscout also offers services ranging from local non profit payment processing to global payment processing for multinational corporations. But their expertise and resources can only help so much if your firewall, anti-virus, anti-malware, anti-spyware, etc. protection is lapsed, lax, or not present.

Don’t Mix Business with Personal

There are a number of good reasons for having separate, dedicated hardware, software, and devices for business and personal use. For one, using one device and/or system for your business and personal computing can result in frustrating confusion—particularly if your personal computing includes personal finances. But more importantly, if you have everything in one place and do get hacked, you risk losing everything. Be safe!

Protect your business’s future and secure its continuing growth and success at www.payscout.com.


Commerce with Confidence: Security and Peace of Mind in “Risky” Businesses


There is risk of fraud inherent to any business, but, fair or not, some occupations and payment methods are considered more vulnerable than others. And it’s not just billion-dollar conglomerates who need to worry about risk. The vast majority of fraud is perpetrated on small- and medium-sized businesses.

However, there are simple steps you can take to mitigate or even eliminate that risk.

Mobile Payment Made Secure

According to market studies, payments made on mobile devices recently reached $75 billion a year. Those studies predict that revenue will increase to $503 billion by 2020. It’s not really an income source that you want to miss out on due to anxiety about safety.

Safer mobile payment practices are very similar to those for traditional credit or debit card transactions. It boils down to due diligence. Ensure that the Wi-Fi network the mobile device is linked to is sound and secure. If the mobile payment isn’t face-to-face, require a CVV code and consider adding a two-factor authentication method (2FA) that requires consumers to respond to a verification code before the transaction can be completed. Also, always partner with a trustworthy mobile payment processing provider.

Best Practices for a Safe Non Profit

For the most part, non profits attract honest, decent people committed to making the world a better place. Sadly, as the financial oversight of non profits is generally less stringent than the oversight of for-profit organizations, that environment can attract the unscrupulous.

The best way to prevent abuses of a non profit’s funds is to enforce a mandate requiring transparency. Transparency and open, honest accounting and management should start from the top down. Beginning with the officers, emphasize the necessity for open books and candid discussion of the finances. Also employ a firm with a good reputation that is equipped to handle non profit payment processing.

Promoting a healthy culture at a non profit, according to fraud experts, can make a big difference. Those with closed off, insular or bullying leadership are more likely to be engaged in fraud.

Pain-Free Medical Billing

More than $3.4 trillion is spent on healthcare in the United States alone, every year. Because there is so much money being spent and handled by so many people and organizations, there are already some aggressive regulations in place to reduce medical fraud. Simply being familiar with those regulations and guidelines, and familiarizing the employees of a medical business with them, can help prevent fraud.

Make comprehensive compliance to medical billing and fraud-prevention practices a top priority. Set the example by choosing a healthcare payment processing provider with a specialization in compliant billing.

That means not just some education and training, but continued education and training. Consider making compliance an element of employee evaluations, implementing policies to protect and encourage whistleblowers, performing audits (or hiring auditors to do so), and comparing the billing of your business with comparable providers in your area and nationally. Sometimes a simple comparison is all it takes to identify questionable finances.

About Payscout

Payscout has earned international praise as a new-generation global payment processing provider. They serve thousands of clients from a multitude of industries across six continents and all 50 states. Their “Go Global Now” technology platform gives merchants access to over 100 countries, billions of consumers, and trillions of dollars. Payscout is recognized as one of the few providers to deliver a true global payment solution that encompasses all merchant risk verticals, including those for mobile payment, healthcare, and non profit communities.

Learn how secure and efficient payment processing can be with Payscout at www.payscout.com

Going Global? You’ll Need These Multi-Layered Fraud Solutions

Cross-border ecommerce represents a tremendous opportunity for enterprising entrepreneurs, but the opportunity comes with a caveat: Cross-border fraud is on the rise.

Fortunately, emerging technologies are adding advanced layers of fraud protection to facilitate safe, secure transactions that enable entrepreneurs to maximize the opportunity.  The progression is rather simple, really: An entrepreneur selling widgets out of a brick-and-mortar operation realizes the expanded reach an ecommerce site would afford them and they start processing online.  As market share grows and business booms, the prospect of expanding the customer base by going global is too compelling to miss.  But what changes when an entrepreneur wants to start processing (and fulfilling) card-not-present (CNP) transactions across borders?  The biggest obstacle is unquestionably fraud – and the potential solutions are driving a revolution in multi-layered fraud protection technologies.

Consider the technology designed to mitigate fraud in each of the merchant channels described in the example above. At the point-of-sale (POS), EMV (Europay, Mastercard and Visa) technology is already dramatically reducing the risk of identity theft and card/PAN (personal account number) theft.  However, as technology improves at one level, the fraudsters find their new opportunity at the next.  In domestic CNP transactions, technology tools such as address verification services (AVS) and CVV2 are standard here in the United States.  In cross-border commerce, however, the entrepreneurs (and consumers) require added layers of security.

Multi-layered fraud tools (such as Payscout’s fraud solution suite) connect to multiple data sources, such as device fingerprinting and geo-location services, on top of the AVS and CVV2 solutions.  Those added layers of security support more secure transactions, provide further insight and promote quality know-your-customer (KYC) practices.  Cross-border merchants need fraud solutions that create customized fraud algorithms, based on the entrepreneur’s requirements, that connect to multiple data sources.  With these solutions in place, merchants can protect their bottom line – and their margin growth.

These technology tools (and partnering with the right payment processor to provide them) help merchants reduce risk and maintain margin growth.  Payscout is leveraging these tools on a global scale in an effort to achieve its mission to “support the entrepreneurial dream one [secure] transaction at a time.”

Tips for Avoiding Credit Card Fraud


Fraud is one of the major issues faced by many credit card owners today. Millions of dollars are lost to credit card fraud each year, with no sign of this trend decreasing. High profile security breaches on organizations like Target and T-Mobile prove that even companies that invest in the best security possible can fall victim to theft and fraud.

So, how can an everyday person protect their identity and prevent fraud? There may be no surefire way to prevent credit card fraud, but there are certainly steps you can take to protect yourself. Try following these three tips to cut down on your chances of falling victim to credit card fraud.

1. Keep Your Card Secured

This might seem obvious, but many people fall victim to fraud after first falling victim to theft. Never leave your credit cards in a place that could be accessed by thieves, like in a desk drawer or in your car’s glove box. Remember, a thief does not need your PIN to withdraw money from an ATM using your credit card, and they can ring up a big bill buying things online. It is best to keep your credit card on your person, either in your wallet or purse, at all times to keep it out of the hands of potential thieves.

2. Don’t Share Your Credit Card Information

The golden rule in avoiding credit card fraud is to not share your credit card information with anyone. It is extremely easy to shop online, and providing online retailers with your credit card information has almost become second nature to some. However, you need to be careful about who you shop with. Make sure you are using a legitimate merchant site and check the website’s credibility before you buy. You also should be cautious about providing your information over the phone, as telephone scams are rampant. Remember, if a deal sounds too good to be true, it usually is.

3. Review Your Billing Statements

There are times when credit card thieves withdraw small amounts of cash from many different bank accounts hoping that their victims never notice the discrepancy. That is why it is so important to review your monthly bank and credit card statements, and equally as important to report any spending you do not remember or have no record of.

How to Avoid Merchant Account Scams

Merchant account scams are a relatively new form of cybercrime. However, the number of scams impacting the U.S. and abroad is growing rapidly. This simply means that business owners who accept debit and credit card payments and process them through a merchant account need to take the necessary steps to protect themselves from becoming victims. Some merchant account scams specifically target businesses that work with debit and credit card processing businesses to process the transactions for their customers.

These particular types of scams have the ability to target both the physical store and online marketplace. These scams are specially designed to get credit and identity information about the businesses and their clients. It is a good thing that there are ways to prevent yourself from becoming the target of a merchant account scam. Businesses should take the following steps to secure their data, and protect their employees, money and customers:

  • Research before you sign a contract: New businesses are usually the primary targets of scams, because they are generally less educated about the merchant account fee process. This allows scammers posing as legitimate merchant account providers to take advantage of them. So, do your homework before signing with a merchant services provider! Check with your local Better Business Bureau to see if they are a legitimately registered business.
  • Trust in peer reviews: Before signing with a merchant services provider, check out their reputation online. Go through their complaints records, status of services and consumer reports. Check their online reviews as well. Do their customers seem happy with them? You should also keep an eye on a company’s social media accounts as people frequently post complaints against companies on their social media accounts versus a website.
  • Compare charges: You should compare every transaction charge on charge statements against the transactions in your financial business records. This ensures that the charged amount and time of each transaction lines up with what is in your personal records. Doing this on a regular basis will help you keep informed about your account and will enable you to catch inaccuracies quickly.

There are many different types of scams that can be applied to merchant accounts. We’ve compiled a short list of the most popular scams to help you recognize them:

  • Partial scam – The most common partial scam is the ‘hidden fee’ scam, where concealed fees, rates and extra charges (usually applied by the processing bank) suddenly pop up, or remain hidden and unaccounted for until the eCommerce merchant receives the bill from the processing bank.
  • Full-scale scam – A full-scale scam is where a merchant applies for a merchant account with a provider that doesn’t actually exist. After filling in a surprisingly short membership form, merchants will get an expensive bill with a high deposit rate in order to suck the maximum amount of money out of the merchant without raising suspicion. After getting the merchant’s money, the scam provider will simply disappear. Emails go unanswered, websites are erased and telephone lines are disconnected. Merchants unlucky enough to fall for this scam will most likely never see their money again.
  • Backdoor scam – A backdoor scam involves changing the program code of a gateway in order to provide a backdoor (hole) for a third-party scammer to connect to later on, when the gateway is in use.

You can prevent falling victim to a merchant account scam simply by working with a credible merchant services provider such as Payscout. Check us out online or contact one of our customer service specialists at 888-689-6088 to find out how we will partner with you to help you securely grow your business.