Financial Security Guides

For Merchants

Avoid chargebacks by using EMV chip card technology

If you accept credit cards at your business, chances are pretty good that you’re familiar with the new EMV technology used to process credit cards that have an embedded data chip. That matters because, since October 2015, liability for certain fraud chargebacks has shifted to the merchant whenever a chip card is presented in-store but not processed with EMV technology.

Many merchants are still unaware of the risks of using traditional POS systems and terminals when accepting a chip card payment. Since chip cards are theoretically impossible to duplicate or clone, the only way for fraudsters to use them is at merchant locations where EMV is not in use. The chip cards being issued today, and likely for the next several years, have both a chip and a traditional magnetic stripe so they can be used in both types of terminals. Without the technology to authenticate an embedded data chip, merchants may inadvertently accept a fraudulent card. When that happens, the merchant will likely receive a chargeback.

Handling some chargebacks is par for the course when you operate a business. But if you’ve ever handled one, you know how cumbersome and time-consuming the process can be. You have a certain number of days to respond, must provide the correct documentation, and then you wait for a response. You may be required to submit additional information before a judgement is reached. And, if you’re found to be at fault, there are fees and penalties in addition to the loss of funds for the items you sold. It’s not a positive experience overall, and one that most merchants despise.

The bad news for merchants without EMV technology is that fraud chargebacks are going to increase over the coming years. The reason is fairly simple to understand: fraud is a booming business. When one door to fraud closes, more traffic flows through the remaining open doors. EMV only closes one door on fraud: card-present transactions at locations with EMV technology. That means other avenues, such as card-not-present online transactions and in-store non-EMV transactions, remain vulnerable and can expect to see a sharp increase.

Implementing an EMV-capable terminal or POS system is the best way to avoid the coming influx of chargebacks. There is a variety of EMV solutions on the market today, with more to come as POS developers continue to innovate and provide enhanced solutions with added value such as built-in encryption and tokenization.

Tokenization

Four reasons why tokenization matters to businesses like yours

Tokenization may sound complicated, but its beauty is in its simplicity.

Tokenization substitutes a string of random numbers—known as a token—for private data like payment account numbers. Instead of your full private number passing through multiple systems of varying security, your personal data is tokenized at point of entry. The actual data the token references is stored in highly secure token vaults.
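To make the mechanism concrete, here is an added example in Python of a toy token vault; it is not code from this page or from any payment vendor. The `TokenVault` class, the `payment-processor` role name, the rule that a token must fail the Luhn check, and the test card number 4111 1111 1111 1111 are all assumptions made for the illustration. A real vault is a separately hosted, encrypted and audited service; the point shown is that the merchant's own records hold nothing a thief could use.

```python
import secrets
from dataclasses import dataclass, field


def luhn_valid(number: str) -> bool:
    """Standard Luhn check that real card numbers pass (helper for the demo)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class TokenVault:
    """Hypothetical token vault (illustration only): the one component that
    ever sees the real PAN. It maps tokens <-> PANs and enforces who may
    reverse a token."""
    _pan_by_token: dict = field(default_factory=dict)
    _token_by_pan: dict = field(default_factory=dict)

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not (13 <= len(digits) <= 19 and digits.isdigit() and luhn_valid(digits)):
            raise ValueError("not a plausible card number")
        if digits in self._token_by_pan:          # same card -> same token
            return self._token_by_pan[digits]
        while True:
            # Random digits (not a hash of the PAN, which could be brute forced),
            # keeping the last four so receipts can still show "****1111".
            body = "".join(secrets.choice("0123456789") for _ in range(len(digits) - 4))
            token = body + digits[-4:]
            # Assumed design rule: reject Luhn-valid candidates so a token can
            # never be mistaken for, or submitted as, a real card number.
            if token not in self._pan_by_token and not luhn_valid(token):
                break
        self._pan_by_token[token] = digits
        self._token_by_pan[digits] = token
        return token

    def detokenize(self, token: str, role: str) -> str:
        """Only the processing side may reverse a token (assumed role name)."""
        if role != "payment-processor":
            raise PermissionError(f"role {role!r} may not detokenize")
        return self._pan_by_token[token]


def store_order(merchant_db: list, vault: TokenVault, pan: str, amount: float) -> dict:
    """What the merchant's own system keeps: the token, never the PAN."""
    record = {"token": vault.tokenize(pan), "amount": amount}
    merchant_db.append(record)
    return record


def exposed_card_numbers(merchant_db: list) -> list:
    """Simulate what a thief who copies the merchant database actually gets:
    any stored string that would pass as a real card number."""
    return [v for rec in merchant_db for v in rec.values()
            if isinstance(v, str) and v.isdigit() and luhn_valid(v)]


if __name__ == "__main__":
    vault = TokenVault()
    db = []
    store_order(db, vault, "4111 1111 1111 1111", 19.99)   # constructed test PAN
    store_order(db, vault, "4111 1111 1111 1111", 5.00)    # repeat customer
    print("merchant records:", db)
    print("usable card numbers in merchant DB:", exposed_card_numbers(db))
    print("processor recovers PAN:", vault.detokenize(db[0]["token"], "payment-processor"))
```

Run it and the merchant database contains only tokens: `exposed_card_numbers` finds nothing a thief could charge against, the repeat customer gets the same token so the merchant can still recognise a returning card, and only the processor role can reverse the token to settle the sale.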

Tokenization makes the process of accepting payments easier and more secure for businesses. Tokenization is more than just a security technology—it helps create seamless payment experiences and satisfied customers. Tokenization reduces risk from data breaches, helps foster trust with customers, minimizes red tape and drives technology behind popular payment services like mobile wallets.

Best of all, businesses reap all these benefits today. Let’s take a look.

Tokenization reduces risk from data breaches

Criminals target businesses that accept credit and debit cards because that’s the raw data that fuels fraud. Hackers target insecure systems that contain this raw data, and sell the stolen information or use it themselves to make fraudulent purchases.

The costs to businesses are all too familiar. Ponemon Institute’s 2018 “Cost of a Data Breach” study pegged the average cost of a data breach at $3.86 million. Ponemon’s cost estimate for each lost or stolen record containing confidential information now stands at $148.

Tokenization protects businesses from the negative financial impacts of data theft. Even in the case of a breach, the valuable personal data isn’t there to steal. Tokenization can’t protect your business from a data breach itself—that takes best practices and a commitment to rigorous procedures. But tokenization makes your system dramatically less attractive to criminals and reduces the financial fallout from any potential breach.

Tokenization helps foster trust with your customers

Consumers have spoken with a clear, unambiguous and unified voice, demanding safety and security wherever they shop. In the age of fraud, building trust and loyalty with customers begins with keeping their payment and other personal data safe.

In a 2018 CA Technologies/Frost & Sullivan study, 59 percent of consumers said a data breach had a negative impact on their trust in the impacted company. Beyond avoiding the worst case scenario of a data breach, using advanced security such as tokenization fosters customer trust. Consumers don’t want their payments data falling into the wrong hands. Demonstrating a strong commitment to the security of customer data is foundational to trust.

Tokenization offers an anchor in defense against threats to your business’ reputation. Working quietly behind the scenes, tokenization is helping businesses maintain and grow customer trust and loyalty.

Tokenization means less red tape for your business

Businesses that accept credit and debit cards need to be in compliance with the Payment Card Industry Data Security Standard (PCI DSS). Tokenization makes achieving and maintaining compliance with industry regulations a significantly easier lift.

Tokenization addresses requirement set #3: protecting cardholder data at rest. PCI DSS seeks to reduce retention of sensitive data and safely govern its storage and deletion. Tokenization satisfies this critical requirement by never letting sensitive cardholder information touch your systems in the first place.

Tokenization isn’t a compliance silver bullet. But working with a PCI-compliant vendor offers a smart approach to payment security. Leading payment technology companies offer tokenization as part of their payment processing services. That lets you focus on growing your business while your payment partner reduces red tape and helps keep you in compliance.

Tokenization drives payment innovations

The technology behind tokenization is essential to all the ways we buy and sell today. From secure in-store point of sale acceptance to payments on-the-go, from traditional eCommerce, to a new generation of in-app payments, tokenization makes paying with the devices that drive our lives easier—and safer—than ever.

The rising popularity of in-store payments with your customers’ mobile devices relies on tokenization. When consumers pay with a mobile wallet such as Apple Pay or Google Pay, their personal credit card data is stored on their phone as a token, making their phone even safer than plastic cards. Online, tokenization is revolutionizing eCommerce payments by improving both safety and user experience. Tokenization similarly underpins payments made via increasingly popular dedicated apps. In short, tokenization is making seamless commerce a safer reality virtually everywhere it takes place.

Security Points to Follow

If you decide to outsource online payment management to a specialist company, this company will be responsible for security by encrypting data in the following ways:

New technologies

Is your business PCI-compliant? Do you accept only EMV or chip-enabled credit and debit cards? Have you begun to learn about biometrics and how this can add a layer of security to your payment solution? These techniques as well as tokenization can go a long way in preventing chargebacks.

SSL-protected website

Customers expect to use an SSL-protected website when entering their credit card information. The recognized “https” at the beginning of a website’s address has become one of the standards of security that consumers have come to count on. The SSL (Secure Sockets Layer) standard protocol guarantees the privacy of data transferred via the Internet.

Address verification

Never accept a credit card payment without confirming the customer’s billing address. Errors in the billing address, such as a mistake in the Zip Code or using Road instead of Street, often are indicators that the credit card is stolen. Some merchants have restrictive rules on accepting orders that are delivered to an address other than the billing address. It may be worth adding in an extra step to confirm the different delivery address.

Integrity of data transferred guaranteed by embedding data

Authentication of the different parties (merchant and bank) via a shared secret key

Safe storage of data through compliance with Visa and Mastercard standards (known as PCI DSS)

Authentication of all parties involved (known as 3-D Secure) to keep fraud at a minimum by authenticating the user of the credit or debit card

In a bid to minimise fraud, filtering (or scoring) systems can also be put in place to prevent suspicious activity. For instance, filters can screen for payments made from billing addresses that include a postcode with previous fraudulent activity.
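The address-verification rules above and the postcode scoring filter just described can be combined into one order-screening step. The Python below is an added example, not code from this page or from any payment provider: it normalises street abbreviations (so “Rd” and “Road” agree, while “Road” versus “Street” still counts as a mismatch), compares the customer's billing address with the address the card issuer holds, checks the billing postcode against a list with previous fraudulent activity, and flags a delivery address that differs from the billing address for confirmation. The score weights, thresholds, the `Order` fields, and the placeholder postcodes are all assumptions made for the illustration.

```python
import re
from dataclasses import dataclass

# Abbreviations that mean the same street type; treating them as equal avoids
# false alarms, while "Road" versus "Street" still counts as a mismatch.
_ABBREVIATIONS = {"rd": "road", "st": "street", "ave": "avenue", "ln": "lane"}

# Constructed list of postcodes with previous fraudulent activity
# (placeholder values, not real data).
FLAGGED_POSTCODES = {"XX11XX", "XX99XX"}


def normalise_line(address_line: str) -> str:
    """Lower-case, strip punctuation and expand street abbreviations."""
    words = re.findall(r"[a-z0-9]+", address_line.lower())
    return " ".join(_ABBREVIATIONS.get(w, w) for w in words)


def normalise_postcode(postcode: str) -> str:
    return re.sub(r"\s+", "", postcode).upper()


@dataclass
class Order:
    billing_line: str       # address the customer typed at checkout
    billing_postcode: str
    delivery_line: str
    delivery_postcode: str
    issuer_line: str        # billing address the card issuer holds (stand-in
    issuer_postcode: str    # for an address verification response)


def score_order(order: Order, flagged_postcodes=FLAGGED_POSTCODES) -> dict:
    """Apply the billing-address and postcode filters to one order.
    Weights and thresholds are assumed values chosen for the illustration."""
    score = 0
    reasons = []
    billing_pc = normalise_postcode(order.billing_postcode)
    if billing_pc != normalise_postcode(order.issuer_postcode):
        score += 50
        reasons.append("billing postcode does not match issuer record")
    if normalise_line(order.billing_line) != normalise_line(order.issuer_line):
        score += 40
        reasons.append("billing street line does not match issuer record")
    if billing_pc in flagged_postcodes:
        score += 30
        reasons.append("billing postcode has previous fraudulent activity")
    delivery_differs = (
        normalise_line(order.delivery_line) != normalise_line(order.billing_line)
        or normalise_postcode(order.delivery_postcode) != billing_pc
    )
    if delivery_differs:
        score += 20
        reasons.append("delivery address differs from billing address")
    if score >= 70:
        decision = "decline"
    elif score >= 30:
        decision = "review"
    else:
        decision = "accept"
    # A different delivery address is not fraud by itself, but it is the case
    # the text suggests confirming with the customer before dispatch.
    return {"score": score, "decision": decision, "reasons": reasons,
            "confirm_delivery": delivery_differs}


if __name__ == "__main__":
    sample = Order("12 High Road", "XX2 2XX", "12 High Road", "XX2 2XX",
                   "12 High Street", "XX2 2XX")          # constructed order
    print(score_order(sample))
```

The sample order is the “Road instead of Street” case from the text: it lands in review rather than being declined outright, so a human can confirm the address before the goods are shipped.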


Ten tips to protect your small business from hackers: Be safe, as cyber crime rockets and open banking approaches

2017-11-24

Crime committed online by cyber hackers is increasingly becoming daily news.

Last week, Cash Converters revealed it had suffered a major breach of security with thousands of UK borrowers' personal data being held to ransom.

It comes hot on the heels of one of the worst ever data breaches at credit agency Equifax, which saw 694,000 customer records in the UK have their data stolen.

Politicians, newspapers, telecoms and energy firms have all been targeted by hackers.

Scarier still, in a little under two months' time, European legislation called the Payments Services Directive II - also known as open banking - will come into force.

In a nutshell, this change will mean that banks and building societies will have to share your data with registered third parties as long as you consent.

Hard as it may be to believe, the reality is your data shouldn't be any more or less safe after open banking than it is now.

But according to Stephen Walker, lead analyst at Global Data, its advent is likely to escalate attempted hacks.

'It’s a well-known fact that banking receives 300 to 400 per cent more cyber security attacks than any other industry,' he explains.

'That’s because the rewards are that much higher, in terms of not only lost funds, but fraudulent identity, identity fraud, and banks have traditionally protected that by keeping the drawbridge closed.

'Open banking effectively asks them to open the front door. Banks will be exposed to, I think, more risks in more places, with little guidance on how to address those risks, and as things stand, as my understanding is, full liability in the event of any breach.'

Whether or not you choose to allow your bank to provide access to your information to a third party - such as a budgeting app for example - it always pays to do everything you can to stay safe online.

To help, we have asked data security specialist Nik Whitfield, of Panaseer, to give his top 10 tips to protect yourself and your business from hackers.

1. Keep software up to date
========================

The idea of auto updates is great. The reality is far more difficult as most updates require testing in the environment prior to implementation.

Many companies also have a large backlog of updates or patches, which requires prioritisation. Ultimately, if companies build updates into their normal IT operations, it becomes more feasible to have auto-updates turned on for the most common systems.

Top 10 most crackable online passwords

One in 10 of us use one of 25 passwords.

Here are the most overused and least safe passwords - so steer clear!

123456

password

12345

12345678

football

qwerty

1234567890

1234567

princess

1234

Use Have I Been Pwned to check if your password is still safe.

2. Practise good password behaviour
==============================

This may be one of the oldest tips for security but it’s still a huge problem. Enforcing the use of strong passwords is still the most effective approach to this issue - ensuring a minimum password length and complexity, making sure they get updated regularly and not letting staff re-use old passwords.

This approach, coupled with good and ongoing awareness training on other important password controls (don’t use the same passwords for personal and business use, don’t store your passwords in a software tool, never share passwords) is key.

Staff need reinforced education on passwords and the risks.

Use password vaults to store passwords safely - here are a few to consider: LastPass, Dashlane, KeePass and 1Password. Hopefully one day authentication techniques will be improved to the degree where we no longer need passwords.
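The controls in this tip and the password list above can be checked in code at the point a password is set. The Python below is an added example, not part of the article and not from Panaseer: it enforces a minimum length and complexity, blocks the ten overused passwords listed earlier, rejects reuse against a salted password history, and performs a breached-password lookup of the kind the Have I Been Pwned password service offers, where only the first five characters of the SHA-1 hash are sent and the match is made locally. The policy numbers (12 characters, three character classes), the breach sample data and the sample passwords are constructed assumptions.

```python
import hashlib
import re

MIN_LENGTH = 12          # assumed policy value; the article gives no number
REQUIRED_CLASSES = 3     # of lower / upper / digit / symbol (assumed policy)

# The ten most overused passwords from the list above, used as a block list.
COMMON_PASSWORDS = {"123456", "password", "12345", "12345678", "football",
                    "qwerty", "1234567890", "1234567", "princess", "1234"}

# Constructed stand-in for breach data (password -> times seen in breaches).
# A breached-password service of the Have I Been Pwned kind is queried with
# only the first five hex characters of the SHA-1 hash and answers with every
# matching suffix and count, so the password itself never leaves the client.
_BREACHED_SAMPLES = {"Summer2017!!": 1543, "letmein": 1_200_000, "Pa55word": 9002}


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def _build_range_index(samples: dict) -> dict:
    """Index the constructed breach data the way a range query would see it."""
    index = {}
    for pw, count in samples.items():
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], {})[digest[5:]] = count
    return index


BREACH_RANGE_INDEX = _build_range_index(_BREACHED_SAMPLES)


def breach_count(password: str) -> int:
    """k-anonymity lookup: ask by 5-character prefix, match the suffix locally."""
    digest = _sha1_hex(password)
    return BREACH_RANGE_INDEX.get(digest[:5], {}).get(digest[5:], 0)


def history_hash(password: str, salt: bytes) -> str:
    """Slow, salted hash kept in the password history (never the password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000).hex()


def password_problems(candidate: str, previous: list) -> list:
    """Return every policy rule the candidate breaks; an empty list means accepted.
    `previous` holds (salt, history_hash) pairs for the user's old passwords."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, candidate))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < REQUIRED_CLASSES:
        problems.append(f"uses fewer than {REQUIRED_CLASSES} character classes")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if breach_count(candidate):
        problems.append("appears in known breach data")
    if any(history_hash(candidate, salt) == h for salt, h in previous):
        problems.append("matches a previously used password")
    return problems


if __name__ == "__main__":
    salt = b"constructed-salt"                      # per-user random salt in practice
    history = [(salt, history_hash("Correct-Horse-Battery-9", salt))]
    for pw in ("Password", "Summer2017!!", "Correct-Horse-Battery-9", "Blue-Kettle-Orbit-42"):
        print(pw, "->", password_problems(pw, history) or "accepted")
```

The history stores only salted, slowed hashes, so the reuse check never needs the old passwords in clear, and the breach check demonstrates why a prefix-only query is safe to send: the server learns a five-character prefix shared by many passwords, nothing more.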

3. Make security part of your buying decision when purchasing software
=======================================================

As we move more to software as a service, cloud, and other operating models, the importance of incorporating security from the start becomes more important.

This means product and development teams should engage the security department from the very beginning of the decision and implementation process.

By getting involved early, key security decisions over access, logging, and monitoring can be addressed up front and potentially avoid becoming an obstacle for implementation later in the cycle. Businesses should integrate dual factor authentication for all new applications/systems - without it, the system should not be integrated.

The same goes for individuals - if you're upgrading your computer, software or home systems, think about security first.

4. Keep firewalls turned on
=====================

There is always a temptation to consider turning off security measures such as firewalls when running into application or system implementation issues.

But sometimes the problem with this is that they are not turned back on, which can expose the entire company or your personal computer to compromise. Using tools to automate the monitoring of firewalls (such as xxxxx) will ensure that doesn't happen.

5. Change wifi passwords from the default
================================

All default passwords on all IT devices and software should be changed as part of the initial implementation procedures. Since wifi is a gateway into a company’s network or your home network, it is critical that there are no easy ways for unauthorised users to gain access.

Most intruders, regardless of their motive, will first try to breach a company using weaknesses in their basic security.

Any company’s normal assessment processes for devices and software should include searching for default passwords.

This is really important - hackers have successfully used household devices including baby monitors, smart TVs or wifi to hack into people's homes and gain access to their data.

MOST COMMON CYBER CRIMES

Phishing: bogus emails asking for security information and personal details

Webcam manager: where criminals take over your webcam

File hijacker: where criminals hijack files and hold them to ransom

Keylogging: where criminals record what you type on your keyboard

Screenshot manager: allows criminals to take screenshots of your computer screen

Ad clicker: allows a criminal to direct a victim’s computer to click a specific link

Source: National Crime Agency

6. Try not to connect to public wifi
==========================

Businesses need to marry IT policy with employee behaviour. In an ideal world, staff would never connect corporate devices to a public wifi network.

However, with the human need to be always connected, I’m not sure it’s worth trying to fight the tide on this.

Sure, for our users with higher level privileges or key personnel, it might be a good approach to advise they do not use public wifi, but even they may not comply.

It may be best to focus on steps we can take to help reduce the risk of using public wifi, such as making sure antivirus is running and current on the device, turning off user admin rights on the device, making sure data loss prevention software is running and not permitting privileged access when not on the company network.

It's also worth noting that last month researchers at a Belgian university revealed that huge numbers of wifi-enabled devices are vulnerable to a newly discovered hack nicknamed Krack.

Computers and phones running iOS, Android, Windows and Linux, as well as wifi hardware from companies including Cisco and Ubiquiti Networks, are all affected by the issue. Make sure you are up to date with Krack patches.

7. Use antivirus software
===================

USE IT! Also make sure you keep the 'definition files' current. While many businesses are now questioning the value of today’s antivirus applications, not using it is foolish.

This comes down to the simple premise that the bad hackers always go for the easiest way to compromise your system and not using this very basic security approach will make it much more likely that you will be compromised.

Would you leave your house and never lock it?

8. Use an old laptop for all your online banking
=====================================

Often people just ditch an old laptop, or leave it somewhere to gather dust.

Rather than do this, it's actually a great idea to keep an old laptop working but use it for online banking transactions only.

Of course, it's still important to be smart about your banking application safety (use complex passwords, change the passwords frequently, use dual factor authentication), keep your device software updated and closely monitor your banking activity.

9. Never respond to incoming links
===========================

Not responding to links embedded in email is a strong security practice for consumers and businesses alike.

If you must use an embedded link, make sure you know the source sending the email and that you trust the sender. If not, you should not connect to the link.

Also, looking at the details of the source of the message, the content of the message and link, you may be able to identify that the message isn’t from who it appears to be from.

If so, discard or send to your IT support person to research if it is valid. Again, if you are not sure, never click on a link.

10. Tell vulnerable customers about the risks and how to protect themselves
==========================================================

One of the most important facets of information security is education and awareness.

Unfortunately, most businesses allocate less to this area of security than most other areas.

In the end, most breaches start with human behaviour, which means we need to do as much as we can to educate users.

Any opportunity to teach secure computing should be seized, especially when that education is using a real example pertinent to the user.

WHAT IS OPEN BANKING?
======================

Millions of UK customers have received letters from their bank alerting them to new rules allowing them to choose to share their financial data and get a better service.

Open banking comes into force on 13 January 2018 and means customers can give consent to their bank or building society to share their data in a protected way with registered third party providers such as budgeting or financial apps.

NatWest and RBS, Lloyds Banking Group, Santander, HSBC and first direct have already written to customers outlining what the changes mean.

Rules originating in Brussels, known as the Payment Services Directive II (PSD2), together with a British version referred to as Open Banking, hit in mid-January and will see the biggest banks and building societies across Europe forced to provide standard open access to all their customer data to regulated third parties.

Eventually this should mean that customers will be able to pull all of their financial accounts into one app through which they can easily switch to the best value deals on offer for savings, current accounts, loans, mortgages and even potentially energy bills.

Sharing your data in this way might sound scary but it's vital to note - you're not sharing access to your money, you're sharing access to analyse your information only.

This analysis should have the power to help you manage your money better, more efficiently and with far less effort.