Emerald Business Systems Blog

Steps to Take to Reduce the Anxiety of Paying Online

Posted in Online Business,PCI,POS,Retail by ebs4pos on March 23, 2010

Last year, 92 million people bought things online using credit cards, debit cards and services like PayPal and Google Checkout. Millions of others paid bills and wired money electronically from bank accounts with just a few clicks.

Despite the apparent popularity of all these services, they still cause nagging anxiety for many of us. We wonder, how secure are these payment systems? Will I be out the money if someone steals my account numbers and goes on a wild shopping spree or bleeds my savings dry?

Deciding which online payment method to use would seem to be a simple matter of picking whichever offers higher security. But the wise consumer also weighs the legal protections in the case of theft: the best security and the lowest liability don’t necessarily go together.

Here’s the lowdown on the risks associated with the most popular ways to pay online:

via Steps to Take to Reduce the Anxiety of Paying Online – NYTimes.com.


PCI and the Art of the Compensating Control – CSO Online – Security and Risk

Posted in PCI,POS,Security by ebs4pos on March 16, 2010

This guide to compensating controls is excerpted from chapter 12 of PCI Compliance by Dr. Anton Chuvakin and Branden Williams (Syngress, 2009). For a full sample chapter, see http://www.pcicompliancebook.info/

Information in this chapter:

* What is a Compensating Control?

* Where are Compensating Controls in PCI DSS?

* What a Compensating Control Is Not

* Funny Controls You Didn’t Design

* How to Create a Good Compensating Control

Few payment security professionals can find a hotter PCI DSS topic than compensating controls. They always look like this mythical accelerator to compliance used to push PCI Compliance initiatives through completion at a minimal cost to your company with little or no effort.

Compensating controls are challenging. They often require a risk-based approach that can vary greatly from one Qualified Security Assessor (QSA) to another. There is no guarantee a compensating control that works today will work one year from now, and the evolution of the standard itself could render a previous control invalid.

The goal of this chapter is to paint a compensating control mural. After reading this chapter, you should know how to create a compensating control, what situations may or may not be appropriate for compensating controls, and what land mines you must avoid as you lean on these controls to achieve compliance with the Payment Card Industry Data Security Standard (PCI DSS).

via PCI and the Art of the Compensating Control – CSO Online – Security and Risk.

RSA 2010 EXCLUSIVE PCI Security Standards Council Interview

Posted in PCI,Security by ebs4pos on March 14, 2010

At RSA 2010, I was given a unique opportunity to interview Bob Russo, GM at PCI SSC, and Troy Leach, CTO at PCI SSC. I had prepared a deck of very tough questions and then had an hour-long discussion with Bob and Troy around those questions. What follows is the interview reconstruction from my notes with minimum edits and clarifications by the Council folks.

via Anton Chuvakin Blog – “Security Warrior”: RSA 2010 EXCLUSIVE PCI Security Standards Council Interview.

Understanding tokenization amid PCI encryption requirements

Posted in Bars and Taverns,PCI,POS,Restaurant,Retail by ebs4pos on March 14, 2010

Achieving compliance with PCI DSS encryption requirements is no easy feat. However, tokenization, a growing technology that enables a token to replace a credit card number in an electronic transaction, is emerging as a useful, complementary strategy for saving time, money and turmoil during your PCI DSS compliance processes.

This mini learning guide offers a brief introduction to tokenization technology, as well as PCI DSS encryption requirements. Learn more about the future of tokenization and how the technology may help to ease PCI DSS compliance burdens.

via Understanding tokenization amid PCI encryption requirements.

Thieves skim customer data from debit terminals

Posted in Bars and Taverns,PCI,POS,Restaurant,Retail,Security by ebs4pos on March 13, 2010

Thieves are accessing personal financial information using the old-fashioned smash-and-grab method, but what they’re grabbing are point-of-sale terminals, not merchandise.

CBC-TV’s Marketplace has learned that many retailers are not helping the situation because they leave valuable information on the terminals where customers swipe their debit and credit cards when paying for purchases instead of wiping the data each night as they’re supposed to.

It’s the equivalent of leaving the store vault open and full of cash, except the cash is credit and debit card data, said RCMP Det. John Koppes of Abbotsford, B.C., who is the Mounties’ computer crime specialist.

“In the old days, they’d go with a gun, and they would try to get into the bank vault,” said Koppes. “The criminals now know that the open bank vault per se can be the point-of-sale terminals sitting on a counter top or in a store.”

via CBC News – Consumer Life – Thieves skim customer data from debit terminals.

How Credit Card Payment Processing Works

Posted in Bars and Taverns,General Business,PCI,POS,Restaurant,Retail by ebs4pos on March 12, 2010

Credit cards have become so popular today as a means of payment that they are accepted by almost every merchant that exists today. With the credit card being so popular, there have been a lot of banks that issue credit cards of their own, and most of the credit cards that exist today make use of either Visa or MasterCard. However, even though there are various credit cards that can be found these days, all of them actually work in the same way.

To start a payment process that uses a credit card, a merchant should first calculate the total amount of items that a buyer is purchasing. Then, after the merchant has received the credit card from the buyer, he or she will swipe the card by passing it through an insertion line in a point-of-sale unit that has been designed especially for credit cards. At this point, it is necessary to determine the total amount to charge to the credit card in use.

There are usually two ways of determining this total amount. The first way is that the merchant enters the amount manually by typing it into the point-of-sale machine. Another way is to transmit the amount digitally from the cash register. Either way it will usually work just fine, since they are basically used for the same purpose.

After this process has been completed, the merchant then sends the transaction and credit card details to the acquiring bank of the credit card. This bank then forwards the information to the issuing bank of the card. The issuing bank will then check whether or not there are sufficient funds for payment. If not, the transaction is rejected. Otherwise, the issuing bank will generate and send back the authorization code so that payment can be made. Then, the acquiring bank forwards the authorization code to the merchant’s point-of-sale machine.

After all the above processes have been completed, a proof of purchase by means of a credit card will be printed. Then the payment process is complete.

via How Credit Card Payment Processing Works – American Banking News.
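The authorization round trip described in that excerpt (terminal to acquiring bank to issuing bank, with an authorization code returned), combined with the token substitution from the tokenization post above, as an added simulation that is not code from either article. The issuer ledger, the card numbers, the balances and the acquirer's token key are all constructed for the example.

```python
# Simulated card authorization: terminal -> acquirer -> issuer -> auth code back.
# The acquirer also hands the terminal a token, so the terminal stores no full PAN.
import hmac
import hashlib
import secrets

# Constructed issuer ledger: PAN -> available funds in cents. Not real accounts.
ISSUER_ACCOUNTS = {"4111111111111111": 50_00, "5555555555554444": 1_00}

# Assumption: a secret held only by the acquirer, used to derive merchant tokens.
ACQUIRER_TOKEN_KEY = b"constructed-acquirer-token-key"


def issuer_authorize(pan: str, amount_cents: int) -> dict:
    """Issuing bank: check funds, hold the amount and return an authorization code."""
    balance = ISSUER_ACCOUNTS.get(pan)
    if balance is None:
        return {"approved": False, "reason": "unknown card"}
    if balance < amount_cents:
        return {"approved": False, "reason": "insufficient funds"}
    ISSUER_ACCOUNTS[pan] = balance - amount_cents
    return {"approved": True, "auth_code": secrets.token_hex(3).upper()}


def acquirer_process(pan: str, amount_cents: int) -> dict:
    """Acquiring bank: forward to the issuer, then map the PAN to a stable token."""
    result = issuer_authorize(pan, amount_cents)
    if result["approved"]:
        # Keyed token: same card gives the same token, but it cannot be reversed
        # to the PAN without the acquirer's key.
        digest = hmac.new(ACQUIRER_TOKEN_KEY, pan.encode(), hashlib.sha256)
        result["token"] = digest.hexdigest()[:16]
        result["last4"] = pan[-4:]
    return result


def terminal_sale(pan: str, amount_cents: int) -> dict:
    """Point-of-sale terminal: send the sale and keep only receipt-level data."""
    resp = acquirer_process(pan, amount_cents)
    record = {"amount_cents": amount_cents, "approved": resp["approved"]}
    if resp["approved"]:
        # What is left on the terminal overnight: token, auth code, masked PAN.
        record["auth_code"] = resp["auth_code"]
        record["token"] = resp["token"]
        record["masked_pan"] = "*" * 12 + resp["last4"]
    else:
        record["reason"] = resp["reason"]
    return record
```

The stored record is what a thief who grabs the terminal would get: a token that is useless without the acquirer, not the card number.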

Overpaying For PCI Compliance?

Posted in Bars and Taverns,PCI,POS,Restaurant,Retail by ebs4pos on March 11, 2010

Are you paying too much to validate your PCI compliance? It’s possible, even likely, that you are. The reason is not that your QSA is too expensive or that PCI is too demanding. Rather, the reason many merchants pay too much is that they forget PCI Requirement 0. You don’t know Requirement 0? It says: Minimize Your PCI Scope. Failing to comply with Requirement 0 may be due to inertia or ignorance or both. Regardless of the reason, the result is excessive and unnecessary spending on people, process and technology, together with a lot of frustration.

via StorefrontBacktalk » Blog Archive » Overpaying For PCI Compliance.

A ‘Breach’ in Customer Loyalty

Posted in PCI,Restaurant by ebs4pos on March 6, 2010

Compliance with the Payment Card Industry Data Security Standard (PCI DSS) continues to be a hot topic in hospitality circles, and for technology writers. In fact, large volumes have been written on the topic, with countless articles offering best practices and reporting on non-compliance penalties, such as increasing fees and commissions. It’s been reported, also, that the hospitality industry continues to struggle with compliance. The American Hotel and Lodging Association’s PCI Primer reports that upwards of 55% of credit card fraud comes from the hospitality industry, and the smallest merchants (Level 4) account for more than 85% of compromises, with a noticeable increase in risks coming from franchisees.

There is one area, however, that remains difficult to measure: consumer confidence. What is the tangible impact to customer confidence and company reputations when a security breach occurs? The University of Delaware is conducting a study, with the assistance of graduate student Ekaterina Berezina, on the impact of poor security on consumer confidence. Specifically, the study seeks to understand the impact of credit card breaches on service quality, guest satisfaction, future revisit intention and the likelihood of recommending the brand/hotel to others (word-of-mouth intention).

via A ‘Breach’ in Customer Loyalty | In This Issue | Hospitality Technology: Technology Resource for Restaurant/Lodging Executives.

Why 41 Percent of You Would Fail a PCI Audit – CSO Online – Security and Risk

Posted in PCI,POS,Retail by ebs4pos on March 1, 2010

Security vendors are launching a gazillion products this week at RSA Conference 2010, but hidden in all of those press releases are a few nuggets that illustrate the big picture trends. Here are a few of the more interesting items found in the press room this morning:

QSAs: 41 Percent of Companies Would Fail PCI audit

New research from The Ponemon Institute suggests nearly half of the companies out there would bomb a PCI security audit.

The report says that while only two percent of businesses outright fail compliance audits, 41 percent would fail if unable to rely on temporary compensating controls to meet Payment Card Industry Data Security Standard (PCI DSS) requirements. These alternative routes to compliance must meet QSA approval, but they may be just temporary fixes or be eliminated by future changes to PCI DSS. Their prevalence appears to indicate businesses are still coming up to speed with the security standard introduced in 2006.

via RSA 2010: Why 41 Percent of You Would Fail a PCI Audit – CSO Online – Security and Risk.

Average Annual Cost of PCI Compliance Audit? $225k – CSO Online – Security and Risk

Posted in PCI,POS,Retail by ebs4pos on March 1, 2010

Merchants that undergo network audits to ensure compliance with the Payment Card Industry Data Security Standard are paying an average of $225,000 each year, and 10% of these businesses are paying $500,000 or more annually, according to a new study. In spite of that, 2% of them fail these audits.

The study, conducted by The Ponemon Institute under sponsorship of Thales, surveyed 155 qualified security assessors (QSAs) worldwide who are authorized by the PCI Security Standards Council to conduct these annual technical reviews of the largest merchants’ networks. The QSAs were asked to share information about how much their customers are spending on annual PCI audits, which are required by banks and card associations, such as Visa or MasterCard, to be allowed to process payment cards.

With $225,000 to $500,000 spent annually on a PCI audit, “that’s a large chunk of change to be doing each and every year,” says Dr. Larry Ponemon, the Institute’s founder. That cost doesn’t include the technology changes and the operating and staff costs associated with the audit, according to the survey. Ponemon notes that sometimes the annual PCI audit “leads to a better security posture, but not always.”

via Average Annual Cost of PCI Compliance Audit? $225k – CSO Online – Security and Risk.