Why protecting cardholder data is good for your business

Posted on August 7, 2014

More than 800 million computer records containing sensitive information have been part of data breaches in the U.S. since 2005 (privacyrights.org). Moreover, because many small merchants have minimal security for cardholder data, over 80% of attacks target small businesses.

The PCI Security Standards Council explains that if you are at fault for a security breach, fallout can be as follows:

  • Fines and penalties
  • Termination of ability to accept payment cards
  • Lost confidence, so customers go to other merchants
  • Lost sales
  • Cost of reissuing new payment cards
  • Legal costs, settlements and judgments
  • Fraud losses
  • Higher subsequent costs of compliance
  • Going out of business

As stated by the PCI Council,

“Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including point-of-sale devices; personal computers or servers; wireless hotspots or Web shopping applications; in paper-based storage systems; and unsecured transmission of cardholder data to service providers. Vulnerabilities may even extend to systems operated by service providers and acquirers, which are the financial institutions that initiate and maintain the relationships with merchants that accept payment cards.”

Two requirements from the PCI Security Standards Council that can enhance security are maintaining a firewall and protecting stored cardholder data:

Maintaining a firewall to protect cardholder data

Firewalls control your computer network’s traffic, allowing you to deny all traffic from untrusted networks and so block many criminal attacks. Identify all connections to cardholder data and configure a firewall that allows only the necessary connections.

Protecting stored cardholder data

Cardholder data should only be stored if absolutely necessary. When it is stored, cardholders trust the merchant to take precautions to protect sensitive data from criminal attacks. Data storage should be limited to the time required for business purposes. Consider using truncation, index tokens, and securely stored pads to improve your security. In addition, restrict access to cardholder data on a need-to-know basis: individuals should only be authorized to access sensitive data if it is necessary to perform their job.
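The three controls just named, truncation, index tokens and need-to-know access, in one small in-memory vault. This is an added example, not code from the post or from the PCI Council; the role names and the sample PAN are constructed, and a real token store would live in an encrypted database inside the segmented cardholder data environment.

```python
"""Truncation, index tokens and need-to-know access for stored PANs.

Added illustration (not from the post or the PCI Council). Roles and the
in-memory store are assumptions for the example.
"""
import secrets

# Roles allowed to recover a full PAN; everyone else gets the truncated form.
NEED_TO_KNOW = {"chargeback-analyst", "settlement-service"}


def truncate_pan(pan: str) -> str:
    """PCI DSS truncation: at most the first six and last four digits remain."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "X" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Replaces a PAN with a random index token that has no mathematical
    relation to the PAN, so a leaked token is worthless on its own."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        self._by_pan: dict[str, str] = {}

    def __len__(self) -> int:
        return len(self._by_token)

    def tokenize(self, pan: str) -> str:
        truncate_pan(pan)  # validates the PAN format before anything is stored
        if pan in self._by_pan:  # the same card always maps to the same token
            return self._by_pan[pan]
        token = "tok_" + secrets.token_hex(16)  # random index, not derived from PAN
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def lookup(self, token: str, role: str) -> str:
        """Need-to-know: only listed roles get the full PAN back; any other
        caller receives the truncated value, which still matches receipts."""
        pan = self._by_token[token]
        return pan if role in NEED_TO_KNOW else truncate_pan(pan)

    def purge(self, token: str) -> None:
        """Storage is limited to business need: drop the mapping when done."""
        pan = self._by_token.pop(token)
        del self._by_pan[pan]
```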

To learn more about PCI standards and compliance, visit the PCI Security Standards Council, or give us a call.


Are American consumers ready for EMV chip cards?

Posted on July 29, 2014

We believe that American consumers are ready to switch over to EMV chip cards – here’s why.

PYMNTS, a leading payments blog, cited a recent internal survey conducted by MasterCard showing that 57% of MasterCard holders would be interested in receiving chip cards within 6 months or less.

Although consumers might not understand the technology behind EMV chip & PIN, there is enough additional evidence to show they understand that it is more secure, devalues data and makes counterfeiting difficult.

Why else would consumers want something more secure to protect their sensitive data? Data breaches, privacy issues, and other parts of the globe that already have EMV are just a few examples that help support this demand.

Another point to note: Vision Critical, a very well known market research firm, has reported that “69% of Americans believe that EMV chips will make their purchases more secure”. In fact only 5% believed that this technology would have a negative effect on security.

In an interview with Oliver Manahan, MasterCard’s Vice President of Electronic Payments, Manahan states that there has been a nice migration to contactless at the same time as EMV. Adding contactless to EMV terminals will not only future proof merchants, it will allow for a better customer experience, as customers will not have to worry about inserting their cards and entering their PIN.

EMV has worked very well for restaurants in Canada. Our team at Kubera has implemented countless mobile and wireless terminals that are carried to the table by the server. Here’s why it’s great: it’s easy for customers to use, and there is an added benefit in that the tip can be calculated by percentage or dollar amount. In addition, according to Manahan, this has resonated very well with servers, as many of them are receiving larger tips and there is no money left on the table that could get lost or stolen.

Referring back to the Vision Critical survey, “one in 10 respondents said they had already received their EMV chip card”. If the survey is representative of the population of the United States, that’s nearly 32 million Americans! Finally, by October of next year, all credit card companies are expected to move to EMV.


Not ready for payment processing or mobile payments? Here’s why you should be.

Posted on July 8, 2014

Businesses in Canada are at risk if they do not keep pace with modern technology and consumer trends, that is, if they continue to accept only cash as a form of payment.


Supporting evidence from a study conducted by the Rotman School of Management shows that businesses that are “cash only” hurt themselves in the long term and will lose out to competitors who adopt electronic payments in the form of credit cards, debit cards, mobile payments and NFC payments.


In addition, a recent article in the Globe and Mail highlights that, for businesses that accept credit cards, the benefits far outweigh the cost of the 2-3 percent transaction fees associated with accepting credit and debit.


They also suggested 10 tips that we feel are very relevant if you are a business concerned about transaction fees.


Cash Is Not Free

The direct and indirect costs of cash include processing time (counting, re-counting and waiting for deposits), security, security personnel, and cash lost to theft or error.


Ethical Operations

Accepting credit and debit can help your business operate ethically: there is no lost or unaccounted-for cash.


Credit Card Processing Enables Higher Average Sales Price

People are carrying less cash these days, and cash is typically used for lower-value transactions. Use this opportunity to increase your ASP while offering convenience to the consumer.


Customer Service Comes First

If the majority of your customers have cards that offer rewards, let them use their cards at your location. Make purchases quick, painless and easy. This even gives your employees more time to interact with customers instead of counting cash and dealing with a register.


Go Beyond Bricks & Mortar

Payment processing companies have the tools to allow your business to operate online as well as in-store. This way you can sell your goods from anywhere and increase your market share.


Support International Customers

If you live in a major city, chances are you’re getting visitors from all over the world in your business. Don’t limit yourself by refusing their cards when they don’t have cash on hand.


Speed Up Your Cash Flow

With payment processing for credit and debit cards online and in store, funds are transferred immediately into your merchant account and then directly deposited into your business account shortly after.


Data Is King

According to the study, as quoted in the Globe and Mail, “[Data analysis has] allowed for the development and deployment of strategies that have enhanced sales, customer satisfaction, repeat business and hence business growth and profitability.”

If you use payment processing you are given all of this great data in store or online to leverage. Use it to offer a better customer experience, cut costs where needed and create efficiencies.


Cost Benefit Analysis

Typically the benefits outweigh the costs for payment processing. If you aren’t sold by now, conduct a cost benefit analysis and realize the difference with increased throughput and other opportunities that come from accepting payments. At the end of the day your fees end up being a minimal expense.


Get A Good Point Of Sale System

Having several checkout stations or faster payment acceptance such as contactless will make transactions effortless and provide a better customer experience. Consider renting terminals to try different solutions before purchasing one.


Canada is one of the most affluent countries when it comes to technology. Although change can be hard, it’s worth adapting to consumer demands. Digital opportunities provide better service and according to the report outlined in the beginning, the upside is significant.

Mobile, NFC & Contactless payments: Better Customer Experience, Better Sales

Posted on June 26, 2014

Mobile, NFC and contactless payments are all great ways for your business to enhance its customer experience. Happy customers mean return customers, and you know what that means: increased sales and better business!

No matter what type of business you run, whether a gift shop, a café, a ski resort, a gas station or even a grocery store, making it easier for customers to pay with their credit or debit card can really grow your bottom line.

So how can you really make a difference and enhance your customer experience?

1. Let your customers know they can pay with contactless or NFC and that it’s faster and EASIER.

No PIN? No Problem! All your customers have to do is tap and go. No PIN or signature necessary just smiles. Bonus – if customers have a smart phone they can even use their smart phone to pay too with NFC.

2. Let your customers know that NFC, Contactless, & mobile payments are secure.

They are more secure than a swipe solution or even a chip & PIN solution. Most people are not convinced yet, but explain to them that it’s safer because encrypted data is sent back and forth between the card and the terminal.

3. Stay ahead of the curve – get NFC and Contactless Payments enabled terminals.

MasterCard’s VP of Advanced Payments looks at NFC, contactless and EMV payments as technologies that should be implemented at the same time: “Do it once, do it right, and future proof yourself as much as possible”. In addition, total spend is 54% higher for customers who use MasterCard contactless than for those who do not.

Your customers will enjoy the convenience once they understand it better. Put yourself in their shoes: what would they want most? Convenience, security, technology? I think so; it pays to make it easier for your customers to purchase your products and services.

If you would like to learn more about these benefits, we highly recommend reading Accenture’s survey on the Mobile Payments habits of North Americans. You can download the PDF here.

Are Mobile Payments Ready to Take Off?

Over the past few years we’ve seen several mobile payments ventures gain plenty of momentum but never take off or become mainstream.

Another mobile payments system has launched today – Paym. Paym links your cellphone number to your bank, which enables you to pay with your mobile device.

Let’s hope that Paym is able to make a reasonable impact to mobile payments innovation.

Google Wallet

We also expect that, given the wearable tech trend and its symbiotic relationship with mobile payments, it is only a matter of time before mobile payments become the norm. For example, the Samsung Galaxy Gear 2 watch will let wearers pay with PayPal from their watch.

Not too long ago, Ariel Bardin, the head of Google payments, stressed their commitment to mobile payments. Google Wallet has struggled over the past few years but is still a major contender. It recently opened up its cloud-based technology, “host card emulation” or HCE, to developers, which enables anyone to leverage NFC. This also allows merchants to embed easy payment buttons into their websites so that customers can pay with Google Wallet. With Google’s commitment, it’s very possible that in the next few years they will make a serious impact on mobile payments.

Something potentially more impactful is Apple.

Apple’s large customer base and iTunes infrastructure position Apple to be at the front line of mobile payments. They now have 800 million iTunes accounts linked to customer credit cards; Amazon has only a fraction of that.

iPhone fingerprint ID

With this customer base and their technology improvements, they can turn iTunes into a total e-commerce and mobile payments business. Touch ID, where a customer uses their fingerprint to unlock a phone, can be used as a verification step to approve transactions. This helps consumers “feel” more secure than a typical PIN or passcode.

iBeacon is another technology already on its way: a Bluetooth signal is sent to a consumer’s phone, and their device shows an alert for a discount near the consumer’s location.

So when will mobile payments take off?

Consumers are ready for it, so it seems like only a matter of time. What also needs to happen is that the right technology must be developed, then adopted by merchants and businesses alike. Once the technology problem is solved, businesses will be the last hurdle before mobile payments become mainstream.

Three POS Skimmers

Posted on March 31, 2014


What is a skimmer?

A skimmer is a small electronic device used to steal credit or debit card information during an otherwise legitimate transaction.

You may have heard about card skimming in restaurants. Typically the victim’s card is taken out of sight, where it is read by a skimmer. Call centres and gas stations are other places where skimming can easily happen.

In this blog article we will be going over a few skimming scenarios that have been highlighted by Krebs on Security recently. Krebs has an amazing blog series on many common skimmers that is worth a read.

Our goal here is to educate our merchants and their customers on common skimming tactics so that credit card fraud can be detected and avoided.

Would you have spotted the fraud?

Krebs highlights this skimmer from 2009, which was attached to the front of a Citibank ATM in California, and asks whether we would be able to spot the device.

Via Krebs on Security

Most people would probably never have noticed this skimmer. We are constantly on the go and would not even notice, or think about looking at, the device that is taking our credit card information. This is why it is our responsibility as merchants to routinely inspect our devices as much as we possibly can.

via Krebs on Security

This device is quite sophisticated: it snaps on top of the ATM’s card reader and looks like part of the actual ATM. It even has a pinhole camera designed to capture the victim’s PIN as they enter it.

Skimmers like these can be homemade or bought online from criminal forums. Some are so sophisticated that they can send the victim’s card data by SMS message to a thief’s mobile number.

Simple But Effective Point-of-Sale Skimmer

This skimmer is very sophisticated and is made for Verifone POS terminals. It’s an easily installed overlay that is very hard to notice. Recently some fraudsters installed one at a Nordstrom department store while the employee operating the register was distracted. Nordstrom later discovered the skimming device on its POS.

As a merchant or a customer, would you have spotted that one?

Fake ATMs

Krebs’ blog has identified many interesting skimmers. This one, however, is probably the most interesting of them all. Credit and debit card thieves went to the trouble of creating a completely fake ATM that stacks right on top of a legitimate ATM. It was discovered in November 2013, when a customer at the Bank of Brazil tried to use the ATM but was denied. The customer became suspicious and called the police, who removed the skimmer from the machine. See what it looks like below:

via Krebs on Security

The skimmer was made from a disassembled laptop and skimmer pieces.

via Krebs on Security

Something that gives away these skimmers is spelling mistakes, similar to the ones you would see in a phishing email or a fraudulent popup window on a website.

Customers: Remember to take notice of the machine you are using every time you use a credit or debit card, especially when travelling.

Merchants: Pay attention to your hardware, inspect it for fraudulent devices and make your best effort to abide by PCI compliance standards. This will save you a lot of money and can protect you from reputational loss.

Choosing A Secure Password


As we continue to use technology we need more and more passwords to access things. You might already know these basic tips:

  1. Never reuse your old passwords. “One bad apple ruins the bunch”
  2. Don’t change your password unless you think it’s compromised.
  3. Consider two-factor authentication.

Although you might have a handle on the basics, below are a few password tricks you might not be familiar with, starting with a scenario for how a password gets cracked.

Scenario for breaking a password:

Offline password-guessing attack

The attacker obtains a file of encrypted passwords, as in the LinkedIn breach in 2009. The attacker(s) then recover the passwords and use them to authenticate to the compromised accounts, where more information can be stolen.

The attacker does this by running a commercial program or hacker tool on their computer to guess as many passwords as possible. If a guess is correct (which often happens), they have access to your accounts.

With this method of guessing passwords, two factors are at play: efficiency and power.

Efficiency is how easily the program can guess a password. Some programs are so effective that they guess common passwords first. They have special dictionaries that combine different words to guess common passwords. Common passwords typically have both a root and an appendage, and these do not have to be in any particular order, for example “passwords1234” or “p4s5w0rd12”.

Modern password cracking programs will run through common roots and appendages until they find a match. This is why using individual words and characters is no longer a good way to make passwords.

Password crackers will also feed in any information that may be related to the owner of the compromised account: names, addresses, postal codes, meaningful dates and any other meaningful information. Some programs can even scan a target’s hard drive for such clues.

Obviously all of this work requires a good amount of processing capacity. What makes password-cracking programs so efficient is the processing power available to run them. As computers have developed and processing power has increased, these programs can test more and more passwords per second. In fact one program advertises eight million per second!

So what are some best practices for choosing a password?

Schneier scheme

Take a sentence and turn it into a password. Example: “Holy smokes! Would you look at that.” becomes hs!…wyl@t

A memorable sentence makes it easy to create a password that is long yet easy to remember. These passwords are atypical and generally harder to crack, but still not completely foolproof, as software and hackers continue to get better with time.
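A signup-time check that flags the root-plus-appendage pattern described above (a dictionary root, possibly with leet substitutions, with digits or symbols before or after it) and lets a Schneier-style sentence password through. This is an added example, not code from the post; the root list, the leet table and the personal-info words are constructed for illustration, and a real check would load a large wordlist of the kind cracking tools ship with.

```python
"""Flag 'root + appendage' passwords before they are accepted.

Added example, not from the original post. COMMON_ROOTS and LEET are
small constructed samples; a deployment would use a full wordlist.
"""
import re
from dataclasses import dataclass

# A handful of common roots (constructed sample, not a real cracking list).
COMMON_ROOTS = {"password", "welcome", "letmein", "qwerty", "monkey", "dragon"}

# Substitutions that cracking dictionaries undo ("p4s5w0rd" -> "password").
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "5": "s", "$": "s", "7": "t", "+": "t"})

# Leading non-letters, the core, trailing non-letters (appendage on either side).
_AFFIX = re.compile(r"^([^A-Za-z]*)(.*?)([^A-Za-z]*)$", re.S)


@dataclass
class Verdict:
    weak: bool
    root: str     # the dictionary word the core normalizes to, or ""
    prefix: str   # non-letter appendage before the root
    suffix: str   # non-letter appendage after the root


def split_affixes(pw: str) -> tuple[str, str, str]:
    """Split off leading and trailing digit-or-symbol appendages."""
    m = _AFFIX.match(pw)
    return m.group(1), m.group(2), m.group(3)


def normalize(core: str) -> str:
    """Undo leet substitutions and case so 'P4s5W0rd' becomes 'password'."""
    return core.translate(LEET).lower()


def check_password(pw: str, personal=()) -> Verdict:
    """weak=True when the password is a known root, or a personal word such
    as a name or date (the page notes crackers feed those in too), with an
    optional prefix/suffix appendage: the pattern dictionaries try first.
    Only this pattern is detected; length and entropy are separate checks."""
    prefix, core, suffix = split_affixes(pw)
    word = normalize(core)
    candidates = {word, word.rstrip("s")}  # "passwords" -> "password"
    roots = COMMON_ROOTS | {normalize(p) for p in personal}
    hit = next((c for c in candidates if c in roots), "")
    return Verdict(weak=bool(hit), root=hit, prefix=prefix, suffix=suffix)
```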

Use a password managing service

Some password managers will generate new passwords for every app you use with a random password generation tool. This way your passwords are always different and always random.

While these tips might be useful, there is certainly a positive correlation between Internet security and attacker sophistication. If you aren’t able to go with a password manager, you’re always better off using two-factor authentication and a randomly generated password.


Types of POS Malware part 2

Posted on February 25, 2014

The aftermath of the Target breach has raised concern and, hopefully, greater awareness of the benefits of PCI compliance.

To help increase awareness on POS Malware we’ve covered a few in our previous post, and will continue to cover more in today’s post. First up, Dexter:


Dexter is another Windows-based POS malware family that has several active variants. Like BlackPOS, it “parses memory dumps of specific POS software related processes looking for Track 1 and Track 2 data”. Track 1 data is cardholder name and account numbers and Track 2 is the credit card number and expiration date.

One of its variants, Stardust also extracts internal network traffic information from the company under attack. It’s possible that some of Dexter’s variants are delivered to POS systems via phishing emails or other malicious actors that can access systems remotely. Learn more about Dexter here. 

A supposed successor to Dexter, VSkimmer also targets Windows-based systems. VSkimmer has nearly all the same functionality as Dexter, but it is unique in that it does not need the Internet to transfer data. When no Internet connection is available, it collects all the data and waits for a USB device with a specific name to be connected to the infected machine. Once connected, it transfers all the information to that USB device. Want to learn exactly how it works? Check out McAfee’s blog on the malware here.
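What a responder looks for when checking whether a scraper like Dexter or VSkimmer has harvested track data: this added example (not code from the post, McAfee or any vendor) scans a byte blob, such as a dumped process region, a file staged for a USB hand-off, or captured outbound traffic, for Track 1 and Track 2 records, keeps only Luhn-valid PANs to suppress random digit runs, and reports them masked. The sample blob is constructed, and 4111111111111111 is a public test number, not a real card.

```python
"""Triage helper: find magnetic-stripe track records in a suspected scrape.

Added example, not from the post or any vendor. SAMPLE is constructed;
4111111111111111 is a public test PAN.
"""
import re

# Track 1: %B<PAN>^<NAME>^<YYMM>... ?   Track 2: ;<PAN>=<YYMM><service code>... ?
TRACK1 = re.compile(rb"%B(\d{13,19})\^([^\^?]{2,26})\^(\d{2})(\d{2})\d*\?")
TRACK2 = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})\d*\?")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep only first six and last four digits, the PCI truncation limit."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(blob: bytes) -> list[dict]:
    """One record per Luhn-valid track found, PAN masked, with its offset."""
    hits = []
    for m in TRACK1.finditer(blob):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 1, "offset": m.start(), "pan": mask(pan),
                         "name": m.group(2).decode(errors="replace"),
                         "expiry": m.group(4).decode() + "/" + m.group(3).decode()})
    for m in TRACK2.finditer(blob):
        pan = m.group(1).decode()
        if luhn_ok(pan):
            hits.append({"track": 2, "offset": m.start(), "pan": mask(pan),
                         "expiry": m.group(3).decode() + "/" + m.group(2).decode(),
                         "service_code": m.group(4).decode()})
    return hits


# Constructed sample: two real-looking records, one Luhn failure, one too short.
SAMPLE = (
    b"\x00\x00POSAPP.EXE\x00"
    b"%B4111111111111111^DOE/JANE^2512101000000000?"        # track 1, valid
    b"\x00garbage;4111111111111111=2512101123456789?\x00"   # track 2, valid
    b";4111111111111112=2512101?"                           # fails Luhn
    b";1234=5678?"                                          # too short
)

if __name__ == "__main__":
    for rec in find_track_data(SAMPLE):
        print(rec)
```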

We strongly recommend that businesses running POS systems follow security best practices and maintain PCI compliance. Please use strong passwords and multi-step authentication, update your applications when updates are available, and disallow remote access unless necessary.

Want more tips on how to beef up your payments security? Give us a call.
