What is the cost of a data breach?

Posted on September 16, 2014
eric.milic@kubera.cc

In 2013, there were 1,367 confirmed data breaches and 63,437 security incidents in 95 different countries, according to Verizon’s 2014 Data Breach Investigations Report. 2013 may be considered the “year of the retailer breach”, as many large retailers confirmed large-scale data breaches that put their customers’ data at risk. Target suffered the most, and more recently Gmail, Central Utah Clinic, JP Morgan, Home Depot, and George Mason University have all confirmed breaches.

So what is the actual cost of a data breach?

On a global scale, the Ponemon Institute produced some interesting results in its “2013 Cost of Data Breach Study: Global Analysis”.

The report goes into great detail in analyzing the business costs associated with data breaches, including detection, escalation, notification, and post-response expenses. It also analyzes the economic impact after a breach in terms of diminished customer trust and confidence.

According to Ponemon, Germany and the US had the most expensive data breaches – with an average per capita cost of a data breach at $199 and $188, respectively.

[Screenshot omitted]

The US experienced the highest average total cost per data breach, at an average of $5.4 million per company.

[Screenshot omitted]

In their analysis, seven factors influence the cost of a data breach:

  1. The company had an incident management plan
  2. The company had a relatively strong security posture at the time of the incident
  3. The company had appointed a CISO or an information security professional
  4. Data was not lost due to a third party
  5. The company had a quick response system for notifying victims
  6. The data breach involved stolen items or devices
  7. Consultants were engaged post breach

The three factors that increase the cost of a data breach are: third-party error, lost or stolen devices, and quick notification.

[Screenshot omitted]

Based on the Ponemon report, the factors that significantly decrease the cost of a data breach are (see the chart above): consultants engaged, CISO appointment, an incident response plan, and a strong security posture.

In addition, the report points out a direct relationship between an abnormal customer churn rate (which is what is likely to happen after a breach) and higher data breach costs. The highest lost-business cost due to abnormal customer churn, an average of over $3.03 million, was experienced by US companies.

[Screenshot omitted]

To put this into perspective, it’s been nearly a year since Target had its data breach in December 2013, and the incident cost shareholders a whopping $148 million, partially offset by insurance receivables totaling $38 million.

Preventive measures are the most significant way to reduce your risk and the costs associated with a data breach. The more secure your company is, the less likely it is that important data will be stolen. The ROI on preventive measures is much higher than on believing something won’t happen to your organization.

What is the difference between Ingenico & VeriFone?

Posted on August 13, 2014
Kubera

Ingenico and VeriFone are the two leading manufacturers of stand-alone point-of-sale terminals. Understanding the differentiators between the two may be useful to business owners and merchants.

The two manufacturers are quite alike. Ingenico was founded in 1980 in Paris, and VeriFone in 1981 in San Jose. In 2013, Ingenico and VeriFone generated similar revenue, 1.89 billion and 1.7 billion respectively.

Despite their similar revenue, VeriFone had a 51.5 percent share of all US terminal shipments last year, while Ingenico held 17.4 percent of the US market. Although VeriFone seems to be the dominant force in the market, VeriFone’s shipments dropped 17 percent from the previous year, while Ingenico’s share increased by 47 percent. On a global scale, however, Ingenico holds a 30 percent shipment share, while VeriFone holds an 18.6 percent share.

With the U.S. market moving towards EMV-compatible terminals, Ingenico seems to be on the rise this year. Ingenico’s expertise in EMV terminals and advanced security protocols could continue to bring an increase in sales and shipments. Noticing this trend, VeriFone replaced its CEO last year, bringing in Paul Galant, who remodeled the company’s strategic plan in the hope of staying on top of the market. (via Pymnts.com)

Under Paul Galant’s new company vision, to “become our clients’ most trusted, most secure and innovative partner by delivering terminals, payment as a service and commerce enablement solutions”, VeriFone has been identifying internal areas of improvement and is working to reduce complexity across the company and strengthen its security protocols.

2014 will be a defining time to see whether VeriFone’s new strategic plan and redefined operations can counter Ingenico’s seemingly rising share of terminal shipments. Want to learn more about the two companies? Take a look at the infographic below (via Pymnts.com):

[Infographic omitted]

Why protecting cardholder data is good for your business

Posted on August 7, 2014
Kubera

More than 800 million computer records containing sensitive information have been exposed in data breaches in the U.S. since 2005 (privacyrights.org). Moreover, because many small merchants have minimal security for cardholder data, over 80% of attacks target small businesses.

The PCI Security Standards Council explains that if you are at fault for a security breach, the fallout can include:

  • Fines and penalties
  • Termination of ability to accept payment cards
  • Lost confidence, so customers go to other merchants
  • Lost sales
  • Cost of reissuing new payment cards
  • Legal costs, settlements and judgments
  • Fraud losses
  • Higher subsequent costs of compliance
  • Going out of business

As stated by the PCI Council,

“Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including point-of-sale devices; personal computers or servers; wireless hotspots or Web shopping applications; in paper-based storage systems; and unsecured transmission of cardholder data to service providers. Vulnerabilities may even extend to systems operated by service providers and acquirers, which are the financial institutions that initiate and maintain the relationships with merchants that accept payment cards.”

The PCI Security Standards Council sets out a number of requirements; two that directly enhance security are maintaining a firewall and protecting stored cardholder data:

Maintaining a firewall to protect cardholder data

Firewalls control your computer network’s traffic, letting you deny all traffic from untrusted networks and so block many criminal attacks. Identify all connections to cardholder data and configure the firewall so that it allows only the necessary connections.

Protecting stored cardholder data

Cardholder data should only be stored if absolutely necessary. When it is stored, cardholders trust the merchant to take precautions to protect sensitive data from criminal attacks. Storage should be limited to the time required for business purposes. Consider using truncation, index tokens, and securely stored pads to improve your security. In addition, restrict access to cardholder data to a need-to-know basis: individuals should only be authorized to access sensitive data if they need it to perform their job.
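The truncation, index-token and need-to-know points above can be made concrete. The following Python is an added example, not code from the original post or from the PCI Council: it validates a PAN with the Luhn check, produces the masked display form (first six and last four digits, the most PCI DSS allows to be shown), and keeps the full PAN only inside a small dict-backed token vault that hands out random tokens and refuses to return the PAN to roles outside a constructed allow-list. The role names, the vault class and its purge rule are assumptions for illustration; the card number is the well-known Visa test number, not a real card.

```python
import secrets
from typing import Dict, Set


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects mistyped PANs before they ever reach storage."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for position, char in enumerate(reversed(pan)):
        digit = int(char)
        if position % 2 == 1:          # every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Display form keeping only the first six and last four digits;
    the middle digits are never written out (e.g. on receipts or in logs)."""
    if not luhn_valid(pan):
        raise ValueError("not a valid PAN")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Index-token stand-in (assumption for this example): callers keep an
    unguessable random token and only the vault maps it back to the PAN.
    A real vault would encrypt its storage and live on a segmented host;
    this dict-backed version only illustrates the access pattern."""

    # Constructed need-to-know list: which roles may see a full PAN.
    ALLOWED_ROLES: Set[str] = {"chargeback_analyst"}

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:        # same card, same token
            return self._pan_to_token[pan]
        token = secrets.token_hex(16)        # random, so it reveals nothing
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def can_read(self, role: str) -> bool:
        return role in self.ALLOWED_ROLES

    def detokenize(self, token: str, role: str) -> str:
        if not self.can_read(role):
            raise PermissionError(f"role {role!r} may not read full PANs")
        return self._token_to_pan[token]

    def purge(self, token: str) -> None:
        """Delete the PAN once the business need (e.g. a dispute window) ends."""
        pan = self._token_to_pan.pop(token, None)
        if pan is not None:
            del self._pan_to_token[pan]

    def stored_count(self) -> int:
        return len(self._token_to_pan)


if __name__ == "__main__":
    pan = "4111111111111111"   # Visa test number, not a real card
    vault = TokenVault()
    token = vault.tokenize(pan)
    print("receipt shows :", truncate_pan(pan))
    print("app stores    :", token)
    print("analyst reads :", vault.detokenize(token, role="chargeback_analyst"))
    try:
        vault.detokenize(token, role="cashier")
    except PermissionError as err:
        print("cashier denied:", err)
    vault.purge(token)
    print("PANs retained :", vault.stored_count())
```

The point of the design is that the application, the receipt printer and the reporting database only ever see the token or the truncated form; the full PAN exists in one place, is readable by one role, and is deleted when the retention period ends, which is what limits both the blast radius of a breach and the scope of a PCI assessment.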

To learn more about PCI standards and compliance, visit the PCI Security Standards Council, or give us a call.

Are American consumers ready for EMV chip cards?

Posted on July 29, 2014
eric.milic@kubera.cc

Pymnts, a leading payments blog, cited a recent internal survey conducted by MasterCard showing that 57% of MasterCard holders would be interested in receiving chip cards within 6 months or less.

Although consumers might not understand the technology behind EMV chip & PIN, there is enough additional support to show that they understand it is more secure, devalues data and makes counterfeiting difficult.

Why else would consumers want something more secure to protect their sensitive data? Data breaches, privacy issues, and other parts of the globe that already have EMV are just a few of the examples that help support this demand.

Another point worth noting: Vision Critical, a very well-known market research firm, has reported that “69% of Americans believe that EMV chips will make their purchases more secure”. In fact, only 5% believed that this technology would have a negative effect on security.

In an interview, Oliver Manahan, MasterCard’s Vice President of Electronic Payments, states that there has been a nice migration to contactless at the same time as EMV. Adding contactless to EMV terminals will not only future-proof merchants, it will also allow for a better customer experience, as customers will not have to worry about inserting their cards and entering their PIN.

EMV has worked very well for restaurants in Canada. Our team at Kubera has implemented countless mobile and wireless terminals that are carried to the table by the server. Here’s why it’s great: it’s easy for customers to use, and there is the added benefit that the tip can be calculated by percentage or dollar amount. In addition, according to Manahan, this has resonated very well with servers, as many of them are receiving larger tips and there is no money left on the table that could get lost or stolen.

Referring back to the Vision Critical survey, “one in 10 respondents said they had already received their EMV chip card”. If the survey is representative of the population of the United States, that’s nearly 32 million Americans! Finally, by October of next year, all credit card companies are expected to move to EMV.

Not ready for payment processing or mobile payments? Here’s why you should be.

Posted on July 8, 2014
eric.milic@kubera.cc

Businesses in Canada are at risk if they do not keep up with modern technology and consumer trends; that is, if they continue to accept cash only as a form of payment.

Supporting evidence from a study conducted by the Rotman School of Management shows that businesses that are “cash only” hurt themselves in the long term and will lose out to competitors who adopt electronic payments in the form of credit cards, debit cards, mobile payments and NFC payments.

In addition, a recent article by the Globe and Mail highlights that, for businesses that do accept credit cards, the benefits far outweigh the cost of the 2-3 percent transaction fees associated with accepting credit and debit.

It also suggested 10 tips that we feel are very relevant if you are a business concerned about transaction fees.

Cash Is Not Free

The direct and indirect costs of cash include processing time (counting, re-counting and waiting for deposits), security, security personnel, and cash lost to theft or error.

Ethical Operations

Accepting credit and debit can help your business operate ethically: no lost or unaccounted-for cash.

Credit Card Processing Enables a Higher Average Sales Price

People are carrying less cash these days, and cash is typically used for lower-value transactions. Use this opportunity to increase your average sales price (ASP) by offering the consumer convenience.

Customer Service Comes First

If the majority of your customers have cards that offer rewards, let them use those cards at your location. Make purchases quick, painless and easy. This also gives your employees more time to spend interacting with customers instead of counting cash and dealing with a register.

Go Beyond Bricks & Mortar

Payment processing companies have the tools to let your business operate online as well as in-store. This way you can sell your goods from anywhere and increase your market share.

Support International Customers

If you operate in a major city, chances are you’re getting visitors from all over the world. Don’t limit yourself by refusing their cards when they don’t have cash on hand.

Speed Up Your Cash Flow

With payment processing for credit and debit cards online and in store, funds are transferred immediately into your merchant account and then deposited directly into your business account shortly after.

Data Is King

According to the study and the Globe, “[Data analysis has] allowed for the development and deployment of strategies that have enhanced sales, customer satisfaction, repeat business and hence business growth and profitability.” – Globe and Mail

If you use payment processing, you are given all of this data, in store or online, to leverage. Use it to offer a better customer experience, cut costs where needed and create efficiencies.

Cost Benefit Analysis

Typically the benefits of payment processing outweigh the costs. If you aren’t sold by now, conduct a cost-benefit analysis and see the difference that increased throughput and the other opportunities that come from accepting payments make. At the end of the day, your fees end up being a minimal expense.

Get A Good Point Of Sale System

Having several checkout stations or faster payment acceptance such as contactless will make transactions effortless and provide a better customer experience. Consider renting terminals to try different solutions before purchasing one.

Canada is one of the most affluent countries when it comes to technology. Although change can be hard, it’s worth adapting to consumer demands. Digital opportunities provide better service and, according to the report outlined at the beginning, the upside is significant.

Mobile, NFC & Contactless payments: Better Customer Experience, Better Sales

Posted on June 26, 2014
eric.milic@kubera.cc

Mobile, NFC & contactless payments are all great ways for your business to enhance its customer experience. Happy customers mean return customers, and you know what that means: increased sales and better business!


No matter what type of business you run (a gift shop, a café, a ski resort, a gas station, even a grocery store), making it easier for customers to pay with their credit or debit card can really grow your bottom line.

So how can you really make a difference and enhance your customer experience?

1. Let your customers know they can pay with contactless or NFC, and that it’s faster and EASIER.

No PIN? No problem! All your customers have to do is tap and go. No PIN or signature necessary, just smiles. Bonus: if customers have a smartphone, they can use it to pay with NFC too.

2. Let your customers know that NFC, contactless & mobile payments are secure.

They are more secure than a swipe solution or even a chip & PIN solution. Most people are not convinced yet, but explain to them that it’s safer because the card and the terminal exchange encrypted data. Click here to learn more about how it works.

3. Stay ahead of the curve: get NFC- and contactless-enabled terminals.

MasterCard’s VP of Advanced Payments looks at NFC, contactless, and EMV payments as technologies that should be implemented at the same time. He says: “Do it once, do it right, and future proof yourself as much as possible”. In addition, total spend is 54% higher for customers who use MasterCard contactless than for those who do not.

Your customers will enjoy the convenience once they understand it better. Put yourself in their shoes: what would they want most? Convenience, security, technology? I think so; it pays to make it easier for your customers to purchase your products and services.

If you would like to learn more about these benefits, we highly recommend reading Accenture’s survey on the Mobile Payments habits of North Americans. You can download the PDF here.

Are Mobile Payments Ready to Take Off?

Over the past few years we’ve seen several mobile payments ventures gain plenty of momentum but never take off or become mainstream.

Another mobile payments system launched today: Paym. Paym links your cellphone number to your bank, which enables you to pay with your mobile device.

Let’s hope that Paym is able to make a reasonable impact to mobile payments innovation.

[Image: Google Wallet]

Given the wearable tech trend and its symbiotic relationship with mobile payments, it seems only a matter of time before mobile payments become the norm. For example, the Samsung Galaxy Gear 2 watch will let wearers pay with PayPal using their watch.

Not too long ago, Ariel Bardin, the head of Google payments, stressed their commitment to mobile payments. Google Wallet has struggled over the past few years but is still a major contender. It recently opened up its cloud-based “host card emulation” (HCE) technology to developers, which enables anyone to leverage NFC. This also allows merchants to embed easy payment buttons into their websites, where customers can use Google Wallet to pay. With Google’s commitment, it’s very possible that in the next few years they will make a serious impact on mobile payments.

Something potentially more impactful is Apple.

Apple’s large customer base and iTunes infrastructure position Apple to be at the frontline of mobile payments. They now have 800 million iTunes accounts linked to customer credit cards; Amazon has only a fraction of this.

[Image: iPhone fingerprint ID]

With this customer base and their technology improvements, they can turn iTunes into a full e-commerce and mobile payments business. Touch ID, where a customer uses their fingerprint to unlock a phone, can be used as a verification step to approve transactions. This helps consumers “feel” more secure than with a typical PIN or passcode.

iBeacon is another technology already on its way: a Bluetooth signal is sent to a consumer’s phone, and their device shows an alert for a discount near the consumer’s location.

So when will mobile payments take off?
Consumers are ready, so it seems only a matter of time. What also needs to happen is that the proper technology is developed and then adopted by merchants and businesses alike. Once the technology problem is solved, businesses will be the last hurdle before mobile payments become mainstream.

Three POS Skimmers

Posted on March 31, 2014
eric.milic@kubera.cc

 

What is a skimmer?

A skimmer is a small electronic device used to steal credit or debit card information during an otherwise legitimate transaction.

You may have heard about card skimming in restaurants. Typically a victim’s card is taken out of sight, where it is run through a skimmer. Call centres and gas stations are other places where skimming can happen easily.

In this article we go over a few skimming scenarios that Krebs on Security has highlighted recently. Krebs has an excellent blog series on many common skimmers that is worth a read.

Our goal here is to educate our merchants and their customers on common skimming tactics so that credit card fraud can be detected and avoided.

Would you have spotted the fraud?

Krebs highlights this skimmer from 2009, which was attached to the front of a Citibank ATM in California, and asks whether we would be able to spot the device.

[Image via Krebs on Security]

Most people probably would never have noticed this skimmer. We are constantly on the go and wouldn’t even think about looking at the device that is taking our credit card information. This is why it is our responsibility as merchants to routinely inspect devices as much as we possibly can.

[Image via Krebs on Security]

This device is quite sophisticated: it snaps on top of the ATM’s card reader and looks like part of the actual ATM. It even has a pinhole camera designed to capture the victim’s PIN as they enter it.

Skimmers like these can be homemade or bought online on criminal forums. Some are so sophisticated that they can send the victim’s card data by SMS to a thief’s mobile number.

Simple But Effective Point-of-Sale Skimmer

This skimmer is very sophisticated and is made for VeriFone POS terminals. It’s an easily installed overlay that is very hard to notice. Recently some fraudsters installed one at a Nordstrom department store while the employee operating the register was distracted. Nordstrom later discovered the skimming device on its POS.

As a merchant or a customer, would you have spotted that one?

Fake ATMs

Krebs’ blog has identified many interesting skimmers. This one, however, is probably the most interesting of them all. Credit and debit card thieves went to the trouble of creating a completely fake ATM that sits right on top of a legitimate ATM. It was discovered in November 2013, when a customer at the Bank of Brazil tried to use the ATM but was denied. The customer grew suspicious and called the police, who removed the skimmer from the machine. See what it looks like below:

[Image via Krebs on Security]

The skimmer was made from a disassembled laptop and skimmer parts.

[Image via Krebs on Security]

One thing that gives these skimmers away is spelling mistakes, similar to the ones you would see in a phishing email or a fraudulent popup window on a website.

Customers: Remember to take notice of the machine you are using every time you use a credit or debit card, especially when traveling.

Merchants: Pay attention to your hardware, check it regularly for fraudulent devices, and make your greatest effort to abide by PCI compliance standards. This will save you a great deal of money and can protect you from loss of reputation.

Choosing A Secure Password


As we continue to use technology, we need more and more passwords to access things. You might already know these basic tips:

  1. Never reuse your old passwords. “One bad apple ruins the bunch”
  2. Don’t change your password unless you think it’s compromised.
  3. Consider two-factor authentication.

Although you might have a handle on the basics, below are a few password tricks you might not be familiar with, starting with a scenario for how a password gets broken.

Scenario for breaking a password:

Offline password-guessing attack

The attacker obtains a file of encrypted passwords, as in the LinkedIn breach in 2009. The attacker(s) then decrypt these passwords to authenticate themselves to the compromised accounts, where more information can be stolen.

The attacker does this by running a commercial program or hacker tool on their computer to guess as many passwords as possible. If a guess is correct (which often happens), they have access to your accounts.

With this method of guessing passwords, two factors are at play: efficiency and power.

Efficiency is how easily the program can guess a password. Some programs are so effective that they guess common passwords first. They have special dictionaries that combine different words to guess common passwords. Common passwords typically have both a root and an appendage, in no particular order, for example “passwords1234” or “p4s5w0rd12”.

Modern password-cracking programs run through common roots and appendages until they find a match. This is why using individual words and characters is no longer a good way to make passwords.

Password crackers will also feed in any information that may be related to the owner of the compromised account: names, addresses, postal codes, meaningful dates and any other meaningful information. Some programs can even scan a target hard drive for such clues.

Obviously all of this work requires a good amount of processing capacity. So what makes password-cracking programs so efficient? The processing power available to run them. As computers have developed and processing power has increased, these programs are able to test more and more passwords per second. In fact, one program advertises eight million per second!

So what are some best practices for choosing a password?

Schneier scheme

Take a sentence and turn it into a password. Example: “Holy smokes! Would you look at that.” becomes hs!…wyl@t

A memorable sentence makes it easy to create a password that is long and yet easy to remember. Such passwords are atypical and generally harder to crack, but still not completely “fool proof”, as software and attackers continue to get better with time.

Use a password managing service

Some password managers generate a new random password for every app you use. This way your passwords are always different and always random.

While these tips are useful, attacker sophistication keeps pace with Internet security. If you aren’t able to use a password manager, you’re always better off using two-factor authentication and a randomly generated password.
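As an added example (not code from the original post or from Kubera), the following Python ties the offline-guessing scenario and the password advice above together from the defender’s side. It checks whether a candidate password has the root-plus-appendage shape described earlier, undoing the common character substitutions that the page’s own examples “passwords1234” and “p4s5w0rd12” rely on; it generates a random password of the kind a password manager produces; and it shows how a site should store passwords so that a stolen file costs an attacker a full slow key derivation per guess instead of a fast hash. The word list, the substitution table and the PBKDF2 iteration count are assumptions chosen for illustration, and the root extraction is a deliberately simple heuristic.

```python
import hashlib
import hmac
import re
import secrets
import string
from typing import Optional

# Constructed mini-dictionary of common roots; a real checker would load a
# large wordlist instead (assumption for this example).
COMMON_ROOTS = {"password", "passwords", "welcome", "qwerty", "letmein",
                "dragon", "summer", "monkey", "football"}

# Substitutions guessing tools try automatically, so "p4s5w0rd" is no
# stronger than "password" (assumed table, not exhaustive).
LEET_MAP = str.maketrans({"4": "a", "@": "a", "5": "s", "$": "s",
                          "0": "o", "1": "i", "!": "i", "3": "e", "7": "t"})

PBKDF2_ITERATIONS = 200_000  # assumed; chosen so each guess costs real CPU time


def extract_root(password: str) -> str:
    """Strip leading/trailing digits and symbols (the appendage) and undo
    common substitutions, leaving the root a guessing tool would try."""
    core = password.lower()
    match = re.match(r"^[^a-z]*(.*?)[^a-z]*$", core)
    core = match.group(1) if match else core
    return core.translate(LEET_MAP)


def looks_like_root_plus_appendage(password: str) -> bool:
    """True when the password is a dictionary root plus an appendage,
    the pattern cracking tools try first."""
    return extract_root(password) in COMMON_ROOTS


def generate_random_password(length: int = 20) -> str:
    """Random password of the kind a password manager would generate."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store passwords with a per-user random salt and a deliberately slow
    KDF, so an attacker holding the file pays PBKDF2_ITERATIONS hash
    operations per guess and cannot reuse work across accounts."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derivation from the stored salt and compare."""
    algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    for pw in ("passwords1234", "p4s5w0rd12", "hs!...wyl@t"):
        print(f"{pw!r}: root={extract_root(pw)!r} "
              f"weak={looks_like_root_plus_appendage(pw)}")
    generated = generate_random_password()
    record = hash_password(generated)
    print("stored record :", record)
    print("verify correct:", verify_password(generated, record))
    print("verify wrong  :", verify_password("passwords1234", record))
```

Two things are worth noticing when running it: the sentence-derived password from the Schneier scheme does not reduce to a dictionary root, while both of the page’s weak examples do once the appendage and substitutions are removed; and the stored record carries its own salt and iteration count, so the site can raise the cost later as hardware gets faster, which is the knob that directly counters the “eight million guesses per second” figure quoted above.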

 
