The Home Depot Breach: What you can do and how to protect your credit card information

Posted on September 23, 2014
eric.milic@kubera.cc

As you may already know, on September 8th, 2014, Home Depot confirmed that its data systems were breached, affecting customers who used a credit or debit card at one of its U.S. or Canadian retail stores.

 

Home Depot also confirmed that the malware used to steal credit and debit cardholder data was eliminated on September 18th. There is also no evidence that debit PIN numbers were compromised or that users who shopped at HomeDepot.ca were impacted.

 

If you have shopped at Home Depot since April 2014, your best bet is to renew the credit or debit card that you used.

At a minimum you should monitor your account for strange activity and consider calling Home Depot. Home Depot is offering customers 12 months of free credit monitoring and identity protection services.

 

For protecting your credit card information in the future, consider these tips:

 

Quick Tip 1: Use mobile payments

Craig Young, a security researcher from Tripwire, states “technology that avoids you having your credit card in your hand in a store is safer”.

For example, when you add a credit card to Apple Pay, the card number is not stored on the device. Instead, a unique device account number is associated with that credit card and is stored securely, through encryption, on your device. When a transaction is made, the device account number, rather than your credit card’s data, is passed on to validate the transaction.

 

The drawback is that not many retailers have caught on to this technology, and only people with an iPhone 6 can use it.

 

Quick Tip 2: Monitor your credit card account activity

Most banks allow you to log in to your account and view transactions a few days after the purchase. If you monitor your account activity every week or so, not only is it easy to see where most of your money is being spent, you’ll also be able to identify strange transactions should they ever happen to you.

Most of the time, thieves will use your card to charge smaller amounts to test whether the card works and whether it is monitored. They may also be stealing small amounts from millions of cards, looking for a bigger payout.

 

Credit cards are without a doubt the easiest way to pay. Merchants owe a responsibility to their customers to protect their data. As technology continues to evolve, expect your cardholder data to be more secure in the future, as it will continue to be a bigger priority for both banks and businesses alike.

 

Looking for more info on the breach? Check out this great infographic:

[Infographic: Home Depot breach]

 

What is the cost of a data breach?

Posted on September 16, 2014
eric.milic@kubera.cc

In 2013, there were 1,367 confirmed data breaches and 63,437 security incidents in 95 different countries, according to Verizon’s 2014 Data Breach Investigations Report. 2013 may be considered the “year of the retailer breach”, as many larger retailers confirmed large-scale data breaches that put their customers’ data at risk. Target suffered the most, and more recently Gmail, Central Utah Clinic, JP Morgan, Home Depot, and George Mason University have all confirmed breaches.

So what is the actual cost of a data breach?

On a global scale, the Ponemon Institute produced some interesting results in their “2013 Cost of Data Breach Study: Global Analysis”.

The report goes into great detail in analyzing the business costs associated with data breaches, including detection, escalation, notification, and post-response expenses. It also analyzes the economic impact after a breach in terms of diminishing customer trust and confidence.

According to Ponemon, Germany and the US had the most expensive data breaches – with an average per capita cost of a data breach at $199 and $188, respectively.


The US actually experienced the highest average total cost of data breaches, with an average of $5.4 million per company.

In their analysis, there are seven factors that influence the cost of a data breach. These seven factors include:

  1. The company had an incident management plan
  2. The company had a relatively strong security posture at the time of the incident
  3. The company met with a CISO or an information security professional
  4. Data was not lost due to a third party
  5. The company had a quick response system for notifying victims
  6. The data breach involved stolen items or devices
  7. Consultants were engaged post breach

The three factors that increase the cost of a data breach are: third-party error, lost or stolen devices, and quick notification.

Based on the Ponemon report, what significantly decreases the cost of a data breach are (see above): consultants engaged, CISO appointment, an incident response plan, and a strong security posture.

In addition, the report points out that there is a direct relationship between abnormal churn rate of customers (which is what is likely to happen post breach) and higher costs of a data breach. The highest lost business cost due to abnormal customer churn is an average cost of over $3.03 million, which was experienced by US companies.


To put this into perspective, it’s been nearly a year since Target had its data breach in December 2013, and the incident cost shareholders a whopping $148 million, which was partially offset by insurance receivables totaling $38 million.

Preventative measures are the most significant way to reduce your risk and the costs associated with a data breach. The more secure your company is, the less likely it is that important data will be stolen. The ROI is much higher on preventative measures than on believing something won’t happen to your organization.

What is the difference between Ingenico & VeriFone?

Posted on August 13, 2014
Kubera

Ingenico and VeriFone are the two leading manufacturers of stand-alone point-of-sale terminals. Understanding the differentiators between the two may be useful to business owners and merchants.

The two manufacturers are quite alike. Ingenico was founded in 1980 in Paris, and VeriFone in 1981 in San Jose. In 2013, Ingenico and VeriFone generated similar revenue at 1.89 billion and 1.7 billion respectively.

Despite their similarities in revenue, VeriFone had a 51.5 percent share of all US terminal shipments, while Ingenico held 17.4 percent of the US market last year. Although it seems that VeriFone is a dominant force in the market, VeriFone’s shipments had a 17 percent drop from the previous year, while Ingenico’s share increased by 47 percent. However, on a global scale, Ingenico holds a 30 percent shipment share, while VeriFone holds an 18.6 percent share.

With the changing U.S. market moving towards EMV compatible terminals, Ingenico seems to be on the rise this year. Ingenico’s expertise on EMV terminals and advanced security protocols could continue to bring an increase in sales and shipments. Noticing this trend, last year VeriFone replaced their CEO, bringing in Paul Galant, who remodeled the company’s strategic plan, in hopes to stay on top of the market. (via Pymnts.com)

Under Paul Galant’s new company vision to “become our clients’ most trusted, most secure and innovative partner by delivering terminals, payment as a service and commerce enablement solutions,” VeriFone has been identifying internal areas of improvement and is working to reduce complexity across the company and increase security protocols.

2014 will be a defining time to see if VeriFone’s new strategic plan and redefined operations can combat Ingenico’s seemingly rising share of terminal shipments.  Want to learn more about the two companies? Take a look at the below infographic (via Pymnts.com):

 

Why protecting cardholder data is good for your business

Posted on August 7, 2014
Kubera

More than 800 million computer records with sensitive information have been a part of data breaches in the U.S. since 2005 (privacyrights.org).  Moreover, because many small merchants have minimal security for cardholder data, over 80% of attacks target small businesses.

The PCI Security Standards Council explains that if you are at fault for a security breach, fallout can be as follows:

  • Fines and penalties
  • Termination of ability to accept payment cards
  • Lost confidence, so customers go to other merchants
  • Lost sales
  • Cost of reissuing new payment cards
  • Legal costs, settlements and judgments
  • Fraud losses
  • Higher subsequent costs of compliance
  • Going out of business

As stated by the PCI Council,

“Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including point-of-sale devices; personal computers or servers; wireless hotspots or Web shopping applications; in paper-based storage systems; and unsecured transmission of cardholder data to service providers. Vulnerabilities may even extend to systems operated by service providers and acquirers, which are the financial institutions that initiate and maintain the relationships with merchants that accept payment cards.”

Some requirements from the PCI Security Standards Council that can enhance security are to maintain a firewall and to protect stored cardholder data:

Maintaining a firewall to protect cardholder data

Firewalls control your computer network’s traffic, allowing you to deny all traffic from untrusted networks and potentially block criminal attacks. Identify all connections to cardholder data and configure a firewall that allows only the necessary connections.

Protecting stored cardholder data

Cardholder data should be stored only if absolutely necessary. When it is stored, cardholders trust the merchant to take precautions to protect sensitive data from criminal attacks. Data storage should be limited to the time required for business purposes. Consider using truncation, index tokens, and securely stored pads to improve your security. In addition, restrict access to cardholder data on a need-to-know basis: individuals should be authorized to access sensitive data only if it is necessary to perform their job.
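As an added illustration (not code from the original post or from the PCI Council), the Python sketch below shows truncation, index tokens, time-limited storage and need-to-know access working together. The `TokenVault` class, the role names, the retention value and the first-six/last-four truncation window are assumptions of this example, and the card number used with it is the widely published test number, not real data.

```python
import hashlib
import hmac
import secrets
import time


def luhn_valid(pan):
    """True if pan is 13-19 ASCII digits and passes the Luhn checksum."""
    if not (pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan):
    """Truncation: keep first six and last four digits, discard the rest.

    The 6/4 window is this example's assumption. The middle digits are
    thrown away, not encrypted, so the result cannot be reversed.
    """
    if not luhn_valid(pan):
        raise ValueError("not a valid card number")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical in-memory vault that maps random index tokens to PANs.

    A real vault would encrypt the stored PANs and sit in a segmented,
    firewalled network; the dictionaries here only stand in for that store.
    """

    def __init__(self, retention_seconds, allowed_roles):
        self._retention = retention_seconds
        self._allowed_roles = frozenset(allowed_roles)
        self._key = secrets.token_bytes(32)  # keys the lookup fingerprint
        self._by_token = {}                  # token -> (pan, stored_at)
        self._by_fingerprint = {}            # HMAC(pan) -> token

    def _fingerprint(self, pan):
        return hmac.new(self._key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan, now=None):
        """Return a random token with no mathematical relation to the PAN."""
        if not luhn_valid(pan):
            raise ValueError("not a valid card number")
        now = time.time() if now is None else now
        fp = self._fingerprint(pan)
        token = self._by_fingerprint.get(fp)
        if token is None:
            token = "tok_" + secrets.token_hex(16)
            self._by_fingerprint[fp] = token
        self._by_token[token] = (pan, now)
        return token

    def detokenize(self, token, role):
        """Need-to-know: only explicitly allowed roles get the PAN back."""
        if role not in self._allowed_roles:
            raise PermissionError("role %r may not read card numbers" % role)
        return self._by_token[token][0]  # KeyError if unknown or purged

    def purge_expired(self, now=None):
        """Delete PANs held longer than the retention period; return count."""
        now = time.time() if now is None else now
        expired = [t for t, (_, ts) in self._by_token.items()
                   if now - ts > self._retention]
        for t in expired:
            pan, _ = self._by_token.pop(t)
            self._by_fingerprint.pop(self._fingerprint(pan), None)
        return len(expired)
```

Systems that only need to show or match a card (receipts, customer service screens) can keep the truncated form or the token, so the full number exists in one place and only for as long as the retention period allows.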

To learn more about PCI standards and compliance, visit the PCI Security Standards Council, or give us a call.

 

Are American consumers ready for EMV chip cards?

Posted on July 29, 2014
eric.milic@kubera.cc


Pymnts, a leading payments blog, cited a recent internal survey conducted by MasterCard that showed 57% of MasterCard holders would be interested in receiving chip cards within 6 months or less.

Although consumers might not understand the technology behind EMV Chip & PIN, there’s enough additional support that shows they understand that it is more secure, devalues data and makes counterfeiting difficult.

Why else would consumers want something more secure to protect their sensitive data? Data breaches, privacy issues, and other areas in the globe that have EMV are just a few examples that help support this demand.

Another point worth noting: Vision Critical, a very well-known market research firm, has reported “69% of Americans believe that EMV chips will make their purchases more secure”. In fact, only 5% believed that this technology would have a negative effect on security.

In an interview, Oliver Manahan, MasterCard’s Vice President of Electronic Payments, states that there’s been a nice migration to contactless at the same time as EMV. Adding contactless to EMV terminals will not only future-proof merchants, it will also allow for a better customer experience, as customers will not have to worry about inserting their cards and entering their PIN.

EMV has worked very well for restaurants in Canada. Our team at Kubera has implemented countless mobile and wireless terminals that are carried to the table by the server. Here’s why it’s great: it’s easy for customers to use, and there is an added benefit where the tip option can be calculated by percentage or dollar amount. In addition, according to Manahan, this has resonated very well with servers, as many of them are receiving larger tips and there’s no money left on the table that could get lost or stolen.

Referring back to the Vision Critical survey, “one in 10 respondents said they had already received their EMV chip card”. If the survey is representative of the population of the United States, that’s nearly 32 million Americans! Finally, by October of next year, all credit card companies are expected to move to EMV.

 

Not ready for payment processing or mobile payments? Here’s why you should be.

Posted on July 8, 2014
eric.milic@kubera.cc

Businesses in Canada are at risk if they do not progress with modern technology and consumer trends. That is, if they continue to accept only cash as a form of payment.

 

Supporting evidence in a study conducted by the Rotman School of Management shows that “cash only” businesses hurt themselves in the long term and will lose out to competitors who adopt electronic payments in the form of credit card, debit card, mobile payments and NFC payments.

 

In addition, a recent article by the Globe And Mail highlights that for businesses that do accept credit cards, the benefits of accepting credit cards far outweigh the costs of the 2-3 percent transaction fees associated with accepting credit and debit.

 

They also suggested 10 tips that we feel are very relevant if you are a business concerned about transaction fees.

 

Cash Is Not Free

The direct and indirect costs of cash include processing time (counting, re-counting and waiting for it to be deposited), security, security personnel, and cash lost through theft or error.

 

Ethical Operations

Accepting credit and debit can help your business operate ethically; this means no lost or unaccounted-for cash.

 

Credit Card Processing Enables Higher Average Sales Price

People are carrying less cash these days, and cash is typically used for lower value transactions. Use this opportunity to increase your ASP for the convenience of the consumer.

 

Customer Service Comes First
If the majority of your customers have cards that offer rewards, let them use their cards at your location. Make purchases quick, painless and easy. This even gives your employees more time to spend interacting with customers instead of counting cash and dealing with a register.

 

Go Beyond Bricks & Mortar

Payment processing companies have the tools to allow your business to operate online as well as in-store. This way you can sell your goods from anywhere and increase your market share.

 

Support International Customers
If you live in a major city, chances are you’re getting visitors from all over the world in your business. Don’t limit yourselves by not accepting their cards if they don’t have cash on hand.

 

Speed Up Your Cash Flow

With payment processing for credit and debit cards online and in store, funds are transferred immediately into your merchant account and then directly deposited into your business account shortly after.

 

Data Is King

According to the study and the Globe, “[Data analysis has] allowed for the development and deployment of strategies that have enhanced sales, customer satisfaction, repeat business and hence business growth and profitability.”  – Globe and Mail

If you use payment processing you are given all of this great data in store or online to leverage. Use it to offer a better customer experience, cut costs where needed and create efficiencies.

 

Cost Benefit Analysis

Typically the benefits outweigh the costs for payment processing. If you aren’t sold by now, conduct a cost benefit analysis and realize the difference with increased throughput and other opportunities that come from accepting payments. At the end of the day your fees end up being a minimal expense.

 

Get A Good Point Of Sale System

Having several check out stations or faster payments acceptance like contactless will make transactions effortless and provide a better customer experience. Consider renting terminals to try different solutions before purchasing one.

 

Canada is one of the most affluent countries when it comes to technology. Although change can be hard, it’s worth adapting to consumer demands. Digital opportunities provide better service and according to the report outlined in the beginning, the upside is significant.

 

 

 

 

Mobile, NFC & Contactless payments: Better Customer Experience, Better Sales

Posted on June 26, 2014
eric.milic@kubera.cc

Mobile, NFC & Contactless Payments are all great ways for your business to enhance its customer experience. Happy customers mean return customers, and you know what that means: increased sales and better business!

No matter what type of business you are, whether a gift shop, a café, a ski resort, a gas station or even a grocery store, by making it easier for customers to make purchases with their credit or debit card, your bottom line can really grow.

So how can you really make a difference and enhance your customer experience?

 

 

1. Let your customers know they can pay with contactless or NFC and that it’s faster and EASIER.

No PIN? No Problem! All your customers have to do is tap and go. No PIN or signature necessary, just smiles. Bonus: if customers have a smartphone, they can even use it to pay with NFC.

2. Let your customers know that NFC, Contactless, & mobile payments are secure.

They are more secure than using a swipe solution or even a chip & PIN solution. Most people are not convinced yet, but explain to them that it’s safer because it sends encrypted data back and forth between the card and the terminal. Click here to learn more about how it works.

3. Stay ahead of the curve – get NFC and Contactless Payments enabled terminals.

MasterCard’s VP of Advanced Payments looks at NFC, Contactless, and EMV payments as technologies that should be implemented at the same time. He says, “Do it once, do it right, and future proof yourself as much as possible”. In addition, total spend is also 54% higher for customers who use MasterCard contactless vs. those who do not.

Your customers will enjoy the convenience once they get a better understanding of it. Put yourself in their shoes: what would they want the most? Convenience, security, technology? I think so. It pays to make it easier for your customers to purchase your products and services.

If you would like to learn more about these benefits, we highly recommend reading Accenture’s survey on the Mobile Payments habits of North Americans. You can download the PDF here.

Are Mobile Payments Ready to Take Off?

Over the past few years we’ve seen several mobile payments ventures gain plenty of momentum but never take off or become mainstream.

Another mobile payments system has launched today – Paym. Paym links your cellphone number to your bank, which enables you to pay with your mobile device.

Let’s hope that Paym is able to make a reasonable impact to mobile payments innovation.

With the wearable tech trend and its symbiotic relationship with mobile payments, it also seems that it’s only a matter of time before mobile payments become the norm. For example, the Samsung Galaxy Gear 2 watch will enable people wearing the watch to pay with PayPal using their watch.

Not too long ago, Ariel Bardin, the head of Google payments, stressed their commitment to mobile payments. Google Wallet has struggled over the past few years but is still a major contender. It recently opened up its cloud-based technology “host card emulation”, or HCE, to developers, which enables anyone to leverage NFC. This also allows merchants to embed easy payment buttons into their websites so that customers can use Google Wallet to pay. With Google’s commitment, it’s very possible that in the next few years they will be making a serious impact on mobile payments.

Something potentially more impactful is Apple.

Apple’s large customer base and iTunes infrastructure poise Apple to be at the frontline of mobile payments. They now have 800 million iTunes accounts linked to customer credit cards, of which Amazon has only a fraction.

With this customer base and their technology improvements, they can turn iTunes into a total e-commerce and mobile payments business. Touch ID, where a customer uses their fingerprint to unlock a phone, can be used as a verification process to approve transactions. This helps consumers “feel” more secure than a typical PIN or passcode.

iBeacon is another technology that is already on its way: a Bluetooth signal is sent to a consumer’s phone, and their device will show an alert for some discount close to the consumer’s location.

So when will mobile payments take off?
Consumers are ready for it, so it seems like only a matter of time. What needs to happen in addition is the proper technology needs to be developed, then adopted by merchants and businesses alike. Once the technology problem is solved, businesses will be the last caveat before mobile payments becomes mainstream.

Three POS Skimmers

Posted on March 31, 2014
eric.milic@kubera.cc

 

What is a skimmer?

A skimmer is a small electronic device used to steal credit or debit card information during a legitimate transaction.

You may have heard about card skimming in restaurants. Typically a victim’s card is taken out of sight, where it is scanned by a skimmer. Call centres and gas stations are other areas where skimming could happen easily.

In this blog article we will be going over a few skimming scenarios that have been highlighted by Krebs on Security recently. Krebs has an amazing blog series on many common skimmers that is worth a read.

Our goal here is to educate our merchants and their customers on common skimming tactics so that credit card fraud can be detected and avoided.

Would you have spotted the fraud?

Krebs highlights this skimmer from 2009 that was attached to the front of a Citibank ATM in California and asks if we would be able to see the device.

Via Krebs on Security

Most people probably would have never noticed this skimmer. We are constantly on the go and wouldn’t even notice or think about looking at the device that is taking their credit card information. This is why it is our responsibility as merchants to routinely monitor devices as much as we possibly can.

via Krebs on Security

This device is quite sophisticated: it snaps on top of the ATM’s card reader and looks like part of the actual ATM. It even has a pinhole camera that is designed to capture the victim’s PIN as they enter it.

Skimmers like these can be homemade or bought online from criminal forums. Some are so sophisticated that they can send the victim’s card data by SMS message to a thief’s mobile number.

Simple But Effective Point-of-Sale Skimmer

This skimmer is very sophisticated and is made for VeriFone POS terminals. It’s an easily installed overlay that is very hard to notice. Recently some fraudsters installed this system at a Nordstrom department store while the employee who operates the register was distracted. Nordstrom later discovered the skimming device on their POS.

As a merchant or a customer, would you have spotted that one?

Fake ATMs

Krebs’ blog has identified many interesting skimmers. This one, however, is probably the most interesting of them all. Credit and debit card thieves went through the trouble of creating a completely fake ATM that stacks right on top of a legitimate ATM. It was discovered in November 2013, when a customer at the Bank of Brazil tried using his ATM but was denied. The customer, suspicious, called the police, who removed the skimmer from the machine. See what it looks like below:

via Krebs on Security

The skimmer was made from a disassembled laptop and skimmer pieces.

via Krebs on Security

One thing that gives these skimmers away is spelling mistakes, similar to the ones you would see in a phishing email or a fraudulent popup window from a website.

Customers: Remember to take notice of the machine you are using every time you use a credit or debit card, especially when traveling.

Merchants: Pay attention to your hardware, inspect it regularly for fraudulent technology and make your greatest effort to abide by PCI compliance standards. This will save you tons of money and can protect you from loss of reputation.
