Would Your Business Survive A Crisis? Learn how to protect your business Presented By Peg Jackson BP…Tiger Woods…Arthur Andersen… These businesses have experienced major crises causing severe financial and brand damage or wiping them out entirely. While it is difficult to prepare for the unknown, there are key steps every company ó big and small – should take to ensure their business recovers from a crisis. Peg Jackson, risk management expert and author of the widely-acclaimed book “Reputational Risk Management ó The Essential Guide to Protecting Your Reputation in Crisis Situations,” helps business executives prepare for and survive a crisis. She teaches you the key elements to include when designing a crisis response plan and how to put into action when needed. Sadly, many businesses never recover from a crisis and shut their doors forever ó even if they have adequate insurance coverage. If your company had a crisis today, would it still be around tomorrow? In this webinar, you’ll learn how to: ï Construct a crisis response plan to ensure your company is well-prepared ï Create a crisis communication plan that sends the right message ï Prepare your employees to deal with a crisis ï Interact with the media during a crisis that inspires confidence As an added bonus, the first 50 registrants receive a Crisis Communication Plan tip sheet to help you implement the teachings from this virtual business training course. Tuition: $99 Business Executives, Business Owners and Risk Management Leaders “What a great learning experience! This webinar program is a terrific way to develop our team without breaking the bank.” – Small Business Owner Economical, efficient, effective training for everyone in your business

Similar Posts:

• The Latest in Fraud Prevention
• ALERT RE: businessownersonline.com
• iovation Partners with Merchant911 to Educate Online Retailers About Device-based Fraud Prevention Solutions
• PCI Compliance – Do it or cease doing business
• PCI Hard to Justify?

The latest method of getting card information is a more sophisticated version of an older scheme. It’s a new attack targeting debit cards at ATMs. That doesn’t make a big bang for merchants because the bad guys go for cash but you can bet it’s going to hurt a lot of banks. Because the attacks are targeting debit cards with PINs, cardholders will be feeling the pain as well.

Earlier ATM skimming techniques involved installing a device over the legitimate card reader and also placing a camera near the reader to visually record the PIN as it was entered.

An article on ATM shimming in Networkworld makes it clear that this attack is not trivial but it is almost undetectable. A .1mm shim is inserted inside the existing card reader. According to the article, these devices are already being mass produced in Europe.

Once again, we’ve moved one step forward to the bad guys two.
Similar Posts:

• Real Time Keylogging
• Card Companies Insecure About Security
• PIN Crackers Nab Holy Grail
• Chip and PIN, terrorism, and boy are we in trouble
• Visa Creates Another Fraud Monster

US merchants, are you ready for an increase in fraud? It will happen after October when Chip and PIN becomes mandatory in Canada.

Here are some facts.

According to Visa Canada APACS reported a 35% reduction in fraud losses to UK merchants. If these things are as secure as the Association’s hype wants us to believe, why is there only a 35% improvement?

There’s more. Notice that the report says losses at UK retailers are down by 35% since 2005. They are talking about Card Present (CP) merchants. At the same time, there was a 43% increase in Card Not Present (CNP) transactions. And they are talking about UK merchants. Overseas CNP fraud on UK cards skyrocketed. “Overseas” from the UK perspective translates to a lot of US merchant victims.

Another section of the referenced website claims that, “fraud related to lost and stolen payment cards has decreased by more than half since the adoption of Chip & PIN in 2004. I think that’s significant because lost or stolen cards more frequently result in CP transactions. CNP fraud normally results from the data hacks so the on-line merchant sees no added benefit from the lost or stolen card protection.

I haven’t seen any recent articles in reference to the magnetic strip but, according to a 2008 article in SecureIDNews, the strip technology will be accepted until 2015. And the Visa Canada website does tell us that the readers will read both technologies.

Chip and PIN effect in the on-line fraud world.

In fairness to the Chip and PIN technology, it’s reasonably successful at doing what it was supposed to do; reduce CP fraud.

Unfortunately, it has pushed fraud to the CNP realm. In October, Canada goes totally Chip and PIN. A lot of their fraud will go to just about the only place it can. The US.

Stand by, US merchants. There’s more coming!
Similar Posts:

• Chip and PIN, terrorism, and boy are we in trouble
• Chip and PIN is hackable too
• Real Time Keylogging
• Walmart: “My Way or the Highway”
• United States – Credit Card Fraud is about to increase

Debit card issuers are projecting a $5 Billion loss in revenue with the new laws expected to pass this week. Do you wonder who will make up those losses? Nobody seems to be saying but you can bet they’ll find a way and we shouldn’t be surprised if it isn’t the cardholder. That leaves the merchant holding the (money) bag again.

Never forget that the merchant is the path of least resistance because of the contractual relationship with the Association. Recent laws have made it tougher for the banks to stab us in the back but they still hold the knife.

A good analysis of what’s going on can be found here.

Similar Posts:

• The Hidden Cost of Contactless Payment Systems
• Credit card quote of the week
• 7-Eleven Protesting Credit Card Fees
• Interchange Fees May Drop
• On line credit card fraud is going to soar

If you have a POS terminal with a PIN pad there’s another PCI that will affect you. It’s called PCI PTS – PCI PIN Transaction Security. It’s aimed at PIN pad devices but brick and mortar merchants need to know about it.

If you’re planning on buying a new PIN pad device between now and May of 2011, choose wisely. It may not be compliant when the new standards come into play.

For some details on this new problem, there’s a good article over at Evan Schuman’s Storefront Backtalk. It has some good references including where to find a list of approved devices.

Go on over and give it a read!

Similar Posts:

• Card Breach Victim Gets Twenty Years ‘Probation’
• PCI Hard to Justify?
• A bit of good news for PCI compliance – but only in Washington
• PCI has ROI?
• PCI Recognition Isn’t PCI Compliance

Think PCI compliance isn’t important? Dave & Busters restaurant chain got 20 years of ‘probation’ for being a non-compliant victim.

Dave & Buster’s is one of a long list of merchants that was hacked by Albert Gonzales. Gonzalez is currently spending 20 years in Federal prison for his part in a string of data breaches that resulted in the compromise of over 170 million credit and debit cards. Dave & Buster’s only had 130,000 card numbers stolen.

An article in Evan Schuman’s Storefront Backtalk reported this morning that, as a result of that breach, Dave & Buster’s must submit to no less than 20 years of scrutiny by the Federal Trade Commission.

You read that right. The FTC has ruled that the restaurant chain “engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security for personal information on its computer networks.” In other words, they were not PCI compliant. As a result, Dave & Buster’s will spend the next 20 years reporting their compliance standards to the FTC.

The price of being a victim of a crime.
Similar Posts:

• Anther data breach victim Part 2
• The Last of the Heartland Breach
• Top Fraud Incidents of 2008
• Here’s a way to fight back
• PCI Hard to Justify?

Walmart has decided that the U.S should migrate to Chip and PIN cards with comments like, “Let’s go directly to Chip-and-PIN” and, “As far as we are concerned, signature is a waste of time. It has to be PIN or nothing.”

I have to wonder when Walmart decided it could decide what’s good for the rest of us, but there’s more. Not the least of which is the fact that we know it isn’t as secure as the card companies would like us to believe.

I’ve blogged about RFID technology and its flaws. You can see what I’ve turned up here. There are several entries on the subject.

It’s important to note that RFID contactless cards and Chip and PIN are different. Contactless cards are not secure. They can’t be cloned easily but it’s easy to get the information off the chip and they still have the mag strip on the back. Chip and PIN technology is considerably more sophisticated but if you’ve gone through the archives, you know that the technology has been hacked. And they will continue to have mag strips for some time to come so they can be used on older POS terminals.

There is one other very important factor; End to end encryption. I don’t have to tell you that end to end encryption isn’t universal. Not by a long shot. Ask Heartland Payment Systems. They, and others, are pushing for it but we’re just not there yet.

So why is Walmart pushing for Chip and PIN? We can assume it’s all about money.

Sources for this post:

http://www.storefrontbacktalk.com/securityfraud/wal-mart-its-time-for-chip-and-pin-in-the-u-s/

http://www.storefrontbacktalk.com/securityfraud/chip-and-pin-hack-is-so-scary-because-it-surprised-no-one/

Similar Posts:

• Real Time Keylogging
• Are you ready for an increase in credit card fraud?
• Chip and PIN, terrorism, and boy are we in trouble
• Chip and PIN is hackable too
• United States – Credit Card Fraud is about to increase

I wish you all a wonderful Memorial Day holiday. As you enjoy it, and you should, please keep these two powerful images in mind as a reminder of what the holiday is about.

Thank you to all who served!

Similar Posts:

• I need to share this
• The Webinar was a success!
• Merchant Account Cash Reserves
• I Stand Corrected. There Are RFID Cards in the U.S.
• The State of Merchant911

Thanks to a huge push by 7-Eleven and some others, there may be some relief from high interchange rates. The Senate has passed an amendment to the finance reform bill that will limit the interchange rate on debit cards. Interchange is the fee that merchants pay to accept the card.

Merchants have been fighting a loosing battle with the card companies on this for years and most are delighted to see the amendment in place. Whether or not it becomes law is yet to be seen.

As frequently happens with government intervention, there could be some unintended consequences.

According to the estimates in the trade journals, the Visa and MasterCard combined revenue from interchange fees was in the rather large neighborhood of $35 billion in 2007. I’d guess it’s around $40 billion this year. When those fees are lowered, and they will be, the card issuers will make up the lost revenue somewhere. They always do.

The industry has three main sources of revenue in this game; Interchange fees, interest on credit balances, and the miscellaneous fees that target cardholder and merchant alike. One of those sources will make up the lost revenue.

As I mentioned in my last post, the merchant is the lowest person on the hill. For that reason, I’ll bet that interchange fees on credit card transactions will be increased to recover the revenue. It won’t be a one to one transition either. Credit card use is shrinking in favor of the debit card. There are less credit transactions these days so you can look for those rates to increase.

Even if I’m wrong, one this is sure. The $35 billion won’t be lost. It will just be re-sourced.Similar Posts:

• 7-Eleven Protesting Credit Card Fees
• Banks predicted to loose $5 Billion in revenue
• Credit card quote of the week
• The Hidden Cost of Contactless Payment Systems
• Credit card crackdown too late?

One of my big problems with PCI compliance is that it means nothing. The card brands will come in after the fact and find something, anything, to claim that the merchant wasn’t compliant when the breach occurred. That puts everything on the merchant. As always, the merchant is the low man on the hill, and we all know which way on the hill the stuff runs. If you don’t believe me, ask any PCI compliant merchant that was breached. That’s why the brands claim that no PCI compliant merchant was ever breached. They find something.

The fact is that a merchant can spend huge sums of money to become PCI compliant but it doesn’t give them safe harbor. Until now. But only in the State of Washington.

A new law signed by Washington’s Gov. Chris Gregoire finally gives a break to the State’s merchants. If they are compliant, they are protected from the card brands. The Washington law mandates that if a merchant is certified as PCI compliant by an annual assessment, that compliance is non-revocable for a year. The processors and issuing banks cannot go after the merchant for losses.

The law isn’t perfect, of course. They seldom are. There is no mention of consumer losses. We know that consumers suffer no direct monetary losses from credit card breaches but they do suffer lost time and aggravation in trying to get things straightened out. We can assume the merchant won’t have protection from them.

Still, the Washington law is pro merchant and a big step in the right direction. If nothing else, it gives the merchant some justification for the resources expended in getting compliant.

Now can Federal lawmakers get on board? Similar Posts:

• Anther data breach victim Part 2
• Heartland PCI Compliance Revalidated
• Free E-book: PCI Compliance for Dummies
• PCI Hard to Justify?
• PCI Compliance – Do it or cease doing business