Merchant Service Blog


Our merchant service blog focuses on helping others to stay up-to-date
with the latest events and news in the merchant services industry

Heartland Hacker to Plead Guilty

January 4th, 2010

Albert Gonzalez, the TJX intruder, has accepted a plea agreement on the charges he faces. He is charged with hacking into Hannaford Brothers, Heartland Payment Systems, 7-Eleven, and two other national retailers that remain unnamed.

The attorney representing Gonzalez filed documents in the New Jersey US District Court, where charges were filed by Heartland Payment Systems this past August.

On Tuesday, a federal judge transferred the case to Massachusetts, where Gonzalez has pleaded guilty to two other cases.

Gonzalez is a former informant for the Secret Service known by the online aliases “Cumbajohnny” and “segvec.” He was charged in August along with two hackers from Russia. They are accused of stealing over 130 million credit and debit cards from Heartland Payment Systems, a credit card processing company, and the other companies mentioned above.

In May 2008, Gonzalez was charged with ten other people in NY, and in August 2008 in MA, with intrusions into OfficeMax, TJX, Dave and Busters, and other unmentioned companies. He pleaded guilty in both cases and was scheduled to be sentenced December 21.

He was expected to receive 15 to 20 years in prison for his actions. The sentencing will probably now be delayed to allow him to plead guilty to the new charges against him. The government and its offices need time to recalibrate their sentencing positions to account for the NJ charges.


Visa PCI DSS Plans

January 4th, 2010

When Visa speaks, the industry listens. As a necessary add-on to PCI DSS, Visa says that all merchants who accept cards electronically should consider upgrading their networks to have data-field encryption technology installed.

Visa has written a paper that makes five important recommendations to merchants.

1. Protect cryptographic devices against software and firmware compromises.
2. Given a merchant’s geographical location, use key management that is consistent with security standards.
3. Use cryptographic algorithms that are consistent with security standards based on geographical locations.
4. Limit clear text (unencrypted) to “point of encryption and point of decryption.”
5. In lieu of the complete card number, use an alternate transaction identifier for business practices.
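
Recommendations 4 and 5 can be checked mechanically. The following added example (not from Visa's paper or this blog) scans records for Luhn-valid card numbers left in clear text and swaps each one for an alternate identifier; `TokenVault`, `scrub`, the token format and the sample records are assumptions made for illustration.

```python
import re
import secrets

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory vault mapping alternate identifiers to card numbers.

    Assumption: in a real deployment the vault sits at the point of decryption
    and stores the number encrypted; it is plain here so the example runs offline.
    """

    def __init__(self):
        self._by_pan = {}
        self._by_token = {}

    def tokenize(self, pan: str) -> str:
        if pan not in self._by_pan:
            # Random value, so the token reveals nothing beyond the last four digits.
            token = f"tok_{secrets.token_hex(8)}_{pan[-4:]}"
            self._by_pan[pan] = token
            self._by_token[token] = pan
        return self._by_pan[pan]

    def detokenize(self, token: str) -> str:
        return self._by_token[token]


def scrub(text: str, vault: TokenVault) -> str:
    """Replace every Luhn-valid card number in text with its token."""
    def repl(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        # Digit runs that fail the checksum (order ids, etc.) are left alone.
        return vault.tokenize(digits) if luhn_ok(digits) else match.group(0)
    return PAN_RE.sub(repl, text)


# Constructed sample records; 4111111111111111 is a widely used test number.
SAMPLE = [
    "2010-01-04 sale pan=4111 1111 1111 1111 amt=19.95",
    "2010-01-04 refund pan=4111111111111111 amt=19.95",
    "2010-01-04 order id=1234567890123456 shipped",
]

if __name__ == "__main__":
    vault = TokenVault()
    for line in SAMPLE:
        print(scrub(line, vault))
```

Because the same card number always maps to the same token, refunds and sales can still be matched for business purposes without the complete card number appearing in the records.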

The Senior Business Leader of Visa’s Risk Department, Eduardo Perez, believes merchants are currently looking for guidance in what should be done to protect card data.

He says, “…the intent of these best practices is to provide a foundation, or a primer, for merchants considering these solutions on how to implement them and then how to evaluate them… So the goal here is to support merchants and ultimately to effectively deploy the use of encryption solutions within their payment card environment.”

Data Field Encryption

End-to-end encryption is another name for data-field encryption. Many in the industry feel that it is necessary in order to safeguard data. Data that is encrypted cannot be decrypted without the correct key.

When the card is swiped, end-to-end encryption begins. The encrypted data leaves the merchant’s private network and travels over the public network to the acquirer’s system. That is where the information is decrypted so that it can be processed.

Not Mandated

Visa’s guidelines do not require merchants to have end-to-end technology, or to use providers that have it. But it is an important way to protect cardholder data.

PCI DSS strives to have complete data security, which includes data at rest (stored) and data in motion (transmitted). End-to-end encryption focuses mainly on data as it is transmitted, or is in motion.

Data in motion is attacked by malware, malicious software that finds cardholder data and transmits it back to people committing fraud.

Along with PCI DSS, data-field encryption can help keep the data of your cardholders safe.

Public Vs. Private

Tim Cranny, the Chief Executive Officer of Panoptic Security Incorporated, says that the most current version of PCI DSS is mainly focused on the security of stored data and data transmitted publicly, not the security of private networks.

The best approach to security is a layered one, according to Bob Russo, the GM of the PCI Security Standards Council, also known as PCI SSC. He says, “Which specific technologies an organization chooses to implement to meet the requirements of DSS is discretionary. Organizations seeking to deploy security technologies must recognize that secure implementation is as important as the decision to implement itself.”

He goes on to say that PCI SSC is in the feedback process. They want opinions on how the PCI DSS will evolve.


Verifone PCI Compliance Confusion

November 3rd, 2009

To keep up with security threats, the rules of PCI compliance change frequently, especially for PIN Entry devices and payment applications. This complicates compliance, and makes it difficult for merchants to understand.

PCI DSS has tried to make things simpler by creating specific timelines that depict when updates on payment terminals need to be completed. But compliance is enforced by the card brands themselves, not PCI DSS.

Individual acquirers can adjust the rules if they are eager to ensure compliance and avoid liability for data breaches and rule violations. Since different acquirers are handling PCI in varying manners, it is difficult for merchants, ISOs, and merchant-level salespeople to get a clear view of what is going on and what needs to be done.

The Dates

For PIN-entry terminals, July 2010 and December 2014 are important dates. Terminals manufactured before 2004 must be swapped out by the first date. Terminals manufactured between 2004 and 2007 need to be swapped out by the second date. They cannot be used after 2014, and they haven’t been legally sold since 2007.

Terminals that were made after 2007 contain Triple DES, or Data Encryption Standard, encryption and as of today, can be used indefinitely.

Some additional rules have been formed that create further confusion. As an example, Visa has required that summaries of PCI DES-compliant terminals and attendant POS activity be submitted by October of 2009.

Additional Fees

Many acquirers will be charging noncompliance fees. Acquirers are held liable when the merchant is noncompliant, so this is a way to cover the costs of a breach if one should occur.

If terminals do not have the PIN debit feature, there is no need to get rid of them. But, for security purposes, having an updated terminal is always a good idea.

The questionnaire sent out to merchants by PCI SSC failed to ask whether or not PIN-entry devices were used. The questionnaire will be updated to do so.


Lessons from the Heartland Breach

May 20th, 2009

Heartland Payment Systems announced on January 20, 2009 that they had experienced a huge data breach. This breach came soon after the breaches of Hannaford and TJX, two other payment system companies. Despite the arrival of PCI DSS data breach laws, there has been an increase in data compromises of 47% from 2007-2008. It makes one think: if companies are PCI DSS compliant, then how could private data be at risk of breach?

Many writers have recently written about their views on the PCI DSS. Many believe that the breach is evidence that the PCI DSS system of data protection is inefficient. Despite the opinions of these writers, the increase in data breaches does not prove, or show evidence of, a flawed system. It does show, however, how difficult it is to effectively protect personal data.

There are several aspects that must be considered when investigating a data breach, such as the type of data being stored, how and why it is stored, and how it is being protected. The way that data is compromised should also be given thought. To predict every threat to data is almost impossible; the best one could do is limit the risk to an acceptable degree.

PCI DSS compliance issues, rather than security, have become the main focus for companies in the industry. Some feel that it is better for business if the merchants and other companies are not well informed on the PCI DSS. The companies put their trust in the PCI DSS and expect their information to be kept safe and not at risk. Many companies have not been interested in understanding information security and the difficulty in protecting data. Many are hiring experts for PCI compliance and expecting data security when the PCI DSS standards are not up to par.

In short, data thieves are winning the battle of data security. Education in security strategies and risk management should be the goal of companies instead of a compliance-based approach to risk management. Data thieves are always becoming more creative, so organizations need to become more creative in protecting the data. All companies are experiencing difficulties with data security, as shown by the Heartland data breach. Clearly, the PCI DSS data security standard should be reevaluated.


Press Release

March 17th, 2009

FOR IMMEDIATE RELEASE

South Easton, MA- MSI Merchant Service announced its Better Business Bureau Accreditation today with BBB. BBB has over 400,000 Accredited Businesses and more than 128 offices in North America.

“We are pleased to be a BBB Accredited Business because it signifies our commitment to customer service, reliability, and trust,” said MSI Merchant Service Spokesperson.

“BBB Accreditation indicates that MSI Merchant Service has agreed to adhere to the BBB Accreditation Standards, which sets the business apart from their competitors. Accreditation clearly defines what a business has achieved, what it stands for, and what it promises to consumers,” said Kevin J. Sanders, President and CEO of BBB. “BBB Business Accredited Businesses pledge to follow through on their commitments, deliver on their promises, and right any wrongs if an honest mistake has been made.” According to Princeton Research (2007), 7 in 10 consumers say they will be more likely to buy from a business designated as a BBB Accredited Business.

BBB provides the ability to check out 3 million businesses nationwide, which consumers can access anytime via BBB’s website, bbb.org. Consumers can make an educated decision on who they want to do business with by researching the business. BBB responds to millions of such inquiries each year, providing information about charity organizations; helping resolve customers’ disputes with businesses through conciliation, mediation, and arbitration; and promoting trust, ethical business standards, and voluntary regulation of business practices.

As a BBB Accredited Business, MSI Merchant Service may display the widely recognized BBB Accredited Business seal. BBB Accredited Businesses are setting the standard to Start With Trust.

About BBB

BBB is an unbiased organization that sets and upholds high standards for fair and honest business behavior. Businesses that earn BBB Accreditation contractually agree and adhere to the organization’s high standards of ethical business behavior. BBB provides objective advice, free business BBB Reliability Reports and charity BBB Wise Giving Reports, and educational information on topics affecting marketplace trust. To further promote trust, BBB also offers complaint and dispute resolution support for consumers and businesses when there is a difference in viewpoints. The first BBB was founded in 1912. Today, 128 BBBs serve communities across the United States and Canada, evaluating and monitoring more than 3 million local and national businesses and charities. Please visit www.bbb.org for more information about the BBB System.


Two New Ethernet Machines Added To MSI’s Product Line

January 30th, 2009

FOR IMMEDIATE RELEASE – January 30, 2009

South Easton, MA – Companies that want to make credit and debit card payments more accessible to their clients have two new options to choose from in the Merchant Service Inc. product line. The company’s new credit processing machines enable faster, more reliable Ethernet access to the Internet.

“We are delighted to offer our clients a better way to serve their customers,” said Chris Tobiaz, MSI’s President and CFO. “Our two new additions are designed to enable merchants to forego old-fashioned phone line connections in favor of more secured Internet access to billing services, if they so desire. This means transactions can take place much more expediently and companies don’t have to go to the expense of adding phone lines to accommodate credit card payments.”

The new additions to the product line are the:

Nurit 8400 IP – This is a countertop payment device that offers unparalleled flexibility. The Nurit 8400 offers configurable options that make it a favorite in a number of environments. This model is best suited for small to medium-sized businesses that need durability, reliability and performance. The machine can handle debit, credit, EMV and value added applications, such as gift cards and loyalty programs. This model offers plenty of options in regard to connectivity. In addition to LAN via Ethernet and RS-485, it also accommodates GPRS wireless connections, dialup and USB host. MSI offers the Nurit 8400 for $479 on a flat purchase basis or on a lease-to-own plan at $19.95 a month.
VeriFone Vx570 – Delivered by one of the most trusted names in the industry, the VeriFone Vx570 is a credit card machine that’s designed to be very easy for customers to read and use. It offers a large, highly visible ATM type backlit display. This device can accommodate credit, debit, gift card, EBT and even check authorization purchases. Communication options for the Vx570 include LAN via Ethernet, RS-485, GPRS wireless, USB host and even dial-up if a customer so desired. This machine costs $449 to purchase and $17.95 a month on a lease-to-own plan.

“With the days of cash transactions all but over, most businesses need to have credit card machines available to help their customers make purchases,” said Tobiaz. “Our latest product line additions help businesses close their sales without breaking their banks in the process. Both the VeriFone and Nurit models are designed to deliver a number of options while staying in a very affordable price range. They also process transactions within seconds because they are already connected to the front end of the approval server. This cuts processing time way down, which is great for businesses that have extremely busy times, such as diners at lunch time, night clubs Saturday at midnight or coffee shops at 7 am.”

For more information about MSI or its products, contact Chris Tobiaz at 877-877-9592 or visit www.msimerchantservice.com.

About MSI
Merchant Service Inc. is dedicated to helping businesses of all sizes meet their needs to process payments in a secure, expedient fashion. The company carries an extensive line of credit card machines and also offers a host of options for businesses that need to be able to accept online payments. It is MSI’s goal to make doing business a pleasure for its clients and their own customers.

####


Heartland Payment Systems Security Breach

January 23rd, 2009

Heartland Payment Systems of Princeton, NJ reported on Tuesday that a security breach may have compromised tens of millions of credit/debit card transactions last year. If figures are accurate, this makes the Heartland incident one of the largest data breaches ever reported.

Here’s a quick rundown:
1. Sometime in late 2008, there was a security breach at Heartland, which processes payments for more than 250,000 businesses nationwide.
2. Heartland uncovered the breach when they were notified by the credit card companies of fraudulent charges coming in.
3. Stolen data includes names, card numbers and expiration dates, but not Social Security numbers, addresses, phone numbers, or unencrypted PINs.
4. Heartland doesn’t know who is responsible or exactly how many businesses were affected, but now believes that the breach is closed.

In a press release found at the company’s website, Heartland indicates that “cyber thieves breached its system in 2008 and stole credit card information.” The company says it was alerted by Visa and MasterCard of suspicious activity surrounding cards that had all been used at merchants which rely on Heartland to process payments. An investigation uncovered malicious software that compromised data that crossed Heartland’s entire network.

President and CFO Robert Baldwin indicates that intruders had access to Heartland’s system for “longer than weeks” in late 2008; the malware was planted on the company’s network, and therefore recorded data as it was being sent for processing to Heartland by the company’s clients. Baldwin asserts that since no SSNs, addresses, phone numbers, or PINs were stolen, there is no risk of identity theft. He assures cardholders that if their information was compromised, they are not liable for the fraudulent charges.

Heartland now believes that the security breach is closed.

Deceptive Disclosure, or Just Good Timing?
With the disclosure of the security breach falling on Barack Obama’s inauguration day, many industry officials are questioning Heartland’s timing of the news release. Says Avivah Litan, fraud analyst with Gartner Inc., “This looks like the biggest breach ever disclosed, and they’re doing it on inauguration day? I can’t believe they waited until today to disclose. That seems very deceptive.”

Baldwin counters, saying that Heartland worked to disclose the breach last week, but couldn’t due to legal procedures. He claims that Heartland considered holding back another day, but ultimately decided it was important to get the information out as soon as possible, “recognizing of course that this is not an ideal day from the perspective of visibility.”

So on a day when most of America is glued to the coverage of the Presidential inauguration, is this considered deceptive, or just good timing (from Heartland’s standpoint, that is)?

Is Your Processing Company Safe?

The Heartland disclosure follows a year of similar breach disclosures at several major U.S. card processors. In 2008, both RBS Worldpay and Hannaford Brothers Co. disclosed breaches of their payment systems that may have affected millions of credit/debit card accounts. Similarly, TJX Companies Inc. disclosed a number of breaches in 2007 that exposed more than 45 million account holders. In 2005, a breach at payment card processor CardSystems Solutions jeopardized roughly 40 million credit and debit card accounts. The increasing number of incidents suggests that cyber-crooks may be targeting payment processors more and more, sparking security concerns across the entire payment processing industry. Because Heartland maintains that they are compliant with the Payment Card Industry Data Security Standards (security controls mandated by major credit card companies), the breach adds to growing doubt about the effectiveness of PCI rules. Can what happened to Heartland happen again?

Merchant Service Inc., or MSI, is a credit card processing company that provides the merchant accounts, credit card machines, and software that allow businesses to accept credit and debit card transactions. MSI’s security has never been breached.


MSI Awarded 2008 Best of New England Award by USLBA

December 8th, 2008

On October 15th 2008, MSI was awarded the 2008 Best of New England Award by the U.S. Local Business Association (USLBA). The award was given in the category of Credit Card/Credit Plans Equipment & Supplies. It is truly a fantastic honor which underlines the fact that we do everything we can to provide the best quality services to our clients. We are delighted to win this award and to be recognized in such a high profile way – but we also see it as a challenge to further improve on our services. Some business people are unaware of the benefits of the various merchant services that are on offer, and we want to do all we can to make this avenue of payment processing much easier to understand.

We hope that our website helps you better understand how each of our products and services work. We recognize that every single person who gets in touch with us will need something different – that’s why we take care to get to know you and your business, so we can provide the best solution for you. We never operate purely for profit – as far as we’re concerned, the customer will always want the best service for the best price, and that is what we aim to deliver every single time.

Browse our site to find out more about us and the products we have to offer. At MSI, we do much more than just merchant accounts. We are known for making what can be a complicated area more easily accessible, and we are committed to helping businesses both small and large. Our customers can also use our services to accept payments securely over the internet, and can benefit from the impressive range of credit card machines that we have in stock.


Welcome

December 5th, 2008

Welcome to the MSI Merchant Service blog. Here, you will find information about our products and services – as well as news about merchant accounts and the credit card processing industry. We love getting feedback, so please share any thoughts and comments that you may have.
