Visa Security Alert Threat Landscape: Pin Pad/POS Skimming

June 3, 2016

Incident Details

Visa Global Payment System Risk is aware of increasing incidents involving suspects placing skimming devices on point-of-sale (POS) terminals for the purpose of collecting payment card information, including PIN numbers. Perpetrators use this information to create counterfeit cards re-encoded with the stolen card information and make unauthorized ATM withdrawals. The primary targets for these recent skimming events are self-checkout terminals in supermarkets. However, any POS terminal may be at risk, including those that are often unattended, such as terminals near deli counters, coffee stands, etc. The perpetrators are mobile and will target multiple stores within a geographic area for a period of time before moving on to a new location. Most entities targeted are using payment devices that have not yet been upgraded to accept EMV cards.

Placement of Skimming Devices

Skimming devices can be placed at any time of the day but placement usually occurs during slower times of business when the perpetrators can go undetected by employees or other customers. The perpetrators will usually work in teams of two or more with one person being a lookout, one person placing the skimming device on the POS terminal and another creating a barrier so that no one can observe the skimming device being placed. Perpetrators have been known to use large items such as packs of paper towels to block the view of POS terminals. In some instances, it was reported that the suspects created a distraction in the store by faking a medical incident or causing commotion that distracted the attention of store personnel away from the POS terminals. The skimming devices will mimic the look of the front of the POS terminal.

Recommended Inspection & Response Actions

1. Prevention Through Device Inventory Management

  • In accordance with PCI DSS Requirement 9.9, ensure implementation of security controls to protect POS devices from tampering and substitution. Examples include:
      • Maintain a list of devices including the device serial number or other method of unique identification.
      • Keep a list of device location either by store or physical location within the store itself (i.e., self-checkout, deli counter, manned checkout).
      • Train personnel to be aware of suspicious behavior and to report tampering or substitution of devices.
      • Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.

2. Physical Inspection of POS Devices

  • Implement security procedures to inspect POS devices at least twice each day and at random times.
  • Physically examine the device. Skimming devices are typically attached with minimal adhesive, allowing them to be placed and removed with ease, so devices may be detected by giving the front of the POS/PED a good grab-and-pull. Weighing the devices may also identify tampering.
  • Please note some skimming devices are Bluetooth enabled and data can be captured without the device needing to be recovered.
  • When inspecting devices, use backup security personnel to monitor from a distance as suspects may watch compromised terminals and suspects are trained in counter surveillance to avoid detection/arrest.

3. Device Recovery Response

  • If a skimming device is discovered on a POS terminal, do not handle it, as evidence may be damaged.
  • Notify local law enforcement and the FBI or USSS office so they can recover the skimming device.
  • Protect any video surveillance that may be used to identify any perpetrators and confirm timing of when the device was placed on the POS terminal.
  • Initiate incident response procedures and notify your Acquirer so that Visa can assist with the investigation.
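
The device inventory in section 1 and the twice-daily inspection in section 2 can be reconciled automatically. The sketch below is an added example, not part of the Visa alert; the terminal IDs, serial numbers, baseline weights and the 15 g weight tolerance are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    serial: str      # unique identifier kept in the inventory list
    location: str    # e.g. self-checkout, deli counter
    weight_g: int    # baseline weight recorded at install (assumed field)

@dataclass(frozen=True)
class Inspection:
    day: str            # ISO date of the inspection
    terminal: str
    serial_seen: str    # serial read off the device during inspection
    weight_g: int
    pull_test_ok: bool  # front stayed attached on grab-and-pull

def audit(inventory, inspections, day, min_checks=2, weight_tol_g=15):
    """Return sorted (terminal, finding) pairs for one day's inspection log."""
    findings, checks = set(), Counter()
    for rec in (r for r in inspections if r.day == day):
        dev = inventory.get(rec.terminal)
        if dev is None:  # a terminal nobody has on the list
            findings.add((rec.terminal, "not-in-inventory"))
            continue
        checks[rec.terminal] += 1
        if rec.serial_seen != dev.serial:  # possible device substitution
            findings.add((rec.terminal, "serial-mismatch"))
        if abs(rec.weight_g - dev.weight_g) > weight_tol_g:
            findings.add((rec.terminal, "weight-deviation"))
        if not rec.pull_test_ok:
            findings.add((rec.terminal, "overlay-suspected"))
    findings |= {(t, "under-inspected") for t in inventory if checks[t] < min_checks}
    return sorted(findings)

# Constructed sample data for illustration only.
INVENTORY = {
    "SCO-01": Device("SN-EXAMPLE-0001", "self-checkout", 410),
    "SCO-02": Device("SN-EXAMPLE-0002", "self-checkout", 410),
    "DELI-01": Device("SN-EXAMPLE-0003", "deli counter", 395),
}
LOG = [
    Inspection("2016-06-03", "SCO-01", "SN-EXAMPLE-0001", 412, True),
    Inspection("2016-06-03", "SCO-01", "SN-EXAMPLE-0001", 409, True),
    Inspection("2016-06-03", "SCO-02", "SN-EXAMPLE-0002", 447, False),
    Inspection("2016-06-03", "SCO-02", "SN-EXAMPLE-0002", 411, True),
    Inspection("2016-06-03", "DELI-01", "SN-EXAMPLE-0009", 395, True),
]
if __name__ == "__main__":
    print(audit(INVENTORY, LOG, "2016-06-03"))
```

Any finding other than `under-inspected` should be handled under the device recovery response in section 3 rather than by staff removing the device.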

 

Information from VISA April 2016

For other questions, please contact Cyber Intelligence & Investigations via email at USFraudControl@visa.com

Additional Resources:

What To Do If Compromised


Support for older versions of Internet Explorer Ended

May 31, 2016

What is end of support?

Beginning January 12, 2016, only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates. Internet Explorer 11 is the last version of Internet Explorer, and will continue to receive security updates, compatibility fixes, and technical support on Windows 7, Windows 8.1, and Windows 10.

Internet Explorer 11 offers improved security, increased performance, better backward compatibility, and support for the web standards that power today’s websites and services. Microsoft encourages customers to upgrade and stay up-to-date on the latest browser for a faster, more secure browsing experience.

What does this mean?

It means you should take action. After January 12, 2016, Microsoft will no longer provide security updates or technical support for older versions of Internet Explorer. Security updates patch vulnerabilities that may be exploited by malware, helping to keep users and their data safer. Regular security updates help protect computers from malicious attacks, so upgrading and staying current is important.


Potential risk of using older versions of Internet Explorer:

Security

Without critical browser security updates, your PC may become vulnerable to harmful viruses, spyware, and other malicious software which can steal or damage your business data and information.

Compliance

Businesses that are governed by regulatory obligations such as HIPAA should conduct due diligence to assess whether they are still able to satisfy compliance requirements using unsupported software.

Lack of ISV Support

Many Independent Software Vendors (ISVs) no longer support older versions of Internet Explorer. For example, Office 365 takes advantage of modern web standards and runs best with the latest browser.



Chargebacks on Credit Cards Happening NOW! #EMV

May 10, 2016

RETAILERS ON THE HOOK FOR COUNTERFEIT TRANSACTIONS

Chargebacks are on the rise following the October 2015 EMV liability shift, and convenience retailers are fighting back.
May 10, 2016

NEW YORK – Beginning with the October 2015 EMV liability shift, retailers that have not upgraded their payment terminals to accept EMV chip-card transactions are “on the hook” for counterfeit transactions, writes the Wall Street Journal, and this particular cost of fraud, chargebacks, is adding up.

The news source reports that chargebacks among small and medium-size merchants increased 15% in Q4 of 2015 from a year earlier, according to a Strawhecker Group survey, adding that the volume of chargebacks has likely increased even more since then. Although the group didn’t put a dollar figure on the chargebacks, other experts put the total around the tens-of-millions of dollars mark.

Since the October 2015 EMV liability shift, many retailers are experiencing an outrageous increase in chargebacks that are mostly erroneous. Mike Lindberg, payment solutions manager at CHS Inc., commented during the Conexxus Annual Conference last week that some smaller retailers have reported a $10,000 to $15,000 increase in chargebacks per week, while larger retailers are experiencing $1 million in chargebacks per week.

“I can’t imagine what will happen at the pump come October 2017,” Lindberg warned.

The No. 1 chargeback reason code since October 2015 is “merchandise not received,” he said, which in theory makes no sense for the big box retailers. Some retailers are even seeing multiple chargebacks on the same credit card, indicating that there is very little interest from card issuers or acquirers to help solve this costly problem.

Due diligence, however, can pay off. Convenience retailers experiencing a higher volume of chargebacks can successfully reverse the charges on challenge because convenience retailers aren’t within the October 2015 liability shift specification for type and applicability (i.e., the fuel dispenser).

“The banks will hopefully learn from the first October 2015 liability shift what is chargeable, because right now it’s a ‘charge it all back and see what gets challenged’ approach,” said Gray Taylor, executive director of Conexxus. He previously told NACS Daily that this approach to chargebacks “will have dire consequences for small to mid-size retailers, who can scarcely afford dedicated chargeback staff.”

NACS Online article found here


EMV is real, like it or not.

March 31, 2016

CAN WE GET A ‘MEH’?

Survey finds that consumers don’t seem to care whether payment terminals are EMV capable.

March 31, 2016

NEW YORK – Forbes writes “there was a lot of hoopla” surrounding the October 1, 2015, EMV liability shift date, where retailers that did not upgrade to EMV-capable payment technology would become liable for any fraudulent purchases that resulted from chip-card transactions.

According to a recent CardHub survey, 42% of retailers have not updated terminals in their stores to make them EMV-compliant—and consumers don’t seem to care, writes Forbes. The publication added that CardHub found “some 56% of people surveyed don’t care if a retailer’s payment terminal is chip-enabled, and 41% of consumers say they don’t have—or don’t know if they have—a chip-enabled credit card.”

Of the retailers CardHub included in its survey, only 60% that said they would complete equipment upgrades by the October 1, 2015, liability shift deadline have finished updating all of their terminals. “We were a little bit surprised by just how slow the uptake is here,” Jill Gonzalez, an analyst at CardHub, told Forbes, adding, “The banks did their part, the financial institutions got their chip-enabled cards out, and the retailers really are taking their time.” She also says that retailers “aren’t feeling the pressure of being responsible for fraudulent activity” because it hasn’t become a financial reality.

However, as Conexxus Executive Director Gray Taylor points out, many retailers haven’t flipped the switch to accept EMV payments “because they can’t, reasonably or unreasonably.” There’s also strong indication from retailers that the October 1, 2017, liability shift for outdoor payment equipment (i.e., dispensers) will be difficult to reach for those same reasons. “What has resulted is retailer abuse—starving innovation, paying premiums for development, putting equipment into the market with the understanding that multiple site-down visits will be required—has never been seen before in any mandate,” he told NACS Daily.

“Furthermore, the card companies aren’t calling EMV a mandate, but for retailers who don’t do it, chargebacks will go from a light sprinkle to a massive downpour.”

Forbes writes that installing EMV-compliant terminals is a dual-cost process for retailers. The first cost is upgrading (or in some instances replacing) all of their terminals, and the second cost is terminal activation. For consumers, their “meh” attitude is likely because education about EMV chip cards hasn’t emphasized the security aspect.


Retailers may have a “Meh” attitude but EMV is real and MUST be addressed.  It’s a difficult process for everyone but our QIR Certified Staff can help to answer your questions. Don’t wait until the chargebacks start to happen, as was the case with one of our customers.

Give us a call – 518-633-4111 x 103

BACKUP YOUR DATA!

March 30, 2016


That means spring forward

change the batteries on the smoke detectors

and

   —   BACKUP YOUR DATA   —

Backing up your data is like flossing your teeth.

You don’t have to floss them all

 just the ones you want to keep.



MAKING PEOPLE SMILE in Seattle

March 28, 2016

A Chevron gas station in Seattle uses its sign to entertain customers, rather than inform.
March 28, 2016

SEATTLE – Usually signs are in the business of letting potential—and current—customers know about sales, special events and other information related to the company. Most convenience stores use outdoor signage to highlight specials and products, but the Wallingford Chevron gasoline station and convenience store has taken a different tack: humor.

For more than a decade, this station’s sign has posted amusing sayings to the delight of customers and residents. The genesis of the humorous postings is traced back to when the owners replaced an auto repair shop with a convenience store. To get the word out about the change, the owners hit on the idea of entertaining signage, the News Republic reports.

Popular messages include:

  • Ban pre-shredded cheese—make America grate again.
  • If attacked by a mob of clowns, go for the juggler.
  • When it’s raining cats & dogs, don’t step in a poodle.
  • A clear conscience is the sign of a fuzzy memory.
  • Hold the door open for a clown. It’s a nice jester.
  • Ever stop to think and forget to start again?
  • The past, present & future walk into a bar. It was tense.
  • I child-proofed my house but the kids still get in.
  • If pride comes before a fall, humility should come by winter.
  • I checked into the hokey-pokey clinic & I turned myself around.

The station has a dedicated Facebook page for the Wallingford Sign with photos of its most popular ones.

Full article found here:

NACS online


CHIP CARD DELAY FRUSTRATES RETAILERS

March 24, 2016

Delays in POS equipment certification have many retailers frustrated and worried about huge spikes in chargebacks.

March 24, 2016

NEW YORK – Avi Kaner, a co-owner of the Morton Williams supermarket chain in New York, has spent about $700,000 to update the payment terminals at his stores to accept EMV chip cards. However, he can’t turn them on, writes The New York Times, a bottleneck in offering a more secure payment process that is frustrating retailers—both large and small—across the United States.

Since the EMV liability shift took place on October 1, 2015, retailers have been essentially put on hold to get their payment terminals certified to accept chip cards.

The Times reports the cost of waiting is piling up. “It’s been very frustrating,” Kaner told the news source, noting that he purchased most of the upgraded POS equipment before the Oct. 1 deadline, and he’s still waiting for certification. The delay, he says, has cost him thousands of dollars in payments for fraudulent purchases. “There’s no recourse,” he said.

“The long delays are just the latest black eye for the deployment of the new systems,” writes the Times, noting that some consumers haven’t even received new credit and debit cards with the embedded EMV chip.

First Data, one of the largest payment processors, told the Times that about 20% of the four million American merchants it works with are in the process of being certified, a procedure that can take weeks to months.

Mallory Duncan, general counsel at the National Retail Federation, told the Times that the payments industry was unprepared to handle the flood of certification requests around the Oct. 1 liability shift deadline. “They didn’t allow for enough time or people to perform this certification,” he said. “Merchants have gotten slammed because they weren’t able to get certified, because the networks failed to provide the necessary resources to do that.”

Kaner commented that since Oct. 1, customers who have contested charges made with their EMV-enabled cards have been successful in reversing transactions, and he’s worried that some customers will use the Oct. 1 liability shift to get out of paying for legitimate purchases. Chargebacks, he said, have increased significantly. “It started out as a trickle, and now it’s turning into a flood,” he told the Times. “In the first couple months, it might have been a few hundred dollars a month. Now, it’s thousands a month.”

“The convenience and fuel channel has numerous retailers in the same situation, having invested upwards of $30,000 per site to be hardware-ready for EMV, only to be put on perpetual hold with approved software,” said Gray Taylor, executive director of Conexxus. “These retailers are trying to avoid the inevitable manufacturing and installation bottlenecks to do the right thing and get ahead of the curve, only to be on perpetual hold by an over-burdened vendor community trying to navigate late specifications and complex certifications. This is what happens when you simply choose a deadline, like the card brands did, without diligence. The premium retailers will pay for this ‘hurry up and wait’ situation and it will result in higher consumer prices.”

=====================================

Thanks NACS for this article. Retailers aren’t the only ones frustrated, resellers share equally in the frustration.

http://www.nacsonline.com/Media/Daily/Pages/ND0324161.aspx?utm_content=NACS%20Daily%20032416:%20newsarticle1%20(Chip%20Card%20Delay%20Frustrates%20Retailers)&utm_source=NACS%20Daily&utm_campaign=NACS%20Daily%20032416&utm_medium=email&utm_term=343490#.VvQaOOIrK70
