A restaurant may be in trouble with Visa/MC

Posted by: Curtis Stevens on December 1st, 2009

It saddens me to read something like this article.  A restaurant in Ohio recently had its customers' credit card data stolen.  The manager said he was notified a month ago that the system had been hacked and that card data was stolen during July and August.  Police have been notifying local residents that their credit card data may have been compromised.  The restaurant has hired an outside firm to monitor the system and paid a $5K fine.  This is another example of why it is so important for merchants to understand PCI compliance and to ensure their systems and networks are secure.  From the consumer's standpoint, most people worry when their credit card data is stolen.  I wish everyone knew that they are not liable for a penny if they never lose the physical card itself.  It is a hassle, but nothing more.  In summary, whomever you choose as your credit card processing provider, be sure your system is PCI compliant.

2009, the year of mega data breaches

Posted by: Curtis Stevens on December 1st, 2009

2009 looks like it will be a year of big data breaches, including breaches of credit card data.  The government has reported over 400 breaches for 2009.  The big problem is the amount of data that is tied to credit card numbers, SSNs and medical records.  Last year it was around 35 million records, and 2009 will see over 8 times that many.  Many would call that an explosion.  The credit card industry has had far too many breaches these past few years.  The breaches involving stolen credit cards played a big role in the formation of PCI compliance among credit card processors.  Because so many big merchants like TJ Maxx had their systems compromised, PCI was created to help reduce the problem: it is very expensive for an issuing bank to reissue all of the stolen cards.  Five years ago PCI didn't exist, and the credit card data breaches of the past five years are a major part of why it was created.

A POS vendor is being sued

Posted by: Curtis Stevens on December 1st, 2009

Radiant Systems has found itself in a lawsuit filed by a group of seven restaurants in the Louisiana area.  Their claim is that the POS system they were sold was not PCI compliant and as a result was hacked by someone overseas.  The suit states that the POS system stored all of the credit card data, which is a violation of the PCI standards.  The POS system named is called Aloha.  Aloha was originally owned by another POS company but was purchased by Radiant Systems, which also does credit card processing.  Computer World was also named in the suit.  They allegedly installed a program that lets their techs remotely access the systems but did not secure it: the remote access program was left with its default ID and password, which created a big vulnerability.  The hackers gained access through that program and installed malware that grabbed the stored credit card data.  One of the plaintiffs stated that he was forced to hire a forensic team to investigate the breach, which cost him thousands, and he was then fined by Visa and MasterCard for the breach.  In total, the breach cost him $50K.  I see why they filed the lawsuit, as both companies involved should have taken measures to prevent this.  Computer World should not have done what they did, and Aloha should never have stored the credit card data.  It is generally not a good idea to store that kind of sensitive information.
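A worked example of the difference between what the breached POS kept on disk and what a POS may keep after authorization, together with the kind of scan a forensic team runs to find card numbers sitting in a database. This is an added example written for this page, not code from the blog post, from Radiant Systems or from Aloha; the record layout, field names, key and sample records are all constructed (the card numbers are published test numbers).

```python
"""Added example: strip a raw card capture down to what PCI DSS lets a POS keep
after authorization, and scan a data dump for stored card numbers.

Not from the blog post or from Radiant/Aloha. Field names, the key and the
sample records are constructed; the PANs are published test numbers.
"""
import hashlib
import hmac
import re

# Constructed per-site key. A real deployment keeps this in an HSM/KMS,
# never in the POS code or in the database next to the tokens it produces.
TOKEN_KEY = b"constructed-example-key-not-for-production"

# Constructed raw swipe capture: everything a track-1 read plus keyed entry
# hands the POS. Records like this are what a POS must NOT write to disk.
RAW_CAPTURE = {
    "pan": "4111111111111111",
    "track1": "%B4111111111111111^DOE/JOHN^2512101000?",
    "expiry": "2512",
    "cvv2": "123",
    "pin_block": "A1B2C3D4E5F60718",
    "amount": "42.17",
    "auth_code": "123456",
}

# Sensitive authentication data (PCI DSS req. 3.2): must not exist after authorization.
SENSITIVE_AUTH_FIELDS = ("track1", "track2", "cvv2", "pin_block")


def luhn_valid(digits: str) -> bool:
    """Mod-10 check that every card brand applies to its PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS req. 3.3: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def tokenize_pan(pan: str) -> str:
    """Keyed hash of the PAN so refunds and repeat customers can be matched
    without keeping the PAN. An unkeyed SHA-256 would be brute-forceable:
    with the BIN and last four visible in the masked PAN, only ~10^5
    Luhn-valid candidates remain, so the hash must use a secret key."""
    return hmac.new(TOKEN_KEY, pan.encode(), hashlib.sha256).hexdigest()


def sanitize_for_storage(capture: dict) -> dict:
    """Return the only form of the record that may live in the POS database."""
    pan = capture["pan"]
    return {
        "pan_masked": mask_pan(pan),
        "pan_token": tokenize_pan(pan),
        "expiry": capture["expiry"],
        "amount": capture["amount"],
        "auth_code": capture["auth_code"],
    }


def record_to_blob(record: dict) -> str:
    """Flatten a record the way it would appear in a DB dump or log file."""
    return "|".join(f"{k}={v}" for k, v in record.items())


# 13-19 digit runs not bordered by other digits: the shape of a PAN.
PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")


def find_stored_pans(blob: str) -> list:
    """PAN discovery as a forensic team does it: candidate digit runs filtered by Luhn."""
    return [m for m in PAN_RE.findall(blob) if luhn_valid(m)]


if __name__ == "__main__":
    print("PANs found in raw capture:", find_stored_pans(record_to_blob(RAW_CAPTURE)))
    clean = sanitize_for_storage(RAW_CAPTURE)
    assert not any(f in clean for f in SENSITIVE_AUTH_FIELDS)
    print("PANs found in sanitized record:", find_stored_pans(record_to_blob(clean)))
    print("Stored record:", clean)
```

Run stand-alone, the scan finds the test PAN twice in the raw capture (once as the keyed field, once inside the track-1 string) and nothing in the sanitized record. The same scan, pointed at a real POS database or log directory, is how a forensic team confirms the "stored all the credit card data" claim in the suit.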

What to ask your shopping cart vendor about PCI Compliance

Posted by: Curtis Stevens on November 24th, 2009

There are a few questions you should ask your shopping cart vendor about PCI compliance.  PCI compliance is a hot topic today and has been for several years now.  Most shopping carts must be PA-DSS certified: unless your cart never stores or passes payment information, it needs to be in compliance.  The mandated deadline for banks to ensure all vendors, merchants and agents are in compliance is July 2010.  Merchants with a shopping cart will also need to use an Internet gateway service with built-in credit card processing, and that should also be PCI compliant.  How do you know if your cart is in compliance?  Ask the vendor for this information.  What should you do if your cart is not PCI compliant?  Ask them whether they have applied for certification and are waiting.  If nothing has been submitted or done about it, I would consider switching to a cart that is certified.  Merchants are responsible for everything they do and use, including their vendors' products and services.

Is there such a thing as secure software?

Posted by: Curtis Stevens on November 21st, 2009

Heartland’s CEO Steven doesn’t believe there is such a thing as secure software, and there probably never will be.  Steven learned the hard way: he was brought on board at the company only to find that its network had been compromised for months and millions of credit card numbers had been stolen.  The actual numbers are unknown, but the fact that Heartland processes more than 100 million transactions a month for more than 250K merchants almost guarantees it is among the largest breaches in history.  They lost more than $500 million due to the breach.  The credit card processing giant has announced plans to develop and release software and hardware that implement end-to-end encryption, so the data is protected from point A to point B.  According to Steven, end-to-end encryption has been avoided for many years mainly because of the cost.  After all the breaches of the past few years, the industry may have no choice but to embrace it and absorb the expense.  The TJ Maxx breach a few years back is another large breach that has helped bring attention to this type of encryption.  I personally think encryption is important, but it is vulnerable like anything else.  If hackers want something, you can’t stop them.  You simply try to stay ahead of them and beat them at their own game.

PCI Compliance, be ready

Posted by: Curtis Stevens on November 21st, 2009

Are you ready for PCI compliance?  Many merchants are not PCI DSS compliant and face stiff penalties and fines as a result.  The good news is that almost all credit card processing companies are PCI compliant.  Starting last October, PCI went from recommended to mandatory.  If you process more than one million transactions a year, you must be using a certified PCI provider.

Acquiring banks are required to report any merchants that are not compliant to the card associations.  Many merchants believe they only need to fill out the self-assessment questionnaire.  That isn’t true if they collect the credit card data themselves instead of letting their payment gateway do the job.  Merchants also need to have their networks scanned quarterly if they store, process or transmit cardholder data.  This is true even for MOTO merchants that use a virtual terminal: if they are keying the information into a web site, they need to ensure their own computer is safe and secure, which at a minimum means running a firewall and anti-virus software.  To help educate merchants and provide them with the tools necessary to tackle the job, most credit card processors charge a PCI compliance fee.  Some pass along a monthly fee and others charge a yearly fee.  Consult with your provider to see if they have one.

Ipayment, Inc. releases 3rd Qtr Income Results

Posted by: Curtis Stevens on November 14th, 2009

Ipayment recently released its 3rd quarter profit results.  There are a few things I noticed that were interesting.  Not only did their revenues decrease compared to last year, but their revenue net of interchange went down as well.  However, their net income actually stayed the same.  Why is this, you may ask?  Many companies are charging what the credit card processing industry calls a PCI compliance fee.  Most of the major players charge some type of fee, whether monthly or yearly.  When Ipayment started charging its merchant base, it charged $30 a year for the first year.  The next year, it increased that to $129 a year.  I understand most companies have had a big cost when it comes to implementing PCI compliance and ensuring their own company is in compliance, but the first year at $30 per client should have covered most of that cost.  So the next year’s $129 was mostly all profit.  If you multiply that by their 140,000-customer base, you can see how that may have played a big role in their net income staying the same.
