transnationalbankcard

TransNational Supports the Small Business Community

In Uncategorized on September 10, 2014 at 10:00 am

TransNational announced today that the Rosemont-based payment technology firm has officially become a major sponsor of the Small Business Advocacy Council, a non-partisan Illinois-based advocacy group that empowers the state’s small business community.

The SBAC is dedicated to empowering small business owners, influencing legislation focused on improving the Illinois economy, and providing the small business community a level playing field. The organization also provides savings programs and educational services, and makes valuable connections for its members.

“As a company that tirelessly advocates on behalf of our clients, we see a lot of value in the concept behind small to mid-size business advocacy and empowerment,” says Perry Tatooles, VP Strategic Partnerships at TransNational. “We hope that a partnership with SBAC enables us to bring SBAC opportunities to our clients, as well as help communicate and engage in small business educational and economic programs across the state.”

TransNational has always strongly supported small business owners and entrepreneurs, because they are the engine that drives the economy. “Small business owners are not just our clients, they are our colleagues, as well,” continues Tatooles. “We look forward to working with the SBAC to provide the small business community with a strong voice, now and into the future.”

ABOUT TRANSNATIONAL: As a leading electronic payments processor headquartered in Rosemont, IL, TransNational maintains an A+ rating with the Better Business Bureau and has been voted runner-up for one of the industry’s highest honors, the 2013 National Electronic Payments Sales Organization of the Year!

As a company, we are open and honest in our business dealings, starting with our consultative sales approach and continuing through our ongoing customer support. Our strong commitment and ability to adapt to the individual needs of a rapidly changing market have facilitated unprecedented success and growth for our organization. 

One Breach, Two Breach, Three Breach. When Will it be Your Breach?

In Uncategorized on September 8, 2014 at 9:50 am
by Perry Tatooles
Home Depot is investigating the possibility of a potentially massive data security breach this week. Last week, there were reports that the Albertson family of grocery stores, which includes Jewel-Osco, was potentially breached. But did you know that the Department of Homeland Security announced last month that hackers attacked over 1000 U.S. businesses in the same fashion that Target and other major retailers were attacked? The national media focuses almost entirely on the major retailers; however, this blog speaks to small business and those of us who work with small businesses. I heard it again today from a colleague of mine who was speaking with a smaller account of his doing roughly $50k in monthly credit card processing. When instructing the business to take the PCI SAQ and IP scans to avoid NON-PCI fees and help PROTECT their business, their response was, “Those hackers are not going after small businesses like ours.” It is that exact sentiment that is going to contribute to small businesses getting taken to the cleaners by cyber criminals.

In Trustwave’s 2014 security report, they cite the following:

·      “Our (Trustwave) volume of data breach investigations increased 54 percent in 2013, compared to 2012”

·      “Point-of-sale (POS) breaches accounted for 33 percent of our investigations”

·      “59 percent of victims reside in the United States, 14 percent in the United Kingdom and 11 percent in Australia”

·      “96 percent of applications scanned by Trustwave harbored one or more serious security vulnerabilities”

·      “100 percent of the mobile applications we tested contained at least one vulnerability”

This list goes on and on and on. The full Trustwave report can be retrieved through www.secretservice.gov; this is a really eye-opening and well-put-together report.

Time to wake up

I will be the first to admit that I was one of those detractors to “NON PCI COMPLIANCE FEES”. I was guilty of telling merchants that their processor was greedily charging this fee to make more money. My view now has shifted 180 degrees. If the average small or mid-sized business owner cares so little about protecting their business and their customers, then paying $20 a month is a small price to pay. The whole “It can’t happen to me,” or even worse, “I am too small for it to happen to me” notion is no longer acceptable. This type of crime has reached an all-time high and is only showing signs of getting worse. I don’t want to just throw small business owners under the bus. I will agree that many are simply misinformed by merchant processing sales people trying to get a sale by following the path of least resistance and informing their clients or prospective new clients that they are not in harm’s way, or that the likelihood that anything ever happens to them is too small for them to pay any attention. I personally detest sales people like this that give our industry a bad reputation, and make bad problems worse.

For those of us who are fighting the battle of simply getting businesses that process payments to become PCI compliant, there is no assurance that we win. The unfortunate part of this is that becoming and maintaining PCI compliance does not actually prevent a breach or even detect one. It can and will, if done properly, point out vulnerabilities in your network, which, once the vulnerability is patched, can prevent a criminal from infecting your systems or at least make it more difficult. Simply by taking the PCI SAQ you will be asked questions on internal policies on how cardholder data is handled amongst employees, who has access to sensitive data, escalation procedures, etc. Many business owners do not maintain the policies on how cardholder data is handled that PCI requires, but at the very least it will open their eyes to what they should be doing and hopefully some or all of the requirements are implemented. Every little bit helps.

According to Trustwave, 71 percent of compromise victims did not detect the breach themselves.  Regulatory, card brands and merchant banks detected 58 percent of data compromises.  FYI, 58 percent of the time:  too bad, so sad.  The damage has already been done.

I have unfortunately had to notify a mid-sized business with a name and brand nobody would recognize that we received notification from two card brands via a CPP report indicating their business as being the triangulated source of thousands of stolen credit cards.  My team and I took hundreds of calls from this merchant in a panic trying to figure out the Who and How.  The business then had to deal with two security assessors, tens of thousands of dollars in fees to those assessors, and many hours of lost sleep pondering, “What will happen to my business and my employees if the breach was proven to come from us?”  It’s simply not worth it.

I’ll end this by saying if you are a small business or work with small and mid-sized businesses, and refuse to minimally protect your business and its customers from criminals, walk to your security system and unplug it. Take down your cameras and stop paying the monthly fees, leave your safe open and put a sign on your front door that says “please steal from us.”

Do you get the point?

Hopefully, this gets the point across. Unfortunately, this is going to be a topic we hear more and more about (once a week at the current rate). Let’s agree to be a part of the solution and not the problem. Pass on good information, take the time to help business owners. If you own or run a business, take the time to understand the full scope of “securing” your business/network beyond locks on the doors and cameras or a simple firewall. We are in a new era of criminal and I promise you they will not be breaking through your doors, your cameras will not see them, and what they are stealing is more difficult to replace than money.

PCI 3.0 is here and comes with some major changes. In my next post we will explore the most major changes as it pertains to small and mid-sized businesses.

About Perry:  Perry Tatooles is a 10-year veteran of the Merchant Services industry.  He is currently managing several sales channels for an award-winning ISO and MSP based out of Chicago.  In his years of service, he has worked with thousands of merchants ranging from Fortune 500 to startup sole proprietorships.

Card Data Security: The Harsh Reality for Retail SMBs

In Uncategorized on June 20, 2014 at 8:58 am

Last week I was having a meeting with the CTO of a 130-location retail business. This gentleman, whom we’ll call William, is way ahead of the curve as it pertains to his knowledge and insight of payments, POS systems and network security (he is truly a pleasure to speak and work with). The private equity company that owns his current employer recently purchased a new group of restaurants on the east coast. They sent William to assess the current state of technology within the restaurants. Within five minutes of inspection William noticed Linksys routers (the kind you get at your local big box electronics store) sitting next to their relatively new POS systems servers. William asked the current (probably not for long) IT guy if those routers were secured, to which the IT guy responded with a timid “Yes... by the firewall provided by the manufacturer.” Dumbfounded, William realized that the only line of security between the restaurant’s network and the world was an out-of-the-box firewall. William self-admittedly does not even possess the skills of a low-level hacker, but within 5 minutes he was able to bypass the firewall, access the restaurant’s network, and secure their IP addresses. For those of you who may not know, once you are this far, installing malware/keyloggers and stealing sensitive data is not difficult.

This story can be told about thousands of small to medium sized businesses (SMBs) in the US.

Funds are tight as it is, and most would argue that the money is needed to operate their business.  Many SMBs I work with struggle some months to cover the litany of expenses just to keep their doors open.  Then there is the other side of the coin, SMBs who are doing well, making money, and investing in their company’s growth.  Many businesses focus on everything BUT their payments and data security infrastructure.

The Harsh Reality

These statistics were taken from the 2014 Symantec Internet Security Threat Report, and this is just a fraction of the data in the report. I would encourage anyone who is interested in taking a deeper dive into this topic to download the full 97-page report. Caution, it is scary.

- The average cost to a business that suffers a breach in the US is $199 per record.
- The US has the highest average total organizational cost of a breach at $5.5+ Million.
- 37% of breaches are the result of a malicious malware or other virus or CRIMINAL INSIDERS.
- 62% of the data stolen when a business experiences a data breach is credit card data.
- E-commerce websites are the number one target for hackers.
- The average malicious data breach takes 80 days to detect and 180 days to resolve.
- Businesses with 1-500 employees comprise 41% of all attacks.

I am parading these numbers in front of you because SMBs are targeted often and have the most to lose. They are also targeted because they are the easiest to infiltrate and usually do not possess the resources to quickly catch the intruder. The cost of a breach will put most SMBs into bankruptcy. The Symantec ISTR report goes on to tell stories of businesses that were forced to seek bankruptcy protection, because the costs associated with the breach were, as the report states, “prohibitive”.

If you are an SMB, calculate how many unique transactions you run in an 80-day period of time and multiply that by $199. Consider this number the low end of what a breach would cost your organization.

Simple steps to secure your business?

1. KNOW YOUR NETWORK:
Your organization’s Local Area Network, LAN, is the doorway into your business. Like the example in the story at the beginning of this article, if someone can get past your LAN’s firewall and access your IP address, it is game over and you’re breached; the hacker will have their way with you and, most importantly, your valued customers’ data.
– Have a clear understanding of all the devices that connect your LAN to the internet and know what your exposure is. If you are the owner of a company and don’t have any idea about how your network is secured, consider this your wake-up call and take the opportunity to find out.
– Know who has access and control over your network. 29% of data losses were accidentally made public and 9% are due to insider theft.

2. BECOME PCI COMPLIANT:
One of the simplest ways to begin determining how secure your business is, is to take the PCI Compliance SAQ and scan your IP addresses. Call your current credit card processor and ask them what services they provide to accommodate this. My company provides these resources to our merchants at no cost through an online portal that allows you to take the PCI SAQ, as well as enter your IP address to be scanned. I would imagine most processors offer this service by now, hopefully at no cost. Scanning your IP addresses will determine whether or not they are secured, as well as if there are steps to remediate.

3. BEST PRACTICES:
Develop processes and procedures on how sensitive data is handled and secured. By putting together best practices regarding sensitive data, you can protect your business simply by understanding the flow of information, who has had access to it, and where possible internal vulnerabilities reside. Maintaining these is a part of being a PCI compliant organization. It is scary how many businesses have no plan or even clue as to how sensitive data is handled within their organization.

4.  BRING IN AN INDUSTRY EXPERT:
Bring in an outside firm.  There are hosts of companies that can assist you with securing your network.  These experts will assess your network, find the vulnerabilities, and propose methods and technology to keep your organization from suffering any losses.

In Closing

Bottom line is that falling victim to a hacker or internal criminal attack is a very harsh reality. Is it a pain to go through? YES. Can it cost you money? YES. Is taking some simple steps more costly in time and resources compared to a data compromise? NO. We need to secure our businesses for the same reasons we pay for health and life insurance. We may not need it today, but it’s a guarantee we will need it at some point sooner rather than later. Most of you reading this have probably felt the effects of a data breach already. The next time you get a new credit card in the mail with a letter that tells you your card may have been compromised, remember that costs a business about $200, on average. Don’t allow yourself to be a victim of negligence. Take the time to understand your liability and take the appropriate action from there.
Perry T.
About Perry T.:  Perry Tatooles is a 10-year veteran of the merchant services industry.  He currently manages several sales channels for TransNational Bankcard.  In his many years of service, he has worked with thousands of merchants ranging from Fortune 500 companies to startup sole proprietorships.