Card Data Security: The Harsh Reality for Retail SMBs

In Uncategorized on June 20, 2014 at 8:58 am



Last week I was meeting with the CTO of a 130-location retail business.  This gentleman, whom we'll call William, is well ahead of the curve in his knowledge of payments, POS systems and network security (he is truly a pleasure to speak and work with).  The private equity company that owns his employer recently purchased a group of restaurants on the east coast and sent William to assess the state of their technology.  Within five minutes of inspection William noticed consumer-grade Linksys routers (the kind you get at your local big-box electronics store) sitting next to relatively new POS servers.  William asked the current (probably not for long) IT guy whether those routers were secured, to which the IT guy timidly replied, "the firewall provided by the manufacturer."  Dumbfounded, William realized that the only line of defense between the restaurant's network and the internet was an out-of-the-box router firewall.

William admits he does not even possess the skills of a low-level hacker, yet within five minutes he was able to get past that firewall, reach the restaurant's internal network and find the addresses of the systems on it.  For those who may not know, once an attacker is this far in, installing malware or keyloggers on the POS systems and stealing card data is not difficult.

This story could be told about thousands of small to medium sized businesses (SMBs) in the US.

For many SMBs funds are tight as it is, and most owners would argue that every dollar is needed to operate the business.  Many SMBs I work with struggle some months to cover the litany of expenses just to keep their doors open.  Then there is the other side of the coin: SMBs who are doing well, making money and investing in their company's growth.  Either way, many businesses focus on everything BUT their payments and data security infrastructure.

The Harsh Reality

These statistics were taken from the 2014 Symantec Internet Security Threat Report (ISTR), and they are just a fraction of the data in the report.  I would encourage anyone interested in a deeper dive into this topic to download the full 97-page report.  Caution: it is scary.

- The average cost to a US business that suffers a breach is $199 per record.
- The US has the highest average total organizational cost of a breach, at $5.5+ million.
- 37% of breaches are the result of malware or another malicious attack, or of criminal insiders.
- 62% of the data stolen in a data breach is credit card data.
- E-commerce websites are the number one target for hackers.
- The average malicious data breach takes 80 days to detect and 180 days to resolve.
- Businesses with 1-500 employees were the target of 41% of all attacks.

I am parading these numbers in front of you because SMBs are targeted often and have the most to lose.  They are also targeted because they are the easiest to infiltrate and usually do not possess the resources to catch the intruder quickly.  The cost of a breach will put most SMBs into bankruptcy.  The Symantec ISTR goes on to tell stories of businesses that were forced to seek bankruptcy protection because the costs associated with the breach were, as the report states, "prohibitive".

If you are an SMB, count the unique cards you process in an 80-day period (the average time a breach goes undetected) and multiply that by $199.  Consider that number the low end of what a breach would cost your organization.

Simple steps to secure your business

1. SECURE YOUR LAN:
Your organization's Local Area Network (LAN) is the doorway into your business.  As the story at the beginning of this article shows, if someone can get past your firewall and onto your internal network, it is game over: you are breached, and the attacker will have their way with your systems and, most importantly, your customers' card data.
- Have a clear understanding of every device that connects your LAN to the internet and know what your exposure is: which of those devices can be reached from the outside, on which ports, and with which credentials.  At a minimum, change the default administrator passwords, disable remote administration from the internet-facing side, keep the firmware current, and put the POS systems on their own network segment that guest Wi-Fi and back-office PCs cannot reach.  If you own a company and have no idea how your network is secured, consider this your wake-up call and take the opportunity to find out.
- Know who has access to and control over your network.  29% of data losses were accidentally made public and 9% are due to insider theft.

2. BECOME PCI COMPLIANT:
One of the simplest ways to begin determining how secure your business is, is to complete the PCI DSS Self-Assessment Questionnaire (SAQ) and have your public IP addresses scanned.  Call your current credit card processor and ask what services they provide for this.  My company provides these resources to our merchants at no cost through an online portal that lets you complete the SAQ and enter your IP addresses to be scanned.  I would imagine most processors offer this service by now, hopefully at no cost.  The external scan checks every service reachable on those addresses from the internet for known vulnerabilities and weak configurations, and the report tells you what to remediate; PCI DSS requires such a scan quarterly, performed by an Approved Scanning Vendor (ASV).

3. BEST PRACTICES:
Develop processes and procedures for how sensitive data is handled and secured.  By putting together best practices for sensitive data, you protect your business simply by understanding the flow of information, who has access to it, and where internal vulnerabilities may reside.  Maintaining these is part of being a PCI compliant organization.  It is scary how many businesses have no plan, or even a clue, as to how sensitive data is handled within their organization.
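The first two steps, knowing which devices face the internet and having your public addresses scanned, can be sanity-checked between ASV scans with a few lines of code.  The following is an added example, not code from the original post or from TransNational: a small Python script that attempts a TCP connection to a list of ports on each of your public addresses and maps anything that answers to a finding.  The target address, the port list and the policy text are assumptions to adjust for your own network; run it from outside the network (a laptop on a phone hotspot) and only against addresses you own.

```python
"""Minimal external exposure check for a card-accepting network.

Added example, not code from the original post.  Run it from OUTSIDE your
network (a laptop on a phone hotspot, not the store Wi-Fi) against your own
public IP addresses only.  The target list and the port policy are
constructed assumptions; adjust both to your environment.  This is a quick
sanity check, not a substitute for the quarterly PCI ASV scan.
"""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# Listeners that should never answer from the internet on a store network
# (assumed policy: router admin pages, plaintext protocols, POS databases,
# remote desktop).  Anything else that is open still gets reported.
RISKY_PORTS = {
    21: "FTP: plaintext credentials",
    22: "SSH: remote management reachable from the internet",
    23: "Telnet: plaintext, often left with default credentials on consumer routers",
    80: "HTTP: router admin page or POS web UI, unencrypted",
    443: "HTTPS: remote administration reachable from the internet",
    445: "SMB: Windows file sharing",
    1433: "MS SQL Server: typical POS database",
    3306: "MySQL",
    3389: "RDP: remote desktop",
    5900: "VNC: remote desktop",
    8080: "HTTP alternate: router or POS admin page",
}


def port_is_open(host, port, timeout=1.0):
    """TCP connect check; True only if a full handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def scan_host(host, ports, timeout=1.0, workers=32):
    """Return the sorted list of ports on `host` that accept a connection."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda p: (p, port_is_open(host, p, timeout)), ports))
    return sorted(p for p, is_open in results if is_open)


def findings_for(open_ports, policy=RISKY_PORTS):
    """Map each open port to a finding text.  Unlisted ports are still findings,
    because an unexplained listener on the public side needs a justification."""
    return [(p, policy.get(p, "unexpected listener: identify it and justify or close it"))
            for p in open_ports]


def assess(host, ports=None, timeout=1.0):
    """Scan one public address and return its findings (empty list = nothing exposed)."""
    ports = list(RISKY_PORTS) if ports is None else ports
    return findings_for(scan_host(host, ports, timeout))


if __name__ == "__main__":
    # Assumed target: replace with your own public addresses (from the router's
    # WAN status page or your ISP).  203.0.113.0/24 is reserved documentation space.
    targets = sys.argv[1:] or ["203.0.113.10"]
    for host in targets:
        findings = assess(host)
        if not findings:
            print(f"{host}: no risky services reachable")
        for port, why in findings:
            print(f"{host}:{port} OPEN - {why}")
```

An open Telnet or HTTP admin port on the WAN address is exactly the out-of-the-box router in the story above.  This check only sees TCP listeners; the ASV scan also identifies service versions and tests for known vulnerabilities, so treat the script as a weekly smoke test, not as the compliance scan.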

Bring in an outside firm.  There are plenty of companies that can assist you with securing your network.  These experts will assess your network, find the vulnerabilities, and propose processes and technology to keep your organization from suffering losses.

In Closing

The bottom line is that falling victim to a hacker or an internal criminal is a very harsh reality.  Is it a pain to go through? YES.  Can it cost you money? YES.  Are a few simple steps more costly in time and resources than a data compromise? NO.  We need to secure our businesses for the same reasons we pay for health and life insurance: we may not need it today, but it is a near guarantee we will need it sooner rather than later.  Most of you reading this have probably already felt the effects of a data breach.  The next time you get a new credit card in the mail with a letter telling you your card may have been compromised, remember that it cost a business about $200, on average.  Don't allow yourself to be a victim of negligence.  Take the time to understand your liability and take the appropriate action from there.
Perry T.
About Perry T.:  Perry Tatooles is a 10-year veteran of the merchant services industry.  He currently manages several sales channels for TransNational Bankcard.  In his many years of service, he has worked with thousands of merchants ranging from Fortune 500 companies to startup sole proprietorships.

What is the EMV Mandate, Chip and PIN?

In Uncategorized on June 19, 2014 at 3:42 pm


How Does it Affect Merchants in the US?

EMV stands for Europay, Mastercard and Visa, the three companies that originally defined the chip-card standard.

Arguably one of the largest changes in the US payments landscape is set to happen in October 2015.  At that point the card brands' liability shift takes effect: retailers, no matter how big or how small, are expected to accept payments on EMV Chip and PIN capable equipment, and those that do not will bear the cost of counterfeit card fraud themselves (congrats, equipment manufacturers).  What is Chip and PIN?  In most other countries, credit cards are issued with a security chip and an associated PIN, much like your debit card today.  The United States is the largest holdout in adopting this technology.  Instead of "swiping" a magnetic stripe, the card has a microprocessor chip embedded in it and is inserted into a slot on the terminal, where the chip is read and the cardholder is then asked for their PIN.  The chip matters because it computes a unique cryptogram for every transaction, so data captured from one purchase cannot be replayed to make a counterfeit card; the magnetic stripe, by contrast, holds static data that any cheap skimmer can clone.  (Cards issued in the US will keep a magnetic stripe for some time so they still work at older terminals, and many US issuers are choosing chip and signature rather than chip and PIN.)

The purpose of this is to reduce fraud in the card-present environment (it does nothing for card-not-present business such as e-commerce, and in countries that have already adopted chip cards much of the fraud moved online once the counterfeit route in stores was closed).  I have a small business, why do I need to do this?  The simple answer is that nobody is immune to card fraud.  Card-present fraud is rampant in the US, and today the card-issuing banks absorb the loss when a counterfeit card is swiped in a card-present environment.  Naturally, the issuers would prefer to stop paying out millions for fraudulent sales and would love a good reason to shift that liability to the merchant.  I am sure there is also a strong element of protecting their cardholders from the consequences of having their card data compromised.  So does it work?  In the US this is still to be determined, although in countries that already have this technology in place the rate of card-present fraud is significantly lower than in the US, where it has yet to be deployed to the masses.

How does this impact my business?

Simply put, by October 2015 it makes good sense to adopt a terminal that is EMV Chip and PIN capable.  If by that date you have not, your business will be liable when it accepts a counterfeit chip card by swipe (the liability shift).  Currently you are protected against that fraud (when a card is swiped and you have taken the proper steps to validate the signature), and the issuing banks take the hit.  Furthermore, for those of you who care about compliance, the new PCI requirements have significantly narrowed the types of equipment that qualify.  As of May 2014, processors have been instructed to no longer build files for or reprogram equipment that is not EMV Chip and PIN capable.  One caveat: EMV reduces counterfeit-card fraud at the register, but it does not by itself encrypt the card number as it passes through your POS and network, so the network security discussed in the Card Data Security post above still applies; point-to-point encryption and tokenization are the separate controls for that.  Bottom line: not becoming compliant will cost you more than trying to dodge it.

There may also be interchange implications (interchange is the per-transaction cost, consisting of a percentage plus a transaction fee; it is set by the card brands, paid to the issuing banks, and is the same base cost for all merchant processors).  There is a rumor that accepting a card the traditional way (swiping) will carry a higher interchange cost than taking it via its chip and corresponding PIN (this is still speculation).  That would make sense, given that a portion of the interchange issuers collect is allocated to the losses they take on fraudulent sales.  Since the liability for counterfeit fraud shifts to merchants who are not EMV capable, the issuers' losses should theoretically decrease, allowing them to charge lower interchange rates for Chip and PIN sales.


A change of this magnitude in the physical equipment and the method by which a card is accepted in a swiped environment has not occurred since 1984, when the ZON Jr. entered the market and businesses could run a card electronically and ditch their knuckle buster, or 1991, when the Verifone Tranz 460 came out with its revolutionary integrated printer.  We saw a brief glimpse of this around 2004, when "smart cards" were first seriously discussed in the US and some Verifone terminals had a smart card reader integrated into them.  The 2015 deadline and the influx of Chip and PIN terminals open the flood gates for all kinds of invasive sales species to infect business owners with scare tactics and excessively high-priced equipment or, even scarier, FREE equipment that masks high rates and hidden fees.  Be careful who you let in your doors to discuss this.  Often you will find them hiding behind "state of the art compliant equipment" with rates and fees followed by an asterisk.  FYI, an asterisk after rates and fees is never a good thing; it basically tells you that the rate you are being shown will apply to about 5% of your transactions and everything else will get slapped with a big fat surcharge (stay away).

Bottom Line…

Yes, you need to get compliant.  Yes, you will need new equipment sooner rather than later.  Do you need to drop everything you're doing today?  NO, the liability shift date is October 2015.  Today, and even more so in the coming months, this equipment will be as available as air.  If you process with a reputable company the equipment should cost no more than $200-$300.  Yes, I said $200-$300 (free equipment usually comes at a greater cost on the back end sooner or later), and I have seen some companies selling it for $500-$1,000 or more.  The nominal cost most small merchants will pay beats the pants off the hundreds of thousands to many millions that mid-sized to big-box retailers will have to pay.  As unlikely as it may seem to most business owners, being compliant and protecting your business is a heck of a lot better than footing the bill if and when you accept a fraudulent card.  If you are considering changing processors anytime soon, now is a good time to get compliant equipment; it should make for an easy transition.

One last word of advice on this: if you need new equipment, DO NOT BUY or ACCEPT non-Chip and PIN equipment, and DO NOT LEASE IT and pay thousands over 48+ months!  Much sooner than later you would be getting something new and retraining your staff yet again.

Call your current processor and discuss becoming compliant with them.  If you don’t have a dedicated account manager to call or get lost in a calling tree, or just want a second opinion, you know what to do…


Perry T.


TransNational Not Affected by Heartbleed Security Bug

In Uncategorized on April 16, 2014 at 10:48 am


ROSEMONT, IL (15 April 2014) – TransNational Bankcard, the leading payment technology provider in the Chicagoland area, issued a statement today that TransNational is not impacted by the Heartbleed bug.

“TransNational does not use OpenSSL for certificate management of protected information and is not vulnerable to Heartbleed. We have ensured all partners and platforms are secure,” says President Jae Haas of TransNational.

The Heartbleed bug (CVE-2014-0160) is a flaw in the OpenSSL library's handling of TLS heartbeat messages.  A remote peer can send a heartbeat that claims a payload larger than what it actually sent, and a vulnerable server answers with up to 64 KB of its own memory.  That memory can contain the secret keys used to encrypt traffic and identify the service provider, users' usernames and passwords, and the content of the site.

Internet users could be affected by this bug if they used sites running a vulnerable OpenSSL version, which included social sites, commercial sites, software download sites and even government-run sites.  On sites where the fix is in place, TransNational recommends resetting all passwords; do this after the site has patched OpenSSL and replaced its certificate, since a password changed on a still-vulnerable site can be leaked the same way.  For more information on the Heartbleed bug, go to or call TransNational's customer service line at 1-(888)-998-6224.
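To make the mechanism concrete, here is an added example in Python that is not part of the press release or of TransNational's systems.  It models the RFC 6520 heartbeat exchange: the vulnerable function copies as many bytes as the client claims, while the fixed function applies the length check that OpenSSL 1.0.1g introduced.  The SECRET_NEIGHBOUR bytes are a constructed stand-in for the server's heap; a real server would return up to 64 KB of whatever happened to sit next to the request.

```python
"""How Heartbleed (CVE-2014-0160) leaks memory, modelled in Python.

Added example, not code from the original page or from TransNational.  It
re-implements the TLS heartbeat exchange of RFC 6520 in simplified form:
a peer sends  type(1) | payload_length(2, big-endian) | payload | padding(>=16)
and the receiver echoes the payload back.  Vulnerable OpenSSL trusted the
sender's payload_length instead of the real record length and copied that
many bytes out of its heap.  SECRET_NEIGHBOUR is a constructed stand-in for
whatever sat next to the record in a real server's memory.
"""
import struct

HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
PADDING_LEN = 16          # RFC 6520 minimum padding
HEADER_LEN = 1 + 2        # type byte + 16-bit payload_length

# Constructed heap contents following the received record (assumption).
SECRET_NEIGHBOUR = b"session_key=0123456789abcdef;user=alice;password=hunter2;"


def build_heartbeat(payload, claimed_length=None):
    """Encode a heartbeat request.  An attacker sets claimed_length far above
    len(payload); an honest client leaves it None."""
    length = len(payload) if claimed_length is None else claimed_length
    return struct.pack("!BH", HEARTBEAT_REQUEST, length) + payload + b"\x00" * PADDING_LEN


def _response(payload_length, payload):
    return struct.pack("!BH", HEARTBEAT_RESPONSE, payload_length) + payload + b"\x00" * PADDING_LEN


def vulnerable_heartbeat_reply(record):
    """OpenSSL 1.0.1 through 1.0.1f behaviour: copy payload_length bytes from
    the start of the payload with no check against the record's real size."""
    memory = record + SECRET_NEIGHBOUR              # the record plus adjacent heap
    _, payload_length = struct.unpack("!BH", memory[:HEADER_LEN])
    payload = memory[HEADER_LEN:HEADER_LEN + payload_length]   # over-read past the record
    return _response(payload_length, payload)


def fixed_heartbeat_reply(record):
    """1.0.1g fix: silently discard a heartbeat whose claimed length does not
    fit inside the record (1 + 2 + payload_length + 16 > record length)."""
    if len(record) < HEADER_LEN + PADDING_LEN:
        return None
    _, payload_length = struct.unpack("!BH", record[:HEADER_LEN])
    if HEADER_LEN + payload_length + PADDING_LEN > len(record):
        return None
    payload = record[HEADER_LEN:HEADER_LEN + payload_length]
    return _response(payload_length, payload)


def echoed_payload(reply):
    """The payload a peer gets back, as bounded by the reply's length field."""
    _, length = struct.unpack("!BH", reply[:HEADER_LEN])
    return reply[HEADER_LEN:HEADER_LEN + length]


def leaked_bytes(reply, honest_payload):
    """Everything echoed beyond what the client actually sent."""
    return echoed_payload(reply)[len(honest_payload):]


if __name__ == "__main__":
    honest = b"ping"
    malicious = build_heartbeat(honest, claimed_length=0xFFFF)   # asks for 64 KB back
    leak = leaked_bytes(vulnerable_heartbeat_reply(malicious), honest)
    print("vulnerable server leaked:", leak)
    print("fixed server reply to malicious request:", fixed_heartbeat_reply(malicious))
    print("fixed server reply to honest request:",
          echoed_payload(fixed_heartbeat_reply(build_heartbeat(honest))))
```

Running the script prints the constructed "password" that the vulnerable responder echoes back, and None for the fixed responder, which discards the malformed request rather than answering it.  The bug is a missing bounds check on an attacker-controlled length, which is why no password reset helps until the server itself is patched.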


