
12 Common Cybersecurity Mistakes and How to Help Avoid Them

While it may not constitute end times for a business, an incident that can result in stolen data, diminished customer confidence, reputational harm, compliance penalties and legal fees isn’t exactly a drop in the bucket either.

A study last fall put the average annualized cost of cybercrime at $15.4 million per victim company, up 19 percent year over year. Nobody in good faith wants to cost their company money because of a compromise, CEOs included.

Look, we all do dumb things. The key is learning from them and not making them habits. Because, as you know, the definition of insanity is doing the same thing over and over again – and expecting a different result.

Here is a list, in no particular order, of 12 cybersecurity mistakes you should avoid making in the current era of modern cybercrime. If something is missing from the list that you think should be on it, please drop us a note in the comments.

1) Failing to Map Where Data Flows and Lives

It can’t be said enough: your data is your company’s lifeblood. Assessing and charting where that data flows (especially when it leaves your organization), with whom it is shared and where it lives at rest is paramount to knowing what you need to protect. Defenders have to be right every time, while attackers typically need to be right only once, so visibility is everything.

2) Neglecting Security Testing

Vulnerabilities reside across your databases, network and applications – and now also extend to devices like mobile and Internet of Things. These require regular testing through both automated vulnerability scanning and deep-dive penetration testing. Remember: Test, don’t guess.

3) Concentrating Too Much on the Perimeter

Prevention is not exactly an anachronism, but given how advanced threats have become, attackers will inevitably get through your border defenses. Once inside, they look to acquire privileges that let them pass as trusted users, and they can evade you for a long time unless you have strong internal visibility and an actionable understanding of indicators of compromise.

4) Blanking on the Basics

Oftentimes, it’s the simple things that will get you. To avoid that “Doh!” moment, make sure all of your staff use strong passwords (passphrases are preferred) and follow the principle of least privilege, and that all of your network components are properly segmented to minimize access to confidential data, hardened against unauthorized configuration changes, and up to date with the latest patches.

5) Disregarding Security Awareness Training

You’re likely familiar with the campaign “If you see something, say something.” Just as in the physical world, security enforcers rely on the population at large to stop attacks at their source – or at least make them aware of malicious attempts. Train your staff in everything from laptop protection to social engineering identification. And don’t forget to retrain because the scams continue to get sneakier.

6) Ignoring Security Monitoring

If you’re like most businesses, you don’t have the budget to stand up your own security operations center. But that doesn’t relieve you from needing around-the-clock monitoring and intelligence that will help you investigate automated alerts, hunt for threats, escalate serious incidents and minimize attacks.

7) Resisting Vendor Risk Assessments

Some of the most ignominious breaches of late were caused by attackers first infiltrating one of the victim company’s vendors. You must have a plan in place with the third-party entities to which you outsource to ensure that they are taking security and risk as seriously as you are.

8) Overlooking “Shadow IT”

Your endpoints are like ivy – growing mightily and quickly getting out of control. The good ol’ days of only needing to concern yourself with desktop and laptop computers are long gone. Your employees are now accessing so-called shadow applications and devices that are not supported by IT. If you can’t stop it, at least don’t be blind to it. First profile your risk, then institute controls.

9) Thinking it’s Just About Malware

Malware is still a critical part of how attackers establish their initial foothold. But once inside, they often switch strategies to move laterally across your network. In many cases that means flying under the radar by using legitimate administrator tools and remote-access utilities, the same ones your IT staff and penetration testers use, to harvest credentials and sensitive data and to find further weaknesses. Because these tools are already trusted, their mere presence is not an alert; the signal is in who runs them, from where, and in what sequence.
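
As an added example (not part of the original post or any Trustwave product), here is a small scoring detector that runs over constructed process-creation events in a Sysmon-like shape and flags the living-off-the-land pattern described above: an Office application spawning PowerShell, an encoded or hidden PowerShell command, WMIC remote process creation, the PsExec service appearing on a target, and an administrative share being mapped. The host names, user names, field layout, rule weights and alert threshold are all assumptions chosen for illustration.

```python
"""Score process-creation telemetry for living-off-the-land activity (added example)."""
import ntpath
import re
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath parses backslashes on any OS)."""
    return ntpath.basename(path).lower()


def office_spawns_shell(ev: dict) -> bool:
    """Macro-style initial access: an Office application launching a script host."""
    return _base(ev["parent"]) in OFFICE_APPS and _base(ev["image"]) in SCRIPT_HOSTS


def powershell_obfuscated(ev: dict) -> bool:
    """PowerShell started with an encoded command or a hidden window."""
    if _base(ev["image"]) != "powershell.exe":
        return False
    cmd = ev["cmdline"]
    return bool(re.search(r"(^|\s)-(e|ec|enc|encodedcommand)\b", cmd, re.I)
                or re.search(r"-w(indowstyle)?\s+hidden", cmd, re.I))


def wmic_remote_exec(ev: dict) -> bool:
    """WMIC used to start a process on another host."""
    cmd = ev["cmdline"].lower()
    return _base(ev["image"]) == "wmic.exe" and "/node:" in cmd and "process call create" in cmd


def psexec_service(ev: dict) -> bool:
    """The service PsExec installs on the target of a remote execution."""
    return _base(ev["image"]) == "psexesvc.exe"


def admin_share_mount(ev: dict) -> bool:
    """net.exe mapping a remote administrative share (C$ or ADMIN$)."""
    return _base(ev["image"]) == "net.exe" and bool(
        re.search(r"\\\\[\w.-]+\\(c\$|admin\$)", ev["cmdline"], re.I))


# (rule name, weight, predicate). Weights and threshold are illustrative assumptions.
RULES: List[Tuple[str, int, Callable[[dict], bool]]] = [
    ("office_spawns_shell", 5, office_spawns_shell),
    ("powershell_obfuscated", 4, powershell_obfuscated),
    ("wmic_remote_exec", 5, wmic_remote_exec),
    ("psexec_service", 4, psexec_service),
    ("admin_share_mount", 3, admin_share_mount),
]


def score_events(events: List[dict]) -> Dict[str, Tuple[int, List[str]]]:
    """Sum rule weights per host and record which rules fired there."""
    scores: Dict[str, int] = defaultdict(int)
    hits: Dict[str, List[str]] = defaultdict(list)
    for ev in events:
        for name, weight, pred in RULES:
            if pred(ev):
                scores[ev["host"]] += weight
                hits[ev["host"]].append(name)
    return {host: (scores[host], hits[host]) for host in scores}


def alerting_hosts(events: List[dict], threshold: int = 8) -> List[str]:
    """Hosts whose combined score reaches the alert threshold, sorted by name."""
    return sorted(h for h, (score, _) in score_events(events).items() if score >= threshold)


# Constructed sample telemetry (hypothetical hosts, users and command lines).
SAMPLE_EVENTS = [
    {"host": "WS-042", "user": "CORP\\jsmith", "parent": "C:\\Windows\\explorer.exe",
     "image": "C:\\Windows\\System32\\notepad.exe", "cmdline": "notepad.exe Q3-report.txt"},
    {"host": "WS-042", "user": "CORP\\jsmith",
     "parent": "C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA"},
    {"host": "WS-042", "user": "CORP\\jsmith", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic /node:FS-01 process call create \"cmd /c whoami /all\""},
    {"host": "WS-042", "user": "CORP\\jsmith", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net use \\\\FS-01\\C$ /user:CORP\\svc_backup"},
    {"host": "FS-01", "user": "CORP\\svc_backup", "parent": "C:\\Windows\\System32\\services.exe",
     "image": "C:\\Windows\\PSEXESVC.exe", "cmdline": "C:\\Windows\\PSEXESVC.exe"},
    {"host": "WS-017", "user": "CORP\\itadmin", "parent": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -NoProfile Get-Service Spooler"},
]

if __name__ == "__main__":
    for host, (score, fired) in score_events(SAMPLE_EVENTS).items():
        print(f"{host}: score={score} rules={fired}")
    print("alert:", alerting_hosts(SAMPLE_EVENTS))
```

The benign administrator on WS-017 runs the same powershell.exe as the attacker on WS-042 but scores zero, while WS-042 crosses the threshold only because several individually unremarkable actions stack up on one host; that accumulation, not any single tool, is what a monitoring team should be tuned to see.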

10) Believing a Breach Won’t Happen to You

Perhaps you’re still holding out hope that cybercriminals will show you mercy and pass over your business, but the reality is that companies of any size are targets. Preparing your defenses to also include response will help you react faster and minimize the fallout if – or more likely, when – your day comes.

11) Dismissing Your Bosses and the Boardroom

Security maturity is the holy grail of any infosec professional’s job objectives. In instances where businesses have reached high levels of maturity, security is ingrained in the culture, from the corner offices on down. Obtaining boss- and board-level support may be uncomfortable, but in today’s climate, it is imperative.

12) Trying to Do It All On Your Own

The cybersecurity skills shortage is no joke. Estimates place the worldwide shortage at one million positions and growing. Whether you’re a small business that lacks any security skills at all, or a larger outfit that needs help enhancing certain areas like penetration testing, security monitoring or incident response, doing more with less just isn’t going to work.

Partnering with a managed security services provider like Trustwave is a viable option. And such an arrangement doesn’t have to result in reduced headcount either – it just means you and your team can instead focus on and expedite IT projects that will have real effect on the top line of your business, while leaving security responsibilities to someone else with deep expertise and scale. This can actually result in elevated job security for your IT staff and fewer worries over losing a skilled in-house security staffer due to the industry’s notoriously high turnover.

Dan Kaplan is manager of online content at Trustwave and a former IT security reporter and editor.

What Could Mobile / Digital Payments Save Your City?

By Visa

Over the last decade, the world has gone digital. Communications, entertainment and commerce have moved online—bringing significant benefits to consumers, businesses and economies.

In this new digital society, payments are more important than ever—providing the foundation for new experiences and business models. With this explosion of connectivity, digital payments are growing exponentially as well.

It took 60 years for Visa to reach 3 billion accounts, but we’re now on the cusp of a true revolution that will see this number explode. Hundreds of millions of new connected devices are coming online and they’re all ways to pay or be paid. The Internet of Things is expected to reach 20 billion devices by 2020 and these connected devices will be able to facilitate a range of commercial experiences, including payments.

However, alongside the digitization of commerce and payments, cash continues to play a large role in certain sectors and markets around the world, which could potentially hinder economic growth in these communities and industries.

To better understand the impact cash can really have on economic growth, Visa commissioned economics consulting and research firm Roubini ThoughtLab to analyze the use, acceptance and cost-benefit impact of physical versus digital money in 100 cities across the world. “Cashless Cities: Realizing the Benefits of Digital Payments” is a unique study that quantifies the net benefits that cities, their residents and businesses could realize by significantly increasing the use of digital payments.

The study demonstrates that economies that are moving toward digital payments and away from cash could benefit substantially. The study estimates that reaching an “achievable level of cashlessness”—defined as the entire population moving to digital payment usage equal to the top 10 percent of users in that city today—across the 100 cities examined could result in total direct net benefits of up to US$470 billion per year. These benefits are derived from many factors, ranging from time savings among consumers from cash-related activities, to increased sales revenues among businesses, to reduced government administrative costs.

There are many instances where cash is more costly than digital payments. The study found that cash and checks cost businesses 7.1 cents of every dollar received compared to 5 cents of every dollar collected from digital sources. Unbanked consumers across the 100 cities spend an average $7 to $15 a month on cash withdrawal activities like check cashing. By reducing their reliance on cash, each unbanked consumer could save an estimated $84 to $180 per year, on average. Furthermore, the study shows the greater adoption of digital payments could lead to a reduction in cash-related crime, which benefits not just consumers, but also governments by reducing criminal justice costs.

The shift to digital payments could also have a catalytic effect on the city’s overall economic performance, including GDP, employment, wage and productivity growth. The study predicts the combination of greater economic activity, lower crime and greater ease of living could make these cities more attractive to businesses, talent and tourists.

We’ve seen what immediate and long-term benefits could stem from the greater adoption of digital payments. So, what now? What can cities and governments do to help usher in a more cashless future? The study sets out 61 actions in a detailed roadmap for policy makers.

Here are just five immediate and actionable steps they can consider taking to reduce cash reliance:

1) Undertake targeted financial literacy programs to help welcome the unbanked into the banking system and offer secure digital payment solutions for government benefits to those who do not have bank cards.

2) Phase out cash and check payments to and from the government by adopting an all-electronic payment and disbursement system, meaning all government benefits, relief funds, tax disbursements, collection and other payments made to and from government institutions are shifted to digital format.

3) Promote a clear, innovation-friendly regulation framework.

4) Ensure that digital payments are a key component of all “smart city” plans and strategies.

5) Implement secure open-loop payment systems across all transportation networks.

The report is also supplemented by an online data visualization tool, which can be used to explore the benefits of a more cashless world.

From mobile payments using scanned codes to cards using biometric authentication, billions of connected devices such as smartphones, watches, cars and fitness trackers are now able to send (and receive) payments. The data shows that as communities and cities become less reliant on cash and better equipped to offer fully digital payment experiences, their businesses and economies could grow, allowing their populations to benefit and thrive.

Payment Security Questions That Keep Merchants Up at Night

Being a part of a payments and security company, my colleagues and I have the opportunity to speak with merchants on a regular basis, during which we hear a lot of questions. Some are confused about which payment solution is the best fit for their business needs, while others are looking to understand how they can do more with their terminals. One of the biggest concerns they have is payment security.

Below are some of the most common security questions we hear from merchants. I’ll go more into depth on these in our upcoming webinar, “PCI at the POS / What’s New, What’s Next and What Merchants Can Do to Simplify Compliance.”

The webinar will take place this week, but I want to give you a glimpse of some of the topics we’ll be covering. Let’s take a look at some of the most commonly asked security questions that are keeping merchants up at night:

“What is PCI-DSS?”

It is extremely important for all merchants to understand the Payment Card Industry Data Security Standard (PCI DSS). The standard, maintained by the PCI Security Standards Council (PCI SSC), protects not only customers’ card data but the merchant’s business as well. The PCI SSC recently released PCI DSS version 3.2. Following its requirements is one way for merchants to stay ahead of changing expectations.

We also hear lots of questions about the difference between PCI DSS, PCI PA-DSS and PCI PTS, and with all of these acronyms we understand why there is so much confusion. In short: PCI DSS applies to any entity that stores, processes or transmits cardholder data; PA-DSS applies to payment applications sold to merchants; and PTS covers the physical payment terminals (PIN entry and card-reading devices) themselves. During the webinar, we’ll break down the differences between these standards so you can have a clear understanding of what each one means and which ones apply to you.

“How do I become PCI compliant?”

Merchants are also concerned about becoming PCI compliant, and with reason. The PCI SSC itself does not levy fines, but the card brands and acquiring banks can and do assess penalties on merchants that fail to comply, and a merchant found non-compliant after a breach faces forensic and remediation costs on top of that. Moving to PCI compliance is a multi-step process that varies by merchant, largely according to transaction volume (which determines the merchant level) and how much of the cardholder data environment the merchant handles itself.

We’ll be talking about PCI-DSS in depth during our webinar, and about the steps you need to take to ensure compliance with the latest standard.

“What is point-to-point encryption (P2PE)?”

This is a very common question that comes from all types of merchants. With the U.S. EMV migration still underway, retailers have been upgrading their payment technology to support chip cards, but they have also taken the opportunity to implement encryption services to protect their businesses from data breaches.

Even though these major retailers remain a major target for cyber criminals, small merchants are also vulnerable to such attacks. According to the U.S. Department of Homeland Security, 31% of all cyberattacks now target small businesses with fewer than 250 employees, and 44% of small businesses have reported being victims of hacking.

This threat environment should encourage merchants of all sizes to gain a better understanding of how they can protect their business and their customer’s sensitive data.

This is where point-to-point encryption (P2PE) comes into play. According to the PCI Security Standards Council, P2PE “is a combination of secure devices, applications and processes that encrypt data from the point of interaction until the data reaches the solution provider’s secure decryption environment.”

In simple terms, this means the card data is encrypted inside the terminal the moment the card is swiped, dipped or tapped, so that what leaves the device is ciphertext that the merchant’s POS system, network and staff never see in the clear. A P2PE solution provides the devices, key management and processes to perform this encryption and protect payment data from the point of sale until it reaches the solution provider’s secure decryption environment, which decrypts the data for authorization. Encryption is not a substitute for chip acceptance: EMV addresses counterfeit cards, P2PE addresses theft of card data as it passes through the merchant environment, and the two are typically deployed together.

“How do I know if I’m already using P2PE?”

A lot of merchants we speak to are under the impression that they’re already using a P2PE solution, but the reality is that this isn’t always the case. There is a common misconception that encryption solutions, such as P2PE, are already part of the payment solution provided to the merchant. A P2PE solution doesn’t come built into a point of sale device and needs to be added to existing payment solutions. Merchants should ask their payment solution provider which specific P2PE solution is in use and whether it appears on the PCI SSC’s list of validated P2PE solutions, or seek third-party expertise to review their current system. A validated solution also takes much of the merchant environment out of PCI DSS scope, which is a large part of its value. If the provider cannot name the solution, or if full card numbers are visible in the clear in POS logs, receipts or network traffic, you are not using P2PE.
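
To make the P2PE description and the “am I already using it?” question concrete, here is an added example (not Ingenico’s code, not a PCI SSC artifact, and not a real P2PE implementation): a simulated terminal that encrypts track-2 data before it leaves the device, the solution provider’s decryption step, and a coarse scan that looks for Luhn-valid card numbers sitting in the clear in the message a POS sends to its host. A real P2PE solution uses a PCI PTS-approved device with SRED and DUKPT-derived keys injected at a key-injection facility; the HMAC-based keystream cipher, the message format, the key and the track data below are stand-ins constructed for illustration so the block runs with only the Python standard library.

```python
"""Illustrative P2PE flow and a coarse cleartext-PAN check (added example)."""
import base64
import hashlib
import hmac
import os
import re
from typing import List, Optional

# Candidate PAN: 13-19 consecutive digits not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test, which every real card PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold >9 back to one digit
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cleartext_pans(message: bytes) -> List[str]:
    """Return Luhn-valid PANs visible in the clear in a POS-to-host message."""
    return [m for m in PAN_RE.findall(message.decode("latin-1")) if luhn_ok(m)]


def _subkey(key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC subkeys derived from the injected key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for the device cipher)."""
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_track(key: bytes, track: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Terminal side: encrypt-then-MAC the track data; output is nonce || ciphertext || tag."""
    nonce = nonce if nonce is not None else os.urandom(12)
    ct = bytes(a ^ b for a, b in zip(track, _keystream(_subkey(key, b"enc"), nonce, len(track))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def decrypt_track(key: bytes, blob: bytes) -> bytes:
    """Solution provider side: verify the tag, then recover the track data."""
    nonce, ct, tag = blob[:12], blob[12:-16], blob[-16:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication tag mismatch: ciphertext altered or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


def decrypts_cleanly(key: bytes, blob: bytes) -> bool:
    """True if the blob authenticates under this key (used to show tamper detection)."""
    try:
        decrypt_track(key, blob)
        return True
    except ValueError:
        return False


def mask_pan(pan: str) -> str:
    """First six and last four digits, which PCI DSS allows to be displayed."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def build_auth_message(track2: str, amount_cents: int, p2pe_key: Optional[bytes] = None,
                       nonce: Optional[bytes] = None) -> bytes:
    """Hypothetical POS-to-host message; without a P2PE key the track data goes out in the clear."""
    pan = track2.split("=")[0]
    if p2pe_key is None:
        body = f"TRACK2={track2}"  # legacy terminal: cleartext PAN crosses the merchant network
    else:
        blob = encrypt_track(p2pe_key, track2.encode(), nonce)
        body = f"MASKED={mask_pan(pan)};ENC={base64.b64encode(blob).decode()}"
    return f"AMT={amount_cents};{body}".encode()


if __name__ == "__main__":
    key = bytes(range(32))  # constructed; a real key is injected into the device, never seen by the merchant
    track2 = "4111111111111111=25121011234"  # constructed track-2 data using a well-known test PAN
    for label, msg in (("legacy", build_auth_message(track2, 1999)),
                       ("p2pe", build_auth_message(track2, 1999, key))):
        print(label, msg, "cleartext PANs:", find_cleartext_pans(msg))
```

Running the block shows the legacy message carrying the full PAN while the P2PE message carries only the masked PAN and an opaque blob. The scan is deliberately coarse (it is a quick way to check captured POS traffic or logs, not a validation), and the decisive check remains whether the device and solution are the ones the PCI SSC has listed as validated.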

Do you have similar questions regarding payment security? Ingenico Group’s VP of Security Solutions, Dr. Rob Martin and I discussed the most commonly asked payment security questions we hear from merchants in our recent webinar “PCI at the POS / What’s New, What’s Next and What Merchants Can Do to Simplify Compliance.”  Get the answers you’ve been looking for around P2PE, PCI compliance, and other payment security related topics.

Rounding Up The Chip Card Hold Outs

What Might It Take for the EMV Holdouts To Join the Chip-Card Fold?

Jim Daly

The number of U.S. merchants that accept EMV chip cards at the point of sale is increasing rapidly, according to recent figures from Visa Inc., but it’s going to take some work by merchant acquirers and payment card networks to convince the holdouts to convert.

Executives from two of those holdouts on Wednesday explained their EMV skepticism at the Electronic Transactions Association’s Strategic Leadership Forum in Dana Point, Calif. One came from Aaron’s Inc., an Atlanta-based furniture retailer. Aaron’s stores have EMV-capable POS equipment, according to Seth Pelletier, senior manager of payment technology at the 1,100-store chain, but the company has yet to turn on chip card acceptance.

“That business case doesn’t work out in our favor,” Pelletier told the conference attendees.

The risk Aaron’s is taking is that under the card networks’ October 2015 liability shifts, it will be responsible for counterfeit fraud on any transaction in which the cardholder presented an EMV chip card but the store’s POS equipment couldn’t read it, forcing its system to use the card’s more vulnerable back-up magnetic stripe. Some retailers that did not have chip card readers at the ready after the liability shifts took effect complained of massive increases in chargebacks.

But the costs to train staff in EMV procedures and related operational expenses far outweigh the chargebacks Aaron’s is incurring by not taking EMV cards, according to Pelletier.

“I have a very drastically different chargeback profile than most retailers,” he said. “The amount of money that I’ve seen in EMV-related chargebacks wouldn’t even cover the learning and development effort to roll it out with you for even two days.”

Aaron’s would rather spend money that would otherwise go to EMV on technology that “increases my top-line revenue” or helps it operate more efficiently, Pelletier said.

The second executive, Hubert Williams, chief information officer of Maverik Inc., a 300-location convenience-store and petroleum retailer operating in 10 Western states, said the company is taking a very deliberate approach to upgrading its unattended fuel pumps for EMV acceptance. New stores and remodeled ones are getting EMV-capable pumps, but upgrades at existing, un-remodeled locations are going much slower.

The reason is that an EMV retrofit costs about $2,000 per pump, and the typical Maverik location has 16 pumps. Plus, while pumps that accept only mag-stripe credit and debit cards can be targets for fraud, including when criminals place skimmers on them to capture cardholder data, Williams said actual fraud losses at pumps are quite low.

“EMV solves one problem, it solves the problem of okay, it’s a secure transaction, but it doesn’t solve the bigger problem, which is theft, and most of it’s online,” he said.

The bank card networks late last year postponed their October 2017 unattended fuel-pump EMV liability shifts for three years in recognition of the problems c-stores and gas stations were having in converting. Even so, Williams predicts that many gasoline retailers will not make the 2020 date because there are, according to him, only 3,000 certified technicians available to perform EMV upgrades at the nation’s 150,000-plus gas stations.

One attendee from a gateway company questioned Williams about the risks of not implementing EMV, but Williams responded that “the cost just does not win … it’s not even close right now.”

EMV might be more attractive, according to Williams, if the card networks and payment-services providers could figure out ways to make it work smoothly with retailers’ loyalty and target-marketing programs. Maverik’s Adventure Club rewards program includes an automated clearing house debit card that gives the customer 6 cents off per gallon on gasoline purchases. Deals like that are possible with low-cost ACH payments, but not with EMV cards on the major networks, according to Williams.

ATM Higher Fees


As Out-of-Network ATM Fees Climb to an All-Time High, Cash Gets More Expensive

John Stewart

In the age of electronic payments, cash is getting more and more expensive—even when accessed via electronic means. Nationwide, it costs consumers $4.69 to withdraw money from a so-called out-of-network ATM. That’s up 2.6% from a year ago, according to the latest data from Bankrate Inc., a New York City-based consumer-research firm.

That may not seem like a whopping increase, but that fee has now reached a record high for the 11th consecutive year, according to Bankrate. In fact, it has climbed fully 55% over the past 10 years, Bankrate said. Over the same time period, debit cards were increasingly accepted in stores, making it less necessary for consumers to carry as much cash as they once did.

McBride: “No one’s worried about alienating a non-customer.” (Image credit: Bankrate)

Indeed, reduced demand for cash at ATMs figures into the higher out-of-network fee, according to Greg McBride, chief financial analyst at Bankrate. “There are fewer out-of-network transactions, so the cost of maintaining the ATM network is spread over fewer transactions,” he tells Digital Transactions News.

Machines must still be depreciated and serviced, and couriers must still be dispatched to load cash. Banks find it relatively easy to pass that cost on to consumers, McBride says. “It’s low-hanging fruit,” he says. “It’s a convenience charge and consumers aren’t terribly price-sensitive.”

The out-of-network fee is made up of two components, a fee levied by the ATM owner and a separate charge from the cardholder’s bank. That first fee, known as a surcharge, is significantly higher than the second, but the charge from the cardholder’s bank is rising faster. The former is $2.97 on average, up 2.4% in the past year, according to Bankrate’s data. The latter fee is $1.72, up 3%. Both fees are all-time highs, Bankrate says.

McBride, though, predicts surcharges will soon start surging at a faster clip. “I certainly see that continuing to go higher,” he says. “No one’s worried about alienating a non-customer.” That impact could be softened, however, by networks that have adopted no-surcharge policies in recent years.

The fee from the customer’s bank, on the other hand, is less predictable. “If it increases, it will be at a slower pace and not in a straight line,” McBride predicts.

ATM fees are highest in Pittsburgh, where the average per transaction is $5.19, followed closely by New York City ($5.14), Washington, D.C. ($5.11), and Cleveland ($5.11), according to the data. The least expensive place is Dallas, at $4.07, followed closely by Milwaukee ($4.19) and San Francisco ($4.23).

In separate findings, Bankrate reported 38% of non-interest checking accounts bear no fees, down by half since 2009. However, another 61% of accounts will waive the fee if the account holder uses direct deposit. The most common monthly fee is $12.

The rate at which banks charge for checking accounts has been a closely watched number since the Durbin Amendment went into effect in 2011. The amendment, part of the Dodd-Frank Act, caps the income large banks can earn on debit card interchange, a move that led opponents of the law to argue that banks would rein in free checking accounts.

Meanwhile, just 2.5% of accounts levy a fee on debit card transactions at the point of sale. This fee ranges from 35 cents to $2, and when charged it is incurred only by PIN-debit transactions, according to Bankrate’s research.

Agents Warned To Adopt New Way Of Thinking

Processing Execs Push ISOs to Adopt New Thinking on Topics From Pricing to Technology

A panel of processing executives on Thursday sought to shake an audience of merchant-sales representatives out of traditional ways of thinking about critical matters ranging from pricing to new technology.

In some cases, years-old tactics came under attack. “How many of you are giving a free terminal away and competing on price?” asked Terry Wilson, senior vice president and general manager at First Data Corp. “If you’re doing that, you’re the walking dead.”

Instead, independent sales organizations should focus on selling new technology that can streamline payments and other operations for merchants. Devices and software that make business easier, he said, will sell and will also cement the relationship between merchant and ISO in ways that can pay off over the long term. That’s because the technology can solve difficult problems for merchants.

An example is the sales tax, which Wilson said most small merchants dread calculating and tracking. “You should have a sales-tax app so the business owner never has to track that again,” Wilson said.

The panelists acknowledged ISOs may resist shifting to a solutions-based business after years of following the free-terminal strategy, but they said there’s little choice now that the technology is readily available. “You the ISO are going to have to take those non-traditional, disruptive solutions and sell them,” said Jason Rupert, senior vice president at Vantiv Inc. The panel was held last week at the Western States Acquiring Association’s annual meeting in Rancho Mirage, Calif.

Indeed, Wilson warned that ISOs will soon have no other significant source of income. “The day is coming quickly when the fee for processing will have to be given away,” he said. “You’ll have to make your money on solutions.”

And when it comes to pricing, Robert O. Carr, chief executive and founder of Beyond, a processing startup, cautioned the audience to play it straight. “More important than technology is how you treat your merchants,” he said. “It’s the secret of success.”

Carr contended many merchants don’t examine their monthly statements, leaving the door open to “lock the customer into a contract they don’t look at.” The ISO is then tempted to keep raising fees, Carr said, taking advantage of that price insensitivity. He likened the trend to a drug addiction. “It’s the cocaine problem,” he said. But he also warned it’s a short-term fix. “It’s not going to work forever,” he added.

But Carr also blamed investors who put pressure on ISO operations to boost their returns. “We have a lot of private-equity firms that have somehow made it a sin to make only 20 or 25 basis points in operating margin,” he observed.