The Extortionists Behind Ransomware Are Demanding Dramatically Higher Sums

Phishing attacks, typically launched via email, were the vector in 30% of cases, with software weaknesses accounting for the remainder. For the fourth quarter, the number of unique phishing reports received by the Anti-Phishing Working Group (APWG), a cross-industry research organization, totaled 239,910, down from 264,483. But the reason for the drop, says the APWG in its latest quarterly report, is that it’s getting harder to detect phishing sites “because phishers are obfuscating phishing URLs with multiple redirections.”
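The redirect obfuscation the APWG describes defeats any filter that only inspects the first link in a message. The following is an added example, not code from the APWG or the article, of the check a mail gateway or analyst would run instead: walk the whole chain with a hop cap and loop detection, resolve relative Location headers, and report whether the landing page sits on a different registered domain than the link the victim saw. The redirect table and every hostname in it are constructed sample data; the `fetch` function stands in for a real HEAD request so the example runs offline.

```python
"""Follow an HTTP redirect chain offline and report where it really lands."""
from urllib.parse import urljoin, urlsplit

# Constructed sample: what each URL answers with, as (status, Location header).
# A short link bounces through a "CDN" twice before reaching the credential page.
REDIRECTS = {
    "https://short.example/abc": (302, "https://cdn.example/r?u=1"),
    "https://cdn.example/r?u=1": (301, "/hop2"),                      # relative Location
    "https://cdn.example/hop2": (302, "https://login-bank.example.net/verify"),
    "https://login-bank.example.net/verify": (200, None),
    "https://loop.example/a": (302, "https://loop.example/b"),        # redirect loop
    "https://loop.example/b": (302, "https://loop.example/a"),
}

REDIRECT_STATUSES = (301, 302, 303, 307, 308)


def fetch(url, table=REDIRECTS):
    """Stand-in for an HTTP HEAD request; returns (status, location_header)."""
    return table.get(url, (404, None))


def resolve_chain(url, max_hops=10, fetcher=fetch):
    """Follow redirects from url.

    Returns (final_url, visited_urls, verdict) where verdict is "ok",
    "loop" (a URL repeated) or "too_many_hops" (chain longer than max_hops).
    """
    visited = []
    current = url
    while True:
        if current in visited:
            return current, visited, "loop"
        visited.append(current)
        if len(visited) > max_hops:
            return current, visited, "too_many_hops"
        status, location = fetcher(current)
        if status in REDIRECT_STATUSES and location:
            # urljoin resolves "/hop2" against the current URL, as a browser would.
            current = urljoin(current, location)
            continue
        return current, visited, "ok"


def registered_domain(url):
    """Last two labels of the hostname. Simplification: a real tool should use
    the Public Suffix List so that e.g. example.co.uk is handled correctly."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def assess(url, max_hops=10):
    """Summarise a link for a filter or an analyst."""
    final, visited, verdict = resolve_chain(url, max_hops)
    return {
        "final": final,
        "hops": len(visited) - 1,
        "verdict": verdict,
        "domain_changed": registered_domain(url) != registered_domain(final),
    }


if __name__ == "__main__":
    for link in ("https://short.example/abc", "https://loop.example/a"):
        print(link, "->", assess(link))
```

A `domain_changed` result of `True` combined with several hops is the pattern the report describes; the final URL, not the first, is what should be checked against blocklists and domain-age data.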

Financial-services firms sustained 3.4% of ransomware attacks in the first quarter, according to the Coveware data, while retailers were victimized in 5.2% of cases and consumer services in 6%. The biggest victims were professional-services firms (22.4%) and companies offering software services (17.2%).

But even if victims pay up, they don’t always recover their data. The Coveware report indicates that the decryption key received after sending the ransom failed in 4% of cases. “Files and servers can be damaged during or after the encryption process and this can affect data-recovery rates even when a decryptor tool is delivered,” the report says.

Also, even if the tool works, firms don’t always get all of their data back. Recovery averaged 93% in the quarter, according to the report, which notes, “sometimes the decryption tools are simply prone to error.”

Of course, firms can always protect against ransomware attacks by backing up their data. But, depending on how much data must be copied and on how many servers, it sometimes turns out to be cheaper to pay the ransom, experts caution.

Five Firms Hit by ‘Crypto-Sweep’ in Alabama as Regulators Step up Operation

Cease and desist letters have been sent to five crypto companies operating in Alabama, as part of the ongoing “Operation Crypto-Sweep.” The campaign, led by the North American Securities Administrators Association, is targeting ICO projects and blockchain startups suspected of fraudulent activities and violations of existing securities laws. Actions have been taken already by NASAA members in a number of states and provinces in North America.

Three LA-Based Companies Among the Targeted

The Alabama Securities Commission (ASC) has recently taken enforcement actions in five investigations as part of “Operation Crypto-Sweep.” The international crackdown on fraudulent Initial Coin Offerings (ICOs) and crypto-related investment products is coordinated by the North American Securities Administrators Association (NASAA), a voluntary organization whose membership consists of 67 state, provincial, and territorial securities administrators in the US, Canada and Mexico, of which the ASC is also a member. The Commission has issued a total of five cease and desist orders “to protect Alabamians”, according to an official announcement.

The respondents are ICO organizations that have been targeting residents in more than one state. That’s why Alabama regulators have teamed up with their colleagues from Texas and New Jersey to go after the firms implicated in illegally soliciting investors. “Fraudulent activity involving ICOs and cryptocurrency-related investment products is a significant threat to Main Street investors in Alabama,” said ASC director Joseph Borg. The Commission is “committed to swiftly and effectively protecting investors from schemes and scams involving these products,” he added, noting that the measures taken are just the tip of the iceberg.

Cease and desist letters have been sent to three Los Angeles-based companies. Extrabit Ltd., a purported crypto mining operation, offered the project’s EXB token at half price through an ad, conducting, according to regulators, an illegal and unregistered securities offering. Potential investors were told they had to spend $20,000 in the presale and could expect the tokens within 48 hours. A 185 percent quarterly return was promised to those keeping a constant positive EXB balance. Returns were said to come from mining bitcoin, monero and zcash. The second firm from California, Leverage, has advertised itself as a crypto lending platform offering investors a variable, daily interest. This case is again about an unlicensed security, the ASC said. Pool Trade is the third sanctioned company from LA.

Platinum Coin, another of the targeted crypto businesses, from Miami, Florida, has been caught offering investors an annual return of at least 320 percent. It has been issued a cease and desist order based on the same accusations – conducting sales of unregistered securities and making unrealistic promises. The fifth recipient of a cease and desist letter is an entity that purports to conduct business as an Internet-based escrow company. According to the ASC announcement, Chain Group Escrow Service is based in Kirkland, Washington.

Regulators Across North America Join “Crypto-Sweep”

Regulatory authorities in other states have also taken similar actions against dubious crypto businesses. The blockchain firm Shipchain, an operator of an Ethereum-based logistics platform, has received a cease and desist order from the Office of the Attorney General of South Carolina. The startup has been trying to sell its Shipcoin tokens without proper registration in the state, advertising its project to local investors. The state’s legislation treats investment contracts as securities and the tokens should have been registered as such. A permanent cease and desist order has been delivered to a company in neighboring North Carolina – Power Mining Pool. Another firm, Adosia LLC, has received a consent order in the state.


According to NASAA’s website, cease and desist orders and letters have been sent so far to crypto and blockchain businesses in the following states: Missouri, Texas, Colorado, Maryland, New Jersey, and Ohio, as well as in the Canadian provinces of Quebec, British Columbia and New Brunswick.

“Operation Crypto-Sweep” is coordinated by NASAA which has united the efforts of more than 40 state and provincial securities regulators in the US and Canada for a series of investigations into ICOs and crypto-related investment products. There have been more than 70 inquiries and investigations so far, as well as 35 pending or completed enforcement actions since the beginning of May. The campaign was recently applauded by the chairman of the US Securities and Exchange Commission (SEC), Jay Clayton, as reported.

The security of pretty much every computer on the planet has just gotten a lot worse

(CNN) The security of pretty much every computer on the planet has just gotten a lot worse, and the only real solution — which, of course, is not a solution — is to throw them all away and buy new ones that may be available in a few years.
On Wednesday, researchers announced a series of major security vulnerabilities in the microprocessors at the heart of the world’s computers for the past 15 to 20 years. They’ve been named Spectre and Meltdown, and they operate by manipulating different ways processors optimize performance by rearranging the order of instructions or performing different instructions in parallel. An attacker who controls one process on a system can use the vulnerabilities to steal secrets from elsewhere on the computer.
This means that a malicious app on your phone could steal data from your other apps. Or a malicious program on your computer — maybe one running in a browser window from that sketchy site you’re visiting, or as a result of a phishing attack — can steal data elsewhere on your machine. Cloud services, which often share machines amongst several customers, are especially vulnerable. This affects corporate applications running on cloud infrastructure, and end-user cloud applications like Google Drive. Exactly how, we don’t know yet.
Information about these flaws has been secretly circulating amongst the major IT companies for months as they researched the ramifications and coordinated updates. The details were supposed to be released next week, but the story broke early and everyone is scrambling.
Patching against Meltdown can degrade performance by almost a third. And there’s no patch for Spectre; the microprocessors have to be redesigned to prevent the attack, and that will take years.
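Whether a given Linux host has actually received the Meltdown patch, and what it says about Spectre, is something the kernel itself reports: since 4.15 it exposes one file per issue under /sys/devices/system/cpu/vulnerabilities/, each beginning with "Not affected", "Vulnerable" or "Mitigation: ...". The following is an added example, not part of the CNN piece, that reads those files and lists anything left unmitigated. Because the verifier may not run on a host with that directory, the block also includes a constructed sample of what the files looked like on an early-2018 machine (PTI applied, Spectre v1 still open) written to a temporary directory; the sample contents are illustrative, not captured from a real system.

```python
"""Read the kernel's own Spectre/Meltdown mitigation report from sysfs."""
import os
import tempfile

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"


def classify(text: str) -> str:
    """Map the kernel's free-text status line to a coarse state."""
    line = text.strip()
    if line.startswith("Not affected"):
        return "not_affected"
    if line.startswith("Mitigation"):
        return "mitigated"
    if line.startswith("Vulnerable"):      # also "Vulnerable: <detail>" variants
        return "vulnerable"
    return "unknown"                        # e.g. "Unknown: ..." or unreadable


def read_vulnerabilities(directory: str = SYSFS_DIR) -> dict:
    """Return {issue_name: (state, raw_line)} for every file in the directory.

    An empty dict means the kernel does not expose the interface at all
    (kernels older than 4.15, or a non-Linux host), which is itself a finding:
    such a host cannot be assumed patched.
    """
    report = {}
    if not os.path.isdir(directory):
        return report
    for name in sorted(os.listdir(directory)):
        try:
            with open(os.path.join(directory, name)) as fh:
                raw = fh.read()
        except OSError as exc:
            raw = "unreadable: %s" % exc
        report[name] = (classify(raw), raw.strip())
    return report


def unmitigated(directory: str = SYSFS_DIR) -> list:
    """Issues the kernel reports as vulnerable or in an unrecognised state."""
    return [name for name, (state, _) in read_vulnerabilities(directory).items()
            if state in ("vulnerable", "unknown")]


# Constructed sample (not captured from a real host): Meltdown patched with
# page-table isolation, Spectre v2 covered by retpoline, Spectre v1 still open.
SAMPLE = {
    "meltdown": "Mitigation: PTI\n",
    "spectre_v1": "Vulnerable\n",
    "spectre_v2": "Mitigation: Full generic retpoline\n",
}


def demo_with_constructed_samples(samples: dict = SAMPLE) -> list:
    """Write the sample files to a temporary directory and run the check there,
    so the logic can be exercised on a machine without the sysfs interface."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "w") as fh:
                fh.write(content)
        return unmitigated(tmp)


if __name__ == "__main__":
    live = read_vulnerabilities()
    if not live:
        print("kernel does not expose %s; cannot confirm patch state" % SYSFS_DIR)
    for issue, (state, raw) in live.items():
        print("%-24s %-13s %s" % (issue, state, raw))
    print("unmitigated on this host:", unmitigated())
    print("unmitigated in constructed sample:", demo_with_constructed_samples())
```

Run as a script it prints the live report; in fleet use the `unmitigated()` list is what an inventory job would ship to a SIEM, and an empty `read_vulnerabilities()` result should be treated as "unknown", not "clean".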
“Throw it away and buy a new one” is terrible security advice, but expect it more and more. Several trends are converging in a way that makes our current system of patching security vulnerabilities harder to implement.
The first is that these vulnerabilities affect embedded computers in consumer devices. Unlike our computers and phones, these systems are designed and produced at a lower profit margin with less engineering expertise. There aren’t security teams on call to write patches, and there often aren’t mechanisms to push patches onto the devices.
We’re already seeing this with home routers, digital video recorders, and webcams. The vulnerability that allowed them to be taken over by the Mirai botnet last August simply can’t be fixed.
The second is that some of the patches require updating the computer’s firmware. This is much harder to walk consumers through, and is more likely to permanently brick the device if something goes wrong. It also requires more coordination. In November, Intel released a firmware update to fix a vulnerability in its Management Engine (ME): another flaw in its microprocessors.
But it couldn’t get that update directly to users; it had to work with the individual hardware companies, and some of them just weren’t capable of getting the update to their customers.
The final reason is the nature of these vulnerabilities themselves. These aren’t normal software vulnerabilities, where a patch fixes the problem and everyone can move on. These vulnerabilities are in the fundamentals of how the microprocessor operates.
It shouldn’t be surprising that microprocessor designers have been building insecure hardware for 20 years. What’s surprising is that it took 20 years to discover it. In their rush to make computers faster, they weren’t thinking about security. They didn’t have the expertise to find these vulnerabilities. And those who did were too busy finding normal software vulnerabilities to examine microprocessors.
Security researchers are starting to look more closely at these systems, so expect to hear about more vulnerabilities along these lines.
Spectre and Meltdown are pretty catastrophic vulnerabilities, but they only affect the confidentiality of data. Now that they — and the research into the Intel ME vulnerability — have shown researchers where to look, more is coming — and what they’ll find will be worse than either Spectre or Meltdown.
There will be vulnerabilities that will allow attackers to manipulate or delete data across processes, potentially fatal in the computers controlling our cars or implanted medical devices. These will be similarly impossible to fix, and the only strategy will be to throw our devices away and buy new ones.
This isn’t to say you should immediately turn your computers and phones off and not use them for a few years. For the average user, this is just another attack method among many. All the normal security advice still applies: watch for phishing attacks, don’t click on strange e-mail attachments, don’t visit sketchy websites, patch your systems immediately, and generally be careful on the Internet.
You probably won’t notice that performance hit once Meltdown is patched, except maybe in backup programs and networking applications. Embedded systems that do only one task, like your programmable thermostat or the computer in your refrigerator, are unaffected. Small microprocessors that don’t do all of these fancy performance tricks are unaffected. Browsers will figure out how to mitigate this in software. Overall, the security of the average Internet-of-Things device is so bad that this attack is in the noise compared to the previously known risks.
It’s a much bigger problem for cloud vendors; the performance hit will be expensive, but I expect that they’ll figure out some clever way of detecting and blocking the attacks.
But more are coming, and they’ll be worse. 2018 will be the year of microprocessor vulnerabilities, and it’s going to be a wild ride.

Biometrics Scare Sends a Reminder About the Need for Thorough Data Protection

What appears to be only a scare about a breach of fingerprint data from a kiosk deployer is sending a reminder to the payments industry that biometrics are no panacea for data-security problems.

“Any security system is not 100% bulletproof,” says David Lott, payments risk expert at the Federal Reserve Bank of Atlanta. “Anything can be penetrated. You have to take very strong steps to protect that data.”
The scare came late last week when Tukwila, Wash.-based Avanti Markets Inc., a deployer of payment card-accepting kiosks that dispense food and snacks in company break rooms, disclosed that malware compromised an undisclosed number of its kiosks. Some of the compromised machines were provisioned with fingerprint readers that enable cashless payments through Avanti’s Market Card, a payment and loyalty service that includes a mobile app. The malware may have captured Market Card users’ fingerprint data as well as names and email addresses, Avanti said in a notice on its Web site late last week.

The KrebsOnSecurity news service reported that many of the kiosks did not use point-to-point data encryption. Later, however, Avanti updated a notice on its Web site to confirm that the biometric data were protected.
“In an abundance of caution, our original notice advised customers who used their Market Card to make payment that they may have had their names and email addresses compromised, as well as their biometric information if they used the kiosk’s biometric verification functionality,” the notice says. “We are happy to report that we are now able to confirm all kiosk fingerprint readers supplied by Avanti include end-to-end encryption on such biometric data, and as such this biometric data would not be subject to this incident as it is encrypted.”

The company did not make a spokesperson available to Digital Transactions News for further comment.
Avanti Markets, which claims 1.6 million customers, said the breach affected about 1,900 kiosks. The malware, which the company believes got into its system shortly before July 4 through a workstation belonging to a third-party vendor and became active July 2, may have captured cardholder names, account numbers, and expiration dates of the payment cards used by employees who weren’t paying with cash or the Market Card. Avanti turned off the cashless-payment functions on the compromised machines soon after discovering the breach on July 4.
Avanti said it worked with the vendor to remove the malware within hours of discovering the attack. The company is working with a forensics investigator to investigate the attack, the perpetrators of which aren’t yet known. Avanti Markets in May began working with its partner operators to provision all of its kiosks with point-to-point encryption technology, a project that as of last week was about half done.

Lott of the Atlanta Fed, who moderated a panel about biometrics at a recent payment-industry conference, notes that biometric technologies convert fingerprints, voice patterns, irises, and other physical attributes into data, which means where and how that data are stored is highly important. For example, Apple Inc.’s iPhone stores fingerprint data in the phone’s Secure Enclave, which means a compromise of one phone is limited to that device, whereas systems that store biometric data in central databases could be the source of widespread damage if hacked.
“If they compromise a central database … they could compromise thousands, millions of records,” Lott says.
Security experts say biometrics are most effective as part of a so-called layered security approach that includes other data protections. Rather than relying on physical attributes, some companies are rolling out so-called passive biometric systems that record consumers’ physical motions and usage patterns of payment-originating mobile phones and computers.

Al Pascual, senior vice president and research director at Pleasanton, Calif.-based Javelin Strategy & Research, says it is not surprising that fraudsters are interested as usage of biometrics increases. The Avanti incident is the kind of event “that the industry needs to learn from before biometrics are even more broadly deployed,” Pascual says by email. “If true, it is fortunate that the biometric data is encrypted, but there are undoubtedly a wealth of systems where biometric data is co-located in the clear with other data of value” such as payment information and customer personal identifying information.

“If this type of data was consistently compromised, then it would diminish consumers’ perception of the security value of biometrics,” says Pascual.

COMMENTARY: A Look at the Top 4 Security Trends for 2017 in the Payments Industry

After years of card-data breaches and other bad news, four very encouraging trends are emerging that bode well for better security. Here’s a quick look at all four:

Integrators are taking the QIR program seriously. When the PCI Security Standards Council and Visa Inc. initially released the Qualified Integrator and Reseller (QIR) certification program in 2015, it was welcomed with little to no enthusiasm. Many thought the short timeline for QIR certification was unfair; most did not take it seriously. The initial due date overlapped with the EMV liability shift, and resources were strained just to keep up with EMV certifications.

In fact, only 73 companies completed and passed the QIR program in 2015 with the original due date of Jan. 1, 2016. The PCI Council and Visa took quick notice and moved the due date to Jan. 31, 2017, when, under Visa rules, acquirers had to begin using only QIRs for integration work with small merchants.

In 2016, with the help of associations such as the Retail Service Providers Association (RSPA), which helped promote QIR awareness, and companies such as Vantiv Inc., which helped sponsor QIR certifications, many more companies jumped on the QIR bandwagon. In fact, 233 U.S. companies received their QIR certification in 2016.

This trend is continuing to grow. Another 51 companies have passed their certification so far in 2017, and it is expected that the number of companies to pass this certification will rise in the coming years, which is good news since it doesn’t look like PCI will extend the due date again. However, with an estimated 5,000 ISVs and VARs in the U.S. alone, there is still a long way to go.

More payment solutions are seeking P2PE validation. When the PCI Point-to-Point Encryption (P2PE) certification requirements were first released three years ago, the process was very costly and somewhat ambiguous. This is probably why, until recently, only a few companies in the U.S. pursued and completed their PCI P2PE validation.

A little over a year ago, the PCI Council released its new certification requirements with more transparent rules. It also allowed companies to certify for the individual components of the P2PE chain in which they participate. For example, key-injection facilities (KIFs) are allowed to obtain certification for the key-injection, key-management, and device-tracking services required by PCI for a P2PE-validated solution. One such company is ScanSource, which was part of one of the initial validated solutions in the U.S. and completed its PCI validation in January as a standalone PCI P2PE-validated KIF. This allows any gateway to use ScanSource’s key-injection services.

The demand for a PCI-certified P2PE solution is also on the rise. Since merchants can’t be out of scope or obtain reduced scope status without a PCI-validated solution for credit card processing, more merchants are putting the PCI validation in their requests for proposals to reduce the risks and costs of compliance associated with having credit card data in their network. For these reasons, more payment providers will pursue their P2PE certification in 2017, keeping qualified security assessors in heavy demand.

EMV certifications are faster and more robust. In 2015, EMV certifications came at a snail’s pace, and most were not released until after the liability shift due date. The few that were released were basic, excluded debit support, and only included one processor. Some of the EMV upgrades even broke the transaction process and had to be turned off shortly after being implemented.

Now that the initial certifications are complete and everyone has been trained on how to get EMV-certified, we are seeing more merchants with EMV fully deployed.

The EMV solutions are also more complex now, including debit, near-field communication, and a shorter transaction time, as well as being available for more intricate environments, such as pay at the table and health care. Certified solutions are being released much faster because of changes made around “faster EMV” and Visa’s allowing acquirers to self-certify their merchants’ solutions. This increased pace for EMV-certified solutions will continue well into 2019 now that many have figured out the EMV puzzle that until recently plagued the payment industry.

End users are willing to pay for security. Data breaches, credit card fraud, and cyber attacks are the new normal. Gone is the shock that we felt when we first heard of the TJX Cos. Inc. and Target Corp. breaches. Every other day, we hear of yet another breach, shrug our shoulders and move along. These days, it isn’t about if a merchant will be breached but a matter of when. For that reason, there are more and more services that help meet PCI compliance.

Many resellers have developed a software-as-a-service solution for PCI services for things such as patch management, antivirus monitoring, password management, and terminal management. Merchants are willing to outsource these services instead of developing and maintaining the tools to stay in PCI compliance. Additionally, merchants are also willing to invest in PCI security in order to protect themselves. In many cases, merchants are even electing to outsource these services as an added layer of protection.

‘I Need Knowledge:’ Merchants Express Befuddlement About EMV, Breaches, System Issues

Merchants would like nothing more than to decipher what they call the “mysteries” of the payments universe, a select group of them told attendees Thursday at the Western States Acquirers Association conference in Scottsdale, Ariz.

These mysteries, they said, include knowing whom to call when a problem crops up, what to know about EMV chip cards, and how to protect their point-of-sale systems from hackers.

For merchants, much of the mystery is wrapped up in the problem of how to avoid juggling payments issues while also trying to manage a retail business. “We don’t want to think about it,” J. Brandon Maxwell, president and chief executive of M Culinary Concepts, a Phoenix-based catering business, said of payments. “We don’t want to be burdened by it.”

For Jim Buhr, chief financial officer and chief information officer at Bashas’ Supermarkets, a Chandler, Ariz.-based grocery chain, knowing what’s going on with payments is a constant attention getter. “If we’re down for an hour we can lose millions,” Buhr told attendees. The chain’s payment system did indeed fail for a few hours in August, costing the company $1 million in sales, some of which was not recoverable, Buhr said. Seventy percent of its overall transactions are made with credit, debit, or electronic benefits transfer cards.

When something like that happens, or when there is a breach, the merchants agreed they need someone to help them understand what happened and how it can be corrected.

For many merchants, like Michelle Simpson, controller and chief financial officer at Thunderbirds Charities, a charitable organization that distributes funds raised by the Waste Management Phoenix Open golf tournament, her merchant-sales provider is the go-to resource. “We want to have the best experience for our customers,” Simpson said. “We have huge payments coming in the lead-up to the Open. When the Open hits, people want to instantly use their credit cards for $20.”

Buhr discovered which payments organizations could help him in the aftermath of a data breach that occurred a few years ago. “You don’t really find out who can help you until you have a breach,” he said. Contacting the card brands and processors Bashas’ Supermarkets used yielded little aid until a fraud expert at First Data Corp. guided him.

Merchants also are perplexed by the lack of a unified message about EMV adoption from the payments industry.

“The chip has always confused me,” Maxwell said. His business usually involves a contract covering a large upfront payment, and secondary payments in a workplace café. “I know where that person works,” he said, alluding to employees patronizing the café. “All I care about is the speed of transaction on that second type of transaction. If chip ever becomes the rule, it needs to become a hell of a lot faster.”

Others have been more proactive about chip enablement.

“I spent millions of dollars and I get chargebacks,” Buhr said. Bashas’ Supermarkets achieved 100% EMV enablement in July, and installed the terminals in 2014 while it waited for its payments vendors to be EMV-certified. “It’s very important that we work together,” he said. “I ask the industry to start with the retailer. He’s the guy who eats it all,” referring to the costs of implementing EMV.

“What is frightening is this chip business,” said Kerry Dunne, principal of R Entertainment, a Scottsdale, Ariz.-based event-production company. “We have to get our customers in and out in seconds,” he said. “One fear we have is chip takes so much longer to process.” Impatient consumers, especially when they’re at an entertainment event and just want to grab a beer and return to the event, won’t like waiting for a chip transaction, Dunne said.

He too admitted he knows little of how payments work, calling it a “mystery.” His advice for the payments industry is to do a better job educating merchants. “I need knowledge,” Dunne said.

Credit Card Surcharging Expected To Continue Despite Rejection of Interchange Settlement

“Visa is disappointed by the decision of the U.S. Court of Appeals for the Second Circuit,” a Visa spokesperson says in a statement. “We are reviewing the specifics of the ruling and will decide our next steps. Visa remains committed to working with retailers to grow their businesses and provide them with efficient and valuable payment options.”

Though MasterCard Inc. and Visa Inc. have their own rules for surcharging, generally the amounts are capped to actual acceptance costs, or 4%, whichever is lower. The rules also require consumer disclosure. Debit card surcharges are not permitted.

According to a person familiar with surcharging practices, no changes are anticipated, at least for Visa’s rules.

Others, too, expect that surcharging will remain in place.

“If anything, this upset is more likely to increase exposure to the existing petitions for the Supreme Court to hear this case, and eventually decide that surcharging should be legal everywhere,” says David Leppek, president of Transactions Services, an Omaha, Neb.-based payments provider.

The company offers a surcharging program for merchants in the 42 states that allow it, Leppek says. Certain merchant types are good candidates for it, including those that don’t accept payment cards because of costs and those that deal primarily with business-to-business transactions. Other prime candidates include providers of highly emotional purchases, those frustrated by payment-acceptance costs, and merchants selling high average-ticket items that consumers are more likely to use credit cards than debit cards to pay for.

Leppek views the appeals court’s veto of the settlement as based on procedural issues pertaining to class-action lawsuits. “As a result, the card brands changed their rules and have no motivation to now change them back,” Leppek says.

At Berwyn, Pa.-based JetPay Corp., which late last year debuted its Limitless program that enables merchants to offer discounts to consumers who pay with cash, Peter Davidson, vice chairman, expects a similar outcome.

“Given the reasons why the settlement was overturned—that it was essentially being too lenient towards the card networks for the merchants in the later class—it should have no long-term impact on JetPay’s Limitless program,” Davidson says via an email. “We believe any future final settlement will incorporate the allowance for different prices for cards versus other payment forms.”

Others, however, are less than enthused about surcharging in general.

“The new ruling by the appeals court is a significant victory for merchants,” says Alex Nouri, president of EFT Direct, an Ann Arbor, Mich.-based payments provider. “I applaud the reversal. The 2012 settlement is effectively null and void. While it’s usually good to have a choice, surcharging should not have been one of the facets of the lawsuit because it would hurt merchants more than not. Consumers frown on having to pay for extras, let alone an added fee for using their credit card.”

Nouri says he would be surprised at a discontinuation of surcharging, but he argues nonetheless that the networks should ban the practice “because it never made practical sense and is being used by some merchants to increase their bottom line instead of counting it as a business expense.”

Nouri says the 4% cap often results in some unscrupulous independent sales organizations and agents setting the discount rate automatically at 4% and also charging “hefty” terminal-lease fees, “thereby guaranteeing themselves a huge windfall on the back of both merchants and consumers.”

Both Visa and MasterCard have online forms for consumers to complete if they suspect a merchant violation of the surcharging rules.

“There are limits on what we can do about proactive compliance with over 9 million merchants in the U.S. alone,” says a MasterCard spokesperson. “However one thing ensures an investigation: It’s receiving a complaint form from a cardholder who believes that he or she has been wrongly surcharged.”

Eye on Data Breaches: A ‘Scary’ Legal Standard; Details Released on the Coming PCI Update

As federal regulators increasingly zero in on data breaches, lawyers at a payments conference on Wednesday warned that organizations that suffer breaches are likely to have a tougher time avoiding legal liability in the years ahead. And the PCI Security Standards Council disclosed some of the major changes in its upcoming version 3.2 of the Payment Card Industry data-security standard, including a requirement for multi-factor authentication by anyone with administrative access to cardholder data.

Until recently, regulators and the class-action bar have had a tougher time establishing liability in cases where they cannot show that consumers suffered any losses from breaches of card data, speakers said during a session at Transact16, an event in Las Vegas sponsored by the Electronic Transactions Association, the merchant-acquiring industry trade group. But that standard is changing, the speakers said.

Breached entities “have been able to deflect [regulators] if they can show no consumer harm,” said Leonard Gordon, a partner at Venable LLP, a New York City-based law firm. “That worked until last year, when a court ruled that fear of harm alone was sufficient injury for a case to go forward.”

Gordon warned the audience to “keep an eye” on this development. “It’s a scary case going forward,” he said.

In payment card data breaches, consumers are often reimbursed under the terms of their card agreements in cases of fraudulent use of their cards. In a well-known breach, that of the Wyndham Worldwide Corp. hotel chain, the Federal Trade Commission sued the chain but “couldn’t find any consumer who was out of pocket,” leading to a settlement that was “mild” in its terms toward Wyndham, Gordon said. That sort of outcome now might be more difficult to achieve for breached entities when consumers suffer no loss, Gordon warned.

The FTC sued Wyndham in 2013 after the chain sustained three breaches that the regulator said involved more than half a million card accounts and $10.6 million in fraud losses.

At the same time, the smallest merchants are still struggling to comply with the PCI data-security standard years after PCI was introduced and as a new version is under development. Gregory Holmes, another expert who spoke during the session, cited an estimate that just 40% of so-called Level 4 merchants are “truly compliant with PCI.” Holmes is a San Francisco-based director at PwC, a consulting firm that acts as a qualified security assessor for PCI compliance.

Level 4 merchants are those that process fewer than 1 million card transactions annually.

Meanwhile, the Wakefield, Mass.-based PCI Council, which administers the main PCI rule set and its related standards, plans to release version 3.2 of the PCI DSS later this month. The Council this week posted on its blog some of the key changes that card-accepting merchants, processors and other entities that handle general-purpose credit and debit cards can expect.

One change will be a requirement for multi-factor authentication for anyone with administrative access to computer systems containing card data. Multi-factor (sometimes called two-factor) authentication means that at least two independent factors of different types are required to gain access, for example, something the user knows (a password or PIN), something the user has (a hardware token, smart card or one-time-code app) or something the user is (a biometric). Two credentials of the same type, such as two passwords, do not count as two factors.

The existing standard (version 3.1) required two-factor authentication only for remote network access originating from outside the entity’s network, the so-called “untrusted” environment; an administrator logging in from inside the trusted network could still use a password alone.

“The significant change in PCI DSS 3.2 adds multi-factor authentication as a requirement for any personnel with administrative access into the cardholder data environment, so that a password alone is not enough to verify the user’s identity and grant access to sensitive information, even if they are within a trusted network,” PCI Council chief technology officer Troy Leach said in the post. He later added: “This applies to any administrator, whether it be a third party or internal, that has the ability to change systems and other credentials within that network to potentially compromise the security of the environment.”
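To make the two points above concrete, here is an added worked example (not code from the PCI Council, Visa or the article) in Python. It models the difference between the 3.1 rule (second factor only for access from outside the network) and the 3.2 rule (second factor for any administrative access into the cardholder data environment), counts factors by category so that two passwords are rejected as a single factor, and implements the “something you have” factor as a real RFC 6238 TOTP check rather than a stub. The policy helpers, the version strings and the sample logins are constructed for the illustration; the TOTP key is the RFC 6238 test-vector secret.

```python
"""Added example: what PCI DSS 3.2's administrative-MFA rule accepts and rejects.

Not code from the PCI Council or the article. mfa_required() and authorize()
are a constructed model of the rule described in the text; hotp()/totp() are
standard-library implementations of RFC 4226/6238 so the possession factor
is verified for real. Sample inputs below are constructed.
"""
import hashlib
import hmac
import struct
import time
from enum import Enum


class Factor(Enum):
    """Factor categories. MFA needs two or more *different* categories;
    two passwords are still a single factor."""
    KNOWLEDGE = "something you know"    # password, PIN
    POSSESSION = "something you have"   # hardware token, smart card, TOTP app
    INHERENCE = "something you are"     # fingerprint, face


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Accept the current step and `window` steps either side to tolerate clock
    skew. compare_digest keeps the comparison constant-time."""
    return any(
        hmac.compare_digest(totp(key, at + delta * step, step), code)
        for delta in range(-window, window + 1)
    )


def mfa_required(is_admin: bool, from_outside: bool, dss_version: str) -> bool:
    """3.1: second factor only for remote access from outside the network.
    3.2: additionally for any administrative access into the CDE, even from
    the trusted internal network (constructed model of the rule in the text)."""
    if dss_version == "3.1":
        return from_outside
    if dss_version == "3.2":
        return from_outside or is_admin
    raise ValueError(f"unknown PCI DSS version {dss_version!r}")


def authorize(presented, is_admin: bool, from_outside: bool, dss_version: str = "3.2"):
    """presented: list of (Factor, passed) pairs for each credential the login
    supplied. Returns (allowed, reason)."""
    if any(not ok for _, ok in presented):
        return False, "a presented factor failed verification"
    categories = {f for f, _ in presented}   # set: duplicate categories collapse
    if not categories:
        return False, "no credential presented"
    if not mfa_required(is_admin, from_outside, dss_version):
        return True, "single factor acceptable for this access"
    if len(categories) < 2:
        return False, f"MFA required, only {len(categories)} factor category presented"
    return True, "MFA satisfied with " + ", ".join(sorted(f.name for f in categories))


if __name__ == "__main__":
    # Constructed scenario: a domain admin on the internal LAN, password correct.
    key = b"12345678901234567890"          # RFC 6238 test-vector secret
    password_only = [(Factor.KNOWLEDGE, True)]
    print("3.1, admin on LAN, password only:", authorize(password_only, True, False, "3.1"))
    print("3.2, admin on LAN, password only:", authorize(password_only, True, False, "3.2"))
    # Same admin, now also presenting a TOTP code from an enrolled device.
    now = int(time.time())
    code_ok = verify_totp(key, totp(key, now), now)
    print("3.2, password + TOTP:", authorize(password_only + [(Factor.POSSESSION, code_ok)], True, False))
    # Two passwords are one category, so still rejected under 3.2.
    print("3.2, two passwords:", authorize(password_only * 2, True, False))
```

The set of categories, not the count of credentials, is what decides the MFA check; that is the distinction a QSA will probe when a shop claims “two passwords” or “password plus security question” as multi-factor. The TOTP window of one step either side is a common default; widening it trades skew tolerance for a larger guessing surface.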

The update also will include several new requirements for service providers, meaning companies that store, process or transmit cardholder data on a merchant’s behalf or that can affect the security of its card-data environment, such as those that set up and maintain card-accepting systems. Third parties often do poor work regarding data security and have been the sources of numerous data breaches.


New Visa Security Requirements Aim To Reduce Small Merchants’ Data Breaches

Visa Inc. has announced new data-security requirements for small merchants, one of which says that beginning Jan. 31, 2017, merchant acquirers must annually validate compliance by their so-called Level 4 merchants with the Payment Card Industry data security standard.

Other new Visa requirements involve qualified integrators and resellers, or QIRs. These are entities that install business-management software, or integrate such applications, for use with point-of-sale terminals and payment applications. Effective next March 16, newly boarded Level 4 merchants may only use QIRs that are certified by the PCI Security Standards Council, the body that oversees the PCI DSS and its related standards, to install POS terminals and software. Effective Jan. 31, 2017, the QIR requirement will apply to all Level 4 merchants.

The new requirements are listed in an Oct. 29 Visa security bulletin. Visa did not make a spokesperson available to comment on the bulletin, but the company indicated that one of the deadlines might be delayed in early 2016.

“Using QIR companies provides small merchants some protection against a common vulnerability exploited by criminals,” the bulletin says. “However, this alone will not prevent small-merchant compromises. As such, Visa is expanding its PCI DSS validation program to include Level 4 merchants. Effective 31 January 2017, acquirers must ensure their Level 4 merchants validate full PCI DSS compliance annually.”

Visa is trying to fill two well-known security holes in card payments. Level 4 merchants, the smallest among the four tiers by which Visa ranks merchants, are businesses that process up to 1 million Visa transactions annually, or fewer than 20,000 Visa e-commerce transactions. Level 4 merchants represent more than 90% of the 5-million-plus card-accepting merchants in the U.S., and they also account for a lot of data breaches—some 94% of the compromises Visa tracked in 2015, according to an October Visa presentation for small merchants. Unlike breaches involving big, Level 1 merchants such as Target Corp. or The Home Depot Inc., breaches at Level 4 businesses are small in scale and rarely make headlines, but collectively they present a security headache for the card networks, acquirers and issuers.

All card-accepting merchants must comply with the PCI rules, but only big and medium-sized ones currently must validate their PCI compliance through annual tests and probes that can be complicated and expensive. With Level 4 merchants, Visa requires PCI compliance but leaves actual validation up to the acquirer. The network says acquirers must attest to their Level 4 merchants’ PCI compliance and recommends merchants complete a self-assessment questionnaire.

The bulletin notes that acquirers can avoid the new annual validation requirement if they participate in Visa’s incentive program to grow EMV chip card payments. Dubbed the Technology Innovation Program, or TIP, the program says a merchant does not need annual PCI validation if it submits 75% of its Visa transactions through EMV terminals, and does not store sensitive cardholder data after transaction authorizations.

Visa has never publicly stated small merchants’ PCI compliance rates, usually terming them as “moderate,” but the trade group the Merchant Acquirers’ Committee has estimated it at 39%.

At the same time, because of their lack of technical expertise, many small merchants rely on tech providers to protect their POS terminals and back-office networks. These providers sometimes do slipshod work, setting up payment systems with easily guessed default passwords and other vulnerabilities. But many such companies, including value-added resellers (VARs) and integrated software vendors (ISVs), are coming into the payments realm because merchants increasingly want POS applications that do much more than simply process card transactions.

Visa and the PCI Council are offering an incentive for VARs and ISVs to become PCI Council-endorsed QIRs. Companies that enroll in a Visa QIR training program by year’s end can receive a discounted price of $197.97 per person, the bulletin says. The standard price wasn’t listed.

While the new PCI validation requirement could affect millions of merchants, Dallas-based payment-security consultant Branden R. Williams doesn’t see Visa’s changes as radical.

“I see this as more of a nudge than a massive policy shift,” Williams tells Digital Transactions News by email. “Visa—and the other payment brands—have always said that Level 4 merchants must be compliant but were only recommended to validate. I see this impacting acquirers who have not built merchant-compliance programs more than those who have. In this case, the nudge from Visa may be to push acquirers and merchants into products and services that qualify for the Technology Innovation Program.”

Buy Buttons Have Some Traps for Retailers

Buy buttons are shaping up to be the next battleground in tech-driven retail, and retailers are gearing up to take the field on social media sites like Twitter, Pinterest and others. But the new payments technology presents challenges that retailers must consider.

It’s a shift that threatens to upend retail, which, until recently, viewed social media platforms largely as a way to promote products online or to give customers a way to share reviews and seek help with product issues. In the traditional social media retail model, sites like Pinterest and Twitter served as a way to build product awareness and direct potential customers to the retailer’s main site to complete a purchase.

“Buy buttons” are clickable buttons that can be integrated into a social media site to allow visitors to purchase a product without leaving the platform.

It makes sense that the next retail revolution will take place on social media, which is generating an increasingly large share of ecommerce revenue overall. According to an Internet Retailer report, the 500 top retailers generated well over $3 billion in revenue from social media shopping in 2014, a 26% increase over the previous year’s total.

Buy buttons give social media platform users greater purchasing power than ever before. Instead of having to leave one site to visit another to find and purchase a product seen on social media, users can buy products directly via the social media platform. Buy buttons take much of the friction out of the purchasing process, but they present new challenges for retailers:

Less incidental product exposure. Buy buttons are an impulse buyer’s dream, but there’s a downside for retailers; by eliminating the need for the customer to visit the retail site, fewer customers will view other listed products.

Social media platform fees. Retailers who pursue a buy button strategy will incur fees for making it easy for shoppers to instantly purchase their wares. It will be necessary to analyze that aspect of campaigns to determine true ROI.

Managing payments and inventory. It’s necessary to integrate inventory and product information into social platforms since purchases made using buy buttons are typically completed through a separate process than payments made via the retail site.

Updates between retailers and social media platforms. Retailers and social media platforms will have to regularly and consistently update each other when product information changes. Alternatively, they can use a product content management system to streamline the process.

New testing needs. As a brand-new channel, each social media platform will require retailer testing to ensure the retailer is reaching the right audience. Platforms have different audiences, so it may take time to find the right showcase for specific products.

Need to tread lightly to preserve brand integrity. While social media audiences can appreciate the right appeals, buy buttons can also be interpreted as an interruption of the user experience, so it’s important to make sure content and ads are relevant and aligned.

Buy buttons have much promise as a retail channel, but retailers should proceed with caution and make sure they address each of these challenges to ensure a smooth transition. It’s also important to recognize that while social media is an excellent way to inform and influence customers by facilitating information sharing, its primary purpose is not to persuade users to make a purchase now.

For that reason, it’s crucial for retailers to manage their own expectations about ROI from buy button campaigns. Those who do so successfully can gain a powerful competitive edge in the next retail revolution.