Saturday, January 3, 2015

Staples urges diligence post breach, stakeholders point fingers
A data security breach involving Staples Inc., initially reported in October 2014, has been confirmed by the Framingham, Mass.-based retail office supply chain. The far-reaching event affected 119 of the 1,500 Staples locations in 35 states. Malicious software discovered inside cash registers was intercepting credit card transactions and transmitting cardholder data to a criminal host network. The company believes that up to 1.16 million credit cards may have been affected by the breach.
A company press release issued on Dec. 19 stated that "malware may have allowed access to some transaction data at affected stores, including cardholder names, payment card numbers, expiration dates, and card verification codes. At 113 stores, the malware may have allowed access to this data for purchases made from August 10, 2014 through September 16, 2014. At two stores, the malware may have allowed access to data from purchases made from July 20, 2014 through September 16, 2014."
Staples urges consumer due diligence
Staples spokesman Mark Cautela reported that the company is working closely with law enforcement in an ongoing investigation. "We take the protection of customer information very seriously, and are working to resolve the situation," Cautela said, adding that consumers will not be held responsible for any fraudulent activity that is reported in a timely manner.
Staples published a list of affected locations from Alabama to Wyoming. Located at http://staples.newshq.businesswire.com/statement, it includes each store's window of vulnerability from the malware's initial installation date to the time of its removal. Consumers are urged to review credit card statements and promptly notify card issuing banks of any suspicious charges. Staples is also offering free identity protection services and credit reports to customers who used their cards at affected stores during the relevant time periods.
Same malware, different store
Forensic analysts have noted similarities that link the Staples data compromise with an earlier incident reported in January 2014 by Michaels Stores Inc., an Irving, Texas-based arts and crafts retailer that is the parent company of Michaels and Aaron Brothers stores. Malware used in tampered POS devices at both Staples and Michaels was found to be communicating with the same criminal host network.
The January 2014 attack was the latest in a series of data breaches for Michaels, beginning with a May 2011 attack involving what the company described as "90 individual PIN pads that showed signs of tampering" that were subsequently disabled. While the incident affected less than one percent of its stores, the company installed 7,200 PIN pad readers in all 964 stores as an added precaution. Unfortunately, this costly measure proved to be insufficient protection from further data attacks. A press release issued on April 17, 2014, disclosed additional, ongoing malicious activities.
The release stated: "Regarding Michaels stores, the attack targeted a limited portion of the point-of-sale systems at a varying number of stores between May 8, 2013 and January 27, 2014. Only a small percentage of payment cards used in the affected stores during the times of exposure were impacted by this issue. The analysis conducted by the security firms and the Company shows that approximately 2.6 million cards may have been impacted, which represents about 7 percent of payment cards used at Michaels stores in the U.S. during the relevant time period. The locations and potential dates of exposure for each affected Michaels store are listed on www.michaels.com."
Meanwhile, controversy erupted over a survey released by the Independent Community Bankers of America, whose members reported reissuing approximately 7.5 million payment cards in the wake of The Home Depot U.S.A. Inc. breach, at a total cost of $90 million.
In a Dec. 18 press release about the survey, John Buhrmaster, ICBA Chairman and President, stated, "Community banks continue to absorb exorbitant costs due to data breaches, and they do so upfront because their primary concern is to protect their customers. However, this is money—more than $90 million—that could be used for lending in local communities to homeowners, small business owners and budding entrepreneurs to spur local economic growth and stability. For this reason, we continue to advocate that the costs associated with data breaches be borne by the party that experiences the breach. Communities and customers should not suffer for the faults of retailers."
In addition, the ICBA stated it promulgates the following five data security principles:
  1. The costs of data breaches should ultimately be borne by the breached party.
  2. All participants in the payments system — including merchants — should be subject to Gramm-Leach-Bliley Act–like data-security standards.
  3. A national data-security breach and notification standard should be implemented to replace the current patchwork of state laws.
  4. Unnecessary barriers to effective threat-information sharing between law enforcement and the financial and retail sectors should be removed.
  5. While community banks and other financial institutions continue to move to chip technology for debit and credit cards, these technologies alone may not have prevented the recent retailer breaches and do not protect against fraud in “card-not-present” transactions, such as online purchases.
In response, executives from several leading retailers' associations, including the National Retail Federation, Retail Industry Leaders Association and Merchant Advisory Group, released a letter to the ICBA claiming that these principles are "based in part on misinformation and at best incomplete."
This is just the latest volley of finger pointing between retailers and financial institutions seeking to assign blame and consequences for the data breaches plaguing our payment systems.
EMV prioritized
One positive development to arise from the recent epidemic of data security breaches can be seen in the retail community's heightened sense of urgency about upgrading and securing existing card payment systems. Staples stated it plans to enhance the security of its POS systems with up-to-date tokenization and point-to-point encryption technology. Home Depot and Target Corp. plan to install EMV readers in 2015, a move that reflects the near-term objectives of a majority of Level 1 retailers. Target has reportedly committed $148 million in upgrades to its processing systems in the wake of its massive credit card breach.
Deborah Baxley, Principal at Capgemini, and an active member of Princeton, N.J.-based Smart Card Alliance, sees EMV (Europay, MasterCard and Visa) enablement of the POS infrastructure as a positive step for the retail community. "While EMV doesn't offer 100 percent protection from security attacks, it will greatly reduce vulnerabilities, because EMV cards store payment information in a secure chip rather than on a magnetic stripe," Baxley said. "A counterfeit EMV card that is stolen from a database will fail because the issuer will recognize it as a chip card, and not a magnetic stripe card."
Baxley mentioned that merchants who migrate to EMV ahead of the Oct. 1, 2015, deadline will be further protected from financial liability in the event of a costly data breach. She stressed the need for all payments industry stakeholders to work together to correct vulnerabilities in older legacy infrastructures and protect the integrity of payment card processing systems.

New Year's Eve countdown to PCI DSS 3.0
Friday, December 26, 2014
When the ball drops at 12 a.m. on Jan. 1, 2015, it will mark the beginning of a new year, as well as the deadline for implementation of a new set of security standards. The PCI Security Standards Council published Payment Card Industry (PCI) Data Security Standard (DSS) 3.0 in November 2013, effective Jan. 1, 2014, and gave merchants and payment service providers one year to review and upgrade their PCI DSS 2.0-compliant systems before version 2.0 is retired.
The security community embraced the new standards, noting the enhanced protections for e-commerce, widely considered to be a leading point-of-entry for cyber attacks. Many security analysts emphasize that security best practice requires constant vigilance that extends far beyond required scans, penetration tests and self assessment questionnaires.
Sustainable best practices are business-as-usual
Suraj Srinivas, Director of Security Consulting at ANX, a Michigan-based data security organization, sees the spirit of constant vigilance reflected in the business as usual (BAU) concept introduced in PCI DSS version 3.0.
"ANX Qualified Security Assessors (QSAs) were early adopters of this concept, having seen its success in other audit programs," Srinivas said. "The key to success for any compliance program is its sustainability. Sustainability is achieved by having a methodical process for ensuring that all the necessary preparatory steps are performed during the course of the year, easing the burden of the annual PCI assessment."
He added that a common piece of advice that ANX offers clients is to "measure twice and cut once," which is aligned with the company's overall approach. ANX supports customers' BAU initiatives with a blended approach that leverages a software-as-a-service compliance tool with the hands-on expertise of the company's QSAs. He believes the company's focus on sustainable best practices keeps compliance in the forefront as a systematic, year-round process for its customers.
Protecting the transaction life cycle
Frank Stornello, Chief Marketing and Strategy Officer for Verifi, noted that the impact of omni-channel trends on payment technology has made full life cycle transaction protection critical for best-in-class online commerce. For retailers, protecting omni-channel payments from start to finish while ensuring a seamless shopping experience requires a careful blend of pre- and post-sale security and fraud prevention.
"The landscape of payments is quickly evolving and new payment options and technologies are emerging rapidly – giving consumers many choices for payment: mobile, online, cash, credit, loyalty points and digital currencies to name a few," Stornello said. "Unfortunately, security lapses change shopper behavior. Studies show a direct correlation between a data breach and consumer confidence - threatening the merchant's ability to remain in business."
E-commerce: not one-size-fits-all
PCI DSS 3.0 guidelines categorize e-commerce merchants by matching self-assessment questionnaires (SAQs), scans and testing levels to each group's degree of exposure to cardholder data. Many security analysts believe e-commerce merchants who implement PCI 3.0 security controls will significantly mitigate the risk of cyber attacks.
Following are three distinct forms of e-commerce and their respective SAQs:
  • SAQ A merchants, as defined by the PCI SSC, are card-not-present merchants that do not store cardholder data in electronic format and do not process or transmit any cardholder data on their systems or premises. These companies fully outsource card processing to PCI DSS validated third-party service providers, and do not need to conduct penetration testing or vulnerability scans. A 14-question SAQ A and an Attestation of Compliance are their only requirements.
  • SAQ A-EP merchants are e-commerce merchants who partially outsource their payment channel to PCI DSS validated third parties and do not electronically store, process, or transmit any cardholder data on their systems or premises, but whose website can affect the security of the payment transaction, for example by serving the payment page or redirecting the shopper to the provider. SAQ A-EP is considerably longer than SAQ A and does require quarterly external vulnerability scans by an Approved Scanning Vendor.
  • SAQ D, which comprises 335 questions, is the most rigorous PCI DSS 3.0 SAQ because cardholder data is exposed within the merchant's or service provider's own environment. These processing environments include e-commerce merchants who accept cardholder data directly on their websites and merchants who store cardholder data electronically.
Merchants remain first line of defense
Verifi's Stornello noted that as payments become more complex, merchants will increasingly be called upon to shoulder the "full burden of true as well as friendly fraud" as consumers increasingly rely on them to protect the integrity of their payment transactions.
"Merchants are facing confusing statements, changing compliance requirements, determined hackers, and no shortage of processing fees, multiple discount rates, and chargebacks," Stornello added. "Consumers expect merchants to protect their payments at all phases of the transaction lifecycle - even identity theft - which occurs before the payment card even enters the payment stream."

Congress of two minds about legal pot
Tuesday, December 23, 2014
The U.S. Department of Justice has been ordered to stop making trouble for individuals and businesses that take advantage of state medical marijuana laws. However, the demand, attached to the $1.1 trillion federal budget bill that was signed into law Dec. 16, 2014, is not a total condemnation of the federal government's efforts to stamp out marijuana legalization initiatives.
"It merely restricts the use of funds in a one-year budget bill," noted a web post by the National Law Review. "The bill does not exempt marijuana as an illegal Schedule I drug under the federal Controlled Substances Act."
In fact, the very same bill includes a provision that blocks Washington, D.C., from implementing a local referendum legalizing possession of marijuana there. Washington, a city of almost 700,000, is a "federal district" under the exclusive jurisdiction of Congress, which can veto any local laws.
A budgetary maneuver
Typically, when the voters of the "district" approve controversial laws, opponents attempt to invalidate those measures with budgetary maneuvers. Tucked into the 701-page budget bill signed into law last week was a provision stating: "None of the Federal funds contained in this Act may be used to enact or carry out any law, rule, or regulation to legalize or otherwise reduce penalties associated with the possession, use, or distribution of any Schedule I substance under the Controlled Substances Act."
The budget bill is an omnibus package of legislation that appropriates funds for federal agencies and programs through Sept. 30, 2015. It was a must-pass bill, because without operating funds the government would have had to shut down. Often lawmakers will use a must-pass bill such as a budget measure to advance initiatives that might lack support to pass on their own. Appropriately enough, these omnibus legislative initiatives are known as "Christmas trees" among Washington insiders.
The budget bill provision addressing medical marijuana applies to funds appropriated to the Department of Justice, and specifically refers to medical marijuana laws in 32 states and Washington, D.C. It instructs that no funds appropriated to the Justice Department "may be used" to prevent those states and Washington "from implementing their own State laws that authorize the use, distribution, possession or cultivation of medical marijuana."
Last year, the Justice Department stated it would back off efforts to challenge state laws legalizing recreational pot use, provided those states establish strong regulatory regimens.

Ingenico spots six payments trends to watch in 2015
Friday, December 19, 2014
At the close of 2014, payments leaders are reflecting on the year's highlights and looking ahead to what many believe will be a defining year for the industry. An unprecedented number of disruptions have occurred over the past twelve months, led by emerging technologies, the expanding role of data analytics, and changes in purchasing behaviors and banking environments.
The digital transformation of payments is perhaps most evident in the changing role of payments industry equipment manufacturers. Top brands have evolved from device-centric models to holistic, end-to-end solutions that are compatible with diverse populations of POS hardware and software.
Thierry Denis, North American President of Ingenico Group, a global enterprise dedicated to seamless payments with U.S. headquarters in Atlanta, expects to see more disruption in 2015, as EMV (short for Europay, MasterCard and Visa) adoption, mobile payments and improved security standards continue to shape the future of merchant services. For this article, Denis discussed six top payments trends Ingenico identified for 2015.
1. Security to remain a key driver in payments
As the last region in the world to adopt EMV, the United States became an easy target for cyber criminals who found it relatively easy to steal cardholder data processed on mag stripe card readers, compared with the more secure method of smart card payment processing. A record number of data security breaches occurred in the North American region in 2014.
Ingenico Group advises all merchant services providers to work closely with retailers to address this. Many companies are revisiting security strategies to improve their protection of card data environments in conformance with guidelines of the PCI Security Standards Council (PCI SSC).
2. Companies to combine P2PE and EMV to optimize security
Also known as end-to-end encryption, P2PE encrypts card data from the entry point of a merchant's POS device to a point of secure decryption outside the merchant's environment, such as a payment processor.
Many Tier 1 and 2 merchants are preparing for the Oct. 2015 EMV liability shift with a shortcut approach that links EMV and P2PE planning, an approach that Ingenico calls "semi-integrated": the payment terminal handles card entry, the EMV transaction and encryption, while the merchant's POS application only passes the amount to the terminal and receives the result, so it never touches card data. This aims to take as much of the merchant environment as possible out of Payment Card Industry (PCI) Data Security Standard (DSS) scope and solve the EMV piece at the same time via a seamless payments system that addresses both PCI and EMV compliance.
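To make the trust boundary in that description concrete, here is a simplified model of a P2PE flow. It is an added example written for this page, not Ingenico's code and not the implementation of any PCI-listed P2PE solution. A real solution derives per-transaction keys with DUKPT inside a tamper-responsive PIN pad and decrypts inside the processor's HSM; the model substitutes HMAC-SHA256 for both the key ladder and the keystream so that it runs with the Python standard library alone. The function names, the base derivation key, the PIN pad serial and the Track 2 string are all constructed for the example, and the PAN is a well-known test number, not a real card.

```python
"""Simplified model of point-to-point encryption (P2PE): card data is encrypted
in the PIN pad, crosses the merchant POS as an opaque blob, and is decrypted only
at the processor. Added example for this page; HMAC-SHA256 stands in for the
DUKPT key ladder and for the AES keystream a real solution would use."""
import hashlib
import hmac

# Constructed test values (assumptions, not data from the article): a Base
# Derivation Key known only to the key-injection facility and the processor's
# HSM, and a Track 2 string built around a well-known test PAN.
BDK = bytes.fromhex("000102030405060708090a0b0c0d0e0f"
                    "101112131415161718191a1b1c1d1e1f")
SAMPLE_TRACK2 = "4111111111111111=2512201123456789"  # PAN '=' YYMM, service code 201, discretionary


def derive_txn_key(bdk: bytes, ksn: bytes) -> bytes:
    """Per-transaction key from the BDK and a Key Serial Number (device id + counter).
    One-way, so a key recovered from one transaction reveals neither the BDK nor
    any other transaction's key; DUKPT achieves the same with a TDES/AES ladder."""
    return hmac.new(bdk, ksn, hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    """HMAC in counter mode as a PRF keystream (stand-in for AES-CTR).
    Sound only because each KSN, and therefore each key, is used exactly once."""
    out = bytearray()
    block = 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:n])


def encrypt_at_swipe(bdk: bytes, device_serial: str, counter: int, track2: str) -> dict:
    """Runs inside the PIN pad. The returned message is all the merchant POS ever sees."""
    ksn = f"{device_serial}:{counter:08d}".encode()
    key = derive_txn_key(bdk, ksn)
    pt = track2.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, len(pt))))
    tag = hmac.new(key, b"mac" + ksn + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    pan = track2.split("=", 1)[0]
    # First six / last four is the most the merchant system needs (receipts, BIN routing).
    masked = pan[:6] + "*" * (len(pan) - 10) + pan[-4:]
    return {"ksn": ksn.hex(), "ct": ct.hex(), "tag": tag.hex(), "masked_pan": masked}


def pan_visible(msg: dict, pan: str) -> bool:
    """What a RAM scraper or packet capture on the merchant host could find."""
    return any(pan in str(v) for v in msg.values())


def decrypt_at_processor(bdk: bytes, msg: dict) -> str:
    """Runs in the processor's decryption environment, the only place the BDK exists."""
    ksn = bytes.fromhex(msg["ksn"])
    ct = bytes.fromhex(msg["ct"])
    key = derive_txn_key(bdk, ksn)
    expected = hmac.new(key, b"mac" + ksn + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(msg["tag"])):
        raise ValueError("tag mismatch: message altered in transit or wrong KSN")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct)))).decode()


def tamper(msg: dict) -> dict:
    """Flip one ciphertext bit, as an attacker on the merchant LAN might."""
    ct = bytearray(bytes.fromhex(msg["ct"]))
    ct[0] ^= 0x01
    return {**msg, "ct": ct.hex()}


def tamper_rejected(bdk: bytes, msg: dict) -> bool:
    """True when the processor refuses a modified message instead of decrypting it."""
    try:
        decrypt_at_processor(bdk, tamper(msg))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    m = encrypt_at_swipe(BDK, "PP-0001", 17, SAMPLE_TRACK2)
    print("merchant POS sees:", m)
    print("PAN exposed on POS:", pan_visible(m, "4111111111111111"))
    print("processor recovers:", decrypt_at_processor(BDK, m))
    print("tampered message rejected:", tamper_rejected(BDK, m))
```

The point a register-scraper incident like the Staples one makes is the `pan_visible` check: the merchant host handles only the KSN, ciphertext, tag and a first-six/last-four mask, so memory or network capture there yields no PAN. The tag check shows why an altered message fails at the processor rather than decrypting to garbage. Swapping the HMAC constructions for AES-CTR and DUKPT changes the primitives, not the boundary.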
3. Security upgrades, outsourcing expected to grow in 2015
Ingenico noted that small to midsize business owners have been slower to implement EMV technology that would help protect their processing systems from malicious attacks. This is puzzling, considering that a majority of data security breaches have taken place at Level 4 merchants, according to data provided by the PCI SSC.
Even the upcoming liability shift has not made a significant impact on EMV adoption in this segment. Ingenico predicts that over half of Tier 3 and 4 merchants will not have implemented EMV payment processing by the October 1, 2015 deadline.
Ingenico believes online fraud and chargebacks will become increasingly complex to manage in the global marketplace, as merchants shift their focus to international markets and mobile commerce continues to drive growth in many developing countries.
Fraud rates in cross-border and mobile commerce generally exceed those of domestic e-commerce. Ingenico expects merchants to increasingly outsource fraud management to online payment or fraud specialists in 2015.
4. In-store mobile payments to drive merchant-consumer engagement
Merchants of all sizes and categories have expressed the desire to partner with their customers in every step of the commerce journey. Many brick-and-mortar retailers have implemented in-store mobile POS solutions with smart posters and kiosks that facilitate consumer purchasing decisions without being overly intrusive. Solutions such as iBeacon help retailers stay connected to their consumer base and better understand and track who's shopping in their stores, Ingenico noted.
In an ongoing effort to support customers' preferred payment methods, many Tier 3 and 4 merchants are upgrading processing systems to support near field communication and Apple Pay. Ingenico sees increasing adoption of Apple Pay by Tier 3 and 4 merchants as evidence that Apple is inspiring technology upgrades in this market where EMV could not.
5. Role of e-commerce to expand
Consumers, increasingly willing to spend online, have been driving the global expansion of e-commerce and adoption of new, more secure methods of online shopping.
According to Ingenico, mobile commerce is driving overall online commerce growth in many international markets. Consumers increasingly expect a seamless buying experience that's integrated across multiple platforms, including mobile devices, automobiles and wearable technology.
Merchants will require a developer-centric approach from vendors with easy access to modern application programming interfaces to be able to sell goods and services in the omni-channel world.
6. Data analytics, trusted relationships to optimize performance
Ingenico also expects advanced data analytics and visualization software to play a central role in identifying and removing bottlenecks in the payment process and improve conversion rates. Many enhanced intelligence solutions enable merchants to benchmark payment performance against peers and discover new market opportunities.
Greg Boardman, Senior Vice President of Product Development at Ingenico Group, sees the next several years as challenging but exciting times for large and small retailers. He has been involved in a number of payments industry initiatives focused on improving adoption of P2PE and EMV, technologies that he considers as critical priorities.
Boardman believes broad implementation of these solutions will require more than just technical savvy; it will increasingly depend on the cooperation of all stakeholders in the value chain, and partnerships that are based on respect and trust. Both retailers and acquirers have benefited from the new collaborative model, and Boardman and his colleagues expect that momentum to continue in the New Year.
"The fundamental but long overdue technology implementations of P2PE and EMV acceptance require a long runway and will dominate most budgets and human resources, [and] unfortunately come at a time when innovation in payments is at a fever pitch," Boardman said. "Choosing the right strategies to benefit from both sides of this equation can be difficult. Satisfying the base requirements while also entertaining the possibilities for new payment schemes and mobility initiatives demands a level of focus and partnership that very few organizations in payments understand."

Charge Anywhere breach puts spotlight on TPSPs
Wednesday, December 17, 2014
Recent news of a security breach at Charge Anywhere has raised concerns about vulnerabilities that may exist in payments industry middleware and third-party service providers (TPSPs).
Charge Anywhere, a New Jersey-based payment gateway, has long been considered an innovator in the mobile payments space, marketing payment solutions and services through ISO and reseller distribution channels since 2002. Now, the company is working with its channel partners to help them mitigate risk, as well as teaming up with security specialists to forensically investigate malware initially discovered on Sept. 22, 2014. The malware has since been removed.
In a written notice posted on the company's website, Charge Anywhere stated its investigation had "revealed that an unauthorized person initially gained access to the network and installed sophisticated malware that was then used to create the ability to capture segments of outbound network traffic. Much of the outbound traffic was encrypted. However, the format and method of connection for certain outbound messages enabled the unauthorized person to capture and ultimately then gain access to plain text payment card transaction authorization requests.
"While we discovered the malware on September 22, 2014, it required extensive forensic investigative efforts to de-code it and determine its capabilities. During the exhaustive investigation, only files containing the segments of captured network traffic from August 17, 2014 through September 24, 2014 were identified. Although we only found evidence of actual network traffic capture for this short time frame, the unauthorized person had the ability to capture network traffic as early as November 5, 2009."
The malicious act struck a collective nerve in the vast, interconnected payments ecosystem. Other reports of high-profile data breaches such as those at Bebe Stores Inc., The Home Depot Inc., and Target Corp. made no mention of the processors or middleware service providers behind compromised big-box brands.
However, the Charge Anywhere breach provided news media with a rare behind-the-scenes peek at the payments industry. Charge Anywhere senior management said they appreciate the gestures of support received from industry friends and colleagues and told The Green Sheet the company needs a bit more time before its representatives can make further comments. The ultimate impact the apparent five-year intrusion will have on Charge Anywhere's business is as yet unknown.
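The two incidents on this page share a detection problem: Staples' register malware forwarded card data off the POS, and Charge Anywhere's intruder captured outbound segments of which only some were encrypted. The scanner below is an added example, not code from either company or from any forensic firm, that checks captured segments for Luhn-valid PANs and Track 2 data, masks what it finds, and reads the Track 2 service code to report whether the card is a chip card, the issuer-side signal Deborah Baxley refers to in the Staples article. The sample segments, the gateway host name and the Track 2 string are constructed for the example; the PANs are well-known test numbers.

```python
"""Scanner for plaintext card data in captured POS memory or outbound traffic.
Added example; not code from Staples, Charge Anywhere or any forensic firm."""
import re

# Constructed "captured outbound segments" (assumptions, not evidence from
# either incident). PANs are well-known test numbers; the Track 2 string is invented.
SAMPLE_SEGMENTS = [
    # encrypted authorization: captured, but nothing usable inside
    "POST /auth HTTP/1.1\r\nHost: gw.example\r\n\r\nblob=9f3a1c7e2b4d8f60a3c5e7\r\n",
    # legacy plaintext authorization carrying full Track 2 data
    "POST /legacy-auth HTTP/1.1\r\nHost: gw.example\r\n\r\n"
    "track2=4111111111111111=2512201123456789&amt=1999\r\n",
    # ISO 8583-style request with a bare PAN in field 2
    "0100|4012888888881881|2512|000000001999",
    # 16-digit serial number that must not be reported (fails Luhn)
    "serial=1234567890123456&amt=100",
]

PAN_RE = re.compile(r"(?<!\d)\d{13,19}(?!\d)")
# Track 2: PAN '=' expiry YYMM, 3-digit service code, discretionary data
TRACK2_RE = re.compile(r"(?<!\d)(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)")


def luhn_ok(digits: str) -> bool:
    """Mod-10 check that separates PANs from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """PCI DSS display rule: at most the first six and last four in the clear."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def chip_card(service_code: str) -> bool:
    """A service code starting with 2 or 6 marks a chip card; an issuer that sees
    such a card arrive as a plain mag-stripe swipe has reason to decline it."""
    return service_code[0] in "26"


def scan_segment(segment: str) -> list:
    """Findings for one captured segment: Track 2 matches first, then bare PANs."""
    findings, seen = [], set()
    for m in TRACK2_RE.finditer(segment):
        pan, yy, mm, sc, _disc = m.groups()
        if luhn_ok(pan):
            findings.append({"kind": "track2", "pan": mask(pan),
                             "expiry": f"{mm}/{yy}", "service_code": sc,
                             "chip_card": chip_card(sc)})
            seen.add(pan)
    for m in PAN_RE.finditer(segment):
        pan = m.group(0)
        if pan not in seen and luhn_ok(pan):
            findings.append({"kind": "pan", "pan": mask(pan)})
            seen.add(pan)
    return findings


def scan_capture(segments) -> list:
    """Index every segment that leaks card data; clean segments are omitted."""
    report = []
    for i, seg in enumerate(segments):
        found = scan_segment(seg)
        if found:
            report.append({"segment": i, "findings": found})
    return report


if __name__ == "__main__":
    for entry in scan_capture(SAMPLE_SEGMENTS):
        print(entry)
```

Run against a memory dump from a register or a gateway's outbound capture, the same logic tells an investigator which messages left the building in the clear; a gateway can run it against its own egress before an intruder does. The Luhn filter is what keeps serial numbers and timestamps out of the report, and the masked output means the scan itself does not create a new store of cardholder data.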
PCI provides guidance, not guarantees
Chris Bucolo, ControlScan's Senior Manager of Security Consulting, noted that hackers have become more advanced, sophisticated and innovative at exploiting vulnerabilities in merchant and processor environments, prompting some clients to debate the overall effectiveness of Payment Card Industry (PCI) Data Security Standard (DSS) security.
"Some of our clients claim that PCI security doesn't go far enough because you can pass a couple of tests but still be at risk for a data breach," Bucolo said. He added that PCI is designed to provide guidelines but not guarantees. He recommended that payment professionals and merchants perform due diligence when vetting prospective service providers and make sure they fully understand the potential providers' security practices. He would like to see more clients push for detailed explanations about the ways in which service providers manage security.
"We encourage clients to ask the tough questions," Bucolo said. "When their processor says, 'We're compliant,' clients can ask processors how frequently they test security levels and how they assess the compliance of other third-party service providers in their networks."
Build relationships with trusted TPSPs
ControlScan is a member company of Third-Party Security Assurance Group, a special interest group of The PCI Security Standards Council (PCI SSC) that's focused on security best practices by TPSPs. The committee published a report in August 2014 providing guidance to businesses that use TPSPs to "store, process, or transmit cardholder data on the entity's behalf, or to manage components of the entity's cardholder data environment (CDE), such as routers, firewalls, databases, physical security, and/or servers."
The comprehensive 44-page report covers everything from how to identify an appropriate TPSP to how to perform risk assessments and maintain a satisfactory, ongoing relationship with aligned interests and optimal security practices. The guidelines list five milestones in a business relationship with a third party: setting expectations, gaining transparency, establishing communications, requesting evidence and obtaining information about PCI compliance.
The report gives several reasons that justify the time and effort involved in developing and implementing a strong TPSP monitoring program. Such a program:
  • Improves the security of the cardholder data environment
  • Sets expectations for businesses and their service providers
  • Keeps the lines of communication open with a formal monitoring program
  • Shows businesses how to actively participate in protecting their card data environments by taking a proactive—instead of reactive—position
  • Can demonstrate compliance with a key section of the PCI DSS if requested by a party performing an assessment
Biff Matthews is President of CardWare International, a full-service provider of hardware, software, supply logistics and call center services in Heath, Ohio. Matthews saw similarities in the PCI SSC guidelines and the federal guidelines that require banks to know their customers. He noted that all financial institutions, ISOs and merchant level salespeople should really know their vendors, including the individuals who download their POS and PIN entry devices.


Matthews advised to ask plenty of questions before establishing a working relationship. "Is that service provider PCI compliant, and a certified ESO [encryption services organization]?" Matthews said. "Don't hesitate to validate their computer system, physical location security and perform employee background checks. Be secure."