The Official Publication of the Electronic Transactions Association | September 2010
COVERT OPS
FS-ISAC President and CEO William B. Nelson reveals how this quiet organization strives to keep merchants safe
ALSO INSIDE: Level 4 Compliance Best Practices | Pace Slows for Startups | 2010 Strategic Leadership Forum Preview
Transaction Trends | The Official Publication of the Electronic Transactions Association
Vol. 15 | No. 9

Cover Story
10 Covert Ops
By Julie Ritzer Ross. Every day, the Financial Services Information Sharing and Analysis Center works behind the scenes to protect the U.S. financial infrastructure. President and CEO William B. Nelson explains how.

Features
14 The Education of Level 4
By Richard H. Gamble. The July 1 deadline has passed, but getting small merchants compliant remains tough. Experts share tips for getting them on the bandwagon.
18 Special Series: Startup Stories: Slow, But Steady, Wins the Race
By Julie Ritzer Ross. Progress cools off for our three new ISOs.
20 Preview: 2010 Strategic Leadership Forum
Get an insider’s look at the high-impact, high-level discussions planned for ETA’s Strategic Leadership Forum.

Departments
5 President’s Message: Insights from ETA’s elected leader
6 Industry News: Trends, strategies, and news in the payments business
8 ISO Corner: Streamlining operations during tough times
22 Data Security: Fundamental tips for keeping merchants secure
Industry Insider: Ardent Giving Solutions helps nonprofits raise much-needed money
Ad Index

Transaction trends | September 2010 3
Electronic Transactions Association
1101 16th Street NW, Suite 402, Washington, DC 20036
202/828-2635, www.electran.org
ETA Chief Executive Officer: Carla Balakgie
ETA Director, Communications & PR: Thomas Goldsmith

Transaction Trends Publishing Office: Stratton Publishing & Marketing Inc., 5285 Shawnee Road, Suite 510, Alexandria, VA 22312, 703/914-9200
Publisher: Debra Stratton
Features Editor: Angela Hickman Brady
Managing Editor: Josephine Rossi
Art Director: Janelle Welch
Contributing Writers: Brad Caldwell, Richard H. Gamble, Bryan Ochalla, Julie Ritzer Ross
Advertising Sales: Steve Schwanz or Fox Associates (800/440-0232; adinfo.eta@foxrep.com)
Fox Associates Offices: Chicago 312/644.3888; Atlanta 800/699.5475; Los Angeles 213/228.1250; New York 212/725.2106; Detroit 248/626.0511; Phoenix 480/538.5021
Ad Production/Billing: Carrie Wood

Editorial Policy: The Electronic Transactions Association, founded in 1990, is a not-for-profit organization representing entities who provide transaction services between merchants and settlement banks and others involved in the electronic transactions industry. Our purpose is to provide leadership in the industry through education, advocacy, and the exchange of information. The magazine acts as a moderator without approving, disapproving, or guaranteeing the validity or accuracy of any data, claim, or opinion appearing under a byline or obtained or quoted from an acknowledged source. The opinions expressed do not necessarily reflect the official view of the Electronic Transactions Association. Also, appearance of advertisements and new product or service information does not constitute an endorsement of products or services featured by the Association. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided and disseminated with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice and other expert assistance are required, the services of a competent professional should be sought.

Transaction Trends (ISSN 1939-1595) is the official publication, published monthly, of the Electronic Transactions Association, 1101 16th St. N.W., Suite 402, Washington, DC 20036; 800/695-5509 or 202/828-2635; 202/828-2639 fax. Postage paid at New Richmond, Wisconsin and additional mailing offices. POSTMASTER: Send address changes to the address noted above.

Copyright © 2010 The Electronic Transactions Association. All Rights Reserved, including World Rights and Electronic Rights. No part of this publication may be reproduced without permission from the publisher, nor may any part of this publication be reproduced, stored in a retrieval system, or copied by mechanical photocopying, recording, or other means, now or hereafter invented, without permission of the publisher. Nonmembers, government agencies, $150 per year; single copy, $20. Subscriptions are available for 12-month periods only, at the quoted rates.
President’s Message
Forum Focus: Idea Exchange
Our business is changing at a dizzying pace. There is much uncertainty out there: What will the broader economic outlook mean for us? How will ground-breaking payments law affect the business? How can companies not only cope, but also take advantage of opportunities and succeed? To find out, you might go to the trouble of rounding up, in one place, industry leaders and prognosticators. You might organize panels full of the best talent to discuss critical issues. You might call hundreds of people to join you, so that they could talk to you and one another to share information. You might. But you won’t. And you need not. Because the ETA will do that for you. We have it all worked out. We have thought about what you need to know. We have called upon those who can impart that information to you. We have encouraged thought leaders and peers to attend. And they will all be at the 2010 Strategic Leadership Forum at The Breakers in Palm Beach, Florida, October 26-28. The Forum is the only industry event that focuses participants on the strategies they’ll need to grow their companies. That makes the program unique and draws the sharpest, most successful executives there. The meeting is where critical strategic questions are raised. The more intimate setting ensures that nothing is handed down from the stage—it’s all put on the table for discussion. Opinions are freely given. Assumptions and ideas are measured against the collective knowledge and experience of more than 300 veterans of the business. The event brings together today’s and tomorrow’s industry leaders. They share a commitment to their businesses and our industry. They also know that to make good on those commitments, they need an informed vision that looks beyond the next quarterly report. The topics for discussion this year are industry dynamics, technology, and critical business issues. For each topic area, Forum planners have assembled an impressive collection of speakers.
Don’t miss the Forum preview in this issue of Transaction Trends. It’s worth your time to take a look at that article and get registered. The past two years have been characterized as a turning point in the history of the payments business. Business models are changing, the underlying economics are shifting, and the road ahead is anything but clear. If you’re a regular Forum attendee, be sure to join us in October. The 2010 event promises to be one of ETA’s best. If you’ve never attended a Forum, it’s time to step up and be a part of the future of our industry. Either way, I look forward to seeing and exchanging ideas with you in Palm Beach.
Warm regards,
Holli Targan
Holli Targan is president of ETA and a partner at Jaffe, Raitt, Heuer & Weiss, P.C.
Industry News

Restaurant and Retailer Card Sale Declines Moderate
“Main Street” brick-and-mortar retailers and restaurants experienced the 11th consecutive quarter of year-over-year credit and signature debit card sales declines, continuing a trend that began for restaurants in Q3 2008 and for retailers in Q2 2007, according to the most recent Small Business Credit Sales (SBCS) Report by Capital Access Network Inc. (CAN). Same-store card sales for Q2 2010 also dropped about 6 percent from their Q2 2009 levels, the lowest year-over-year declines since Q4 2008. “The data indicate that businesses that have been operating for 10 to 15 years experienced less year-over-year card sales decline in the second quarter than newer businesses this quarter,” says Glenn Goldman, CAN’s president and CEO. “A bright spot also appeared in the restaurant sector. Higher-end restaurants experienced year-over-year card sales growth for the first time in seven quarters. Overall, while card sales are still declining, the trends are moderating, and if they continue, we may see card spend growth across all sectors and markets some time in 2011.”
Other highlights from the report:
• Year-over-year credit sales declines seem to be moderating. The Q2 2010 figures are consistent with the Federal Reserve’s Statistical Release, which reported consumer credit is down at an annual rate of more than 4 percent.
• For seven quarters, all size cities have experienced declining year-over-year same-store credit sales. Larger cities (populations of 1 million or more) have been hardest hit since Q4 2008.

[Infographic: Payment Type Mix: Dollar Volume (Visa and MasterCard Q1 2010). Credit and debit dollar-volume shares charted as 45.1% / 54.9% and 45.7% / 54.3%. Source: ETA/Strawhecker Group’s U.S. Economic Indicators Q2 2010 Report]

Visa Launches MicroSD-Based Contactless System in Turkey
Customers of Turkish retail bank Akbank will soon be able to use a microSD-based mobile payments system, according to a press release from Visa Europe. The company has partnered with the bank and technology provider DeviceFidelity to bring contactless payments to Turkey, and plans further expansion. Because relatively few mobile devices have integrated near field communications (NFC) technology, the solution lets smartphone owners use mobile payments features via DeviceFidelity’s In2Pay microSD card slot and Visa’s contactless technology. The project will begin with a number of Blackberry handsets popular with Akbank’s customers and will expand to include devices from manufacturers including HTC, Samsung, LG, Nokia, and Motorola. The microSD card can be used for digital data storage as well.

Youth Cards Present Marketing Opportunity
Prepaid cards that carry network brands are gaining in popularity, but primarily as gift cards, according to Cardbeat, a research report published by Auriemma Consulting Group. Of the 528 cardholders who participated in the Cardbeat survey, 42 percent of respondents have claimed they have received an open-loop gift card in 2010 compared with 26 percent in 2005. In particular, youth-oriented, general-purpose reloadable cards were shown as an area of potential growth for the prepaid sector; about one third of parents surveyed were receptive to the product. “Prospect parents liked the idea of their child having a card to use in an emergency (64 percent) and felt the card offered greater security for their child than carrying cash (59 percent),” says Nancy Stahl, editor of the report. “Issuers should emphasize the security benefits and position the product as a prepaid debit card, which many consumers perceive as safer than a credit card.”
ISO Corner
Recession’s Silver Lining
Rocky economy offers opportunities to introduce automation and sharpen business strategy By Richard H. Gamble
When the recession began to take hold, many ISOs and acquirers began streamlining operations to cope. For some, however, the changes revealed new revenue opportunities and imparted lessons that will carry into future business planning. Seizing opportunities in a weak economy, Total Merchant Services of Basalt, Colorado, expedited several projects, according to Scott Mabry, chief operations officer. First, the company consolidated two call center work groups into one and cross-trained all call center staff to respond to any type of inquiry. This provides for “better staff utilization and reduced wait time for merchants,” says Mabry. TMS also re-engineered its application processing work, using Lean Six Sigma methods, and now a group of four people manages the process, rather than one person processing each application. Mabry says the change cut costs by 25 percent and reduced processing time from one to three days down to as little as 30 minutes. The company also continues to use “intelligent automation” to guide service representatives through common tasks, such as terminal swaps and account cancellations. “Now, we can process these requests in a more automated and accurate manner,” says Mabry. “What used to involve two or three people and hours, if not days, can be done in seconds, in real time, during a phone request.
“All of the things we’ve accomplished are permanent improvements, not Band-Aids to get through lean economic times,” Mabry notes. “These are all smart initiatives that we intended to do at some point. Now we have the time and resources to get them done.”

Sharper Focus
Streamlining in a down economy for ACCELERATED Payment Technologies (APT), in Pleasant Grove, Utah, meant divesting itself of the POS software line of business to focus exclusively on being a high-tech ISO, explains CEO Roy Banks. “In a challenging economy like this one, you don’t want to be distracted with multiple lines of complementary businesses. You want to focus on what you do best and where your growth prospects are brightest and do it even better,” he says. Because APT is now selling tools that leverage technology to reduce the traditional operating expenses of relying heavily on people and paper, he figures that he’s streamlining the business to sell streamlining services to his clients. “Companies, including us, need to find new, more efficient ways to operate our businesses while we drive revenue growth,” he points out. “We’re investing heavily in technology that replaces operations procedures that don’t bring efficiencies.” Unlike many other ISOs, APT is not burdened by a need to borrow money to fund its investments in technology or its acquisitions of other ISOs. It was bought by a private equity investor in 2008 and taken private. Among its efficiency-enhancing technology investments are a new payment gateway processing platform, customer relationship management system, and a new IP-based phone system, Banks reports.

“Companies need to find new, more efficient ways to operate our businesses while we drive revenue growth.”
—Roy Banks, ACCELERATED Payment Technologies

Time to Build
If streamlining means economizing, Joyce Cook is not interested. The CEO of International Cybertrans, an ISO based in Nashville, sees the current economy as a golden opportunity to spend more money and expand the business. That’s largely due to the availability of good people at reasonable prices. “We’re increasing our sales force. We’ve been able to hire good regional managers and support them in building sales in their territories,” she explains. “We’re interviewing and hiring aggressively and spending down cash reserves to do it,” reports Cook, the sole owner of the ISO. “Whatever we do is self-funded. Basically, I’m investing in myself. We’re not cutting back at all, and we never had to. We see the cutbacks that our competitors are making as an opportunity for us.” In the current economy, there are better opportunities to hire managers than to hire salespeople, Cook reports. “At the manager level, there are people who want the jobs at reasonable compensation. They are willing to take less up front in order to advance a solid career with a stable company. It’s still a challenge to find competent, motivated sales reps.” Rather than entering new markets, International Cybertrans is focused on increasing penetration in markets it has traditionally served, Cook adds. Along with expanding staff, the ISO has brought products and services it previously had outsourced in-house.
Similarly, electronic payments consultant Paul Martaus is skeptical of streamlining. “You don’t wake up in a recession and discover a need to be efficient. If you are a good business leader, you built an efficient organization and the people and processes are all justified. A lot of streamlining is gaining short-term profitability by sacrificing long-term viability,” insists the president of Martaus & Associates in Mountain Home, Arkansas. Lay people off and double up on duties and you increase productivity on paper, but you have to worry about what isn’t being done and what damage that could cause over time, Martaus insists. “Cutting corners can be a fatal mistake.” Of course, continuing to spend money you don’t have can also be fatal, he concedes.
Richard H. Gamble is a contributing writer to Transaction Trends. Reach him at gamble10@earthlink.net.
[ COVER STORY ]
Up Close: COVERT OPS
William B. Nelson talks about the FS-ISAC, a collaborative effort of financial services companies and federal agencies to minimize data security threats
By Julie Ritzer Ross
Photo by James Kegley
Information sharing is essential to protecting the infrastructure of the financial services sector and minimizing the effects of cyber and physical attacks on and threats to financial data, according to Dulles, Virginia-based Financial Services Information Sharing and Analysis Center (FS-ISAC). FS-ISAC was launched in 1999 by the financial services sector in response to a Presidential Directive that mandated the public and private sectors share information about physical and cyber security threats and vulnerabilities to help protect the country’s critical infrastructure. The group’s mission, in collaboration with the U.S. Department of Treasury and the Financial Services Sector Coordinating Council (FSSCC), is to “enhance the ability of the financial services sector to prepare for and respond to cyber and physical threats, vulnerabilities, and incidents, and to serve as the primary communications channel for the sector,” explains William B. Nelson, FS-ISAC president and CEO.
FS-ISAC is the designated operational arm of the FSSCC, a group of more than 30 private-sector firms and financial trade associations that works to help reinforce the financial services sector’s resilience against terrorist attacks and other threats to the nation’s financial infrastructure. The FS-ISAC assists both FSSCC and the Department of Treasury in identifying, prioritizing, and coordinating the protection of critical financial services, infrastructure services, and key resources, as well as by facilitating the sharing of information. Transaction Trends recently talked with Nelson to learn more about the organization’s work and priorities.
Transaction Trends: How is FS-ISAC progressing against its objectives? What are some examples of recent achievements?
Nelson: While we have much work to do, we have come very far in the past few years in fulfilling both pieces of our mission. At our inception, member-to-member information-sharing was the exception rather than the rule, with many players operating under the assumption that talking about these issues would give something away to the competition. However, this is no longer the case; more and more “sources” are approaching us with information about threats or incidents within their organizations. The more diverse the sources from which we draw information, the more effective our members can be in preparing for and responding to all cyber and physical threats. While member education has helped to foster anonymous information-sharing, other initiatives introduced have pushed the envelope. For example, we now provide an anonymous information-sharing capability across the entire financial services industry. Upon receiving a submission, industry experts verify and analyze the threat and identify any recommended solutions before alerting members. Just as our support of anonymous information-sharing allows us to meet our goal of serving as a sector communications hub for timely, accurate cyber and physical threat information, so, too, does our Critical Infrastructure Notification System (CINS). CINS lets us speed security alerts to multiple recipients near-simultaneously, while providing for user authentication and delivery confirmation. Moreover, it ensures that member firms are clued in on the latest tried-and-true procedures and best practices for guarding against known and emerging security threats. Consistent with our objective to provide an effective forum for information-sharing within the financial services sector, other critical infrastructure/key resource organizations, and the U.S. government, we are engaged in a four-member pilot with the Department of Defense. The pilot is aimed at creating an information-sharing framework around the massive amount of threat signatures seen at the federal level.
As far as the push to identify and implement new services that add value to the membership, FS-ISAC recently formed an Account Takeover Task Force. The task force has three working groups that have been charged with developing and recommending tools to stop those attempting account takeovers from succeeding with their plans.
Toward the same end, we last year formed the Payments Processing Information Sharing Council (PPISC), an information-sharing forum geared specifically toward the payments processing community and its special needs. PPISC opens lines of communication and collaboration among processors, with the intention that the greater the openness and the higher degree of collaboration, the stronger the barrier against the specific threats to these industry players and the organizations they serve.

Transaction Trends: Can you share a few case studies to illustrate the role FS-ISAC has played in cyber and physical incidents that threatened data security?
Nelson: Hurricane Katrina, in August of 2005, represents a good example. As news of the storm’s approach became widespread and mandatory evacuation orders were issued, we raised the alert level for the financial services sector. In the aftermath, daily updates on the impact to the financial services community, as well as real-time information on such critical infrastructures as transportation, telecommunications, water, and health care, were issued. Information on processes for requesting assistance, such as loans for hurricane victims, was disseminated to our constituency. We also issued special reports about economic and other impacts brought upon by the storm. In another instance, an e-mail scam was perpetrated on retail financial services customers. Keystroke monitoring software was secretly installed on company computers to capture customers’ account information. A total of 16,000 “keystroke logs” containing customer information were found on an online “dumpsite” and provided to us. We provided a list of compromised accounts to member institutions. These accounts were legitimate and were locked by the bank to protect against fraud, and account owners were notified. Involvement with FS-ISAC saved the financial institution from monetary loss. We also cooperated with the Department of Homeland Security, the U.S. Secret Service, and the FBI on the post-incident investigation.

Transaction Trends: Between February 9 and 11 this year, FS-ISAC conducted the Cyber Attack Against Payment Processors (CAPP) Exercise. What was this exercise, and what spurred it?
Nelson: The impetus for CAPP was a need to achieve six strategic objectives, which, if unattained, would foster continued data vulnerabilities and exposure to risk. Our first goal was to test the ability of financial institutions, card processors, business/government users, and retailers to respond to major cyber attacks against payment processes of all types. We also wanted, through an analysis of data from surveys completed by participants at the end of the exercise, to raise financial firms’ awareness of cyber threats to their enterprises, processors, and customers; recommend improvements to cyber incident response procedures; evaluate and develop appropriate risk mitigation recommendations in response to cyber attacks against payment processes used in the exercise; engage participants going forward on the need to share threat, vulnerability, and incident information; and develop an “after-action” report to be used for workshops, webinars, and ongoing educational sessions regarding lessons learned from this endeavor.
The exercise, which was voluntary with no charge to participants, consisted of four separate components involving four separate sectors: processors, retailers, business/government users, and financial institutions. Participants included processors, retailers, business/government users, and organizations from the financial sector. We subjected each processor to a spear phishing attack directed at one of its executives, as well as to a Distributed Denial of Service (DDoS) attack. The successful infections resulted in malware that spread through processors’ internal networks, quickly locking out enough internal and customer accounts to swamp the help desk. The networks became so ineffective that many employees attempted to work at home using their laptops, but because the laptops were infected, the problems continued to spread faster than it was possible to clean up machines. On the second day, numerous “card-not-present” charges were found to be fraudulent, and it became evident that an organized crime ring had stolen enough data to manufacture working debit cards for 100 percent of the customers in the processor database.
The retail attack scenario featured two independent attacks, with the first beginning when law enforcement issued a notification about a wave of fraudulent gift card returns. Criminal activity in this area can be difficult to detect. Point-of-sale (POS) systems were found to be compromised at the time of the fraudulent transactions. A second attack started when accounts payable operations fell victim to a targeted spear phishing attack. Clicking a link in an e-mail made to appear as if it had been sent to a manager by a family member resulted in the loading of malicious software. The attackers subsequently gained full access to the companies’ electronic online banking systems.

Transaction Trends: Based on that exercise, what should ISOs and processors—as well as their merchant customers—do to improve enterprise security and decrease operational risk?
Nelson: Both ISOs and merchants must educate their employees and customers about specific and general risks to data security, taking into account social engineering and imparting a list of computer security best practices. Building internal relationships and, in turn, engaging in cross-department event/incident sharing, is critical, as is installing dedicated, non-networked computers for accessing online banking and initiating payments. Assessing existing information security technologies and practices and all software and hardware systems in place also ranks high on the list, along with implementing fraud detection and predictive analysis solutions. Long-term infrastructure solutions, not short-term fixes, need to be developed. Merchants must actively and consistently monitor card reversal transactions in order to truly detect fraudulent activity; instituting procedures for handling these transactions is paramount. Finally, all sectors must partner with law enforcement agencies to decrease exposure to risk and share even the smallest bits of information about possible problems. Remember that above all, knowledge is power.
Julie Ritzer Ross is a contributing writer to Transaction Trends. Reach her at jritzerross@gmail.com.

More About FS-ISAC
The organization’s strategic objectives—derived from founder and federal agency feedback—include:
■ providing an effective forum for information-sharing within the financial services sector, with other critical infrastructure/key resource (CI/KR) organizations, and the U.S. government;
■ offering, through subject matter expert analysis, feedback to the FSSCC and the Financial and Banking Information Infrastructure Committee (FBIIC) on relevant threats, vulnerabilities, and incidents;
■ identifying critical financial services sector operational support issues and requirements, and articulating them to the Department of Treasury and Department of Homeland Security;
■ and serving as the sector communications hub by conveying timely and accurate cyber and physical threat information and vulnerability/incident alerts to its membership.
The organization also serves as the sector communications hub during emergencies by delivering rapid notifications and communications to and among the FS-ISAC and FSSCC members; identifies and implements new services that add value to the membership and support the mission of the FS-ISAC; and collaborates with the Department of Treasury and the FSSCC to foster awareness of the benefits of information-sharing within the sector, among additional CI/KR organizations, and with the government. FS-ISAC also educates the financial services sector on key infrastructure protection issues, vulnerabilities, threats, risk management, and compliance issues; and coordinates with other public and private sector CI/KR organizations to ensure sector awareness and emergency preparedness. The nonprofit organization currently has 4,200 members, including financial service firm provider organizations (among them processors and ISOs); banking firms and credit unions; securities firms; insurance, credit card, and mortgage banking companies; financial services sector utilities; and “appropriate” financial industry associations. Five membership levels are priced at $850 to $49,550 per year. Member benefits, which are based on the tier of service selected, include early notification of security threats and attacks, anonymous information-sharing across the financial services industry, regularly scheduled member meetings, biweekly conference calls, webinars, and more. Members can access threat information and news pertaining to their particular area of operation via a password-protected, customizable Web portal.
[FEATURE]
The Education of Level 4
With a curriculum of constant communication and several high-tech tools, growing numbers of small merchants make the grade
By Richard H. Gamble
KEY NOTES
■ Now that the compliance deadline has passed, the card schemes will be less lenient, says one expert. “That was the date when excuses ran out.”
■ If software vendors will only sell and distribute compliant applications, then the merchants who use those products will not be storing card data and will be “de facto compliant,” but many legacy systems are still in use.
■ Communications supporting compliance must be multi-faceted and multimedia, using mailings, e-mail, text messages, and phone calls.
■ Too often, PCI compliance is viewed as a technology challenge when many Level 4 merchants don’t use much technology at all. It’s not their terminals or software applications that need to be fixed; it’s the way they handle cards and card numbers.
The July 1 deadline for all small (Level 4) merchants to be using PCI compliant software or be fully PCI compliant was a milestone, but not the finish line. The deadline’s approach prompted acquirers to step up education efforts, employ creative marketing techniques, and generally encourage or mandate that their merchants comply, says Doug Klotnia, executive vice president for product and strategic sales at Chicago-based Trustwave, an information security and compliance solutions firm. “Programs that had been optional are now mandated, with fees that are automatically charged to uncooperative merchants. We’ve seen a real change in the past 18 months. The mandates now have teeth.”

Now that the deadline has passed, “the card schemes will be less lenient,” predicts Kurt Schaeffer, senior vice president of operations at Global Payments in Atlanta. “That was the date when excuses ran out.”

But a “mandate” with a firm deadline can be less definitive than it seems. “The card schemes can declare mandates and set deadlines, but if the acquirers don’t enforce them, not much happens,” Klotnia points out. And the problem is the sheer mass of the Level 4 universe, the lack of technological sophistication among these small merchants, and the questionable economics of converting every last one of them.

When you get down to really small merchants, universal PCI compliance may be cost-prohibitive, notes Donna Embry, senior vice president for strategic product development at Payment Alliance International in Louisville, Kentucky. “Go to an art fair or flea market and watch the way vendors there write down credit card numbers by hand or use a knuckle-buster to imprint the full number on a paper slip they carry around,” she suggests. “Are you really going to convert those merchants to PCI compliance?”

And how badly do you need to? Security breaches at Level 4 merchants usually occur because a person steals a card number, not because a hacker breaks into stored data, Embry explains. “It’s mostly perpetrated by employees who handle cards physically, and PCI compliance won’t stop that. You can mandate compliant software, but a lot of the compromises don’t involve software. The hackers go after the gateways and networks where there are lots of numbers.” That is where PCI compliance efforts have been properly focused, she says.
Built-In Compliance
Instead of pursuing individual mom-and-pop merchants, acquirers have found a more efficient way to attack the problem: They go after software vendors, a much smaller, more sophisticated, and more cooperative group. “If you can get the vendors to only sell and distribute compliant applications, then the merchants who use those products will not be storing card data and will be de facto compliant,” Schaeffer says. The challenge is one of marrying Level 4 merchants with compliant software applications, which is more manageable than getting them to build a secure IT infrastructure. “Most Level 4 merchants are mom-and-pop businesses. They’re responsible for their data security, but they don’t employ software network engineers and they can’t tell you very much about the software they’re using.”

It’s relatively easy to enforce a mandate when merchants are boarded, when they change processors, or when they install new equipment provided by the acquirer, processor, or ISO, Embry says. But merchants that simply drift along within the status quo are very difficult to detect unless something goes wrong like a breach. “I’m not seeing any systematic review of all old accounts to determine compliance,” she says. “The numbers are just too great.” But when it comes to boarding new merchants, “underwriting will turn them down if they’re not using the right version of the right software.”

Even with a software focus, huge numbers of legacy applications are in use. Each vendor has multiple model numbers and multiple release numbers. “It’s an unbelievably complex task to identify them all and see whether they pass the PA-DSS (Payment Application Data Security Standard) test,” says electronic payments consultant Paul Martaus, president of Martaus & Associates in Mountain Home, Arkansas.

However, not every small merchant has to be converted, Schaeffer points out. “The vast majority of these merchants don’t use third-party applications. We already know what they’re using, because we provided the applications and know them to be compliant. These merchants are not a concern. The group that is a concern is a minority subset of a whole merchant portfolio.”
Communicating Compliance
Getting small merchants to meet PCI compliance standards has been going on long enough that best practices have been developed and are paying off for people like John Bartholomew, vice president of sales at SecurityMetrics, a PCI compliance and data security firm based in Orem, Utah. The first step is to get senior management buy-in at the ISO or acquirer level, he says. “The marching orders have to be clear as to which groups of merchants are to be targeted and what incentives will be used.”

Then it’s all about communication, says Bartholomew, who undertakes some of that communication on behalf of SecurityMetrics clients. “You can’t overestimate the importance of communication. It needs to be multi-faceted and multi-media.” A standard mailing or message on statements will get a low response, he says. “You have to repeat and repeat and repeat, using mailings, e-mail, text messages, and phone calls.”

But with the right messages from the ISO or acquirer and enough repetition, it can work impressively, Bartholomew says. He’s worked with one acquirer that has 3,700 merchants and 99 percent of them are enrolled in PCI compliant programs. Another acquirer has reached 96 percent. A larger one with 20,000 merchants has reached 80 percent compliance. Generally, the larger the acquirer or ISO, the more merchants will be compliant but a lower percentage of the total, he notes.

While hitting 90-some percent is exceptional, Schaeffer insists that Global’s Level 4 merchants that are not using PCI-compliant applications are now “anomalies. Nobody can be perfect, and a compliant merchant today could buy a noncompliant application tomorrow and we wouldn’t know,” he says, “but we don’t have many that are not compliant.”

The acquirers and ISOs that get above 80 percent compliance generally run at least three communication campaigns, each with multiple messages. “You run a campaign. Then you reload and run another one. Then you do it again. That’s how you get the small merchants engaged,” Bartholomew says.
In its communication campaigns, SecurityMetrics always uses the brand that merchants recognize as their card processing connection, be it an ISO, processor, gateway, or bank, Bartholomew reports, and all the messaging is determined by and comes from the ISO or acquirer.
Incentivizing Compliance
Besides repetitive communication, incentives can help to convert small merchants to PCI compliance, Bartholomew says. Generally, the incentive is notice that a fee will be charged if the merchant has not complied by a deadline. But fees really are a minor part of the effort to achieve compliance, says consultant Cliff Gray, an associate of the Strawhecker Group. They come in several flavors and are often called noncompliance fees, but many acquirers use them not so much to compel compliance as to build a slush fund to cover expenses when a breach occurs, he explains. But “there’s no evidence that fees drive compliance,” Gray says. “Merchants whine but pay them as a cost of business. At best, they have a small impact on compliance.”

Global uses a “generic PCI fee” that most of its merchants pay, Schaeffer says, but they don’t call it a penalty fee. Global relies on persuasion, “educating them that there are serious repercussions, financial and reputational, to a breach, and that it is in their best interest to support safety and security.”

A personal interview is another tactic. In other words, sit down with the merchant to determine just what card-handling practices they’re using and what steps they need to take to comply, Bartholomew suggests. “A lot of small merchants won’t have much technical expertise. A preliminary interview allows us to classify the merchant in the right category. It isn’t always obvious to the merchant which bucket they belong in. If they pick the wrong one, they’ll go through a lot of frustration and encounter a lot of technical questions they can’t handle and don’t really need to,” he says. “It can be a hard enough process when you start with the right bucket. They often need guidance, and giving them guidance and removing roadblocks will do a lot to encourage them to comply,” he explains.

Too often, PCI compliance is viewed as a technology challenge when, in fact, many Level 4 merchants don’t use much technology at all, Bartholomew says. It’s not their terminals or software applications that need to be fixed; it’s the way they handle cards and card numbers. In this low-technology Level 4 universe, 70 percent of merchants don’t use the Internet at all for transaction processing, he points out.
Innovating Compliance
Various high-tech tools are also vying to be part of the solution. Trustwave’s TrustKeeper Agent works automatically and reports daily to the merchant and the acquirer on the status of any point-of-sale applications the merchant may have running and whether they are PCI DSS-compliant, Klotnia explains. “It will show what is not compliant and how much risk it poses,” he explains. If track data is stored anywhere on the merchant’s system, this software will reveal it. “It’s a powerful tool, much better than simply relying on self-assessment questionnaires,” says Klotnia, who adds that about 80,000 copies of the software have been installed.
What will really solve the PCI compliance challenge? The coming of tokenization and end-to-end encryption, insists Gray. When they are properly implemented, merchants will never see a card number. “They will be near-compliant right out the door. All they would have to do is fill out a questionnaire and they’re done.”

Heartland Payment Systems of Princeton, New Jersey, which has invested heavily in end-to-end encryption and has recently rolled out its core product, is betting that encryption will be the answer to PCI compliance. “We’re seeing pretty quick up-take by merchants of all categories, including Level 4,” reports Steve Elefant, chief information officer.

Everything helps, but education seems to be helping most of all. “Merchants are getting smarter about PCI and liability,” says Gray. “Most of them want to be compliant for the right reasons, to be safe and keep the system safe.”

Richard H. Gamble is a contributing writer to Transaction Trends. Reach him at gamble10@earthlink.net.
Startup Stories: Slow, But Steady, Wins the Race
A special series following three newly launched ISOs (11th installment)
Entrepreneurs grapple with unforeseen delays in their progress
By Julie Ritzer Ross

ISOs We’re Following:
» ACCELERATED Payment Technologies, Pleasant Grove, UT
» Leap Payments, Agoura Hills, CA
» Paymint Associates, Brooklyn, NY

LET US PROFILE YOUR COMPANY! If you launched a new ISO in the last 12 months and would like to be considered for the second Startup Stories series, contact abrady@strattonpublishing.com.
Slow, but steady, progress is the watchword for Transaction Trends’ three ISO startups. Some new initiatives are beginning to bear fruit, but at a less rapid clip than had originally been anticipated or with unforeseen complications. Yet at the same time, other efforts undertaken to bolster the bottom line and beat the competition are earning the stamp of success. “Stops and starts are something to be expected,” says Steven Feldshuh, vice president, business development at Paymint Associates. “Any new ISO that doesn’t recognize that, and work around it, is very short-sighted.”

Earlier this year, Paymint Associates signed an agreement with UP Solution, a Hackensack, New Jersey-based hardware, software, and payment processing services provider. The agreement calls for Paymint Associates to initially market the vendor’s POS system in tandem with a value-added reseller (VAR), and to subsequently become an UP Solution VAR under the umbrella of the latter’s reseller program. While Feldshuh believes the transition will eventually happen, the ISO is no longer in as much of a hurry to make a transition to full-fledged UP Solution VAR. “We are starting out very slowly not because of anything on (the vendor’s) end, but simply because the full process of getting merchants up-and-running on the POS system takes longer than we had thought,” Feldshuh explains. He considers merchants’ time frame for this process “drastically optimistic,” noting that proceeding through all of the necessary steps—from configuration, to establishing the proper connections, to staff training—is a far more complex endeavor than simply installing credit card terminals. Each step, he adds, further extends the time frame.

Qualifying new business owners for POS system financing has also proven to be difficult, unless the prospect in question has excellent credit. “So we are tiptoeing into this arena,” Feldshuh says.

Paymint Associates has also been slower to break out of the high-risk merchant processing gate—again as a result of the longer-than-expected time frame (three to five weeks) for boarding merchants. Underwriting requires “so many additional documents beyond the typical application, imprinted check, and proof of business,” Feldshuh says. Plus, several merchants whose applications the ISO has submitted to processors lack current financial statements or have filed for extensions on their corporate tax returns. Others merely receive spreadsheets, rather than the requisite processing statements, from their existing processors. “Getting high-risk merchants up-and-running requires a lot more energy from our staff,” Feldshuh says. “Hopefully, the greater profit margins from this venture” will render it worthwhile.

Meanwhile, Paymint Associates is reaping the benefits of a new alliance with Payment Alliance International (PAI) of Louisville, Kentucky. The ISO previously maintained a direct relationship with Global Payments, but made the switch based on its need for a complete support system that would enable management to focus on developing products and leads as well as becoming a reseller of POS systems. “Our goal is to remain a marketing/sales organization and be responsible for our own agent support,” Feldshuh says. “Moving under the PAI umbrella has eliminated concern about maintaining merchant support, and when we are overloaded, we can even have their infrastructure handle programming of terminals.”
Picking Up Speed
Meanwhile, Pleasant Grove, Utah-based ACCELERATED Payment Technologies has been experiencing some delay-related challenges of its own as it continues to “settle in” to its new integrated operating model. ACCELERATED was formed this past spring when CAM Commerce sold its point-of-sale software division to Robertson Piper Software Group (RPSG), enabling its integrated payments division to transition into an ISO/payment processing organization. In the integrated model, ACCELERATED’s proprietary payment technology interfaces with other software used by merchant clients.

“Refocusing a firm as comprehensively as we have is never going to be clear sailing,” says Richard Davis, director of business development. Collaborating with software resellers with which ACCELERATED’s payment processing solution is integrated has entailed a larger time investment than initially anticipated because of the need to assist reseller partners in “shouldering some of the burden of ‘putting right’ current software that hasn’t been updated or maintained as well as” the ISO would have liked, Davis explains. To speed up the process, ACCELERATED is assuming as much of this burden as its reseller partners, despite the fact that its own software doesn’t require tweaking to allow for flawless integration and utilization by merchant clients. “From the very beginning, our CEO, Roy Banks, made it clear to everyone that establishing deep relationships with our partners was the key to success and that it was everybody’s responsibility to ensure” all critical steps would be taken to attain that goal, Davis says.

Integration snafus have not deterred the ISO from introducing new programs. In mid-July, ACCELERATED was on the cusp of launching a new PCI compliance assistance program designed to effectively lead merchants through the steps needed to adhere to PCI mandates.
Out-Running Fraudsters
For Leap Payments Inc., an initiative to garner more exposure via the Internet has had positive effects—as well as an unanticipated adverse side effect. While the ISO’s enhanced online visibility via a more detailed Web site has brought a flurry of inquiries from prospective clients, it’s also made Leap Payments a target for criminal activities. “Criminals have set up new businesses with stolen identities, and are trying to establish merchant accounts so they can run transactions on stolen credit cards,” says Will Detterman, CEO. Several such “fraudsters” contact Leap Payments each week, and while Detterman and his team can generally recognize their true intentions, staying one step ahead of them is a challenge. “It’s not a new game these criminals are playing; it’s just unfortunate to see that the frequency is increasing and their sophistication, meaning we need to be vigilant,” Detterman says. “They obviously put a lot of time and effort into making everything appear legitimate, and it’s sad. If they put as much energy into a legal business venture, I think they’d be much better off in the long run.”

Over the past few months, the ISO has boarded several large merchants. “We’ve always thought of ourselves as the company to which merchants ‘graduate’ once they have been through the school of hard knocks with our competitors, but more prospects report that they are simply fed up with constant rate changes and statements that they can’t understand,” Detterman says.

The ISO now follows several practices intended to prove its integrity to potential and existing clients of all sizes. Among those practices is analyzing merchants’ monthly statements to ensure they’re receiving the best “deal” possible, and emphasizing to prospects that the “wholesale rates” promoted by some of Leap Payments’ competitors don’t save them any money. “The general concept of cutting out the middleman sounds good, but for financial services it simply doesn’t translate, as merchants are buying a service, not a product, and there aren’t multiple hands through which the service passes before it reaches merchants,” Detterman says. “Going direct to a processor for Visa/MasterCard defines the workings of most credit card processing organizations—so almost all rates are ‘wholesale’ rates. This is no great deal merchants are getting.”

The ISO also eschews the practice of charging merchants monthly “PCI non-compliance” or data security fees, regardless of whether or not they have certified that their businesses are compliant. Leap Payments works with its merchants to complete the PCI certification process, ensuring that they aren’t at risk for data breaches and avoiding the assessment of “junk” fees. “We believe that once merchants have completed the PCI certification process, they should not be charged a monthly fee for it,” Detterman says. “ISOs need to make money—but new programs, not sneaking fees onto statements, is the way to go.”

Julie Ritzer Ross is a contributing writer to Transaction Trends. Reach her at jritzerross@gmail.com.
[FEATURE]
Preview: 2010 ETA Strategic Leadership Forum
The Future of Payments, Today
October 26-28, 2010, Palm Beach, Florida

As fall settles around most of the country, leading electronic payments professionals will descend on The Breakers resort in Palm Beach, Florida, for three days of high-impact, high-level discussions on the future of the industry. ETA’s Strategic Leadership Forum (SLF) has become the most important high-level networking event for many of the industry’s leaders. Attendees will get a sharper view of what’s ahead and insights into how they can refine their strategic vision to outperform competitors when economic conditions improve.

The 2010 Forum will tackle three main topics: Electronic Payment Dynamics, Technologies and Products, and Critical Business Issues. Each will be the theme for multiple sessions, organized to help you make the connections and put all the pieces together. One important highlight will be a keynote address from Mort Kondracke, executive director and columnist for Roll Call, the nonpartisan Capitol Hill newspaper. A veteran journalist and political commentator, Kondracke will bring his unique perspective to bear on the electronic payments business environment.
Here’s a closer look at the sessions planned for the 2010 SLF.

■ Alternative Payments: Opening Up New Merchants or Competing for Your Income? The 2010 marketing launch of Square and the 10th anniversary of PayPal serve as interesting bookends to the alternative payments sector. What is the future of this dynamic and exciting space, and what are important trends that will determine the outcomes? What role does merchant aggregation play, and what determines when it is friend or foe? The rules have ostensibly been set for some time, but how do they affect alternative payment methods? How do different payment methods conform to the rules, or how will the rules conform to them? This session will explore all these areas, and more.

■ Economic Indicators & Trends: The changing economy has become an important variable that must be considered when doing business in the payments industry. This presentation will focus on macroeconomic data, explain what it potentially means for your company, and demonstrate how you can best prepare for the impacts of the underlying economic conditions. This “outsiders’” look at the payments industry will also show how the industry performed through the recession and why the payments industry is attractive to outside investors.

■ Industry CEO Roundtable—Sail On to Better Waters: This invigorating exchange of information, ideas, and insights will feature an unparalleled collection of industry veterans who have successfully navigated their companies through the recent economic storms and are now positioning their organizations for the waters ahead.

■ E2EE and Tokenization: All Encryption Is Not Created Equal—A Review of Encryption and Tokenization for Payment Card Data: Recently, we’ve all seen much discussion and many opinions regarding the strength of encryption and the value of tokenization related to protection of payment card data and PCI compliance. In the midst of a constant stream of press releases announcing data breaches and a persistently changing regulatory environment, how can acquirers, ISOs, technology providers, and merchants filter through the noise and make sense of what the market has to offer?

■ Mobile Technology Solutions—Is 2011 Finally the Year? Year after year, we continue to hear, “The time has come for mobile!” But the future requires—and merchants are asking for—mobility for a variety of reasons involving emerging technology, data security, and recent marketplace developments. These environmental changes include new PCI requirements, chip-and-pin expansion, new vertical markets, the emergence of smartphone apps, pay-at-the-table, line busting with scanning, and so many more that seemingly emerge every day. Solutions have come from all corners of the globe, leveraging competing technologies such as terminals vs. smartphones, direct connectivity vs. gateways, and integrated vs. standalone. Now more than ever, mobile technologies have a place across the globe.

■ Interchange: Interchange is no longer a secret. (Was it ever?) This session will review the current status on various state legislative actions, federal legislation, and what the merchant community is saying about interchange. Information about the results from other countries’ efforts to manage interchange will be covered. While interchange has been part of the landscape for many decades, we will hear about what’s driving the discussion now and how it will impact your business and the business of your customers.

■ Industry Economics—Alive and Well: Industry experts will discuss the impact of trends related to the positive shift from paper/cash to electronic payments, trends with same-store sales, and the development of new emerging market sectors and mobile payments. This session will also address interchange as part of the industry’s economic equation, as well as the privatization of previously publicly held companies or recapitalization of major industry participants using third-party debt, and recent actions of major industry bank-owned acquirers and sponsors to recapitalize and partner with other industry participants.

REGISTER TODAY: Visit www.electran.org/SLF10. Early deadline is October 1.

Schedule At-a-Glance
Tuesday, October 26
  5:30-7:30pm        Opening Reception
Wednesday, October 27
  7:30-8:30am        Networking Breakfast
  8:00-11:15am       Electronic Payment Dynamics
  11:15am-1:15pm     Technologies and Products
  2:00-6:00pm        Networking Activities
  10:00pm-Midnight   Afterglow Party
Thursday, October 28
  9:00am-12:30pm     Critical Business Issues

Of course, it wouldn’t be an ETA event without activities that are fun and that provide opportunities to rub elbows with your peers.
Consider taking advantage of the Breakers’ fine offerings with these ETA-planned activities:
■ Wine and Cheese Tasting—$90 per person (limit of 30 people): Experience this one-of-a-kind opportunity for both wine aficionados and novices alike that will combine wine appreciation, education, and the finer points of tasting wine.
■ Catamaran Cruise—$90 per person (limit of 35 people): The cruise includes beverages (beer, water, and soda), snacks, snorkeling gear, and music. Enjoy a guided three-hour cruise and see some of Palm Beach’s historical landmarks.
■ 9 Holes of Golf—$90 per person (limit of 40 people): With fairways that weave between sandy hazards, the Breakers’ Ocean Course rewards wit over power. (Sponsored by SecurityMetrics)
ISO Corner DATA SECURITY
Merchant Vulnerabilities Exposed
Seven common pitfalls every ISO should know—and every merchant must avoid By Brad Caldwell
In all of the publicity over stolen credit card data, one issue that is frequently overlooked is the fact that many breaches are caused by the same handful of vulnerabilities. Despite continuous preaching by the security industry, smaller merchants in particular fail to follow even the most basic rules to hacker-proof their systems, leaving an open invitation to criminals.

Consider the case of a two-site luxury resort that had 150,000 cards stolen, leading to $80,000 in PCI Data Security Standard (DSS) fines from card brands and $440,000 in customer reimbursements required by card issuers. An analysis by SecurityMetrics’ forensics team determined that the hacker entered through a poorly protected remote access program and then took advantage of inadequate network segmentation to install malware that was able to access the resort’s entire network. Both are common techniques seen repeatedly in compromise incidents.

In another case, a mom-and-pop restaurant was forced to close after having 1,200 cards stolen and being hit with $10,000 in PCI DSS fines plus $110,000 in customer reimbursements. Here again, the hacker wormed his way in through an insecure remote access program and discovered a system without the segmentation that would have blocked him from accessing the restaurant’s payment application. In this case, however, the hacker harvested data in a different way, using a keylogger instead of a memory dumper. In addition, he found a remnant file from the POS vendor containing the IP addresses of 27 other small restaurants using the same system configuration and the same default password for remote access. With one successful breach, that attacker was able to reach 28 different data repositories.

Although data thieves are continually inventing new ways to penetrate networks, breaches with known methodologies are largely preventable by following a few simple guidelines. ISOs can help their merchants keep customer cardholder data under lock and key by helping them avoid these common pitfalls:

1. Improperly configured firewalls. In many cases, this is all it takes for a hacker to enter your merchant’s system. Nearly 50 percent of all Level 4 merchants investigated by SecurityMetrics’ forensics team lack a properly configured firewall. Firewall security problems can be dramatically reduced by following procedures such as doing a full system sweep before firewall installation to detect any viruses or malicious activity, deciding which programs will be allowed to access the Internet, and so on. Merchants should consult their computer technician and/or the PCI DSS for assistance.

2. Weak authentication for remote access. Too often, weak or default passwords make it easy to bypass merchants’ remote access systems. That was one of the problems that tripped up the luxury resort mentioned earlier. Users had common passwords such as “abc123” or “iloveyou.” The solution is to require a strong password—one that combines upper- and lower-case letters, numbers, and special characters—and to change every vendor-supplied default, which is what let one break-in reach 27 more restaurants in the case above. Better still, add a second, independent step to authenticate the user. This “two-factor authentication” typically requires something the user knows plus something the user has. One example is requiring the system to recognize a special computer access software “key” (what the user has) and a passphrase (what the user knows) before permitting the user to log in. This forces an attacker to have the user’s key before he or she can guess the passphrase, making it much harder to access the merchant’s system.

3. Payment data stored with other traffic. Another common security mistake made by merchants is failure to segregate day-to-day business and Internet traffic from the payment application. Without that segmentation, a hacker who does manage to get in the door has unrestricted access to everything on the network, including payment data. Separating the payment application forces an attacker to jump an additional hurdle before reaching the proverbial pot of gold. The best strategy is to operate separate servers—one for routine business and one for the payment application—and to segment them from each other by a firewall. This second firewall acts as an extra barrier that a hacker may not be able to penetrate, reducing the risk of data theft.

4. Poorly protected wireless transactions. The rising use of wireless payment applications has created another avenue for hackers to attack. This was the Achilles’ heel of T.J. Maxx, which is reported to have lost 45.7 million credit cards to hackers. If a merchant must process credit cards in a wireless environment, ensure that the wireless network is protected by
PCI COMPLIANCE? NO PROBLEM.
Simplify PCI Wondering how to help your merchants become PCI compliant and keep them happy? SecurityMetrics can help. As a leader in PCI-DSS we handle more than 100,000 merchant PCI calls every month. Our Simple approach works. Call today to receive a free PCI consultation for your business. 801-724-9600 www.securitymetrics.com
ISO Corner DATA SECURITY strong encryption. PCI DSS mandates the use of strong encryption and explicitly bans outdated wireless standards such as WEP (requirement 4.1.1). 5. Unencrypted payment applications. Payment data stored in clear-text format is easy pickings for a hacker. In one forensics case handled by SecurityMetrics, an attacker discovered unencrypted transaction logs dating back to 2004. In one fell swoop, that hacker was able to steal data from 64,000 cards without waiting weeks or months for malware to collect the information. The merchant was not even aware that the payment application was storing the logs. This problem can be solved by ensuring that the merchant’s payment application is compliant with current Payment Application Data Security Standards (PA-DSS) that prohibit storage of unencrypted credit card data. In addition, the application must be configured properly. If it is set to store transaction or error logs, those logs may contain unencrypted credit card data, which defeats the purpose of deploying a PA-DSS compliant payment system. 6. Outdated anti-virus software.
Operate separate servers—one for routine business and one for the payment application—and segment them from each other by a firewall. Sometimes merchants are meticulous about maintaining anti-virus/anti-spyware software on their servers but fail to realize that it also is imperative to protect individual POS terminals. This oversight enables hackers to install malware on merchants’ terminals and steal credit card data as each card is processed. Updated anti-virus software installed at the POS terminal will often detect and prevent this type of attack. 7. Failure to thwart data export. The final security layer that many merchants miss involves stopping successful hack-
ers from exporting the data they have reached. They typically accomplish this by using the File Transfer Protocol (FTP) to copy the data out of the system, or by using a covert SMTP server to automatically e-mail the captured data to themselves at frequent intervals. To limit the damage that can be done at this point, the merchant’s firewall should be configured so that data leaving the payment application can be sent only to the payment processor or other trusted sources. All other IP addresses should be blacklisted. In addition, since processors no longer require an FTP option, FTP traffic for the payment application should be disallowed. While there is no silver bullet that will keep hackers at bay, avoiding these Seven Deadly Security Sins will go a long way toward protecting merchants from credit card theft. ISOs and acquirers can help by educating their merchant portfolio in the basic rules of data security. TT Brad Caldwell is CEO of SecurityMetrics, a provider of PCI DSS security solutions. Reach him at brad@ securitymetrics.com.
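The second pitfall above (weak or default remote-access passwords, fixed by a strong passphrase plus a second factor) is easier to act on with a concrete gate in front of you. The following is an added example written for this column, not code from the article or from SecurityMetrics: it enforces a passphrase policy that rejects choices like “abc123” and “iloveyou”, stores only a salted PBKDF2 hash, and requires a one-time code from a device-held secret. The RFC 4226 HOTP code stands in for the article’s “special computer access software key”; the user name, passphrase and key secret are constructed for the demonstration (the key secret is the RFC 4226 test vector).

```python
# Added example (not from the article or SecurityMetrics): a remote-access
# login gate that enforces a strong-passphrase policy ("what the user knows")
# and requires a second factor ("what the user has"). The second factor is
# modelled as an RFC 4226 HOTP code from a device-held secret, standing in
# for the article's "software key"; users, secrets and passphrases are
# constructed for the demo.
import hashlib
import hmac
import os
import struct

# Weak/default choices like those found at the resort; a real deployment
# would check against a much larger deny list.
COMMON_PASSWORDS = {"abc123", "iloveyou", "password", "123456", "admin"}


def passphrase_meets_policy(pw: str, min_len: int = 12) -> bool:
    """Length plus upper- and lower-case letters, a digit and a special
    character, and not a well-known weak password."""
    if pw.lower() in COMMON_PASSWORDS or len(pw) < min_len:
        return False
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(not c.isalnum() for c in pw)
    return has_upper and has_lower and has_digit and has_special


def hash_passphrase(pw: str, salt: bytes) -> bytes:
    # Store only a salted PBKDF2 hash, never the passphrase itself.
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class RemoteAccessGate:
    """Login succeeds only when the passphrase AND the key-generated code match."""

    LOOK_AHEAD = 3  # tolerate a key that advanced a couple of steps unused

    def __init__(self) -> None:
        # username -> [salt, passphrase hash, key secret, next expected counter]
        self._users = {}

    def enroll(self, user: str, pw: str, key_secret: bytes) -> None:
        if not passphrase_meets_policy(pw):
            raise ValueError("passphrase does not meet policy")
        salt = os.urandom(16)
        self._users[user] = [salt, hash_passphrase(pw, salt), key_secret, 0]

    def login(self, user: str, pw: str, code: str) -> bool:
        rec = self._users.get(user)
        if rec is None:
            return False
        salt, pw_hash, key_secret, counter = rec
        know_ok = hmac.compare_digest(hash_passphrase(pw, salt), pw_hash)
        matched = None
        for step in range(counter, counter + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(key_secret, step), code):
                matched = step
                break
        # Both factors are always evaluated; a wrong passphrase with a valid
        # code still fails, and an accepted code can never be replayed.
        if know_ok and matched is not None:
            rec[3] = matched + 1
            return True
        return False
```

The counter only advances on a fully successful login, so a guessed passphrase paired with a stolen code neither opens the door nor burns the legitimate user’s next code, and an accepted code is rejected if it is presented a second time.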
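The fifth pitfall, a payment application quietly writing clear-text card numbers into transaction or error logs, is something a merchant or ISO can check for directly rather than discover in a forensics report. This is an added example, not the article’s or SecurityMetrics’ code: it scans log lines for 13 to 19 digit runs, keeps only those that pass the Luhn check (so timestamps and order IDs drop out), and reports each hit with the number masked to the first six and last four digits. The log lines are constructed for the demonstration and use published test card numbers, not real accounts.

```python
# Added example (not the article's or SecurityMetrics' code): scan a payment
# application's transaction/error logs for clear-text card numbers, so an
# application that has been configured to log PANs is caught before an
# attacker finds the logs. The log lines below are constructed for the demo
# and use published test card numbers, not real accounts.
import re

# 13-19 digits, optionally separated by single spaces or dashes, not part of
# a longer digit run. Luhn validation below weeds out timestamps and IDs.
_PAN_CANDIDATE = re.compile(r"(?<![0-9])(?:[0-9][ -]?){12,18}[0-9](?![0-9])")


def luhn_valid(digits: str) -> bool:
    """Luhn check digit: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    # PCI DSS allows at most the first six and last four digits in the clear.
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_pans(line: str) -> list:
    """Every Luhn-valid 13-19 digit number in one log line, separators removed."""
    found = []
    for m in _PAN_CANDIDATE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            found.append(digits)
    return found


def scan_log(lines) -> list:
    """Return (line_no, masked_pan, redacted_line) for each PAN found."""
    hits = []
    for no, line in enumerate(lines, 1):
        for pan in find_pans(line):
            # Match the PAN whether or not it was written with separators.
            spaced = r"[ -]?".join(pan)
            hits.append((no, mask_pan(pan), re.sub(spaced, mask_pan(pan), line)))
    return hits


# Constructed sample: an order id that looks like a PAN but fails Luhn, a
# Visa test PAN, an Amex test PAN inside track data, and a mistyped number.
SAMPLE_LOG = [
    "2010-09-15 10:02:11 INFO  auth ok order=1234567890123 amount=42.10",
    "2010-09-15 10:02:12 DEBUG req pan=4111111111111111 exp=0912 resp=00",
    "2010-09-15 10:03:40 ERROR parse fail track='378282246310005=1209101'",
    "2010-09-15 10:05:02 DEBUG retry pan=4111-1111-1111-1112 resp=05",
]

if __name__ == "__main__":
    for no, masked, redacted in scan_log(SAMPLE_LOG):
        print(f"line {no}: {masked} -> {redacted}")
```

A hit on the sample’s third line is the case the article describes: the error log captured raw track data, and nothing in the application’s normal transaction output would have revealed it. Running such a scan over the log directory after every configuration change is a cheap check that the PA-DSS logging settings are still what the merchant thinks they are.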
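Pitfalls 3 and 7 are two sides of one firewall: the segment firewall that keeps the business network away from the payment application, and the egress rules that let the payment application talk only to the processor while blocking FTP. The following added example (not the article’s code) models that one policy and renders it as iptables commands. All addresses are constructed, drawn from private space and the RFC 5737 documentation range; the processor address is a placeholder, not any real processor.

```python
# Added example (not the article's code): a small model of the segment firewall
# the article recommends between the business network and the payment
# application, with egress limited to the processor and FTP blocked outright.
# All addresses are constructed from RFC 5737 documentation ranges and private
# space; the processor address is a placeholder, not any real processor.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

BUSINESS_LAN = ipaddress.ip_network("192.168.10.0/24")
PAYMENT_SEGMENT = ipaddress.ip_network("192.168.20.0/24")
PROCESSOR = ipaddress.ip_network("203.0.113.10/32")   # constructed placeholder
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str                        # "tcp", "udp" or "any"
    dport: Optional[int] = None       # None = any port


# Evaluated top to bottom, first match wins; anything unmatched is dropped.
POLICY: List[Rule] = [
    Rule("deny",  ANY,             ANY,             "tcp", 21),   # no FTP, anywhere
    Rule("deny",  BUSINESS_LAN,    PAYMENT_SEGMENT, "any"),       # LAN cannot reach payment
    Rule("allow", BUSINESS_LAN,    ANY,             "any"),       # ordinary office traffic
    Rule("allow", PAYMENT_SEGMENT, PROCESSOR,       "tcp", 443),  # payment app -> processor only
]


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Decide a single flow against POLICY; default deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in POLICY:
        if (s in r.src and d in r.dst
                and r.proto in ("any", proto)
                and r.dport in (None, dport)):
            return r.action
    return "deny"


def to_iptables(rules: List[Rule]) -> List[str]:
    """Render the policy as iptables FORWARD-chain commands with a DROP default."""
    lines = ["iptables -P FORWARD DROP"]
    for r in rules:
        cmd = ["iptables -A FORWARD"]
        if r.proto != "any":
            cmd.append(f"-p {r.proto}")
        if r.src != ANY:
            cmd.append(f"-s {r.src}")
        if r.dst != ANY:
            cmd.append(f"-d {r.dst}")
        if r.dport is not None:
            cmd.append(f"--dport {r.dport}")
        cmd.append("-j ACCEPT" if r.action == "allow" else "-j DROP")
        lines.append(" ".join(cmd))
    return lines


if __name__ == "__main__":
    print("\n".join(to_iptables(POLICY)))
```

Two design choices are worth noting. The article says “all other IP addresses should be blacklisted”; a default-drop policy with one explicit allow to the processor achieves exactly that without anyone having to maintain the list, and it is what the covert-SMTP and FTP exfiltration paths in the article run into. The rendered rules are deliberately minimal and omit the conntrack rule for established/related return traffic that a working deployment needs; they are meant to be read against the policy, not pasted onto a live firewall.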
ETA 2009-2010 Board of Directors

Officers
President: Holli Targan, Partner, Jaffe, Raitt, Heuer & Weiss, P.C.
President-Elect: Rick Pylant, President & Chairman, COCARD Marketing Group, LLC
Kim Fitzsimmons, Senior Vice President–First Data Services, First Data Corporation
Advisory Council: Robert Baldwin, President & CFO, Heartland Payment Systems, Inc.
Heidi Goff, President & Managing Director, The Americas, Hypercom, Inc.
Joe Cohane, CEO, Veracity Payment Solutions
Robert McCullen, CEO, Trustwave
Treasurer: Eddie Myers, President & COO, Payment Processing, Inc.
Secretary: Roy Banks, CEO, ACCELERATED Payment Technologies™
Immediate Past President: Nick Baxter, Senior Vice President, First National Bank of Omaha

Directors
Todd Ablowitz, President, Double Diamond Group
Jeff Rosenblatt, President, EVO Merchant Services
Debra Rossi, Executive Vice President, Merchant Payment Solutions, Wells Fargo Bank
Dave Siembieda, President & CEO, CrossCheck, Inc.
Tom Wimsett, President & CEO, National Processing Company
Dean Leavitt, Chairman & CEO, Unicorn Partners, LLC
Ed Myers, U.S. President, Global Payments, Inc.

Ex-officio
Carla Balakgie, CEO, Electronic Transactions Association
Jan Estep, President & CEO, NACHA
Sameer Govil, Head of Acceptance Solutions, Global Acceptance, Visa
Matt Johanson, Vice President, Acquirer Relations, Discover Network
Deana Rich, President, Rich Consulting
Steve Carnevale, Senior Vice President/Group Head, Commerce Development, MasterCard Worldwide
Kurt Strawhecker, Executive Partner, The Strawhecker Group
Buzz Stryker, President & CEO, POS Portal, Inc.
Bryan O’Malley, Vice President, American Express

Legal Counsel
Dave Goch, Attorney at Law, Webster, Chamberlain & Bean
Greg Cohen, President, Moneris Solutions
Advertisers Index

Company | Page | Phone | Web
Apriva | 17 | 480-421-1200 | www.apriva.com
Authorize.Net | C2 | 866-437-0491 | www.authorize.net
Cynergy Data | 2 | 800-933-0064 x5147 | www.cynergydata.net
Elavon | 1 | 678-731-5000 | www.elavon.com
EVO Merchant Services | 4 | 800-227-3794 | www.goevo.com
Fifth Third Processing Solutions | 9 | 513-534-7678 | www.ftpsllc.com
First American Payment Systems | 16 | 866-GO4-FAPS | www.go4faps.com
Hypercom Corporation | 7 | 480-642-5000 | mmitjans@hypercom.com
Security Metrics | 23 | 801-724-9600 | www.securitymetrics.com
Total Merchant Services, Inc | C4 | 888-84-TOTAL x9727 | www.totalmerchantservices.com
TransFirst | C3 | 214-453-7711 | www.transfirst.com
Trustwave | 27 | 312-873-7291 | mpetitti@trustwave.com
USA ePay | 19 | 866-872-3729 | www.usaepay.com
Visa | 25 | | www.visadps.com
Industry Insider
A Gift for Giving Ardent Giving Solutions finds success by specializing in the often-ignored markets of churches and nonprofits By Bryan Ochalla
“How many people in the payment processing industry think, when they drive by a church, There’s an opportunity for me?” asks Bryce Collman, founder of Ardent Giving Solutions. Few, if any, he says, which is why he opened the company in late 2009. His goal for the Dallas/Fort Worth-based company (and also a First American Payment Systems ISO) is to give churches, schools, and nonprofits tools to increase their donation income while decreasing their expenses. The first part of that goal is especially important since all of the market segments served by Ardent survive on giving and, “as you might imagine, they’re all struggling in this down economy,” says Collman.

The Ardent team helps churches, schools, and nonprofits facilitate donations and decrease spending by providing them with basic payment processing products and services—such as credit card, debit card, and ACH processing, as well as remote deposit capture—that were developed to meet their unique needs. Such basics are necessary because most of these organizations are just starting to dip their toes in the waters of electronic giving and “are not aware of all the tools that are available to them,” Collman says. “So we bring them to their doorstep.”

Almost all of the organizations Ardent works with have some sort of annual offsite fundraiser, such as a golf tournament. “You wouldn’t believe how common it is for these organizations to manually imprint the credit cards for that offsite function, which usually includes a silent auction,” Collman adds. “Then they spend the next two days calling in for authorizations. That not only increases their expenses significantly, but it also eats up their valuable time.”
The Proper Products

Ardent Giving Solutions’ suite of products helps alleviate manpower and expense issues as well as other problems commonly experienced by churches, schools, and nonprofits.
For example, Ardent’s Web-based donor-management program includes a recurring payment component, which is very important to churches whose donation collections “usually tank in the summer,” Collman says. “If they can interest their members in recurring giving, they’ll not just level off but grow their overall level of giving.”

Similarly, many churches do not accept credit card donations from parishioners. As a result, Ardent recently added a debit-only giving solution to its product mix. The function uses the company’s established systems to block credit card transactions from being processed and prompt members to resubmit their pledge using a debit card. “It has been a need [for these organizations] for a long time, but it was believed it couldn’t be done,” Collman says. “That just goes to show how much the payment processing industry has ignored this market segment over the years.”

Vertical Attention

When asked how Ardent Giving Solutions differentiates itself from competitors in the payment processing space, Collman answers: “We don’t take a one-size-fits-all or a one-solution-fits-all approach. We take the time to learn about each client’s specific goals and needs. We try to figure out where they are, what challenges they face, and where they see themselves going, and then we provide them with solutions that will fit those needs.

“We specialize in these verticals,” he adds. “And that specialization carries with it experience and knowledge and an understanding of our customer and prospect base—none of which someone who just stumbles across churches or schools or nonprofits would have.” If you want to earn the trust—and the business—of these often-overlooked organizations, “you have to ask the right questions, and you can’t do that if you don’t have a deep understanding of their industries.”

That’s not to suggest Collman and his crew are without challenges. Their biggest challenge at the moment involves finding motivated agents who are “geographically where we need them,” Collman says. “Our slogan is ‘Our passion. Your mission,’” he adds. “So it’s important that our agents share our passion for these organizations and what they’re trying to accomplish.”

Bryan Ochalla is a contributing writer for Transaction Trends. Reach him at bochalla@yahoo.com.