Payments Insider

Dear Valued Merchant,

As a business owner, protecting your business from fraud and the penalties associated with it is critical. If sensitive business or customer data is stolen or illegally accessed, you can get more than a bad reputation. You can be heavily fined and faulted for putting your patrons at risk for identity theft.

This issue of Payments Insider provides helpful information on what to do if you’re compromised and how to prevent it from happening in the first place. Read on, and you’ll also learn why it’s important to have an age verification system in place if your business sells age-restricted products such as alcohol and tobacco — or your customers must be of legal age to enter.

As always, if you have any questions about payments — including installing age verification systems and what to do if your data is compromised — please call your relationship manager, account manager or your Heartland servicing team at 888.963.3600. Feel free to also e-mail us at Heartland@e-hps.com.

Best regards,

Heartland Payment Systems

NEWS ALERT

As a merchant, there are some headaches you should try to avoid — and being compromised is one of them.

In a recent survey of credit card compromises, 54% were within the food services industry, and 25% were within the retail industry.1 If your business is compromised, private information — stored on items like a laptop, office server or point-of-sale (POS) system — may have been illegally accessed and could lead to credit card data theft, fraud and financial loss. In response to what this can mean to merchants and their customers, the Payment Card Industry Data Security Standard (PCI DSS) has raised data protection standards for businesses. They are now mandatory for every business that processes credit or debit card information — including merchants and third-party service providers that store, process or transmit credit/debit card data. But, even if you take steps to increase data security and follow PCI DSS, you still may be at risk. It’s important to know what to do if you’re compromised, as well as the steps to prevent it from happening.

What are the signs you’ve been compromised?
In some cases, if your business is compromised — by wily hackers or malicious software — you may discover the breach by your POS system behaving oddly or strange files with credit card data suddenly appearing. However, most times your POS system will function as it normally does and you won’t be able to tell that anything is different or wrong. You’ll likely find out you’ve been compromised when you’re contacted by an issuing bank, credit card company or law enforcement agency that has traced suspicious credit and debit card activity back to your business.

What are your next steps if you’ve been compromised?
Once it’s determined that your business has been compromised, it’s important to make sure you don’t do anything to your POS system in case investigators need to complete a forensic investigation. Investigators may use highly specialized tools to examine your system for evidence to help determine how and when your system was first compromised as well as identify cardholders who have been affected. Follow these steps to ensure an efficient investigation:

  1. Stop using the POS system. Don’t turn the system off, but do disconnect the phone and internet cables from the wall.
  2. Don’t make any changes to the system. Don’t log on, upgrade any software, add new software programs or change any passwords. By disconnecting your system without turning it off and not making any changes, data on your POS remains the same. You’ll avoid destroying any evidence that could help investigators track down the hacker and where and how the compromise occurred.
  3. Immediately contact your payments processor. Your IT team, local law enforcement and/or Secret Service can help you as well. Your payments processor will notify the card companies and issuing banks about the breach. The card companies will determine whether or not an independent forensic investigation is required.
  4. If an investigation is required, you’re responsible for finding a vendor/investigator the card companies have qualified to work on security incidents, also known as a Qualified Incident Response Assessor (QIRA). Visit Visa.com/cisp for the most recent list of qualified investigators.

What can you do to prevent a compromise?
How can data breaches be prevented? Many happen because businesses fail to take steps to protect their business and their customers. For example, a business may be running on POS software that is outdated — software that stores data, hasn’t been upgraded, or is one that’s known to be vulnerable to data breaches. Businesses that use their POS systems as general computers — for tasks such as surfing the internet or back office duties — also increase the risk of downloading malicious viruses that can compromise the system or make it easier for hackers to access your programs.

Being compromised can also happen if your business is not PCI DSS compliant. To be PCI DSS compliant, ask your POS installer and processor about the system you use and if it is up-to-date. Also, speak to your IT specialist about network and data access security, such as firewalls, remote access and external file transfer. Again, visit Visa.com/cisp for the latest PCI DSS requirements. (See the sidebar “Decrease Your Chances of Being Compromised” for more information.)

Your business’s data — and your customers’ information — are valuable. Be sure to protect yourself and your customers by using only up-to-date POS software and by making sure you’re PCI DSS compliant. Taking these steps can save you and your customers from the headaches that go along with being compromised — possible forensic investigations, damage to your reputation and the loss of loyal customers as well as stiff fines — ranging from tens of thousands to hundreds of thousands of dollars — from credit card companies.

_____________________________

1 Trustwave Global Compromise Statistic available from Trustwave.com


Here are some helpful guidelines to help you decrease your chances of being compromised:

  1. Make sure your specific POS software version meets PCI DSS standards, such as those listed on Visa’s Validated Payment Applications list found at Visa.com/cisp. Your payments processor — such as Heartland Payment Systems — can also tell you if your software is on the list of vulnerable systems. If your software is listed on the vulnerable systems list or isn’t listed on the Validated Payment Applications list, ask your POS installer about upgrading your system to a new version or changing to a different, validated application.
  2. Make sure your network in general is PCI DSS compliant. For more information, visit PCISecurityStandards.org.
  3. Don’t use your POS system as your personal computer — i.e., don’t use it to surf the internet, do your bills, etc. This also applies to your employees who use the POS system when you’re not around.
  4. Completely remove all files from your old POS software. You may have done the right thing by upgrading your system to a validated one, but simply uninstalling the old program doesn’t always remove all the files — or customer data and card information — from the hard drive, so talk to an IT person to make sure this is actually done.

NEWS ALERT

If your business sells alcohol, tobacco or other age-restricted items — or you operate a bar, nightclub, casino or theater that requires customers to be of legal age to enter — be sure you have an age verification system in place. Use it every time you need to check a customer’s identification to help ensure you don’t serve underage patrons. It will also help protect you from federal and state law enforcement agencies’ fines and penalties — which can range from losing your sales license to closing your business.

Did you know that the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF), a principal law enforcement agency within the Department of Justice (DOJ), requires state police departments to set up decoy operations? During a decoy — or “sting” — operation, a minor enters your business and attempts to purchase prohibited items or be served alcohol. If your business doesn’t check for proper identification and/or sells products to underage patrons — and you fail more than one decoy operation — you may lose the right to sell alcohol and tobacco products. Your liquor license can be revoked after three convictions for serving alcohol to minors. And, in many states, you are liable for serving minors who subsequently injure themselves. Failure to check a patron’s identification can also cost you thousands of dollars — even on a first offense. On top of this, you could spend thousands more on fines and court costs and may even have your business license suspended. Penalties differ by state. Some states may require you to install an age verification system after failing the first decoy operation.

The easiest way to avoid fines and penalties associated with improper age verification is to use a point-of-sale (POS) based age verification system or barcode reader. The barcode on a driver’s license provides information — such as date of birth, license number and expiration date — that can be swiped or recorded with a POS system. This system takes seconds to use. It can be installed in your credit card terminal so you can quickly swipe a license or ID card to verify age and determine if it’s a valid license.

A barcode scanner can also be used instead of a POS system. A POS-based age verification system or barcode reader also allows for special reporting — so you can provide proof that a specific license was checked if authorities request this information later.

Protect your business — and reduce the chance of fines and penalties — by having the right age verification system in place and training your employees to use it.