All posts by IP Solutions Marketing


Achieve and maintain security (PCI DSS) compliance in the most cost effective manner

Firstly, it’s important to note that any organisation that stores, processes or transmits credit card data must comply with the Payment Card Industry Data Security Standard (PCI DSS). The standard is therefore mandatory for card-handling organisations in Australia.

Businesses dealing with cardholder data need to be aware of their obligations regarding PCI DSS compliance. However, that doesn’t necessarily mean they know the best ways of achieving and maintaining PCI DSS compliance, and how to do so in the most efficient manner.

Bottom line
A business could initially hesitate over the cost involved in achieving and maintaining compliance, but what’s seldom understood is that it’s more cost effective to keep on top of PCI DSS compliance than to let it slip. In addition, many companies in Australia underestimate the financial exposure associated with non-compliance.

Business partnership
A great way to keep on top of compliance is to have the right business partnership: we provide a range of products and services such as Level 1 PCI DSS certified cloud-based services, credit card scanning and storage, tokenisation and payment services, and contact centre solutions, to name a few.

Practical steps
You’ll probably be aware that there are numerous controls and stages involved, including determining which merchant level you are, followed by answering a self-assessment questionnaire (SAQ) or engaging a qualified security assessor (QSA) if your business is classified as a Level 1 merchant.

Here’s a brief overview of what you need to do to achieve and maintain PCI DSS compliance in the most efficient manner. There are three stages:

  • The first is assess – identifying cardholder data, taking an inventory of your IT assets and business processes for payment card processing, and analysing them for vulnerabilities that could expose cardholder data. Any historical credit card data which is no longer required should be eliminated to reduce the company’s financial exposure should a data breach occur.
  • The second is remediate – fixing vulnerabilities and not storing or processing cardholder data unless you absolutely need it.  
  • The third is report – compiling required remediation validation records and submitting compliance reports to interested parties, such as your financial institution.  

IPSI has helped many of Australia’s largest credit card processors to secure their credit card data and become compliant. We provide everything from review, analysis and design consultancy services to fully managed remediation solutions.

Maintaining compliance
An important process in securing PCI DSS compliance involves tokenisation. The best way to store credit card data for recurring billing is by using a cloud-based third party credit card vault and tokenisation provider.

You’ll need a provider who can perform a requirement analysis to identify what’s right for your business, including all interactions with payment card data, your particular tokenisation needs and associated payment and reporting processes.

It’s important to leverage service providers such as IPSI to help your business minimize its initial and ongoing PCI DSS costs, lead times and risks.


You’ll also need to find the right solutions for specific business requirements, as merchants use a variety of technologies to implement e-commerce functionality. If you’re a contact centre, for example, consider AgentSecure, a cost-effective cloud-based service which stops credit card data from entering your enterprise at all.

Credit card data scans
If you have historically stored or processed card data yourself, and you are concerned about the security of existing credit card storage locations, a scanning service will expedite the process significantly. It also enables a prioritised approach, so the locations holding the most card data are remediated first and financial exposure is minimised as quickly as possible.
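As an added illustration of the discovery step described above (not IPSI’s scanning service and not code from this post), the following Python scans a constructed CRM export for Luhn-valid card numbers, reports them masked, and ranks storage locations by how many numbers they hold:

```python
"""Scan exported text for stored card numbers (PANs) so they can be
removed or moved into a tokenisation vault.  Added illustration, not
IPSI's scanning service; the regex, Luhn check and sample export below
are constructed for this example."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Tuple

# Candidate PAN: 13-19 digits, optionally grouped by spaces or hyphens,
# not embedded in a longer digit run (the lookarounds stop partial matches).
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled
    (minus 9 if the result exceeds 9); the total must divide by 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits; the middle digits
    are never written into the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    location: str   # file or system the card number was found in
    line_no: int
    masked_pan: str


def scan_text(location: str, text: str) -> List[Finding]:
    """Return one Finding per Luhn-valid PAN in the text, without
    retaining the full number anywhere in the result."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", match.group())
            if luhn_ok(digits):
                findings.append(Finding(location, line_no, mask(digits)))
    return findings


def scan_file(path: str) -> List[Finding]:
    """Scan a file on disk; undecodable bytes are skipped rather than
    aborting the scan partway through a large export."""
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return scan_text(path, fh.read())


def prioritise(findings: List[Finding]) -> List[Tuple[str, int]]:
    """Rank storage locations by how many live PANs they hold, so the
    worst exposure is remediated first."""
    counts = Counter(f.location for f in findings)
    return counts.most_common()


# Constructed sample: a CRM export that still carries card numbers.
# The card values are the widely published Visa/Mastercard test numbers;
# the 16-digit order ids fail Luhn and the phone numbers are too short.
SAMPLE_EXPORT = """order_id,customer,payment_ref,phone
1234567890123456,A. Citizen,4111 1111 1111 1111,0400 000 001
1234567890123457,B. Smith,5555-5555-5555-4444,0400 000 002
1234567890123458,C. Jones,tok_8f3a91c2,0400 000 003
"""

if __name__ == "__main__":
    found = scan_text("crm_export.csv", SAMPLE_EXPORT)
    for f in found:
        print(f"{f.location}:{f.line_no}  {f.masked_pan}")
    print(prioritise(found))
```

Only the two genuine card numbers are reported, and the report itself contains no full PAN, so it can be shared with a QSA or remediation team without creating a new storage location.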

Independent parties
Part of achieving and maintaining compliance is to engage independent parties. They are: the Qualified Security Assessor (QSA), technology provider (e.g. IPSI) and remediator (e.g. IPSI). They’re all central to achieving and maintaining PCI DSS compliance. IPSI is unique within the Australian market in terms of the depth and range of its PCI DSS services and solutions.

With the continuing rise of cybercrime and fraud, it can be challenging for a business to achieve PCI DSS compliance and then maintain it. If you would like to speak with a PCI DSS consultant, please feel free to contact us to discuss your unique requirements.


What are the best methodologies to prevent credit card fraud in your business?

Protection is key
Merchants handling sensitive credit card data are under increasing pressure to maintain PCI DSS compliance. When it comes to the best methodologies to prevent credit card fraud in your business, there is one idea to keep in mind throughout: secure data protection.

If you have systems in place such as the ones we’ve previously mentioned in other blogs, such as fraud screening and when to introduce it in the transaction process, you are heading in the right direction. What else can you do to prevent credit card fraud in your business? Let’s take a look at three areas you need to be aware of.

  1. Mobile devices
    As we’re becoming an increasingly mobile workplace, you need to be confident you’ve reviewed how protected you are in relation to transactions involving mobile devices. As more customers use these devices to make payments or purchase products, fraud and security around mobile payments have long been a key concern for merchants and banks. Hackers are well aware that mobile payments, whether through a physical POS terminal or online, are open to risk, as smartphone security does not yet match traditional computer security: technical security measures are less common, operating systems are updated less frequently and mobile social networking applications sometimes lack detailed privacy controls.

    In addition, mobile malware has experienced a 40 per cent increase in recent years, and mobile shoppers using web browsers are much more vulnerable to attacks such as phishing and website spoofing.

  2. Impact of a new transaction flow
    Another step involved in preventing credit card fraud is that a merchant will need to assess the operational impact of a new transaction flow, potential cost savings and the implications for customer relationships. In addition, the merchant must decide whether they prefer to manage confirmed or attempted sales. If, for example, the merchant operates a no-challenge policy — working on a straight accept/deny recommendation — there would be logic in handling fraud screening post-bank authorisation, when the precise value of the sales being denied is clear.
  3. Compliance is paramount
    More than anything, however, the best methodology to prevent credit card fraud in your business is understanding what’s involved in maintaining PCI DSS compliance. After all, each of the steps involved, such as building a secure network and protecting cardholder data, is designed to help you avoid a data breach.

Remember, if you’re subject to an Account Data Compromise (ADC) this will set off a chain of events which includes possible penalties, as well as damage to your business reputation.

Having the right prevention strategies in place with regard to mobile device transactions and new transaction flows, and making sure your business is PCI DSS compliant, are fundamental to protecting your business from credit card fraud.

Find out whether your business is adequately protected against credit card fraud: to learn more, call us today on 1300 975 630, or book a consult with a Compliance Specialist here.


Fraud screening – when is it appropriate to introduce this into your business processes?

If you’re an established business or a start-up and you deal with credit card transactions, you need to know that when it comes to determining when it is appropriate to introduce fraud screening into your business processes, the answer is – if you want peace of mind – as soon as possible.

Fraud screening tools can be used to lower your risk of being targeted by fraudsters. This is extremely beneficial to your business. By being proactive in relation to fraud screening, you are ensuring that the costs to your company are greatly reduced. A security breach would potentially result in penalties, fines and costs linked with poor security practices in relation to PCI DSS compliance. Plus, there’s your company’s reputation to consider, too. No monetary value can fully replace that.

The first thing merchants need to decide when considering fraud screening is when to introduce it during the transaction process. Obviously, the decision to apply fraud screening before or after bank authorisation will have implications for business processes, transaction fees and customer experience.

Any move to adopt a different transaction flow process must be weighed carefully as it could have financially significant implications. The decision must take into account all fees along the payment chain, ensuring the return on investment stays positive.

When deciding how best to process payment transactions, it’s important to make the decision that is right for your business, based on all available information — whether this relates to costs or benefits that can be accurately measured or other business key performance indicators that cannot be so precisely assessed.

When considering whether to screen pre- or post-authorisation, a merchant will need to assess the operational impact of a new transaction flow, potential cost savings and the implications for customer relationships. In addition, the merchant must decide whether they prefer to manage confirmed or attempted sales. On the other hand, a merchant operating in an industry with higher levels of fraud and higher transaction values might seek the most effective fraud detection tools available.

Fraud screening tools can be extremely beneficial to your business. This is an area we know something about and can offer you professional guidance about how fraud screening can be one of the best things to introduce into your business payment processes from the get-go.

To learn more about when to implement fraud screening or if you have any concerns around payment processes and compliance please contact us here.


Acceptable fraud levels, is there such a thing?

There is a new five-letter “F word” on the scene and it’s a menace for any business involved in credit card transactions. The word is fraud and it’s spreading like wildfire across the global economy.

So the question needs to be asked: acceptable fraud levels, is there such a thing? Not for any company wanting to boost its profits, but there are steps you need to take to ensure your business will not be the next target.

As any industry pundit would know, credit card fraud is on the rise. Fraud on Australian payment cards continues to increase in the card-not-present space, reflecting a global trend both in online card fraud and in cybercrime in general. Card fraud rates in recent years have grown from below 50 cents to 60 cents for every $1,000 spent.

According to a study of consumer payments by the Reserve Bank of Australia, the proportion of card purchases made online, by telephone or mail order represent nearly 25 per cent of the total value of debit card purchases and about 40 per cent for credit cards.

Despite the readily available statistics on card fraud, merchants aren’t always on top of this. Not having a handle on fraud levels can greatly affect revenue and the brand or company’s reputation, as well as attracting fines from the card schemes when fraud goes over an “acceptable” level.

That means credit card merchants should fight fraud with up-to-date certified fraud prevention tools and leverage techniques to analyse cross-merchant fraud trends and behaviors, draw informed conclusions and enhance fraud detection processes that advance risk strategies and detect subsequent attempts.

The good news is there is a wide range of fraud prevention measures available to merchants, but, where these are not applied, fraud can happen at any time and with major consequences.

Through IP Solutions’ ability to offer multidisciplinary card fraud detection services, from the payment gateway level to advanced overlay services and call centre credit card filtering, those risks are minimised.

A fraud screening model instantly approves or rejects an order by relying on a real-time, multidimensional fraud decisioning engine. This model need not hold up orders in a review state, so it isn’t a burden on merchant resources and doesn’t risk annoying customers.

To find out how IP Solutions can provide the services you need to protect your data, speak with one of our specialists today.


Australia’s New Mandatory Data Breach Legislation: How will it impact your business?

The Mandatory Data Breach Notification scheme is expected to be in place within the year in Australia. This means that businesses will be legally obliged to notify the Privacy Commissioner and customers if they have experienced a data breach.

Who will it impact?

The scheme applies to organisations with a turnover of more than $3 million a year, government agencies and organisations governed by the Privacy Act. This means state government organisations and local councils, plus organisations with a turnover of less than $3 million a year, fall outside the legislation.

What is a breach?

Has there been unauthorised access to, disclosure of, or loss of personal information? If so, is it likely to result in serious harm to individuals?

A breach includes events like malicious access to customers’ credit card data and/or personally identifiable information (PII), such as a hack, accidental loss of a hard drive or soft-copy documents, and negligent or improper disclosure of information. Such information includes personal details, bank account and credit card data, credit reporting information, credit eligibility information, and tax file number information.

So what does your business need to know about mandatory data breach notification and how best to avoid a data breach in the first place?

Organisations who find they have been breached or have lost data will need to report the incident not only to the Privacy Commissioner but also notify affected customers within 30 days of becoming aware of a breach.

The notification must include a description of the data breach, the kind of information involved, and how customers should respond to the security incident.

Those who fail to notify the Privacy Commissioner could face fines of $360,000 for individuals and $1.8 million for organizations as well as other penalties covered under the Act.

How to prepare:

  • Ensure your organization has an up to date IT and Data Security policy
    • Know where your data is and how it’s secured
    • Appoint a data breach leader
  • Develop a data breach response plan
    • Both for the internal and external (Media) stakeholders
  • Ensure the board/management understand the cyber security risks that apply to your business
    • Evaluate the risks
    • What would a breach cost your business?
  • Implement best practice, business as usual data security policies
  • Manage third party providers
    • How are they managing your data?

Will your business really be targeted?

The US-based Rights Clearinghouse reported that in the first eight months of 2015 there were 120 million personal records breached globally, up from 70 million in the 2014 figures. Cybercrime can be very costly for a business. Up to 42 per cent of data breaches are malicious or criminal attacks, according to a recent survey across 10 countries by the Ponemon Institute. Each credit card breach costs around $145 per card, and the high-risk industries include finance, education, communications and healthcare.

Given the rise of cybercrime and the need to comply with Australia’s Privacy Legislation, it’s important to be proactive when it comes to protecting your customer data.

Mandatory data breach laws will effectively result in companies publicising that they are the victims of a data breach. Based on recent case studies, this could result in negative brand exposure, lost customers, lost sales and revenue, and potentially penalties and fines.

If you are not sure how to find, secure and process your financially sensitive data, or need some help with PCI DSS compliance, financial data storage or payment processing, please contact us on (02) 9006 6406 or contact us here.

Here is a case study highlighting how we were able to help a hotel and gaming group to catch unsecured customer credit card data before anyone else could:


The importance of flexible real-time dynamic fraud tools

While fraud is an ever present and growing issue for Australian businesses, with the right technology you can start to reverse the trend to protect your business. That’s the importance of having flexible, real-time dynamic fraud tools.

When it comes to eCommerce, there are plenty of flexible, real-time dynamic fraud tools available to help you and your business keep ahead of the game. It’s necessary to note, though, that the days of set-it-and-forget-it are long gone. It’s important to realise you have to “play a game” against these fraudsters and remain vigilant against cyber attack. You should establish fraud control practices that enable your business to flourish.

If you’re setting up an eCommerce site, for example, you might be so busy with the mechanics of it, such as establishing a new market or adopting an aggressive marketing and promotions plan, that it’s all happening very fast. You need a protective system in place that can move with you at the same pace, if not faster.

You will need an expert team who can help you develop a fraud strategy that is in complete harmony with your business strategy. It’s a delicate balance between fighting fraud while growing your business. Your fraud control strategy needs to mirror and enhance those organisational goals. Unfortunately, many companies don’t know how hard it is to fight fraud and beat it, without hurting their core business.

But many large corporations and small-to-medium businesses do, including airlines, banks, insurance companies, retailers and the like. One international airline, for example, realised that as its international customer base grew, so did its incidents of online fraud. Tools used to clamp down on this rise included short notice booking prioritisation in the fraud screening process and the ability to view key transaction trends quickly with an online fraud prevention tool.

Another available fraud tool analyses hundreds of relevant variables and activity across the globe in real-time, providing accurate fraud protection thanks to proven technologies based on the specific needs of each customer, minimising fraud loss and the need for manual review of orders.

It’s important to be aware that a high-performance fraud management system must interlock functions across a range of customer interaction contexts, payment methods and fraud detection approaches. It is important to have a fraud control service that offers the speed and flexibility to perform comprehensive fraud control checks at each interaction point, such as pre- or post-authorisation.

Managing these tools is complex which is one of the reasons many merchants, including those handling credit cards, have recognised the need to work with an experienced security service provider to orchestrate, administer and oversee the fraud tools and processes required.

Find out how IP Solutions can help you reduce your financial exposure.


Mobile devices linked to fraud

The trend began more than a year ago when, thanks to the boom worldwide in the popularity of mobile devices, they became linked to fraud as they became the target of phishing attacks.

As we enter 2017, that trend shows no sign of abating as our reliance on mobile devices grows. Mobile transactions are growing rapidly, but fraud is outpacing them as cybercriminals move to less protected, “soft” channels. In 2015, US experts noted that 45 per cent of all transactions originated from the mobile channel, while 61 per cent of fraud attempts were made from a mobile device.

As organisations continue to roll out more mobile services to customers, and employees begin to depend on them to do business on their behalf, the mobile channel has become rife with cybercrime. Yet smartphone-based processes are often poorly protected, and many people use them with less security savvy than they would a desktop computer.

A number of experts say the shift from spam attacks on PCs to phishing on mobiles is because smartphone technology is moving so fast, with more than 1.5 billion phones sold globally in 2015, and mobile devices are becoming the preferred platform for online banking and accessing business applications, to name a few. Experts say fraud attempts originating from the mobile channel increased by 173 per cent between 2013 and 2015.

The shift has been a challenge; it’s not easy to prevent cyber-attacks on your employees’ BYOD devices, which will all have downloaded apps, for example. As you would expect, there has been a growth in exploring all sorts of security options, from biometric technology to more vigilant forms of authentication. Smartphones are vulnerable to the same virus, spyware and phishing threats as your home computer. Downloaded apps are the easiest way for hackers to compromise your phone’s security, and it’s a good idea to educate your employees to only download from safe sources.

Fraud prevention approaches now require solutions which can extend to mobile and cloud environments. Even if attacks can’t be stopped completely, it is possible to change how we detect and respond to an attack to reduce the potential for loss or damage.

Having the right technology and an expert team who can explain the various security options available is half the battle.

Call us to discuss ways to secure your customer payment channels, online fraud decisioning tools, unencrypted data scanning and secure cloud based storage solutions.

To find out how IP Solutions can provide the solutions and services you need to protect your data and minimise your fraud exposure, speak with one of our experts today. http://www.ipsi.com.au/contact/


Staying on top of fraud prevention

Staying on top of fraud prevention will keep your business on its toes in 2017. Unfortunately there are still organisations out there who think it won’t affect them and they need not worry. They may be lucky and avoid being targeted, but why put your finances, corporate image and customers at risk?

There are quite a few areas you need to consider when working out how to stay on top of fraud prevention. One of the threats can be internal – sometimes disgruntled or just plain dishonest current or former employees can decide to take matters into their own hands. This theft can take many forms – from lost inventory to unethical accounting practices and the theft of financial assets.

Then there’s external fraud. This, too, can take many forms, such as computer hacking, identity theft and credit card fraud; as such it should be a major concern. Talk to any security expert and they will tell you that there’s no quick fix when it comes to managing or preventing fraud – it requires ongoing monitoring and vigilance.

Your IT experts will need to work closely with a specialist organisation such as ours who fully understand fraud prevention and who can install a comprehensive fraud protection program.

It’s also a good idea to educate staff throughout your company about the importance of preventing fraud and the reasons why. After all, every employee can be affected by fraud losses because it impacts a company’s bottom line.

Your business will need to have an effective fraud detection program – one that has clearly defined fraud prevention responsibilities, comprehensive awareness training, continual risk assessment, investigation procedures, and constant auditing and monitoring.

Your fraud prevention plan needs to set out how the company will react to any suspected fraud, mitigate any issues, and prevent future threats.

Above all, remain vigilant. As soon as you think you’ve got fraud prevention locked down, fraudsters will have already found a way to zero in on your company’s system and device vulnerabilities. Don’t become a statistic or a headline anytime soon. Staying on top of fraud prevention is an integral part of your organisation’s raison d’être in 2017 and beyond.

Fraud prevention is a must for your business. Staying on top of it is another thing. Speak with one of our Security and PCI DSS Specialists for more information.


Credit card fraud risk and how to keep it at bay

Credit card fraud is growing every year and any organisation or merchant who has their head in the sand about how to keep credit card fraud at bay is not going to have a productive 2017.

Credit card fraud is everywhere: online, via mobile devices, call centers, rogue employees and overseas cybercriminals. Credit cards are one of the most common payment methods around the world, yet they are also one of the least secure forms of payment.

Cyber criminals are targeting governments, businesses of all sizes and individuals worldwide via the internet. On an individual level, Australia experienced card fraud of $2.1 billion during 2014-15, double the $1 billion in 2010-11, according to Australian Bureau of Statistics (ABS) figures.

Hackers can be extremely sophisticated. That means credit card merchants must fight fraud with equally up-to-date fraud prevention expertise and technology, including an expert team and sophisticated tools and techniques to analyse cross-merchant fraud trends and behaviours, draw informed conclusions and enhance fraud detection tools that boost risk strategies and detect subsequent attempts.

It’s not impossible, though, to keep credit card fraud at bay to the best of your capacity. Retailers, for example, can achieve the levels of fraud detection required by card schemes without turning away genuine transactions and thereby losing income from those sales.

Through IP Solutions’ ability to offer multidisciplinary card fraud detection services, from the payment gateway level to advanced overlay services and call centre credit card filtering, those risks are minimised. A fraud screening model instantly approves or rejects an order by relying on a real-time, multidimensional fraud decisioning engine. This model does not hold up orders in a review state, and so minimises the demand on merchant resources and any impact on the customer.

A critical point merchants have to face when working out fraud screening is when to introduce it during the transaction process. Obviously, the decision to apply screening before or after bank authorisation will have implications for business processes, transaction fees and customer experience.

To find out more about how to keep credit card fraud risk at bay in your organisation, speak with a Payments Specialist today.


Data Breach Notification Bill and how it will affect Australian business.

Data security breaches are an ongoing concern for businesses, retailers, merchants and customers globally and in Australia. As a result, the Federal Government’s much-mooted data breach notification bill is expected to be introduced in parliament in the coming months. While the timeline is aggressive, it’s important to note that the bill has previously had support from the Greens and the Labor Party.

The general gist of the legislation would require companies which generate revenue over $3M to inform the commissioner and the people affected by a compromise of their personal data if there were a real risk of serious harm posed by the release of the information. For example, if a person’s credit card details, identification details, passwords or other information were leaked or obtained fraudulently. At the moment, companies report to the Privacy Commissioner on breaches on a voluntary basis.

The legislation raises questions, concerns and issues for all concerned and there have been opinions put forward that are both positive and negative from various industry and business groups. Some have argued the existing privacy laws are enough and that it may place extra burdens on businesses to report to government every time they had a data breach.

Mandatory data breach laws will effectively result in companies publicising that they are the victims of a data breach. Based on recent case studies, this could result in negative brand exposure, lost customers, lost sales and revenue, and potentially penalties and fines.

Similarly, some groups have said that the wording of the bill needs further debate and that elements such as the question of “harm” to an individual in a data breach may be hard to assess at times.

And will level 1 merchants, who already have stringent requirements regarding PCI DSS compliance, be affected by this legislation? While it will apply to all companies above the revenue threshold, it is clear that being PCI DSS compliant will minimize exposure with regard to credit card data loss.

What, for example, of the practicalities? It can take an average of 243 days, for instance, between when an entity is hacked and when it discovers the breach. It’s important to note that the draft legislation is based around the time of awareness.

While the government has been clear it wants to tackle cybercrime, with a $230 million strategy unveiled this year, large organisations such as Telstra and PayPal say the legislation places an unnecessary onus on the entity which has had the breach to notify authorities. Telstra argued there could be cases where multiple notifications are issued, leaving the consumer confused about what’s going on.

As well, there is the issue of how to contact customers. It was pointed out that some cloud service contracts specifically limit the ability of the cloud service provider to access customer data. Microsoft pointed out “the provider is limited in its ability to make an accurate determination of whether or not serious harm has occurred”.

To find out more about the latest changes to the bill and how this impacts PCI DSS Compliance for your business, speak with a PCI DSS Specialist today here.