Category: General

URGENT, You Do NOT Need to Read This!

We Already Have You Covered

You may have heard about a global issue in which Google researchers found unfixable vulnerabilities in commonly used encryption protocols. You may have also heard that, as a result, the PCI Council has delisted the vulnerable encryption protocols from being used for credit card processing. However, you may not understand what this means.

The encryption protocols of SSL and TLS have been in use for a long time. They essentially ‘scramble’ data during communications so that if the data is intercepted by an unauthorized individual, it cannot be read. In this manner, encryption is used for email, credit card data transmissions, ecommerce or any other sensitive data that needs to be protected. Specifically, the vulnerabilities apply to all versions of SSL and early versions of TLS, which is the more updated protocol.

What Do These Vulnerable Encryption Protocols Mean For My Business?

Nothing! Wind River is way ahead of the rest of the industry and so are you*. An article explaining TLS notes that 40% of merchants could be impacted, and when the merchant’s processor “flips the switch,” the merchant wouldn’t be able to process SSL or TLS 1.0. Their credit card processing would stop working for these transactions!

We have worked hard to communicate this critical change to our impacted customers well ahead of the looming deadline, and we have taken the action needed to assure them their credit card processing would continue uninterrupted.

No need to send “Thank You” cards or gifts. It’s all in a day’s work here at Wind River and part of the After the Handshake Promise.

*We do have six customers we are still working with to overcome this obstacle. If you are one of these six (you know who you are!), please read the PCI Council Specifics below and we will continue to work with you.

PCI Council Specifics

The PCI Council says that all entities involved in credit card processing must be off all versions of SSL and TLS 1.0 by June 30, 2018 for PCI compliance. After this date, only TLS 1.1 or 1.2 should be used. Note that not all implementations of TLS 1.1 are immune from the vulnerability, so TLS 1.2 should be used if possible.

The PCI Council has provided guidance. Note that the June 30, 2018 deadline from the PCI Council is the end of a two-year extension that they originally provided due to the challenges of this global technology issue.

No Signature Required! What?

Late last year MasterCard, American Express, and Discover Card announced that in April of 2018 they would be eliminating the requirement for merchants to collect signatures for all purchases at the point of sale. They all pointed out that their secure networks, combined with new digital payment methods that include chip, tokenization, biometrics and other fraud capabilities, have advanced so that signatures are no longer necessary to fight fraud. Visa followed suit early this year but specified that signatures will no longer be required when a Visa EMV card is used at the point of sale.

What does that mean for you? MasterCard has pointed out that it expects this will speed up the checkout process and enhance the customer experience. However, it will take some time for the various point of sale systems and software to eliminate the signature line on the receipt. In the meantime, MasterCard has also suggested if a merchant is more comfortable obtaining a signature they still can. A signature will be optional, but starting April 2018 it will no longer be a requirement.

Stay tuned for more details as we are awaiting specific instructions from the card brands that we will share with you.

What will you be doing this New Year’s Eve?

We hope 2017 has been a good year for all of you! The year is not quite over and there is an important holiday yet to celebrate. If you have family and are looking for a fun time to spend it together, we would humbly suggest My Family New Year’s Eve.

My Family New Year’s Eve is geared toward kids of all ages, and will take place at the Monona Terrace, KEVA Sports Center, Madison Ice Arena, and Hartmeyer Ice Arena. This year’s event will include a magic show, puppet show, Circus train rides, face painting, bounce houses, music, crafts, balloon drop and so much more!

Wind River is proud to sponsor My Family New Year’s Eve. We believe it is important to be active within our community and give back whenever we can. Our employees take great pride in their volunteer efforts and participating in local charity events. We look to support local efforts that are in line with the goals and values of our family business.

We were fortunate enough to be able to pick a local charity and donate 150 tickets to this great family-friendly celebration. It was a tough choice with so many great organizations in the Madison area, but we chose the YMCA with their rich 125-year tradition of providing valuable programs and services throughout Dane County. Every day, they work side-by-side with our neighbors to make sure that everyone, regardless of age, income or background, has the opportunity to learn, grow and thrive.

Have a great and safe New Year’s Eve, and we wish you the very best in 2018!

Holiday Season Reminders: Prevent Fraudulent Transactions and Chargebacks

With the holiday shopping season upon us, it’s a good time to review some good practices in helping prevent your business from incurring losses from fraudulent transactions and chargebacks.

Face-to-Face Transactions
• If the card presented for payment is not a chip card, always swipe the card. In the event of a chargeback, this provides proof the card was present at the time of the transaction.

• If presented with a chip card and you have an EMV terminal, have your customer insert the card into the terminal and leave it there until the transaction is complete. (If you have not yet upgraded to an EMV terminal, please contact your Relationship Manager at 800-704-7253.)

• Obtain an authorization number for the full amount of the transaction.

• If an authorization is declined, do not accept it, attempt to split it into smaller amounts, attempt to obtain authorization at a later time, or try to force it through. Any of these attempts may leave your business vulnerable to a chargeback loss. Instead, ask the customer for another payment method.

• Have your refund policy printed on the receipt directly above or below the cardholder signature line in letters ¼” high.

Internet or Phone Transactions (Card Not Present)

• Obtain an authorization number for the full amount of the transaction.

• If an authorization is declined, do not accept it, attempt to split it into smaller amounts, attempt to obtain authorization at a later time, or try to force it through. Any of these attempts may leave your business vulnerable to a chargeback loss. Instead, ask the customer for another payment method.

• Verify the cardholder’s address via Address Verification Service (AVS). The best AVS response is “Y” for Yes or “Match”. This means the cardholder has given you the same address as the billing address for the card. If you are still uncertain about the transaction (e.g., large transaction, first-time customer, splitting sale amount between cards, etc.), you can call the issuing bank or the Voice Authorization Center.

• Ask the customer for the CVV/CVC Code on the back of their card (front for Amex). This is a 3 or 4-digit number that is now commonly used to help verify that the customer possesses the physical card. Most terminals prompt you for this information and will return a negative response if the number provided is not correct.

• Ship the merchandise to the AVS address and obtain signed proof of delivery or other method available from your shipper.

• Charge the cardholder’s account at the time the merchandise is shipped.

• Have your checkout page designed such that a customer must acknowledge your cancellation or refund policy. Be able to produce the acknowledgement in the event of a chargeback resulting from a refund dispute. Have a clear and concise refund policy.

NOTE: If a card is not present at the time of sale, a merchant cannot verify that the legitimate cardholder authorized the sale. The steps noted above may help minimize disputes and fraud, but they cannot guarantee avoidance of chargebacks. Card not present transactions are inherently more risky than those in which the card is present.

I hope this is a good reminder and something you might wish to review with your staff. If we can help or you have a concern you can always call Client Care at 800-704-7253 or email us at info@WindRiverFinancial.com. Here is my contact information as well.

Wishing you a very Happy Holiday season.

Happy Hærfest: No, That is not a Misprint

I don’t know if you are like me, but I am always curious about where certain customs or traditions start. Like many, I had been taught that Thanksgiving celebration started at the first Thanksgiving in Plymouth Colony in 1621. But there is more to the story …

The word ‘harvest’ comes from the Old English word hærfest meaning ‘autumn’, aptly the season for gathering the food of the land. Harvest celebrations have been observed in different ways for as long as there have been people planting food. It was a vital time of year, when success was a genuine matter of life or death.

Many people today may not be thinking about “the harvest” during Thanksgiving. Life has changed a bit. But if we can take our minds back to those early times in history, it can bring an important perspective. Many of us don’t need to worry about the crop. What does remain, however, are two key ideas: bringing people together and being grateful.

We hope that each one of you reading this has the opportunity to be a part of a celebration with people that are important to you and can take the time to reflect on the “good things”. While not every day is a celebration, we have so much to be grateful for in our lives if we stop to think about it.

We, at Wind River, are grateful for all of you. The work we get to do brings us a harvest of satisfaction. It is our hope that you being part of the Wind River family makes your life simpler. We are truly grateful for your business and the opportunity to serve you.

So, to all of you, we want to wish a Happy Hærfest!

Gratitude For Their Service

On the 11th hour of the 11th day of the 11th month in the year 1919, guns stopped firing, and the “Great War” ended. That was the day the Allies and the Germans signed the armistice that ended “the war to end all wars”; the day was declared the First Armistice Day. It wasn’t until the second global war that we started assigning numbers to them, and “the war to end all wars” became “World War I.”
In 1954, President Dwight D. Eisenhower signed a bill into law that expanded Armistice Day to celebrate all veterans who have served in the military, and officially changed the name to Veterans Day.

On this Veterans Day, we at Wind River Financial salute our Veterans and extend our gratitude for their service. They are our relatives, friends, neighbors and co-workers, and they committed to a cause larger than their own by accepting the challenge to defend our nation.
In honor of Veterans Day, our offices will be closed Friday, November 10th, 2017. We will resume normal business hours on Monday, November 13th, 2017.

Trick or Treat?

Children are anxiously awaiting the chance to celebrate Halloween by knocking on doors and exclaiming, “Trick or Treat!” For these children, it’s all treats. Unfortunately for far too many businesses, many customers of ours, there is a real game of “Trick or Treat” going on, and it is all tricks.

We have heard from several customers over the last couple of weeks who told us they received a phone call from imposters claiming to be from their current merchant services provider or an “Industry Watchdog.” These dogs are saying they have noticed something wrong with the customer’s merchant services account and that the customer simply needs to fill out some paperwork to correct the problem, usually focusing on correcting a problem that will lower their rates. In the multiple cases that our customers have brought to us, this paperwork is actually an application, not only to switch their account over to the callers, but to lock them in to a long-term contract. Even worse, last week one of the “reps” on the phone attempted to reprogram a customer’s terminal over the phone, over to that new processor!

There are no industry watchdogs in the merchant services industry. Although with these tricky tactics, there definitely should be!

Please enjoy this Halloween season. Treats for all the kids dressed as ghosts, goblins, heck, even the scary killer clowns, but please don’t fall for the tricks of the adults dressed up as industry watchdogs! Contact us if you receive one of these tricky phone calls or if you have any questions at all. We are here to help. Who knows, maybe if you excitedly exclaim “Trick or Treat” we will send you out some candy treats!

Happy Halloween!

CYBER SECURITY AND THE ART OF WAR

Successful cyber-attacks can ruin businesses, livelihoods, and even the lives of Small and Medium Business (SMB) owners and their customers. The enemy continues to grow stronger, launching over 4,000 attacks at SMBs daily. And the stakes could not be higher. This is not a game… this is a war.

• The majority of cyber-attacks are directed at SMBs, due mostly to the attacker’s perception of weaker defenses at SMBs as compared to larger enterprises with greater resources and defenses in place.
• Post-attack remediation costs of an attack can extend into the hundreds of thousands of dollars for an SMB.
• 70% of SMBs attacked go out of business in less than 2 years after a significant breach.

So, how do we win?

Oddly enough in these tech-forward times, the answers may exist in a book written over 2,500 years ago.

Sun Tzu, the Chinese general, military strategist and philosopher who lived in the 5th century B.C., is best known for authoring “The Art of War”. This seminal work has influenced military strategy from when it was written to the present day. The Japanese military adopted many of the book’s principles as it built itself into a modern military power. During the Vietnam War, Ho Chi Minh had it translated and given to his officers for study, contributing to the Vietnamese Army’s success against the French and American forces. More recently, during the Gulf War, American Generals Schwarzkopf and Powell employed Sun Tzu’s philosophies. And to this day, “The Art of War” continues to be a part of the Marine Corps Professional Reading Program.

The following are a few key “Art of War” principles, rendered to address the cyber-security challenges faced by today’s business owner.


“Every battle is won before it’s ever fought.”

Sun Tzu speaks to the importance of being fully committed and prepared, well in advance of any engagement with the enemy. Did you know that approximately 80% of businesses are not fully PCI compliant? To extend the analogy, this means that 4 out of 5 businesses are already losing the battle.


“The expert in battle moves the enemy, and is not moved by him.”

An effective cyber-security strategy must be proactive, agile and restless. The advantage exists in forcing the cyber-criminal to react to the defenses being put in place. Ask yourself if you are acting, or reacting.


“A clever fighter is one who not only wins, but excels in winning with ease.”

This idea is similar to the modern-day reference to people who exhibit mastery within their field: elite athletes or artists, for instance, who “make it look easy”. But as we all know, that mastery is the result of untold hours of consistent and focused practice of their craft. To “win” against cyber-attacks, you must persistently invest the time and energy necessary to excel at defending your enterprise.


“Let your plans be dark and impenetrable as night, and when you move, fall like a thunderbolt.”

This translates to the importance of establishing and maintaining a very powerful security schema, while remaining opaque to outside forces. This of course includes software solutions, but also includes well-defined security policies and even training protocols for employees, minimizing inroads for attackers. And in the event that an attack is detected, we must move swiftly and strongly to obliterate it.


“The greatest victory is that which requires no battle.”

This is the ideal state that we strive for. One in which the enemy chooses to not attack, as a result of the perceived strength of our defenses.

We at Wind River Financial, in partnership with Trustwave, are excited to offer our client partners the robust offering within the Advanced Security Package (ASP) as we all continue to fight this battle. We encourage you to contact your Relationship Manager for your Login so that you can activate these enhanced tools immediately. These types of serial upgrades are critical to defend your business. Equally important is the commitment of the SMB owner to making cyber security a top priority. Having the very best tools in your arsenal, in tandem with a committed and vigilant philosophy, is the best strategy for winning this war.

To learn more about the tools you can go here. To speak with a Relationship Manager, call our Client Care at 800-704-7253 ext. 6828.

Who are you?

As a fraud expert, I recall a certain fraud conference I attended years ago with a presentation by one of the U.S. Attorney’s Offices in New York. The conference was hosted by the Int. Assoc. of Financial Crimes Investigators (IAFCI), an association for whom I now co-chair the Cyber Fraud Industry Group. The U.S. Attorney’s Office began their presentation with background music of Who Are You by The Who – the theme song of the original CSI TV series. They played this while running through a slide show of articles about identity theft which were endless. The salient point was that identity theft was already out of control at that time.

This memory is pertinent to discussions today about the Equifax breach and questions I’m getting from, seemingly, all directions. Most people are asking “what should I do?” Everyone from family members to clients is asking.

The issue has a long history and probably begins with the practice of entities using SSNs as a unique identifier for individuals. The SSN itself was only meant to be used for social security and I’ve heard that it’s actually illegal to use it for other purposes. However, I think you’ll agree that many entities still use it for identity purposes – both private and public sectors.

On top of this, the credit rating industry in the U.S. has private entities (credit reporting agencies) that make money by purchasing your payment history from creditors, creating profiles, and then selling a credit score to potential new creditors so that they can determine their risk. They also maintain consumer personal identifiers within the profiles that can be used to positively identify credit applicants. This is something U.S. financial institutions are required to do to help combat money laundering and other crimes. What could possibly go wrong with entities storing this sensitive information?

Another issue the financial services industry is struggling with is synthetic identities. These are identities that are completely false, but nevertheless, criminals are able to establish credit profiles at credit reporting agencies with the false identifiers and apply for credit under them.

Where does it end? That’s a good question. If I ask “Who are you?” giving me your first name may be enough if I know you. However, if I’m a financial institution and you’re applying for a loan or a credit card, I have to rely primarily on the credit profile as your “identity.”

This is where we turn back to the Equifax breach, which, at the time of this writing, was the compromise of approximately 143 million consumer profiles (about half the population of the U.S.) and 209,000 credit card numbers.

The compromised information can be used to open financial accounts such as credit cards, loans, lines of credit, etc. It could be used to file a false income tax return on your behalf in order to get an income tax refund. It can also be used for non-financial services related ID theft.

There are plenty of good resources for information on what to do now. Two are the Financial Services Information Sharing & Analysis Center (FS-ISAC) and the Federal Trade Commission (FTC). These resources provide information that you can use to determine your personal best course of action, which may be based on characteristics such as your age, your personal credit needs such as whether you need instant credit, or other parameters.

They also provide the links to complete any actions you may wish to complete such as checking to see if your information is known to have been included in the Equifax data compromise, signing up for credit monitoring, placing a freeze on your credit reports, placing a fraud alert on your credit reports, or taking other action.

Some actions you can take to be defensive against identity theft over the long term include:

• Filing your income tax return as soon as possible each year so that criminals can’t file a false one using your SSN

• Reviewing your credit reports each year free of cost (annualcreditreport.com). You can also run queries on the SSNs of your underage children to ensure that they come back blank or not on file. If they come back with accounts, you will want to investigate further and file consumer disputes on their behalf if necessary. This can be particularly important in the time period before your child graduates high school as they may be applying for student or other types of loans which is a bad time to find out they were the victims of identity theft with ruined credit.

• Utilizing credit monitoring services. There are some free services to do this such as certain credit card accounts that offer this as an included service, ¹Credit Karma, credit monitoring services offered by entities after they have been breached (Equifax is offering this), etc.

The Equifax data compromise was a large one, but they are certainly not the only one. Also remember that your information is on file with the federal government – several departments of which have experienced their own data compromises. The point being that you should assume your identity information is at risk and you should act accordingly over the long term while helping your children and older generations do the same. At the end of the day, if your credit becomes damaged from a fraudulent entry, you can file a dispute with the credit agency or agencies. Federal law requires the agencies to then take certain actions to verify with the reporting creditor or correct or remove the entry which should improve your credit rating situation.

So…who are you?

¹Wind River Financial does not endorse or promote any particular service. Those mentioned are for example purposes.

A New Form of Advocacy #WRF Proud Partner

Dove Healthcare has been consistently recognized as the provider and employer of choice for skilled nursing and rehabilitation services in their community and long-term care industry. With a diverse workforce of more than 1,000 employees, Dove Healthcare provides compassionate care and service to an average of 425 residents and patients every day.

“Our industry is in constant motion and we’re continually adapting to the needs of our clients including their changing payment preferences,” said Jeremy Kiley, Regional Director of Operations. “We saw a trend and need to expand our payment acceptance capabilities, and we wanted to get in front of it.”

Kiley felt that he wasn’t receiving the level of service and pro-active ideas from their previous payment processor so he reached out to Brian Schoeneck, VP of Financial and Regulatory Services at LeadingAge Wisconsin.

LeadingAge Wisconsin is a statewide Association comprised of more than 500 nonprofit organizations and serves as a valuable source of information to assist their membership, and advance the fields of long-term care, assisted living and retirement living. LeadingAge Wisconsin had been a Wind River client since 2012, and Schoeneck suggested that Kiley talk to Wind River.

“It gave us a lot of comfort that Wind River came as a referral from one of their current clients in LeadingAge Wisconsin, whom we trust,” said Kiley. “In addition, Wind River has great online reviews.”

Wind River identified that Dove Healthcare was introducing more training and certification courses, and saw a desire for their clients to self-serve, and make payments on their own schedule.

“The team at Wind River helped us implement a payment technology platform that not only meets our current needs, but is scalable to add additional payment channels such as website payments in the future. Wind River’s process has been very good and different from what we had experienced with other payment providers in the past. From the initial sales engagement, to implementation and ongoing support, they have a team to support us with an organized, detailed approach.”

Do you have questions about your current payment platform, or are you interested in a free consultation to help you plan for the future? Contact Wind River now.