
Category: For Merchants

URGENT, You Do NOT Need to Read This!

We Already Have You Covered

You may have heard about a global issue in which Google researchers found unfixable vulnerabilities in commonly used encryption protocols. You may have also heard that, as a result, the PCI Council has delisted the vulnerable encryption protocols from being used for credit card processing. However, you may not understand what this means.

The encryption protocols of SSL and TLS have been in use for a long time. They essentially ‘scramble’ data during communications so that if the data is intercepted by an unauthorized individual, it cannot be read. In this manner, encryption is used for email, credit card data transmissions, ecommerce or any other sensitive data that needs to be protected. Specifically, the vulnerabilities apply to all versions of SSL and early versions of TLS, which is the more updated protocol.

What Do These Vulnerable Encryption Protocols Mean For My Business?

Nothing! Wind River is way ahead of the rest of the industry and so are you*. An article explaining TLS notes that 40% of merchants could be impacted, and when the merchant’s processor “flips the switch,” the merchant wouldn’t be able to process SSL or TLS 1.0. Their credit card processing would stop working for these transactions!

We have worked hard to communicate this critical change to our customers that were impacted well ahead of the looming deadline and taken the action needed to assure them their credit card processing would continue uninterrupted.

No need to send “Thank You” cards or gifts. It’s all in a day’s work here at Wind River and part of the After the Handshake Promise.

*We do have six customers we are still working with to overcome this obstacle. If you are one of these six (you know who you are!), please read the PCI Council Specifics below and we will continue to work with you.

PCI Council Specifics

The PCI Council says that all entities involved in credit card processing must be off all versions of SSL and TLS 1.0 by June 30, 2018 for PCI compliance. After this date, only TLS 1.1 or 1.2 should be used. Note that not all implementations of TLS 1.1 are immune from the vulnerability, so TLS 1.2 should be used if possible.

The PCI Council has provided guidance. Note that the June 30, 2018 deadline from the PCI Council is the end of a two-year extension that they originally provided due to the challenges of this global technology issue.

No Signature Required! What?

Late last year MasterCard, American Express, and Discover Card announced that in April of 2018 they would be eliminating the requirement for merchants to collect signatures for all purchases at the point of sale. They all pointed out that their secure networks, combined with new digital payment methods that include chip, tokenization, biometrics and other fraud capabilities, have advanced so that signatures are no longer necessary to fight fraud. Visa followed suit early this year but specified that signatures will no longer be required when a Visa EMV card is used at the point of sale.

What does that mean for you? MasterCard has pointed out that it expects this will speed up the checkout process and enhance the customer experience. However, it will take some time for the various point of sale systems and software to eliminate the signature line on the receipt. In the meantime, MasterCard has also suggested if a merchant is more comfortable obtaining a signature they still can. A signature will be optional, but starting April 2018 it will no longer be a requirement.

Stay tuned for more details as we are awaiting specific instructions from the card brands that we will share with you.

PCI Relief with ASP (Advanced Security Package)

For most of my customers, PCI is not their favorite acronym! The mere mention of this acronym has caused adverse side effects such as: anxiety, frustration, and headaches for both business owners and IT professionals alike.

Over the last 8 years, I have been helping our Wind River Financial customers with the challenges of PCI and I am happy to introduce another acronym, ASP. ASP, or Advanced Security Package, includes a security toolkit that can easily be downloaded to any workstation that will help alleviate some of the negative side effects of PCI validation. These tools will help secure your sensitive data, and in turn will reduce the amount of time spent on PCI validation.

To learn more about ASP, what is included in the security toolkit and its many benefits to our customers, click here or give me a call. Important enrollment information will be sent via email to you soon, so be on the lookout and watch your inbox closely.

Holiday Season Reminders: Prevent Fraudulent Transactions and Chargebacks

With the holiday shopping season upon us, it’s a good time to review some good practices in helping prevent your business from incurring losses from fraudulent transactions and chargebacks.

Face-to-Face Transactions

• If the card presented for payment is not a chip card, always swipe the card. In the event of a chargeback, this provides proof the card was present at the time of the transaction.

• If presented with a chip card and you have an EMV terminal, have your customer insert the card into the terminal and leave it there until the transaction is complete.  (If you have not yet upgraded to an EMV Terminal, please contact your Relationship Manager at 800-704-7253.)

• Obtain an authorization number for the full amount of the transaction.

• If an authorization is declined, do not accept it, attempt to split it into smaller amounts, attempt to obtain authorization at a later time, or try to force it through. Any of these attempts may leave your business vulnerable to a chargeback loss. Instead, ask the customer for another payment method.

• Have your refund policy printed on the receipt directly above or below the cardholder signature line in letters ¼” high.

Internet or Phone Transactions (Card Not Present)

• Obtain an authorization number for the full amount of the transaction.

• If an authorization is declined, do not accept it, attempt to split it into smaller amounts, attempt to obtain authorization at a later time, or try to force it through. Any of these attempts may leave your business vulnerable to a chargeback loss. Instead, ask the customer for another payment method.

• Verify the cardholder’s address via Address Verification Service (AVS). The best AVS response is “Y” for Yes or “Match”. This means the cardholder has given you the same address as the billing address for the card. If you are still uncertain about the transaction (e.g., large transaction, first-time customer, splitting sale amount between cards, etc.), you can call the issuing bank or the Voice Authorization Center.

• Ask the customer for the CVV/CVC Code on the back of their card (front for Amex). This is a 3 or 4-digit number that is now commonly used to help verify that the customer possesses the physical card. Most terminals prompt you for this information and will return a negative response if the number provided is not correct.

• Ship the merchandise to the AVS address and obtain signed proof of delivery or other method available from your shipper.

• Charge the cardholder’s account at the time the merchandise is shipped.

• Have your checkout page designed such that a customer must acknowledge your cancellation or refund policy. Be able to produce the acknowledgement in the event of a chargeback resulting from a refund dispute. Have a clear and concise refund policy.

NOTE: If a card is not present at the time of sale, a merchant cannot verify that the legitimate cardholder authorized the sale. The steps noted above may help minimize disputes and fraud, but they cannot guarantee avoidance of chargebacks. Card not present transactions are inherently more risky than those in which the card is present.

I hope this is a good reminder and something you might wish to review with your staff.  If we can help or you have a concern you can always call Client Care at 800-704-7253 or email us at info@WindRiverFinancial.com.  Here is my contact information as well.

Wishing you a very Happy Holiday season.

 

 

Small Business Saturday – The Movement

Small Business Saturday November 25, 2017

In 2010, Small Business Saturday (SBS) was founded in an effort to bring awareness to small businesses in America. American Express originally incentivized consumers to shop locally; however, SBS has since outgrown these roots. While it is still a registered trademark of the American Express Corporation, it has now evolved into a powerful movement.

As the program has continued to shift and become more prominent over the years, SBS has taken on a life of its own. Anchored between Black Friday and Cyber Monday, Small Business Saturday is now widely recognized, and as each year passes consumers are showing an increase in spending and involvement.

In 2016 more consumers visited local independent businesses on Small Business Saturday than ever before. An estimated 112 million shoppers showed their support based on the data released by the National Federation of Independent Business.

This powerful movement has even spread overseas as the UK adopted the shopping holiday by dedicating a day to encourage consumers to shop local and support small businesses in their communities.

As the SBS movement continues to build, American Express continues to help fuel the momentum. Their website provides free customizable marketing materials for physical locations, online shops as well as social media (https://www.americanexpress.com/us/small-business/shop-small/promote).

So kick off your holiday shopping by showing your support for small businesses near you! Make sure you document your shopping trip via social media and use #SmallBusinessSaturday to help spread awareness!

For more information and ways to get involved, follow the link below:

https://www.sba.gov/about-sba/sba-initiatives/small-business-saturday

Trick or Treat?

Children are anxiously awaiting the chance to celebrate Halloween by knocking on doors and exclaiming, “Trick or Treat!” For these children, it’s all treats. Unfortunately for far too many businesses, many customers of ours, there is a real game of “Trick or Treat” going on, and it is all tricks.

We have heard from several customers over the last couple of weeks who have told us they received a phone call from imposters representing that they are from their current merchant services provider or an “Industry Watchdog.” These dogs are saying they have noticed something wrong with their merchant services account and to simply fill out some paperwork to correct the problem, usually focusing on correcting a problem that will lower their rates. In the multiple cases that our customers have brought to us, this paperwork is actually an application not only to switch their account over to them, but to lock them into a long-term contract. Even worse, last week one of the “reps” on the phone attempted to reprogram their terminal over the phone, over to that new processor!

There are no industry watchdogs in the merchant services industry. Although with these tricky tactics, there definitely should be!

Please enjoy this Halloween season. Treats for all the kids dressed as ghosts, goblins, heck, even the scary killer clowns, but please don’t fall for the tricks of the adults dressed up as industry watchdogs! Contact us if you receive one of these tricky phone calls or if you have any questions at all. We are here to help, who knows, maybe if you excitedly exclaim “Trick or Treat” we will send you out some candy treats!

Happy Halloween!

Is it really ……. just that easy?

#WRFProudPartner winner!

Our Proud Partner program was just rolled out new this summer, but Lynn Aspinwall of Sonic Foundry isn’t new to Wind River. Her experience and trust in Wind River made it an easy connection when she became the Exalted Ruler for the Madison Elks Lodge #410. Lynn, thank you for sharing your “Happy Moment” story and taking the initiative of passing along our story to other Elks Clubs around the state.

Did you know the Madison Elks Lodge #410 is located on the beautiful shores of Lake Monona, within walking distance of the Capitol Square, Monona Terrace, and several hotels, and also includes a private pier for boats? The Lodge features a full service bar, restaurant, and banquet facilities for up to 250 people. And by the way, for your own personal “happy moment” I hear they have one of the best Old Fashioneds in town that pairs very nicely with the Fish Fry that can rival any supper club! However, you must be a member of the Elks, a guest of an Elk or sponsored by a member to share in the fun. Learn more about joining this private club that has been in Madison since 1898.

We want to thank those who participated in sharing their great stories, “happy moments”, compliments and referrals since the introduction of our #WRFProudPartner program. As the winner for this quarter, Lynn will be selecting something from our choice of great thank you prizes (see below).

We appreciate and look forward to hearing and sharing more #WRFProudPartner “happy moments”, compliments, stories and/or referrals from you. Just pass them along to any staff member at Wind River or to Matt Tomlinson our “Director of Happy Moments” mtomlinson@WindRiverFinancial.com or call him 608-441-7362.

You will automatically be entered in our next quarterly drawing and could win your choice of:
1. Badger tickets
2. Packer Tickets
3. Kalahari 1 night stay + additional gift card
4. Wollersheim Winery special event + gift card
5. Vortex optics
6. Electronics (Apple watch/iPad/GoPro)
7. Kessler’s, AC Zuckerman or Goodman’s Bling

Yes, and it really is…. just that easy!

 

CYBER SECURITY AND THE ART OF WAR

Successful cyber-attacks can ruin businesses, livelihoods, and even the lives of Small and Medium Business (SMB) owners and their customers. The enemy continues to grow stronger, launching over 4,000 attacks at SMBs daily. And, the stakes could not be higher. This is not a game……this is a war.

• The majority of cyber-attacks are directed at SMBs, due mostly to the attacker’s perception of weaker defenses at SMBs as compared to larger enterprises with greater resources and defenses in place.
• Post-attack remediation costs can extend into the hundreds of thousands of dollars for an SMB.
• 70% of SMBs attacked go out of business in less than 2 years after a significant breach.

So, how do we win?

Oddly enough in these tech forward times, the answers may exist in a book written over 2,500 years ago.

Sun Tzu, the Chinese general, military strategist and philosopher who lived in the 5th century B.C. is best known for authoring, “The Art of War”. This seminal work has influenced military strategy from when it was written to present day. The Japanese military adopted many of the book’s principles as it built itself into a modern military power. During the Vietnam War, Ho Chi Minh had it translated and given to his officers for study, contributing to the Vietnamese Army’s success against the French and American forces. More recently, during the Gulf War American Generals Schwarzkopf and Powell employed Sun Tzu’s philosophies during that conflict. And to this day, “The Art of War” continues to be a part of the Marine Corps Professional Reading Program.

The following are a few key “Art of War” principles, rendered to address the cyber-security challenges faced by today’s business owner.


“Every battle is won before it’s ever fought.”

Sun Tzu speaks to the importance of being fully committed and prepared, well in advance of any engagement with the enemy. Did you know that approximately 80% of businesses are not fully PCI compliant? To extend the analogy, this means that 4 out of 5 businesses are already losing the battle.


“The expert in battle moves the enemy, and is not moved by him.”

An effective cyber-security strategy must be proactive, agile and restless. The advantage exists in forcing the cyber-criminal to react to the defenses being put in place. Ask yourself if you are acting, or reacting.


“A clever fighter is one who not only wins, but excels in winning with ease.”

This idea is similar to the modern day reference to people who exhibit mastery within their field. Elite athletes or artists for instance who, “make it look easy”. But as we all know, that mastery is the result of untold hours of consistent and focused practice of their craft. To “win” against cyber-attacks, you must persistently invest the time and energy necessary to excel at defending your enterprise.


“Let your plans be dark and impenetrable as night, and when you move, fall like a thunderbolt.”

This translates to the importance of establishing and maintaining a very powerful security schema, while remaining opaque to outside forces. This of course includes software solutions, but also includes well-defined security policies and even training protocols for employees, minimizing inroads for attackers. And in the event that an attack is detected, we must move swiftly and strongly to obliterate it.


“The greatest victory is that which requires no battle.”

This is the ideal state that we strive for. One in which the enemy chooses to not attack, as a result of the perceived strength of our defenses.

We at Wind River Financial, in partnership with Trustwave, are excited to offer our client partners the robust offering within the Advanced Security Package (ASP) as we all continue to fight this battle. We encourage you to contact your Relationship Manager for your Login so that you can activate these enhanced tools immediately. These types of serial upgrades are critical to defend your business. Equally important is the commitment of the SMB owner to making cyber security a top priority. Having the very best tools in your arsenal, in tandem with a committed and vigilant philosophy, is the best strategy for winning this war.

To learn more about the tools you can go here. To speak with a Relationship Manager, call our Client Care at 800-704-7253 ext. 6828.

October 2017 Interchange and Network Fee Notification for Payment Processing

There are a number of new and revised fee structures effective October 1, 2017 being implemented by VISA. Wind River Financial believes in transparency of all association fees applicable to your merchant processing costs, so we will be passing through these new fees with no mark-ups or changes.

There are hundreds of fee structures and not all are applicable to all card types or to all merchants, so detailed below are the few that will affect most merchants’ day to day transaction processing costs. For a full listing of these new fees please go to our website in our Merchant Portal and Resource Library, Pricing and look for the title October 2017 Interchange Modifications.

VISA Interchange Fee Program Additions and Revisions – Visa will introduce new interchange programs for Corporate and Purchasing card transactions accepted at fuel businesses as well as revise some existing Commercial Card interchange rates and U.S. Government interchange programs. Click here for details.

Who are you?

As a fraud expert, I recall a certain fraud conference I attended years ago with a presentation by one of the U.S. Attorney’s Offices in New York. The conference was hosted by the Int. Assoc. of Financial Crimes Investigators (IAFCI), an association for whom I now co-chair the Cyber Fraud Industry Group. The U.S. Attorney’s Office began their presentation with background music of Who Are You by The Who – the theme song of the original CSI TV series. They played this while running through a slide show of articles about identity theft which were endless. The salient point was that identity theft was already out of control at that time.

This memory is pertinent to discussions today about the Equifax breach and questions I’m getting from, seemingly, all directions. Most people are asking “what should I do?” Everyone from family members to clients is asking.

The issue has a long history and probably begins with the practice of entities using SSNs as a unique identifier for individuals. The SSN itself was only meant to be used for social security and I’ve heard that it’s actually illegal to use it for other purposes. However, I think you’ll agree that many entities still use it for identity purposes – both private and public sectors.

On top of this, the credit rating industry in the U.S. has private entities (credit reporting agencies) that make money by purchasing your payment history from creditors, creating profiles, and then selling a credit score to potential new creditors so that they can determine their risk. They also maintain consumer personal identifiers within the profiles that can be used to positively identify credit applicants. This is something U.S. financial institutions are required to do to help combat money laundering and other crimes. What could possibly go wrong with entities storing this sensitive information?

Another issue the financial services industry is struggling with is synthetic identities. These are identities that are completely false, but nevertheless, criminals are able to establish credit profiles at credit reporting agencies with the false identifiers and apply for credit under them.

Where does it end? That’s a good question. If I ask “Who are you?” giving me your first name may be enough if I know you. However, if I’m a financial institution and you’re applying for a loan or a credit card, I have to rely primarily on the credit profile as your “identity.”

This is where we turn back to the Equifax breach, which, at the time of this writing, was the compromise of approximately 143 million consumer profiles (about half the population of the U.S.) and 209,000 credit card numbers.

The compromised information can be used to open financial accounts such as credit cards, loans, lines of credit, etc. It could be used to file a false income tax return on your behalf in order to get an income tax refund. It can also be used for non-financial services related ID theft.

There are plenty of good resources for information on what to do now. Two are the Financial Services Information Sharing & Analysis Center (FS-ISAC) and the Federal Trade Commission (FTC). These resources provide information that you can use to determine your personal best course of action, which may be based on characteristics such as your age, your personal credit needs such as whether you need instant credit, or other parameters.

They also provide the links to complete any actions you may wish to complete such as checking to see if your information is known to have been included in the Equifax data compromise, signing up for credit monitoring, placing a freeze on your credit reports, placing a fraud alert on your credit reports, or taking other action.

Some actions you can take to be defensive against identity theft over the long term include:

• Filing your income tax return as soon as possible each year so that criminals can’t file a false one using your SSN

• Reviewing your credit reports each year free of cost (annualcreditreport.com). You can also run queries on the SSNs of your underage children to ensure that they come back blank or not on file. If they come back with accounts, you will want to investigate further and file consumer disputes on their behalf if necessary. This can be particularly important in the time period before your child graduates high school as they may be applying for student or other types of loans which is a bad time to find out they were the victims of identity theft with ruined credit.

• Utilizing credit monitoring services. There are some free services to do this such as certain credit card accounts that offer this as an included service, ¹Credit Karma, credit monitoring services offered by entities after they have been breached (Equifax is offering this), etc.

The Equifax data compromise was a large one, but they are certainly not the only one. Also remember that your information is on file with the federal government – several departments of which have experienced their own data compromises. The point being that you should assume your identity information is at risk and you should act accordingly over the long term while helping your children and older generations do the same. At the end of the day, if your credit becomes damaged from a fraudulent entry, you can file a dispute with the credit agency or agencies. Federal law requires the agencies to then take certain actions to verify with the reporting creditor or correct or remove the entry which should improve your credit rating situation.

So…who are you?

 

 

¹Wind River Financial does not endorse or promote any particular service. Those mentioned are for example purposes.