To enable greater transparency, choice, and control for customers, from 18 April 2020 Visa is updating its rules related to transactions at merchants that offer free trials or introductory offers as part of an ongoing subscription service.
In August and September 2019, Visa Payment Fraud Disruption (PFD) investigated two separate breaches at North American fuel dispenser merchants. The attacks involved the use of point-of-sale (POS) malware to harvest payment card data from fuel dispenser merchant POS systems. It is important to note that this attack vector differs significantly from skimming at fuel pumps, as the targeting of POS systems requires the threat actors to access the merchant’s internal network.
Visa hosted a webinar to review requirements, procedures and timelines for reporting and responding to a suspected or confirmed account data compromise event. In addition, the webinar will explore compromise trends and fraud schemes and the suite of Visa security capabilities designed to prevent and disrupt payment fraud.
Starting in October 2018, merchants that meet specific volume thresholds for purchase returns on Visa accounts will be required to process a purchase return authorization for each return. All other merchants are required to process purchase return authorizations beginning in April 2019.
In June 2019, Visa’s Payment Fraud Disruption (PFD) analyzed a malware sample from the recent compromise of a North American hospitality merchant and identified the malware as a variant of the Alina Point-of-Sale (POS) malware family. Alina dates back to at least 2013, and is one of many malware strains that possesses a Random Access Memory (RAM) scraper, which is specifically designed to steal payment account information from the memory, or RAM, of the targeted system. Given the upload and compile dates, and recently observed operations leveraging Alina, PFD assesses Alina POS is in active use and remains a popular malware variant for POS targeting.
Tapping to pay is quickly becoming the standard way to pay at checkouts around the world. Driven by a continued focus on improving their member experience, Costco, a global retail leader, implemented contactless technology at the point-of-sale across more than 525 warehouses in the U.S. This case study provides an overview of their decision to make the transition to contactless, key steps they took and the impact they have seen as a result of implementation.
This document is designed to help merchants properly handle transactions that have been charged back to their business by their acquiring bank. Here you will find best practices targeted to the needs of both card-present and card-absent merchants.
Based on Visa Payment Fraud Disruption’s (PFD) analysis of eCommerce compromises throughout 2018, FIN6’s focus on the CNP environment has only amplified, suggesting that the cybercrime group has fully incorporated targeting CNP environments into their criminal methodology.
Visa’s Payment Fraud Disruption (PFD) team was the first to link the exact same PwnPOS malware file hash across seven recent point-of-sale breaches reported since March 2018 in North America. It was also found that each of the PwnPOS malware files recovered from the 2018 breaches were the same across all compromises, rendering PwnPOS an easily identifiable malware family.
Visa hosted a webinar on September 20, 2018 to cover a brief introduction to PCI SSC and PCI DSS, as well as a discussion on best practice to review PCI DSS validation documents, including samples and examples of PCI DSS documents.
Visa is aware of recent incidents in the U.S. in which criminals are committing fraud through processing fraudulent purchase return transactions. The fraud scheme involves cloned POS devices and funds are cashed out at ATMs after the purchase returns have been posted to the cards. The purpose of this Visa Security Alert is to provide clients with an understanding of the threat landscape and best practices for securing the environment.
Starting in October 2018, merchants that meet specific volume thresholds for purchase returns on Visa accounts will be required to process a purchase return authorization for each return. All other merchants are required to process purchase return authorizations beginning in April 2019.
Visa hosted a webinar covering the threats from website add-ons and e-commerce breach trends. The webinar reviewed the common attack vectors and methods, malware injection techniques and overall e-commerce security trends and best practices.
Visa hosted a webinar focusing on ATM cash out trends and issuer preventive measures. The session reviewed ATM cash out fraud and how the attacks are carried out. This is to provide an understanding of how to protect and defend against these schemes, as well as how Visa can help.
A growing industry trend to deploy online chat and non-voice channel services within call centers and merchant online environments may introduce potential risks to the users of these services. Visa Payment Systems Intelligence (PSI) identified increasing instances of criminals targeting these online services to obtain payment data. The purpose of the attached Visa Security Alert is to provide clients with an understanding of the threat landscape and best practices for securing this environment.
Visa has been working with merchants, acquirers, and fuel-industry providers to support migration to the more secure EMV technology. The EMV liability shift is designed to better protect all parties. With the new rules, the party that is the cause of a chip transaction not occurring, either the issuer or acquirer, will be held financially responsible for any resulting card-present counterfeit fraud losses. However, due to challenges with EMV Automated Fuel Dispensers (AFD) solution readiness, Visa is delaying the U.S. domestic AFD EMV liability shift date to 1 October 2020.
Visa hosted a webinar providing an overview of machine learning; specifically, how machine learning is applied in the payment industry, decision making with machine learning, threats from machine learning based attacks, and managing and monitoring of machine learning.
This flyer provides clarification of the rules which detail how a merchant should identify the proper location for all transactions processed through the Visa system. Providing the proper information helps prevent unnecessary cardholder disputes and reduces additional risk to the Visa system.
Visa hosted a webinar to highlight new data security resources available to small merchants through the Payment Card Industry Security Standards Council (PCI SSC). The webinar reviewed recent updates to the Qualified Integrator and Reseller Program and other educational resources designed to help small merchants better understand how to protect their acceptance environment and the Visa payment system.
New options for merchants in the U.S. & Canada From 14 April 2018, EMV-enabled merchants in the U.S. and Canada have the option to stop capturing signatures as a method of cardholder verification. Those same merchants will also no longer be required to retain and store transaction receipts.
As the payment system has evolved, instances in which a transaction is initiated with a stored credential based on a cardholder’s consent for future use have increased to significant levels. To help merchants and acquirers understand the Stored Credential and Merchant Initiated Transaction framework, Visa is summarizing the requirements and implications through this supplemental document. Please refer to October 2016 VisaNet Business Enhancement Global Technical Letter and Implementation Guide for full details.
eCommerce malware infections are a continued contributor to global fraud in the Card-Not-Present space. To help merchants combat fraud resulting from these global and persistent attacks, Visa is providing guidance and best practices for merchants to help secure their online stores.
Visa has become aware of the rise in phishing campaigns throughout the payments ecosystem. The primary cybercriminal exploitation method begins with a phishing e-mail and relies on the Dynamic Data Exchange (DDE) protocol for infection instead of malicious macros or an exploit kit. Visa is providing this alert to ensure awareness of the cyber threats actively exploiting this Microsoft Windows feature.
Visa hosted a webinar for clients to present an overview of Visa's new monthly client data security communication. To assist clients in managing their sponsored merchant and third party agent compliance with Visa’s data security validation requirements, effective November 2017, Visa will provide clients with a monthly report listing all merchants and third party agents due to revalidate compliance against the Payment Card Industry Data Security Standard and/or PCI PIN Security Requirements.
As counterfeit fraud becomes more challenging for fraudsters globally, they have shifted their focus to the card-not-present channel. Cybercriminals are targeting e-commerce transactions to exploit common vulnerabilities and compromise static payment data. In particular, the e-commerce space has seen developments in malware, modified source codes and database triggers.
Visa Claims Resolution, a new global initiative will replace Visa’s existing dispute resolution process. VCR will simplify dispute processing by migrating from a litigation-based approach to a liability-assignment-based approach. This flyer describes the new process, consolidation of reason codes, and merchant benefits.
Visa understands the challenges faced by merchants when it comes to staying on top of account information changes. Outdated credential-on-file information can lead to declined transaction and cardholder inconvenience. Increase authorization approvals and reduce customer service issues and expense with Visa Account Updater (VAU). VAU offers two solutions that solve this problem; VAU and Real Time VAU.
Visa hosted a webinar to discuss the topics and key take-aways from the 2017 Visa Security Symposium. This webinar highlighted the importance of securing a connected world. In today’s digital age, proper checks on data security and risk management are essential to defending the payments ecosystem.
Fuel dispenser chip card acceptance is the more secure way to accept Visa cards at your fuel dispensers, and the best way to avoid liability for counterfeit fraud. The sooner it is done the better for a number of reasons.
Do you know who handles your data? Working with the right partners is crucial to protecting the cardholder environment. Ensuring that players prioritize security can help you score a security home run this summer.
Visa has observed an increase in network intrusions involving service providers, re-breaches of merchant payment environments and skimming incidents involving Point of Sale (POS) device overlays. Visa is issuing this alert to make Members and entities aware of their obligations to investigate and immediately report all data compromise events.
Visa hosted a webinar providing an overview of the trends in the global payment system – from protection to authentication. This webinar highlights the effects more players and digitization have on the payments ecosystem and what that might mean for data security, fraud management and cyber intelligence in the future.
The information contained in the Visa Payment Acceptance Best Practices for U.S. Quick-Service Restaurants guide is geared toward the actions and decisions most pertinent to quick-service restaurants and operators in the U.S. It also includes best practices and on-the-job support tools for managers and employees.
Visa provides a Partial Authorization service that provides an alternative to declining a transaction when the card’s available balance is not sufficient to approve a transaction in full. This flyer provides information about the benefits realized, how to use the service, and answers to frequently asked questions.
Webinar deck highlights tools and resources that are available to clients and merchants to mitigate risks when selecting a service provider partner. Additional highlights include Third Party Agent Risk Program initiatives, including unregistered agent campaigns and multiple tool enhancements.
Multiple information security firms have reported on the emerging threat of a new malware variant identified as “Flokibot.” While Flokibot attacks have focused on the LAC region to date, this malware may represent a broader threat to the payments ecosystem. Visa is publishing this alert in order to provide clients and stakeholders with technical information, including background on the malware, indicators of compromise and suggested mitigation activities to protect the payments ecosystem.
It is always a great opportunity to set goals and make plans to achieve them. While motivation is at an all-time high, consider taking the following actions to help secure the payments ecosystem at the merchant level.
Download this comprehensive manual for all businesses that accept Visa transactions in the card-present and/or card-absent environment. This guide provides the latest information and best practices to help merchants process Visa transactions, understand Visa products and rules and protect cardholder data while minimizing the risk of loss from fraud.
As the US market migrates to EMV chip, the fraud threat from criminals placing skimming devices on, or in, attended and unattended point-of–sale (POS) devices for the purpose of collecting payment card information, including PIN numbers, increases. Perpetrators use skimmed payment information to quickly create counterfeit cards re-encoded with the stolen card information typically resulting in ATM withdrawals. To help clients combat skimming, Visa is providing guidance on recommended inspection and response actions. This data security alert may be disseminated to all payment system stakeholders.
Chip card technology in the U.S. has created new challenges for committing fraud at the physical point of sale. Data compromises continue to occur, with fraud migrating online and into other card-not-present channels. As a result, some merchants may experience an increase in chargebacks and transaction declines, cutting into their profitability. In this webinar, learn about current fraud trends and strategies to mitigate fraud in e-commerce. Visa shares common flags for card-not-present fraud and methods for managing and resolving transaction disputes.
Global eCommerce sales are expected to double from 2015 to 2019. While growth in this sales channel creates great opportunities for merchants, it also has the ability to attract high levels of fraud activity. With the holiday season fast approaching, merchants should understand how to best protect against Card Not Present Fraud.
Recognizing the signs of a cyber-attack can make the difference between falling victim to a Point-of-Sale compromise and stopping a breach in progress or preventing one altogether. Through research and intelligence gathered from payment data breach investigations, Visa identified many common tactics, attack characteristics and malware types across breaches in every merchant vertical. Learn some of the new developments in Point-of-Sale network attacks and gain insights into data exfiltration methods as well as how to spot the common warning signs of a breach within the payment environment. Knowing the attacker’s tactics and tools goes a long way in building better defenses.
With steady progress and growth of EMV since October 1, 2015, there are now more than 1.46 million chip-enabled businesses and 363 million chip-enabled Visa cards, making the U.S. the largest Visa chip card market in the world. The number of Visa chip transactions surpassed half a billion in the month of August, representing a 1,000+ percent annual increase. As we reach the one-year anniversary of the EMV liability shift, many questions remain regarding the process behind the migration and the advancements made in the past year. This session discussed why the U.S. moved to EMV, the progress the industry and Visa has made in the past year, analyze early results and updates on further enhancements, such as Visa Quick Chip.
As part of a broader effort to mitigate small merchant breaches, Visa Payment System Risk established new data security program requirements for U.S. and Canadian acquirers with an effective date of January 31, 2017. This infographic addresses the most common questions on the topic of the small merchant validation and Qualified Integrator/Reseller (QIR) requirements.
Visa has seen an increase in global ATM cash-out fraud, which can extract millions of dollars from financial institutions in a short time. The key to limiting losses is quick detection and decisive action, carefully coordinated with Visa. ATM cash-out fraud can happen at any time, anywhere in the world. It often affects issuers in one country and acquirers in another. To help clients combat this global and sophisticated type of fraud, Visa is providing guidance and best practices.
In late August 2016, Visa became aware of a recent ATM malware compromise in SoutheastAsia and is providing indicators of compromise (IOCs) in order to enable security and incident response teams of financial institutions and ATM manufacturers to check and secure network environments. While these IOCs are specifically associated with an investigation involving ATMs in the Southeast Asia incident, Visa notes that the methods employed by the criminals in this incident represent a broader criminal threat to ATM manufacturers/models worldwide and their deployers.
Visa previously published a technical analysis on malware, including filenames, malware hashes, and criminal methodology involved in a separate ATM Jackpotting incident in the Asia-Pacific region. While there are similarities between the two events, this notification serves to highlight key differentiators –including malware and methodologies - pertaining to the incident in Southeast Asia.
Mobile purchases increased to nearly one in five online orders and generated about $69.1 billion during the most recent holiday season. As mobile payments grow, fraud risks increase. Knowing the differences between eCommerce and mCommerce fraud is a critical first step in protecting merchants. Visa and CyberSource experts explain how a process-based approach can help clients detect and control mobile fraud.
On Monday, 8 August 2016, Oracle Security informed Oracle MICROS customers that it had detected malicious code in certain legacy MICROS systems. Oracle is currently investigating the compromise, and as of 12 August 2016, the company has not published details about the cause/s.Visa is issuing this alert to provide indicators of compromise (IOCs) associated with cybercrime threats known to have previously targeted Oracle systems.
The PCI Security Standards Council convened a small merchant business taskforce to provide guidance and feedback to prepare resources that simplify data security for some of the most vulnerable businesses preyed upon by cybercriminals. Relying on cross-industry expertise to help small merchants understand why and how to protect payment card data and resolve risks to their businesses the taskforce has developed a toolkit to aid this effort.
Visa highlights the ATM “Jackpotting” incidents in the attached data security alert. This publication provides information regarding indicators of compromise (IOCs) as well as recommendations for response.
Magento is a popular open-source, e-commerce platform written in PHP. Several critical and high vulnerabilities were discovered and patched on the Magento platform in January 2016. Merchants who have not deployed security patch SUPEE-7405, as required by PCI standards, are vulnerable to remote exploits that can compromise account data. Document shares a description and impact of Magento and provides detection and mitigation steps.
In March 2016, the PoSeidon (point-of-sale) PoS malware was modified with the incorporation of a persistence monitoring capability. PoSeidon malware now actively monitors the PoS system processes in order to maintain the infection and malware functionality. If the malware is removed from the system, the monitor process waits two (2) minutes and re-infects the system. Document provides an overview of the threat and risk description and best practices to mitigate against PoSeidon.
In response to a rise in incidents in which skimming devices were placed on POS terminals to collect payment card information, Visa shares typical skimming events that affect self-checkout terminals and the ways in which perpetrators carry out these attacks and how merchants can identify and properly manage these incidents.
The Payment Card Industry Security Standards Council (PCI SSC) has published version 3.2 of the PCI DSS, which provides a baseline of technical and operational requirements designed to protect cardholder data. The bulletin includes key updates, effective dates for implementation and additional resources.
A Visa security alert describing recent incidents involving suspects placing skimming devices on point-of–sale (POS) terminals for the purpose of collecting payment card information, including PIN numbers.
The Payment Card Industry Standards Security Council (PCI SSC) which is responsible for defining the technical and operation standards for the protection of payment card data will release an update to the PCI Data Security Standard (PCI DSS) in late April 2016. Visa’s representatives on the PCI SSC will provide information on what to expect with Version 3.2, review the key changes associated with this release and outline dates and impacts to Visa compliance programs.
Following Visa’s requirements for processing a refund will help keep your customers informed and reduce the number of questions you may receive as the result of a return. This flyer describes best practices in processing a refund to a cardholder’s account.
Many merchants are creating an omni-channel experience for their customers that provides convenient, seamless and secure delivery across all of their channels, including in-store, eCommerce, telephone, mobile web, and mobile app. This flyer describes the omni-channel experience depending on the payment and delivery option selected by the customer.
Visa and a guest speaker from FireEye explain how financially motivated attackers are targeting customer data and the payment ecosystem. The session dived into security vulnerabilities and techniques hackers use to steal customer information, including payment card data. Visa subject matter experts also provide valuable cyberthreat indicators, risk mitigation strategies and practical guidance on how to detect these threats and secure systems from attack.
Visa provides an overview of the risks third parties may introduce into the payment ecosystem and recent program updates and mandates (including small merchant and use of Qualified Integrators and Resellers). Additionally, highlights tools and resources available to issuers, acquirers and merchants when selecting service provider partners.
Visa highlights “Kuhook” Point-of-Sale (POS) malware, a variant from the “ModPOS” malware family. This point of sale malware, “Kuhook”, is one of the most sophisticated and difficult to detect payment card stealing malware identified. Visa experts and Mandiant highlight the malware capabilities, indicators of compromise and mitigation steps.
Updates to the small merchant data security requirements for U.S. and Canada acquirers. These requirements involve the use of Qualified Integrators and Resellers (QIRs) and required PCI DSS validation. This document includes Frequently Asked Questions about the data security requirements.
Visa has identified multiple malware families targeted the lodging industry, including casinos and resorts. To name a few, “FindPOS” (or “Poseidon”), “FrameworkPOS”, and “rawpos” are confirmed in several Visa investigations, suggesting the industry continues to be attractive to attackers interested in payment card data. This publication provides information on each malware family along with security best practices to mitigate this threat.
Visa highlights “BlackPOS” malware, a malicious payment card-stealing software targeting point-of-sale systems. “BlackPOS” collect payment card data in ways that are difficult to identify and detect. Visa experts explains how it works, its methods of communication and maintaining stealth, and provides indicators of compromise for detection and eradication.
Lists qualification criterial for custom payment service rates available to retail merchants in the electronic commerce space. Also provides information about key Visa products for validating the identity of cardholders.
Visa has identified a variation of malware (from the ModPOS malware family) targeting Point-of-Sale (POS) systems designed to run on Microsoft Windows. Codenamed “Kuhook,” the malware utilizes keylogger and memory scraping/parsing functionality. The malware is a sophisticated set of kernel mode device drivers written for the Windows XP platform and is compressed to make the source code and data unreadable.
Visa and CyberSource experts explore CNP risk methodologies to optimize the consumer experience and reduce false declines while minimizing fraud losses. Additionally, Visa tools such as CVV2, AVS, Verified by Visa – among others – were covered in great detail as well as CyberSource’s Decision Manager
Requirements for U.S. and Canada acquirers to ensure that their small merchants take steps to secure their point-of-sale (POS) environment. Merchants must use Qualified Integrators and Resellers (QIRs) and Level 4 merchants must validate PCI DSS compliance.
Valuable information for small merchants, including franchisees, highlighting the importance of protecting their customer's cardholder data, explaining the Payment Card Industry (PCI) Data Security Standards (DSS), and providing tools, solutions and strategies to use to help mitigate the risk of fraud and data breaches.
Visa analyzes the underlying causes of recurring breaches and the downsides to "check the box" cyber incident response. Breach preparedness and incident response best practices are provided to help respond to a breach the right way.
Microsoft will no longer support or issue security fixes for Windows Server 2003 after July 14, 2015. This poses a greater risk to the data security of a company utilizing Windows Server 2003. Furthermore, as of July 15, 2015 companies using this software may no longer be in compliance with Payment Card Industry Data Security Standard (PCI DSS).
Visa reviews how flat networks or networks without adequate network segmentation make it easy for an attacker to pivot and traverse the network after it has gained entry. Properly segmenting the network can greatly reduce PCI scope, controls, and costs. Also provided are recommendations, benefits and principles of network segmentation, and how to best defend against network threats and vulnerabilities.
This document provides guidance for issuers that plan to develop or use a third-party dynamic Cardholder Verification Method (CVM) service to authenticate their cardholders. Dynamic CVMs, such as One-Time Passcodes (OTP), are becoming more prevalent for on-line banking and e-commerce transactions as financial institutions aim to strengthen their customer authentication capabilities. Visa developed the following dynamic CVM best practices for issuers to consider and assess the security features of these solutions.
Recent data compromises have demonstrated the need for third party payment application integrators and resellers to maintain security processes that go beyond providing software that is compliant with the Payment Application Data Security Standard (PA-DSS).
Visa shares best practices to help defend against poor implementation, maintenance and support processes that have led to merchant and agent data compromises. Visa advises acquirers, merchants, agents and payment application vendors to contact their licensed integrators and resellers, and insist that these best practices be immediately adopted. Merchants and agents should also consider including these best practices as a condition of their service level agreements with third party integrators and resellers.
Recent payment card data compromises have demonstrated the critical need for payment application companies to maintain mature software processes for their customers that go beyond Payment Application Data Security Standard (PA-DSS) compliant software. Acquirers, merchants and agents should review Visa’s best practices and insist that their payment application vendors, integrators and resellers fully adopt these practices
In October 2009, Visa published the Visa Best Practices for Data Field Encryption to promote the proper encryption of sensitive card data that is transmitted, processed or stored by stakeholders throughout the payment system. As part of these best practices, Visa recommended that entities use tokens (such as a transaction ID or a surrogate value) to replace the Primary Account Number (PAN) for use in payment-related and ancillary business functions. Tokenization can be implemented in isolation or in concert with data field encryption to help merchants eliminate the need to store sensitive cardholder data after authorization. Entities that properly implement and execute a tokenization process to support their payment functions may be able to reduce the scope, risks and costs associated with ongoing compliance with the Payment Card Industry Data Security Standards (PCI DSS).
To reinforce its commitment to protecting consumers, merchants, and the overall payment system, Visa is pursuing a global security objective that will enable merchants to eliminate the storage of full PAN and expiration date information from their payment systems when not needed for specific business reasons. To ensure consistency in PAN truncation methods, Visa has developed a list of best practices to be used until any new global rules go into effect.
Corporate Franchise Servicer entities operate in a number of merchant segments, including lodging and food service. In an effort to address the increasing threat of data compromises that affect franchise businesses, effective immediately, Visa will extend the Third Party Agent Program to include a new category of agents, called “Corporate Franchise Servicers.” Corporate Franchise Servicers (CFS) operates in a number of merchant segments, including food service and lodging. The inclusion of Corporate Franchise Servicer agents in the Visa Third Party Agent Program will help ensure that Corporate Franchise Servicer agents protect card data by at a minimum complying with the Payment Card Industry Data Security Standards (PCI DSS).
It is common practice for some card issuers to print the full PAN on each page of a cardholder’s billing statement; however, Visa strongly recommends that, as a “best practice,” issuers truncate or eliminate the printing of the cardholder PAN on billing statements and other cardholder communications.
Visa Operating Regulations specify that all Visa clients, including issuers and acquirer financial institutions, must comply with the Payment Card Industry Data Security Standard (PCI DSS). This bulletin specifies the requirements and recommendations necessary for facilitating this compliance.