By Doug

On 2/9 at 10:00am CST, Trustwave, Wind River Financial's PCI compliance partner vendor will be hosting a free webinar on their 2012 Global Security Threats & Trends Report.  If you are interested in up-to-date trends on how hackers are getting into computer networks, this webinar may be for you.  It will be presented by Nicholas Percoco, Trustwave's head of SpiderLabs advanced forensic group.

Register for the webinar here.

 By:  Bonnie Kruckenberg

By Doug

PcAnywhere is a popular off-the-shelf remote access software package that allows personnel or vendors to access a business computer network remotely for various reasons.  Semantec, the developer of pcAnywhere has announced that the source code for pcAnywhere is believed to have been compromised in 2006 during a breach to their network.  A well known hacking group has recently claimed that they have the source code which may allow them to develop exploits which could potentially allow them to access the networks of businesses that use pcAnywhere.

Visa's Global Cyber Security Leader has indicated that "Visa highly recommends pcAnywhere and other unnecessary ports be disabled from the firewall to prevent POS systems from being compromised."  In addition, Semantec has provided a whitepaper regarding the source code compromise with recommendations to mitigate risk.  It is available here.  Please also note that PCI DSS requires that ports used for remote access be closed when not actively in use.

If your business uses pcAnywhere, your computer network may be vulnerable to being hacked.  Therefore, it is important that this information be forwarded to technical personnel, whether internal or external, so that appropriate assessment and action can be taken to secure your business network.  Small businesses that do not have internal IT resources may wish to forward this information to the entity that installed your network.  

By Doug

Here is an ABC News video on Visa's state-of-the-art data center and the security that goes into the first line of defense against fraud.  As one part of the payment card transaction process worldwide, about 8000 Visa transactions are flowing through Visa's systems per second.

By Doug

Although scams are heightened during the holiday season, they are truly present year round.  Here is a link to an article about a situation in which a local grocery store, that has money transfer services, was defrauded for nearly $1000.  This particular type of scam is called 'social engineering.'  Social engineering is when a scammer is able to trick a legitimate employee, or even business owner, into providing information or taking actions that will put the business at risk for losing funds in a fraudulent manner. 

Social engineering is often targeted at getting the employee or owner to either conduct the necessary actions which will allow the scammer to defraud the business, or to trick the employee or owner into providing login information for financial accounts or other online access which would allow the scammer to move funds once obtained.  An example of this is merchants that use virtual terminals to process credit card transactions.  If the scammer is able to obtain an administrator's login information to the portal on which a merchant maintains their customer credit card information, the scammer may be able to transact fraudulent credits to prepaid debit cards (gift cards) under their control and use the funds for purchases or cash advances before the merchant is aware of the fraud.

The ways in which the scammer tricks the employee or owner or many, but often center around a theme of being a legitimate employee of the credit card terminal manufacturer or processor, financial institution, or other legitimate entity.  A business can protect themselves from this by training employees to never give out sensitive information via telephone, or even in person, unless they initiated the communication via validated phone numbers (as opposed to phone numbers provided by questionable individuals), and to check the identification of any on-site service people.  A legitimate service organization will normally schedule an appointment as opposed to simply showing up.

History has shown us that this type of scam is often conducted by merchants that use simple terminals as well.  Terminals can be taken off line or put in training mode which will make any "transaction" run through them to appear to have been authorized (to the extent of providing a fake approval number) when the terminal never dialed out for authorization.  The transaction later comes back as a chargeback from the card issuer as 'No Valid Authorization' and cannot be fought.  The funds are gone. 

This is very common at financial institutions where the scammer tricks the teller employee to take the terminal off line and then conducts a cash advance.  Scammers often have counterfeit credit cards made up with the cell phone number of accomplices printed on the back of the card instead of a valid customer service phone number.  The accomplice instructs the teller how to "get an approval" when they are really instructing on how to take the terminal off line.  Organized rings travel the U.S. conducting this type of fraud and often have fake identification to match the name on the counterfeit credit card.  The rings are often sourced from California, Florida, or Georgia.

If ever in question about whether a situation involving your credit card processing is legitimate, please contact Wind River Financial at (800)704-7253.

Security Metrics Inc., a Salt Lake City, Utah-based provider of PCI security solutions, published a study showing 71% of the merchants queried worldwide were found to store unencrypted payment card data in 2011, an increase of 8 percent since 2010.

The full article can be found here.

By Vicki Ytzen

Are you being called on a daily basis about switching your credit card processing?   It can be very frustrating being bombarded with phone calls and wondering if you should check out their offerings. They promise you huge savings. They want you to sign a contract up front! They want you to forget the time-honored, remember if it sounds too good to be true, it probably isn’t!

By Becky

 If you have not done so, subscribe to the Wind River blog for instant notifications about new postings.

By Becky Tjugum

 By Doug

On 12/14/2011 at 12pm CST, Visa will be hosting a free webinar on small merchant data security.  The webinar will include a high level overview of the data security landscape for merchants and discuss new credit card processing technologies that can help increase security and reduce risk.

Registration for the webinar is required by Visa and can be completed here.

When the Federal Reserve crafted the debit interchange limits under the Durbin amendment, they specifically exempted banks with less than 10 billion in assets. They designed this exemption to protect the debit revenue streams for smaller banks.  As a result, the new debit interchange limits only apply to banks with more than 10 billion in assets.

So what does this mean to merchants? Well, quite a bit!  Instead of debit rates being determined by whether a customer selects PIN or signature, debit rates are now determined by the size of the customers bank.  

For example, on a $50 transaction by a customer using a debit card issued by a larger bank, the merchant will benefit from the new regulated rate of $0.21 plus 0.05 % and incur a transaction fee of only $0.24.  However, on a similar $50 transaction by a customer using a debit card issued by a smaller bank, an old debit rate (i.e. 1.05% plus $0.15) will apply resulting in a transaction fee of $0.68. In this $50 transaction example, the new regulated fee is 65% less than the non-regulated fee! However a merchant does not benefit from the new regulated rates when a customer uses a debit card issued by a smaller bank.

Based upon preliminary industry analysis of October activity, 60% - 80% of debit transactions were on debit cards issued by larger banks.  That is good news for merchants since these debit transactions are assessed the new regulated interchange rates.

Although merchants can't really do anything about the rate difference for the debit cards their customers carry, merchants must be diligent to ensure their processors are passing through the regulated debit interchange savings as intended.  Payment processors are not required to pass these savings on to their merchants; and many processors continue to charge merchants the old rates for ALL debit transactions, and retain the savings for their own enrichment.

Wind River Financial passes 100% of the savings along to merchants.  So unless you work with Wind River Financial, you may not be experiencing any debit rate savings - regardless of the debit card in your customers wallet!

By Doug

Hospitality Upgrade magazine recently published an article under consultation by Ingrid Beierly of Visa's Cyber Security & Investigations Team.  The artilce discusses a fraud technique that has resurfaced as of late.  

The technique is for a fraud suspect to gain control of a merchant's payment gateway by various means including social engineering such as tricking an employee into providing their login information, or by installation of a keyboard logger.  

Once the fraud suspect has the employee login information for the payment gateway, they can transact fraudulent credits to debit cards or prepaid debit cards under their control and then go to an ATM to withdraw the funds before the fraudulent activity is noticed.

Some practices that can help thwart this type of activity:

Do not use default passwords

Every user should have their own password

Change passwords regularly - no more than every 90 days

Enable logging so incidents can be investigated

Only those who need the ability to issue credits should have access to do so

Credits should be reviewed daily

Utilize dual control as a best practice

The entire article can be accessed here.

By Doug

Security Dark Reading, an information security related publication, published an article about the Unisys Security Index study which suveys 1000 consumers on their atttitudes about online security. 

Among the findings:

• 76% said they would close their account with the entity that lost their customer data
• 53% said they would take legal action
• 65% said they would publicly expose a company that allows a breach

The full article can be found here.

For those merchants who have a large amount of debit card activity, the drastic reduction in debit card fees mandated by the Durbin Amendment will have a direct impact in reducing your overall processing fees. Understanding how much a merchant account will cost your business in processing fees starts with something called the effective rate.

The term effective rate is used to refer to the percentage of net sales that a business pays in card processing fees. It's pretty simple to calculate the effective rate for your merchant account. Your effective rate is the total fees you pay for card payment processing divided by your total net Visa, MasterCard, and Discover (if accepted) transaction volume.

For example, if you paid $100 in total fees last month and your net sales volume processed was $5,000, your effective rate was 2.0%.

 $100 in fees / $5,000 in net sales * 100 = 2.00%

The Durbin Amendment became effective October 1, 2011 and Wind River Financial has chosen to pass all savings as a result of this legislation on to you. This reduction will be reflected beginning with your October statement. Look for your savings by calculating your new effective rate!

By Matt Uselman

In an op-ed to Forbes entitled, “The Key to Job Growth is on the Kitchen Table,” Ann makes a claim that seems obvious to us, but may sound outlandish to others:

...businesses run by families have a financial and personal commitment to their companies that others simply don’t have. That connection leads to a focus on longer-term investments and growth, lower worker-to-management salary ratios, and a strong commitment to employees, especially in tough times.

When Mark Courchane and I established Wind River Financial over 11 years ago, we knew that the company’s long-term growth and stability would be rooted in that commitment to employees. Today, Wind River boasts a culture rarely seen in the payment processing industry – one that places a premium on not just our own family, but employees’ families as well.

By Doug

Here is a an article from 10/12/2011 from hotelnewsnow.com regarding a collective effort from hotel industry groups to begin working with solution providers to create a credit card security framework specifically for the hotel/lodging industry. 

Historically, the nature of credit card transactions at hotels or other lodging facilities in conjunction with industry specific reservation and payment applications have made PCI compliance challenging. 

The article can be viewed here.

By:  Bonnie Kruckenberg

By Doug

Hotelmarketing.com published an article for the hospitality industry titled PCI Certification: How to Ensure Vendors Secure Your Guests' Data.  Click here to read the article.

When looking for vendors that will directly handle credit card data, Visa & MasterCard require that the vendor be PCI compliant.  The vendor can demonstrate compliance validation through an annual on-site audit or via self-assessment depending on the vendor's volume for all customers.  Lists of those that have undergone on-site audits can be found here (Visa) and here (MasterCard).  Vendors eligible for self-validation should be able to provide an Attestation of Compliance signed and dated by an executive officer of the company.  This document is good for one year from the date signed or validated.

We have found that hospitality industry businesses tend to use very industry specific software for reservation management which may also have payment modules that process credit card transactions.  Remember that every entity that accepts credit cards must be PCI compliant which includes using only payment software that has been independently tested by a certified authority and found to be PCI compliant (payment application data security standard validation). 

Wind River Financial asks customers to contact us if specific guidance is needed in this area.

By Doug

On Oct. 4th 1pm-2pm CDT, Cybersource is offering a free webinar titled: Beat Fraud While Increasing Profits.  It will focus on e-commerce and other card-not-present processing environments.

CyberSource experts will discuss proven strategies on how you can keep fraudsters out without impacting your true customers.  Learn how to create fraud-screening rules to automate more order review, deter fraudsters, and identify your good customers, using real-world examples. What type of data do you need? How do you get the most intelligence out of your data? CyberSource is on hand to discuss these questions and more, as you head into your busiest season of the year.

Register for the webinar here.

By Becky Tjugum

Credits do not go through the same posting process as sales transactions. Thus it takes longer to show on a cardholders account. Sometimes it can take up to two weeks depending on the bank. Here are some guidelines if you receive a chargeback for ‘Credit Not Processed’. 

By: Bonnie Kruckenberg

 By Doug

The National Institute of Standards & Technology (NIST) in conjunction with the Small Business Association (SBA) and the FBI have produced a nine minute video for small business owners and management about the importance of data security - It's not just good business, it's essential business.  The video can be accessed here.

Data security is what PCI DSS compliance is all about.  PCI compliance helps secure not only credit card data, but it can also help protect other proprietary data that would be harmful to a business if compromised.  Click here to go to the TrustKeeper website where you can validate PCI compliance.

By: Annette

Each year the United Way of Dane County sponsors a community-wide volunteer event called “Days of Caring”.  This year, Wind River Financial participated in this event by helping with prairie restoration efforts at the UW Arboretum.  On August 24, a team of Wind River volunteers spent the morning at the Arboretum cutting down overgrown sumac, a particularly aggressive weed.  (Arboretum staff members refer to this task as “freeing the oaks”.)  As you can see by the pictures below, it was dirty work, but a lot of unwanted sumac was sent to the chipper that day. 

By: Bonnie Kruckenberg

By Doug

Visa just released a new publication: Visa Acceptance Guide for the Lodging Industry.  It includes best practices for reservations, no shows, incidentals, and ways to help avoid chargebacks.  The guide can be found here.

By Chad

The drastic reduction in debit card interchange fees mandated by the Federal Reserve takes effect October 1^st. The question is: How will it impact your business? Will the changes and savings make it all the way to your business?

By Doug

Malware is showing up everywhere, from your place of business, to your neighborhood grocer to your mobile phone.  In this free webinar, experts from Trustwave, Wind River Financial's compliance partner, will delve into complex malware cases with live demos.

Also presented at DEF CON 19, Las Vegas, this advanced webinar will be especially relevant for IT professionals, from security administrators to CISOs.

You can register for the webinar here.

By Doug

A seven-member industry executive panel ¯ consisting of restaurant merchants, retail executives and industry association representatives ¯ highlighted data security and PCI compliance as key concerns that “keep them up at night,” during the Retail Solution Providers Association (RSPA) annual event in Orlando last week.

Click here to read the article.

By Becky

This is one of the easiest chargebacks to which to respond. Basically you just need to jog the cardholder's memory and remind them what was purchased and the location.

By Doug

On Aug. 9 at 11am CDT, Trustwave will be hosting a free webinar on managed security.  Managed security can help with PCI compliance by meeting or helping a business meet multiple PCI requirements that can often be difficult or expensive to meet individually through the purchase of network hardware or software.

In addition, some solutions can provide instant network segmentation to reduce the scope of a business's network subject to PCI requirements. 

For further information, you can register for the webinar here.

By Doug

On 08/17/2011 at 12pm CDT, Visa will be hosting a free webinar: Identifying and Detecting Security Breaches. 

Visa subject matter experts will teach participants how to identify and detect a security breach, and will provide best practices for handling a compromise event once it has occurred. An overview of Payment Card Industry Data Security Standard (PCI DSS) compliance and audit logging will also be included.

Pre-registration is required.  Please click here to register for the webinar.

By: Cristina

Payment processing through a mobile application on your smartphone is the hot new way to process credit and debit card transactions. Many providers, including Wind River Financial, are offering a mobile payment solution today. But how do you know if this payment app, and your customer's personal information, is secure?

Digital Transactions wrote a great article pointing out that some mobile apps store and leak critical data. viaForensics, a digital forensics and security firm, tested mobile applications and posted their findings on their website. If you are curious to see how your mobile app stacks up, you can check it out HERE!

Dan DeBraal and Dennis Driver, two of our product experts, have addressed the issues around mobile payments and security relating to them in their blog posts, "There's an App for That" and "Mobile Payments: security not keeping up the apps."

Mobile payments are a great way to enhance your business to accept credit and debit cards on the go as long as you are taking the important steps to make sure your customer's personal information is safe and secure. If you'd like to learn more about mobile payments or have questions regarding their security give us a call!!

By Doug

On behalf on Wind River Financial I would like to thank all the sponsors, participants and volunteers that helped make Tee Up for Nursing 2011 a success.   For anyone who is not familiar, Tee Up for Nursing helps to raise scholarship money for Edgewood nursing students.  The nursing industry is facing a growing shortage and this one way to help make the educational requirements easier for students who would like to pursue this career path.

Once again we were lucky enough to have Kathy Whitworth as the honorary tournament chair, and I know the pointers she provided were greatly appreciated.  The evening concluded with a fantastic dinner and an opportunity to hear from some of Edgewood’s nursing students.  The Madison area is truly fortunate to have such a top notch program preparing our future nurses.  If you did not have an opportunity to participate and support this event in 2011, we will surely be back in 2012 and I would encourage you to join the effort! If you would like to learn more log on to www.teeupfornursing.com

On June 29, 2011 the Federal Reserve Board approved the final rules for implementing the price controls dictated by the Durbin Amendment.   Some key points are:

·         The new pricing will be effective on October 1, 2011

·         The interchange rates for most Debit transactions will be capped at $0.21/item and .05%(5 basis points)

Wind River Financial will pass these rates though directly to our customers.  The Durbin Amendment contemplates these savings will be passed on through to your customers.  

Wind River will update details of these rules as they become available.  For your convenience, the FRB final regulations are located at:

http://www.federalreserve.gov/aboutthefed/boardmeetings/20110629openmemo.htm

IRS Mandate for Tax Reporting

        Background

 http://www.ted.com/talks/simon_sinek_how_great_leaders_inspire_action.html

By Doug

Where to Concentrate PCI Security Efforts

HotelNewsNow.com published this article on June 23, 2011 regarding why lodging businesses, as frequent targets of hackers, should concentrate on PCI compliance for credit card and customer information security.

The article can be accessed here.

A business owner made the decision to leave us for perceived lower pricing and better technology for processing.  What they found out after they received their first statement  was that the pricing was more expensive, but more importantly they were unable to connect with their Representative for any kind of help with their questions.  They came back to us not only for competitive pricing and technology, but because we pick up the phone.

 Does your processor pick up the phone when you call?  We will be honest and responsive to be sure your needs are met.  Let me know what you heard today…

By Doug

Small Businesses, Big Losses: How SMBs Can Fight Cybercrime

This is an article about how small and medium sized businesses are often targets of opportunity for cyber criminals.  The article presents relevant statistics on data compromised, average losses, resulting fallout, etc.

The article can be accessed here.

By Dave

Is your business new to credit card acceptance in the Card Not Present environment…possibly enabling your website for eCommerce for the first time? 

Or have you been accepting cards in the mail order/phone order (MOTO) arena for quite awhile, but maybe you are experiencing a high number of costly interchange downgrades and/or chargebacks? 

Are you getting complaints from your customers that your business has unnecessary holds on their credit card funds availability or checking account? 

When credit card acceptance is incorporated within this environment, here are some key questions and considerations that need to be addressed to help determine the optimal means for processing your transactions:

• What is the typical time span between the initial order and the shipment of the product?  Wind River can help you meet the card association requirements specific to the time limits which will keep your costs as low as possible.

• Will you know the exact amount of the final charge (including shipping costs) at the time of the initial order?  The card associations require the settlement amount to equal the total authorized amount.  Wind River can help you with the process to accomplish that.

• For situations involving changes to the amount ordered or dealing with cancelled orders, does your processing system allow for full and/or partial authorization reversals?  If so, is reversing the authorization part of your procedures?  Wind River can help you determine the best procedure to accomplish this which can improve customer satisfaction as well as help meet card association requirements.

• What kind of information are you collecting from your customers prior to processing the order?  By including your customer’s billing address and zip information (AVS) in each transaction, you can lessen your processing costs as well as improve your fraud control.  In addition, fraud can be lessened to an even greater degree by passing through your customer’s card verification code (CVV2/CVC2) found on the back of their card.

The environment for Card Not Present merchants can be quite confusing, complex and extremely frustrating.  Wind River Financial wants to help take away some of those stumbling blocks for you through our support and industry expertise. 

Please call your Wind River Financial Relationship Manager or call our toll-free number at 1-800-704-7253 to learn more detail about ways to improve processing in a Card Not Present environment.

By:  Vicki Ytzen

By Becky

A chargeback is initiated by the cardholder and in some cases by the issuing bank directly. The cardholder will contact their issuing bank when they are not satisfied with the product or services that they have received or they don’t recognize the transaction on their card statement. A cardholder has 120 days from the date of the transaction or date the product/services were received to dispute a transaction.

By Doug

Is your PCI DSS compliance expired?  Have you been getting emails from Trustwave to renew your compliance validation?

As a reminder, PCI DSS compliance validation must be completed annually.  Click here to login and renew your annual validation.  If you have forgotten your username or password, you can use the password reminder utility at this webpage or contact Trustwave Support at (800)441-1762. 

You can always login to your compliance account at Trustwave at: login.trustwave.com or "pci.trustwave.com/windriverfinancial"

By: Jenny

Accepting credit cards can be a significant, but necessary, cost for most businesses. How do you get the most “bang for the buck” on the dollars spent on card processing? In the credit card industry, the biggest win is usually found in using a processor that can help you save time, reduce risk/liability, maximize efficiency and grow, rather than simply minimize your rate. Let’s consider an example.

By Doug

On Tuesday 6/21/2011 at 1pm CDT, Wind River Financial's compliance partner, Trustwave, will be hosting a free webinar on how a data breach could effect your business.  Many merchants don't realize how devastating a data compromise can be until their systems have been hacked. Compromised merchants can experience costs for forensic exams, hefty fines, potential litigation, damage to reputation, and loss of business.

In this 60-minute webinar, security expert Steve Peskaitis from Trustwave's SpiderLabs will cover:

• Risks and costs of non-compliance with PCI DSS
• Business impact case studies
• Methods to help prevent breaches and comply with PCI DSS

Please register for the webinar here.

Do you currently use the DialPay system to process your transactions? Do you find it cumbersome and inefficient? Do you have repeat clients or customers that you process multiple transactions for on the same card and have to continue to ask for their card information?  Perhaps you keep their card information on file, requiring extra security measures to insure the information is not compromised. Do you find it difficult to track your repeat customers’ purchases? If any of these questions apply to you, then it may be time for you to consider a different way to process your transactions. And a virtual terminal may be the answer. Some of the features of a virtual terminal are: 

•  A virtual terminal allows you to log on to a website to process your transactions. You are able to process your transactions using your computer’s keyboard and monitor which gives you the ability to see what you are entering as opposed to calling in to DialPay and entering all of the credit card data using your phone keypad.

•  A virtual terminal efficiently stores customer and card information for future transaction processing. This eliminates the need to ask your repeat customers for card information every time they place an order. There is no need to keep card information on file, which can leave you vulnerable to a breach should the information get into the wrong hands. 

• A virtual terminal greatly reduces the amount of information you have to enter when processing transactions for repeat customers. It also allows you to process voids or credits simply and efficiently by referencing the original transaction.

• A virtual terminal allows you to view transaction history and maintain customer files to include such information as billing and e-mail addresses.

By Doug

Businesses with multiple physical locations face unique challenges when trying to protect sensitive data including: securing complex networks, maintaining secure data exchange, and maintaining an efficient data security infrastructure.

During this one hour webinar, Wind River Financial's compliance partner, Trustwave, will discuss:

• The biggest threats to your important data
• Effective use of technology for regulatory compliance
• Best practices for multi-location security management

When: June 14th 11am CDT.  Please register for the free webinar here.

By: Matt Tomlinson

Effective November 1st, 2011 MasterCard is expanding the existing authorization reversal mandate to include all MasterCard branded transactions which includes Credit, Debit and Prepaid for all merchants except for those with the following Merchant Category Codes:

By: Vicki Ytzen

Partial Authorizations

"Amount Due"  What's that?

You have just swiped a credit card and entered $150.00, the terminal dials out and comes back with a response on your screen saying "Amount Due $25.00".  The terminal is just sitting there with that message on the screen, and you're asking yourself what do I do now?

This is what happened: The card has approved for an amount less than the total sale.  Instead of giving a response of DECLINE, it's letting you know that only $125.00 was approved and the customer still owes $25.00.

You must print the receipt for the approved amount before going forward.  Press Enter, the terminal prints the receipt for $125.00, and at the bottom of the receipt it says AMOUNT DUE $25.00.  The customer needs to pay the balance due by another credit card, check or cash.

If the customer wants to cancel the sale, remember, the initial sale has already been approved and processed.  You will need to issue a Credit Refund for the partial amount that was approved.  DO NOT VOID THE TRANSACTION!

Has this happened to you?  Prior to this new change you would have gotten the response of "DECLINE".  Now, it approves the available amount, and let's you know if there is a balance due! 

Wind River Financial will continue to keep you up to date on all the new required processing procedures from the card associations.  

By Doug

Trustwave, Wind River Financial's PCI DSS compliance vendor, has recently released a report on Payment Card Trends & Risks for Small Merchants.

As Trustwave conducts more post breach forensic investigations than all other entities, the report identifies statistical trends in the types of merchants most targeted by hackers and identifies that 90% are smaller merchants.

The report can be downloaded here..

By Doug

On 5/23/11 at 3pm CDT, Trustwave will hosting a free webinar: Understanding Network Protection: The Key to PCI DSS Compliance. 

The number one reason businesses fail PCI DSS compliance is because their computer network is not properly protected. 

This webinar will help you understand and address network protection for PCI DSS. A Trustwave expert will help you understand the key requirements for network protection, and why addressing them is critical to the security of your business and the protection of cardholder data.  In the webinar, you will learn:

• The PCI DSS requirements merchants fail most often
• Small merchants at risk and why
• PC DSS: What's required, at a minimum, to ensure your business is protected
• Network protection devices - the basics

You can register for the webinar here..

By Doug

After completing the Self Assessment Questionnaire (SAQ) at the Trustwave portal for PCI, the "Submit" or "Acknowledge and Submit" button must be pressed in order to send your answers to Trustwave and complete the process.  This is for both customers completing the SAQ for the first time, and those renewing their SAQ prior to the annual expiration.

If you have recently completed your SAQ, please log in to the Trustwave portal to ensure that you have properly submitted your SAQ answers.  You can go to the Trustwave portal by clicking here and log in at the link at the top of the page.

By Doug

Visa has recently become aware of fraudster attacks targeting merchants running version 2.2 or earlier of osCommerce Merchant e-commerce solution software. 

Through a documented exploit, fraudsters are able to identify and target merchants or third party web hosts running vulnerabile versions of this osCommerce software and compromise it remotely.  Once the software has been compromised, criminals can gain administrative level access to the web server and data therein to perpetrate fraud.

It is critical that businesses use e-commerce software that is compliant with the Payment Application Data Security Standard (PA DSS) and ensuring that they are using the most up-to-date version.  Merchants and third party web hosts using a vulnerable version of osCommerce should immediately update to version 2.3.  PA DSS validated versions of e-commerce solutions can be found here.

In addition, e-commerce soutions must be installed, configured, and maintained in a PCI DSS compliant manner to help secure them.  Businesses using third party web hosts are responsible for ensuring that the web hosts are PCI DSS compliant as a service provider and that the web host is using a PA DSS compliant e-commerce solution if pre-installed.

By Doug

Trustwave will be hosting a free webinar on May 19th at 11am CDT: Is Your Website Leaking?  Web applications are built to provide information to users, but sometimes they provide too much data. The end result is that hackers are able to access valuable data and use it to dig deeper into the target network. 

The webinar will highlight:

• How leakage of information affects companies
• Common techniques hackers use to extract data
• Methods to prevent these attacks
 

You can register for the webinar here.

.

By Doug

At the recent Visa Global Security Summit, Visa released a new video concerning the state of fraud trends and the strategic initiatives Visa is taking to meet fraud challenges. 

The video can be found here..

by Mark Taber

By Doug

It is important that customers receive notification emails from Trustwave.  Trustwave sends out advance notices of PCI compliance expiration, advance scan notices, scan results with links to view scan result details, etc. 

In order to ensure you are getting Trustwave's emails, please have your IT provider add the following domains to your email client whitelist: trustwave.com and communications.trustwave.com.

By Doug

Tomorrow (4/19) at 1:30pm CDT, Wind River Financial's compliance partner Trustwave will be hosting a free webinar called Methods to Reduce Scope and Manage Risk for PCI DSS.

If using the internet for credit card authorizations, reducing your network scope by use of internal network firewalls or other forms of segmentation can greatly reduce the time, cost, and effort of reaching and maintaining PCI compliance. 

In addition, use of newer techniques like point-to-point encryption or redirecting customers from your website to PCI compliant gateways prior to entering their credit card number can pull pieces of your network entirely out-of-scope for PCI and also negate the requirement for your web host to be PCI compliant as well.

You can register for the webinar here.

by Mark Taber

A corporate branding effort frequently rises to the level of “Project Charter” or “Major Initiative” for one overarching reason: a successful branding effort takes unwavering commitment.  That commitment – of time, human resources, money and thoughtfulness – doesn’t just come from your Marketing Department. With branding, the commitment must be companywide, whether you’re initiating a true branding effort for the very first time or embarking on a “re-brand.”

• Branding is a companywide effort
• Branding focuses not on what you do, but how you do it
• Branding manages the gap between who you are now, and who you aspire to be (as a company)
• Branding can include the voice of the customer
• Brands fail because staff either doesn’t believe in, or isn’t trained on how to deliver, the promise(s) central the brand
• A Brand Specialist can guide you through the process

by Mark Taber

“Wind River Financial creates and nurtures strong client relationships by delivering industry-leading customer care; relevant, high quality products and services that exceed the scope of payment processing; and business expertise that our clients can use in meaningful, profitable ways.”

By Becky

"A low-tech fraud scheme proves financial institutions must be ever mindful of their security and due diligence gaps." 

"Using aliases and counterfeit driver's licenses, as well as other forms of identification, LuQuada Dixon of Oakland, Calif. and other accomplices allegedly convinced tellers at bank branches to advance cash on stolen credit cards."

"The scheme, though well orchestrated from a social engineering perspective, is almost archaic by today's cyber-savvy criminal standards”.  See the full article.

As stated in the article, it is important to always follow your internal processes for cash advances no matter what the customer requests you to do.  For additional tips on secure cash advance processes see our Cash Advance Processing Procedures here or on the Wind River Financial website.

 By Doug

As the hospitality industry continues to be specifically targeted by hackers seeking credit card data, the link below is a recent article from the Spring 2011 edition of HospitalityUpgrade magazine regarding specific items hotel operators should be reviewing as they are common weaknesses that hackers are exploiting to breach hotel computer networks.

The article can be accessed here.

By:   Bonnie Kruckenberg

By:Matt Uselman

As a young college student working at a bank I mistakenly put $20.00 bills in the slots for $5.00 bills in an ATM machine.  While my error delighted the customers wanting $5.00, it was a problem for those people requesting $20 and only receiving $5.00.  Fortunately for me my manager was supportive and we worked our way through the problem together.  

As difficult as these changing times are for people and business it’s no time to sit back and fret about “things that didn’t happen right or things that happened wrong”.  Rather, it’s time to plan, do and review your way to recovery and forward momentum. 

As a business owner you realize that you don’t stop making mistakes, you figure out how to recover from them quickly.  Learning that takes place in the recovery process is important, often painful but hopefully not fatal.  In addition, learning should take place in the review process.  An honest assessment of your goals, strategy, or execution should teach you something.  I have found that this type of learning begins with your team’s ability to speak the truth to one another. You must be able to focus on what matters (80/20 rule), don’t blame others (look in the mirror first) and trust each other.

If you want a detailed, practical, description of how to learn from mistakes visit Scott Burkun’s blog:  http://www.scottberkun.com/essays/44-how-to-learn-from-your-mistakes/.  Scott is a noted author and speaker on business and management issues and I have found his perspective interesting.   To see a more academic perspective on learning from mistakes you can also visit the website for the Harvard Business Review at www.hbr.org.

Let me know your thoughts at muselman@windriverfinancial.com

Lawmakers Increase Efforts to Delay Durbin Amendment

Lawmakers and others on Wednesday added their voices to a push to delay the finalization of debit interchange rules under the Durbin Amendment, with U.S. Sen. Jon Tester (D-Mont.) arguing that "the stakes are simply too high to move forward with this rule without a closer look at the impact on credit unions and community banks." Congressional opposition to the measure has revved up in past weeks following the testimony of two top regulators at a Senate hearing that it could put small banks at a competitive disadvantage. Several lawmakers cited comments from Federal Deposit Insurance Corp. chairman Sheila Bair and Federal Reserve chairman Ben Bernanke that the provision could coerce small banks into reducing their interchange fees or face potential rejection of their cards by merchants. Bair and Bernanke have suggested the possibility of mandating a two-tiered system to prevent retailers from rejecting debit cards from smaller banks with higher fees, but Tester and other lawmakers have viewed the proposal with skepticism. Other opponents to the debit interchange rule include Independent Community Bankers of America chairman James MacPhee, who said that Kalamazoo County State Bank would lose $20,000 on its debit card program if the rule is enacted, forcing it to hike fees on products and services to compensate for the lost income. "It shouldn't be the job of Washington to decide what you make a little profit on and what you are going to give a little on," says Sen. Roy Blunt (R-Mont.).

 

By Doug

Wind River Financial is proud to announce that we have become a Participating Organization (PO) in the PCI Security Standards Council.  Wind River Financial has strived to educate merchant customers and their service providers (including web hosts) about Payment Card Industry Data Security Standard (PCI DSS) compliance requirements for any entity that touches credit card data. 

In becoming a Participating Organization with the body that maintains the the PCI DSS, Wind River Financial will be even better positioned to gain advance knowledge of items the council committees are debating which can result in changes to the standard or release of clarification documents which, in turn, will allow us to assist our customers with their compliance efforts even better.

Wind River Financial looks forward to active participation in the council.

By Doug

On Tuesday March 22nd at 1:00pm CDT, Wind River Financial's compliance partner, Trustwave, will be hosting a free webinar entitled Overcoming the Common Challenges of the PCI DSS.  The webinar will help smaller merchants understand and overcome some of the more difficult requirements within the PCI DSS.

You can register for the webinar here.  As always previously recorded webinars are available on demand and a list of upcoming webinars are available here.  All are free of charge.

 By Doug

Visa has issued an informational bulletin regarding credit card terminal tampering by organized criminal groups.  Tampering includes installation of a "bug" that can capture credit card information from the terminal without the merchant's knowledge.  

The industry has seen the prevalence of this crime globally and there have been several cases throughout Wisconsin primarily by travelling criminal groups.

The bulletin gives tips about how to protect your business from this scheme.

The bulletin can be read here.

By Doug

Did you know that the PCI DSS has requirements surrounding third party web hosts for merchants if the merchant will be conducting e-commerce via their website?  

Any entity with whom a merchant shares credit card data is considered a service provider, and it is required that all service providers are PCI compliant, just like a merchant.  This is to help ensure the security of credit card data all the way through the transaction process.  A logical way of thinking about this is that PCI requirements follow credit card data wherever it goes and apply to any entity that physically touches the process.

An effective way to make PCI compliance easier is to limit the scope of your network to which PCI requirements apply.  Whether merchants do e-commerce only, or in addition to other credit card acceptance, there are product solutions called 'redirects' that can take your e-commerce piece entirely out-of-scope for PCI.  

At a high level, these solutions redirect your customer to the webserver of a PCI compliant gateway provider prior to entering their credit card number.  The result is that credit card data will no longer be processed or transmitted from your website - no card data...no PCI requirements.  

Wind River Financial partners with many gateway providers to provide this effective solution to customers.  Contact your Relationship Manager to inquire further (800)704-7253.

Part 3 of 4

By Matt Uselman

Point-of-Sale Technology:  The goal of technology should be to offer comprehensive, convenient and efficient payment systems.  The challenge is to identify what technology your clients will want to use, how to secure the data and integrate the information into your operations to improve efficiency.  Another logical question is to determine how to use the sales information to expand your target audience?  Consider giving Dennis Driver, Wind River Financial’s product manager, a call to learn more about this subject. Dennis can also be reached at ddriver@windriverfnancial.com.

By Joan

In the past year the card networks have been expanding their “no signature required” option for many merchants with face-to-face transactions. These programs generally allow swiped transactions of $25 or less to be processed without requiring a signature by the card holder. The “no signature required” is intended to help expedite the check out process and offer customer convenience. Additionally these programs provide certain chargeback protections for merchants.

If you are not currently participating in the “no signature required” program and would like to take advantage of this option, please contact your Wind River Financial Relationship Manager or call 800-704-7253 for more information.  In most cases, participation is as simple as a partial terminal download or signature suppression within your point-of-sale system.
 

By:  Matt Uselman

Part 2 of 4

Cardholder data security is the second of four major trends that will affect how your company will get paid in the future. Securing data is the responsibility of the business owner or key executive.

Weighing the actual cost of compliance against the potential cost of a security breach (hard and soft dollars) plus the negative impact on your brand makes becoming compliant an easy decision.  While other people in your company will tell you the risk of a breach is low, and it may be, you still have to consider the magnitude of the consequences caused by a breach.  An analogy we ask you to consider is that of fire insurance; no prudent business person would be uninsured for fire yet the probability of a fire is likely to be low.  The same is true for PCI compliance.  Another important tip to know is that even if your point of sale system is compliant your firm still needs to comply with the PCI DSS standards. 

Check out the link to see how other tech folks view the issue: http://www.techrepublic.com/whitepapers/pci-dss-avoiding-the-data-theft-disaster/330447

Learn more about Wind River's PCI Partner Program and see how we can help your company. 

By Doug

Trustwave recently released their 2011 Global Data Security report with key findings about computer breach trends, data pursued by hackers, targeted industries, etc. 

The report can be accessed here.

By:   Matt Uselman

Part 1 of 4

The world of electronic payments continues to increase in complexity and importance to your company.  Last year over 75% of the non-cash payments were made using some form of electronic payment.  We believe that the four trends affecting how you collect payments are government regulation, data security, point-of-sale technology and payment cost structure.  The trends are interrelated and therefore a change in one variable can change the outcome of the equation. 

Government regulation:  In the tug of war between merchants and banks, the government has tried to advocate for consumers by forcing banks to lower the fees for debit card transactions charged to merchants. The theory is that if banks charge merchants lower fees, then merchants will pass the savings to consumers.  Competition among businesses will be the mechanism to force merchants to pass along the fee reduction to consumers.  In addition, businesses may now offer discounts to customers that pay with other payment types (e.g., checks, etc.), not just cash and in certain circumstances may now set minimums and maximums for credit card transactions.  These rules will be finalized later this spring. 

Other regulatory changes on the horizon include 1099 reporting for merchants for 2011; including minimum withholding (20% of card volume) in 2012 for non-matching Tax Identification Numbers.  We also see the possibility of a fight over the regulation of credit card interchange rates on the horizon. 

Wind River Financial can help you determine the impact of these regulatory changes on your business. What will the new fees mean to your transaction cost and fixed cost structure?  Can you pass any savings to clients?  How will you create incentives to add sales?  How are your banking costs impacted? 

Next time we will look at some of the key trends relating to data security.

By Matt Uselman

Dr. Narayana Kocherlakota, President of the Federal Reserve Bank of Minneapolis, recently presented information to an audience of business people hosted by Wisconsin Bankers Association.  Dr. Kocherlakota’s key message is that the national economy is likely to improve slightly in 2011 over 2010.  Economic growth is expected to be 3% to 3.5%.   Unemployment will continue to be over 9% during 2011 and may remain above 8% through 2012.  Inflation is very close to zero and will not be an issue in the near-term.   The loss of individual’s net worth due to the decline in housing values as well as a lack of job security are the two big drags on the economy.   

Her are links to learn important details about Wisconsin’s economy:

Lessons from the “Great Recession”:   Wisconsin Bankers Association:  www.wisbank.com

Business Confidence Rising:  Wisconsin Manufactures & Commerce: www.wmc.org

Home Construction Development Looking Up:  Wisconsin Builders Association: www.wisbuild.org

Please contact me if you would like a copy of Dr. Kocheriakot's complete comments.

About one in five consumers would stop frequenting merchant locations that refuse to accept their credit cards for small payments, new survey data from Market Strategies International suggest.

A provision of the Durbin amendment within the Dodd-Frank Act directs the Federal Reserve Board to issue rules to allow merchants to refuse credit card transactions that are less than $10 and to enable merchants to offer consumers discounts for using less-costly forms of payment. Observers expect the Fed to issue its preliminary rules late this month, and they would go into effect in July.

In the Livonia, Mich.-based research firm’s quarterly online survey involving 2,006 adults ages 21 and older conducted Sept. 23 to 29, 46% of respondents said they would pay with cash instead if a merchant refused to accept their credit card for a small-ticket purchase.

Some 28% said they would use their debit card instead, 21% said they would stop shopping at that merchant’s location, and 4% said they would add something else on to their purchase to increase the sale to more than $10 so they could use their credit card.

By Becky Tjugum

An old but new fraud scam is circulating out there. The card brands require a merchant to credit the same card where the original transaction took place. But some cardholder’s, or should I say fraudsters, try to get merchants to do otherwise, especially in card-not-present situations. Be wary of customers making a purchase and then shortly thereafter, typically before the product ships, request the order to be canceled and a credit issued to a different credit card. Their story for having the credit issued to a different card can be multi-leveled and complicated.  The fraudster was never interested in the product or service that was ordered, they only want the credited funds placed on another card to be withdrawn and used in other fraudulent activities. The bottom line is, even if the original card has been compromised and closed, an issuing bank will still accept credits being posted to that card and will transfer it over to the new card that has been issued. Only issue credits to the card of the original sale.

By Doug

Regional criminal intelligence is showing a trend in bank robberies in which robbers are approaching financial institution personnel outside the bank when the employee is arriving to open the branch for the day. Armed suspects are forcing the employee to open the branch door and vault.  In some cases, suspects have fled with a great deal of cash.  To date, this has mostly occurred in the Milwaukee area.

By Doug

On Tuesday 12/07/2010 at 1:00pm CST, Wind River Financial's compliance partner, Trustwave, will be offering a free webinar answering questions about compliance challenges faced by merchants and common questions from everyday interactions about the Payment Card Industry Data Security Standard (PCI DSS). 

Date: Tuesday 12/07/2010

Time: 1:00pm CST

Please register for this free webinar here.

By Doug

On October 28th, 2010, the PCI Security Standards Council (PCI SSC) released version 2.0 of both the Payment Card Industry Data Security Standard (PCI DSS) and the Payment Application Data Security Standard (PA DSS). 

As it has been said, the updated version is mostly 'evolutionary' as opposed to 'revolutionary.'  It mostly contains clarifications on existing requirements and the council is beginning to address rules surrounding point-to-point (P2P) encryption and how P2P can potentially limit the scope to which the PCI DSS would apply to a business environment. 

In addition, the PCI SSC has also released their new website which can be found here.  The new website contains a special area for smaller merchants with useful information that can be found here.

Wind River Financial also encourages smaller merchants to visit the small business website of our PCI compliance vendor Trustwave.  It can be found here.

By Doug

Visa has seen the resurgence of an old fraud scheme whereby criminals can exploit weak online log-in credentials to access merchant accounts and conduct fraudulent transactions.  To help merchants better understand their responsibilities related to securing cardholder data, Visa Payment System Security will host a free data security call on Tuesday, November 2, 2010, at 12 p.m. CDT (11am MT).

The call will focus on best practices for preventing fraud and data compromises when criminals target merchant's Internet payment gateway environments. Special attention will be given to preventing criminals from exploiting weak merchant credentials from the merchant's network to access the gateway system and submit fraudulent credits.

Register for the webinar here.  participants will receive a confirmation e-mail that will include instructions on attending this event. This session will last approximately 30 minutes.

 

By Doug

Wind River Financial would like to alert the business community about an increase in fraud to small to medium businesses and municipalities resulting in large financial losses. 

The fraud normally begins by convincing 'phishing' scams in which criminals trick users into clicking on links in emails.  Doing so can allow criminals to download sophisticated malware to the business computer network which steals banking login credentials and other information.  The malware also spreads to other employees. 

Once the criminals have this information, they conduct wire transfers, or other acts, to obtain funds from the business bank accounts.  These funds are often unrecoverable.

Various federal law enforcement agencies have assembled additional information regarding this recent increase in account takeovers to busineses.  The information can be found here.

By Becky

For more information on preventing chargeback’s visit Visa.

By Doug

On Oct. 19th at 1pm, Trustwave will be hosting a free webinar on the upcoming release of the new version of the Payment Card Industry Data Security Standard.  Trustwave is Wind River Financial's partner for PCI DSS compliance validation services.

The new version is not expected to contain drastic changes from the existing version (1.2), but there are likely to be clarifications that may effect merchant compliance efforts.

You can register for the free webinar here.

By Doug

The Wall Street Journal posted an article on Oct. 2, 2010 regarding recent arrests the FBI and international law enforcement have made related to an organized criminal group who used Zeus malware to steal approximately $70 million from mostly small to medium sized businesses, churches, etc, in the U.S.

Important in this article is that organized crime is very much targeting small to medium sized businesses who they believe do not have the sophisticated IT security that many larger businesses may have. 

Zeus malware steals a business's sign on information for online banking and the criminals then initiate wires from the victim account to international bank accounts or sometimes to domestic accounts in which individuals owning the accounts are accomplices who then forward funds to the criminal ring.

The article can be found here.

By Doug

Visa Empowers Cardholders to Fight Fraud. Visa Marks National Cyber Security Awareness Month with Launch of New Website to Help Consumers Fight Payment Card Fraud

Visa Inc. marks National Cyber Security Awareness Month with the launch of a new website to help cardholders and small businesses protect payment card account information, avoid payment card scams and resolve unauthorized use of their cards. Visa is providing cardholders tips with practical know-how for protecting account information, avoiding payment card scams, and resolving unauthorized card use.

Visa's new website is at www.visasecuritysense.com, Visa also joins the National Cyber Security Alliance's "Stop. Think. Connect." campaign to educate consumers about protecting themselves and their personal information online.

Visa's new site for retailers can be found here.

by Bonnie Kruckenberg

Visa, MasterCard and Discover are each making changes to some fee structures in October 2010.  These changes are specific to select interchange categories, programs and fees.  Wind River Financial has developed a summary FAQ designed to help you better understand the changes taking place and how they may impact you.  Click here to view, download or print the FAQ from our Client Resources Library.

By Doug

Please see the announcement below from Visa.

By Becky Tjugum

We recommend daily monitoring of credits that are processed through your credit card terminal or POS. This is an area in which fraud can take place from internal or external sources.   Internally, without a thorough credit approval process, employees can issue credits to their own credit or debit cards or those of family or friends.   Externally, fraudsters can hack into or gain access to your card processing system and issue credits to debit cards. 

By Doug

Visa recently published an informational bulletin on data security for small merchants.  The publication can be found here under Best Practices. 

by Mark Taber

I heard a compelling presentation last week by Lou Heckler on how to be a leader in these tough economic times.  He was speaking before a group of bankers attending a two-week session at the Graduate School of Banking (GSB) at the University of Wisconsin.  Wind River sponsored the speaker series for the nationally acclaimed school that for 65 years has been an industry leader in providing advanced management education for financial professionals.  This school offers hands-on training for senior level managers and executives in the financial services industry and this year attracted students from more than 10 countries from around the globe.
 
Heckler's presentation, “Leadership by CHOICE”, focused on six drivers that make people and companies high performers.  Using humorous real life stories, Lou shared his insight on the Competency, High expectations, Ongoing relationships, Innovation, Clarity and Excitement needed to be a top performer these days.  Many of Lou's points align with the Wind River Promise to our Clients: To create and nurture strong client relationships by delivering industry-leading customer care; relevant high quality products and services that exceed the scope of payment processing; and business expertise that our clients can use in meaningful, profitable ways. 

You can find out more about Lou at louheckler.com.
 
Choose to be a leader when it comes helping your customers today.

By Doug Buan

Verizon Business Risk, in conjunction with the U.S. Secret Service, has just released the 2010 Data Breach Investigations Report.  This is an excellent source of information for understanding trends in computer breaches and how hackers continue to steal credit card information. 

You can download the report here.

The recently signed Financial Regulatory Reform Act is a major piece of legislation produced as a response by the Federal Government to "create a sound economic foundation to grow jobs, protect consumers, rein in Wall Street, end too big to fail, and prevent another financial crisis." This Bill will have far reaching effects on all financial services organizations, businesses and consumers.  The heavy lifting is yet to come as the rule making bodies begin the arduous process of boiling the law down to rules and regulations, including creating a new regulatory body to oversee the consumer protection. There has been much written about the potential impact to the payment processing industry, primarily focusing on interchange fees, but the ultimate rules are just predictions at this point.  

by Bonnie Kruckenberg

Wind River Financial is proud to have co-sponsored the 7th Annual Tee-Up For Nursing golf outing to raise scholarship funds for Edgewood College nursing students.

The outing was held on Monday, July 12th at Nakoma Country Club with special guest Kathy Whitworth, an 88-time LPGA champion and Hall of Fame inductee.  Nearly 90 golfers participated in this year's event, which brought the 7-year fundraising total over the half million dollar mark!

Wind River Financial has been participating in this important fundraiser since 2008, and joined Group Health Cooperative in co-sponsoring the this year's event.   The fundraising and awareness campaign are meant to call attention to the severe shortage of nurses projected in Wisconsin in the coming years.

By Doug

Wind River Financial's partner, Trustwave, will be hosting an upcoming free webinar called Understanding the PA-DSS (Payment Application Data Security Standard).  An expert will discuss what the PA-DSS is, who it applies to, and relevant deadlines for industry compliance.  Visa requires that any payment application in use must be PCI compliant.

You can register for the webinar here.

It will be held on July 20th at 1pm CDT but will also be available as a recorded session here shortly after the webinar.

In addition, you can receive direct email notice of all upcoming Trustwave webinars by registering here.

by Dan Bielinski

Two industry changes have taken effect as of July 1, 2010.

1. Visa has increased its assessment fee from .0925% to .11%
2. Visa has also issued a new payment application security mandate. Please see the blog posting dated April 16th for details, and check the list of validated payment applications to ensure that your software is compliant with these standards.

If your payment application is listed, then you needn't take any action. This means that your software is not improperly storing card information.

If your payment application is not listed, you may be vulnerable to fines from Visa or other potential penalties. In this case, you should contact your software developer to determine if there are plans to bring your payment application into compliance. If no such plan exists, we recommend that you switch to a compliant payment application already on the validated list, or, in the case of major system transitions, begin the process of planning for such a switch.

Don't hesitate to contact us if we can help with these or any other issues!

By Doug

Wind River Financial partners with Trustwave for PCI DSS compliance services for our customers.  Trustwave's SpiderLabs group will be hosting a free webinar titled: Understanding and Preventing Layer 2 Attacks.  

Layer 2 attacks involve the interception and manipulation of data at the local network level. For a merchant, this means within your computer network.  Due to the dynamic nature of local networks, Layer 2 attacks almost always succeed, allowing attackers to read and manipulate data where security controls tend to be weak. 

During this webinar, SpiderLabs experts will
 

• Define Layer 2 attacks
• Define the technologies used to instigate them
• Review best practices to prevent such attacks

IT and IS professionals with network experience will find this presentation useful.
 

Date: June 24, 2010
Time: 10:00 a.m. CDT

Please click here to register for this webinar. 

By Doug

Wind River Financial's vendor for the PCI Partner program, Trustwave,  has a new webinar available entitled "I'm Compliant...Now What?"  It will be shown on Tuesday June 15th at 1pm CDT and will be available ongoing via recorded webinar.

Many businesses do not realize that PCI compliance is not a finish line, it's an ongoing process.  It's a change in business process and thought with tactical and strategic decisions always being made with information security in mind.  This goes for both large and small businesses.

To register for this free webinar, please follow this link: I'm Compliant...Now What?

By Doug

Qualified Security Assessors (QSAs) are experienced IT personnel that have obtained special certification in consulting for the PCI DSS.  They can assist by helping clarify requirements within the Standard, assessing a merchant environment for PCI scope, recommendations for scope reduction, etc.

Wind River Financial has recently purchased a block of QSA telephone consultation hours from our partner, Trustwave.  Normally a customer would have to purchase a QSA consultation at $2500 minimum if going directly through Trustwave. 

As an added value to our customers, we are offering individual QSA consultation hours at $250/hr which is a pass through on our cost.  Calls to date have been very successful and have helped many IT personnel better understand how the PCI DSS applies to their environment and what is needed to approach it successfully.

If you are interested in a QSA telephone consultation, please contact your Relationship Manager at (800)704-7253.

By Doug

The following is information pertaining to an upcoming free webinar hosted by Trustwave.

PCI 101: Common PCI DSS Failures and How to Avoid Them

The requirements of PCI DSS are varied and complex, making the compliance process for small merchants seem like an overwhelming task. But some requirements are more difficult than others, as discovered by the compromise investigations conducted by Trustwave's advanced security team in 2009.

During this free webinar, a Trustwave expert will

• Identify the most commonly failed requirements of PCI DSS
• Offer best practices to overcome these common failures

Small and medium-sized merchants, and any organization just beginning the compliance process, will likely find this webinar useful.

May 18, 2010 1:00 p.m., CDT

You can register for this free webinar here.

By:  Bonnie Kruckenberg

Want to stay informed and up on the latest industry news?  Any time we make a blog post you will be alerted by an email notification.  It is easy!  Just go to the bottom of this blog page in the right hand corner and sign up!  This will be another great way for us to stay in touch and keep you informed!

By Doug

Wind River Financial partners with Trustwave to provide customers with tools and information to help merchants validate PCI compliance.  Trustwave recently built a "sitelet" to provide PCI related information in an easier format for smaller merchants. 

The sitelet includes a video with interviews of small business owners who have used Trustwave's TrustKeeper 3.0 to validate PCI compliance which is the same tool provided by Wind River Financial and Trustwave to help our partners work toward compliance.

The sitelet can be found here.

By Doug

Visa has notified processors of an amendment to existing operating regulations effective May 1, 2010 based on a recent trend they are referring to as "Data Pass."  Visa has defined Data Pass as follows:

To ensure that merchants recognize that the data pass practice is prohibited, effective 1 May 2010, U.S. Regional Operating Regulations will be amended as follows:

• Section 5.2.I.1.b Merchant Disclosure
  
  If the Merchant undertaking the initial Transaction has an agreement with another Merchant that allows the other Merchant to initiate a subsequent Transaction with the cardholder, the subsequent Transaction (after the initial Transaction has been completed) must be initiated as a new transaction such that:
  

• A separate transaction process is initiated
• The Cardholder is required to enter their Primary Account Number separately for the subsequent Transaction
• All other Transaction requirements comply with the applicable sections of the Visa U.S.A. Inc. Operating Regulations

• Section 5.2.I.2.a Agent Disclosure (Op Reg ID 8027)
  
  An Agent must not disclose a Cardholder Account Number, or other Visa Transaction Information embossed, printed or encoded on a Visa Card to third parties, other than for one of the following reasons:

• For the sole purpose of completing the initial Merchant Transaction
• As required by local law
• With the Permission of the Issuer, Acquirer, or Visa, as specified in the Visa U.S.A. Inc. Operating Regulations

These new rules clarify that merchants forming marketing and/or referral arrangements with other merchants may not transfer cardholder information to their referral partners to complete subsequent transactions with the Visa cardholder. Alternatively, any subsequent transactions related to these marketing arrangements must be subjected to a separate and distinct check out process. This separate check out process must require the cardholder to provide an account number so there is clear recognition that a sales transaction will occur.

A direct link to Visa's notification can be found here.

This tactic involves the sharing of consumer information, including Visa account numbers, between merchants without the consumer’s explicit knowledge or consent.

The data pass practice typically occurs when an advertisement is presented to a consumer immediately following a purchase made through an online merchant. The advertisement redirects the consumer to a third party that then attempts to enroll the cardholder in a monthly membership club. The third party offering the membership club enrollment is able to complete any subsequent transactions using cardholder information already “passed” to them by the initial merchant.

The unauthorized transfer of cardholder information and poor disclosure practices associated with this practice has subjected cardholders to aggressive sales tactics and unauthorized charges made to their accounts. This sales tactic has also resulted in a formal investigation and report completed by the U.S. Senate Commerce Committee.

By Doug Buan

As a valued customer of Wind River Financial, we would like to alert you to an important security mandate that takes effect this year. 

By Amy McCaughn

Wind River Financial is pleased to pass along a special offer from the Graduate School of Banking -- $100 off the registration price on any or both of their fantastic online seminars. 

 How to Strategically Manage the Investment Portfolio

Tuesday, April 27, 10:00-11:45am

Regular price $325; discounted price $225

Coaching for Better Performance (A 2-Part Program)

Starts Thursday, April 29, 9:30am

Regular price $450; discounted price $350

Bank management, lenders, investment specialists and marketers will all find value in these insightful and informative seminars.  To take advantage of the special discount, visit the registration here and enter promo code SP2010-100.

By Dan Bielinski

Visa, MasterCard and several major PIN Debit networks are making changes to their fee structures effective April 2010.  These changes affect multiple card categories, programs and fees. 

See how the changes impact you with our convenient summary, located in the Client Resources Library.

To minimize the impact of these changes on our merchant clients, Wind River passes these fees through with no additional mark-ups or adjustments.  As always, we continue to monitor client activity to ensure that merchants are qualifying for the lowest possible rates.

If you have any questions about these fee changes, pleast contact the Wind River Client Care Team.

By: Stanley D. Koopmans

Please open the link below for a table of Wisconsin bank performance ratios with a national comparison as of September 2009.  As a whole, Wisconsin Banks had a lower level of past due and net charge offs, but did not compare as favorably for capital, earnings, and liquidity.   

images/file/WI%20and%20US%20Bank%20Ratios.pdf

By:  Bonnie Kruckenberg

Hey, have you heard our name mentioned on the radio?  Just this week we started to sponsor the news on WIBA 1310 AM radio here in Madison.    We are hopeful that we can familiarize our local community with the Wind River Financial name and what we do!    As 2010 progresses, we’ll also be sponsoring the Milwaukee Brewers broadcasts on WIBA.  There are a lot of Brewers fans in our office!

If you catch one of our commercials, pop me a note and tell me what you think!

By Doug

On Tuesday 3/16 at 1pm CT, Wind River Financial's PCI DSS compliance partner, Trustwave, will be hosting a free webinar on overcoming the barriers to PCI DSS compliance. 

During this webinar, a Trustwave expert will review the PCI DSS requirements, outline the common barriers to compliance, and provide best practices for overcoming these obstacles. Smaller merchants and those who are just beginning the compliance cycle will find this webinar useful.

You can register for the webinar here.

By Doug

Here is a good article from USA Today about how cybercriminals still consider hotels to be easy targets for credit card information.  The article notes that the larger hotel chains have really begun to increase network security, so it is thought that cybercriminals will increasingly target smaller hotels & motels who may not have their card data environment properly segmented off from the rest of their internal network. 

The article also includes an interview with a computer forensic expert from Trustwave, Wind River Financial's PCI DSS compliance partner.

You can access the article here.

by Doug Buan

Free PCI DSS educational webinars are available on demand at the Trustwave website here.  The webinars were recorded during live sessions as presented by PCI DSS experts.  You can also register to be notified in advance of upcoming live webinars here.

We encourage you to take advantage of this free information to assist you with your PCI DSS compliance efforts.

By Doug Buan