Monday, September 26, 2011
Network Security for Small Businesses
Posted by SecurityMetrics at 9:06 AM
Labels: business, Business Owner, Hacking, network, scan, Security, Small Business, Vision
Thursday, September 22, 2011
Portfolio Compliance: A Custom Approach
Posted by SecurityMetrics at 12:32 PM
Labels: Acquiring Bank, business, Business Owner, Compliance, Custom, PCI, PCI DSS, PCI Tips/Tricks, Portfolio, Simplify
Monday, September 19, 2011
Is Your Printer an Informant?
- Document scanning to a file. The printer allows access to a scanned file via File Transfer Protocol (FTP) or may copy the file to a network file server. Authentication credentials to that file server are stored by the printer.
- Document scanning to email. Credentials are required to access the local mail server. A local printer may also store email and user addresses.
- Email notification. An address book of internal e-mails may be stored by the printer to enable various types of notification (fax, print job finished, etc.). If this information can be gleaned from the printer, the attacker now knows more than he should about internal e-mails.
- A remote administration portal, usually an embedded web server, can be reached from the network where the printer resides or even from the Internet. System administrators often do not change the default access password for this administration page.
- Change default passwords on printers.
- Develop an update management process to keep printer software and firmware up-to-date.
- Avoid using administrator level usernames and passwords when granting the printer access to network resources.
- Tools like Praeda are used by security professionals to help secure printers. (Note: these same tools are also available to attackers.) You can follow Praeda’s progress at www.foofus.net
Posted by SecurityMetrics at 9:22 AM
Labels: address book, Data Storage, email, Encryption, files, Hacking, IT risk, network, password, printer, scan, Security, security breach, username, Wireless Security
Friday, September 16, 2011
IRS TIN Validation - Explained
What is IRS TIN validation? Where did it come from? What does this government mandate mean for you and your business? Phyllis Richards, VP of Merchant Services Product Management for SunTrust Merchant Services explains IRS TIN validation.
For more details on IRS TIN Matching, visit:
http://blog.securitymetrics.com/2011/07/not-validating-irs-tin-records-may-mean.html
Posted by SecurityMetrics at 12:56 PM
Labels: 6050W, Acquiring Bank, Bank, business, Business Owner, Compliance, government, IRS, mandate, Matching, requirement, SunTrust, tax identification number, TIN, US, Validation
Thursday, July 14, 2011
Maintain Safe Harbor: Check Your Compliance Status
A business that is financially protected from the fines and penalties it would normally incur after a card data breach is said to be in Safe Harbor. To attain Safe Harbor status, a business must validate and maintain full PCI compliance at all times.
Visa defines Safe Harbor as the following:
“Safe Harbor provides members protection from Visa fines and compliance exposure in the event its merchant or service provider experiences a data compromise.”
Computer network and software application weaknesses are discovered by criminals daily. Last October, the PCI standard changed from PCI DSS 1.2 to PCI DSS 2.0 to clarify, expound, and evolve certain requirements in an effort to protect against emerging criminal trends.
Many PCI compliant businesses may not realize PCI validation needs to take place either quarterly, or yearly, depending on how payment cards are processed. Staying current with the PCI standard must be part of a business’ culture to continually prevent theft and fraud. See if your business maintains Safe Harbor by checking your PCI compliance status at your SecurityMetrics account. Visit www.securitymetrics.com/login.adp to sign in.
Posted by SecurityMetrics at 9:12 AM
Labels: Compliance, MasterCard, PCI, PCI DSS, Safe Harbor, Security, security breach, Visa
Wednesday, July 13, 2011
Not Validating IRS TIN Records May Mean 28% Revenue Withholding
When you receive a letter from your merchant processor asking you to validate your Tax Identification Number (TIN) and legal business name, it's important that you do it. If you don’t, the law requires 28% of your credit card transactions to be withheld immediately beginning January 1, 2012.
TIN Matching is a new program set in place by the IRS to ensure merchant tax and business information match IRS records. TIN Matching originated from the Housing and Economic Recovery Act of 2008. The act includes a section that requires acquiring banks to report the gross amount paid to merchants in settlement of payment card transactions to the IRS.
The law also requires the merchant acquiring entity to collect and annually verify the Tax Identification Number (TIN) and the legal business name associated with each number held by their merchants.
SecurityMetrics has established many programs with acquiring banks to streamline the TIN validation process for their merchants. You may be contacted in the future by your merchant processor asking you to validate TIN information at the SecurityMetrics website. The process will take less than 5 minutes to complete, and if you have any questions, SecurityMetrics representatives are available 24/7 at 801.705.5665.
Want more information? Check out our TIN Matching Service website.
Posted by SecurityMetrics at 9:31 AM
Labels: Acquiring Bank, Bank, Business Owner, Compliance, Deadline, IRS, Merchant, Tax
Friday, July 8, 2011
Successful Merchant Portfolios Do Exist
An Interview with Sean Fuery, Director, Business Development
Why do merchants say they’re compliant, even when they’re not?
Most vendors in the merchant security industry offer a technology that gives a merchant the opportunity to go online, register, find out how they’re handling card data, fill out the proper PCI Self-Assessment Questionnaire (SAQ) and if necessary, schedule a scan. What that technology doesn’t take into account is the fact that most merchants just don’t understand the surrounding complexities of PCI. They don’t understand how their card handling practices impact which SAQ they fill out, or whether or not their business must be scanned. In most cases, regardless of the security vendor they’re using, a merchant will begin filling out the SAQ and get to a point where they don’t understand what they’re reading. They can’t give an informed answer because they don’t have the technological expertise.
How does SecurityMetrics remedy merchant PCI confusion?
Our phone representatives take those merchants by the hand and explain what the SAQ questions mean in layman’s terms and how those questions apply to their business. We make sure they understand what their business’ handling practices should be based on the SAQ criteria.
When is a portfolio on the right track?
It’s not enough to get a merchant enrolled in a PCI program. Our ultimate goal is to validate their PCI compliance. The current industry average for PCI penetration within any given portfolio is between 10 and 20 percent. Quite honestly, we consider anything under 50 percent a catastrophic failure. We want a merchant to successfully become PCI compliant because a merchant that fills out an SAQ and passes a scan is going to be less of a target to a hacker. Hackers go after easy targets. Our merchants aren’t easy targets.
What is the secret to merchant portfolio success?
90% compliance. We have partners who have achieved this goal. We honor and support the PCI council in the SAQ questions they have offered; we just make it easier for merchants to understand. The PCI council has set the bar high to ensure merchants are safe. We feel it is our job to help merchants over the bar.
Posted by SecurityMetrics at 8:08 AM
Labels: Compliance, Merchant, PCI, PCI DSS, Portfolio, Security