In This Issue
Tips for Safe Online Holiday Shopping
Holiday Shopping Experience
Data Security Alert
Upcoming ProPay Events

The holiday season is upon us, and that means increased business, busy storefronts, and long lines. Shoppers will be searching for the best deals and must remain aware of the dangers in saving a few dollars. ProPay's experts provide a few holiday tips on protecting yourself and keeping your card data secure.

While consumer purchasing will be increasing, the legal side of data security has been initiating new standards.  ProPay's legal counsel will explain the new Washington State Data Security Law.
Understanding payment security can, at times, seem like a daunting task. Our Resource Center can help you learn what you need to know about PCI DSS and fraud, and you can even read some of ProPay's white papers there.
As always, we hope that the information provided in this newsletter is helpful.  Please feel free to forward this to anyone that you feel may be interested. 

The ProPay Team
Tips for Safe Online Holiday Shopping
by Lance Rich, Exec. Vice President, Risk Management
The holiday season is upon us and many of us have started to make our lists for holiday gifts. According to Zoomerang, the online survey company, 64% of consumers will conduct all or some of their retail purchases online. Unfortunately, it's also a lucrative season for fraudsters, who use the jump in online traffic to illegally obtain the identities of unsuspecting online shoppers. To help, ProPay has provided some easy security tips to help customers remain safer while shopping online during the holidays.

Be Leery of Phishing. Consumers can't be expected to identify every advanced trend in phishing, but they can be aware of common red flags that could signify a potential phishing attack, which may include suspicious URLs, misspellings, and urgent requests for banking or personal information.

The SSL Standard. Secure Sockets Layer, more commonly known as SSL, helps ensure that Internet transmissions are encrypted and the identity of the organization has been verified. Consumers can verify if a site uses SSL via the "https://" in the address bar instead of the standard "http" format. Merchants will display the site seal of their SSL certificate provider either on their home page or during the checkout process. Take it a step further by clicking on the site seal to ensure it's legitimate. Verify that the date and name of the organization are consistent with the site you're visiting.

Trust your Gut. Tempting offers often arrive in your e-mail inbox. If something looks out of place, don't click on the links, especially if they're not from a vendor or organization you currently have a relationship with. Instead, navigate to the site yourself to validate the offer from the organization.

Update your Browser. Make sure you're using the most up-to-date version of browsers from Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari. They all feature more advanced anti-phishing tools, helping make it even easier for you to stay safe. A computer should always have the most recent updates installed for spam filters, anti-virus and anti-spyware software, and a secure firewall.

Pay With a Credit Card. Card brand rules allow the shopper to dispute charges if he or she doesn't receive the item. Shoppers also have dispute rights if there are unauthorized charges on their credit card. Many card issuers have "zero liability" policies under which the card holder pays nothing if someone steals the credit card number and uses it. Most online retailers will require the three-digit Card Verification Value from the back of your credit card. If they don't, think twice about completing the purchase.

Public Computer Use. Whenever possible, it's best to avoid online transactions when connected to a public Wi-Fi, particularly if it's unsecured. You never know who could be listening. If you do use a public computer, log out of any Web session that stores personal account or banking information. This simple practice is critical.

Monitor Your Account. While it's a good habit to keep an eye on your banking account throughout the year, take a closer look during the holiday season, particularly after purchasing products online. If your identity or account has been compromised, you may be able to limit fraud loss if it's caught early.

By incorporating these simple and easy steps you can enjoy a less stressful holiday shopping season and experience. Your friends at ProPay wish you luck with your business as well as a safe and joyful holiday season.

Have a Safe Holiday Shopping Experience

by Chris Mark, Exec. Vice President, Data Security and Compliance

ID thieves are on the prowl during the holiday shopping season. Skimmers hit restaurants and thieves hit shopping outlets waiting for consumers to make a mistake.  Here are some tips and tricks to help you have a safer holiday shopping experience.


Plastic...not paper!  Leave the checkbook and pay with plastic.  All of the major card brands have 'zero' liability clauses and federal law limits your liability to $50 on credit card purchases.  The information from your check is valuable for data thieves and it can be very difficult for you to get your money back.


Take only what you need.  Don't take your social security card, checkbook, and other valuables shopping with you. Data thieves break into cars looking for purses and bags left behind.  


Login and check up!  Review your credit card statements online to look for any suspicious activity.  If found, report it immediately. 


Don't talk to strangers!  During the holiday season ID thieves are at their bravest, often trying to capitalize on the giving spirit of the season.  Don't offer your credit card number (or other information) over the phone to anyone who calls.  If it is a charity, ask them to send you the information via mail, or donate directly on their website.


Visit friends and family!  Shop with known or trusted online vendors.  Using an unknown site to save a few dollars may cost you more in the long run.


Use the Pen not the PIN!  Although it may seem safer to use your PIN for transactions, in reality you may be exposed to more risk.  Skimming is an issue over the holidays and criminals love to get their hands on PINs.  PINs provide the merchant with more assurance that the transaction is legitimate, but often cardholders do not have the same protections as with signature-based transactions.  Check your particular card if unsure, but it does not cost you more to sign for the transaction and your PIN will remain safely in your own head.


Have a happy shopping experience!

Data Security Alert - Washington State New Data Security Law - Effective July 1, 2010

by Tony Allen, Exec. Vice President, Corporate Counsel

Merchants and service providers focusing on enhancements to the PCI DSS standard as articulated by the PCI Security Standards Council must now also consider the impact on their business of state laws that incorporate all or a portion of the PCI DSS.  Washington is the third state to codify a portion of PCI DSS.  Minnesota's 2007 Plastic Card Security Act adopted portions of the PCI DSS, and Nevada's statutory amendments, effective January 1, 2010, require companies doing business in Nevada that accept credit card payments to comply with the PCI DSS in its entirety.


In summary, Washington's new law applies to businesses, processors and vendors, all of which are defined terms.  A "business" is an entity "that processes more than 6 million credit and debit card transactions annually, and who provides, or offers, or sells goods or services" to Washington residents.  A "processor" is an entity "that directly processes or transmits account information for or on behalf of another person as part of a payment processing service."  A "vendor" is an entity "that manufactures and sells software or equipment that is designed to process, transmit, or store account information or that maintains account information that it does not own."


Businesses and processors that fail to "take reasonable care to guard against unauthorized access" to account information in their possession or control are liable to a financial institution, where that failure is found to be the proximate cause of a breach in which account information is compromised, for "reimbursement of reasonable actual costs related to the reissuance of credit and debit cards" incurred by the financial institution in efforts to mitigate current or future damages to its cardholders.  A vendor is liable to a financial institution for the same damages, to the extent that the damages were proximately caused by the vendor's negligence, unless the claim is limited by another law or by contract.


"Account Information" is defined as: (i) the full, unencrypted magnetic stripe of a credit or debit card; (ii) the full, unencrypted account information contained on an identification device; or (iii) the unencrypted primary account number on a credit or debit card or identification device, together with an unencrypted cardholder name, expiration date, or service code.  An "identification device" is "an item that uses radio frequency identification technology or facial recognition technology."


A "breach," for purposes of the law, has the same meaning as defined under Washington's security breach notification law: the unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a business.  "Personal information" as defined in Washington's breach notification statute is an individual's name together with any of the following elements when both the name and the element are unencrypted: (i) Social Security number, (ii) driver's license number or Washington identification card number, or (iii) account number, credit card number, or debit card number, together with any required security code, access code, or password permitting access to an individual's financial account.


Washington's law specifically exempts entities from liability if the account information was encrypted at the time of the breach or if the business was "certified compliant with the payment card industry data security standards" in effect at the time of the breach.  A business will be considered "compliant" if its PCI DSS compliance was validated by an annual security assessment that took place no more than one year prior to the breach.


Other states currently considering such legislation include California, Texas, Connecticut, New Jersey and Massachusetts.  State laws are part of a growing trend toward greater specificity and increased burdens and risk for businesses in the area of data security and are another compelling reason for your business to consider ProPay's ProtectPay solution.  If you have questions or desire more information contact:

ProPay Happenings

ProPay Resource Center - a valuable tool for understanding payment security 


Do you ever feel overwhelmed trying to understand all the things you need to know about payment security? From understanding PCI to the actual protection of sensitive payment data, this can certainly be a daunting task. At ProPay, we're working to simplify this for you. When we launched our new website design back in August, we created a section called the Resource Center. Here, you will find copies of past newsletters, whitepapers, datasheets, use cases, PCI DSS information, information about fraud and other helpful industry links. Whether you're a small business or a large enterprise customer, the information contained in our Resource Center will provide valuable insight into payment security. In particular, you will find the ProPay whitepapers invaluable. They have been authored by both Chris and Heather Mark, recognized experts in the payments industry who joined ProPay earlier this year. You'll find Use Cases so you can see how other companies are using ProPay solutions to achieve compliance and protect sensitive data. If you have questions, feel free to call the toll-free ProPay Fraud Hotline. All of these tools exist for your benefit.


ProPay is committed to updating this content to ensure its relevance. Take a tour of the ProPay Resource Center today and let us help you get up to speed on payment security.

DISCLAIMER:  ProPay, Inc. provides this newsletter only for general information or educational purposes.  Nothing herein should be relied upon without seeking the advice of an attorney or other professional appropriate to the subject matter.  While ProPay, Inc. strives to ensure information in this newsletter is accurate and current, ProPay, Inc. does not guarantee or represent that the information is correct, complete, or up-to-date; nor shall ProPay, Inc. be liable for any indirect, incidental or consequential damages (including lost data, information or profits) sustained or incurred in connection with the use of, operation of, or reliance upon any information contained in this newsletter.