iTWire - Credit cards and payment systems – the pot of gold in 2017 (2022)

The use of the EMV technical standard for smart payment cards, as with other encryption and token technology at the transaction inception points, will not eliminate the malware threat, a senior official of an endpoint security company says.

Carbon Black's security risk and compliance officer Christopher Strand told iTWire in an interview: "PoS breaches continue to mushroom globally. While there is pressure for full adoption of EMV technology (smart chip and PIN), it is going to take a lot of time to completely roll out to users and endpoints.

"In the interim, common types of malware that use memory scraping on PoS endpoints will continue to gather payment data."

PoS (point-of-sale) breaches last year included a malware breach of Hitachi’s Payment Services Platform that affected up to 3.2 million Visa and MasterCard users in India. Essentially, cyber criminals gained user information over six weeks that allowed them to use fake cards in China.

Last year iTWire spoke to Strand about PoS breaches. This year, he was interviewed again to get an update on the issues.

Q. Is EMV just a part of the solution?

Strand: EMV, as with other encryption and token technology at the transaction inception points, will not eliminate the malware threat. Exploits have continually evolved to find new ways to exploit these systems and steal critical data even with EMV implementations.

Even EMV has been compromised. Even as PoS defences are enhanced, all it does is result in more attacks on other segments of the payment system's entirety (such as eCommerce systems, shared servers, etc.).

Regardless, payment providers must focus on the security posture of their entire infrastructure – there is no replacement for true in-depth, defence coverage throughout the payment systems.

Q. Will attackers continue to target ill-prepared and older PoS systems?

Strand: Continued use of unsupported or unpatched PoS operating systems, especially in developing economies, leaves providers vulnerable to attack – there is a large percentage that are “out of support”, where security patches to fix vulnerabilities are no longer available. These providers are at an increased risk of breaching compliance posture and payment industry regulations.

Many of the PoS malware variants are years old and still work, especially on systems that are poorly patched (zero-day exploits still work), in a state needing upgrades, or that are integrated with other unsupported systems.

Q. Do things like CNP, mobile payments, and e-commerce widen the threat window?

Strand: “Card not present” (CNP) still presents a vast array of threats to organisations. Businesses expect providers to handle these issues, but both must focus on the security posture of their entire infrastructure.

Businesses need to be vigilant and proactive to ensure their security posture is solid across all their sensitive systems and have “defence in depth” throughout their stores, PoS systems, and back-end and corporate systems. They need visibility to respond quickly if something in their payment ecosystem is awry – otherwise, they are just another weak link in the payments chain.

Providers need to unite with the wealth of threat intelligence available in the marketplace. Shared threat intelligence will evolve security posture – no e-commerce vendor should go it alone.

Q. Are increasingly complex regulatory environments presenting new challenges to providers?

Strand: There will be a continued trend of increased regulations, and fines, for payment systems breaches. Many providers who simply consider breaches inevitable and a cost of doing business may find they are now liable.

Most regulations will shift to proactive security. The core requirements will make providers and businesses provide proactive analysis of their systems and give auditors and security managers a real sense of the risk posed by any of the security gaps within the ecosystem. For example, patch management and vulnerability assessment will need to be real-time.

PCI-DSS, with its ever-changing data security needs, is only going to get tougher and require all payment chain links to measure each of their policies and security controls. This is in tandem with many other cyber and data security mandates to holistically address payment security.

Q. Won't increasing awareness of security breaches and how they happened lead to more sophisticated PoS malware?

Strand: Every time there is a PoS breach, cyber criminals get to learn of more of the weaknesses to exploit and malware becomes more sophisticated.

Businesses must embrace the inevitability of cyber attacks and better malware – what you protect against today, will not necessarily work tomorrow. Current PoS malware focuses on different segments of an organisation’s environment, not always the obvious attack vectors and generally harder to detect.

Q. Is the payment card industry under threat?

Strand: Absolutely, but we need e-commerce and e-payment so it is a matter of security evolving faster than the bad guys to maintain confidence in the system. I have mentioned that it is time for all providers to adopt a “you show me yours and vice versa” information sharing to bring some semblance of sense to fighting cyber criminals.

Attack vectors and variants are becoming more innovative and resilient. A good example was the Oracle MICROS, where attackers compromised a customer support portal. Cyber criminals will focus on aging, unsupported, geographically distributed systems, holiday periods when systems are stressed and known vulnerabilities are easier to exploit, or those lacking security controls that provide sufficient visibility. I repeat that aging, unpatched and out-of-support systems still in use are most at risk. PoS vulnerabilities can be a conduit to the greater computing ecosystem.

But with the number of unsupported systems still increasing (either due to cost or convenience or not adopting full EMV), organisations are struggling to apply measurable analytics or frameworks that can help discover security gaps.

As an IT auditor, I have used risk modelling and assessment to measure various attributes of organisations that are under many different types of regulatory scrutiny. Business risk and measurement across IT and security systems are not new concepts!

IT policy, business process, and financial hygiene are often applied against a scorecard to establish qualitative and quantitative proof of compliance. While the concept of measuring cyber security has become a necessary process, it is still complex and those who struggle with it are at increased risk from cyber threats.

Many common frameworks and some regulations have provisions that help measure the effectiveness of security controls – PCI DSS, HIPAA, and other financial security regulations (FFIEC, HKMA).

Kindred organisations have created collective hubs of shared data to better share security intelligence – retail has RILA (Retail Industry Leaders Association), financial services has the FS-ISAC (Financial Services Information Sharing and Analysis Centre) and more.

But the bad guys also share – they are even better at using collective and community intelligence to their advantage.

End-of-life systems are vulnerable, yet these are still widely used in the payments system. XP and XP-embedded are long gone but many PoS systems still run on them! Windows Server 2003 reached its end-of-life last year yet many backends use it. Security gaps and vulnerabilities of these systems are still being discovered!

Q. Can you summarise the issues?

  • Security – unsupported machines create huge vulnerabilities including inadequate denial of service (DoS), buffer overflow and code execution issues. Cyber criminals look for low-hanging fruit.
  • “Out of support” – too many popular POS operating systems are “out of support” – more low hanging fruit.
  • Non-compliance. PCI, HIPAA, or Dodd-Frank and most regulations require vulnerabilities to be patched within 30 days of discovery. It is impossible if patch updates aren’t happening.
  • PII risk. Older versions of operating systems and software make it almost impossible to ensure the confidentiality of critical information such as PII, user data, healthcare records, and credit card information.
  • Audit risk. Outdated systems cannot meet the audit “proof” that information is safe and secure from threats.
  • Unpatchable and outdated systems lead to “zero-day forever scenarios”. There will be no new patches for zero-day attacks – vulnerabilities can never be remediated. Microsoft’s official position is: “Unsupported and unpatched environments are vulnerable to security risks. This may result in an officially recognised control failure by an internal or external audit body, leading to the suspension of certifications, and/or public notification of the organisation’s inability to maintain its systems and customer information.”
  • Breach and data compromise: Malware can access highly confidential information such as patient healthcare records.
  • Financial penalties: Your organisation can be fined for failure to pass compliance audits or for being in a noncompliant state.
  • Damage to or illicit use of your patient healthcare records: A most devastating consequence and one that is difficult to remediate. Your organisation’s public image can suffer from a breach or failure to operate in a compliant state.

Article information

Author: Sen. Emmett Berge

Last Updated: 11/25/2022
