Monday, April 16, 2018

Merchant Services 101: Part II

PCI Compliance: What is it and why does it matter?

By Guest Blogger: Cheryl Donahue

Editor's Note: Dealing with merchant card service providers in business can be costly. That’s why I invited Cheryl Donahue to guest blog and provide insight to help save us some $$$$. This is part two of her three part series.

Whenever a merchant processes, stores or transmits cardholder data, they are claiming responsibility for protecting that information. Failure to properly secure sensitive information can result in costly fines, audit costs, restrictions or worse should an actual breach occur. To ensure businesses are kept accountable, and consumer information safe, credit card companies such as Visa, MasterCard and Discover, created PCIDSS, or Payment Card Industry Data Security Standards, herein referred to as PCI. Yet, most merchants have zero knowledge of PCI requirements, how determine if they are compliant or whether they are being charged for any non-compliance.

The PCI requirement consists of 12 steps ensuring policies, procedures, training and security measures are in place for consumer & merchant privacy and protection alike. To further this goal, all systems used to transmit data must be secure and all members must know how to safely handle patient credit card information. The ramifications of breaching any patient information are not only damaging to the patient, but also to the practice.

A lesser known requirement is the Self-Assessment Questionnaire (SAQ) of all practices accepting credit cards from patients. Additionally, for those practices utilizing a card swipe or terminal that transmits information via the internet (certainly everyone who integrates their patient payments with their practice management software) Quarterly Vulnerability Scans must also be performed in most cases.

Many reading this may be thinking, “Why have I never heard of this before? It certainly seems important!” 

And it certainly is.


However, most merchant providers do not take a proactive approach in notifying a practice that is not PCI Compliant, leaving the practice ignorant and open for penalty. In fact, 40% of the statements analyzed at Merchant Advocate show a fine for non-compliance. How could that be? My theory is, and I have been in the merchant industry for 20 years, that processors make a lot of money when their clients are not compliant, eliminating any motivation for them to shut off that revenue stream. Many processors charge between $20 and $60 dollars EACH MONTH for non-compliance. Think of how much revenue that produces! The worst case I have run across was a practice being charged $175 every month for over two years.

How to determine your compliance. 
Gather three consecutive, current monthly merchant statements and look towards the end of the statement. Find the section that contains line items like monthly statement fee, batch fees, FANF fee, etc., this is generally where a fine for non-compliance can be found. 

Here are some of the descriptions for this non-compliance fine:


     Non-Receipt of PCI Validation
     PCI Non-Validation
     PCI Non-Compliance Fee
     Quarterly PCI Non-Validation 

What to do if you are non-compliant. 
Call the merchant processor and request they send your credentials for PCI compliance. All processors contract with a PCI vendor, a company that has been certified by the PCI Council to determine compliance for businesses accepting credit cards. This company will have a website and your practice will have a login and password to access that site and complete your PCI requirements. 

Now, it gets even more confusing! The Self-Assessment Questionnaire (SAQ) can quickly bring on a headache, but there is help available. The company contracted with a processor to provide PCI typically has a support team to help navigate the process. If a practice requires a Quarterly Vulnerability Scan (QVS), the IT firm should be able to help, if not it may be time to find a new IT firm. If they have no idea what a QVS is, that’s a bad sign. An IT firm should be well versed in the PCI process and have trained staff readily available for assistance. A failed QVS could be a sign of an insecure network, leaving consumer information open for hacking. If a QVS fails, the IT firm should download the scan report, mitigate the vulnerabilities, inform the client of its completion and conduct another scan. A completed SAQ and a passed QVS (if required) are both needed to achieve compliance and avoid any unnecessary fees.

Why you should get compliant. 
Yes, at first glance, this may seem like a lot of work for a small amount of payoff. Recently, I had a dentist tell me that for a charge of $39 per month he felt it wasn’t worth his office manager’s time to go through the process. It’s important to note that he is a Merchant Advocate client and I was going to help his OM navigate the entire process. Here’s my two cents on why a dental practice ABSOLUTELY should take the time to achieve PCI Compliance. 

Fines for not being PCI Compliant can quickly skyrocket. The cost of an average breach in a regulated industry (dental practices are regulated) is $155 per record. How many patient records do you have? It adds up pretty fast, doesn’t it?

PCI and HIPAA overlap. The HIPAA Security Rule requires secure patient data, including credit card information. PCI requires secure credit card data. If a breach occurs, it’s double trouble. Medical/Healthcare breaches are the second largest category of breaches. The top two cyber-crimes are identity theft and credit card theft. Basically, a dental practice is a gold mine for cyber thieves.

PCI and HIPAA also have common requirements of poli
cies, procedures and training. PCI requires policies address staff procedures, network security, data privacy, the use of electronic mail and texting, internet and paper acceptable uses. That sounds a lot like the requirements of the HIPAA Security Rule. The Security Rule recommends a penetration test of your network, while PCI requires a vulnerability scan. If your QVS passes, meaning you don’t have vulnerabilities, it is likely your network is also secure from outside hackers.

To sum up, PCI Compliance should be taken seriously by all dental practices. Not does it protect patients, it protects the reputation and jobs of the staff, as well as the very future of the practice.

Cheryl Donahue is the Director of New Business at Merchant Advocate. Founded in 2007, Merchant Advocate is the trusted source in merchant services, providing fairness and transparency in the unregulated credit card processing industry.  We provide exceptional results and increase bottom lines by protecting our customers from unfair rates, fees and hidden costs.

You may contact Cheryl with questions or to receive a free analysis on your merchant statement by emailing her at cdonahue@merchantadvocate.com or calling 720-526-5318

Wednesday, April 11, 2018

DATA MINING, BREACHES, PRIVACY – OH NO!

Three Silicon Valley CEOs have finally stated the obvious that millions have yet to grasp.

In a news clip on CBS This Morning, three Silicon Valley CEOs agreed 
that data was the most valuable resource on the planet.

In the clip, the speakers talk about surveillance capitalism: gathering as much information as possible of every user on the internet, which is “being used to not only watch people, but influence them, predict what they are going to do, and change what they are going to do.”

The CEO’s go on to state, “by 2025, the number of interactions we may have to connected devices could jump from a few hundred today to 4,800.”

Our privacy is at stake. Data mining is invariably the cause of large-scale breaches happening at alarming rates.

Where did data mining begin?

Let’s blame it on ancient civilizations. From

the Romans and Grecians to the Chinese and Israeli, governments have been carrying out censuses to keep record of how many males and females lived in a household and how many of those males were of fighting age.
Tax collecting also enabled for determining data to create taxes on foreigners, oil,
wartime expenses, imports & exports, sales, etc.

Data mining is nothing new, but the accessibility of information has never been more wide spread. Let’s take Facebook, for example, since it is a hot topic.

Did you know data is gathered from the commercial, paid advertisements you like or share, as well as the articles and videos you click?

While all those clicks count for a lot, the biggest data mining pull is from the “let’s get to know each other” posts that pop up all over Facebook. These seemingly harmless, fun entertainment posts between “friends” are wolves in sheep’s clothing. Don’t trust them. The companies that host these tell-all’s gather and store every last response. Some of those answers can even be matched with information sold on the dark web in the financial breaches.

Do I sound paranoid? Fine, then I sound paranoid. But I am simply amazed at how willing some are to hand over their private information that will inevitably be used to their detriment.

I particularly loved one post on Facebook this morning: “How old will you be by 2060?” By choosing a random future year, the one posting could then determine the birth year of the responder. I found this to be exceptionally creepy that a date closer to the average Facebook user’s age was not chosen. Think about it. If you are 25, then you were born in 1993. The age the 25 year old would be in 2060 is 67. A 15 year old would be 57. Who is this post targeting?

If your Facebook Privacy Settings are not strong, everyone is able to see your birth month, day and year. So, what was the end-game of the above post? To gain information and thousands complied by responding.

Here are my own personal Facebook rules:

1. Screen Friend Requests. The meaning of friend is “a person whom one knows and with whom one has a bond of mutual affection.” I get many friend requests, but if I don’t know you, have not shared a meal with you, or even had a conversation with you, we really are not friends. I truly use my Facebook to keep up with my friends in the midst of a busy life.

2. Limit face time. I self-impose the amount of time I waste on Facebook. It can suck me in if I don’t. The NY Times posted an article two years ago that said the average user spends almost an hour every day on Facebook. I think it may be more now.

3. Hit Unfollow. I have Unfollowed many Facebook friends. The ones who post pictures of themselves every day, the ones that only repost or share other posts (aka no original content), the ones who rant politically, the ones that use their personal Facebook page for business, the list goes on. I do not, however, unfriend them completely. While I may not want to see their posts in my newsfeed every day, they are still my friends; and I will go to their Facebook page to check in on them. I “subscribed” to Facebook to hear their hearts and see how they are doing. Period.

4. Avoid Ads. Subsequently, I actively will NOT like, view or share commercial posts shared by friends. Zephora Digital Marketing had some very compelling statisticsNumber 5 states, “On average, the Like and Share Buttons are viewed across almost 10 million websites daily.” I choose to be one less viewed.

5. No Sharing. In fact, I will be the fact checker of anything anyone reposts. Snopes.com is a great resource for those entirely mindless, missing or too-stupid-to-believe articles that get shared.

I mentioned the article from Zephoria above but it had some amazing

statistics: The Top 20 Valuable Facebook Statistics. A few really stood out initially and after I typed rule 5 above, so I did a little deeper reading.

I loved number 12, stating there are a whopping 83 million fake profiles. Some of those are from people who do not implement their security controls and post they have been “hacked.” No, they were not hacked they were spoofed. It has nothing to do with passwords and everything to do with the fact their personal security has not been implemented.

Zephoria also states the average time spent per Facebook visit is 20 minutes, but I disagreed so strongly that I did some fact checking. The Infodocket article it is quoting from is 2014 – that’s data from four years ago – and everyone is still quoting it.

Hmm. Then I went back and checked the 83 million fake profile source. Guess what? That data was from CNN in 2012 and the source actually stated it they were either fake or a duplicate accounts. Well, it appears that the information is not always accurate – but it’s on the internet, so it must be true, right?

Curious now, I went back to the source of number five on Zephoria’s list. This one was from Facebook, but also from 2014.

Now, back to my original story line. I am old enough to remember that “big brother” is watching and listening. Compare now to the 70’s? The 70s was just a line used by some over hyper, completely paranoid hippies. But now? Guess I am willing to say the spy net has grown incrementally pass it being only big brother watching and listening. However, there is much we do on a daily basis that could prevent our personal information being shared over a compromised network.

On any online fill in the blank, I only answer the required fields, usually marked with an asterisk. My response to anything online now is typically, “Do I have to?” For instance, if you are responding to a “free” site, how is it that it remains free? Someone is getting something, somewhere. And that something is most likely you.

In regards to Facebook:




Want to know about your Facebook Ad preferences?

Nothing in your Facebooks profile should be Public, unless of course, that is the point of your Facebook page. Check to see which applications have access to what data. These options are all under your Facebook Profile Settings.

Be smart. Think before clicking. Tighten your security controls. Now more than ever, there is no excuse to remain ignorant and this is an area for which you do not want to remain complacent.

Monday, April 2, 2018

ANOTHER data breach



5 Million Credit and Debit Cards Are For Sale. The average internet consumer will not participate in this sale, but if you shop on the dark web, you could.
This data breach, sponsored by Saks and Lord & Taylor customers, is a result of a mafia hacker group known as Joker's Stash. The group was also behind the Whole Food, Chipotle and Trump Hotel breach.
Though not yet confirmed, some news sources are speculating, a particular talent of theirs, that an employee clicked on a phishing email and opened an executable file, which is akin to holding the server's door open for the hackers and rolling out the red carpet. This type of hack happens too often to too many.
There are two aspects of this breach that must be addressed:
Debit Cards. Do not use your debit cards for retail, restaurants or internet purchases. I personally do not even use my debit card any longer. A debit card is the gateway to your bank account. Some banks are offering purchase protection in case of a breach, but it is not worth the time it will take to untangle the mess it will create. Use your debit card at your own high risk.
Employees and emails in your business. The beauty of an email service, such as Google, is that the email service does not download to the accessing computer. The hacking risk is greater if your business downloads emails to the computers using a software program such as Outlook. All the security implementation installed cannot prevent an unsuspecting employee from clicking a virus contained or phishing email. Phishing emails are often branded, looking like a reputable company with matching logo – a bank, an insurance company, a business. 
The email will often say you need to change your password, update your information or something else that compels you to urgent action – fear based. Their goal is your logins and passwords. Some links will even lead you to what looks like the “bank’s” valid website. Do not be fooled. Again, the goal is to obtain your logins and passwords. They will do what they can to obtain that information. Then when they have access through what you have provided them, they can wreak havoc [enter stage right - Saks and Lord & Taylor.]
Never, and I mean never, click on email links or open any attachments from senders you do not know. And never assume the sender is the true “sender.” If you have an account at the “sender’s” business, go to their main website to see if it states you need to update any information.
For reference, I once received an email from “Paypal,” and while it looked legitimate, I called Paypal to confirm. Surprisingly, it was actually them. I then I asked what insane person at Paypal thought it would be a good idea to send emails to confirm personal information in the phishing email world we live in. I have not gotten another email from them since.
Update your anti-virus, anti-spyware, filters and firewalls/vpns and update your employees as well – never ever assume your employees know about phishing emails and how dangerous they can be.  
Beware of pop-up warnings on your computers or smart devices that state you have a virus. Do NOT click on anything. Close the window and move on. It might also be a good idea to run anti-virus and anti-spyware programs for peace of mind.
Speaking of anti-virus and anti-spyware software, they're not running at their best if they're not routinely updated. Setting the software to automatically download and update will provide you maximum protection for all software. This also includes your QuickBooks software. Some of the updates are security enhancements to keep your data protected. Click Install Now when you see that message.
Welcome to the Information Age was March’s eNewsletter and it contains a plethora of information for you and your business. I will keep writing about ways to protect your business and yourself but it is up to you to implement!

Monday, March 26, 2018

Step Away From the Intensity of Caregiving


On March 21st, 9-1-1, a new show on FOX, aired the latest episode, “A Whole New You.” There has been a compelling story line into the trials and tribulations of family caregiving. In fact, that is the story line that drew me into the show.
Abby, one of the show’s protagonists, is a caregiver for her mother, Patricia Clark, who has Alzheimer’s. The scenes between mother and daughter portray the difficult, 24/7 emotional battle that is homecare. Viewers are given a brief glimpse into the unexpected outcomes of caregiving; how it doesn’t matter if you had prior plans when you are needed, how anything can happen at any time, and how emotionally draining and life altering an experience it really is. 
In the previous episode “Trapped,” Patricia lashes out and delivers Abby a slap so unexpected, even the audience could feel its sting. The scene cuts particularly close to the intensity and depth of hurt that inevitably happens when caring for our aging loved ones. That episode ends with Abby finding her mother passed away in the hospital bed she had set up in her own living room. “A Whole New You” picks up that story line as Abby is left to grapple with the powerful force of grief and the fog that follows.
At the end of the episode, in an emotionally raw moment, Abby states, “I no longer know who I am.” I paused the scene and revisited the emotion I felt when my Mom died. A few deep breaths later, I realized how much Abby’s pain resonated with me and my sixteen years of caregiving. This great script writing has to be from someone who experienced caregiving and the acting excellently portrays the raw emotions. 
A Caregiver is truly who I became. The longer the job went on, the more it consumed every facet of my life, while my old self slowly faded away. Then, suddenly when my primary focus of caregiving was complete, it was final. Planning around doctor visits, declining friend’s invites, overseeing my parent’s calendars more than my own and in the blink of an eye it all became non-existent. My main purpose of life left me like Abby - I no longer knew who I was. It was the intensity of a tornado and its sudden end.
March 20th designated seven years since Mom passed away. Caregiving changed me in ways I never imagined. There are bits of myself and things I once enjoyed that are still slow to return. 
My life was severely altered for sixteen years, with the weight of care giving primarily on my shoulders. I was not the same person who entered caregiving that exited that day, though I had put several stakes in the ground, emotional bread crumbs to come back to when caregiving was finished.
Seven years later, life has moved on. Some days are great, while some are not. I believe that is true of most people, regardless of whether caregiving was or is part of their life. Then again, it would be hard for me to gauge.
I do know that seven years later, I still occasionally feel emotional exhaustion. If it is anything like putting on weight, it may be a while until feeling fully refreshed. I make sure to choose activities to aid me along. Digging in dirt working in flower beds, getting my car washed, maintaining a clean house, cleaning out closets and drawers, going to baseball games, enjoying the company of friends over dinner, and laughing as much as possible. Laughing – now, that is refreshingly good for the soul.
In the chapter, “Frustration: Patience is Truly a Virtue,” of my book, Matters of The Heart, I wrote:
“The ballpark is the one place I could go, have a hotdog and a drink, and not think about anything except baseball. It quickly became my refuge from the stresses of caregiving. There are 81 home games every year.  I bet we went to at least 65 home games that first year. It was the one sense of normalcy that I had and I clung to it. They were my outlet – win or lose.
There must be outlets when you are the primary caregiver. One time, I wrote a list of all the things that made me feel good on separate slips of paper and put them in a jar. When I felt overwhelmed, I would pick one.
My favorite was a massage. Another was getting my car washed. Another was sitting outside in the sun. Another was taking a long hot soaking bath with a glass of wine, and nice bubbles or bath salts. Another was burying myself in a favorite fiction author. Another was going to the movie and buying popcorn.”
Like Abby, I did not learn enough about the necessity of stepping away from the intensity more often and was frequently overwhelmed by the angst and heartache that comes with caregiving. I could measure the burden severity, when taking time to step away, by whether I listened to the radio on my seven hour drive to my timeshare condo on North Padre Island. No radio meant I needed the silence. With every mile driven, I was liberated by the thought of all the stress being blown out the window, under the tires, and rolled right over.
If you find yourself in the intensity of caregiving, take opportunities to step away. It took some arranging, but when I stepped away, I did not communicate with home. As caregivers, we are enslaved to our phones. It is often an addiction. It is our emotional lifeline. And, yet, it is more debilitating and detrimental to our lives than we realize. It is an exhausting, emotional reminder of all that entangles us, either consciously or not. Constant accessibility is not always emotionally healthy for anyone.
Step Away. Make it happen for the sake of you! Let everyone know you will not be available. If it is an emergency, use a 9-1-1 text code, but inform everyone who consumes your life that it best be an emergency.
Truly step away – even if just for a day. It does not have to be extravagant. Go to a museum. Drive through the mountains. Get a massage. Hike a trail. Take a chair to a park, have a picnic and listen to the birds.
It is your day – spend it doing something you have always wanted to do, or something you may not have done in a while. It is not the time to grocery shop or run errands. Enjoy your time. In joy, step away.
Warning: The deeper you need to disconnect and step away, the harder it will be. You will be tempted to continue your enslavement with accessibility. That is the addiction entanglement. Speaking from experience, that is not optimizing your much needed break. If I knew the bases were covered, I often put my phone in airplane mode. Sometimes I even recorded a custom voicemail:  “So great to hear from you. Please leave a message but I have stepped away for a few days and will not be returning phone calls until Monday. If this is an emergency, please call _____. Thanks!”
Abby recognized the necessity of stepping away before it affected one specific valued relationship. The intensity of caregiving affects all our relationships, not just the one being cared for.  If it changes us, it is a given that it will change all our relationships with others.
Stepping away is connecting with the “you” that you enjoyed before the intensity of caregiving. Stepping away is at best a self-preservation mode, preserving you, your sanity, your relationships, your attitude, your life, et al.
Stepping away is an art-form worth learning.   
If you want to read more about my dealings with Matters of The Heart, you can find my book here.