Category: E-commerce


Wireless terminal to process payments

October 7th, 2011 — 8:00pm

If you are a mobile merchant – that is, you often set up a booth to sell your wares, or collect payments from clients while on the road, then having a solution to take credit card payments might appeal to you.  CDG Commerce offers just the thing you need – a wireless terminal.  Take a look:

CDG's wireless credit card terminal

CDG Commerce is known for providing a low cost processing solution, and this is no different.  The wireless access is $20 / month, and the merchant account is an additional $10 (which includes a web virtual terminal, and ecommerce capabilities).  If you are looking for low cost processing, this is it!

You can read more and apply for the service here.


A new way to Pay?

September 20th, 2011 — 11:14am

Google launched its “wallet service” as described here:
Google Wallet Rings Up Visa, Amex, Discover as Partners

This is an interesting way to pay for items, but it does require merchants to sign up and have specialized hardware at their registers.  I understand the appeal of these kinds of systems, but I’m wondering if they will really take off.

Here’s my question – does this really make it easier to pay for things?  The current system of pulling out your “real” wallet, swiping a card, and signing a piece of paper is pretty painless right now.  I suppose this reduces some security concerns, but it does add more management tasks for the consumer – funding the account, keeping card information updated online, etc.   Also, you need a phone that supports it – which many people still do not have.  Most people have pockets or purses, which is all you need to carry a “real” wallet.

It’ll be interesting to see how it goes – the current pay system is pretty well entrenched, and convenient, so I think it will be hard to displace.


Have you registered your ‘Doppelganger’ domains?

September 12th, 2011 — 11:15am

Here’s an article describing the use of so-called ‘Doppelganger’ domains to intercept and steal information:
Researchers steal 20GB of corporate emails via doppelganger domains

Essentially, by taking advantage of typos, the researchers were able to intercept corporate emails, many containing sensitive information.  This is similar to someone registering a misspelled domain to grab free web traffic and show advertising.  However, the email intercept puts a new twist on it.

Here’s the reason – you can intercept mis-typed emails “silently” – either discard them, or forward them on to the real intended recipient.  Nobody can tell what you are doing with the information you glean.  The sender / recipient may never realize the email was misdirected.

For example, suppose your domain is abc.com and your division in Germany uses “de.abc.com”.  I email my colleague overseas at “joe@de.abc.com”, but I mistype the address as “joe@deabc.com”, leaving out the dot.

Now, if some nefarious person has registered “deabc.com” and set up a mailserver there to accept all incoming email, they have just intercepted that email.  If that email contained any passwords, or company secrets, well, it could be very damaging to the company.  Keep in mind that an external customer emailing a sales rep would be susceptible to the same mistake.

So, is your company at risk for this kind of attack?  If so, you should consider registering these alternate domains, and checking into any doppelganger domains that were already registered.
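As an added example (not from the original post or the cited research), the Python sketch below derives the missing-dot doppelganger domains for a list of subdomains and flags outbound recipients that landed on one. The subdomain list, the Postfix-style log lines and the `to=<...>` field layout are constructed assumptions for illustration.

```python
import re

def doppelgangers(subdomains, registrable):
    """Return {lookalike_domain: real_subdomain} for missing-dot typos."""
    registrable = registrable.lower().strip(".")
    suffix = "." + registrable
    found = {}
    for fqdn in subdomains:
        fqdn = fqdn.lower().strip(".")
        if not fqdn.endswith(suffix):
            continue  # not a subdomain of the domain we are protecting
        # Only the label next to the registrable domain matters:
        # mail.de.abc.com mistyped as mail.deabc.com lands under deabc.com.
        label = fqdn[: -len(suffix)].rsplit(".", 1)[-1]
        found[label + registrable] = label + suffix
    return found

TO_FIELD = re.compile(r"to=<([^>\s]+)>")

def misdirected(log_lines, lookalikes):
    """Return (recipient, intended_domain) for mail sent to a lookalike."""
    hits = []
    for line in log_lines:
        for addr in TO_FIELD.findall(line):
            domain = addr.rsplit("@", 1)[-1].lower()
            for fake, real in lookalikes.items():
                if domain == fake or domain.endswith("." + fake):
                    hits.append((addr, real))
    return hits

# Constructed sample inputs (not real hosts or real log data).
SUBDOMAINS = ["de.abc.com", "mail.de.abc.com", "us.abc.com", "www.example.org"]
LOG = [
    "Sep 12 11:02:01 mx1 postfix/smtp[101]: A1: to=<joe@de.abc.com>, status=sent",
    "Sep 12 11:03:17 mx1 postfix/smtp[102]: A2: to=<joe@deabc.com>, status=sent",
    "Sep 12 11:04:40 mx1 postfix/smtp[103]: A3: to=<ann@mail.usabc.com>, status=sent",
]

if __name__ == "__main__":
    lookalikes = doppelgangers(SUBDOMAINS, "abc.com")
    for fake, real in sorted(lookalikes.items()):
        print(f"register or monitor: {fake} (imitates {real})")
    for addr, real in misdirected(LOG, lookalikes):
        print(f"misdirected: {addr} (intended domain {real})")
```

The first function gives the list of domains to register or check ownership of; the second can be run over outbound mail logs to see whether staff are already mistyping addresses.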


The best way to prevent identity theft so far.

September 5th, 2011 — 1:17pm

One overlooked method for preventing identity theft is the “credit freeze.”  Many states allow this now.  Basically, you contact the 3 credit reporting agencies (Experian, TransUnion, Equifax), and request the freeze.  Here’s a link describing what this means.

The main drawback is that you won’t be able to open a new credit line or credit card account without “unfreezing” your account.  So if you don’t need any new credit card accounts, loans, etc., then a credit freeze is a great option.  This prevents the agencies from releasing your credit information, so if someone tries to open an account in your name, it will be denied.

With so many security breaches happening nowadays, simply being careful with your own data is not enough.  Too many organizations (legally) have your data, and their security CAN be breached.  We see the reports every day.  How many breaches go undetected or unreported?


PCI Compliance

August 26th, 2011 — 4:39pm

If you are an online merchant, and you haven’t heard about PCI Compliance yet, you probably will soon.  Credit card companies are slowly pushing online retailers to tighten up their security to reduce fraud.

Maintaining PCI DSS compliance is potentially a huge obstacle for online retailers.  This document provides some links to understand the basics of what you will need to do.  Essentially this requires two main steps: a questionnaire, and an external scan of your server.  Some scanning vendors are providing an “all in one” spot for you to handle both of these requirements.  We’re partnered with ControlScan, which provides this service for $249 / year.

Here are some links that will help you learn more about PCI compliance:

PCI FAQ: Click here – seems like most merchants will be level 4, which means you need to run quarterly scans from an “approved scanning vendor”.

Here’s a short blog post with video that explains PCI DSS.  It explains that this movement is largely to contain fraud, and stem losses being incurred by banks, businesses, and consumers.

Approved Scanning vendors: Click here

At this point it seems like few gateway providers are “pressuring” their merchants to be PCI compliant, which makes sense – the cost of becoming and maintaining compliance will cause many “hobby” merchants to pack it in, or move to a third party payment system (PayPal, Google, etc.), and cancel their merchant accounts altogether.  In the long term, I expect more hosting companies to offer and tout “PCI Compliant” server platforms.  Shopping cart vendors are also moving this way.  However, the burden will always be ultimately on the merchant to prove they are using a compliant setup, so I believe now is the time to get your site moving in that direction.

My recommendation at this point (if you are an online merchant) is to go through the process at least one time, to see how close you are to compliance.  Make changes based on the results to get as close as you reasonably can, then keep the documentation until your provider asks.  Then you’ll have a quicker path to PCI compliance if you are required to be so.
