MicroBiz for Windows Security Refresher
October 2015

Given all the recent press on credit card data breaches at major retailers (Target, Lands End, etc.), data security remains a top priority for retailers of all sizes. In light of this, we decided to provide a ‘refresher’ on security best practices using MicroBiz for Windows.

Tip #1: Back-Up MicroBiz Often

While there are several methods for backing up your MicroBiz data, the recommended choice is to run the internal MicroBiz backup program. This is found at MANAGEMENT | CUSTOMIZE | GLOBAL SETTINGS.

Make sure you also know where your Backup Directory is pointing. When the backup is complete, this is where you will find your MicroBiz data. The backup process will actually create a TEMPBAK and a ZIPBACK folder. The ZIPBACK folder is exactly what it sounds like: all your backup files zipped up into a uniquely named backup (e.g., BIZBAK01.ZIP). This method, when done daily, will keep up to 30 days of backups before overwriting a previously created zip file. The TEMPBAK folder or directory contains just the files themselves, unzipped, from the last time the backup process was run. Remember to give us a call before starting the installation or upgrade.
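A backup that has quietly stopped running or that cannot be opened is only discovered when a restore is needed, so it is worth checking the ZIPBACK folder on a schedule. The following Python script is an added example, not part of MicroBiz: it assumes the archives follow the BIZBAK01.ZIP naming shown above, and the script name, the 26-hour freshness threshold and the folder path you pass in are assumptions.

```python
import sys
import time
import zipfile
from pathlib import Path

MAX_AGE_HOURS = 26  # assumption: one backup per day, plus two hours of slack


def find_archives(zipback_dir):
    """Return the BIZBAK*.ZIP files in the folder, oldest first."""
    return sorted(
        (p for p in Path(zipback_dir).iterdir()
         if p.is_file() and p.name.upper().startswith("BIZBAK")
         and p.suffix.upper() == ".ZIP"),
        key=lambda p: p.stat().st_mtime,
    )


def check_zipback(zipback_dir, now=None, max_age_hours=MAX_AGE_HOURS):
    """Return a list of problems; an empty list means the backups look healthy."""
    now = time.time() if now is None else now
    archives = find_archives(zipback_dir)
    if not archives:
        return ["no BIZBAK*.ZIP archives found"]
    problems = []
    # The newest archive must be recent, or the daily backup has stopped running.
    newest = archives[-1]
    age_hours = (now - newest.stat().st_mtime) / 3600
    if age_hours > max_age_hours:
        problems.append(f"newest backup {newest.name} is {age_hours:.0f}h old")
    # Every archive in the rotation must open and pass its CRC checks.
    for archive in archives:
        try:
            with zipfile.ZipFile(archive) as zf:
                if not zf.namelist():
                    problems.append(f"{archive.name} contains no files")
                elif (bad := zf.testzip()) is not None:
                    problems.append(f"{archive.name}: CRC error in {bad}")
        except zipfile.BadZipFile:
            problems.append(f"{archive.name} is not a readable zip")
    return problems


if __name__ == "__main__":
    # Usage (hypothetical script name): python check_zipback.py <ZIPBACK folder>
    found = check_zipback(sys.argv[1])
    print("\n".join(found) if found else "backups OK")
    sys.exit(1 if found else 0)
```

Run it from a scheduled task after the nightly backup; a non-zero exit code means at least one problem was reported.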

Tip #2: No Retention of Credit Card Data
Versions of MicroBiz for Windows earlier than version 12.5 have the ability to retain credit card data. Versions 12.5 and later became PCI compliant by removing the ability to retain credit card data in the system. So, to avoid any exposure to a release of stored card data, please make sure you are running a version of MicroBiz that is 12.5 or later.

Tip #3: Secure Usernames and Passwords
Another recommendation to add security to MicroBiz is to add usernames and passwords for all employees who are using MicroBiz. This can be done through: “Management” – “Add/Edit Password.” You will need to use the “Add” button to add a new user. Enter in the login name and security number. Note that Level 0 is for higher security users (managers) and Level 99 is for lower security users (employees). You will want to create at least one administrator username with security set to 0, meaning they can have access to every function in the program. Make sure you remember your administrator username and password, as MicroBiz Support will not know this information. When you have all employees set up, click on the “Save” button to save your changes.

Tip #4: Maintain Adequate Security Levels
We also recommend that you evaluate your security levels on a regular basis. This can be done through: “Management” – “Edit Security Level.” You will see a list of all of the available functions in MicroBiz. The number for these functions will need to be changed according to the level you have set for your employees in “Add/Edit Password.” It is recommended that you make sure that “Edit Security” and “Add/Edit Password” are both set to level 0 so that only the administrator can make changes to security.

Tip #5: Review Your Transaction Settings
Other functions for transaction-level security can be found in “Management” – “Customize” – “Transaction Settings” – “Security” tab.
1) Validate Clerk’s Initials against employee file? – If this option is checked, MicroBiz will cross-check the initials in “Management” – “Add/Edit Password” with “Management” – “Employee Control.” This option would be recommended if you use the “Time Clock” or “Commission” features in MicroBiz.

2) Carry Security Level Through Initial Sign-on? – If this option is checked, MicroBiz will only prompt you ONCE for username and password when you enter MicroBiz. Based on the security level of the user logged in, MicroBiz will only allow access to functions associated with that user.

3) Always Require Customer at F9 Invoice? – If this option is checked, you MUST have a “F8-Cust” loaded to the Work Screen before completing a sale. The “A.” and “B.” options below will require a “F8-Cust” loaded to the Work Screen based on whether you tender using the “Credit” or “Debit” options.

4) Split Add/Edit Security to Add and Edit – If this option is checked, two new security levels will be added in “Edit Security Level” for “Add Product” and “Edit Product.” By default, the security levels will be set to 0 (highest security). This is a useful option if you want different security levels for both editing and adding products.

Tip #6: Reduce PCI Exposure with Integrated EMV Compliant Payment Processing
In the retail management software market, ‘integrated payment processing’ is defined as having your credit/debit card processing service tightly integrated with your retail point of sale (POS) system.

MicroBiz’s EMV compliant integrated payments solution through OpenEdge uses PCI compliant credit card terminals that securely encrypt credit card data as the card is read by the terminal (swipe, dip, contactless). The encrypted card data is then directly passed to a secure hosted payment gateway maintained by our payment gateway provider – so that unencrypted card data is never transmitted through or retained by your POS system. As a result, your MicroBiz POS system will be compliant with PCI security standards, which mandate that businesses safely encrypt and store PIN numbers, CVV2 numbers and magnetic stripe data.

In addition to reducing financial liability from a breach of credit card data, integrated payment processing can help you reduce costs and improve efficiency. If you currently use a payment processing solution that is not integrated with your store POS system, it may be worth it to re-evaluate the hidden costs of operational inefficiencies of your current set-up and research your new options to see if you can save time and money.

Integrated EMV Processing Options with MicroBiz

The Offer:
Through the end of this year, any MicroBiz for Windows user that opens a new merchant account with Global Payments through its OpenEdge subsidiary will receive a free Ingenico iPP320 EMV payment terminal. These terminals generally sell for $250 to $350!

The Device:
The iPP320 is a compact, lightweight and stylish payment terminal that plugs directly into a POS system for instant installation and easy integration. The iPP320 accepts all forms of electronic payment, including contactless, EMV, and mobile (NFC). The unit is fully EMV and PCI PTS V2 and V3 certified and features a large, backlit keypad and crisp LCD display to make PIN entry and option selection easy. It supports end-to-end encryption technologies to protect sensitive cardholder data throughout the entire transaction.

Interested? We suggest contacting OpenEdge as soon as possible, as there is currently a backlog given the October 1st deadline. If you do not currently process through Global Payments using OpenEdge or XCharge, you will need to open a merchant account through OpenEdge. Certain terms and conditions apply to the free terminal offering. Please contact OpenEdge at [email protected]. When submitting a request to OpenEdge, please indicate that you are a MicroBiz user and include your:
– Company Name
– Contact Name
– Address
– City, State, Zip
– Phone Number and Email

Debunking EMV Payment Myths

A lot has been written about the ongoing transition from magnetic stripe to chip cards, and in spite of best efforts to communicate “just the facts,” a few misunderstandings have surfaced. In our discussion with our customers on payment options, we have heard a few ‘myths’ about EMV requirements and the liability to merchants. We have tried to debunk these EMV myths below.

Myth #1. Anyone who accepts card-present transactions must upgrade to chip technology.
There is no mandate forcing businesses accepting in-person (or card-present) transactions to adopt chip enabled terminals and other technology. However, there is a risk. If you accept a chip card transaction (by swiping the magnetic stripe on the back of a chip card), and the transaction turns out to be fraudulent, you will be liable for all costs and fines associated with the transaction. The October 1st Liability Shift transferred liability from credit card issuers to the party that is least chip enabled in the event of a fraudulent chip card transaction. In most cases this is the retailer with the magnetic stripe reader.

Myth #2. If I didn’t upgrade to a chip card terminal by the October 1st liability shift deadline, I won’t be able to accept card transactions.
Not true. The liability shift deadline did not render all non-chip-enabled terminals inoperable. Your non-chip-enabled terminal still works and you can accept card transactions with it, as long as you are comfortable assuming the added risk.

Myth #3. Transitioning to chip cards doesn’t reduce fraud.
The fact is, EMV has been a tremendous success in preventing fraud around the world. Wherever EMV is implemented comprehensively, fraud is reduced. Regularly published fraud statistics from many national banking and regulatory authorities (France, UK and Canada) prove the point. EMV reduces counterfeit and lost and stolen fraud in card-present POS applications, and provides strong, dynamic cardholder authentication in card-not-present (CNP) scenarios.

Myth #4. EMV is not secure enough.
As a matter of fact, EMV is based on strong cryptography and elaborate key management; a fundamental EMV principle is to digitally sign payment data to ensure transaction integrity. As opposed to magnetic stripe technology, a chip is extremely difficult to copy, spoof or crack. Using an EMV card with PIN verification makes it even more secure. Although EMV has been heavily scrutinized by criminals and academics, there have been no reported real-life, in-market breaks of chip card technology.

Myth #5. EMV is already outdated and of no use in a world moving to mobile and contactless payments.
Not true. Ever since the first EMV implementation nearly a decade ago, EMV specifications have been continuously monitored by EMVCo and other chip card stakeholders and updated to meet the changing needs of the payment industry. And, most mobile and contactless payments are based on EMV specifications.

Myth #6. The business case for upgrading to EMV in the U.S. is not positive; the benefits do not outweigh the costs.
False. The cost of fraud in the U.S. continues to rise, not only the direct cost of lost goods and services, but the additional costs associated with protecting against fraud and cleaning up after an incident. For example, in the wake of recent well-known data breaches, millions of cards had to be reissued, and customer service costs for issuers and merchants increased. The cost of issuing new chip cards and payment terminals is much lower than it was five years ago. In a regulated environment, these fraud savings will be passed on to end user merchants over time. So the fact is that it is economically positive for both processors and retail businesses to make the switch.