May
19
2015
May 19th, 2015 by Elma Jane

We’re now nearly midway through 2015, and payment security still remains a topic that stirs up great concern and confusion. While there is seemingly unanimous agreement on the need for heightened security, there’s uncertainty about those who are tasked with actually implementing it. Let’s dig deeper into EMV, P2PE and tokenization. How each will play a part in the next generation of securing payments, and how without properly working together they might just fall short.

 

 

Europay, MasterCard, and Visa (EMV) – A powerful guard against credit card skimming. EMV also uses cryptography to create dynamic data for every transaction and relies on an integrated chip embedded into the card.

Downside: For Independent Software Vendor (ISVs), the biggest downside of EMV is the complexity of creating an EMV solution. ISVs interested in certifying PINpads with a few processors face up to 22 months of costly work, and because there are a large number of pending certifications, processors will be backed up over the next few years.

It’s not impossible for an ISV to build EMV solutions in-house, but it’s difficult and unnecessary when there are plug-and-play EMV solutions available. These solutions include pre-packaged and pre-certified APIs that remove most of the need for research, the complexity and the burden of time and cost.

Point to Point Encryption (P2PE) – Secures devices, apps and processes using encrypted data with cryptographic keys only known to the payment company or gateway from the earliest point of the transaction, from tech-savvy criminals, jumping at their chance to intercept POS systems and scrape the memory from Windows machines.

How does a key get into card reader? Through an algorithm called derived unique key per transaction (DUKPT), or “duck putt.” DUKPT generates a base key that’s shared with device manufacturers securely, where output cardholder data is rendered differently each time a card is swiped, making it impossible to reverse engineer the card data. P2PE not only benefits the cardholders, but also the ISVs and merchants. PA-DSS certification was designed to address the problems created with cardholder data which is not encrypted.

Downside: P2PE isn’t cheap if an organization wants to do it in-house. The secure cryptographic device needed to manage the keys, Hardware Security Module (HSM), can cost $30-40,000 but when it’s built out, that total cost can jump to $100,000.

TOKENIZATION – The best way to protect cardholder data when it’s stored is using tokenization, a process which the PCI Security Standards Council describes as one where the primary account number is replaced with a surrogate value a token. For merchants dealing with recurring billing, future payments, loyalty programs and more, tokenization is critical.

Downside: Tokenization doesn’t prevent malware that’s remotely installed on POS devices. It’s possible, as seen with recent retail card breaches, for data to be stolen before it is tokenized. That’s why it’s essential to group tokenization together with P2PE and EMV to offer optimal security.

 

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Sep
19
2014
September 19th, 2014 by Elma Jane

CREDIT CARD NUMBER’S ANATOMY

The numbers on front of a credit card aren’t just random. They give away specific information about the card and where it comes from.

The first 6 digits of the credit card number is the Bank Identification number (BIN). This will tell the name of the credit card issuer.

Example: Travel or entertainment cards, such as American Express  cards, begin with a 3 . All Visa credit cards start with a 4, MasterCard with a 5, and 6 is dedicated to Discover.

The first six digits of the card, including the Bank Identification number, represent the issuer identification number. This identifies the bank that issued the card.

Of course, there’s the personal account number. This is made up of the seventh digit on, everything except the last number on the card.

The final digit on the credit card is known as the check digit or checksum. This number is set by something called the Luhn formula, patented by an IBM scientist in 1960. It’s a formula that uses the numerals in your card’s account number to verify that it’s valid. Various combinations of the card’s digits must ultimately add up to a number divisible by 10.

The formula is mostly used to protect against input errors. Let’s say you enter in the wrong numbers on an online shopping site. The formula will compute that the digits don’t add up right, telling you you’ve entered an invalid card number. That last digit of your credit card makes sure the formula works like it’s supposed to.

Now you know that there’s a lot of information on that little card in the wallet.

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , ,

Sep
16
2014
September 16th, 2014 by Elma Jane

Card-not-present merchants are battling increasingly frequent friendly fraud. That type of fraud..The I don’t recognize or I didn’t do it dispute. This occurs when a cardholder makes a purchase, receives the goods or services and initiates a chargeback on the order claiming he or she did not authorize the transaction.

This problem can potentially cripple merchants because of the legitimate nature of the transactions, making it difficult to prove the cardholder is being dishonest. The issuer typically sides with the cardholder, leaving merchants with the cost of goods or services rendered as well as chargeback fees and the time and resources wasted on fighting the chargeback.

Visa recently changed the rules and expanded the scope of what is considered compelling evidence for disputing and representing chargeback for this reason code. The changes included allowing additional types of evidence, added chargeback reason codes and a requirement that issuers attempt to contact the cardholder when a merchant provides compelling evidence.

The changes give acquirers and merchants additional opportunities to resolve disputes. They also mean that cardholders have a better chance to resolve a dispute with the information provided by the merchant. Finally, they provide issuers with clarity on when a dispute should go to pre-arbitration as opposed to arbitration.

Visa has also made other changes to ease the burden on merchants, including allowing merchants to provide compelling evidence to support the position that the charge was not fraudulent, and requiring issuers to a pre-arbitration notice before proceeding to arbitration, which reduces the risk to the merchant when representing fraud reason codes.

The new “Compelling Evidence” rule change does not remedy chargebacks but brings important changes for both issuers and merchants. Merchants can provide information in an attempt to prove the cardholder received goods or services, or participated in or benefited from the transaction. Issuers must initiate pre-arbitration before filing for arbitration. That gives merchants an opportunity to accept liability before incurring arbitration costs, and Visa will be using information from compelling evidence disputes to revise policies and improve the chargeback process

Visa made those changes to reduce the required documentation and streamline the dispute resolution process. While the changes benefit merchants, acquirers and issuers, merchants in particular will benefit with the retrieval request elimination, a simplified dispute resolution process, and reduced time, resources and costs related to the back-office and fraud management. The flexibility in the new rules and the elimination of chargebacks from cards that were electronically read and followed correct acceptance procedures will simplify the process and reduce costs.

Sometimes, an efficient process for total chargeback management requires expertise or in-depth intelligence that may not be available in-house. The rules surrounding chargeback dispute resolution are numerous and ever-changing, and many merchants simply do not have the staffing to keep up in a cost-effective and efficient way. Chargebacks are a way of life for CNP merchants; however, by working with a respected third-party vendor, they can maximize their options without breaking the bank.

Reason Code 83 (Fraud Card-Not-Present) occurs when an issuer receives a complaint from the cardholder related to a CNP transaction. The cardholder claims he or she did not authorize the transaction or that the order was charged to a fictitious account number without approval.

The newest changes to Reason Code 83, a chargeback management protocol, offer merchants a streamlined approach to fighting chargebacks and will ultimately reduce back-office handling and fraud management costs. Independent sales organizations and sales agents who understand chargeback reason codes and their effect on chargeback rates can teach merchants how to prevent chargebacks before they become an issue and successfully represent those that they can’t prevent.

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Jan
09
2014
January 9th, 2014 by Elma Jane

Notably after the Japanese tsunami…the Hungarian Red Cross has used mobile technology to raise funds for disaster relief, but for the first time has enlisted social media in the process. The organization is running a Facebook campaign that lets smartphone users make instant donations to aid victims of Typhoon Haiyan in the Philippines.

The donations will pass through the MasterCard Mobile app that was developed by the Hungarian m-payments firm Cellum. The solution relies on QR codes. The method is available only in Hungary.

Process works like this:

Download the MasterCard Mobile app to your smartphone and register your bank card, then follow the steps to secure your personal data.

To donate, scan the QR code shared on Facebook with the built-in scanner of MasterCard Mobile. Transaction data are displayed on the screen to ensure the donation goes to the chosen cause.

The QR code contains a minimum sum, which can be increased.

Then press the send button to review and confirm transaction data.

The app then initiates the transaction, which you need to authorize by entering your mPIN.

You will receive feedback on the successful transaction, which can later be viewed in the transactions menu.

The donations will pass through Cellum’s system and quickly go to the Hungarian Red Cross’ account, which is dedicated to typhoon relief efforts.

Donations are a matter of impulse and that people who decide to give want to act quickly, chances are they don’t carry around a pen to put down a 24-digit bank account number on a piece of paper. By the time they get home and visit their online bank where they could transfer the money, they have already been distracted by a hundred other stimuli, so they end up sending nothing. Cellum’s solution is simple; whenever the impulse hits people, they probably have their phone at hand said Cellum spokesman Balazs Inotay.

Posted in e-commerce & m-commerce, Internet Payment Gateway, Medical Healthcare, Smartphone Tagged with: , , , , , , , , , , , , , , , , , , , ,