Nov
03
2015
PCI COMPLIANCE
November 3rd, 2015 by Elma Jane

While EMV represents a significant improvement in the way credit/debit card fraud is detected and prevented, some have confused EMV’s capabilities with the concepts of data security and PCI compliance.

Does EMV override PCI?

The answer is NO, EMV technology does not satisfy any PCI requirements, nor does it reduce PCI scope.

  • EMV is counterfeit card fraud protection – it makes it more difficult to make use of stolen card data.
  • EMV is not encryption – EMV does not encrypt the Primary Account Number (PAN) and therefore the card data must still be protected according to PCI guidelines.
  • EMV only works for card present transactions.

If your business accepts credit or debit cards in a physical store or other face-to-face setting, you will need to implement the EMV technology and PCI standards. If you upgrade your terminals for EMV, consider adding point-to-point encryption (P2PE) capabilities to reduce PCI scope and protect data end to end. In addition, using tokens after authorization can prevent the card data from being used, should it be stolen.

 

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security Tagged with: , , , , , , , , , , , , , , , , ,

Oct
01
2015
EMV
October 1st, 2015 by Elma Jane

The day the payments industry has pointed to for several years arrives today, a turning point in the U.S.‘s migration to EMV chip-and-PIN cards.

Rules set by Visa and MasterCard as of today, the liability for fraud carried out in physical stores with counterfeit cards belongs to the merchant if it has not yet upgraded its POS system to accept EMV-enabled chip cards. Banks will be issuing EMV Chip Cards.

An enormous change, as everyone learns to deal with the new technology that requires consumers to insert their cards and leave them in the store machines throughout a payment transaction, rather than swipe.

In a recent survey, less than a third of merchants overall have invested in EMV-compliant technology, and one study said 80 percent of small and midsize merchants have not upgraded their systems as of today’s liability shift.

Issuers are claiming to be more prepared than merchants, but according to the Smart Card Alliance, around 200 million chip cards have been issued to U.S. cardholders. That, however, is less than 17 percent of the approximately 1.2 billion payment cards in circulation.

What is clear is that today does not represent the end of the journey. The lack of preparedness at the physical point of sale, however, may be beneficial for card-not-present merchants.

Over the past few months, the mainstream media has awoken to the fact that implementing EMV does not mean fraud will disappear. Fraudsters quickly adapted to the difficulty of counterfeiting cards by attacking Card-Not-Present channels, where a chip has no effect.

In other markets, fraud migrated quite rapidly to card-not-present channels. It is necessary on e-commerce merchants to protect themselves with an array of tools, like device authentication, one-time passwords, randomized PIN pad and biometrics. Fraud mitigation tools like data analytics, address and CVV verification, 3D secure and tokenization. These services should be available from their merchant acquirer processor or gateway.

There should be a gradual reduction in card fraud over the next 12-18 months in spite of the delays in this country’s EMV migration. It’s going to take time for the technology to be adopted.

U.S. Merchants’ overall relative lack of preparedness for EMV may give e-commerce and mobile merchants time they didn’t think they would have to explore the options.

Sophisticated authentication technologies such as biometrics will help increase the security of card transactions. Device-based verification could be easily incorporated in an EMV transaction.

Banks have expressed interest more in using the phone as a biometrics. It’s all going to depend on what is the most convenient way to access your funds. The nice thing about biometrics is it’s meant to enable more convenience and stronger security.

 

Posted in Best Practices for Merchants, e-commerce & m-commerce, EMV EuroPay MasterCard Visa, Mobile Payments, Mobile Point of Sale, Point of Sale Tagged with: , , , , , , , , , , , , , , , , ,

Sep
04
2014
September 4th, 2014 by Elma Jane

EMV, which stands for Europay, MasterCard and Visa, and is slated to be mandated across the United States starting in October 2015 and automated fuel dispensers have until October 2017 to comply. Unlike magnetic swipe cards, EMV chip cards encrypt data and authenticate communication between the card and card reader. Additionally, chip card user is prompted for a PIN for authentication.

Why are those dates important? Companies lose $5.33 billion to fraud today, with card issuers and merchants incurring 63 and 37 percent of these losses, respectively. Under the EMV mandate, merchants who do not process chip cards will bear the burden of the issuer loss. By accepting chip card transactions, merchants and issuers should see a reduction in fraud.

Overcoming Barriers to EMV Adoption

Given the significant barriers to EMV adoption, it may be tempting for merchants to meet minimum requirements for accepting EMV payments. However, medium to large retailers should also consider the bigger picture of customer security and peace of mind.

Some key critical success factors for a payment initiative of this size include:

Business Continuity Architecture: As with all payment systems, it is imperative to have the EMV system running at all times. The solution should preferably have Active-Active architecture across multiple data centers and have a low Recovery Point Objective (the point in time to which the systems and data must be recovered after an outage).

Cost Benefit Analysis: Take a top down approach and decide accordingly on the scope of the analysis. This will ensure that decisions on scope are made on basis of quantitative data and not just qualitative arguments.

Phased Approach: To overcome time or cost overage in a project of this scope and complexity, retailers should try using an iterative approach for development. The rollout can be divided into multiple releases of six to seven months, which will provide the opportunity to review, capture lessons learnt, and improve subsequent releases.

Proactive Monitoring Alerts: Considering the criticality of business function carried out by EMV, tokenization and payment gateway, a vigorous supervising environment must be defined to perform proactive and reactive monitoring. It should take into consideration the monitoring targets, tools, scope and methods. This will provide advance visibility to the failure points and better ensuring maximum system availability.

Resilience Testing: Typically in a software project, the testing is limited to the unit, integration, performance and user acceptance. However, due to the critical nature of the applications and systems involved, robust resiliency testing is vital. This will ensure that there are no single points of failure and the system remains available when running in error conditions.

Stakeholder Identification: This is a key step to ensure that you have varied perspectives from all departments and their support. It will keep your organization from being blindsided and reduce the risk of disagreements in later stages of the program. Key stakeholders should include Store Operations, Card Accounting, Loss Prevention, Contact Center and IT & Data Security.

Organizations should adopt a five step approach to implement a secure, robust and industry-leading payment solution:

Encryption – Point to point encryption will ensure card data is secure and encrypted from the point of capture to the processor. Usually, merchants use data encryption that is not point to point, rendering their organization vulnerable to data breaches. Software encryption is the most common form of encryption, as it is easily installed and quires little or no hardware upgrades; however, it is less secure, may expose encryption keys, and is prone to memory scanning attacks. Hardware encryption is considered more secure but requires more costly terminal upgrades. Hardware encryption is designed to self-destruct the keys if tampered, but is not well-defined as very limited headway has been made in this space. 

Tokenization – Build a Card Data Environment (CDE) that will host a centralized card data storage solution. Only limited applications with firewall access and capability to mutually authenticate via certificates can access CDE and receive card data. The rest of the applications will have tokens which are random numbers. This architecture will ease the merchant’s burden with existing and emerging PCI Data Security Standards.

Payment Gateway – Perform a risk assessment on the current payment gateway and identify gaps in functionality, manageability, compliance, scalability, speed to market and best practices. Determine the alternatives to mitigate the risks. Some of the important aspects of a leading payment gateway solution are support for all forms of credit, debit, gift cards and check transactions. Its ability to work with any acquirer, in-built encryption abilities, support for settlement and reconciliation must also be kept into consideration.

Settlement, Funding and Reconciliation – A workflow-based system to handle chargebacks and the automation of chargeback processing will greatly reduce labor-intensive work and enhance the quality of data used for settlement and reconciliation. Upgrades to the existing receipt retrieval system may be needed.

Card fraud is on the rise in the U.S., and merchants are the primary target for stealing information. With the EMV deadline just over a year away, the responsible retailer must take steps to prepare now. Although EMV implementation might seem overwhelming to merchants, they should start their journey to secure payments rather than wait for a looming deadline. Solutions such as data encryption and tokenization should be used in combination with EMV to implement a robust payment solution to better protect merchants against fraud. By proactively adopting EMV payment solutions, merchants can stay ahead of the regulatory curve and better protect their customers from fraud.

 

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

May
29
2014
May 29th, 2014 by Elma Jane

A point-of-sale facial recognition system that uses NFC to help combat card fraud has been created during a recent company hack-a-thon, together with a group of engineers and designers from Logic PD. Hackathon was an opportunity for experts to explore the possibilities of useful solutions to today’s challenges, with the recent significant breaches in security at leading retailers, the need for this type of solution is particularly meaningful.

The solution, is a multi-modal security platform for card purchases, uses NFC authentication combined with camera imaging to protect users. When users make a mobile payment at the point of sale, the kiosk snaps a picture of the purchaser. This image can be incorporated via the cloud into the user’s digital transactional record, which was stored and distributed via SeeControl in this example, allowing users to identify who made each purchase, and easily identify those that are fraudulent even before banks and financial institutions.

Posted in Credit Card Security, Mobile Payments, Mobile Point of Sale, Point of Sale, Smartphone Tagged with: , , , , , , , , , , , , , , , ,

Jan
13
2014
January 13th, 2014 by Elma Jane

Most of the world has already migrated to EMV chip technology. EMV, as commentators have noted, affects not only hardware and software, but every card payment system, device and application.  Looking ahead to the 2015 liability shift, stakeholders who have not made the switch should consider these benefits of EMV.

Rather than focusing on any potential expenses, however, stakeholders should  instead consider the important elements they have to gain.
EMV is here.

Benefits of EMV:

Global interoperability – Since most of the world has migrated to EMV, U.S. banks can that transition gain the ability to have their cards used with full EMV security anywhere in the world. Further, merchants benefit from this global interoperability as it allows them to process transactions coming into the U.S. from foreign travelers in the same way as domestic transactions.

Higher security – The latest data indicates that 78 percent of all counterfeit card fraud originates in areas where EMV has not yet been widely implemented, and even the most ardent detractors of EMV admit that EMV is very secure.

All stakeholders, gain a higher level of security than was available through magnetic-stripe technology.

Roadmap to mobile – POS terminals that support contactless EMV will in turn enable mobile EMV on NFC at merchants, meaning merchants can take advantages of all manner of popular payment methods, as well as the latest loyalty, location-based and couponing capabilities of mobile.

Posted in Credit card Processing, Credit Card Security, EMV EuroPay MasterCard Visa, Mobile Payments, Mobile Point of Sale, Near Field Communication, Point of Sale, Smartphone Tagged with: , , , , , , , , , , , , , , , , , , , ,