MasterCard Archives - Page 3 of 7 - Payment Processing News
May
19
2015
May 19th, 2015 by Elma Jane

We’re now nearly midway through 2015, and payment security still remains a topic that stirs up great concern and confusion. While there is seemingly unanimous agreement on the need for heightened security, there’s uncertainty about those who are tasked with actually implementing it. Let’s dig deeper into EMV, P2PE and tokenization. How each will play a part in the next generation of securing payments, and how without properly working together they might just fall short.

 

 

Europay, MasterCard, and Visa (EMV) – A powerful guard against credit card skimming. EMV also uses cryptography to create dynamic data for every transaction and relies on an integrated chip embedded into the card.

Downside: For Independent Software Vendor (ISVs), the biggest downside of EMV is the complexity of creating an EMV solution. ISVs interested in certifying PINpads with a few processors face up to 22 months of costly work, and because there are a large number of pending certifications, processors will be backed up over the next few years.

It’s not impossible for an ISV to build EMV solutions in-house, but it’s difficult and unnecessary when there are plug-and-play EMV solutions available. These solutions include pre-packaged and pre-certified APIs that remove most of the need for research, the complexity and the burden of time and cost.

Point to Point Encryption (P2PE) – Secures devices, apps and processes using encrypted data with cryptographic keys only known to the payment company or gateway from the earliest point of the transaction, from tech-savvy criminals, jumping at their chance to intercept POS systems and scrape the memory from Windows machines.

How does a key get into card reader? Through an algorithm called derived unique key per transaction (DUKPT), or “duck putt.” DUKPT generates a base key that’s shared with device manufacturers securely, where output cardholder data is rendered differently each time a card is swiped, making it impossible to reverse engineer the card data. P2PE not only benefits the cardholders, but also the ISVs and merchants. PA-DSS certification was designed to address the problems created with cardholder data which is not encrypted.

Downside: P2PE isn’t cheap if an organization wants to do it in-house. The secure cryptographic device needed to manage the keys, Hardware Security Module (HSM), can cost $30-40,000 but when it’s built out, that total cost can jump to $100,000.

TOKENIZATION – The best way to protect cardholder data when it’s stored is using tokenization, a process which the PCI Security Standards Council describes as one where the primary account number is replaced with a surrogate value a token. For merchants dealing with recurring billing, future payments, loyalty programs and more, tokenization is critical.

Downside: Tokenization doesn’t prevent malware that’s remotely installed on POS devices. It’s possible, as seen with recent retail card breaches, for data to be stolen before it is tokenized. That’s why it’s essential to group tokenization together with P2PE and EMV to offer optimal security.

 

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Jan
26
2015
January 26th, 2015 by Elma Jane

Accept Electronic Payments in Their Currency,

Convert it to Yours

DCC or Dynamic Currency Conversion is a system where the Visa or MasterCard holder in a foreign country can shop on an American based web site that displays prices in their own local currency. The web site can offer multiple choices as to which country the shopper is based in and the shopper can be immediately familiar with the pricing of goods and services.

Exchange rates are in constant flux. Dynamic Currency Conversion utilizes a Bank Reference Table (BRT) otherwise known as a Card Recognition Table (CRT). This table is updated on a daily basis so that transactions have the most up to date conversion rate for transactions. Your web site holds pricing information in $USD, and based on the selection of the shopper, prices are converted to their native currency. Even if the shopper does not choose the correct currency, at the time the card information is presented, the system automatically recognizes that the card is foreign and applies the appropriate currency and exchange rate.

At the close of the transaction an invoice or receipt can present the total to the customer in their currency, along with the merchants local currency along with the exchange rate that was applied. In today’s global business environment, this level of convenience to the customer insures they are comfortable with the transaction from shopping cart to the door. Your business reaches foreign nations expanding your market while presenting new opportunities, increasing your businesses bottom line.

On the merchant end, all transactions are settled in $USD. Reporting mechanisms can display the consumers pricing and the exchange rate they paid for analysis and cost reduction.

Currency Conversion

  • Accept currencies from other nations.
  • Convert funds to US Dollars.
  • Set prices in local currency to avoid confusion or calculation.
  • Works with e-commerce as well as Mail Order / Phone Order.
  • Ease the sales process for your customers.
  • Increase customer familiarity.
  • Immediately convert currency to avoid value gaps.

Posted in Best Practices for Merchants, Electronic Payments Tagged with: , , , , , , , , , , , , , , , ,

Jan
21
2015
January 21st, 2015 by Elma Jane

With a crucial deadline, the payments industry is starting to look at just what kind of fraud liability and how much fraud merchant acquirers will have to assume if their merchants aren’t ready to accept Europay-MasterCard-Visa (EMV) chip cards by October.

While issuers currently absorb losses under card-network rules, that burden will shift to acquirers this fall in cases where the fraud occurs at merchants unprepared for EMV.

As a result, acquirers will have to reckon with a whole new category of risk exposure.

In card-not-present transactions, acquirers have faced this, but in the overwhelming majority of cases they’ll be confronting it for the first time.

Surprisingly, for all the talk in the industry about the imminent arrival of EMV, it appears few acquiring executives have fully accounted for what the shift really means for them.

Some 24% of U.S. point-of-sale terminals are “EMV-capable,” while 9% of debit/prepaid cards issued, and 2% of credit cards have EMV chips so far. But while terminals may be technically capable, it isn’t known just how many of these merchants have the software and trained personnel to accept EMV.

Foreign issuers, especially, may be licking their chops at the prospect of offloading their consumer-fraud risk onto U.S. acquirers. For years and years, these non-U.S. issuers have invested in EMV, but the U.S. is still using the mag stripe. So non-U.S. issuers appear to be very aware of the liability shift.

To be sure, acquirers’ increased risk exposure may be relatively short-lived. Under the network rules, liability rests with the issuer in cases where both the merchant and the issuer are EMV-compliant. That could be nearly universally the case within a few years. By 2018, nearly all cards and terminals will be compliant.

But that still leaves open the question of how many of these terminals will really be running chip card transactions.

The issue isn’t so much about terminals as about software. Many mid-size merchants are using so-called integrated solutions that run payments as part of a larger business-management system. That means acquirers must work with a number of other parties to reconfigure software, and that presents a challenge when it comes to getting masses of merchants EMV-compliant.

The bigger problem is the integrated point-of-sale market.

While the liability shift may impact acquirers, not all them are convinced their exposure will rise all that much. Some argue the risk of loss from lost/stolen/counterfeit cards at the point of sale is low and not likely to rise, especially for small-ticket merchants.

Fraudsters, are much more inclined to practice their trade online, where the risk of being caught is lower, compared to face-to-face transactions.

 

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Reader Terminal, Credit Card Security, EMV EuroPay MasterCard Visa, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , ,

Oct
23
2014
October 23rd, 2014 by Elma Jane

The U.S. government will replace roughly 9 million government-issued payment cards with EMV chip-and-PIN versions early next year in a push to increase awareness and use of the more secure cards. Between 5 and 6 million prepaid debit cards used for issuing government payments, including Social Security and veterans benefits, will be reissued in January 2015. Another 3 million cards issued to federal government employees will also be replaced with EMV versions through the General Services Administration’s SmartPay program.

All the cards will be set up for Chip and PIN security as a U.S. government standard under the upgrade program, rather than the Chip and Signature approach required by Visa and MasterCard for most U.S. retailers starting late next year. However, there was no indication that the new cards will actually have the less secure magnetic data stripe removed.

Finding the right answers with the latest technologies to stop these cyber thieves and taking proactive and positive steps by adopting PIN and chip technology for government-issued debit and credit cards shows the importance of protecting financial transactions. While EMV is important, it’s not a total solution to the issue of data security.

POS devices at all federal agencies that accept retail payments will also be converted to accept EMV cards on a schedule set by the U.S. Treasury Dept. No timetable was given for the federal POS conversion.

The rollouts at four of the six largest U.S. retail chains will give a boost to EMV, which despite an October 2015 deadline has seen slow uptake among retailers. Under a mandate by Visa and MasterCard, retailers who experience credit or debit card fraud after next October but haven’t upgraded their POS equipment to accept EMV cards will be liable for the loss. If the bank that issued the card hasn’t upgraded it to EMV, the bank will take the loss.

But despite that October deadline, fewer than half of retailers’ POS terminals are expected to be able to accept EMV cards by the end of 2015, and barely half of U.S. payment cards will have been upgraded by then, according to the Payments Security Task Force, a banking industry group tracking EMV uptake.

The 9 million federally issued cards are a tiny fraction of the 1 billion credit and debit cards in use in the U.S., so the overall impact of accelerated EMV conversion is likely to be small. However, the Buy Secure initiative also explicitly includes a consumer-education component. Visa said it will spend $20 million in a public service campaign, and American Express said it will launch a $10 million program to help small merchants upgrade their POS terminals.

Small merchants are less likely to know about EMV than large retail chains, which have been making implementation plans for years.

 

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security Tagged with: , , , , , , , , , , , , , , , , , , , , , ,

Sep
24
2014
September 24th, 2014 by Elma Jane

The CVV Number (Card Verification Value) on your credit card or debit card is a 3 digit number on VISA, MasterCard and Discover branded credit and debit cards. On your American Express branded credit or debit card it is a 4 digit numeric code.

The codes have different names:

American Express – CID or unique card code.

Debit Card – CSC or card security code.

Discover  – card identification number (CID)

Master Card – card validation code (CVC2)

Visa  – card verification value (CVV2) 

CVV numbers are NOT your card’s secret PIN (Personal Identification Number).

You should never enter your PIN number when asked to provide your CVV. (PIN numbers allow you to use your credit or debit card at an ATM or when making an in-person purchase with your debit card or a cash advance with any credit card.)

Types of security codes:

CVC1 or CVV1, is encoded on track-2 of the magnetic stripe  of the card and used for card present transactions. The purpose of the code is to verify that a payment card is actually in the hand of the merchant. This code is automatically retrieved when the magnetic stripe of a card is swiped on a point-of-sale (card present) device and is verified by the issuer. A limitation is that if the entire card has been duplicated and the magnetic stripe copied, then the code is still valid.

The most cited, is CVV2 or CVC2. This code is often sought by merchants for card not present transactions occurring by mail or fax or over the telephone or Internet. In some countries in Western Europe, card issuers require a merchant to obtain the code when the cardholder is not present in person.

Contactless card and chip cards may supply their own codes generated electronically, such as iCVV or Dynamic CVV.

Code Location:

The card security code is typically the last three or four digits printed, not embossed like the card number, on the signature strip on the back of the card. On American Express cards, the card security code is the four digits printed (not embossed) on the front towards the right. The card security code is not encoded on the magnetic stripe but is printed flat.

American Express cards have a four-digit code printed on the front side of the card above the number.

MasterCard, Visa, Diners Club,  Discover, and JCB credit and debit cards have a three-digit card security code. The code is the final group of numbers printed on the back signature panel of the card.

New North American MasterCard and Visa cards feature the code in a separate panel to the right of the signature strip. This has been done to prevent overwriting of the numbers by signing the card.

Benefits when it comes to security:

As a security measure, merchants who require the CVV2 for card not present payment card transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized and completed. This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. Virtual Terminals and payment gateways do not store the CVV2 code, therefore employees and customer service representatives with access to these web-based payment interfaces who otherwise have access to complete card numbers, expiration dates, and other information still lack the CVV2 code.

The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other sensitive authorization data) post transaction authorization. This applies globally to anyone who stores, processes or transmits card holder data. Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America require the code. For American Express cards, this has been an invariable practice (for card not present transactions) in European Union (EU) states like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a fraudulent merchant or employee cannot simply capture the magnetic stripe details of a card and use them later for card not present  purchases over the phone, mail order or Internet. To do this, a merchant or its employee would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder’s suspicion.

Supplying the CSC code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.

 

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Point of Sale, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Sep
22
2014
September 22nd, 2014 by Elma Jane

Consumers know how hard it is to obtain a credit card, if your credit score isn’t up to par. A bad credit score can prevent you from getting credit and make it hard to purchase your day to day necessities. People with poor credit don’t know their options. There are a number of ways to get a credit card if you have a poor credit score. There will likely be road blocks and limitations in your search. You won’t have the same options available as someone with pristine credit. But you will be able to get a line of credit if you look in the right place.

COSIGNED CREDIT CARDS                                                                                                                              If you get a cosigner, you will be able to obtain a card that would not be available to you otherwise. The cosigner has to have good credit, and they are responsible for your debt if you can’t pay. Make sure your cosigner fully recognizes their obligations and what will happen if you are unable to pay.

GIVE AN EXPLANATION FOR POOR CREDIT                                                                                        Explain the circumstances behind your poor credit. You can add a 100-word statement to your credit report such as the loss of a job. If you can tell your story and convince creditors you are on the road to increasing your credit score, they may believe you are more likely to pay back your debts. Divorce and illness are two other instances where individuals may see a drop in their credit score. Make sure whatever you list is true.

IMPROVE YOUR CREDIT                                                                                                                              One of the most difficult options. Poor credit can seem extremely hard to repair. But there are choices, it is just a process that will take a significant period of time. If you have poor credit, you can open bank accounts and pay off your loans and credit cards on time. If you pay off your debt in a timely manner, your credit score will improve over time and you will gain access to more credit card options.

RETAIL STORE CARDS                                                                                                                               Retail stores often have store credit cards they offer customers. Retail stores are generally more willing to approve applicants without a stellar credit score. But these cards usually come with extremely high interest rates and relatively low credit limits, so make sure you fully understand the terms of the card before applying.

SECURED CREDIT CARDS                                                                                                                            You deposit some money into an account, and then a creditor will provide you with a line of credit equal to your deposit. It is essentially a down payment, and if you don’t pay your credit card bill, your creditor is entitled to the money in the account. This might not sound like a favorable position, but remember that secured credit cards can be used as a valuable tool to rebuild your credit. Make sure the card you apply for reports to a credit reporting agency. This will help you start building a credit history. SELECT A CREDIT

CARD DESIGNED FOR THOSE WITH POOR CREDIT                                                                                      There are a number of credit cards offered by Visa and MasterCard designed for people with poor credit. These cards have low limits, a significant number of fees and high interest rates. But for some people, it may be their best option. Talk to your bank’s administrators or with your current credit card company to see if they offer a credit card that fits your personal needs.

SUBPRIME CREDIT CARDS                                                                                                                    Another option for those with poor credit, but they are ripe with fees that many people who are already short on cash may not be able to handle. Interest rates can be dangerously high for those with poor credit, so beware of these cards. They are often a last resort for individuals who need access to credit. However, like secured credit cards, they can be used to rebuild credit. Make sure you read the fine print and understand the applicable fees before you apply for a subprime credit card. Again, make sure the card reports to a credit reporting agency so you start building a credit history. Finding a line of credit doesn’t have to be a difficult endeavor. If you know what you are looking for, you can find a line of credit that fits your personal needs without breaking the bank. There are limitations, as well as pros and cons, to many of the forms of credit available to those with poor credit scores, such as secured credit cards or subprime credit cards. But those options do give people choices they otherwise may not have, and they help you build credit, so that eventually you will have a greater number of options.

Posted in Best Practices for Merchants Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Sep
19
2014
September 19th, 2014 by Elma Jane

CREDIT CARD NUMBER’S ANATOMY

The numbers on front of a credit card aren’t just random. They give away specific information about the card and where it comes from.

The first 6 digits of the credit card number is the Bank Identification number (BIN). This will tell the name of the credit card issuer.

Example: Travel or entertainment cards, such as American Express  cards, begin with a 3 . All Visa credit cards start with a 4, MasterCard with a 5, and 6 is dedicated to Discover.

The first six digits of the card, including the Bank Identification number, represent the issuer identification number. This identifies the bank that issued the card.

Of course, there’s the personal account number. This is made up of the seventh digit on, everything except the last number on the card.

The final digit on the credit card is known as the check digit or checksum. This number is set by something called the Luhn formula, patented by an IBM scientist in 1960. It’s a formula that uses the numerals in your card’s account number to verify that it’s valid. Various combinations of the card’s digits must ultimately add up to a number divisible by 10.

The formula is mostly used to protect against input errors. Let’s say you enter in the wrong numbers on an online shopping site. The formula will compute that the digits don’t add up right, telling you you’ve entered an invalid card number. That last digit of your credit card makes sure the formula works like it’s supposed to.

Now you know that there’s a lot of information on that little card in the wallet.

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , ,

Sep
19
2014
September 19th, 2014 by Elma Jane

MasterCard is claiming a 98% success rate for pilot trials of a biometric verification system combining both voice and facial recognition.

It recently held a closed pilot to understand the consumer experience around voice and facial recognition.

A beta mobile app was tested in an e-commerce environment on over 14,000 transactions.  The test group, used both Android and iOS operating systems. The results, yielding a successful verification rate of 98%, mixing a combination of voice and facial recognition. The process usually took less than 10 seconds.

With the first wave of apps utilising Apple’s TouchID fingerprint recognition system coming to market – both US neo-bank Simple and PFM outfit Mint have shipped their first iOS upgrades to incorporate the technology. Biometric verification is beginning to gain currency among businesses and consumers as a useful tool in the fight against fraud.

The launch of Apple Pay will start to bring true scale to the next generation of payments authentication. The challenge is to take lessons from the different applications of biometrics already in place and elevate them into the next generation of authentication, not just for one platform, but for the mass market globally.

MasterCard already has first hand experience of a mass-market implementation of biometric card technology with the recent launch of the Nigerian eIDcard, which combines payment card functionality with a mix of fingerprint, facial and iris recognition.

 

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Sep
17
2014
September 17th, 2014 by Elma Jane

Host Card Emulation (HCE) offers virtual payment card issuers the promise of removing dependencies on secure element issuers such as mobile network operators (MNOs). HCE allows issuers to run the payment application in the operating system (OS) environment of the smart phone, so the issuing bank does not depend on a secure element issuer. This means lower barriers to entry and potentially a boost to the NFC ecosystem in general. The issuer will have to deal with the absence of a hardware secure element, since the OS environment itself cannot offer equivalent security. The issuer must mitigate risk using software based techniques, to reduce the risk of an attack. Considering that the risk is based on probability of an attack times the impact of an attack, mitigation measures will generally be geared towards minimizing either one of those.

To reduce the probability of an attack, various software based methods are available. The most obvious one in this category is to move part of the hardware secure element’s functionality from the device to the cloud (thus creating a cloud based secure element). This effectively means that valuable assets are not stored in the easily accessible device, but in the cloud. Secondly, user and hardware verification methods can be implemented. The mobile application itself can be secured with software based technologies.

Should an attack occur, several approaches exist for mitigating the Impact of such an attack. On an application level, it is straightforward to impose transaction constraints (allowing low value and/or a limited number of transactions per timeframe, geographical limitations). But the most characteristic risk mitigation method associated with HCE is to devaluate the assets that are contained by the mobile app, that is to tokenize such assets. Tokenization is based on replacing valuable assets with something that has no value to an attacker, and for which the relation to the valuable asset is established only in the cloud. Since the token itself has no value to the attacker it may be stored in the mobile app. The principle of tokenization is leveraged in the cloud based payments specifications which are (or will soon be) issued by the different card schemes such as Visa and MasterCard.

HCE gives the issuer complete autonomy in defining and implementing the payment application and required risk mitigations (of course within the boundaries set by the schemes). However, the hardware based security approach allowed for a strict separation between the issuance of the mobile payment application on one hand and the transactions performed with that application on the other hand. For the technology and operations related to the issuance, a bank had the option of outsourcing it to a third party (a Trusted Service Manager). From the payment transaction processing perspective, there would be negligible impact and it would practically be business as usual for the bank.

This is quite different for HCE-based approaches. As a consequence of tokenization, the issuance and transaction domains become entangled. The platform involved in generating the tokens, which constitute payment credentials and are therefore related to the issuance domain, is also involved in the transaction authorization.

HCE is offering autonomy to the banks because it brings independence of secure element issuers. But this comes at a cost, namely the full insourcing of all related technologies and systems. Outsourcing becomes less of an option, largely due to the entanglement of the issuance and transaction validation processes, as a result of tokenization.

 

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Near Field Communication, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Sep
15
2014
September 15th, 2014 by Elma Jane

Visa has taken advantage of the hoopla surrounding Apple’s application of digital account tokens to replace card numbers for online and mobile purchasing by initiating the roll out of its Token Service to US clients.

Visa Tokens will be made available to issuing financial institutions globally, starting with US banks next month, and followed by a phased roll-out overseas beginning in 2015. The technology has been designed to support payments with mobile devices using all major mobile platforms.

More than 750 staff from across the Visa organisation globally were involved in the effort, working closely with initial launch partners – financial institutions, merchants and processors to ensure the ecosystem was ready. Today, Visa is making these services available and believe it will help transform connected devices and wearables into secure payment vehicles.

Visa Token Service replaces sensitive payment account information found on plastic cards with a digital account number or token. Because tokens do not carry a consumer’s payment account details, such as the 16-digit account number, they can be safely stored by online merchants or on mobile devices to for e-commerce and mobile payments.

The release of the service has been given added urgency by a spate of successful hacks on merchant card data stores, such as the recent plundering of card account data at Home Depot and Target.

MasterCard has its own equivalent Digital Enablement Service, which will be released outside of the US in 2015.

Posted in Best Practices for Merchants, Credit Card Security, e-commerce & m-commerce, Mobile Payments, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , ,

← Previous Article
Next Articles »