Category: Payment Card Industry PCI Security

January 30th, 2014 by Elma Jane

As many as 40 million Target customers were hit over the holidays when thieves got into their credit and debit card data. If you shopped at Target between November 27 and December 15 while the thieves were harvesting data, you’re unlikely to lose a dime. Federal law and industry practices protect virtually all customers from any liability for fraudulent charges. The real problem is that so many breaches occur in the first place. Credit and debit card fraud has nearly quadrupled in the past decade, hitting $11.3 billion in losses worldwide last year. That hurts profits and raises the cost of goods. The U.S. accounts for more than its share of fraud, and hardly a month goes by without a breach at some large U.S. retailer, in part because the U.S. lags other countries in card security.

After the Target breach, the stolen account information flooded underground markets that operate on the Internet, selling batches of data that allow thieves to counterfeit cards and shop till they drop. The best thing that could happen is if this latest megabreach forced the industry and Congress to fix some of the system’s most troubling vulnerabilities.

Cyberthieves are growing more sophisticated, and nothing can prevent every data breach. But when a company as big as Target can be hacked for 19 days to the tune of 40 million records, consumers deserve more modern and tougher protections.

Some ideas for curbing cybercrime:

Put stronger protections on debit cards. Credit cards carry the gold standard in protection against having to pay for fraudulent charges. Federal law limits losses to $50, and most issuers take that down to zero. After a data breach, debit cards are similarly protected. But if your debit card is lost or stolen, by law you could lose up to $500, and reimbursement may depend on how quickly you report the loss. There’s no sound reason for the gap. It should be eliminated.

Set federal standards to protect data. The industry, led by Visa and MasterCard, has always provided its own security standards to keep data safe. Obviously, they’re not working. Federal standards could help, especially if backed by sanctions for flouting them. The Federal Trade Commission has some authority, but the law is nearly 100 years old, and some companies have challenged the agency in court. Since the Target breach, several senators are calling for more federal authority.

Get with the 21st century. The U.S. is far behind Europe, which almost a decade ago replaced the magnetic stripe on cards with a digital chip that prevents thieves from counterfeiting cards with stolen data. That’s one reason the U.S. has become a mecca for hackers. The U.S. industry is migrating to these “EMV” cards, but it has moved slowly. The players fight among themselves over everything from who pays to the type of security. Requiring cardholders to use PIN numbers would provide the best security. Whatever the decision, the industry needs to get moving to meet a self-imposed 2015 deadline.

Posted in Best Practices for Merchants, Credit Card Security, Digital Wallet Privacy, Electronic Payments, EMV EuroPay MasterCard Visa, Financial Services, Payment Card Industry PCI Security, Visa MasterCard American Express

December 5th, 2013 by Elma Jane

Three key benefits mPOS can provide to PSPs. mPOS:

1. Maintains A Continuity Of Operations 
mPOS solutions also ease the process of accepting and approving payments, according to the white paper. By enabling face-to-face card present transactions, mPOS allows transactions to be conducted in a highly secure manner. Further, once the encrypted transaction data is decrypted securely by the PSP at the payment gateway (with no access granted to the merchant), the onward presentation of the data into the acquiring network is consistent with that used historically for traditional POS terminals.

2. Simplifies Merchant Support 
Thales suggests the biggest benefit to PSPs is that mPOS reduces the variety of costs PSPs need to cover to support merchants, cutting expenses related to equipment, security and PCI DSS compliance. This, the white paper says, allows PSPs that utilize mPOS to better allocate resources toward handling higher transaction volumes and acquiring business.

3. Supports Both Magnetic Stripe and EMV Cards 
Another benefit to PSPs is that mPOS, despite its recent entrance to the market, is already widely available. The white paper explains that since the mPOS revolution quickly migrated from the U.S. abroad, mPOS solutions now exist to serve the unique needs of both markets. While this means challenges for merchants operating globally, PSPs benefit from being able to address the needs of merchants who want to opt for any and all available market solutions.

Much has been said about the recent explosion of the mobile point-of-sale (mPOS) market and how micromerchants are driving this payments revolution. But, what this story doesn’t communicate effectively is that small merchants aren’t the only stakeholders benefiting from the ongoing mPOS migration.

Payment service providers (PSPs) are another member of the mPOS value chain that can gain flexibility and security through these solutions, new research from data protection solution provider Thales suggests.

“Both merchants and PSPs have operational and logistical issues with traditional POS terminals associated mainly with the highly controlled and certified environment in which they must be used,” Thales writes in its latest white paper on the topic, “mPOS: Secure Mobile Card Acceptance.”

The 27-page white paper provides an extensive overview of the ongoing POS revolution, explaining how mPOS can reduce friction and costs for merchants, illustrating how the technology works step-by-step and highlighting the roles that each stakeholder plays along the value chain.

Posted in Electronic Payments, Mobile Payments, Mobile Point of Sale, Payment Card Industry PCI Security, Point of Sale, Smartphone

December 2nd, 2013 by Elma Jane

Europay, Mastercard, and Visa (EMV) standards: considered safer and widely used across Europe and other nations, the chip-based cards require insertion of the card into a terminal for the duration of a transaction, a break here from our traditional swipe-and-buy behavior. That’s just one way in which EMV changes things here… but it’s not the only way, nor is it the most important way. By way of reminder, October 2015 is the date by which all restaurants and other merchants are due to have implemented these standards, or potentially be liable for counterfeit fraud; the change primarily reflects a shift from magnetic-stripe credit cards to chip cards.

The main driver in the EMV migration is card-related financial fraud. Traditionally, for example, card fraud in the United Kingdom has been considerably higher than here in the States, primarily because the U.K. previously used offline card authorization as opposed to the online card methodology used here. As losses due to fraud rose steadily in Europe, despite the best efforts of global law enforcement agencies to reduce it, the pressure to find a solution built around some alternative authentication strategy mounted. From this concern, EMV was born.

Is it working? Recent statistics from the European Central Bank (ECB) revealed that, despite growing card usage, fraud in the Single Euro Payments Area (SEPA), a mature EMV territory that includes all 28 members of the European Union, Finland, Iceland, Liechtenstein, Monaco and Norway, fell 7.6% between 2007 and 2011. This decline is underpinned by a slowdown in the growth of ATM fraud as well as a 24% drop in fraud carried out at point of sale terminals. The 2008 Canadian roll-out of Chip and PIN had a dramatic impact on fraud there. Card skimming had accounted for losses totaling $142 million, but that figure dropped to $38.5 million in 2009, according to figures provided by the Interac Association. Some critics point to the fact that most of this decrease comes in the form of face-to-face card fraud, and that criminals merely shift their focus onto some other area that is less anti-fraud focused. Still, there are positive gains, and as technologies improve, more successes are sure to follow.

Part of the reason why the U.S. has not embraced EMV sooner is that our fraud problem, while significant, has typically been among the lowest rates in the world among highly developed, economically mature countries. Much of that is due to the online authentication methods at work here. Here at home, our online authentication methodology permits authorizations to be done in real time, thus thwarting a significant percentage of the fraudulent attempts at the point of sale, the best place to stop fraud. Our online authentication methods also incorporate multiple fraud and risk parameters as well as advanced neural networks that are ‘built in’ to the approval process. It’s been a highly effective system that works well when compared to most alternatives. The effectiveness of our authentication processes has helped fuel the resistance to full EMV adoption here. However, the EMV migration has gained momentum to the point where it is only a matter of time. The truth is that, despite the gains in preventing credit card fraud, and despite the best efforts of EMV’s backers to push acceptance through, global adoption of the EMV standard is still considerably less than 100%.

In England’s old offline authentication method, credit card transactions were gathered together at specific times, typically at the end of the business day, and then batched over to the card issuers for authorization. It’s a method that gave those committing fraud a significant time lag between the transaction and the authorization, and this time lag contributed greatly to the higher levels of fraudulent activity in England. However, for Europe and for much of the rest of the world, adoption of the EMV technologies changes things dramatically, at least in terms of authentication protocols for both online and offline purchases. During an offline transaction using the EMV chip card, the payment terminal communicates with the integrated circuit chip (ICC) embedded in the payment card. This is a break from the old method, which involved using telecommunications to connect with the issuing bank. The ICC / terminal connection enables real-time card authentication, cardholder verification, and payment authorization offline. Alternatively, in an online EMV transaction, the chip generates a cryptogram that is authenticated by the card issuer in real time.
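The online EMV flow described above, as an added example that is not part of the original post and not any card scheme’s reference code: the issuer derives a per-card key from its master key and the PAN, the chip signs the transaction data (amount, currency, its own transaction counter and the terminal’s unpredictable number) with that key, and the issuer host recomputes the cryptogram in real time. HMAC-SHA256 stands in for the 3DES/AES-based MAC of real EMV, and the master key, PAN and amounts are constructed sample values; the point it shows is why data copied from a magnetic stripe cannot produce a valid cryptogram and why a captured cryptogram cannot be replayed.

```python
import hashlib
import hmac

# Constructed issuer master key (hypothetical value, not from any real issuer).
# Real EMV uses 3DES/AES session keys and an 8-byte MAC; HMAC-SHA256 stands in
# here so the example runs on the standard library alone.
ISSUER_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f" * 2)


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    """Key diversification: each card gets its own key derived from the issuer
    master key and the PAN. The chip carries only its own key, never the master."""
    return hmac.new(issuer_master_key, pan.encode(), hashlib.sha256).digest()


def _transaction_data(amount_cents, currency, atc, unpredictable_number) -> bytes:
    # The card's transaction counter (ATC) and the terminal's unpredictable number
    # are part of the signed data, binding the cryptogram to this one transaction.
    return f"{amount_cents}|{currency}|{atc}|{unpredictable_number}".encode()


def _cryptogram(card_key, amount_cents, currency, atc, unpredictable_number) -> bytes:
    data = _transaction_data(amount_cents, currency, atc, unpredictable_number)
    return hmac.new(card_key, data, hashlib.sha256).digest()[:8]


class ChipCard:
    """Genuine card: holds its derived key and a monotonically increasing ATC."""

    def __init__(self, pan, card_key):
        self.pan = pan
        self._key = card_key
        self.atc = 0

    def generate_arqc(self, amount_cents, currency, unpredictable_number):
        self.atc += 1
        return self.atc, _cryptogram(self._key, amount_cents, currency, self.atc, unpredictable_number)


class Issuer:
    """Online authorization host: recomputes the cryptogram and tracks the ATC per PAN."""

    def __init__(self, master_key):
        self._master_key = master_key
        self._last_atc = {}

    def authorize(self, pan, amount_cents, currency, atc, unpredictable_number, cryptogram):
        card_key = derive_card_key(self._master_key, pan)
        expected = _cryptogram(card_key, amount_cents, currency, atc, unpredictable_number)
        if not hmac.compare_digest(expected, cryptogram):
            return "DECLINE: cryptogram does not verify"
        if atc <= self._last_atc.get(pan, 0):
            return "DECLINE: transaction counter replayed"
        self._last_atc[pan] = atc
        return "APPROVE"


def demo():
    """Genuine transaction, a replay of it, and a counterfeit with copied PAN data."""
    pan = "4000000000000002"  # constructed sample PAN
    issuer = Issuer(ISSUER_MASTER_KEY)
    card = ChipCard(pan, derive_card_key(ISSUER_MASTER_KEY, pan))
    un = 0x1A2B3C4D  # terminal-generated unpredictable number (constructed)

    atc, arqc = card.generate_arqc(1999, "USD", un)
    genuine = issuer.authorize(pan, 1999, "USD", atc, un, arqc)
    replay = issuer.authorize(pan, 1999, "USD", atc, un, arqc)

    # A clone built from stolen stripe data knows the PAN but not the card key.
    clone = ChipCard(pan, b"\x00" * 32)
    atc2, fake_arqc = clone.generate_arqc(1999, "USD", un)
    counterfeit = issuer.authorize(pan, 1999, "USD", atc2, un, fake_arqc)
    return genuine, replay, counterfeit


if __name__ == "__main__":
    print(demo())
```

The issuer checks the cryptogram before the counter so that a counterfeit is reported as a key failure rather than a replay; in a production host both outcomes would feed the risk engine mentioned in the text.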

Posted in Electronic Payments, EMV EuroPay MasterCard Visa, Financial Services, Near Field Communication, Payment Card Industry PCI Security, Visa MasterCard American Express

November 15th, 2013 by Elma Jane

November 7, 2013 – The Payment Card Industry (PCI) Council’s recent acceptance of the world’s first Point-To-Point Encryption-validated solution is great news for both acquirers and merchants, and will aid in reducing merchant scope and increasing business security worldwide. If your P2PE know-how is a little spotty, here are the basics.

What is P2PE?

Point-To-Point Encryption (P2PE) is the combination of hardware and processes that encrypts customer credit/debit card data from the point of interaction until it reaches a merchant solution provider’s environment for processing. Because card data is immediately encrypted as the card is swiped (or dipped), it prevents clear-text information from residing on the payment environment. Encrypted card data is then transferred to, decrypted by, and processed through the solution provider processor who is the sole holder of the decryption key.

Many question the difference between P2PE and typical point of sale (POS) encryption. In a POS environment, merchants often store decryption keys on their backend servers. Bad idea. If a cybercriminal hacks into that environment, they not only have access to the encrypted card numbers, but the decryption key as well. Hacker jackpot.

The reason P2PE is arguably the most secure way to process is that merchants don’t have access to decryption keys. If a hacker breaches a merchant using a validated P2PE solution, he/she will only recover a long string of useless encrypted card numbers with no way to decode them.
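The key-separation point above, as an added example that is not part of the original post and not any vendor’s P2PE implementation: the reader encrypts the track data at the point of interaction, the merchant’s back end relays and logs the ciphertext without holding any key, and only the processor can decrypt. The keys, card data and the HMAC-SHA256 counter-mode keystream are constructed stand-ins (a validated solution uses DUKPT-managed keys in a PCI PTS device and an HSM at the processor); the final check shows what a breach of the merchant environment would yield.

```python
import hashlib
import hmac
import json
import os

# Constructed keys shared only between the secure reader and the processor.
# They are hypothetical values; the merchant code below never references them.
ENC_KEY = hashlib.sha256(b"constructed-p2pe-encryption-key").digest()
MAC_KEY = hashlib.sha256(b"constructed-p2pe-mac-key").digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream built from an HMAC PRF (stand-in for AES/3DES).
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Terminal:
    """Point of interaction: encrypts track data the moment the card is swiped or dipped."""

    def read_card(self, pan: str, expiry: str) -> dict:
        nonce = os.urandom(16)
        plaintext = f"{pan}|{expiry}".encode()
        ciphertext = _xor(plaintext, _keystream(ENC_KEY, nonce, len(plaintext)))
        tag = hmac.new(MAC_KEY, nonce + ciphertext, hashlib.sha256).digest()
        # Only the last four digits leave the reader in clear text, for the receipt.
        return {"nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex(), "last4": pan[-4:]}


class MerchantSystem:
    """Merchant POS back end: holds no key, only relays the blob and keeps a log."""

    def __init__(self):
        self.log = []

    def submit(self, blob: dict, processor: "Processor") -> dict:
        self.log.append(blob)
        return processor.process(blob)


class Processor:
    """Sole holder of the decryption key; decrypts inside its own environment."""

    def process(self, blob: dict) -> dict:
        nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("nonce", "ct", "tag"))
        expected = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return {"status": "REJECTED", "reason": "integrity check failed"}
        pan, expiry = _xor(ct, _keystream(ENC_KEY, nonce, len(ct))).decode().split("|")
        # The clear PAN is forwarded to the acquiring network here; only a masked
        # form goes back to the merchant.
        return {"status": "APPROVED", "masked_pan": "*" * (len(pan) - 4) + pan[-4:]}


def merchant_log_contains(merchant: MerchantSystem, secret: str) -> bool:
    """What an attacker who copies the merchant's whole log would find."""
    return secret in json.dumps(merchant.log)


def demo():
    pan, expiry = "4000000000000002", "1216"  # constructed sample card
    merchant, processor = MerchantSystem(), Processor()
    result = merchant.submit(Terminal().read_card(pan, expiry), processor)

    # Flip one ciphertext bit in transit: the processor must refuse it.
    tampered = dict(merchant.log[0])
    ct = bytearray(bytes.fromhex(tampered["ct"]))
    ct[0] ^= 0x01
    tampered["ct"] = ct.hex()
    rejected = processor.process(tampered)

    return result, rejected, merchant_log_contains(merchant, pan)


if __name__ == "__main__":
    print(demo())
```

The merchant class intentionally has no access to `ENC_KEY` or `MAC_KEY`; the scope reduction the post describes rests on that separation, not on the cipher chosen.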

Why use P2PE?

Basically, P2PE increases data security and has the ability to make a merchant’s job of reaching PCI compliance easier. The main point of using a P2PE-validated solution is to significantly lessen the scope of security efforts through PCI Data Security Standard (DSS) requirement and P2PE Self-Assessment Questionnaire (SAQ) reduction. Compared to the 80+ questions required of mainstream merchant SAQs, the P2PE-HW SAQ only requires merchants to answer 18 questions.

Are all P2PE solutions created equal?

The answer is no. Many P2PE solution vendors claim their solution reduces scope, but in order for a merchant to qualify, they must select only P2PE-validated solutions listed on the PCI Council’s website.

To get P2PE solutions and applications listed on the approved website, solution provider processors must go through a rigorous testing process performed by a qualified P2PE Qualified Security Assessor (QSA). P2PE QSAs help entities through the 210-page document of P2PE requirements, testing procedures, and controls required to keep cardholder data secure, a task which only a few companies in the world can do.

As of this post, the only P2PE hardware solution approved by the PCI Council is European Payment Services’ (EPS) Total Care P2PE solution, validated by P2PE QSA SecurityMetrics. A number of other P2PE solutions are currently undergoing the review process and will be added to the list once approved.

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Security, Electronic Payments, Merchant Services Account, Payment Card Industry PCI Security, Point of Sale, Visa MasterCard American Express

November 14th, 2013 by Elma Jane

Verifi, a Los Angeles-based company providing antifraud and risk-management services, recently secured a patent for its dispute-resolution technology, which enables merchants to avoid chargebacks by turning them into refunds earlier in the process. According to the patent abstract, the patent covers “receiving, at the partner platform, an inquiry/dispute event notification,” and “refunding the transaction or canceling future or recurring charges associated with the transaction.”

Verifi noted in the patent application that consumers are increasingly contacting their issuing bank first in the case of a disputed credit or debit card charge, cutting the merchant out until later in the process. The patent in question, in addition to streamlining the process for issuers engaged in the dispute process, helps recurring merchants by removing cardholders from the recurring payment program during the resolution process so additional charges will not come into question until the original dispute is settled.

Posted in Best Practices for Merchants, Credit card Processing, Payment Card Industry PCI Security

October 31st, 2013 by Elma Jane

Ingenico Biometric Credit Card Terminal with EMV Chip and PIN Processing NFC.

Ingenico’s new biometric payment device (the iWB 220) is to be used in a pioneering project, to bring financial support to low-income families.

Payment solutions provider Ingenico is to deploy its biometric solution in Colombia and the Dominican Republic, together with Carvajal Tecnología y Servicios, a player in the electronic payment industry in Latin America.

This biometric point of sale solution complies with the Image Quality Specifications for single-finger capture devices defined by the FBI, the United States Federal Bureau of Investigation.

In addition to high security standards, the solution is a mobile device with an embedded magstripe reader as well as Chip & PIN readers.

Upon government approval for each of the applications, funds will be sent to the banks and through the use of these unique devices, beneficiaries can withdraw their funds, with the use of a fingertip. Approved family members are the only ones able to withdraw the funds, and the government is assured that the benefit is being paid to the right person.

Posted in Credit Card Reader Terminal, Credit Card Security, Electronic Payments, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security

October 31st, 2013 by Elma Jane

While credit card processors and retailers have made strides to combat credit card fraud, it is still rampant across the U.S. In fact, credit card fraud jumped 17 percent between January 2011 and September 2012, according to the most recent data from the FICO Falcon Fraud Manager Consortium.

Debit cards obviously have better safeguard measures in place, since debit card fraud rose less than 1 percent between January 2011 and September 2012. Plus, the average fraud loss per compromised account fell by 3 percent.

Card-not-present (CNP) fraud is the biggest challenge by far, accounting for 47 percent of all credit card fraud. CNP fraud, which includes payments via the internet, mail and phone, grew 25 percent over the two-year period. So that is where the problems with credit cards lie.

Unfortunately, CNP fraud may get worse before it gets better, according to FICO’s Banking Analytics Blog: “This problem may even intensify as the US moves away from magnetic stripe and toward EMV [chip] card technology. In other countries adopting chip-based authentication technology, we’ve seen counterfeit fraud decline, but as a counterbalance, fraudsters often ramp up efforts around CNP fraud.”

However, there was a glimmer of light in the credit card fraud fiasco. While card fraud attempts rose, the average loss per compromised account dropped 10 percent. Plus, the ratio of fraud to non-fraud spending remained constant. “In other words, the volume of card fraud increased proportionally to the volume of consumer credit card spending.”

Even though many retailers have implemented successful fraud prevention programs, Visa provides retailers with the warning signs for CNP fraud, including:

Multiple cards used from a single IP address.
Orders made up of “big ticket” items.
Orders that include several of the same item.
Shipping to an international address.
Transactions with similar account numbers.
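The warning signs above turned into order-screening rules, as an added example that is not part of the original post and not Visa’s or FICO’s own tooling. The orders, IP addresses and card numbers are constructed sample data; the thresholds (what counts as “big ticket”, how many identical items is “several”, and treating PANs that share their first 12 digits as “similar account numbers”) are assumptions a merchant would tune to its own order history.

```python
from collections import defaultdict

# Constructed sample orders (hypothetical values; no real card numbers or customers).
# Three orders arrive from one IP address using cards whose numbers differ only in
# the last digits; the fourth is an ordinary order.
SAMPLE_ORDERS = [
    {"id": 1, "ip": "203.0.113.5", "pan": "4000000000000010",
     "items": [("laptop", 1)], "total": 1899.00, "ship_country": "US"},
    {"id": 2, "ip": "203.0.113.5", "pan": "4000000000000028",
     "items": [("laptop", 1)], "total": 1899.00, "ship_country": "US"},
    {"id": 3, "ip": "203.0.113.5", "pan": "4000000000000036",
     "items": [("headphones", 6)], "total": 540.00, "ship_country": "RO"},
    {"id": 4, "ip": "198.51.100.7", "pan": "5100000000000011",
     "items": [("mug", 1)], "total": 12.00, "ship_country": "US"},
]


def flag_orders(orders, big_ticket=1000.0, same_item_threshold=3,
                home_country="US", similar_prefix_len=12):
    """Return {order_id: [reasons]} for every order, applying the five warning signs.

    The first and last signs depend on other orders in the batch, so the batch is
    indexed first; the thresholds are assumed values, not published Visa figures.
    """
    cards_per_ip = defaultdict(set)
    pans_per_prefix = defaultdict(set)
    for order in orders:
        cards_per_ip[order["ip"]].add(order["pan"])
        pans_per_prefix[order["pan"][:similar_prefix_len]].add(order["pan"])

    flags = {}
    for order in orders:
        reasons = []
        if len(cards_per_ip[order["ip"]]) > 1:
            reasons.append("multiple cards from one IP address")
        if order["total"] >= big_ticket:
            reasons.append("big-ticket order")
        if any(qty >= same_item_threshold for _, qty in order["items"]):
            reasons.append("several of the same item")
        if order["ship_country"] != home_country:
            reasons.append("international shipping address")
        if len(pans_per_prefix[order["pan"][:similar_prefix_len]]) > 1:
            reasons.append("similar account numbers in batch")
        flags[order["id"]] = reasons
    return flags


def review_queue(orders, min_flags=2, **kwargs):
    """Order ids that trip at least min_flags signs and should be held for manual review."""
    return sorted(oid for oid, reasons in flag_orders(orders, **kwargs).items()
                  if len(reasons) >= min_flags)


if __name__ == "__main__":
    for oid, reasons in flag_orders(SAMPLE_ORDERS).items():
        print(oid, reasons or "clean")
    print("hold for review:", review_queue(SAMPLE_ORDERS))
```

None of the signs is conclusive on its own (plenty of honest customers ship abroad or buy one expensive item), which is why the queue function requires more than one before holding an order.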

Posted in Digital Wallet Privacy, EMV EuroPay MasterCard Visa, Mail Order Telephone Order, Payment Card Industry PCI Security