PCI COMPLIANCE
September 21st, 2016 by Elma Jane

PCI compliance applies to any company, organization or merchant of any size or transaction volume that either accepts, stores or transmits cardholder data.

Any merchant accepting payments directly from the customer via credit or debit card must be compliant. The merchants themselves are therefore responsible for becoming compliant as the merchant's deadline becomes overdue.

Understanding the details of Payment Card Industry compliance can help you better prepare your business, because failing to become compliant, waiting to do so, or ignoring the requirements could end up being an expensive mistake.

Under the Visa regulations, merchants have to adhere to the PCI standard as part of the operating regulations. These are the regulations signed when you open an account at the bank: the rules under which merchants are allowed to operate merchant accounts.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.

Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security, Visa MasterCard American Express

EMV
December 18th, 2015 by Elma Jane

A leading provider of mobile point of sale and mobile payment technology, published today the EMV Migration Tracker.

Many merchants have deployed EMV capable terminals while cardholders have received cards with EMV chips, but not much data has been published about the real world use of EMV chip card technology in the U.S. Most published statistics rely on surveys or forecasts rather than real transactional data.

The EMV Migration Tracker shows new data and insights since the October 1 liability shift, including:

  • Over 50% of all cards in use now have EMV chips on them. From October to November, the percent grew 5% as banks and card issuers accelerated their rollout of new chip cards.
  • Over 83% of American Express cards have EMV chips, while Discover lags at 40%
  • Over 63% of the cards used in Hawaii have EMV chips, but Mississippi sees just 11% penetration of chip cards.

While EMV chip card technology was implemented in Europe years ago, the rollout of EMV in the U.S. is just beginning. The rollout came earlier this year with the October 1 liability shift in card-present transactions, meaning that merchants who have not upgraded their POS systems can become liable for counterfeit card fraud losses that occur at their stores. This is an early step in an ongoing process that the Payments Security Task Force predicts will lead to 98 percent of U.S. credit and debit cards containing EMV chips by the end of 2017.

http://www.finextra.com/news/announcement.aspx?pressreleaseid=62506

Posted in Best Practices for Merchants

Risk
October 9th, 2015 by Elma Jane

Credit card fraud is much more difficult to prevent in a card-not-present transaction. In a face-to-face setting the merchant can inspect the card to ensure that it is valid and can verify that the cardholder is an authorized user on the account. None of these actions can be performed when the payment is submitted online or accepted by phone. As we move toward adopting EMV technology, the majority of fraud is going to migrate away from counterfeit and stolen cards toward card-not-present transactions, as happened in other countries.

A combination of best practices and fraud prevention tools can provide card-not-present merchants with strong fraud prevention capabilities.

Steps to avoid fraud and protect your business for a card-not-present transaction:

  • Email Verification: Send a message to the email address provided by the customer requesting that the customer verify the email address is correct, so you can ensure that the email is associated with the other information provided.
  • Maintain PCI Compliance: All merchants accepting card payments are now required to be compliant with the requirements of the PCI DSS (Payment Card Industry Data Security Standard), which sets the rules for data security management, policies, procedures, network architecture, software design and other protective measures.
  • Security Code Verification: Request the three-digit security code on the back of Visa (CVV2), MasterCard (CVC 2) and Discover (CID) cards, and the 4-digit number located on the front of American Express (CID) cards. Card security codes help verify that the customer is in physical possession of a valid card during a card-not-present transaction.
  • Use an Address Verification Service (AVS): AVS enables you to compare the billing address provided by your customer with the billing address on the card issuer’s file before processing a transaction. AVS is good protection against card information obtained through means like phishing and malware, because a fraudster might not know the billing address.
  • Use 3D Secure Service: MasterCard and Verified by Visa enable cardholders to authenticate themselves to their card issuers through the use of personal passwords they create when they register their cards with the programs. The liability for any fraudulent charges through the 3D service is picked up by the issuer, not the merchant.
  • Verify the Phone Number and Transaction Information: Prior to shipping your products, call the phone number provided by the customer and verify the transaction information. Criminals may be unable to verify such information because, in their haste to max out the credit line before the fraud is discovered, they often order at random and do not keep records.

Posted in Best Practices for Merchants, e-commerce & m-commerce, Mail Order Telephone Order, Payment Card Industry PCI Security, Travel Agency Agents

October 23rd, 2014 by Elma Jane

The U.S. government will replace roughly 9 million government-issued payment cards with EMV chip-and-PIN versions early next year in a push to increase awareness and use of the more secure cards. Between 5 and 6 million prepaid debit cards used for issuing government payments, including Social Security and veterans benefits, will be reissued in January 2015. Another 3 million cards issued to federal government employees will also be replaced with EMV versions through the General Services Administration’s SmartPay program.

All the cards will be set up for Chip and PIN security as a U.S. government standard under the upgrade program, rather than the Chip and Signature approach required by Visa and MasterCard for most U.S. retailers starting late next year. However, there was no indication that the new cards will actually have the less secure magnetic data stripe removed.

Finding the right answers with the latest technologies to stop these cyber thieves and taking proactive and positive steps by adopting PIN and chip technology for government-issued debit and credit cards shows the importance of protecting financial transactions. While EMV is important, it’s not a total solution to the issue of data security.

POS devices at all federal agencies that accept retail payments will also be converted to accept EMV cards on a schedule set by the U.S. Treasury Dept. No timetable was given for the federal POS conversion.

The rollouts at four of the six largest U.S. retail chains will give a boost to EMV, which despite an October 2015 deadline has seen slow uptake among retailers. Under a mandate by Visa and MasterCard, retailers who experience credit or debit card fraud after next October but haven’t upgraded their POS equipment to accept EMV cards will be liable for the loss. If the bank that issued the card hasn’t upgraded it to EMV, the bank will take the loss.

But despite that October deadline, fewer than half of retailers’ POS terminals are expected to be able to accept EMV cards by the end of 2015, and barely half of U.S. payment cards will have been upgraded by then, according to the Payments Security Task Force, a banking industry group tracking EMV uptake.

The 9 million federally issued cards are a tiny fraction of the 1 billion credit and debit cards in use in the U.S., so the overall impact of accelerated EMV conversion is likely to be small. However, the Buy Secure initiative also explicitly includes a consumer-education component. Visa said it will spend $20 million in a public service campaign, and American Express said it will launch a $10 million program to help small merchants upgrade their POS terminals.

Small merchants are less likely to know about EMV than large retail chains, which have been making implementation plans for years.

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security

September 24th, 2014 by Elma Jane

The CVV Number (Card Verification Value) on your credit card or debit card is a 3 digit number on VISA, MasterCard and Discover branded credit and debit cards. On your American Express branded credit or debit card it is a 4 digit numeric code.

The codes have different names:

  • American Express – CID or unique card code
  • Debit Card – CSC or card security code
  • Discover – card identification number (CID)
  • MasterCard – card validation code (CVC2)
  • Visa – card verification value (CVV2)

CVV numbers are NOT your card’s secret PIN (Personal Identification Number).

You should never enter your PIN number when asked to provide your CVV. (PIN numbers allow you to use your credit or debit card at an ATM or when making an in-person purchase with your debit card or a cash advance with any credit card.)

Types of security codes:

CVC1 or CVV1 is encoded on track-2 of the magnetic stripe of the card and used for card-present transactions. The purpose of the code is to verify that a payment card is actually in the hand of the merchant. This code is automatically retrieved when the magnetic stripe of a card is swiped on a point-of-sale (card-present) device and is verified by the issuer. A limitation is that if the entire card has been duplicated and the magnetic stripe copied, then the code is still valid.

The most cited is CVV2 or CVC2. This code is often sought by merchants for card-not-present transactions occurring by mail or fax or over the telephone or Internet. In some countries in Western Europe, card issuers require a merchant to obtain the code when the cardholder is not present in person.

Contactless cards and chip cards may supply their own codes generated electronically, such as iCVV or Dynamic CVV.

Code Location:

The card security code is typically the last three or four digits printed, not embossed like the card number, on the signature strip on the back of the card. On American Express cards, the card security code is the four digits printed (not embossed) on the front towards the right. The card security code is not encoded on the magnetic stripe but is printed flat.

American Express cards have a four-digit code printed on the front side of the card above the number.

MasterCard, Visa, Diners Club, Discover, and JCB credit and debit cards have a three-digit card security code. The code is the final group of numbers printed on the back signature panel of the card.

New North American MasterCard and Visa cards feature the code in a separate panel to the right of the signature strip. This has been done to prevent overwriting of the numbers by signing the card.

Benefits when it comes to security:

As a security measure, merchants who require the CVV2 for card-not-present payment card transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized and completed. This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. Virtual Terminals and payment gateways do not store the CVV2 code; therefore, employees and customer service representatives with access to these web-based payment interfaces, who otherwise have access to complete card numbers, expiration dates, and other information, still lack the CVV2 code.

The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other sensitive authorization data) post transaction authorization. This applies globally to anyone who stores, processes or transmits cardholder data. Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America require the code. For American Express cards, this has been an invariable practice (for card-not-present transactions) in European Union (EU) states like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a fraudulent merchant or employee cannot simply capture the magnetic stripe details of a card and use them later for card-not-present purchases over the phone, mail order or Internet. To do this, a merchant or its employee would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder’s suspicion.

Supplying the CSC code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.
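The storage rule described above can be enforced in the code path that handles authorization. The following is an added example, not code from the original post: the record layout, field names and `fake_gateway` are hypothetical, and the card number is a constructed test value.

```python
import re

# Security code length per brand, as stated in the post above.
CSC_LENGTH = {"visa": 3, "mastercard": 3, "discover": 3, "amex": 4}

# Hypothetical field names under which a security code might end up in a record.
SENSITIVE_FIELDS = {"csc", "cvv", "cvv2", "cvc2", "cid"}


def valid_csc(brand, csc):
    """True if csc is all digits and has the length expected for the brand."""
    length = CSC_LENGTH.get(brand.lower())
    return length is not None and re.fullmatch(r"[0-9]{%d}" % length, csc) is not None


def mask_pan(pan):
    """Keep only the last four digits of the card number."""
    digits = re.sub(r"\D", "", pan)
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_for_storage(request, response):
    """Build the record that may be persisted once authorization has completed."""
    record = {k: v for k, v in request.items() if k.lower() not in SENSITIVE_FIELDS}
    record["pan"] = mask_pan(request["pan"])
    record["approved"] = response["approved"]
    record["auth_code"] = response.get("auth_code")
    return record


def authorize(request, gateway):
    """Use the security code for this one authorization, then drop it."""
    if not valid_csc(request["brand"], request["csc"]):
        raise ValueError("security code length does not match card brand")
    response = gateway(request)  # the code travels to the gateway, in memory only
    return scrub_for_storage(request, response)


def find_stored_csc(records):
    """Audit helper: indexes of stored records that still carry a security code."""
    return [i for i, r in enumerate(records)
            if SENSITIVE_FIELDS & {k.lower() for k in r}]


def fake_gateway(request):
    """Stand-in for a payment gateway; approves the constructed test code 123."""
    return {"approved": request["csc"] == "123", "auth_code": "A1B2C3"}


if __name__ == "__main__":
    # Constructed sample request using a well-known test card number.
    request = {"brand": "visa", "pan": "4111 1111 1111 1111",
               "expiry": "12/30", "csc": "123", "amount_cents": 1999}
    stored = authorize(request, fake_gateway)
    print(stored)                              # no security code, masked number
    print(find_stored_csc([stored, request]))  # flags only the raw request
```

Running `find_stored_csc` over existing transaction tables or log exports is a quick way to check whether a code is being retained somewhere after authorization.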

 

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Point of Sale, Visa MasterCard American Express

June 16th, 2014 by Elma Jane

Credit card companies are racing against tech giants like Apple and Google to create what would thin our wallets forever. The race, which started to replace paper with plastic, is now entering a new phase of combining our cell phones and credit cards. Credit card giant American Express is working on developing a next generation app, which would let consumers shop using their virtual credit cards just like virtual boarding passes on an iPhone Passbook. Amex doesn’t stand alone in the race. Google, Square and Apple are some of the many companies in Silicon Valley that are working on taking the leap. While Google Wallet and PayPal are some of the available products providing customers with a virtual wallet experience, the credit card companies still continue to benefit from being the point of sale for these products. This puts Amex in a unique position, as it doesn’t have to struggle to become the card customers choose to use. Amex is just a jump away from moving from customers’ wallets to their cellphones.

Posted in Best Practices for Merchants, Visa MasterCard American Express

June 9th, 2014 by Elma Jane

Some American banks and financial institutions, like JPMorgan Chase, American Express and Citi, have already issued credit cards with new security technology. Other banks will do so by the end of the year. Often referred to as E.M.V. (short for Europay, MasterCard and Visa) or chip-and-PIN, these new cards use a combination of an embedded microchip and a personal numeric code to authorize payment transactions. Depending on the card issuer, some cards may have the chip but require just the old-fashioned signature instead of a PIN.

Most traditional credit cards in the United States today use a magnetic stripe and a customer signature to seal a deal. The information embedded in the stripe can be easily cloned, however, and signatures can be forged. The chips in the newer E.M.V. cards, which encode account information when transferring it to the merchant, are harder to duplicate. The PIN must be entered for each charge, which helps make the cards more secure for in-person purchases. The cards are not infallible, though: criminals have still found ways to steal PINs and make fraudulent online purchases.

With new types of credit cards come new payment terminals, and many retailers must upgrade their equipment to make it compatible with E.M.V. cards. Instead of a slot to swipe the strip, the new credit card terminals typically need a chip reader. Most merchants will probably have the new equipment in place by October 2015, when new rules about fraud liability kick in. Under these rules, the bank or the merchant could be held accountable for any fraudulent charges if one of them has not upgraded to the new system. The party with the weaker security measures must pay.

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Reader Terminal, Credit Card Security, EMV EuroPay MasterCard Visa, Visa MasterCard American Express

May 13th, 2014 by Elma Jane

Walmart US says: “After listening to customers complain about the high fees and confusion associated with transferring money, we knew there had to be a solution. Walmart-2-Walmart brings new competition and transparent, everyday low prices to a market that has become complicated and costly for customers.”

Walmart is taking on Western Union and MoneyGram through the launch of a low-fee store-to-store money transfer service. The retail giant has teamed up with Euronet Worldwide subsidiary Ria on the Walmart-2-Walmart service, which will enable customers to transfer money to and from more than 4000 stores when it launches next week. The partners say that their service is far cheaper than rivals, with just two pricing tiers: customers pay $4.50 for transferring up to $50 and $9.50 for sending up to $900. Walmart argues that its service will particularly benefit the tens of millions of America’s underbanked. The retailer has long had its sights on this market, teaming up with American Express in 2012 to launch Bluebird, a mobile-heavy alternative to bank debit and current accounts.

 

Posted in Best Practices for Merchants, Financial Services

February 18th, 2014 by Elma Jane

Payment Tokenization Standards

Tokenization is the process of replacing a traditional card account number with a unique payment token that is restricted in how it can be used with a specific device, merchant, transaction type or channel. When using tokenization, merchants and digital wallet operators do not need to store card account numbers; instead they are able to store payment tokens that can only be used for their designated purpose. The tokenization process happens in the background in a manner that is expected to be invisible to the consumer.
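The usage restriction described above can be shown with a small token service. This is an added example, not code from the original post or from any EMVCo specification: `TokenVault`, `charge_with_token`, the merchant identifiers and the channel names are hypothetical, and the card number is a constructed test value.

```python
import secrets


class TokenVault:
    """Toy token service: maps random tokens to a card number plus its usage domain."""

    def __init__(self):
        self._entries = {}

    def tokenize(self, pan, merchant_id, channel):
        # The token is random, so it reveals nothing about the card number.
        token = "tok_" + secrets.token_hex(16)
        self._entries[token] = {
            "pan": pan, "merchant_id": merchant_id, "channel": channel,
        }
        return token

    def detokenize(self, token, merchant_id, channel):
        entry = self._entries.get(token)
        if entry is None:
            raise KeyError("unknown token")
        # A token is only honoured for the merchant and channel it was issued for.
        if (entry["merchant_id"], entry["channel"]) != (merchant_id, channel):
            raise PermissionError("token used outside its designated merchant/channel")
        return entry["pan"]


def charge_with_token(vault, token, merchant_id, channel, amount_cents):
    """Processor-side step: resolve the token only if its restrictions are met."""
    try:
        pan = vault.detokenize(token, merchant_id, channel)
    except (KeyError, PermissionError) as exc:
        return {"approved": False, "reason": exc.args[0]}
    return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"  # constructed test card number
    # The merchant stores only this token, never the card number itself.
    token = vault.tokenize(pan, "merchant-A", "ecommerce")
    print(charge_with_token(vault, token, "merchant-A", "ecommerce", 2500))
    # The same token replayed by another merchant, or on another channel, fails.
    print(charge_with_token(vault, token, "merchant-B", "ecommerce", 2500))
    print(charge_with_token(vault, token, "merchant-A", "in_app", 2500))
```

A token copied out of one merchant's database is therefore of no use at another merchant or on another channel, which is the property the paragraph above describes.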

EMVCo – which is collectively owned by American Express, Discover, JCB, MasterCard, UnionPay and Visa – has announced that it is expanding its scope to lead the payments industry’s work to standardize payment tokenization. EMVCo says that the new specification will help provide the payments community with a consistent, secure and interoperable environment to make digital payments when using a mobile handset, tablet, personal computer or other smart device.

Key elements of EMVCo’s work include adding new data fields to provide richer industry information about the transaction, which will improve transaction efficiency and enhance the consumer and merchant payment experience by helping to prevent fraudulent card account use. EMVCo will also create a consistent approach to identify and verify the valid use of a token during payment processing including authorization, capture, clearing and settlement.

EMVCo’s announcement follows an earlier joint announcement from MasterCard, Visa and American Express that proposed an initial framework for industry collaboration to standardize payment tokenization. EMVCo says it will now build on this framework with collective input from all of its members and the industry as a whole.

Posted in Credit card Processing, Credit Card Reader Terminal, Credit Card Security, Digital Wallet Privacy, Electronic Payments, Financial Services, Payment Card Industry PCI Security, Visa MasterCard American Express

December 30th, 2013 by Elma Jane

Earlier this year, American Express offered its cardholders free permanent membership in ShopRunner, a service that gives its members free, two-day shipping at several retail sites. Similarly, PayPal recently tested two-day free shipping offers with a few retailers, whereby shoppers could get free, two-day shipping without an annual fee if they simply checked out using PayPal. The offer had no minimum purchase requirement. Now, global payment firm MasterCard has announced that its customers will receive free, two-day shipping from five of the Internet’s leading retailers. MasterCard also offered a premium service that extends the free, two-day shipping offer to other online merchants. MasterCard joins American Express and PayPal in offering customers free, two-day shipping options at select online retailers.

Collectively ShopRunner, PayPal’s offer, and MasterCard’s recent move may be part of what some in the retail industry are calling the Amazon Prime effect, which is a trend to faster, free shipping services driven in part by Amazon’s Prime service. These offers are changing customer expectations, so that merchants, regardless of size, may need to change free shipping offers to reflect the two-day service available from Amazon Prime, ShopRunner, and now MasterCard.

MasterCard Offer Aims at Large Retailers

To take advantage of the MasterCard offer, shoppers must register at a special MasterCard site, sign in and shop from the site, select two-day shipping at checkout and of course, pay with a MasterCard. Customers will have to pay for the two-day shipping upfront and email the order confirmation to MasterCard to be reimbursed.

Regular online shoppers may purchase an annual subscription for $69.99, extending the free, two-day shipping to about 30 larger retailers, including Nordstrom, J. C. Penney, Home Depot, and GameStop. The premium annual subscription also raises the maximum limit from $500 for six months to $1,500 per year.

The “Free Shipping by MasterCard” offer features five of the retail industry’s best known merchants: Best Buy, QVC, Macy’s, Kohl’s, and Walmart. Online purchases made from these sellers can earn free shipping up to $20 per purchase and $500 maximum over a six-month period.

Implications for Small, Mid-sized Ecommerce Merchants

Free shipping is now, or at least is becoming, a key to online ecommerce success. As an example, Forrester Research’s U.S. Online Holiday Retail Forecast 2013, which was released on November 25, found that many online shoppers will leave a site and not buy anything if there is not a free shipping offer available.

Customers may look at shipping as an extra cost or even a waste of money, which is different from how they calculate the gas and inconvenience of going to a store or mall. Even offering free shipping with a minimum purchase can make customers feel better about the checkout process.

Where MasterCard’s offer is different is that it is increasing the expectation around how long a package should take to arrive, and, perhaps, changing how sellers need to think about free shipping.

When an ecommerce retailer purchases pay-per-click advertising, invests in email marketing, buys banner ads, or even prints a brochure or catalog to include in the shipping box, that retailer is investing to acquire or keep customers.

When it comes to accounting for these marketing investments, pay-per-click advertising, as an example, is often taken as part of marketing expenses generally and not attributed directly to a single transaction. For this reason, it is possible that merchants are losing money on some particular orders because of the advertising and promotional expenses associated with those particular orders, but making a profit overall thanks to spreading out marketing costs over all orders and generally increasing the total number of orders and reorders.

Ecommerce businesses may need to start thinking about shipping costs, even two-day shipping costs, in a similar way, not necessarily associating these costs with individual orders, but looking at the business as a whole to see if the free shipping offers are increasing profitability or market share company wide.

New Opportunity for Payment Providers

Free, two-day shipping offers also represent an opportunity for payment companies, like MasterCard, since these free shipping offers could give a particular payment service a competitive advantage. After all, most shoppers will choose the payment card or payment option that provides free shipping over other payment choices.

For the most part, PayPal, American Express via ShopRunner, and now MasterCard are focusing on large retailers, but there may be another opportunity with small and mid-sized online merchants.

Posted in Credit card Processing, e-commerce & m-commerce, Electronic Payments, Point of Sale, Visa MasterCard American Express