September 15th, 2016 by Elma Jane

 

Storing credit card data for recurring billing is discouraged.

But many feel that storing it is necessary in order to facilitate recurring payments.

Using a third party vault provider to store credit card data for recurring billing is the best way.

It helps reduce or eliminate the need for electronically stored cardholder data while still maintaining current business processes.

For recurring billing, a token can be used by utilizing a vault. The risk is removed from your possession.

Modern payment gateways allow card tokenization.

Any business that stores data needs to review and follow PCI DSS requirements in order for the electronic storage of cardholder data to be PCI compliant.

Appropriate encryption will be applied to the primary account number. In this situation, the numbers in the electronic file should be encrypted at the column level, file level or disk level.

 

Posted in Best Practices for Merchants, Credit Card Security

May 19th, 2015 by Elma Jane

We’re now nearly midway through 2015, and payment security still remains a topic that stirs up great concern and confusion. While there is seemingly unanimous agreement on the need for heightened security, there’s uncertainty about those who are tasked with actually implementing it. Let’s dig deeper into EMV, P2PE and tokenization: how each will play a part in the next generation of securing payments, and how, without properly working together, they might just fall short.

 

 

Europay, MasterCard, and Visa (EMV) – A powerful guard against credit card skimming. EMV also uses cryptography to create dynamic data for every transaction and relies on an integrated chip embedded into the card.

Downside: For Independent Software Vendors (ISVs), the biggest downside of EMV is the complexity of creating an EMV solution. ISVs interested in certifying PINpads with a few processors face up to 22 months of costly work, and because there are a large number of pending certifications, processors will be backed up over the next few years.

It’s not impossible for an ISV to build EMV solutions in-house, but it’s difficult and unnecessary when there are plug-and-play EMV solutions available. These solutions include pre-packaged and pre-certified APIs that remove most of the need for research, the complexity and the burden of time and cost.

Point to Point Encryption (P2PE) – Secures devices, apps and processes from the earliest point of the transaction by encrypting data with cryptographic keys known only to the payment company or gateway. This protects against tech-savvy criminals who jump at the chance to intercept POS systems and scrape the memory of Windows machines.

How does a key get into a card reader? Through an algorithm called derived unique key per transaction (DUKPT), or “duck putt.” DUKPT generates a base key that’s shared securely with device manufacturers, and the output cardholder data is rendered differently each time a card is swiped, making it impossible to reverse engineer the card data. P2PE benefits not only the cardholders, but also the ISVs and merchants. PA-DSS certification was designed to address the problems created by cardholder data that is not encrypted.

Downside: P2PE isn’t cheap if an organization wants to do it in-house. The secure cryptographic device needed to manage the keys, Hardware Security Module (HSM), can cost $30-40,000 but when it’s built out, that total cost can jump to $100,000.

Tokenization – The best way to protect cardholder data when it’s stored is tokenization, a process which the PCI Security Standards Council describes as one where the primary account number is replaced with a surrogate value, a token. For merchants dealing with recurring billing, future payments, loyalty programs and more, tokenization is critical.

Downside: Tokenization doesn’t prevent malware that’s remotely installed on POS devices. It’s possible, as seen with recent retail card breaches, for data to be stolen before it is tokenized. That’s why it’s essential to group tokenization together with P2PE and EMV to offer optimal security.
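As an added example (not code from the original post or from any vault provider), the sketch below models the arrangement described above: a vault replaces the primary account number with a random surrogate token, the merchant bills recurring payments with the token alone, and a discovery scan confirms that the merchant's records no longer hold a card number. `TokenVault`, `enroll`, `bill_all` and `find_pans` are hypothetical names, and the card numbers are well-known test numbers used as constructed sample data.

```python
import re
import secrets
import string

def luhn_ok(number: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Hypothetical stand-in for the third-party vault; only it ever holds PANs."""
    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        if pan not in self._token_by_pan:
            # Random letters: the token is not derived from the PAN, so it
            # cannot be reversed, and it can never look like a card number.
            token = "tok_" + "".join(secrets.choice(string.ascii_lowercase) for _ in range(24))
            self._token_by_pan[pan] = token
            self._pan_by_token[token] = pan
        return self._token_by_pan[pan]

    def charge(self, token: str, amount_cents: int) -> dict:
        pan = self._pan_by_token.get(token)
        if pan is None:
            return {"status": "declined", "reason": "unknown token"}
        # A real vault would send the PAN to the processor here.
        return {"status": "approved", "last4": pan[-4:], "amount_cents": amount_cents}

def enroll(vault, customer, pan):
    """Merchant-side enrollment: keep the token and last four digits, drop the PAN."""
    token = vault.tokenize(pan)
    return {"customer": customer, "card_token": token, "last4": pan.replace(" ", "")[-4:]}

def bill_all(vault, subscriptions, amount_cents):
    """Recurring billing run that uses only tokens."""
    return [vault.charge(s["card_token"], amount_cents)["status"] for s in subscriptions]

def find_pans(records):
    """Discovery scan: report (row, field) for every Luhn-valid 13-19 digit run."""
    hits = []
    for row, record in enumerate(records):
        for field, value in record.items():
            for run in re.findall(r"(?<!\d)\d{13,19}(?!\d)", str(value).replace(" ", "")):
                if luhn_ok(run):
                    hits.append((row, field))
    return hits

# Constructed sample data (well-known test card numbers, not real accounts).
LEGACY_DB = [{"customer": "alice", "card": "4111 1111 1111 1111"},
             {"customer": "bob", "card": "5555555555554444"}]
VAULT = TokenVault()
TOKEN_DB = [enroll(VAULT, r["customer"], r["card"]) for r in LEGACY_DB]

if __name__ == "__main__":
    print("legacy scan:", find_pans(LEGACY_DB))
    print("token scan: ", find_pans(TOKEN_DB))
    print("billing run:", bill_all(VAULT, TOKEN_DB, 1999))
```

The scan covers stored records only; it says nothing about card data captured on a POS device before tokenization, which is the gap the post assigns to P2PE and EMV.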

 

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security, Visa MasterCard American Express

November 4th, 2014 by Elma Jane
“Healthcare’s Unique, Robust MEDIPAID Rolls Out”
Delivering paperless, next-day deposits for Medical Billers
National Transaction Corporation (NTC) in Coral Springs, Florida announced today that, by the first of December 2014, their paperless medical insurance electronic funds capturing suite: MEDIPAID will be fully functional nationwide. NTC’s MEDIPAID delivers next-day deposits for any Medical entity that must bill health insurance companies.
MEDIPAID will bring the speed, ease and convenience of credit card merchant accounts to the world of medical insurance billing. Upon MEDIPAID’s deployment, the medical office receives its payments considerably faster. The revenue is immediately available since it is paid directly into the businesses’ checking account with secure electronic payments.
NTC’s agents help merchants standardize their Electronic Remittance Advice (ERA) and distribution options to automate posting which further reduces paper and time burdens. At a rate far less than credit card processing or third party billing companies, MEDIPAID is designed to eliminate the healthcare provider’s paper check payments with electronic payments that include the remittance detail (ERA) and further allows providers to take advantage of distribution options to automate the claims payment posting processes.
For more information, Contact us anytime.
National Transaction Corporation
office: 954-346-3300 or 888-996-2273
fax: 954-510-4239
website: www.nationaltransaction.com

Posted in Best Practices for Merchants, Medical Healthcare

August 11th, 2014 by Elma Jane

Tokenization technology has been available to keep payment card and personal data safer for several years, but it’s never had the attention it’s getting now in the wake of high-profile breaches. Still, merchants, especially smaller ones, haven’t necessarily caught on to the hacking threat or how tools such as tokenization limit exposure. That gap in understanding places ISOs and agents in an important place in the security mix; it’s their job to get the word out to merchants about the need for tokenization. That can begin with explaining what it is.

The biggest challenge that ISOs will see, and are seeing, is this lack of awareness of the threats that are impacting that business sector. Data breaches are happening at small businesses, and even if merchants get past the point of accepting that they are at risk, they have no clue what to do next. Tokenization converts payment card account numbers into unique identification symbols for storage or for transactions through payment mechanisms such as mobile wallets. It’s complex, and not enough ISOs understand it even though it represents a potential revenue-producer. The industry as a whole is also confused over tokenization standards and how to deploy and govern them.

ISOs presenting tokenization to merchants should echo what security experts and the Payment Card Industry Security Council often say about the technology. It’s a needed layer of security to complement EMV cards. EMV takes care of the card-present counterfeit fraud problem, while tokenization deters hackers from pilfering data from a payment network database. The Target data breach during the 2013 holiday shopping season haunts the payments industry. If Target’s card data had been tokenized, it would have been worthless to the criminals who stole it. It wouldn’t have stopped malware access to the database, but it would have been as though criminals breaking into a bank vault found, instead of piles of cash, poker chips that only an authorized user could cash at a specific bank.

A database full of tokens has no value to criminals on the black market, which reduces risk for merchants. Unfortunately, the small merchants have not accepted the idea or the reality and fact, that there is malware attacking their point of sale and they are being exposed. That’s why ISOs should determine the level of need for tokenization in their markets. It is always the responsibility of those who are interacting with the merchant to have the knowledge for the market segment they are in. If you are selling to dry cleaners, you probably don’t need to know much about tokenization, but if you are selling to recurring billing or e-commerce merchants, you probably need a lot more knowledge about it.

Tokenization is critical for some applications in payments. Any sort of recurring billing that stores card information should be leveraging some form of tokenization. Whether the revenue stream comes directly from tokenization services or it is bundled into the overall payment acceptance product is not the most important factor. The point is that it’s an important value to the merchant to be able to tokenize the card number in recurring billing. However, ISOs sell tokenization products against a confusing backdrop of standards developed for different forms of tokenization. EMVCo, which the card brands own, establishes guidelines for EMV chip-based smart card use. It’s working on standards for “payment” tokenization with The Clearing House, which establishes payment systems for financial institutions. Both entities were working on separate standards until The Clearing House joined EMVCo’s tokenization working group to determine similarities and determine whether one standard could cover the needs of banks and merchants.

 

Posted in Best Practices for Merchants

December 30th, 2013 by Elma Jane

Alternative Payments and Ecommerce Conversions

There’s no shortage of alternative payment choices: eBay’s PayPal, Google’s Wallet, Visa V.me, and MasterCard MasterPass, to name a few.  There is also a proliferation of alternate contenders, as mobile shopping threatens to disrupt traditional methods of payments.

Alternative payment companies each claim that their payment method increases conversions. My company, SeeWhy, performed an independent analysis and confirmed these claims.

In this study, data shows significant increases in conversion compared with credit cards, peaking at a 101 percent increase on smartphones.

But this is not the whole story. While these increases are impressive, they only applied to around 15 percent of traffic, so the impact on your site’s overall conversion rate will be much less. Depending on the characteristics of your site you will probably see somewhere in the region of 5 to 10 percent improvement in your site’s overall conversion rate, which is still significant enough not to be ignored. As mobile commerce grows, alternative payments will become ever more important.

However, before embarking on an alternative payment implementation, there are three important considerations you need to take into account.

1. How Many Alternative Payment Methods?

Choosing only one alternative payment method might be tough, so why not implement several, and cover the market more thoroughly? This may be a valid approach, but think carefully before choosing this option.

For example, RunningShoes.com has implemented PayPal, Google Wallet, and MasterPass as alternative payment options.

The problem is that offering payment choices can create four different competing calls-to-action, as you can see. Whenever consumers are faced with too much choice, indecision tends to follow.

This is also problematic when you consider the whole page. There are lots of visual distractions to the primary call to action, which in this case is the red Secure Checkout button.

Before embarking on implementing multiple calls-to-action, consider how you are going to solve this issue. One route you could consider is to suppress the alternate payment methods for returning customers if the customer always pays by credit card, for example. Or if the customer always purchases by PayPal, show the PayPal button most prominently, and hide the others under a “Show alternate methods of payment” link.

2. How to Implement

Not all sites will see significant increases in conversion when implementing alternate payment methods. The main reason for this is that implementations can be done badly. One of the primary benefits of these payment methods is that they enable visitors to bypass the billing, shipping, and card entry steps on an ecommerce site. This is especially important for mobile sites, where entering these details using fingers and small screens defeats all but the most determined.

However, many sites implement these payment methods as an alternative only to entering the credit card number. You can see this here on Barnes and Noble’s site, where you are forced to enter shipping and billing information before being presented with the PayPal button. This may be a simpler implementation than providing an alternate checkout path, but it is frankly a waste of time, and surprisingly prevalent in PayPal implementations.

The correct method is to implement the alternative payment method as a button at the start of the checkout process, probably on the cart summary page. You can see a good example here of this at PacSun.com, an apparel site, but note the competing calls-to-action problem here as well.

PacSun deals with this slightly differently on mobile devices by not offering V.me as a payment alternative. This avoids having a four-choice vertical list of competing calls-to-action.

Alternative payments can undoubtedly result in higher conversions. However, to be effective they need to be implemented correctly to provide an alternative checkout flow, not simply a payment alternative to credit cards. This takes more effort to implement, but it is worth it. Implementing one payment method properly is a better route than superficially implementing multiple payment methods. This is especially true for mobile sales where the goal is to eliminate data entry as much as possible and alternate payments can do this very effectively. As mobile commerce becomes more important, so will alternative payments, for all merchants.

3. Which Payment Method?

Since there are multiple choices, the obvious route is to adopt PayPal. PayPal claims over 30 million U.S. mobile customers, and over 100 million active accounts, which is a larger base than any of its competitors. SeeWhy found that 34 percent of U.S. consumers shopping online had PayPal accounts as of July 2013.

However, PayPal also carries some baggage. Having grown up as a payment method of choice for eBay, its reputation is not always considered positive. Some consumers are wary about PayPal, having had negative experiences in the past, probably with smaller merchants on eBay. In fact, according to SeeWhy’s analysis, two thirds of PayPal account holders state that their preferred payment method is a credit card.

Merchants selling luxury items might want to consider alternatives before implementing PayPal because of its reputation issues. Google Wallet is an alternative that is growing fast in part because of the growth of Android smartphones where a Google Wallet account is required to use the Play store, the Android equivalent of the app store. Google Wallet can also be linked to Google+ social sign on, so if you are considering implementing social sign on as well this might be a route to consider.

Visa’s V.me and MasterCard’s MasterPass both hold significant potential, but the companies are only just beginning to roll out their services. It’s also worth noting that both Visa and MasterCard are rolling out their services through the acquiring banks. This will cause a proliferation of payment choices, leading to complexity and confusion for the shopper. You can see this already with MasterPass where, having selected the Buy with MasterPass option, you are then presented with an array of different MasterPass wallets to choose from. Currently there are only six options, but what happens when there are hundreds?

Posted in e-commerce & m-commerce, Electronic Payments, Mobile Payments, Smartphone

October 17th, 2013 by Elma Jane

You find a good deal online, and as you hastily proceed through the checkout, something goes wrong.

After typing in your name, address and credit card number, you mis-key a digit of your credit card number. The transaction doesn’t go through. The screen seems to yell at you. START OVER. You feel like yelling back.

You have to get to a meeting, so you close your browser and vow to revisit the process later or – worse – try booking the flight on another travel site.

Cart abandonment is a well-known problem for merchants trying to sell goods to online shoppers, and it is even more pronounced when the shopper is using a mobile device.

Travelocity was seeing far too much of it, so the online travel booking site turned to Jumio for a solution.

Travelocity’s deployment of Netswipe, Jumio’s credit card scanning and validation tool, provided the basis for discussion in a recent webinar, “How Travelocity Increased Conversion, Engagement on its Mobile Apps,” sponsored by Jumio and hosted by Mobile Payments Today.

The best webinars look at use cases, said Anthony Lanham, Jumio senior vice president for North American sales, and Travelocity’s experience with Netswipe provides a great example.

Travelocity’s problem was straightforward, the online travel agency’s director of engineering. The site is a common destination for people looking for just-in-time bookings, he said. They need it right now.

And with shoppers increasingly accessing the site from mobile devices, there was this pattern. The user doing a last-minute booking is in a hurry. When you’re in a hurry with a small screen, there’s a decent tendency to ‘fat-finger’ and make key-entry errors. The transaction fails, and that becomes frustrating for the user in a hurry.

A Jumio consumer mobile insight study found that a majority of respondents find it too difficult to fill out forms from a mobile device. And if a purchase doesn’t go through, they almost never go back to try again.

They may come back and finish later, but if it’s Travelocity, the door is now open to go to Expedia and book that flight or hotel.

Netswipe is designed to remove the burden of entering card details. The solution lets users snap a photo of their card with the camera on their mobile device and present it at checkout, removing the need to self-enter.

In the case of Travelocity, when users reach the mobile site’s checkout page, they see an “autoscan with camera” option in the billing header. They hold the card in front of the camera, which scans it and provides the necessary details to the site. The process takes about five seconds.

To test the solution, Travelocity first implemented it on its sister site, LastMinute.com. Adding the software development kit to the LastMinute.com app was simple and early adoption was larger than the company anticipated. That early success led to quick integration of the app on the flagship Travelocity site.

Checkout conversion rates there also increased much more quickly than anticipated. Over two months, customers using the card scan feature converted at 52 percent, compared to 9 percent for other customers. “The data made it clear that ease of entering payment information was the main reason.”

Though Travelocity’s challenge centered on customer conversion and engagement, Netswipe also acts as a fraud deterrent.

Fraudsters always take the path of least resistance and any decent fraudster can get their hands on the name and number and expiration date that match. But once you get to the point of asking that fraudster to put a bona fide card in front of a camera, you are going to instantly cut out a huge swath of fraudsters. For them to take that information and actually translate it on a physical card that would pass muster for the checks that we do is an enormous task. They can go monetize those fraudulent credentials elsewhere easily.

Moharil offered a few lessons from the integration. First, he said, it’s important to measure, and to continue measuring often. For example, are users checking out the feature out of curiosity or are they using it to complete transactions? And it’s important to plan for backward compatibility – making sure earlier versions of the Jumio SDK and Travelocity app don’t have glitches.

Moharil advised rolling out a new solution along the simplest path, in a small use case. Early results for Travelocity have been so good, he only wishes the solution were implemented sooner.

The webinar concluded with a short question-and-answer session. The free webinar is now available for Online Replay, and will remain on the Mobile Payments Today site for 12 months.

 

Posted in Best Practices for Merchants, e-commerce & m-commerce, Travel Agency Agents, Visa MasterCard American Express