EMV
November 30th, 2015 by Elma Jane

Cybercriminals will continue to look for opportunities to steal payment information. Despite the superior security features associated with EMV technology, chip cards may still be vulnerable to certain types of fraud.

An EMV chip does not stop lost or stolen cards from being used in card-not-present transactions. Merchants who deal in card-not-present transactions like sales over the telephone or via the Internet are encouraged to adopt additional security measures to ensure the authenticity of cards used for transactions. The strength of the U.S. e-commerce market makes card-not-present fraud an equally important security issue that card issuers and merchants need to consider in the shift to chip cards for point-of-sale transactions.

Retailers and service providers who deal in card-present transactions are reminded that upgrading to an EMV terminal at the POS is the best way to protect their customers and their business from fraudulent transactions.

EMV cards are available as either chip-and-PIN (requiring the cardholder to enter their personal identification number to complete a transaction) or chip-and-signature (requiring the cardholder’s signature). U.S. banks have primarily chosen to issue chip-and-signature cards for now.

While 59 percent of U.S. adults have already received a new chip card, only 41 percent of them know its benefits and only 37 percent say their card issuers explained how to use the chip cards.

Posted in Best Practices for Merchants, e-commerce & m-commerce, EMV EuroPay MasterCard Visa, Point of Sale

Payment
November 17th, 2015 by Elma Jane

Within the payment processing industry, merchant accounts are categorized according to how they process their transactions.

There are two primary merchant account categories:

Swiped (Card Present) and Keyed (Card-Not-Present).

Swiped or Card-Present Transactions: Those in which both the card and the cardholder are present at the time the payment is processed. The merchant physically swipes the customer’s credit card through a terminal or point-of-sale system.

The sub-categories within this group include:

Retail Merchants – Normally conduct their business in an actual storefront or office space. They primarily use counter-top terminals or point-of-sale systems.
Restaurant Merchants – Require a special set-up that allows tips to be added to the final sale amount by settling the transaction with an adjusted price that includes the tip amount.
Wireless / Mobile Merchants – Use wireless terminals or mobile phones to run transactions in real time, so they can accept credit card transactions wherever they are located out on the road.
Hotel / Lodging Merchants – Authorize a customer’s credit card for a certain sale amount.

Card-Present Transactions also include grocery stores, department stores, movie theaters, etc. Card acceptance settings where cardholders use unattended point-of-sale (POS) terminals, such as gas stations, are also defined as card-present transactions. 

Keyed-In or Card-Not-Present Transactions: Those completed when the cardholder (or his or her credit card) is not physically present, so the card cannot be handed to the seller.

The sub-categories within this group include:
Mail Order / Telephone Order (MOTO) – The customer’s card information is gathered over the phone, by fax, email or internet and then manually keyed into a terminal or payment gateway software. Once the transaction is approved and completed, the product is shipped to the customer.
eCommerce / Internet – Conduct all of their business over the internet through a web site, so all credit card transactions are processed online via a payment gateway in real time. The payment gateway is integrated into the web site’s shopping cart. The cardholder’s card is charged instantly.

Travel merchants are one example of Keyed or Card-Not-Present Transactions.

Start processing credit card payments today whether Swiped or Keyed.

Give us a call now at 888-996-2273 for more details!

Posted in Best Practices for Merchants, e-commerce & m-commerce, Mail Order Telephone Order, Mobile Payments, Mobile Point of Sale, Point of Sale, Smartphone, Travel Agency Agents

POS
November 13th, 2015 by Elma Jane

It’s important for merchants to understand the basics of how a credit card terminal works. It is the channel through which the process flows, and merchants can choose the right one for their processing needs, whether they use a point-of-sale (POS) countertop model, a card reader that attaches to a smartphone or mobile device, a sleek handheld version for wireless processing or a virtual terminal for e-commerce transactions.

A credit card terminal’s function is to retrieve the account data stored on the payment card’s EMV microchip or a magnetic stripe and pass it along to the payment processing company (also known as merchant account provider).

For card-not-present (CNP) – mail order, telephone order and online transactions – the merchant enters the information manually using a keypad on the terminal, or the e-commerce shopper enters it on the website’s payment page. The back half of the process remains the same.

The actual data transmission goes from the terminal through a phone line or Internet connection to a payment processing company, which routes it to the bank that issued the credit card for authorization.

In card-present transactions where the card and cardholder are physically present, the card is connected to the reader housed in the POS terminal. The data is captured and transmitted electronically to the merchant account provider, who handles the authorization process with the issuing bank and credit card networks.

A POS retail terminal with a phone or Internet connection works best in a traditional retail setting that deals exclusively in card-present transactions. For a business with mobile sales, a mobile credit card processing option like Virtual Merchant Converge Mobile relies on a downloadable app to transform a smartphone or tablet into a credit card terminal equipped with a USB card reader.

Wireless Terminals are compact, allowing you to accept credit cards in the field without relying on a phone connection. If you process debit cards, you’ll need a PIN pad in addition to your terminal so cardholders can enter their personal identification number to complete the sale.

Selecting the right terminal for your credit card processing needs depends largely on the type of business you run and the sorts of transactions you process. Terminals are highly specialized and provide different services. At National Transaction we offer a broad range of terminals with NFC (near field communication) capability to accept Apple Pay, Android Pay and other NFC/contactless payment transactions at your business. An informed business decision benefits your bottom line. Start accepting credit cards today with National Transaction.

Posted in Best Practices for Merchants, Credit card Processing, e-commerce & m-commerce, EMV EuroPay MasterCard Visa, Mobile Point of Sale, Point of Sale

EMV
October 16th, 2015 by Elma Jane

With the EMV liability shift that takes effect in October 2015, how much you’ll be affected depends on how you process credit card payments.

For Card Present Transactions

If you use POS hardware or a terminal on which you swipe the credit card, then you’ll be facing the same EMV environment as retailers. October 1st is the start of the liability shift for fraudulent charges made in card-present transactions. The party who hasn’t made an investment in EMV security features will be liable.

Card issuers need to invest in EMV security features, which is why they came out with chip cards: credit and debit cards with security chips that are harder to counterfeit than magnetic stripes.

Merchants need to invest in EMV-capable terminals or POS hardware that can take advantage of the card’s security chip.

If both parties have made the investment, then liability will be resolved in a similar manner to how it was before the shift. However, if only one party has adopted EMV technology, the party that didn’t make the investment will be held liable.

For Card Not Present Transaction (CNP)

If you process credit cards online, over the phone, or through an integrated online payment gateway, the new EMV standards won’t directly change the way you do business. You’ll still be processing EMV cards based on the customer’s credit card number.

Chances are Card-Not-Present transactions will experience an increase in fraud. Because of EMV technology in card-present transactions, fraudsters will likely turn their attention to the next target, which is CNP, but payment gateways and banks concerned about the vulnerabilities will begin to adopt new standards to minimize their exposure.

If you’re processing CNP transactions, stay up to date on the newest security developments and online security standards to find more effective ways to navigate the new credit card security frontier.

Posted in Best Practices for Merchants, Credit Card Reader Terminal, Credit Card Security, EMV EuroPay MasterCard Visa, Mail Order Telephone Order, Point of Sale

September 24th, 2014 by Elma Jane

The CVV number (Card Verification Value) on your credit card or debit card is a 3-digit number on Visa, MasterCard and Discover branded credit and debit cards. On your American Express branded credit or debit card it is a 4-digit numeric code.

The codes have different names:

American Express – CID or unique card code.

Debit Card – CSC or card security code.

Discover – card identification number (CID).

MasterCard – card validation code (CVC2).

Visa – card verification value (CVV2).

CVV numbers are NOT your card’s secret PIN (Personal Identification Number).

You should never enter your PIN number when asked to provide your CVV. (PIN numbers allow you to use your credit or debit card at an ATM or when making an in-person purchase with your debit card or a cash advance with any credit card.)

Types of security codes:

CVC1 or CVV1 is encoded on track 2 of the magnetic stripe of the card and used for card-present transactions. The purpose of the code is to verify that a payment card is actually in the hand of the merchant. This code is automatically retrieved when the magnetic stripe of a card is swiped on a point-of-sale (card-present) device and is verified by the issuer. A limitation is that if the entire card has been duplicated and the magnetic stripe copied, then the code is still valid.

The most cited is CVV2 or CVC2. This code is often sought by merchants for card-not-present transactions occurring by mail or fax or over the telephone or Internet. In some countries in Western Europe, card issuers require a merchant to obtain the code when the cardholder is not present in person.

Contactless cards and chip cards may supply their own codes generated electronically, such as iCVV or Dynamic CVV.

Code Location:

The card security code is typically the last three or four digits printed, not embossed like the card number, on the signature strip on the back of the card. On American Express cards, the card security code is the four digits printed (not embossed) on the front towards the right. The card security code is not encoded on the magnetic stripe but is printed flat.

American Express cards have a four-digit code printed on the front side of the card above the number.

MasterCard, Visa, Diners Club, Discover, and JCB credit and debit cards have a three-digit card security code. The code is the final group of numbers printed on the back signature panel of the card.

New North American MasterCard and Visa cards feature the code in a separate panel to the right of the signature strip. This has been done to prevent overwriting of the numbers by signing the card.

Benefits when it comes to security:

As a security measure, merchants who require the CVV2 for card-not-present payment card transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized and completed. This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. Virtual terminals and payment gateways do not store the CVV2 code; therefore, employees and customer service representatives with access to these web-based payment interfaces, who otherwise have access to complete card numbers, expiration dates, and other information, still lack the CVV2 code.

The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other sensitive authorization data) post transaction authorization. This applies globally to anyone who stores, processes or transmits cardholder data. Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America require the code. For American Express cards, this has been an invariable practice (for card-not-present transactions) in European Union (EU) states like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a fraudulent merchant or employee cannot simply capture the magnetic stripe details of a card and use them later for card-not-present purchases over the phone, mail order or Internet. To do this, a merchant or its employee would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder’s suspicion.

Supplying the CSC code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.
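The storage rule described above can be enforced in code at the point where a transaction record is persisted. The following is an added example, not code from this blog or from any gateway: it removes card security code fields from a request before it is stored and reports where such fields still appear in existing records. The field names, the record layout and the function names are assumptions.

```python
import copy
import re

# Key names under which a card security code might travel. These are
# assumed names; adjust them to your own gateway's request schema
# ("cid" in particular may mean something else in your records).
CODE_KEYS = {"cvv", "cvv2", "cvc", "cvc2", "cid", "csc", "cardcode",
             "securitycode", "cardsecuritycode"}


def _is_code_key(key):
    """Match keys case-insensitively, ignoring separators such as _ or -."""
    return re.sub(r"[^a-z0-9]", "", str(key).lower()) in CODE_KEYS


def find_codes(node, path=""):
    """Return the path of every security-code field present in a record."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else str(key)
            if _is_code_key(key):
                hits.append(here)
            else:
                hits.extend(find_codes(value, here))
    elif isinstance(node, list):
        for i, item in enumerate(node):
            hits.extend(find_codes(item, f"{path}[{i}]"))
    return hits


def strip_codes(node):
    """Return a deep copy of the record with security-code fields removed."""
    if isinstance(node, dict):
        return {k: strip_codes(v) for k, v in node.items()
                if not _is_code_key(k)}
    if isinstance(node, list):
        return [strip_codes(item) for item in node]
    return copy.deepcopy(node)


def record_after_authorization(request, approved):
    """Build the record to persist once the transaction is authorized."""
    stored = strip_codes(request)
    stored["approved"] = approved
    return stored


# Constructed sample request; the card number is a common test value.
SAMPLE = {"order": "A-1001", "amount": "25.00",
          "card": {"number": "4111111111111111", "exp": "12/27", "CVV2": "123"},
          "retries": [{"card": {"security_code": "123"}}]}
```

Running `find_codes` over records exported from an existing transaction database shows whether any were stored with the code still attached.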

 

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Point of Sale, Visa MasterCard American Express

August 28th, 2014 by Elma Jane

Merchants are still using pedestrian passwords that crooks can easily break, security company Trustwave has found. Of the nearly 630,000 stored passwords that Trustwave obtained during penetration tests in the past two years, its technicians were able to crack more than half in just a few minutes and 92% within 31 days. Even though adding new information about weak passwords or ongoing malware investigations gets frustrating because the same problems facing the financial and payments industries persist, it does not surprise Trustwave researchers. For a lot of software or hardware developers, their main concern is availability of the service. They want to make sure their POS is available and running to accept credit cards, often at the cost of a lot of security controls. It is difficult to implement security and to do it correctly.

Trustwave recommends longer passwords with more characters, rather than shorter ones with letters and numbers. A longer password that is a phrase not easily figured out is better than a shorter, complex password. These findings have been added to an online version of the 2014 Trustwave Global Security Report. To accommodate the fast changing nature of security threats, Trustwave is regularly updating its research and making the information available to consumers and payments industry stakeholders on the company’s site. The criminals stealing data are a constantly moving target. It no longer made sense for those interested in our research to have to wait a year to see new statistics. Having access to updated security reporting should be helpful to merchants. They can see how trends are tracking over time, instead of constantly having to go online to see what is relevant to them or rely on the trade groups to keep them informed. This provides one switch to keep them in the know, so there is some value there and it’s a smart move on Trustwave’s part. Since the new Payment Card Industry security requirements call for security measures to be embedded in software development lifecycles, there is some utility in Trustwave’s new approach to sharing research information.

Trustwave said the trend of businesses detecting breaches continues to rise, with 29% of businesses doing so in 2013 compared to only 9% in 2009. Trustwave compiled that data from 691 post-breach forensics investigations conducted in 2013. The report also indicated e-commerce breaches are increasing, with 54% of all breaches targeting e-commerce sites in 2013, compared to only 9% in 2010. More regions, including the U.S., being in various stages of converting to EMV chip-based cards for card-present transactions fuels the criminals’ shift to e-commerce fraud. Additionally, the company is working with law enforcement officials after discovering a control center of eight servers behind what is being called Magnitude, an exploit kit of Russian origin that has led to thousands of attacks and millions of attempted malware attacks globally.

Posted in Best Practices for Merchants, Payment Card Industry PCI Security, Point of Sale