August 11th, 2014 by Elma Jane
Tokenization technology has been available to keep payment card and personal data safer for several years, but it’s never had the attention it’s getting now in the wake of high-profile breaches. Still, merchants, especially smaller ones, haven’t necessarily caught on to the hacking threat or how tools such as tokenization limit exposure. That gap in understanding places ISOs and agents in an important place in the security mix: it’s their job to get the word out to merchants about the need for tokenization. That can begin with explaining what it is.
The biggest challenge that ISOs will see, and are seeing, is this lack of awareness of the threats affecting that business sector. Data breaches are happening at small businesses, and even if merchants get past the point of accepting that they are at risk, they have no clue what to do next. Tokenization converts payment card account numbers into unique identification symbols for storage or for transactions through payment mechanisms such as mobile wallets. It’s complex, and not enough ISOs understand it, even though it represents a potential revenue producer. The industry as a whole is also confused over tokenization standards and how to deploy and govern them.
ISOs presenting tokenization to merchants should echo what security experts and the Payment Card Industry Security Council often say about the technology. It’s a needed layer of security to complement EMV cards. EMV takes care of the card-present counterfeit fraud problem, while tokenization deters hackers from pilfering data from a payment network database. The Target data breach during the 2013 holiday shopping season haunts the payments industry. If Target’s card data had been tokenized, it would have been worthless to the criminals who stole it. It wouldn’t have stopped malware access to the database, but it would have been as though criminals breaking into a bank vault found, instead of piles of cash, poker chips that only an authorized user could cash at a specific bank.
A database full of tokens has no value to criminals on the black market, which reduces risk for merchants. Unfortunately, small merchants have not accepted the idea, or the reality, that there is malware attacking their point of sale and that they are being exposed. That’s why ISOs should determine the level of need for tokenization in their markets. It is always the responsibility of those who are interacting with the merchant to have the knowledge for the market segment they are in. If you are selling to dry cleaners, you probably don’t need to know much about tokenization, but if you are selling to recurring billing or e-commerce merchants, you probably need a lot more knowledge about it.
Tokenization is critical for some applications in payments. Any sort of recurring billing that stores card information should be leveraging some form of tokenization. Whether the revenue stream comes directly from tokenization services or it is bundled into the overall payment acceptance product is not the most important factor. The point is that it’s an important value to the merchant to be able to tokenize the card number in recurring billing. But ISOs sell tokenization products against a confusing backdrop of standards developed for different forms of tokenization. EMVCo, which the card brands own, establishes guidelines for EMV chip-based smart card use. It’s working on standards for “payment” tokenization with The Clearing House, which establishes payment systems for financial institutions. Both entities were working on separate standards until The Clearing House joined EMVCo’s tokenization working group to identify similarities and determine whether one standard could cover the needs of banks and merchants.
August 8th, 2014 by Elma Jane
The latest MasterCard Card Personalization Validation module in the Collis EMV Personalization Validation Tool has been qualified by MasterCard, including the U.S. Common Debit AID. The tool will be used to support EMV card issuers in the U.S., and specifically checks if MasterCard cards are correctly personalized according to the latest MasterCard specifications. It also includes specific personalization profiles to certify compliance with the Durbin Legislation. The Collis EMV Personalization Validation Tool is the most thorough and comprehensive test tool for issuers, card personalization bureaus and card manufacturers that want to validate the personalization of their contact/contactless payment cards and mobile payment applications. With the tool, issuers can easily check the correctness of the personalization of any EMV card application according to the latest test specifications of the seven major worldwide payment schemes. He added that the Collis EMV Personalization Validation Tool also fits seamlessly into preparing for the MasterCard CPV Formal Approve Service that UL can deliver.
August 8th, 2014 by Elma Jane
Visa Inc., the global leader in payments, is helping U.S. fuel retailers prevent credit and debit card fraud at the pump with intelligent analytics that identify higher-risk transactions that may be fraudulent. Visa Transaction Advisor uses sophisticated analytics based on the breadth and scale of VisaNet data to flag the riskiest transactions. Visa worked with fuel companies to understand their needs and created a new service that builds on Visa’s predictive analytics capabilities, providing fuel merchants with more intelligence to prevent fraud and improve their bottom line. While global fraud rates across the Visa payment system remain near historic lows (less than 6 cents for every $100 transacted), fuel pumps can be targets for criminals because they are often self-service terminals. The new solution, Visa Transaction Advisor (VTA), enables merchants to use real-time authorization risk scores to identify transactions that could involve lost, stolen or counterfeit cards. A pilot test of the new service showed a 23 percent reduction in the rate of fraudulent transactions – all without costly infrastructure upgrades or disruption of the customer experience.
How It Works
After a cardholder inserts the card at the pump, Visa analyzes multiple data sets such as past transactions, whether the account has been involved in a data compromise and nearly 500 other pieces of data to create a risk score. This allows merchants to identify those transactions with a higher risk of fraud and perform further cardholder authentication before gas is pumped. The time and costs associated with resolving fraudulent transactions can be substantial for both merchants and financial institutions and inconvenient for cardholders, which is one of the reasons why fraud prevention is critical. Visa’s solution is easy to implement, using existing message fields and formats as well as pump software or hardware to ensure minimal impact to merchants and acquirers. Several fuel merchants who piloted the technology over the last several months noticed a decrease in fraud, without negatively impacting their consumers’ experience. VTA is a tool that helps mitigate fraudulent transactions: a pilot program in Los Angeles saw a 23 percent reduction in the rate of fraudulent chargebacks. This was done with minimal impact to the customer experience, making secure payment at the pump as convenient as possible. Shell provides fuel to millions of customers each month through approximately 15,000 service stations in the United States, and its US Credit Card Operations Manager said that any new solution or technology it considers has to have a clear business benefit, be customer-centric and be easy to implement. With no infrastructure investment, Shell is testing VTA as part of its proactive fraud prevention tool set to better identify fraudulent card activity earlier in the transaction cycle, without inconveniencing customers.
Visa Transaction Advisor is available to merchants through participating U.S. acquirers. Visa has partnered with Vantiv and is also working with other acquirers to offer the service to its fuel clients. Ease of implementation is a critical requirement whenever talking about a new merchant service. Visa Transaction Advisor builds on existing payment infrastructure, is easy to implement and flexible enough to allow customization by merchants.
July 22nd, 2014 by Elma Jane
Facebook has begun testing a buy button which lets users purchase products advertised on the social network. Meanwhile, Twitter is also stepping up its commerce game, acquiring payments outfit CardSpring.
Facebook users on desktop or mobile can now click a buy call-to-action button on ads and page posts to purchase a product directly from a business, without leaving the social network. Users can pay with a card that Facebook already has on file or enter new details and save them for future use or have them forgotten. No payment details are shared with advertisers. So far, the system is only being tested with a few small and medium-sized businesses in the US.
Separately, Twitter is also looking to strengthen its commerce credentials, buying CardSpring for an undisclosed fee. CardSpring provides an API designed to make it easy for developers to link digital applications to payment cards. It is expected that CardSpring’s technology will help merchants offer discounts in tweets, with customers entering their card details so that when they make a purchase at a later date, the saving is automatically applied.
July 21st, 2014 by Elma Jane
European authorities dismantled a Romanian-dominated cybercrime network that used a host of tactics to steal more than EUR2 million. As a direct result of the excellent cooperation and outstanding work by police officers and prosecutors from Romania, France and other European countries, a key criminal network has been successfully taken down this week.
Hundreds of police in Romania and France, backed by the European Cybercrime Centre, carried out raids on 177 addresses, interrogating 115 people and detaining 65. Those held are suspected of participating in sophisticated electronic payment crimes, using malware to take over and gain access to computers used by money transfer services all over Europe. They are also accused of stealing card data through skimming, money laundering and drug trafficking. Proceeds of the crimes were invested in different types of property, deposited in bank accounts or transferred electronically, says the EC3. Large sums of money, luxury vehicles and IT equipment were seized during the raids.
July 14th, 2014 by Elma Jane
French financial services company LCL has introduced a service that securely issues payment card PIN codes to customers via SMS texting. The programme has been introduced initially for cardholders who forget their confidential code when out shopping or withdrawing cash. In a second phase, the bank intends to extend PIN issuance to coincide with the mail-out of newly-created cards.
LCL is using Gemalto’s Netsize platform, which offers direct connections to more than 160 mobile operators globally for message delivery. LCL recognizes the mobile channel as a new opportunity to support their continued drive to optimize card activation rates and be the top-of-wallet choice for payment. Enabling cardholders to get their PIN code on their mobile phone prompts them to start using their banking card as soon as they receive it.
June 20th, 2014 by Elma Jane
According to a recent survey, 82 percent of e-commerce merchants who currently do not employ a consumer authentication solution are afraid that such solutions will scare off online shoppers. But with more and more fraud expected to migrate online in the coming years, the payments industry needs to do a better job of informing merchants why authentication in the card-not-present realm is crucial to data security.
While a majority of payment service companies employ some type of 3-D Secure online authentication, and most large merchants do likewise, the rest of the merchant population, especially in North America, apparently do not. The survey found that 55 percent of merchants surveyed, a majority of which are U.S.-based, do not use online authentication, and noted that North America is the only world region where less than half of merchants use the technology. The reason so many U.S. merchants eschew consumer authentication is that they see it as a sales killer.
The main reason appears to be fear, uncertainty and doubt (FUD) about how consumer authentication will impact sales conversion and user experience. In all, 43 percent of merchant respondents are FUD-preoccupied, with 20 percent concerned about the effect of the technology on sales conversion, 13 percent worried about changing the user experience and 10 percent simply wanting nothing to do with consumer authentication. Beyond the FUD concerns, there is also a very real perception among merchants and service providers that integration is long and difficult, with 21 percent of merchants who do not employ authentication citing the time and/or cost of integration as the barrier.
End to FUD
The solution to merchant adoption of some form of 3-D Secure technology is apparently education. Many FUD concerns are related to a hangover effect caused by bad experiences with previous iterations of consumer authentication. But the report provides evidence that the FUD factor can be overcome because of the happiness factor that authentication-using merchants express: 81 percent of merchant respondents showed satisfaction with the solutions they have employed.
The report said nearly half of merchants surveyed said authentication had no effect on sales conversion, either positive or negative; however, almost 20 percent believe it has had a positive effect on sales. The positive result seems to be related to merchants who use authentication selectively, on specific transactions rather than on all of them. Additionally, the technology results in many merchants experiencing lower numbers of chargebacks. Amongst merchants, 59 percent overall say the authentication program brought a decrease in chargebacks and this is true for more than half of merchants from each geographic region.
FYI on FUD
The adoption is very low because not many people understand it. Online verification does retard the checkout process as a second screen pops up that consumers must navigate in order to proceed with the purchase. However, these barriers can be overcome with education and simply getting people comfortable with the technology. If we had this solution from day one on all e-commerce sites today nobody would be complaining because people would be used to doing it. It is a question of achieving ubiquity rather than taking a piecemeal approach to implementation. It is a matter of if you do it at one place or every place. If you have to do it at only one location that makes that site really secure. If all sites ask the same question, you get used to it.
Consumer authentication is also something that requires buy-in from issuers, acquirers and merchants. It is a participation solution where the issuer and the acquirer have to be participating in it. If you are an e-commerce site certified with Verified by Visa, the card brand’s proprietary version of 3-D Secure, and the card issuer has not embraced it, then the security will not happen.
The increasing number and frequency of breaches is slowly eroding consumers’ trust in the safety of e-commerce. It’s not good for the whole ecosystem. At some point people will come back and say, this is too risky to do online transactions with cards. Before that point is reached, businesses should improve their online defenses, and consumer authentication is central to that defense. With the U.S. payments infrastructure in the process of transitioning to the Europay/MasterCard/Visa (EMV) chip card standard at the physical POS, fraud in the United States will sharpen its focus on the less secure online channel. EMV will do a lot of good in terms of card present security, but it does not do anything for card-not-present environments. So how are we going to contain the online fraud? We have to go to a 3-D Secure type solution.
June 16th, 2014 by Elma Jane
Credit card companies are racing against tech giants like Apple and Google to create what would thin our wallets forever. The race, which started to replace paper with plastic, is now entering a new phase of combining our cell phones and credit cards. Credit card giant American Express is working on developing a next generation app, which would let consumers shop using their virtual credit cards just like virtual boarding passes on an iPhone Passbook. Amex doesn’t stand alone in the race. Google, Square and Apple are some of the many companies in Silicon Valley that are working on taking the leap. While Google Wallet and PayPal are some of the available products providing customers with a virtual wallet experience, the credit card companies still continue to benefit from being the point of sale for these products. This puts Amex in a unique position, as it doesn’t have to struggle to become the card customers choose to use. Amex is just a jump away from moving from customers’ wallets to their cellphones.
June 4th, 2014 by Elma Jane
The operator of a gold vault on the Isle of Man is to issue a credit card made of solid gold that enables customers to draw down cash on their holdings of the valuable metal. The 14-carat Visa gold card from IMGold will be made available to clients who have at least £100,000 of the metal bars in their vault. The idea is that customers can use the card to borrow against their reserves, effectively hedging against a decline in the value of gold.
IMGold is currently inviting applicants for the blinged-up store of wealth under the banner: The card that carries more weight.
The Isle of Man is some way behind Kazakhstan’s oligarchs, who have been brandishing gold and diamond-encrusted cards for some years now. MasterCard and Kazkommertsbank introduced their own diamond-encrusted card in the province back in 2008. This was followed in 2012 by the launch of Visa Infinite Exclusive cards – made of pure gold, with pearl embossing and 26 diamonds – by Sberbank for its top 100 customers in the energy-rich country.
May 29th, 2014 by Elma Jane
A point-of-sale facial recognition system that uses NFC to help combat card fraud has been created during a recent company hack-a-thon, together with a group of engineers and designers from Logic PD. The hackathon was an opportunity for experts to explore the possibilities of useful solutions to today’s challenges. With the recent significant breaches in security at leading retailers, the need for this type of solution is particularly meaningful.
The solution, a multi-modal security platform for card purchases, uses NFC authentication combined with camera imaging to protect users. When users make a mobile payment at the point of sale, the kiosk snaps a picture of the purchaser. This image can be incorporated via the cloud into the user’s digital transactional record, which was stored and distributed via SeeControl in this example, allowing users to identify who made each purchase and to easily identify fraudulent purchases, even before banks and financial institutions do.