October 9th, 2020 by Admin

When you are first setting up a retail or an eCommerce endeavor, few decisions will be as important as the payment provider that you choose. Your payment provider will handle each and every card transaction your online company makes, and if it doesn’t function properly, or if it comes with a lot of hidden fees, such as old legacy systems with long-term contracts, you can be setting your business up to fail before you ever get started.

So, we are going to explain to you what you should be looking for when you reach this crucial decision in the setup phase of your business, and we will help you find a payment provider that meets your needs perfectly and sets you up to succeed in the business world.

As a general rule of thumb, there are three main factors that you really need to consider when you go to choose who you will be working with: The people involved in the transaction, the fees associated with each transaction, and how the transaction is handled behind the scenes. There are some smaller tidbits that can make a specific provider a better or worse choice, but those three factors will allow you to narrow your search down to a select few of top competitors that will truly help your company succeed.

The Parties Involved

Besides your bank and the customer’s bank, there are three different parties that go into every single one of your transactions, and a payment provider works with all three of them. There’s you, your customer, and the technology acting as a bridge between the two of you. We’ll go into more detail about each of them now.

The Customer

With this part of the transaction, we are really talking about the “issuing bank”. That’s your customer’s bank, and they handle lending the customer the money to make a purchase on your site, and they issue the card that the customer uses to make that purchase. This is your customer’s main form of interaction with the transaction process, and it’s one of the most important factors since it’s what starts the transaction in the first place. However, you have no control over this factor, and you can simply ensure that the technology, which we’ll talk about soon, makes their part of the transaction as smooth as possible.

The Merchant

This is you and your part in the transaction. You function as the merchant that the customer is engaging with, and in order to do that, you need a merchant bank to partner with and work as your company’s bank. A merchant bank functions differently than the bank you use in your day to day life. Instead of issuing you funds in advance for credit purchases and managing your checking and savings accounts, a merchant bank takes in your customers’ payments for you, and then puts those payments into a special merchant account that is a lot like a business’s checking account. Without a merchant bank, you won’t be able to succeed in the long-term with eCommerce.

The Technology Solution

Your technology, and the company handling it, is what makes a transaction possible in the first place, and there are two parts to this imperative factor: The payment processor and the payment gateway.

Processor

The payment processor is what actually handles the transaction. It moves the money between the different parties and delivers it to the banks and accounts involved. If your processor is subpar, your customer’s transaction experience will be, too. You need an up-to-date payment processor that functions smoothly and without any hassle placed on you or your customer to ensure that each customer enjoys a seamless transaction.

Gateway

The payment gateway is essentially what sends the transaction information to the payment processor. It links to your site’s shopping cart feature, and when a customer buys something, it connects to the payment processor and begins the transaction. In order to ensure that your transactions are smooth and effortless, this technological asset needs to be competent and able to easily satisfy your customers without being apparent.

How the Transaction Process Happens

The transaction process is fairly complicated, but it all takes place in a matter of seconds. In fact, it’s usually seemingly instantaneous.

Once a purchase is made, the payment gateway encrypts the transaction data to protect your customer and your business, and then it asks the customer’s bank if it will advance the funds for the customer’s purchase. If yes, the payment will be sent to your merchant account, and if not, the transaction will be denied and ended until a resolution can be found.

Once that step is completed, the funds typically become accessible to you as soon as your merchant bank acquires them and places them in your account, but you may be required to keep a certain amount in the account to make sure you can cover any returns that pop up.

This part is not instantaneous; it can take a couple of days to complete.

Transaction Fees

This is easily the factor that you’ll want to pay attention to the most, because a lot of merchant service providers are downright misleading when they quote your rates, and you need to get a firm understanding of how a company sets up its fees to know what to actually expect from your bill.

Most often, companies will quote something like 1.8% rates to interest you and appeal to your more frugal side, but then they’ll apply all sorts of hidden fees that raise that rate as high as 11% without notifying you properly. As you can imagine, that can make your bill a bit more than what you thought it would be.

There are three rate models that are most often used:

Flat-Rate

You’re given a specific amount to pay, and whether that covers your total fees or not, that’s what you pay. You could be overpaying tremendously if you accept quite a few low-cost cards vs. the higher-cost cards. The processor is banking on your acceptance of these lower-cost cards to ensure all of its costs are covered.

Interchange Plus Pricing

This takes the interchange fee you pay and adds a small fixed rate on top of it. It’s not as consistent as a flat-rate fee because of the sheer number of interchange fees out there and the number of different credit cards with all of their various reward and incentive programs.

Tiered Pricing

This is when the provider creates a few tiers of fees and charges you based on the tier your fees are in rather than each individual fee. The only bad thing about this is that the provider decides which fees go into which tier.

Other Important Things to Consider

Does your processor provide Data Security/PCI protection? What about financial breach protection, in the event you are breached?

Any business or other entity that stores, processes or transmits cardholder data must ensure that their processes meet the Payment Card Industry / Data Security Standard (PCI/DSS). Failure to do so can result in heavy fines being levied.

Understanding PCI/DSS

The PCI/DSS is a global standard defining acceptable practice for any entity involved in the storage, transmission or processing of cardholder data.

In recognition of the sensitive, confidential and valuable nature of this data, the standard imposes strict regulations which must be met in full. The full standard is detailed, but it is organized into 12 broad requirements, grouped into 6 control objectives as follows:

1. Build and Maintain a Secure Network and Systems
– Install and maintain a firewall configuration to protect data
– Do not use vendor-supplied defaults for system passwords and other security parameters

2. Protect Cardholder Data
– Protect stored data (use encryption)
– Encrypt transmission of cardholder data and sensitive information across public networks

3. Maintain a Vulnerability Management Program
– Use and regularly update anti-virus software
– Develop and maintain secure systems and applications

4. Implement Strong Access Control Measures
– Restrict access to data by business need-to-know
– Assign a unique ID to each person with computer access
– Restrict physical access to cardholder data

5. Regularly Monitor and Test Networks
– Track and monitor all access to network resources and cardholder data
– Regularly test security systems and processes

6. Maintain an Information Security Policy
– Maintain a policy that addresses information security

Any entity handling card transactions must meet the standard and be able to demonstrate (certify) that it does so. The level of certification is flexible and depends on how transactions are processed and in what volume.

A Summary of Benefits

Achieving full compliance with PCI/DSS standards is more than an obligation. It delivers genuine benefits to businesses:

– Lessen the risk of fraudulent transactions
– Prevent security breaches
– Lessen the impact should a breach occur
– Reduce your business’s exposure to risk and liability
– Provide peace of mind for your customers
– Avoid the negative PR associated with data loss

Why are These Requirements in Place?

Card transactions have grown enormously in recent years as cards become the number 1 preferred form of payment. Since no physical money is handled or exchanged as part of these transactions they are dependent on the transfer of data.

That data therefore becomes sensitive and valuable and must be protected. Failure to protect this data can lead to fraud and theft. These crimes often impact both the card holder and the merchant directly. They can also damage or even destroy the reputation of businesses or organizations involved in hacks or data breaches.

More widely, card fraud has the long-term detrimental effect of eroding consumer confidence and trust, both in the individual companies affected and in the card payment industry as a whole.

Millions of consumers and organizations worldwide are choosing to pay by card, and millions of businesses, professionals, traders and organizations are accepting and handling these payments. Instead of allowing an ad-hoc approach where each business sets its own level of security, the PCI/DSS was imposed. This ensures a uniformly high level of data security throughout the worldwide card payment industry.

Keep your Data Secure – Don’t get caught without PCI Data Breach Protection

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Security, e-commerce & m-commerce, Electronic Payments, Financial Services, Internet Payment Gateway, Mail Order Telephone Order, Merchant Account Services News Articles, Merchant Services Account, Mobile Payments, nationaltransaction.com, Payment Card Industry PCI Security, Uncategorized, Visa MasterCard American Express

CODE 10
February 17th, 2016 by Elma Jane

Helping customers protect and safeguard their payment data is one of NTC’s top priorities. Experts agree that a layered approach is the most effective way to combat evolving security threats and unauthorized access to payment data.

Implementation of best practices and the latest protection technology is needed to ensure cardholder data protection from increasingly complex and evolving security threats.

EMV is a good start to enhance data security with card authentication, cardholder verification, and transaction authorization. But a multi-layered security approach that includes encryption and tokenization provides complete data protection to both merchants and their customers.

EMV alone is not enough: EMV authenticates the validity of the card and the cardholder, but it does not secure the data. Conversely, with encryption and tokenization but without EMV, you as a merchant are liable for fraudulent transactions. Encryption and tokenization are processes or systems that protect sensitive cardholder data, but they do not authenticate it.

EMV is a key component of a multi-layered security approach, securing the payment transaction with enhanced functionality. By combining EMV, encryption and tokenization, merchants can have the complete data protection they need.

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa

CODE 10
February 2nd, 2016 by Elma Jane

Businesses continue to struggle with the prohibited storage of unencrypted customer payment data. Under the Payment Card Industry Data Security Standard (PCI DSS), merchants are instructed that protection methods are critical components of cardholder data protection under the PCI DSS requirements.

PCI DSS applies to every company that stores, processes or transmits cardholder information. Regardless of the size or type of business you operate, the number of credit card transactions you process annually or the method you use to do so, you must be PCI compliant.

Data breach is not a limited, one-time occurrence. This is why PCI compliance is required across all systems used by merchants.

Encryption and tokenization are a strong combination to protect cardholder data at all points in the transaction lifecycle: in use, in transit and at rest.

National Transaction’s security solutions provide layers of protection, when used in combination with EMV and PCI-DSS compliance.

Encryption is ideally suited for any business that processes card transactions in a face-to-face or card-present environment. From the moment a payment card is swiped or inserted at a terminal featuring a hardware-based, tamper-resistant security module, encryption protects the card data from fraudsters as it travels across various systems and networks until it is decrypted at a secure data center.

Tokenization can be used in card-not-present environments (travel merchants) such as e-commerce or mail order/telephone order (MOTO), or in conjunction with encryption in card-present environments. Tokens can reside on your POS/PMS or within your e-commerce infrastructure at rest, and can be used to make adjustments, add new charges, make reservations, perform recurring transactions, or perform other transactions in use. Tokenization protects card data when it is in use and at rest. It converts or replaces cardholder data with a unique token ID to be used for subsequent transactions.

The sooner businesses implement encryption and tokenization, the sooner stored unencrypted data will become a thing of the past.

Posted in Best Practices for Merchants, Travel Agency Agents

Evolution of Electronic Payments
December 17th, 2015 by Elma Jane

Mobile Payments – We are bound to see more action from tech giants Apple, Google and Samsung in mobile payment trends. We will also see new technologies like smartwatches, bracelets and rings that will give us the ability to provide payment options.

NFC – Near Field Communication, another familiar face among the payment trends. NFC, however, goes way beyond making payments using smartphones. These speed up POS payment processing quickly and easily without requiring a PIN or signature. While there are other POS payment methods, such as QR codes, NFC will come out on top. Merchants should ensure they have an overview of the current Point-of-Sale options and should, if needed, upgrade to the latest technology.

Security: Tokenization and biometric authentication will have a strong influence on the payment industry.

Tokenization – When applied to data security, tokenization is an extremely interesting method of securing credit card data. Because the credit card numbers are substituted by tokens that have no value, no harm can be done if the tokens are stolen, which is what makes tokenization a secure process.

There are several new inventions in payment processing authentication, such as password, PIN, and fingerprint methods. On their own these are weak, so two-factor authentication is increasingly used to improve security.

Biometric Authentication – Methods like fingerprint scanning, facial recognition, voice recognition, and pulse recognition are set to become increasingly significant. This will increase both security and convenience.

International E-Commerce – It’s important that merchants offer shoppers their preferred local payment method. Merchants looking for e-commerce success will need to create an international strategy. They should also consider checking with their payment service providers, who know their way around alternative payment methods.

Cash on the Retreat – Cashless society? Some countries in Europe are certainly cutting down on the usage of cash. In Sweden, it is now almost impossible to use cash to pay for bus tickets. Acceptable payment methods include customer cards, credit cards, and payments via smartphone apps. Traditional cash-based bakeries no longer exist; instead, shops now display signs requesting that customers use cashless payment methods for even the smallest amounts. The situation in Denmark is similar: the government is currently debating whether or not to release smaller retailers from the obligation to accept cash as a payment method. Cash is on the retreat and alternative payment methods are advancing, but cash is still on the list.

Real-Time Payments (Instant Payments) – The European Central Bank (ECB) will push instant payments strongly in the near future. Instant or real-time payments are a trend that will be with us for a long time to come.

Regulatory Changes – The first Payment Services Directive (PSD) from 2007 is still the one currently implemented domestically. After a tough two-year negotiation period, the EU has now finally agreed on a second payment services directive (PSD2). The European Banking Authority (EBA) is set to develop more detailed guidelines and regulatory standards for the various industries affected. Payment industries should begin preparing for implementation now, so that they are ready to take the necessary steps in 2016/2017.

Posted in Best Practices for Merchants, e-commerce & m-commerce, Near Field Communication, Point of Sale, Travel Agency Agents

Breach
December 14th, 2015 by Elma Jane

The reality of data theft means that a breach can sometimes have two or three aftershock effects years down the line.

Eighty five percent of American consumers admitted that if significant personal consequences present themselves after their information is compromised as part of a breach, they would have no problem seeking a new place to spend their money.

In particular, 67 percent said that they would cut ties with the victimized brand if money was actually removed from their checking accounts, 62 percent said so if their credit cards were charged for fraudulent purchases, 57 percent said the same if their personal information was released and 54 percent would look elsewhere if their credit scores were affected.

It’s been two years since major retail attacks made data breach a household word, a vice president of an enterprise data security firm said.

As it becomes easier for customers to switch their preferred brands, data breach events can be too devastating for some merchants.

http://www.pymnts.com/news/2015/been-breached-say-bye-bye-to-customer-loyalty/

Posted in Best Practices for Merchants

PCI COMPLIANCE
November 3rd, 2015 by Elma Jane

While EMV represents a significant improvement in the way credit/debit card fraud is detected and prevented, some have confused EMV’s capabilities with the concepts of data security and PCI compliance.

Does EMV override PCI?

The answer is NO, EMV technology does not satisfy any PCI requirements, nor does it reduce PCI scope.

  • EMV is counterfeit card fraud protection – it makes it more difficult to make use of stolen card data.
  • EMV is not encryption – EMV does not encrypt the Primary Account Number (PAN) and therefore the card data must still be protected according to PCI guidelines.
  • EMV only works for card present transactions.

If your business accepts credit or debit cards in a physical store or other face-to-face setting, you will need to implement both EMV technology and the PCI standards. If you upgrade your terminals for EMV, consider adding point-to-point encryption (P2PE) capabilities to reduce PCI scope and protect data end to end. In addition, using tokens after authorization can prevent the card data from being used should it be stolen.

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security

October 23rd, 2014 by Elma Jane

The U.S. government will replace roughly 9 million government-issued payment cards with EMV chip-and-PIN versions early next year in a push to increase awareness and use of the more secure cards. Between 5 and 6 million prepaid debit cards used for issuing government payments, including Social Security and veterans benefits, will be reissued in January 2015. Another 3 million cards issued to federal government employees will also be replaced with EMV versions through the General Services Administration’s SmartPay program.

All the cards will be set up for Chip and PIN security as a U.S. government standard under the upgrade program, rather than the Chip and Signature approach required by Visa and MasterCard for most U.S. retailers starting late next year. However, there was no indication that the new cards will actually have the less secure magnetic data stripe removed.

Finding the right answers with the latest technologies to stop these cyber thieves, and taking proactive and positive steps by adopting chip-and-PIN technology for government-issued debit and credit cards, shows the importance of protecting financial transactions. While EMV is important, it’s not a total solution to the issue of data security.

POS devices at all federal agencies that accept retail payments will also be converted to accept EMV cards on a schedule set by the U.S. Treasury Dept. No timetable was given for the federal POS conversion.

The rollouts at four of the six largest U.S. retail chains will give a boost to EMV, which despite an October 2015 deadline has seen slow uptake among retailers. Under a mandate by Visa and MasterCard, retailers who experience credit or debit card fraud after next October but haven’t upgraded their POS equipment to accept EMV cards will be liable for the loss. If the bank that issued the card hasn’t upgraded it to EMV, the bank will take the loss.

But despite that October deadline, fewer than half of retailers’ POS terminals are expected to be able to accept EMV cards by the end of 2015, and barely half of U.S. payment cards will have been upgraded by then, according to the Payments Security Task Force, a banking industry group tracking EMV uptake.

The 9 million federally issued cards are a tiny fraction of the 1 billion credit and debit cards in use in the U.S., so the overall impact of accelerated EMV conversion is likely to be small. However, the Buy Secure initiative also explicitly includes a consumer-education component. Visa said it will spend $20 million in a public service campaign, and American Express said it will launch a $10 million program to help small merchants upgrade their POS terminals.

Small merchants are less likely to know about EMV than large retail chains, which have been making implementation plans for years.

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security

September 5th, 2014 by Elma Jane

Businesses are rapidly adopting a third-party operations model that can put payment data at risk. Today, the PCI Security Standards Council, an open global forum for the development of payment card security standards, published guidance to help organizations and their business partners reduce this risk by better understanding their respective roles in securing card data. Developed by a PCI Special Interest Group (SIG) including merchants, banks and third-party service providers, the information supplement provides recommendations for meeting PCI Data Security Standard (PCI DSS) requirement 12.8 to ensure payment data and systems entrusted to third parties are maintained in a secure and compliant manner.

Breach reports continue to highlight security vulnerabilities introduced by third parties as a leading cause of data compromise. The leading mistake organizations make when entrusting sensitive and confidential consumer information to third-party vendors is not applying the same level of rigor to information security in vendor networks as they do in their own. Per PCI DSS Requirement 12.8, if a merchant or entity shares cardholder data with a third-party service provider, certain requirements apply to ensure that continued protection of this data is enforced by such providers. The Third-Party Security Assurance Information Supplement focuses on helping organizations and their business partners achieve this by implementing a robust third-party assurance program.

Produced with the expertise and real-world experience of more than 160 organizations involved in the Special Interest Group, the guidance includes practical recommendations on how to:

– Conduct due diligence and risk assessment when engaging third-party service providers, to help organizations understand the services provided and how PCI DSS requirements will be met for those services.
– Develop appropriate agreements, policies and procedures with third-party service providers that include considerations for the most common issues that arise in this type of relationship.
– Implement a consistent process for engaging third parties that includes setting expectations, establishing a communication plan, and mapping third-party services and responsibilities to applicable PCI DSS requirements.
– Implement an ongoing process for maintaining and managing third-party relationships throughout the lifetime of the engagement, including the development of a robust monitoring program.

The guidance includes high-level suggestions and discussion points for clarifying how responsibilities for PCI DSS requirements may be shared between an entity and its third-party service provider, as well as a sample PCI DSS responsibility matrix that can assist in determining who will be responsible for each specific control area.

PCI Special Interest Groups are PCI community-selected and developed initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs. As part of its initial proposal, the group also made specific recommendations that were incorporated into PCI DSS requirements 12.8 and 12.9 in version 3.0 of the standard. One of the big focus areas in PCI DSS 3.0 is security as a shared responsibility. This guidance is an excellent companion document to the standard in helping merchants and their business partners work together to protect consumers’ valuable payment information.

Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security

September 4th, 2014 by Elma Jane

EMV, which stands for Europay, MasterCard and Visa, is slated to be mandated across the United States starting in October 2015; automated fuel dispensers have until October 2017 to comply. Unlike magnetic stripe cards, EMV chip cards encrypt data and authenticate communication between the card and the card reader. Additionally, the chip card user is prompted for a PIN for authentication.

Why are those dates important? Companies lose $5.33 billion to fraud today, with card issuers and merchants incurring 63 and 37 percent of these losses, respectively. Under the EMV mandate, merchants who do not process chip cards will bear the burden of the issuer loss. By accepting chip card transactions, merchants and issuers should see a reduction in fraud.

Overcoming Barriers to EMV Adoption

Given the significant barriers to EMV adoption, it may be tempting for merchants to meet minimum requirements for accepting EMV payments. However, medium to large retailers should also consider the bigger picture of customer security and peace of mind.

Some key critical success factors for a payment initiative of this size include:

Business Continuity Architecture: As with all payment systems, it is imperative to have the EMV system running at all times. The solution should preferably have Active-Active architecture across multiple data centers and have a low Recovery Point Objective (the point in time to which the systems and data must be recovered after an outage).

Cost Benefit Analysis: Take a top down approach and decide accordingly on the scope of the analysis. This will ensure that decisions on scope are made on basis of quantitative data and not just qualitative arguments.

Phased Approach: To overcome time or cost overage in a project of this scope and complexity, retailers should try using an iterative approach for development. The rollout can be divided into multiple releases of six to seven months, which will provide the opportunity to review, capture lessons learnt, and improve subsequent releases.

Proactive Monitoring Alerts: Considering the criticality of the business functions carried out by EMV, tokenization and the payment gateway, a rigorous monitoring environment must be defined to perform proactive and reactive monitoring. It should take into consideration the monitoring targets, tools, scope and methods. This will provide advance visibility of failure points and better ensure maximum system availability.

Resilience Testing: Typically in a software project, testing is limited to unit, integration, performance and user acceptance testing. However, due to the critical nature of the applications and systems involved, robust resiliency testing is vital. This will ensure that there are no single points of failure and that the system remains available when running under error conditions.

Stakeholder Identification: This is a key step to ensure that you have varied perspectives from all departments and their support. It will keep your organization from being blindsided and reduce the risk of disagreements in later stages of the program. Key stakeholders should include Store Operations, Card Accounting, Loss Prevention, Contact Center and IT & Data Security.

Organizations should adopt a five step approach to implement a secure, robust and industry-leading payment solution:

Encryption – Point-to-point encryption will ensure card data is secure and encrypted from the point of capture to the processor. Usually, merchants use data encryption that is not point to point, leaving their organization vulnerable to data breaches. Software encryption is the most common form of encryption, as it is easily installed and requires little or no hardware upgrade; however, it is less secure, may expose encryption keys, and is prone to memory-scanning attacks. Hardware encryption is considered more secure but requires more costly terminal upgrades. Hardware encryption is designed to destroy the keys if the device is tampered with, but this space is not well defined, as very limited headway has been made in it.

Tokenization – Build a Card Data Environment (CDE) that will host a centralized card data storage solution. Only limited applications with firewall access and capability to mutually authenticate via certificates can access CDE and receive card data. The rest of the applications will have tokens which are random numbers. This architecture will ease the merchant’s burden with existing and emerging PCI Data Security Standards.

Payment Gateway – Perform a risk assessment on the current payment gateway and identify gaps in functionality, manageability, compliance, scalability, speed to market and best practices. Determine the alternatives to mitigate the risks. Important aspects of a leading payment gateway solution include support for all forms of credit, debit, gift card and check transactions. Its ability to work with any acquirer, built-in encryption abilities, and support for settlement and reconciliation must also be taken into consideration.

Settlement, Funding and Reconciliation – A workflow-based system for handling chargebacks, with automated chargeback processing, will greatly reduce labor-intensive work and improve the quality of the data used for settlement and reconciliation. Upgrades to the existing receipt retrieval system may be needed.

Card fraud is on the rise in the U.S., and merchants are the primary target for information theft. With the EMV deadline just over a year away, the responsible retailer must take steps to prepare now. Although EMV implementation might seem overwhelming, merchants should start their journey to secure payments rather than wait for a looming deadline. Solutions such as data encryption and tokenization should be used in combination with EMV to build a robust payment solution that better protects merchants against fraud. By proactively adopting EMV payment solutions, merchants can stay ahead of the regulatory curve and better protect their customers from fraud.

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security, Visa MasterCard American Express

June 20th, 2014 by Elma Jane

A recent survey found that 82 percent of e-commerce merchants who do not currently employ a consumer authentication solution fear that such solutions will scare off online shoppers. With more and more fraud expected to migrate online in the coming years, the payments industry needs to do a better job of informing merchants why authentication in the card-not-present realm is crucial to data security.

While a majority of payment service companies employ some type of 3-D Secure online authentication, and most large merchants do likewise, the rest of the merchant population, especially in North America, apparently does not. 55 percent of merchants surveyed, a majority of them U.S.-based, do not use online authentication, and North America is the only world region where fewer than half of merchants use the technology. The reason so many U.S. merchants eschew consumer authentication is that they see it as a sales killer.

The main reason appears to be fear, uncertainty and doubt (FUD) about how consumer authentication will affect sales conversion and user experience. 43 percent of merchant respondents are FUD-preoccupied: 20 percent are concerned about the effect of the technology on sales conversion, 13 percent worry about changing the user experience and 10 percent simply want nothing to do with consumer authentication. Beyond the FUD concerns, merchants and service providers also have a very real perception that integration is long and difficult; 21 percent of merchants who do not employ authentication cite the time and/or cost of integration as the barrier.

End to FUD

The solution to merchant adoption of some form of 3-D Secure technology is apparently education. Many FUD concerns are a hangover from bad experiences with previous iterations of consumer authentication. But the report provides evidence that the FUD factor can be overcome, given how satisfied merchants already using authentication are: 81 percent of merchant respondents report satisfaction with the solutions they have employed.

The report said nearly half of merchants surveyed found that authentication had no effect on sales conversion, either positive or negative; however, almost 20 percent believe it has had a positive effect on sales. The positive result seems to be associated with merchants who use authentication selectively, on specific transactions rather than on all of them. The technology also leaves many merchants with fewer chargebacks: 59 percent of merchants overall say the authentication program brought a decrease in chargebacks, and this holds for more than half of merchants from each geographic region.

FYI on FUD

Adoption is very low because not many people understand it. Online verification does slow the checkout process, since a second screen pops up that consumers must navigate before proceeding with the purchase. However, these barriers can be overcome with education and simply getting people comfortable with the technology. If this solution had been on all e-commerce sites from day one, nobody would be complaining today, because people would be used to doing it. It is a question of achieving ubiquity rather than taking a piecemeal approach to implementation: whether you do it at one place or at every place. Doing it at only one site makes that site really secure; if all sites ask the same question, you get used to it.

Consumer authentication also requires buy-in from issuers, acquirers and merchants. It is a participation solution: the issuer and the acquirer both have to take part. If you are an e-commerce site certified with Verified by Visa, the card brand’s proprietary version of 3-D Secure, but the card issuer has not embraced it, then the authentication will not happen.

The increasing number and frequency of breaches is slowly eroding consumers’ trust in the safety of e-commerce, which is not good for the whole ecosystem. At some point people will come back and say that online card transactions are too risky. Before that point is reached, businesses should improve their online defenses, and consumer authentication is central to that defense. With the U.S. payments infrastructure transitioning to the Europay/MasterCard/Visa (EMV) chip card standard at the physical POS, fraud in the United States will sharpen its focus on the less secure online channel. EMV will do a lot of good for card-present security, but it does nothing for card-not-present environments. So how are we going to contain online fraud? We have to go to a 3-D Secure type of solution.
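The following is an added illustration, not code from the original post, of two points made above: merchants who apply consumer authentication selectively report better results than those who challenge every order, and 3-D Secure only happens when the card's issuer participates. The risk rules, their weights, the step-up threshold and the table of issuer-enrolled card prefixes are all constructed for the example; a real integration would ask the card scheme whether the issuer is enrolled rather than consult a local table.

```python
# Added illustration of a selective step-up policy (not code from the
# original post). Low-risk orders go through without an authentication
# screen; higher-risk orders are sent to 3-D Secure when the issuer takes
# part, and flagged for other controls when it does not.
from dataclasses import dataclass

# Constructed: card-number prefixes (BINs) whose issuer supports 3-D Secure.
# Assumption for the example only; in practice this comes from the scheme.
ISSUER_ENROLLED_BINS = frozenset({"411111", "555555"})

STEP_UP_THRESHOLD = 50   # constructed score at or above which we challenge


@dataclass(frozen=True)
class Order:
    amount: float
    card_bin: str                  # first six digits of the card number
    account_age_days: int          # how long the customer has had an account
    shipping_matches_billing: bool
    prior_chargebacks: int


def risk_score(order: Order) -> int:
    """Additive rule score; the rules and weights are illustrative."""
    score = 0
    if order.amount > 200:
        score += 30
    if order.account_age_days < 30:
        score += 20
    if not order.shipping_matches_billing:
        score += 25
    score += min(order.prior_chargebacks, 2) * 25
    return score


def authentication_decision(order: Order) -> str:
    """Return one of:
    'frictionless'        - low risk, no second screen shown to the shopper
    'step_up'             - send to 3-D Secure; the issuer participates
    'issuer_not_enrolled' - we wanted to authenticate but cannot, so the order
                            must rely on the merchant's other fraud controls
    """
    if risk_score(order) < STEP_UP_THRESHOLD:
        return "frictionless"
    if order.card_bin in ISSUER_ENROLLED_BINS:
        return "step_up"
    return "issuer_not_enrolled"


def challenge_rate(orders) -> float:
    """Share of orders that would actually see the 3-D Secure screen."""
    if not orders:
        return 0.0
    challenged = sum(1 for o in orders if authentication_decision(o) == "step_up")
    return challenged / len(orders)


if __name__ == "__main__":
    # Constructed sample orders.
    sample = [
        Order(40.0, "411111", 400, True, 0),     # returning customer, small basket
        Order(950.0, "411111", 3, False, 0),     # new account, ships elsewhere
        Order(950.0, "601100", 3, False, 0),     # same risk, issuer not enrolled
        Order(150.0, "555555", 10, True, 1),     # one prior chargeback, modest amount
    ]
    for o in sample:
        print(o.amount, o.card_bin, risk_score(o), authentication_decision(o))
    print("share of shoppers challenged:", challenge_rate(sample))
```

The `issuer_not_enrolled` outcome is the practical consequence of the participation point above: a merchant can be fully certified and still get no authentication for a given card, so the decision function has to say so explicitly rather than silently treating the order as authenticated.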

Posted in Best Practices for Merchants