March 17th, 2014 by Elma Jane

Lots of talk has gone on since the recent spate of merchant data breaches on ways to potentially prevent hackers from gaining access to stored payment card data. Use of biometric information, such as a fingerprint, to access stored credentials is among the solutions often bandied about.

The prospect of using individuals’ biometric information for credentialing is fairly scary. Security may be what biometrics is trying to achieve, but it’s also its biggest flaw. Imagine having had your fingerprint information stored at Target this holiday season: that information would now be in the hands of lots of people not intended to have access to it. Unlike a password, a fingerprint can’t be changed, so once someone has the print, they have it forever. Even a biometric-based system therefore has to have a lot of other security measures, and that could include GPS-based location services tied to an individual’s smartphone.

Biometrics alone won’t work. It’s very scary that that information could be stored in a way that someone could figure out how to get it. Even if encrypted, that’s a huge security concern. You can’t change your fingerprint.


February 20th, 2014 by Elma Jane

Several options exist for mobile credit card processing.

Credit card processing on iPhone/iPad/Android/BlackBerry or tablets – Using NTC’s portable credit card readers, merchants can now swipe credit cards on iPad or Android tablet devices. NTC’s Virtual Merchant solution allows users to download a secure application to interface your smartphone with our merchant account services seamlessly. The application sends credit card processing data over the carrier’s network or a WiFi connection to the internet.

NTC’s MagTek Bullet Swipe Credit Card Reader for Android Phones and Tablets.

Using any Android 2.2 or higher device, you can process credit card transactions securely to the smartphone via Bluetooth and use the wireless device’s internet connection (WiFi or carrier) to send the credit card processing data encrypted for processing approval.

Security anywhere. With the BulleT Secure Credit Card Reader Authenticator (SCRA), security comes with the flexibility and portability of a Bluetooth wireless interface. Small enough to fit into the palm of your hand, the BulleT enables secure wireless communications with a PC or mobile phone using the popular Bluetooth interface. Not only does the BulleT encrypt card data from the moment the card is swiped, but it also enables card authentication to immediately detect counterfeit or altered cards.

Ideal for merchant services accounts and financial institutions’ mobile credit card processing, NTC’s BulleT offers MagneSafe credit card processing security features with the convenience of a Bluetooth interface. This powerful combination assures the credit card data protection, transaction security and convenience needed to secure mobile credit card processing with strong encryption and 2-factor authentication. The BulleT is specifically designed to leverage the existing magnetic stripe credit card reader as a secure token, empowering cardholders with the freedom and confidence of knowing that their credit card transactions are secure and protected anytime, anywhere. Android Credit Card Swipe Reader for Android Phones and Tablets on your wireless mobile merchant account.

 

NTC’s MagTek iDynamo Credit Card processing swipe reader for iPhone and iPad.

Credit card processing on an iPhone has never been easier. Simply attach NTC’s iDynamo card reader to your iPhone or iPad device, install our Virtual Merchant software from the App Store and you’re ready to go. Take advantage of lower credit card processing rates by processing swiped transactions instead of keying the credit card in later, and get paid faster. From the company that leads with Security from the Inside, MagTek has done it again with the iDynamo, a secure card reader authenticator (SCRA) designed to work with the iPhone and iPad. The iDynamo offers MagneSafe™ security and delivers open-standards encryption with simple yet proven DUKPT key management, immediate tokenization of card data and MagnePrint card authentication to maximize data protection and prevent the use of counterfeit cards. Mobile merchants can now leverage the power of their iPhone/iPod Touch products without the worries of handling or storing sensitive card data at any time. Ideal for wireless mobile merchant accounts and mobile credit card processing, the iDynamo offers MagneSafe security features combined with the power of iPhone and iPod Touch products. This powerful combination assures convenience and cost savings, while maximizing credit card data protection and credit card transaction security from the moment the card is swiped all the way to authorization. No other credit card reader beats the protection offered by a MagneSafe product.

Other credit card devices claim to encrypt data in the reader. NTC’s iDynamo encrypts the data inside the read head, closest to the magnetic stripe and offers additional credit card security layers with immediate tokenization of card data and MagnePrint card authentication. This layered approach to security far exceeds the protection of encryption by itself, decreases the scope of PCI compliance, and reduces fraud.

NTC’s iDynamo is rugged and affordable, so it not only withstands real world use, it performs to the high standards set by MagTek as the leader in magnetic credit card swipe reading products for nearly 40 years.


December 5th, 2013 by Elma Jane

Three key benefits mPOS can provide PSPs. mPOS:

1. Maintains A Continuity Of Operations 
mPOS solutions also ease the process of accepting and approving payments, according to the white paper. By enabling face-to-face card present transactions, mPOS allows transactions to be conducted in a highly secure manner. Further, once the encrypted transaction data is decrypted securely by the PSP at the payment gateway (with no access granted to the merchant), the onward presentation of the data into the acquiring network is consistent with that used historically for traditional POS terminals.

2. Simplifies Merchant Support 
Thales suggests the biggest benefit to PSPs is that mPOS reduces the variety of costs PSPs need to cover to support merchants, cutting expenses related to equipment, security and PCI DSS compliance. This, the white paper says, allows PSPs that utilize mPOS to better allocate resources toward handling higher transaction volumes and acquiring business.

3. Supports Both Magnetic Stripe and EMV Cards 
Another benefit to PSPs is that mPOS, despite its recent entrance to the market, is already widely available. The white paper explains that since the mPOS revolution quickly migrated from the U.S. abroad, mPOS solutions now exist to serve the unique needs of both markets. While this means challenges for merchants operating globally, PSPs benefit from being able to address the needs of merchants who want to opt for any and all available market solutions.

Much has been said about the recent explosion of the mobile point-of-sale (mPOS) market and how micromerchants are driving this payments revolution. But, what this story doesn’t communicate effectively is that small merchants aren’t the only stakeholders benefiting from the ongoing mPOS migration.

Payment service providers (PSPs) are another member of the mPOS value chain that can gain flexibility and security through these solutions, new research from data protection solution provider Thales suggests.

“Both merchants and PSPs have operational and logistical issues with traditional POS terminals associated mainly with the highly controlled and certified environment in which they must be used,” Thales writes in its latest white paper on the topic, “mPOS: Secure Mobile Card Acceptance.”

The 27-page white paper provides an extensive overview of the ongoing POS revolution, explaining how mPOS can reduce friction and costs for merchants, illustrating how the technology works step-by-step and highlighting the roles that each stakeholder plays along the value chain.


November 15th, 2013 by Elma Jane

November 7, 2013 –  Payment Card Industry (PCI) Council’s recent acceptance of the world’s first Point-To-Point Encryption-validated solution is great news for both acquirers and merchants, and will aid in reducing merchant scope and increasing business security worldwide. If your P2PE know-how is a little spotty, here are the basics.

What is P2PE?

Point-To-Point Encryption (P2PE) is the combination of hardware and processes that encrypts customer credit/debit card data from the point of interaction until it reaches a merchant solution provider’s environment for processing. Because card data is immediately encrypted as the card is swiped (or dipped), it prevents clear-text information from residing in the payment environment. Encrypted card data is then transferred to, decrypted by, and processed through the solution provider processor, who is the sole holder of the decryption key.

Many question the difference between P2PE and typical point of sale (POS) encryption. In a POS environment, merchants often store decryption keys on their backend servers. Bad idea. If a cybercriminal hacks into that environment, they not only have access to the encrypted card numbers, but the decryption key as well. Hacker jackpot.

The reason P2PE is arguably the most secure way to process is because merchants don’t have access to decryption keys. If a hacker breaches a merchant using a validated P2PE solution, he/she will only recover a long string of useless encrypted card numbers with no way to decode them.
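The difference between the two models, as an added example that is not from the original post or from any P2PE vendor: it audits a copy of each merchant environment for card numbers that can be read in clear. The HMAC-based keystream, the per-device key derivation and all names (`Provider`, `swipe`, `exposed_pans`) are assumptions for illustration, standing in for a real reader's cipher and key management.

```python
# Illustration only: constructed data, stand-in cipher, hypothetical names.
import hashlib
import hmac
import secrets

def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in cipher (HMAC-SHA256 counter keystream); encrypts and decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def luhn_ok(text: str) -> bool:
    """True if text is all digits and passes the card-number checksum."""
    if not text.isdigit():
        return False
    d = [int(c) for c in reversed(text)]
    return (sum(d[0::2]) + sum(sum(divmod(2 * x, 10)) for x in d[1::2])) % 10 == 0

class Provider:
    """Solution provider: sole holder of the base key; device keys are
    injected into readers before shipping and never given to the merchant."""
    def __init__(self):
        self._base_key = secrets.token_bytes(32)

    def device_key(self, serial: str) -> bytes:
        return hmac.new(self._base_key, serial.encode(), hashlib.sha256).digest()

    def decrypt(self, rec: dict) -> str:
        return xor_stream(self.device_key(rec["serial"]), rec["nonce"], rec["ct"]).decode()

def swipe(serial: str, key: bytes, pan: str) -> dict:
    """Runs inside the reader: the card number is encrypted at the swipe."""
    nonce = secrets.token_bytes(12)
    return {"serial": serial, "nonce": nonce, "ct": xor_stream(key, nonce, pan.encode())}

def exposed_pans(snapshot: dict) -> list:
    """Audit: card numbers readable using only what the snapshot itself holds."""
    found = []
    for key in snapshot.get("keys", []):
        for rec in snapshot["records"]:
            text = xor_stream(key, rec["nonce"], rec["ct"]).decode("ascii", "replace")
            if luhn_ok(text):
                found.append(text)
    return found

def demo():
    pan = "4111111111111111"                      # constructed test card number
    provider, pos_key = Provider(), secrets.token_bytes(32)
    # Typical POS encryption: ciphertext and key sit on the same back end.
    pos = {"keys": [pos_key], "records": [swipe("POS-01", pos_key, pan)]}
    # P2PE: the merchant stores only what the reader emitted, and no key.
    rec = swipe("READER-0001", provider.device_key("READER-0001"), pan)
    return exposed_pans(pos), exposed_pans({"keys": [], "records": [rec]}), provider.decrypt(rec)
```

`demo()` returns the card numbers exposed by the merchant-held-key snapshot, those exposed by the P2PE snapshot, and the provider's own decryption of the P2PE record.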

Why use P2PE?

Basically, P2PE increases data security and has the ability to make a merchant’s job of reaching PCI compliance easier. The main point of using a P2PE-validated solution is to significantly lessen the scope of security efforts through PCI Data Security Standard (DSS) requirement and P2PE Self-Assessment Questionnaire (SAQ) reduction. Compared to the 80+ questions required of mainstream merchant SAQs, the P2PE-HW SAQ only requires merchants to answer 18 questions.

Are all P2PE solutions created equal?

The answer is no. Many P2PE solution vendors claim their solution reduces scope, but in order for a merchant to qualify, they must select only P2PE-validated solutions listed on the PCI Council’s website.

To get P2PE solutions and applications listed on the approved website, solution provider processors must go through a rigorous testing process performed by a P2PE Qualified Security Assessor (QSA). P2PE QSAs help entities through the 210-page document of P2PE requirements, testing procedures, and controls required to keep cardholder data secure – a task which only a few companies in the world can do.

As of this post, the only P2PE hardware solution approved by the PCI Council is European Payment Services’ (EPS) Total Care P2PE solution, validated by P2PE QSA SecurityMetrics. A number of other P2PE solutions are currently undergoing the review process and will be added to the list once approved.


October 21st, 2013 by Elma Jane

Now is a good time for merchants to start noting how their provider is handling card company fee changes as well as any future rate and fee changes, especially if their contract will expire in 2014.

October 2013 Rate and Fee Increase Notices

Visa, MasterCard, and Discover Credit card companies generally make rate and fee changes in the April and October time frame, although they have also made changes at other times of the year. Inevitably, some banks and merchant account providers seem to take advantage of the card company changes by increasing or adding their own mark-ups and by pointing too much of the blame at the card companies for the increases. This time around isn’t much different than others and merchants have sent me some rate and fee increase notices that go well beyond any card company changes.

In understanding how your provider is handling the latest card company changes, keep in mind that there are two important changes for October 2013:

Discover introduced a .25 cent increase to all transactions.

MasterCard introduced a .25 cent increase to certain transactions.

Below are two examples of recent notices on the October changes. Understanding the above .25 cent changes, how would you rate these providers?

Notice 1: 0.02 Percent + $0.02 Increase

“MasterCard, Visa and Discover typically evaluate the Interchange rates and fees twice per year most often in April and October. Based on recent changes as well as analysis from other network providers and vendors, the following changes to your merchant account are being implemented and will be reflected in your merchant statements for transactions processed beginning in October:

Tiered Pricing Merchants: Qualified Rate for Visa, MasterCard and Discover will increase 2/100th of a percent;

Interchange Plus Merchants: Percentage charged in excess of Interchange will increase by 2/100ths of a percent; and

Transactions Fees for all authorized transactions will increase by $0.02/transaction.”

Notice 2: 0.40 Percent Increase

“Effective October 1, 2013, the discount rates charged for your Visa, MasterCard, and Discover (as applicable) credit card and non-PIN (signature) debit card transactions will increase by 0.400%. We have increased these charges based on a variety of factors, including recent Card Organization changes and our own pricing considerations. This change will appear beginning with your October month-end statement you will receive in November.”

Your Statements

Now go back to the statements you received in August and September, or any notices you received via mail, and read the notice your provider posted for these changes. Did the provider announce the actual change, or did it state something quite different? If it’s the latter, make sure it adjusts pricing accordingly. Also, make sure you monitor your rates, fees, and notices going forward to determine the best long-term course of action. If the provider needs you to extend your contract to correct its overcharges, then there are probably bigger pricing issues, and more assertive action is required by you to investigate your overall processing cost.

EMV Capable Terminals

To reduce fraud in the U.S., the card companies are introducing cards that have a chip as well as the current magnetic strip. Chip cards are prevalent outside the U.S. and EMV — Europay, MasterCard, and Visa — established the technical standards for processing them.

Here is what brick-and-mortar merchants should understand about EMV.

Brick-and-mortar merchants should have equipment capable of processing EMV chip card transactions by October 2015 as certain fraud liability will shift from the bank that issued the card to the merchant. The equipment may be a terminal or a chip card reader attached to the terminal or POS system.

Certain credit card transactions will require a PIN number instead of a signature, similar to PIN debit transactions today. Also, like the current PIN debit devices, each chip reader will need to be encrypted, and the encryption code is processor specific. Therefore, if a merchant has an encrypted device, changing processors may be more costly, as the encryption cannot simply be downloaded over the phone or Internet as is done with terminal reprogramming now. Instead, the encrypted device will need to go back to the provider for encryption or be swapped with an encrypted device, or a new encrypted device may be needed.

“EMV capable” can mean very little. In fact, if you have purchased or leased an “EMV capable” terminal, it may simply mean that it has the slot or contactless connection to place the chip card and the terminal may have the capability to eventually be encrypted to actually process chip cards. However, the cost and time required to do so could be prohibitive.

However, merchants should be planning to have equipment capable of processing chip cards by October 2015. In fact, they should be planning to have the equipment capable of processing chip cards well ahead of October 2015, perhaps as early as late 2014, to ensure receiving it in time.

If a merchant’s existing terminal fails or is no longer supported, the merchant should inquire about EMV terminals as a replacement. However, ask if it comes fully encrypted and capable of actually processing an EMV transaction or if it will need the encryption later. Right now, the answer is likely that the terminal will need encryption later. If so, the merchant should obtain the time frame, process, and cost for enabling the terminal to actually process chip cards. This should be in writing. Remember, new terminals cost the provider around $150 to $250 and the encryption may be an extra $25 to $50.

Make sure you are comfortable with your provider and have negotiated the best processing cost before changing to encrypted EMV equipment.

Merchants do not need EMV terminals today and very few providers actually have terminals that can process an EMV chip card transaction right now.

 
