Travel
March 16th, 2016 by Elma Jane

More and more travel agents and tour operators work in a card-not-present environment, which opens the door to travel agency credit card fraud. Travel agencies are among the highest-risk merchants as far as credit card processors are concerned. The likely reason is dispute and chargeback transactions.

So what should you do to reduce risk, whether you have just started your travel agency or have been in business for years?

First, understand the potential liability associated with selling airfares online before you even apply for a merchant account. Understanding risk exposure will help a travel agency take adequate steps to minimize losses associated with chargebacks.

A good example is an airline sales agent. A travel agency or a tour operator merchant account may be liable for the entire amount of an airline ticket, if it is successfully disputed by a customer or if it was purchased with a stolen credit card.

To reduce risk, you will need to set up card acceptance policies and procedures to address the following issues:

  1. Authorization requests approved by an issuer. In most cases, airlines are liable for card-not-present transaction fraud, even when the transactions were approved by the card issuer, because authorization approval is not proof that the legitimate cardholder is making the purchase, nor is it a guarantee of payment.
  2. As a travel agency, your organization may not necessarily be a Visa or MasterCard merchant, subject to the Credit Card Associations’ rules and regulations. In most fraud-related transactions, the airline transfers liability to the travel agency it has partnered with as part of the contractual agreement. In such cases, your organization will bear the full financial responsibility.

Selecting a payment processor is a big step; choose one with experience in working with travel agencies and other high-risk merchants. Your processor must be able to assist you with your fraud prevention procedures.

Check out National Transaction Corp.; we are the travel experts when it comes to electronic payments for travel agencies! Give us a call now at 888-996-2273 or visit us at www.nationaltransaction.com

Posted in Best Practices for Merchants, Travel Agency Agents

Breach
February 5th, 2016 by Elma Jane

Businesses and banking institutions must require consumers to use other types of authentication methods, like biometrics, mobile verification codes and geo-location.

Merchants and banks can expect more hackers to breach customer accounts that rely only on usernames and passwords for online authentication.

This type of fraud will only grow as hackers recognize and take advantage of the opportunity presented by on-file accounts protected by weak authentication.

Many online users use the same username and password for multiple accounts; once those credentials are compromised, criminals can use them to access accounts on different websites.

Password vaults and safes that are easy and efficient to use, combined with user education, offer a solution to this problem.

Stronger authentication that goes far beyond username and password is a powerful tool in the effort to prevent data breaches.

Posted in Best Practices for Merchants

EMV
January 28th, 2016 by Elma Jane

The shift to EMV is helping to address vulnerabilities in the United States payments ecosystem. It has been shown that EMV can deliver benefits as a part of industry efforts to combat fraud. 

EMV migration is a critical focus for enhancing payments security, which is why the current efforts around chip card deployment are greatly beneficial for consumers and merchants alike. EMV technology helps to reduce counterfeit card fraud, as it generates dynamic data with each payment to authenticate the card, after which the cardholder is prompted to sign or enter a PIN to confirm their identity.

The EMV rollout represents a dynamic time for card payments that promises great advances, among them enhanced security for cardholders. It also presents an opportunity to consider other innovations such as mobile wallets and mobile POS to further engage your customers and drive customer loyalty. When merchants continue to invest in EMV and NFC (near field communications, used for tap-and-pay transactions), the purchases made at their EMV-enabled terminals are more secure than magnetic stripe purchases.

New mobile payment options such as mobile wallets support EMV and therefore offer this added layer of security. Ultimately, by enabling contactless payments, merchants can also enable more flexibility in addition to increasing security for their customers.

Additionally, industry players are backing major mobile wallets, such as Android Pay, Apple Pay, and Samsung Pay.

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Smartphone

PCI COMPLIANCE
November 3rd, 2015 by Elma Jane

While EMV represents a significant improvement in the way credit/debit card fraud is detected and prevented, some have confused EMV’s capabilities with the concepts of data security and PCI compliance.

Does EMV override PCI?

The answer is NO. EMV technology does not satisfy any PCI requirements, nor does it reduce PCI scope.

  • EMV is counterfeit card fraud protection – it makes it more difficult to make use of stolen card data.
  • EMV is not encryption – EMV does not encrypt the Primary Account Number (PAN) and therefore the card data must still be protected according to PCI guidelines.
  • EMV only works for card present transactions.

If your business accepts credit or debit cards in a physical store or other face-to-face setting, you will need to implement the EMV technology and PCI standards. If you upgrade your terminals for EMV, consider adding point-to-point encryption (P2PE) capabilities to reduce PCI scope and protect data end to end. In addition, using tokens after authorization can prevent the card data from being used, should it be stolen.

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security

Identity
October 29th, 2015 by Elma Jane

What is Identity Theft?

Identity theft and identity fraud are terms used to refer to all types of crimes in which someone wrongfully obtains and uses another person’s personal data.

Basic categories of identity theft:

Account Takeover Fraud – one of the two basic forms of financial identity theft. It occurs when a fraudster obtains and uses a victim’s personal information to take control of existing bank or credit card accounts and carries out unauthorized transactions right at a point of sale or accesses individual accounts online. Victims are often the first to detect account takeover when they discover charges on monthly statements they did not authorize or funds depleted from existing accounts.

Business or commercial identity theft – entails using a business’ name to obtain credit or even billing a business’ clients for products and services. Business identity theft can go on for years undetected.

Criminal identity theft – occurs when an imposter gives another person’s name and personal information such as driver’s license, date of birth, or Social Security Number to a law enforcement officer during an investigation or upon arrest.

Identity cloning – some people use identity theft and identity cloning interchangeably, but they are definitely not the same thing. True identity clones pretend to be you; they want to assume your identity. They want to become YOU.

Medical identity theft – occurs when someone steals your personal information (like name, Social Security Number or Medicare Number) to obtain medical care in your name. Medical identity theft can damage your credit rating.

New Account Fraud – means using another’s personal identifying information to obtain products and services. New credit card accounts are the most prevalent form of new account fraud. Because the thief is likely to use a different mailing address, the victim never sees the bill for the new account. When this type of fraud involves a credit card, once the new plastic is issued, the criminal turns it into cash very quickly. Victims may also be denied credit as a result of applying for loans.

Posted in Best Practices for Merchants

E-Pay
October 20th, 2015 by Elma Jane

We’ve covered a lot about EMV, but what about improving security for online and Card-Not-Present transactions? That’s where 3-D Secure comes in.

3-D Secure allows a card holder to authenticate himself while making an online payment.

In a traditional credit card transaction, a payment request is presented to the issuing bank for authorization. The issuing bank authorizes the transaction based solely on the funds available to the card holder.

With card present, the magnetic stripe on the card can be read and a signature collected. This process has now been largely superseded by Chip and PIN, which gives the card holder the opportunity to identify himself via a secret PIN code.

An e-commerce transaction is conducted online, without the possibility to access the card physically. Unauthorized usage and fraud are therefore more likely.

3-D Secure allows transactions to be conducted in safety online, greatly reducing the risk of fraud and chargebacks.

How 3-D Secure Works

When a payment request arrives at the merchant or payment gateway, the Merchant Plug In (MPI) component is activated. The MPI talks to Visa or MasterCard to check if the card is enrolled for 3-D Secure. If the card is not enrolled, this means that either the bank that issued the card is not yet supporting 3-D Secure or it means that the card holder has not yet been registered for the service. If the card is enrolled, the MPI will redirect the card holder to the 3-D Secure authentication web page for the issuing bank; the card holder will then identify himself. The MPI will evaluate the reply from the bank and, if successful, allow the transaction to proceed for authorization. The transaction could still fail for lack of funds or other reasons but is more likely to be approved because of the authentication.
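The flow described above, as an added Python example that is not part of the original post or of any real MPI product: a simplified model of the MPI decision path, including why the MPI must evaluate the bank's reply instead of trusting it. The card numbers, key, function names, the policy flag for unenrolled cards, and the HMAC (a stand-in for the issuer's signature on its reply, whose format the post does not describe) are all assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data; every name and value here is hypothetical.
ENROLLED = {"4000000000000002"}       # cards the directory reports as enrolled
ISSUER_KEY = b"constructed-demo-key"  # stand-in for the issuer's signing key


@dataclass
class Payment:
    order_id: str
    pan: str
    amount_cents: int


def sign_reply(order_id, amount_cents, status):
    """Issuer side: bind the result to one order and one amount."""
    msg = f"{order_id}|{amount_cents}|{status}".encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()


def issuer_reply(p, cardholder_ok):
    """Stand-in for the issuing bank's authentication page."""
    status = "Y" if cardholder_ok else "N"
    return {"order_id": p.order_id, "amount_cents": p.amount_cents,
            "status": status,
            "sig": sign_reply(p.order_id, p.amount_cents, status)}


def evaluate_reply(p, reply):
    """MPI side: accept only an intact reply for this exact order and amount."""
    expected = sign_reply(reply["order_id"], reply["amount_cents"], reply["status"])
    if not hmac.compare_digest(expected, reply["sig"]):
        return False                      # altered after the issuer signed it
    if (reply["order_id"], reply["amount_cents"]) != (p.order_id, p.amount_cents):
        return False                      # valid reply, but for another payment
    return reply["status"] == "Y"


def mpi_process(p, get_reply, funds_cents, allow_unenrolled=False):
    """Run one payment through the flow and return its outcome."""
    authenticated = False
    if p.pan in ENROLLED:
        authenticated = evaluate_reply(p, get_reply(p))
        if not authenticated:
            return "declined: authentication failed"
    elif not allow_unenrolled:            # merchant policy, an assumption here
        return "declined: card not enrolled"
    if p.amount_cents > funds_cents:      # authorization can still fail
        return "declined: insufficient funds"
    return "approved: authenticated" if authenticated else "approved: unauthenticated"


def tampered_reply(p):
    """A failed authentication whose status was changed after signing."""
    reply = issuer_reply(p, cardholder_ok=False)
    reply["status"] = "Y"
    return reply
```

An approval that comes back as "unauthenticated" is the case a merchant would route to additional fraud screening, since no card holder authentication took place.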

3-D Secure allows 3 domains to work together.

Domain 1: The card holder has the peace of mind that his card is not used without his authorization.

Domain 2: Merchants are protected from fraud and can provide the product and service without delay or extra costs.

Domain 3: Banks see that the transaction has been authenticated and are more likely to approve the transaction, to the convenience of the card holder.

Implementations of 3-D Secure:

  • Visa: Verified by Visa
  • MasterCard: SecureCode
  • Amex: SafeKey
  • JCB: J/Secure

Posted in Best Practices for Merchants, e-commerce & m-commerce, Internet Payment Gateway

May 4th, 2015 by Elma Jane

The rate of payments fraud is steadily decreasing; the current frequency stands at 0.06 percent or six basis points.

The perception of risks associated with card payments is much larger than the actual threat or reported losses. But the lack of trust that comes from such perception could impact the growth of the payments industry.

Recent advancements in payments security, such as tokenization and multiple tier authentication protocols, have contributed to the manageable number of fraudulent transactions. The EMV migration is expected to push the figure even lower, as chip-enabled technology spreads to over 50 percent of the US by the end of 2015.

For criminals, breaking into robust financial systems is becoming more costly and time consuming, which has discouraged many from attempting such unlawful acts.

Fraud is something that we can’t say will be eliminated completely. But efforts by all stakeholders in the industry can contain it to the minimum.

Counterfeit cards and payments data falling into the wrong hands are the two most common types of fraud that consumers are facing today. The surge in e-commerce has been linked to greater risks of fraud in the online channel, and while counterfeiting cards may be more difficult with EMV in place, online fraud has historically increased in its place.  

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa

April 13th, 2015 by Elma Jane

With only six months to go before the EMV chip-card liability shift takes effect, many U.S. merchants are not yet aware of the EMV migration.

When the Oct. 1 liability shift takes hold, merchants not accepting the new chip-card technology will become liable for any losses resulting from payment card fraud at the point of sale. Some merchants have stated that they would rather trust their existing security measures than pay for the upgrade to EMV, but others still need to educate themselves on the benefits and drawbacks of EMV – and it’s not even clear how many are out of the loop.

The challenge is that no one really knows about the level of EMV readiness because there is no single, common way to reach all of the merchants of all different levels and sizes at the same time.

Instead, various organizations are picking bits and pieces of the market they can reach and doing everything they can to inform merchants and help them determine whether they are moving toward chip-based technology or not.

EMV cards improve security at the point of sale by including technology that makes them resistant to counterfeiting. They can also be used with a PIN to address stolen card fraud. Though the card networks set an October deadline for conversion to EMV technology, it is not a mandate; companies will still be able to handle credit card transactions even if they do not have EMV technology in place.

And even the merchants that have the right technology installed may not be using it properly. During the EMV preparedness process, it has become apparent that installed EMV terminals had not been turned on or otherwise were not fully capable of accepting EMV transactions.

The confusion extends to the banks as well. Not all issuers will be ready for EMV, and some have outright stated that they do not think it will be possible to meet this year’s deadline.

In a move designed to get more small-business merchants on board with EMV, Visa Inc. introduced a 20-city small business chip education tour last month.

The real measurement of the implementation will be in transaction volumes, or actual chip-on-chip transactions.

Even though the liability shift is just six months away, it is still really early to make a determination on all of this.

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Point of Sale, Visa MasterCard American Express

January 21st, 2015 by Elma Jane

With a crucial deadline approaching, the payments industry is starting to look at just what kind of fraud liability and how much fraud merchant acquirers will have to assume if their merchants aren’t ready to accept Europay-MasterCard-Visa (EMV) chip cards by October.

While issuers currently absorb losses under card-network rules, that burden will shift to acquirers this fall in cases where the fraud occurs at merchants unprepared for EMV.

As a result, acquirers will have to reckon with a whole new category of risk exposure.

In card-not-present transactions, acquirers have faced this, but in the overwhelming majority of cases they’ll be confronting it for the first time.

Surprisingly, for all the talk in the industry about the imminent arrival of EMV, it appears few acquiring executives have fully accounted for what the shift really means for them.

Some 24% of U.S. point-of-sale terminals are “EMV-capable,” while 9% of debit/prepaid cards issued, and 2% of credit cards have EMV chips so far. But while terminals may be technically capable, it isn’t known just how many of these merchants have the software and trained personnel to accept EMV.

Foreign issuers, especially, may be licking their chops at the prospect of offloading their consumer-fraud risk onto U.S. acquirers. For years and years, these non-U.S. issuers have invested in EMV, but the U.S. is still using the mag stripe. So non-U.S. issuers appear to be very aware of the liability shift.

To be sure, acquirers’ increased risk exposure may be relatively short-lived. Under the network rules, liability rests with the issuer in cases where both the merchant and the issuer are EMV-compliant. That could be nearly universally the case within a few years. By 2018, nearly all cards and terminals will be compliant.

But that still leaves open the question of how many of these terminals will really be running chip card transactions.

The issue isn’t so much about terminals as about software. Many mid-size merchants are using so-called integrated solutions that run payments as part of a larger business-management system. That means acquirers must work with a number of other parties to reconfigure software, and that presents a challenge when it comes to getting masses of merchants EMV-compliant.

The bigger problem is the integrated point-of-sale market.

While the liability shift may impact acquirers, not all of them are convinced their exposure will rise all that much. Some argue the risk of loss from lost/stolen/counterfeit cards at the point of sale is low and not likely to rise, especially for small-ticket merchants.

Fraudsters are much more inclined to practice their trade online, where the risk of being caught is lower compared to face-to-face transactions.

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Reader Terminal, Credit Card Security, EMV EuroPay MasterCard Visa, Visa MasterCard American Express

September 19th, 2014 by Elma Jane

MasterCard is claiming a 98% success rate for pilot trials of a biometric verification system combining both voice and facial recognition.

It recently held a closed pilot to understand the consumer experience around voice and facial recognition.

A beta mobile app was tested in an e-commerce environment on over 14,000 transactions. The test group used both Android and iOS operating systems. The results yielded a successful verification rate of 98%, using a combination of voice and facial recognition. The process usually took less than 10 seconds.

With the first wave of apps utilising Apple’s TouchID fingerprint recognition system coming to market (both US neo-bank Simple and PFM outfit Mint have shipped their first iOS upgrades to incorporate the technology), biometric verification is beginning to gain currency among businesses and consumers as a useful tool in the fight against fraud.

The launch of Apple Pay will start to bring true scale to the next generation of payments authentication. The challenge is to take lessons from the different applications of biometrics already in place and elevate them into the next generation of authentication, not just for one platform, but for the mass market globally.

MasterCard already has first-hand experience of a mass-market implementation of biometric card technology with the recent launch of the Nigerian eIDcard, which combines payment card functionality with a mix of fingerprint, facial and iris recognition.

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Visa MasterCard American Express