May 19th, 2015 by Elma Jane
We’re now nearly midway through 2015, and payment security remains a topic that stirs up great concern and confusion. While there is seemingly unanimous agreement on the need for heightened security, there’s uncertainty about those who are tasked with actually implementing it. Let’s dig deeper into EMV, P2PE and tokenization: how each will play a part in the next generation of securing payments, and how, without properly working together, they might just fall short.
Europay, MasterCard, and Visa (EMV) – A powerful guard against credit card skimming. EMV also uses cryptography to create dynamic data for every transaction and relies on an integrated chip embedded into the card.
Downside: For Independent Software Vendors (ISVs), the biggest downside of EMV is the complexity of creating an EMV solution. ISVs interested in certifying PINpads with a few processors face up to 22 months of costly work, and because there are a large number of pending certifications, processors will be backed up over the next few years.
It’s not impossible for an ISV to build EMV solutions in-house, but it’s difficult and unnecessary when there are plug-and-play EMV solutions available. These solutions include pre-packaged and pre-certified APIs that remove most of the need for research, the complexity and the burden of time and cost.
Point-to-Point Encryption (P2PE) – Secures devices, apps and processes by encrypting data from the earliest point of the transaction, using cryptographic keys known only to the payment company or gateway. This protects the data from tech-savvy criminals who jump at the chance to intercept POS systems and scrape the memory of Windows machines.
How does a key get into a card reader? Through an algorithm called derived unique key per transaction (DUKPT), or “duck putt.” DUKPT generates a base key that’s shared securely with device manufacturers, and the output cardholder data is rendered differently each time a card is swiped, making it impossible to reverse engineer the card data. P2PE benefits not only the cardholders, but also the ISVs and merchants. PA-DSS certification was designed to address the problems created by cardholder data that is not encrypted.
Downside: P2PE isn’t cheap if an organization wants to do it in-house. The secure cryptographic device needed to manage the keys, a Hardware Security Module (HSM), can cost $30-40,000, but when it’s built out, that total cost can jump to $100,000.
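The per-transaction key idea described above, as an added example that is not part of the original post. It is not the ANSI X9.24 DUKPT algorithm: it swaps in an HMAC-SHA256 key chain and an HMAC-based stream cipher to show the same property, and every name, the device ID, the base key and the card data are constructed assumptions.

```python
import hashlib, hmac

MAX_TXNS = 1_000_000  # assumed cap so a forged counter cannot force unbounded work

def prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()

def initial_device_key(bdk: bytes, device_id: bytes) -> bytes:
    # Gateway/HSM side: the key injected into one reader; the base key never leaves.
    return prf(bdk, b"init|" + device_id)

def keystream_xor(key: bytes, data: bytes) -> bytes:
    # Stand-in stream cipher (HMAC in counter mode) in place of TDES/AES.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = prf(key, b"ks|" + i.to_bytes(4, "big"))
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class Reader:
    """Card reader: holds only its current chain key, never the base key."""
    def __init__(self, device_id: bytes, injected_key: bytes):
        self.device_id, self.key, self.counter = device_id, injected_key, 0

    def swipe(self, track: bytes) -> dict:
        txn_key = prf(self.key, b"txn")
        ct = keystream_xor(txn_key, track)
        msg = {"device_id": self.device_id, "counter": self.counter,
               "ciphertext": ct, "mac": prf(txn_key, b"mac|" + ct)}
        # Ratchet forward and drop the old key, so scraped memory lacks past keys.
        self.key, self.counter = prf(self.key, b"next"), self.counter + 1
        return msg

def gateway_decrypt(bdk: bytes, msg: dict) -> bytes:
    if not 0 <= msg["counter"] < MAX_TXNS:
        raise ValueError("counter out of range")
    key = initial_device_key(bdk, msg["device_id"])
    for _ in range(msg["counter"]):          # replay the reader's ratchet
        key = prf(key, b"next")
    txn_key = prf(key, b"txn")
    if not hmac.compare_digest(prf(txn_key, b"mac|" + msg["ciphertext"]), msg["mac"]):
        raise ValueError("MAC check failed")
    return keystream_xor(txn_key, msg["ciphertext"])

def demo():
    bdk = bytes(range(32))                   # constructed base key
    track = b"4111111111111111=2512"         # constructed test card data
    reader = Reader(b"READER-0001", initial_device_key(bdk, b"READER-0001"))
    first, second = reader.swipe(track), reader.swipe(track)
    return first, second, gateway_decrypt(bdk, first), gateway_decrypt(bdk, second)
```

Swiping the same card twice yields two different ciphertexts, and only the holder of the base key can re-derive either transaction key.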
Tokenization – The best way to protect cardholder data when it’s stored is tokenization, a process which the PCI Security Standards Council describes as one where the primary account number is replaced with a surrogate value called a token. For merchants dealing with recurring billing, future payments, loyalty programs and more, tokenization is critical.
Downside: Tokenization doesn’t prevent malware that’s remotely installed on POS devices. It’s possible, as seen with recent retail card breaches, for data to be stolen before it is tokenized. That’s why it’s essential to group tokenization together with P2PE and EMV to offer optimal security.
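The PAN-to-token swap described above, as an added example that is not part of the original post or any PCI document. The class and function names are hypothetical, the card number is a constructed test value, and three design choices are assumptions of this example: tokens keep the last four digits, one card always maps to the same token (for recurring billing and loyalty lookups), and tokens deliberately fail the Luhn check so they cannot be mistaken for real card numbers.

```python
import secrets

def luhn_valid(number: str) -> bool:
    # Standard Luhn check: double every second digit from the right.
    digits = [int(d) for d in number][::-1]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

class TokenVault:
    """The only component that stores PANs; merchant systems keep tokens."""

    def __init__(self):
        # In-memory maps for illustration; a real vault would keep these
        # encrypted and behind strict access control.
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]      # stable token per card
        while True:
            # Random surrogate: no mathematical relation to the PAN.
            body = "".join(secrets.choice("0123456789")
                           for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._pan_by_token:
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        # Raises KeyError for unknown tokens; only the vault can map back.
        return self._pan_by_token[token]

def demo():
    vault = TokenVault()
    pan = "4111111111111111"                    # constructed test PAN
    token = vault.tokenize(pan)
    return pan, token, vault.tokenize(pan), vault.detokenize(token)
```

The merchant database then holds only the token; as the post notes, this does nothing for card data captured on the POS device before `tokenize` is ever called.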
October 1st, 2013 by Elma Jane
A payment card transaction involves some or all of the following participants:
Acquirers or Payment Processors that market card acceptance services to merchants, obtain transaction authorization, and clear and settle card transactions for the merchant.
Consumers or Cardholders that use payment cards to purchase goods and services.
Issuers that market and issue payment cards to consumers and set the terms and conditions for their use.
Merchants that accept payment cards for the purchase of goods and services.
Network Operator that oversees the system and coordinates the transmission of information and the transfer of funds between issuers and acquirers.
Since the network operator’s revenue depends on the value of transactions that flow through its network, it tries to ensure the widest possible acceptance among consumers and merchants. In order to increase use and acceptance, the networks use marketing techniques to gain brand recognition, create products that encourage consumer usage and merchant acceptance, and set fees and impose rules on system participants, including:
Interchange Fees – These are set by the network but are generally paid by acquirers to issuers and are usually reflected in the merchant service fee paid by merchants to acquirers. Interchange fees can be calculated either as a flat fee per transaction, as a percentage of the transaction value, or a combination of both.
Membership Requirements – MasterCard and Visa require issuers and acquirers to be regulated financial institutions or be sponsored by a regulated financial institution. Interac also requires issuers to be regulated financial institutions.
Network Switch Fees – These fees are charged to acquirers and/or issuers, and are set and collected by the network. They can be calculated either as a flat fee per transaction or as a percentage of the transaction value.
Merchant Acceptance Rules, which include:
No Discrimination Rules, which prohibit merchants from encouraging consumers to consider (or steering consumers toward) lower-cost payment instruments.
No Surcharge Rules, which prevent merchants from charging consumers a fee for the use of a credit card rather than some other credit card or method of payment.
Honour-All-Cards Rules, which require merchants that accept any of the network’s credit cards to accept all of that network’s credit cards (core, high spend and premium high spend in the case of MasterCard), regardless of the applicable interchange fee. The networks have also expanded this rule to include debit cards (i.e. if a merchant accepts one debit card, they must accept all of that network’s debit cards).
With four-party card networks, such as Visa and MasterCard, the card networks seek to maximize the transactions flowing through them by attracting more card issuers. The networks do this by offering the prospect of interchange income to issuers, thus creating an incentive to increase interchange as much as the market (i.e. the parties paying the interchange fees) will bear.
The ability to use credit cards and debit cards to purchase goods and services rests largely on a behind-the-scenes architecture of procedures, rules and technology that govern how funds and information are transferred between people and institutions in the process of settling accounts, i.e., of ensuring that merchants that sell goods and services get paid by the people who purchase them.
September 30th, 2013 by Elma Jane
Future of Marketing Lies in Mobile Payments…Why?
Marketing and payments might seem like strange bedfellows to the average retailer, but in fact, they are converging rapidly to bring more value to consumers and merchants alike. Here are 10 reasons why the future of marketing is inextricably linked to payments innovation:
1. Cross-Platform Acceptance
Better yet, these targeted offers can be acquired and redeemed through different mediums…online, offline and mobile…and utilized interchangeably. This makes life easier on the consumer and thus makes them more likely to engage with new loyalty and rewards programs. Moreover, as the Internet and mobile solutions continue to merge, the digital “wallets” that many of us use online today (think PayPal) are, logically, moving to our phones. When these payment and marketing applications are accessible from the same device, customers can seamlessly receive pertinent offers and pay for goods at the same time in the same place. Other apps will give consumers the ability to shop in one medium and buy in another, simplifying omni-channel marketing to affect commerce across all channels. This kind of convenience and value is a win for both customer and merchant.
2. Loyalty and Rewards get Simpler
The reality is that it’s much easier to issue and redeem loyalty rewards, gift cards and discounts when they are integrated into the POS experience and don’t require customers or merchants to alter the existing in-store purchase or checkout stream. You can see these simplified applications already in practice at chains like Starbucks, as well as independent merchants that use systems like LevelUp.
3. Merchant adoption
The payment technologies that succeed will be the ones that are ultimately adopted by merchants, which in turn will lead to consumer usage. Key technologies that will likely facilitate widespread adoption of mobile payments…either proactively because merchants want to see what they can offer them, or passively as they upgrade devices…include:
EMV (chip and PIN), which will force merchants to update their POS systems, likely catalyzing them to update all points of interaction.
NFC, cloud computing, geofencing, QR codes and even basic bar codes.
4. More Value for Consumers
And for consumers, the convergence of payments and marketing should deliver highly valuable deals, offers, comparison information and more, ultimately providing a drastic improvement in the buying and shopping experience.
5. More Value for Merchants
So what does this value look like? For merchants, the convergence of payments and marketing should bring in new customers, increase sales from existing customers, and provide more customer data. It should also create a more streamlined multi-channel experience so consumers have little barrier to adoption.
6. No Single Technology will Win
These new technologies introduce an interesting question: What should merchants do to prepare for this brave new world where payments and marketing collide? For one, merchants should avoid betting on any one technology. In fact, the POS needs to morph into something a little more complex, becoming instead a POI, where a broad variety of payment types, loyalty programs, coupons and more can be redeemed. Merchants should be in a position to choose what types of payment they want to accept and in what medium, and not be limited to fixed payment tenders.
When the convergence of marketing and payments will happen
The increasing adoption of mobile payments by merchants and consumers, when combined with new POS environments, will jump-start the convergence of marketing and payments. However, we’re still in the early stages.
Mobile commerce technologies are widespread but still working to gain traction from consumers en masse. Additionally, merchants haven’t yet felt the need to upgrade their POS systems to accept mobile payments.
However, the October 2015 EMV Liability Shift, a date set by Visa and MasterCard for certain charge-back liabilities to fall to the merchant unless they have upgraded to EMV-capable POS systems, is likely to push merchants to upgrade their systems.
Once merchants begin to upgrade these POS systems, the smart ones will take the opportunity to add more features and functionality to the systems, including the ability to accept payment…and marketing-driven solutions from mobile handsets. That’s when we’ll see the value of two-way communication between merchants and consumers dramatically change the shopping experience and bring payments into the marketing mix.
7. Smartphone Adoption is Speeding Up
Consumers’ mobile phones are already equipped to deliver highly valuable offers, and adoption is increasing at a rapid pace. Smartphones bring with them new app technologies that include not only mobile payments but also loyalty and rewards programs that are designed to drive preference for stores, goods and services.
8. Targeted Offers and Single-Use Applications
Of course, these solutions are still in their infancy. Elegant single-use applications, such as mobile wallets and gift cards, will soon grow to provide highly targeted offers that take into account everything from shopping preferences to location, providing incentives as a customer walks the aisle of a store. Just about every player in the payments ecosystem is thinking about these new commerce technologies. The winners will be those that demonstrate clear value for both the merchants and customers.
9. The “POS” is now a “POI”
A point-of-sale (POS) solution used to be a place where goods were purchased and money traded hands. Usually, this took the form of a cash register or credit card machine. Though these still exist, a wave of new value-added marketing services, such as targeted offers, discounts and highly valuable loyalty applications, has led to the transformation of the POS into a point-of-interaction (POI), a place where consumers and merchants meet to exchange value for value.
10. Two-way communication
When embedded in smartphones, new technologies…like near-field communication (NFC), QR codes, geofencing and cloud authentication solutions…allow for two-way communication between the consumer and the POS solution, enabling merchants to deliver coupons and offers directly to customers’ mobile phones through targeted integrated programs.
August 16th, 2013 by Admin
Square credit card processing service was fined $507,000 by Florida’s Office of Finance Regulation for operating an electronic payment processing service without a money transmission license. Some may remember the same treatment in Illinois in March of this year. The order covers two years of operation and processing including Square Register, stored value and prepaid access credit card services.
Square was granted a money transmission license after it paid the fine via wire transfer and is now in compliance. Square neither admits nor denies any wrongdoing. Although it’s an emerging field, the Florida-based fines show that adhering to state laws is a tricky situation that needs extra scrutiny on the processor’s end. Due to the state-by-state nature of the laws, credit card processing companies find themselves complying with each state’s independent regulation laws.
In a statement from Square: “We worked with Florida to resolve our application and receive our license to operate as a money transmitter in the state. We look forward to continuing to help merchants across Florida grow their business with Square.”