October 8th, 2014 by Elma Jane

When the PCI Security Standards Council (PCI SSC) launched PCI DSS v3.0 in January 2014, businesses were given one year to implement the updated global standard. Now that the deadline is fast approaching, interest is picking up in what v3.0 entails. On Jan. 1, 2015, version 3.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) will reach year one of its three-year lifecycle.

Trustwave, a global data security firm, is on the frontlines of helping secure the networks of merchants and other businesses on the electronic payments value chain against data breaches. As an approved scanning vendor, Trustwave is used by businesses to achieve and validate PCI DSS compliance.

PCI DSS v3.0 is business as usual for the most part, except for a few changes from v2.0 that considers impactful for large swaths of merchants. The top three changes involve e-commerce businesses that redirect consumers to third-party payment providers. The expansion of penetration testing requirements and the data security responsibilities of third-party service providers.

Penetration testing

Penetration testing is the way in which merchants can assess the security of their networks by pretending to be hackers and probing networks for weaknesses. V3.0 of the PCI DSS mandates that merchants follow a formal methodology in conducting penetration tests, and that the methodology goes well beyond what merchants can accomplish using off-the-shelf penetration testing software solutions.

Merchants that are self assessing and using such software are going to be surprised by the rigorous new methodology they are now expected to follow.

Additionally, penetration testing requirements in v3.0 raises the compliance bar for small merchants who self assess. Those merchants could lower the scope of their compliance responsibilities by segmenting their networks, which essentially walls off data-sensitive areas of networks from the larger network. In this way merchants could reduce their compliance burdens and not have to undergo penetration testing.

Not so in v3.0. If you do something to try to reduce the scope of the PCI DSS to your systems, you now need to perform a penetration test to prove that those boundaries are in fact rigid.

Redirecting merchants

The new redirect mandate as affecting some, but not all, e-commerce merchants that redirect customers, typically when they are ready to pay for online purchases to a third party to collect payment details. If you are a customer and you are going to a website and you add something to your shopping cart, when it comes time to enter in your credit card, this redirect says I’m going to send you off to this third party.

The redirect can come in several forms. It can be a direct link from the e-commerce merchant’s website to another website, such as in a PayPal Inc. scenario, or it can be done more silently.

An example of the silent method is the use of an iframe, HTML code used to display one website within another website. Real Estate on the merchant’s website is used by the third-party in such a way that consumers don’t even know that the payment details they input are being collected and processed, not by the e-commerce site, but by the third party.

Another redirect strategy is accomplished via pop-up windows for the collection of payments in such environments as online or mobile games. In-game pop-up windows are typically used to get gamers to pay a little money to purchase an enhancement to their gaming avatars or advance to the next level of game activity.

For merchants that employ these types of redirect strategies, PCI DSS v3.0 makes compliance much more complicated. In v2.0, such merchants that opted to take Self Assessment Questionnaires (SAQs), in lieu of undergoing on-site data security assessments, had to fill out the shortest of the eight SAQs. But in v3.0, such redirect merchants have to take the second longest SAQ, which entails over 100 security controls.

The PCI SSC made this change because of the steady uptick in the number and severity of e-commerce breaches, with hackers zeroing in on exploiting weaknesses in redirect strategies to steal cardholder data. Also, redirecting merchants may be putting themselves into greater data breach jeopardy when they believe that third-party payment providers on the receiving end of redirects are reducing merchants’ compliance responsibilities, when that may not, in fact, be the case.

Service providers

Service provider is any entity that stores, processes or transmits payment card data. Examples include gateways, web hosting companies, back-up facilities and call centers. The update to the standard directs service providers to clearly articulate in writing which PCI requirements they are addressing and what areas of the PCI DSS is the responsibility of merchants.

A web hosting company may tell a merchant that the hosting company is PCI compliant. The merchant thought, they have nothing left to do. The reality is there is still always something a merchant needs to do, they just didn’t always recognize what that was.

In v3.0, service providers, specifically value-added resellers (VARs), also need to assign unique passwords, as well as employ two-factor authentication, to each of their merchants in order to remotely access the networks of those merchants. VARs often employ weak passwords or use one password to access multiple networks, which makes it easier for fraudsters to breach multiple systems.

The PCI SSC is trying to at least make it more difficult for the bad guys to break into one site and then move to the hub, so to speak, and then go to all the other different spokes with the same attack.

Overall, v3.0 is more granular by more accurately matching appropriate security controls to specific types of merchants, even though the approach may add complexity to merchants’ compliance obligations. On the whole a lot of these changes are very positive.

 

Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

May 23rd, 2014 by Elma Jane

Before making a purchase, there are several devices that consumers may use to help them make a decision: Use a specific store’s mobile app on their smartphones. Visit the store’s website on a tablet or computer, or just pick up the phone and call customer service to ask a question. Whatever the case, omnichannel is an important buzzword for merchants.

Here are ways to ensure a seamless and secure retail experience to turn browsers into loyal buyers.

Ensure Channels Work Together

Even in historically single-channel retail sectors such as grocery, more than half of customers now use two or more channels before completing a purchase, shown in a recent study. Retailers must therefore offer both traditional and digital channels. However, before investing in the latest mobile-optimized website feature or app, retailers should learn how existing online and physical channels can together enhance the customer experience. What customers value most is not the number of channels offered, but how these channels support each other.

A merchant’s website might encourage visitors to take advantage of a special event in-store, while sales assistants on the floor can use Wi-Fi enabled tablets to access additional product information.

Help Customers Find What They Want

With Internet access ubiquitous, cost-conscious customers are just a click away from being able to compare prices and find special offers. Many take out their smartphone or tablet in stores to compare prices, a trend called Showrooming.

Online retailers can take advantage of this trend by encouraging shoppers to compare prices in-store using a mobile app. In-store retailers, on the other hand, could provide greater value through targeted offers, price match guarantees, expert advice, convenient delivery choices and personalized customer care.

Optimize The Checkout Experience

Businesses must be sure to have a quick, streamlined checkout process once they have converted an online browser into a customer or else they risk facing shopping cart abandonment. This can be done in a few steps:

1. Assess how the checkout experience can be customized for its customers. Keep the mandatory information required from new or first-time online or mobile shoppers to a minimum and shorten the process for returning customers by securely storing their payment details and other personal information.

2. Develop a dedicated mobile app or other innovative functions that can increase long-term satisfaction and loyalty.

3. Test different payment methods to find those that are most convenient for customers. These payment options may include paying with reward points, using a digital wallet or providing a digital offer or coupon at checkout. There is a balance to be found between having additional payment methods to meet customer expectations and choosing methods appropriate to a merchant’s business model.

4. Establish a one-click online checkout process. Chase for example, is currently developing a Chase Wallet and Quick Checkout solution. The Chase Wallet will allow customers to store and access their Chase cards and ultimately, any branded card for a quick checkout. It will also update Chase-branded cards when a customer replaces an existing card and use tokenization to securely process payments with select merchants.

Merchants also face the challenge of ensuring that the online and in-store checkout experience is secure, while at the same time eliminating as many false positives as possible. False positives are a hindrance to any business as they may reduce sales, increase chargebacks and frustrate customers. A quick-checkout solution may help reduce false positives because customer information is automatically populated rather than manually keyed into the checkout page.

Acquirers should also work with online retailers to provide a conditional approval code for a transaction. This code allows the fulfillment process to move forward while authentication is taking place. The additional time for a thorough authentication also helps reduce the number of false positives.

Use Data to Build Loyalty

Customers will likely return to a retailer if product marketing reflects their past purchases or interests. Therefore, taking advantage of data including a customer’s purchasing history, loyalty, behavior or social media interests may help retailers to better understand their customers as well as personalize their shopping experience.

According to a study released in March 2013, Chase Paymentech found that 32 percent of merchants use their payment data to help craft their multi-channel sales strategy and 42 percent use it to improve the online customer experience. In addition, further analysis of payment methods, chargeback rates, fraud rates and authorization rates may improve the customer shopping experience and  drive overall profitability.

 

Posted in Best Practices for Merchants Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

May 21st, 2014 by Elma Jane

There are no enforced standards in the card processing industry regarding rates, fees, and contractual terms. It is possible for two providers to offer seemingly the same rates and fees that result in different processing costs.

Excessive Monthly, Annual, or Quarterly Fees

There are numerous monthly, annual, or quarterly fees merchants may see on their statements each month. Many merchants pay far more than they should for these fees. The fees may have names like statement fee, service fee, membership fee, regulatory fee, PCI fee, and host of other names. The fair amount each merchant should pay for these fees varies by sales volume and merchant type. Also, the amount a merchant pays for any given fee isn’t as important as the overall processing cost. These are general guidelines; some merchants should pay far less. If you are currently paying more, it may be a good time to review your overall processing cost including your pricing plan, rates, and fees.

Excessive Payment Gateway Fees

A payment gateway route transactions from the merchant’s website to the provider. Some retail point-of-sales devices require a gateway to route the transactions. Merchants generally pay a per-month and a per-transaction fee for use of the gateway. As a rule, the direct cost to process through the gateway is a few cents per transaction.

PCI Non-compliance or Non-validation Fee

Many providers now charge a monthly non-compliance or non-validation fee if the merchant is not PCI compliant. This fee may be in addition to a monthly, quarterly, or annual PCI fee. Supposedly, providers charge the non-compliant or non-validation fee as an incentive for merchants to become compliant. Nonetheless, some providers use this fee more for revenue generation, than as an incentive. Some providers do not charge this fee at all.

Merchants should not change providers because of this fee. Instead, the merchants should become PCI compliant to eliminate the fee and reduce the probability of being breached, which could easily result in huge monetary penalties – tens of thousands of dollars. To become compliant, merchants should complete the PCI Self-Assessment Questionnaire and adhere to the PCI requirements, which may require quarterly scans. In short, if a merchant is being charged a non-compliance or non-validation fee, it is as much the merchant’s fault as anyone else.

Visa FANF Fee

In 2012, Visa started charging providers a Fixed Acquirer Network Fee (FANF). The actual fee charged by Visa is dependent on the merchant type. The fee for customer-present retail merchants is based on the number of locations. The cost for ecommerce and fast food merchants is based on the volume of business. Customer-present retail merchants that have non-swiped transactions can also pay an additional customer-not-present FANF fee.

Most aggregators – i.e., merchant account providers that group multiple merchants into a single merchant account, such as Square, PayPal – integrate the FANF cost into their rates and fees versus itemizing them out separately. Most traditional providers properly pass through the actual Visa FANF fee to their merchants. However, there are a few that treat this fee as another hidden revenue stream. I’ve seen providers charge a flat monthly fee for customer-present merchants and I’ve seen the FANF fee inflated by as much as 50 percent for ecommerce merchants. Keep in mind when reviewing that the fee is generally based on the volume of the prior month. In order words, the fee you see on your statement for April activity is likely based on the March volume, as providers need to know the monthly Visa volume before they can assess the fee.

Unusual Discover Card Fees

For Discover transactions, some providers charge a higher percentage, or higher per-item fee, or monthly access fee.

 

Posted in Best Practices for Merchants, Credit card Processing Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,