January 21st, 2015 by Elma Jane

With a crucial deadline approaching, the payments industry is starting to look at just what kind of fraud liability, and how much fraud, merchant acquirers will have to assume if their merchants aren’t ready to accept Europay-MasterCard-Visa (EMV) chip cards by October.

While issuers currently absorb losses under card-network rules, that burden will shift to acquirers this fall in cases where the fraud occurs at merchants unprepared for EMV.

As a result, acquirers will have to reckon with a whole new category of risk exposure.

In card-not-present transactions, acquirers have faced this, but in the overwhelming majority of cases they’ll be confronting it for the first time.

Surprisingly, for all the talk in the industry about the imminent arrival of EMV, it appears few acquiring executives have fully accounted for what the shift really means for them.

Some 24% of U.S. point-of-sale terminals are “EMV-capable,” while 9% of debit/prepaid cards issued, and 2% of credit cards have EMV chips so far. But while terminals may be technically capable, it isn’t known just how many of these merchants have the software and trained personnel to accept EMV.

Foreign issuers, especially, may be licking their chops at the prospect of offloading their consumer-fraud risk onto U.S. acquirers. For years and years, these non-U.S. issuers have invested in EMV, but the U.S. is still using the mag stripe. So non-U.S. issuers appear to be very aware of the liability shift.

To be sure, acquirers’ increased risk exposure may be relatively short-lived. Under the network rules, liability rests with the issuer in cases where both the merchant and the issuer are EMV-compliant. That could be nearly universally the case within a few years. By 2018, nearly all cards and terminals will be compliant.

But that still leaves open the question of how many of these terminals will really be running chip card transactions.

The issue isn’t so much about terminals as about software. Many mid-size merchants are using so-called integrated solutions that run payments as part of a larger business-management system. That means acquirers must work with a number of other parties to reconfigure software, and that presents a challenge when it comes to getting masses of merchants EMV-compliant.

The bigger problem is the integrated point-of-sale market.

While the liability shift may impact acquirers, not all of them are convinced their exposure will rise all that much. Some argue the risk of loss from lost/stolen/counterfeit cards at the point of sale is low and not likely to rise, especially for small-ticket merchants.

Fraudsters are much more inclined to practice their trade online, where the risk of being caught is lower than in face-to-face transactions.

 


November 4th, 2014 by Elma Jane
“Healthcare’s Unique, Robust MEDIPAID Rolls Out”
Delivering paperless, next-day deposits for Medical Billers
National Transaction Corporation (NTC) in Coral Springs, Florida announced today that, by the first of December 2014, its paperless medical insurance electronic funds capturing suite, MEDIPAID, will be fully functional nationwide. NTC’s MEDIPAID delivers next-day deposits for any medical entity that must bill health insurance companies.
MEDIPAID will bring the speed, ease and convenience of credit card merchant accounts to the world of medical insurance billing. Upon MEDIPAID’s deployment, the medical office receives its payments considerably faster. The revenue is immediately available since it is paid directly into the business’s checking account with secure electronic payments.
NTC’s agents help merchants standardize their Electronic Remittance Advice (ERA) and distribution options to automate posting, which further reduces paper and time burdens. At a rate far less than credit card processing or third-party billing companies, MEDIPAID is designed to replace the healthcare provider’s paper check payments with electronic payments that include the remittance detail (ERA), and it further allows providers to take advantage of distribution options to automate the claims payment posting processes.
For more information, contact us anytime.
National Transaction Corporation
office: 954-346-3300 or 888-996-2273
fax: 954-510-4239
website: www.nationaltransaction.com


October 23rd, 2014 by Elma Jane

The U.S. government will replace roughly 9 million government-issued payment cards with EMV chip-and-PIN versions early next year in a push to increase awareness and use of the more secure cards. Between 5 and 6 million prepaid debit cards used for issuing government payments, including Social Security and veterans benefits, will be reissued in January 2015. Another 3 million cards issued to federal government employees will also be replaced with EMV versions through the General Services Administration’s SmartPay program.

All the cards will be set up for Chip and PIN security as a U.S. government standard under the upgrade program, rather than the Chip and Signature approach required by Visa and MasterCard for most U.S. retailers starting late next year. However, there was no indication that the new cards will actually have the less secure magnetic data stripe removed.

Finding the right answers with the latest technologies to stop these cyber thieves and taking proactive and positive steps by adopting PIN and chip technology for government-issued debit and credit cards shows the importance of protecting financial transactions. While EMV is important, it’s not a total solution to the issue of data security.

POS devices at all federal agencies that accept retail payments will also be converted to accept EMV cards on a schedule set by the U.S. Treasury Dept. No timetable was given for the federal POS conversion.

The rollouts at four of the six largest U.S. retail chains will give a boost to EMV, which despite an October 2015 deadline has seen slow uptake among retailers. Under a mandate by Visa and MasterCard, retailers who experience credit or debit card fraud after next October but haven’t upgraded their POS equipment to accept EMV cards will be liable for the loss. If the bank that issued the card hasn’t upgraded it to EMV, the bank will take the loss.

But despite that October deadline, fewer than half of retailers’ POS terminals are expected to be able to accept EMV cards by the end of 2015, and barely half of U.S. payment cards will have been upgraded by then, according to the Payments Security Task Force, a banking industry group tracking EMV uptake.

The 9 million federally issued cards are a tiny fraction of the 1 billion credit and debit cards in use in the U.S., so the overall impact of accelerated EMV conversion is likely to be small. However, the Buy Secure initiative also explicitly includes a consumer-education component. Visa said it will spend $20 million in a public service campaign, and American Express said it will launch a $10 million program to help small merchants upgrade their POS terminals.

Small merchants are less likely to know about EMV than large retail chains, which have been making implementation plans for years.

 


October 9th, 2014 by Elma Jane

Coin

This 300-year-old coin is around my neck. It was off of a Spanish shipwreck known as the Shipwreck of 1715. When I first saw it, I noticed a little hole with a speck of a diamond. I questioned the jeweler about it: why would you drill a hole in a 300-year-old coin and damage this 300-year-old treasure? The jeweler proceeded to tell me that it was a 300-year-old hole.

Think about how we used currency 300 years ago. There were no banks, no financial institutions to hold merchants’ money. So if I had a bunch of money, I had it on a wire or had it in a box. I may have kept my money in my mattress. People would keep their money on a wire, punch holes in the coins, string the money through the wire and then go back to business on their horse and buggy, or however they got from point to point 300 years ago. If you have ever heard the phrase that a business owner started his business on a shoestring, you now know where the phrase originated.

What I found amazing in this one coin that I wear is that it has thousands of transactions in its history. Who knows what was bought and sold with this very coin? Whether it was goats or chickens, a piece of property somewhere, or a boat ride to the states, or whatever it might be. There is no documented history behind each one of those transactions.

Today, when National Transaction processes a transaction for a merchant, we know the date and time. We know the amount of the sale, we probably know the email address and the owner’s zip code; we actually know quite a bit about the information around that transaction.

Many articles are written that answer the who, what, when, where and why questions with today’s electronic transactions. We have four of the five answers. We know who, what, when and where. The only thing that we don’t know is why the customer bought the item.

If this coin had today’s technologies there would have been thousands of transactions that this coin could have shared. The story of those purchases would be fascinating.

All business owners want to make a sale. Each time they do make a sale, we recommend capturing any and all contact information. This customer is a buyer! Today, most people have an email address or cell phone number. If we don’t capture the customer’s information we have just ignored the single most important thing in any business’s life cycle: the customer.

 


October 8th, 2014 by Elma Jane

When the PCI Security Standards Council (PCI SSC) launched PCI DSS v3.0 in January 2014, businesses were given one year to implement the updated global standard. Now that the deadline is fast approaching, interest is picking up in what v3.0 entails. On Jan. 1, 2015, version 3.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) will reach year one of its three-year lifecycle.

Trustwave, a global data security firm, is on the frontlines of helping secure the networks of merchants and other businesses on the electronic payments value chain against data breaches. As an approved scanning vendor, Trustwave is used by businesses to achieve and validate PCI DSS compliance.

PCI DSS v3.0 is business as usual for the most part, except for a few changes from v2.0 that are considered impactful for large swaths of merchants. The top three changes involve e-commerce businesses that redirect consumers to third-party payment providers, the expansion of penetration testing requirements, and the data security responsibilities of third-party service providers.

Penetration testing

Penetration testing is the way in which merchants can assess the security of their networks by pretending to be hackers and probing networks for weaknesses. V3.0 of the PCI DSS mandates that merchants follow a formal methodology in conducting penetration tests, and that the methodology goes well beyond what merchants can accomplish using off-the-shelf penetration testing software solutions.

Merchants that are self-assessing and using such software are going to be surprised by the rigorous new methodology they are now expected to follow.

Additionally, the penetration testing requirements in v3.0 raise the compliance bar for small merchants who self-assess. Those merchants could lower the scope of their compliance responsibilities by segmenting their networks, which essentially walls off data-sensitive areas of networks from the larger network. In this way merchants could reduce their compliance burdens and not have to undergo penetration testing.

Not so in v3.0. If you do something to try to reduce the scope of the PCI DSS to your systems, you now need to perform a penetration test to prove that those boundaries are in fact rigid.

Redirecting merchants

The new redirect mandate affects some, but not all, e-commerce merchants that redirect customers, typically when they are ready to pay for online purchases, to a third party to collect payment details. If you are a customer and you go to a website and add something to your shopping cart, then when it comes time to enter your credit card, the redirect says, “I’m going to send you off to this third party.”

The redirect can come in several forms. It can be a direct link from the e-commerce merchant’s website to another website, such as in a PayPal Inc. scenario, or it can be done more silently.

An example of the silent method is the use of an iframe, HTML code used to display one website within another website. Real estate on the merchant’s website is used by the third party in such a way that consumers don’t even know that the payment details they input are being collected and processed, not by the e-commerce site, but by the third party.

Another redirect strategy is accomplished via pop-up windows for the collection of payments in such environments as online or mobile games. In-game pop-up windows are typically used to get gamers to pay a little money to purchase an enhancement to their gaming avatars or advance to the next level of game activity.

For merchants that employ these types of redirect strategies, PCI DSS v3.0 makes compliance much more complicated. In v2.0, such merchants that opted to take Self Assessment Questionnaires (SAQs), in lieu of undergoing on-site data security assessments, had to fill out the shortest of the eight SAQs. But in v3.0, such redirect merchants have to take the second longest SAQ, which entails over 100 security controls.

The PCI SSC made this change because of the steady uptick in the number and severity of e-commerce breaches, with hackers zeroing in on exploiting weaknesses in redirect strategies to steal cardholder data. Also, redirecting merchants may be putting themselves into greater data breach jeopardy when they believe that third-party payment providers on the receiving end of redirects are reducing merchants’ compliance responsibilities, when that may not, in fact, be the case.

Service providers

A service provider is any entity that stores, processes or transmits payment card data. Examples include gateways, web hosting companies, back-up facilities and call centers. The update to the standard directs service providers to clearly articulate in writing which PCI requirements they are addressing and which areas of the PCI DSS are the responsibility of merchants.

A web hosting company may tell a merchant that the hosting company is PCI compliant, and the merchant may conclude there is nothing left to do. In reality there is always something a merchant still needs to do; merchants just didn’t always recognize what that was.

In v3.0, service providers, specifically value-added resellers (VARs), also need to use a unique password, as well as two-factor authentication, for each merchant whose network they access remotely. VARs often employ weak passwords or use one password to access multiple networks, which makes it easier for fraudsters to breach multiple systems.

The PCI SSC is trying to at least make it more difficult for the bad guys to break into one site and then move to the hub, so to speak, and then go to all the other different spokes with the same attack.

Overall, v3.0 is more granular by more accurately matching appropriate security controls to specific types of merchants, even though the approach may add complexity to merchants’ compliance obligations. On the whole a lot of these changes are very positive.

 


September 16th, 2014 by Elma Jane

Card-not-present merchants are battling increasingly frequent friendly fraud: the “I don’t recognize” or “I didn’t do it” dispute. This occurs when a cardholder makes a purchase, receives the goods or services and initiates a chargeback on the order, claiming he or she did not authorize the transaction.

This problem can potentially cripple merchants because of the legitimate nature of the transactions, making it difficult to prove the cardholder is being dishonest. The issuer typically sides with the cardholder, leaving merchants with the cost of goods or services rendered as well as chargeback fees and the time and resources wasted on fighting the chargeback.

Visa recently changed the rules and expanded the scope of what is considered compelling evidence for disputing and representing chargebacks for this reason code. The changes included allowing additional types of evidence, added chargeback reason codes and a requirement that issuers attempt to contact the cardholder when a merchant provides compelling evidence.

The changes give acquirers and merchants additional opportunities to resolve disputes. They also mean that cardholders have a better chance to resolve a dispute with the information provided by the merchant. Finally, they provide issuers with clarity on when a dispute should go to pre-arbitration as opposed to arbitration.

Visa has also made other changes to ease the burden on merchants, including allowing merchants to provide compelling evidence to support the position that the charge was not fraudulent, and requiring issuers to send a pre-arbitration notice before proceeding to arbitration, which reduces the risk to the merchant when representing fraud reason codes.

The new “Compelling Evidence” rule change does not remedy chargebacks but brings important changes for both issuers and merchants. Merchants can provide information in an attempt to prove the cardholder received goods or services, or participated in or benefited from the transaction. Issuers must initiate pre-arbitration before filing for arbitration. That gives merchants an opportunity to accept liability before incurring arbitration costs, and Visa will be using information from compelling evidence disputes to revise policies and improve the chargeback process.

Visa made those changes to reduce the required documentation and streamline the dispute resolution process. While the changes benefit merchants, acquirers and issuers, merchants in particular will benefit with the retrieval request elimination, a simplified dispute resolution process, and reduced time, resources and costs related to the back-office and fraud management. The flexibility in the new rules and the elimination of chargebacks from cards that were electronically read and followed correct acceptance procedures will simplify the process and reduce costs.

Sometimes, an efficient process for total chargeback management requires expertise or in-depth intelligence that may not be available in-house. The rules surrounding chargeback dispute resolution are numerous and ever-changing, and many merchants simply do not have the staffing to keep up in a cost-effective and efficient way. Chargebacks are a way of life for CNP merchants; however, by working with a respected third-party vendor, they can maximize their options without breaking the bank.

Reason Code 83 (Fraud Card-Not-Present) occurs when an issuer receives a complaint from the cardholder related to a CNP transaction. The cardholder claims he or she did not authorize the transaction or that the order was charged to a fictitious account number without approval.

The newest changes to Reason Code 83, a chargeback management protocol, offer merchants a streamlined approach to fighting chargebacks and will ultimately reduce back-office handling and fraud management costs. Independent sales organizations and sales agents who understand chargeback reason codes and their effect on chargeback rates can teach merchants how to prevent chargebacks before they become an issue and successfully represent those that they can’t prevent.


September 16th, 2014 by Elma Jane

When plastic cards become digital tokens, they become virtual. So how do you say whether the card is present or not present? That is the legendary regulatory distinction the cards industry has relied on to differentiate between interchange fees for Card Present and Card Not Present transactions.

Apple secured Card Present preferential rates for transactions acquired by iTunes on the basis that the card’s legitimacy is verified with the issuer at the time of registration and the token minimizes probability of fraud. If an API call to the issuing bank is sufficient to say that the Card is Present, who is to say that the same logic can’t apply to online merchants who also verify the authenticity of Cards on File when they tokenize them? How can one arbitrarily say that the transaction processed with token from an online merchant is Card Not Present, but the one processed with Apple Pay is Card Present even though both might have made the same API call to the bank to verify the card’s validity?

In the Apple case, a physical picture of the card is taken and used to verify that the person registering the card has it. It is not that hard for an online merchant to verify that the Card on File converted as a token does belong to the person performing an online transaction.

As we move towards chip and PIN, card-present merchants will spend substantial money upgrading their hardware and POS systems. That expense will be offset by the savings in losses due to fraud. MOTO and e-commerce transactions (card not present) will always have a higher cost because the processing is by nature not face to face. Of course, fraud and losses are higher when the card is manually entered or given to someone over the phone. Face-to-face transactions will always have the lowest cost per transaction because payment is usually the final step in the sale. Restaurants are low risk because the transaction happens after you eat. If there is a dispute, it happens before the merchant even sees the credit card.

In the long run, as cards become digital and virtual through tokens, we are all going to wonder if the card is present or not present. Maybe some will say the card is a ghost.


September 15th, 2014 by Elma Jane

Visa has taken advantage of the hoopla surrounding Apple’s application of digital account tokens to replace card numbers for online and mobile purchasing by initiating the roll out of its Token Service to US clients.

Visa Tokens will be made available to issuing financial institutions globally, starting with US banks next month, and followed by a phased roll-out overseas beginning in 2015. The technology has been designed to support payments with mobile devices using all major mobile platforms.

More than 750 staff from across the Visa organisation globally were involved in the effort, working closely with initial launch partners (financial institutions, merchants and processors) to ensure the ecosystem was ready. Today, Visa is making these services available and believes they will help transform connected devices and wearables into secure payment vehicles.

Visa Token Service replaces sensitive payment account information found on plastic cards with a digital account number or token. Because tokens do not carry a consumer’s payment account details, such as the 16-digit account number, they can be safely stored by online merchants or on mobile devices for e-commerce and mobile payments.

The release of the service has been given added urgency by a spate of successful hacks on merchant card data stores, such as the recent plundering of card account data at Home Depot and Target.

MasterCard has its own equivalent Digital Enablement Service, which will be released outside of the US in 2015.


September 11th, 2014 by Elma Jane

Online retailers are finding the bricks-and-clicks strategy to be an effective way to serve and engage shoppers. Perhaps that is why an increasing number of ecommerce merchants are setting up shop offline. It’s important to note, however, that a bricks-and-clicks business isn’t just about having a physical store and an ecommerce site. For this model to be effective, each channel must complement and add value to the other.

Guidelines to execute a bricks-and-clicks strategy:

Allow Access to Online Account Information in Physical Store

Bridge the gap between bricks and clicks by giving your customers and physical-store staff access to online account information. Doing so can enhance shopping experiences and drive sales.

Integrate Online and Offline Inventory, Fulfillment

Offer click-and-collect services that allow shoppers to buy merchandise online and pick it up at a local retail branch or service station. Many consumers would rather forgo the shipping costs and wait time and instead pick up their items at a time and place that’s convenient for them. Also, use your brick-and-mortar inventory when an item is out of stock online.

Use Online Data for Offline Selling, and Vice Versa

Data pertaining to online sales and traffic won’t just help you optimize your ecommerce site. It can also apply to offline decisions. For instance, if you see an increase in sales for a particular product on your website, you should consider promoting it offline, as well, to your brick-and-mortar shoppers.

Also pay attention to social media data such as Facebook likes and Pinterest pins. What’s trending on social sites can help with merchandising and marketing. Consider something similar in your brick-and-mortar business. Take note of the most liked, viewed, and pinned items online and then leverage that information when making decisions regarding product displays, inventory and more.

You can also use offline information to enhance your ecommerce site. Utilize in-store analytics tools, such as people counters and sensors, to better understand how your offline customers behave and then compare that with online behavioral data to spot patterns and opportunities.

Qualitative information, such as shoppers’ common questions and concerns, can also be used to improve your online shop. For instance, if your physical store associates keep getting the same questions about a particular product, there’s a good chance that online shoppers have similar queries. So you may want to include the answer in that item’s product description page.

Use Smartphone Beacons in Physical Stores

Beacons are Bluetooth-enabled devices that let brick-and-mortar merchants send customized offers and recommendations to their shoppers via their smartphones based on where the shoppers are in the store. For example, if a shopper is in the footwear department, the retailer can use its store beacons to send the shopper a coupon for shoes. Bricks-and-clicks businesses can also use the technology to send tailored offers to shoppers based on their online behavior.


September 9th, 2014 by Elma Jane

The use of customer data can help you make smarter decisions that can improve your store, enhance the shopper experience, and increase conversions. When used incorrectly, however, data can waste resources and alienate your visitors.

Ways that ecommerce merchants commonly misuse data:

Collecting Unnecessary Data

Big Data analytics and reporting tools can put a lot of information in your hands, but that doesn’t mean you should collect and track every single metric. Don’t waste space and bandwidth collecting information that is not essential in your business. Unnecessary data can create noise that slows down the analytics process. Gathering and analyzing information you don’t need can distract you from the metrics that matter. Collecting too much data can create security headaches. The best defense against breaches is to not have data to steal. If you don’t need it, don’t collect it.

Determine your store’s key performance indicators before collecting any information. A good way of doing this is to examine each metric and ask yourself whether it’s just nice to know or is something that you can actually act on. While it may be nice to know that a particular customer has a high Klout Score, that metric probably won’t do anything for your bottom line. It’s better to not bother with it. Key metrics vary from one business to the next. For most ecommerce sites, the important metrics usually include conversion rate, traffic sources, and on-site browsing activities.

Creeping-out Shoppers

Most retailers do this inadvertently when they’re trying to customize the shopper experience. A certain amount of personalization can provide value and convenience to users, but you also have to draw the line between cool personalization and creepy. Sending emails with tailored product recommendations is a good way to increase conversions. But you have to be careful with how you execute it, so that you don’t appear too intrusive. The same goes for remarketing banner ads.

Ignoring Qualitative Information

Numbers can produce many insights, but focusing solely on that data can create an incomplete view of your company. The best data strategies make use of both quantitative and qualitative information. Go beyond the numbers to get the pulse of your customers by collecting feedback through social interactions, customer service logs, surveys with open-ended questions and more. Qualitative information can complement and validate the hard numbers.

Using Data to Justify a Decision or Hypothesis

When it comes to data collection, many merchants fall into the confirmation bias trap, wherein they interpret the information to confirm their existing beliefs or to justify their decisions. Using data this way causes you to ignore information or results that aren’t in line with your beliefs and could result in you missing opportunities. Say a company has so much faith in its new marketing strategy that when website traffic improves, the staff deems the campaign a success without looking at the conversion or retention rates. If the staff had ignored initial biases and looked at the big picture instead, they could have identified flaws and found ways to correct them. The key to addressing this is to have an open mind when interpreting information. This can be difficult, especially when you’re too close to your business. Consider a third-party specialist who can remain objective, to help make the right decisions.

 
