August 19th, 2014 by Elma Jane

In response to the third-party threat, the PCI Security Standards Council has published a guide to help organizations and their business partners reduce risk by better understanding their respective roles in securing card data.

The Third-Party Security Assurance Information Supplement provides guidance and practical recommendations to help businesses and their partners protect data, including:

Conduct due diligence and risk assessment when engaging third party service providers to help organizations understand the services provided and how PCI DSS requirements will be met for those services.

Develop appropriate agreements, policies and procedures with third-party service providers that include considerations for the most common issues that arise in this type of relationship.

Implement an ongoing process for maintaining and managing third-party relationships throughout the lifetime of the engagement, including the development of a robust monitoring program.

Implement a consistent process for engaging third parties that includes setting expectations, establishing a communication plan, and mapping third-party services and responsibilities to applicable PCI DSS requirements.

One of the big focus areas in PCI DSS 3.0 is security as a shared responsibility. This guidance is an excellent companion document to the standard in helping merchants and their business partners work together to protect consumers’ valuable payment information.

Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security

August 11th, 2014 by Elma Jane

Tokenization technology has been available to keep payment card and personal data safer for several years, but it’s never had the attention it’s getting now in the wake of high-profile breaches. Still, merchants, especially smaller ones, haven’t necessarily caught on to the hacking threat or to how tools such as tokenization limit exposure. That gap in understanding places ISOs and agents in an important place in the security mix: it’s their job to get the word out to merchants about the need for tokenization. That can begin with explaining what it is.

The biggest challenge that ISOs will see, and are seeing, is this lack of awareness of the threats that are impacting that business sector. Data breaches are happening at small businesses, and even if merchants get past the point of accepting that they are at risk, they have no clue what to do next. Tokenization converts payment card account numbers into unique identification symbols for storage or for transactions through payment mechanisms such as mobile wallets. It’s complex and not enough ISOs understand it, even though it represents a potential revenue-producer, and the industry as a whole is confused over tokenization standards and how to deploy and govern them.

ISOs presenting tokenization to merchants should echo what security experts and the Payment Card Industry Security Council often say about the technology: it’s a needed layer of security to complement EMV cards. EMV takes care of the card-present counterfeit fraud problem, while tokenization deters hackers from pilfering data from a payment network database. The Target data breach during the 2013 holiday shopping season haunts the payments industry. If Target’s card data had been tokenized, it would have been worthless to the criminals who stole it. It wouldn’t have stopped malware access to the database, but it would have been as though criminals breaking into a bank vault found, instead of piles of cash, poker chips that only an authorized user could cash at a specific bank.

A database full of tokens has no value to criminals on the black market, which reduces risk for merchants. Unfortunately, small merchants have not accepted the reality that there is malware attacking their point of sale and they are being exposed. That’s why ISOs should determine the level of need for tokenization in their markets. It is always the responsibility of those who are interacting with the merchant to have the knowledge for the market segment they are in. If you are selling to dry cleaners, you probably don’t need to know much about tokenization, but if you are selling to recurring billing or e-commerce merchants, you probably need a lot more knowledge about it.
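The “poker chips in the vault” picture above, as an added Python example that is not part of the original post and not any vendor’s product: a toy token vault hands the merchant a random token in place of the card number, reuses the same token when the same card returns (what recurring billing needs), and only lets a “payment-gateway” role turn a token back into a PAN. The key, role name and sample card numbers are constructed for the demo; the test numbers are publicly documented ones, not real accounts.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check (a plausibility check only)."""
    if not pan.isdigit() or len(pan) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy token vault: the only component that ever holds a real PAN.

    Tokens are random, so they have no mathematical relationship to the PAN.
    A keyed-hash index lets a returning card map to its existing token.
    In practice the vault and its key live in a PCI-scoped, HSM-backed
    service; here everything is in memory for the demo (assumption).
    """

    def __init__(self, index_key: bytes) -> None:
        self._index_key = index_key                # assumed: held in a KMS/HSM in production
        self._token_to_pan: dict[str, str] = {}    # token -> PAN, never leaves the vault
        self._index: dict[str, str] = {}           # HMAC(PAN) -> token, for repeat lookups

    def tokenize(self, pan: str) -> str:
        digits = pan.replace(" ", "")
        if not luhn_valid(digits):
            raise ValueError("not a plausible card number")
        idx = hmac.new(self._index_key, digits.encode(), hashlib.sha256).hexdigest()
        if idx in self._index:                     # same card seen before: reuse its token
            return self._index[idx]
        while True:
            token = "tok_" + secrets.token_hex(8)  # random; carries nothing about the PAN
            if token not in self._token_to_pan:
                break
        self._token_to_pan[token] = digits
        self._index[idx] = token
        return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Only the payment-gateway role (assumed name) may recover a PAN from a token."""
        if caller_role != "payment-gateway":
            raise PermissionError(f"role {caller_role!r} may not detokenize")
        return self._token_to_pan[token]


def build_merchant_db(vault: TokenVault) -> list[dict]:
    """What the merchant side stores for recurring billing: token plus display data only."""
    # Constructed sample customers; the PANs are publicly documented test numbers.
    customers = [
        ("alice", "4111 1111 1111 1111"),
        ("bob", "5555 5555 5555 4444"),
        ("alice", "4111 1111 1111 1111"),          # alice's card presented a second time
    ]
    records = []
    for name, pan in customers:
        token = vault.tokenize(pan)
        records.append({"customer": name, "token": token, "last4": pan[-4:]})
    return records


def has_any_pan(records: list[dict]) -> bool:
    """Simulate a dump of the merchant table: does any stored value look like a PAN?"""
    return any(luhn_valid(v) for r in records for v in r.values() if isinstance(v, str))


if __name__ == "__main__":
    vault = TokenVault(b"constructed-index-key")
    db = build_merchant_db(vault)
    print(db)
    print("merchant table contains a PAN:", has_any_pan(db))
    print("gateway charge for bob uses PAN:", vault.detokenize(db[1]["token"], "payment-gateway"))
```

The merchant table holds only tokens and last-four digits, so a dump of it yields nothing Luhn-valid; the gateway, which holds the vault, is the one place a token is ever cashed back into a card number.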

Tokenization is critical for some applications in payments. Any sort of recurring billing that stores card information should be leveraging some form of tokenization. Whether the revenue stream comes directly from tokenization services or is bundled into the overall payment acceptance product is not the most important factor. The point is that being able to tokenize the card number in recurring billing is an important value to the merchant, but ISOs sell tokenization products against a confusing backdrop of standards developed for different forms of tokenization. EMVCo, which the card brands own, establishes guidelines for EMV chip-based smart card use. It’s working on standards for “payment” tokenization with The Clearing House, which establishes payment systems for financial institutions. Both entities were working on separate standards until The Clearing House joined EMVCo’s tokenization working group to identify similarities and determine whether one standard could cover the needs of banks and merchants.

Posted in Best Practices for Merchants

August 8th, 2014 by Elma Jane

Apple talking to Visa about mobile payments

Apple is in talks with Visa as it ponders launching a mobile wallet this autumn. The latest bout of rumours suggest that the ability to make instore payments could finally arrive with the iPhone 6, although the information’s sources offer contradictory takes on the technology, with one saying that the system is likely to be NFC-based and another suggesting that it will rely on Bluetooth and WiFi. The report suggests that Apple will not be going down the host card emulation route, instead making use of the Secure Element, although the famously proprietorial tech titan has no intention of giving up any control to wireless carriers. Apple hopes that working with Visa will also help it bypass the payment processing chain, helping it to lower costs for merchants and customers.

Posted in EMV EuroPay MasterCard Visa, Mobile Payments, Smartphone, Visa MasterCard American Express

August 8th, 2014 by Elma Jane

Visa Inc., the global leader in payments, is helping U.S. fuel retailers prevent credit and debit card fraud at the pump with intelligent analytics that identify higher-risk transactions that may be fraudulent. Visa Transaction Advisor uses sophisticated analytics, based on the breadth and scale of VisaNet data, to flag the riskiest transactions. Visa created the service by working with fuel companies to understand their needs; it builds on Visa’s predictive analytics capabilities and gives fuel merchants more intelligence to prevent fraud and improve their bottom line. While global fraud rates across the Visa payment system remain near historic lows (less than 6 cents for every $100 transacted), fuel pumps can be targets for criminals because they are often self-service terminals. The new solution, Visa Transaction Advisor (VTA), enables merchants to use real-time authorization risk scores to identify transactions that could involve lost, stolen or counterfeit cards. A pilot test of the new service showed a 23 percent reduction in the rate of fraudulent transactions, all without costly infrastructure upgrades or disruption of the customer experience.

How It Works

After a cardholder inserts the card at the pump, Visa analyzes multiple data sets, such as past transactions, whether the account has been involved in a data compromise and nearly 500 other pieces of data, to create a risk score. This allows merchants to identify those transactions with a higher risk of fraud and perform further cardholder authentication before gas is pumped. The time and costs associated with resolving fraudulent transactions can be substantial for both merchants and financial institutions, and inconvenient for cardholders, which is one of the reasons why fraud prevention is critical. Visa’s solution is easy to implement, using existing message fields and formats as well as existing pump software or hardware to ensure minimal impact to merchants and acquirers. Several fuel merchants who piloted the technology over the last several months noticed a decrease in fraud without negatively impacting their consumers’ experience. VTA is a tool that helps mitigate fraudulent transactions: a pilot program in Los Angeles showed a 23 percent reduction in the rate of fraudulent chargebacks, with minimal impact to the customer experience, making secure payment at the pump as convenient as possible. Shell, which provides fuel to millions of customers each month through approximately 15,000 service stations in the United States, said through its US Credit Card Operations Manager that any new solution or technology it considers has to have a clear business benefit, be customer-centric and be easy to implement. With no infrastructure investment, Shell is testing VTA as part of a proactive fraud prevention tool-set to better identify fraudulent card activity earlier in the transaction cycle, without inconveniencing customers.

Visa Transaction Advisor is available to merchants through participating U.S. acquirers. Visa has partnered with Vantiv and is also working with other acquirers to offer the service to its fuel clients. Ease of implementation is a critical requirement whenever talking about a new merchant service. Visa Transaction Advisor builds on existing payment infrastructure, is easy to implement and flexible enough to allow customization by merchants.

Posted in Credit Card Security, EMV EuroPay MasterCard Visa, Visa MasterCard American Express

August 7th, 2014 by Elma Jane

Bill Me Later Is Now PayPal Credit, PayPal Working Capital Exceeds $150 Million and Both Are Going Global. Delivering flexible and convenient credit products is something Bill Me Later set out to do with eBay (PayPal): a vision to make shopping and paying easy, flexible and convenient. Today PayPal is announcing the evolution of Bill Me Later to PayPal Credit and the exceptional growth of PayPal Working Capital, a global portfolio of credit solutions that help people and businesses leap forward.

PayPal Credit Evolves and Plans to Expand to the UK and Germany

As people and businesses know and trust the PayPal name, this is a natural and logical brand transformation. It also demonstrates how credit is moving closer to the center of the business, aligning it more closely with the overall brand and working as a partner with businesses to spur growth. Customers and merchants across the pond have been asking for the flexibility and convenience of PayPal Credit in their markets, so today PayPal is also announcing the plan to introduce PayPal Credit to the UK and Germany. People will begin to see PayPal in places they haven’t seen it before, allowing shoppers to easily make purchases with financial flexibility.

Since the pilot program launched last September, more than 20,000 businesses have collectively borrowed more than $150 million in PayPal Working Capital business loans through PayPal’s lending partner, WebBank. The program is also expanding to the UK and Australia to fuel business growth. Businesses in these countries will have access to capital in minutes once they apply and are approved through a simple online interface. PayPal Working Capital allows these businesses to repay with a share of their sales that they choose, and they don’t repay on days they don’t have sales. The program uses a business’s sales history; there is no credit check or extensive documentation required. The loan charges a single, affordable fixed fee instead of periodic interest, so businesses know the cost of the loan up front. Offering these products more broadly is a sign of the power that credit brings to both merchants and consumers. Merchants can leverage credit as a tool to secure capital and grow their businesses. Additionally, they can offer credit with flexible payment options to their customers and see immediate sales, while consumers experience freedom of choice when buying what they want, when they want it.

Posted in Merchant Account Services News Articles

August 7th, 2014 by Elma Jane


Recent high-profile cyberattacks at retail giants like Target and Neiman Marcus have highlighted the importance of protecting your business against point-of-sale (POS) security breaches. Often, the smallest merchants are the most vulnerable to these types of cyberthreats. The latest of these POS attacks is known as Backoff, a malware with such brute force that the U.S. Department of Homeland Security (DHS) has gotten involved. The DHS recently released a 10-page advisory that warns retailers about the dangers of Backoff and tells them how they can protect their systems. Backoff and its variants are virtually undetectable (low to zero percent detection) by most antivirus software, which makes it all the more critical for retailers to make sure their networks and POS systems are secure.

How Backoff works

Backoff infiltrates merchant computer systems by exploiting remote desktop applications, such as Microsoft’s Remote Desktop, Apple Remote Desktop, Chrome Remote Desktop, Splashtop 2 and LogMeIn, among others. Attackers use these weaknesses to gain administrator and privileged access to retailer networks. Using these compromised accounts, attackers are able to launch and execute the Backoff malware on POS systems. The malware then makes its way into computer and network systems, gathers information and sends the stolen data to cybercriminals. The advisory warns that Backoff has four capabilities that enable it to steal consumer credit card information and other sensitive data: scraping POS and computer memory, logging keystrokes, Command & Control (C2) communication, and injecting the malware into explorer.exe. Although Backoff is a newly detected malware, forensic investigations show that Backoff and its variants have already struck retailers three times since 2013, the advisory revealed. Its known variants include goo, MAY, net and LAST.

Prevent a Backoff attack

To mitigate and prevent Backoff malware attacks, the DHS’ recommendations include the following:

Configure network security. Reevaluate IP restrictions and allowances, isolate payment networks from other networks, use data leakage and compromised account detection tools, and review unauthorized traffic rules.

Control remote desktop access. Limit the number of users and administrative privileges, require complex passwords and two-factor authentication, and automatically lock out users after inactivity and failed login attempts.

Implement an incident response system. Use a Security Information and Event Management (SIEM) system to aggregate and analyze events and have an established incident response team. All logged events should also be stored in a secure, dedicated server that cannot be accessed or altered by unauthorized users.

Manage cash register and POS security. Use hardware-based point-to-point encryption, use only compliant applications and systems, stay up-to-date with the latest security patches, log all events and require two-factor authentication.

Posted in Point of Sale
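The Backoff post above pairs two of the DHS recommendations, restricting remote desktop access and feeding logged events into a SIEM: the log review is where a remote-access abuse of the kind the advisory describes would first show up. The following Python is an added example, not code from the DHS advisory or any vendor, and it runs over a constructed log format (a hypothetical remote-access gateway in front of POS hosts, with RFC 5737 documentation addresses). It flags three things a defender wants from such logs: an account passing the failed-login lockout threshold, a success that follows such a burst, and any remote success from a source outside the approved allowlist. The allowlist, threshold and window are assumed policy values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (hypothetical gateway); one event per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)

# Assumed policy values: approved remote sources, lockout threshold and window.
ALLOWED_REMOTE_SOURCES = {"198.51.100.10"}   # constructed: the vendor support jump host
MAX_FAILURES = 5
WINDOW = timedelta(minutes=10)

# Constructed sample events, including one malformed line.
SAMPLE_LOG = """
2014-08-01T10:00:05Z host=pos-01 user=admin src=203.0.113.5 result=FAILURE
2014-08-01T10:00:09Z host=pos-01 user=admin src=203.0.113.5 result=FAILURE
2014-08-01T10:00:14Z host=pos-01 user=admin src=203.0.113.5 result=FAILURE
2014-08-01T10:00:20Z host=pos-01 user=admin src=203.0.113.5 result=FAILURE
2014-08-01T10:00:27Z host=pos-01 user=admin src=203.0.113.5 result=FAILURE
2014-08-01T10:00:33Z host=pos-01 user=admin src=203.0.113.5 result=FAILURE
2014-08-01T10:00:40Z host=pos-01 user=admin src=203.0.113.5 result=SUCCESS
2014-08-01T10:05:00Z host=pos-02 user=support src=198.51.100.10 result=SUCCESS
2014-08-01T10:06:00Z host=pos-02 user=clerk src=198.51.100.10 result=FAILURE
2014-08-01T10:06:10Z host=pos-02 user=clerk src=198.51.100.10 result=SUCCESS
this line is not in the expected format
""".strip().splitlines()


def parse(line: str):
    """Parse one line into a dict with a datetime 'ts', or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ev


def analyze(lines, allowed=ALLOWED_REMOTE_SOURCES, max_failures=MAX_FAILURES, window=WINDOW):
    """Return (rule, host, user, src) findings in the order the events trigger them."""
    findings = []
    recent_failures = defaultdict(deque)   # (host, user) -> failure timestamps in window
    lockout_alerted = set()                # avoid re-alerting the same burst every event
    for ev in map(parse, lines):
        if ev is None:
            continue                       # malformed: skipped here, counted in a real pipeline
        key = (ev["host"], ev["user"])
        q = recent_failures[key]
        while q and ev["ts"] - q[0] > window:   # slide the window forward
            q.popleft()
        if ev["result"] == "FAILURE":
            q.append(ev["ts"])
            if len(q) >= max_failures and key not in lockout_alerted:
                findings.append(("LOCKOUT_THRESHOLD", ev["host"], ev["user"], ev["src"]))
                lockout_alerted.add(key)
        else:
            if len(q) >= max_failures:     # a success right after a burst of failures
                findings.append(("SUCCESS_AFTER_BRUTE_FORCE", ev["host"], ev["user"], ev["src"]))
            if ev["src"] not in allowed:   # remote login from outside the approved set
                findings.append(("UNAPPROVED_SOURCE", ev["host"], ev["user"], ev["src"]))
            q.clear()
            lockout_alerted.discard(key)
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

Only the admin account on pos-01 produces findings in the sample: it crosses the five-failure threshold, then succeeds from an address that is not the approved jump host. The support and clerk logons from the allowed source stay quiet, which is the behaviour you want before wiring a rule like this into a SIEM alert.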

July 22nd, 2014 by Elma Jane

Facebook has begun testing a buy button which lets users purchase products advertised on the social network. Meanwhile, Twitter is also stepping up its commerce game, acquiring payments outfit CardSpring.

Facebook users on desktop or mobile can now click a buy call-to-action button on ads and page posts to purchase a product directly from a business, without leaving the social network. Users can pay with a card that Facebook already has on file or enter new details and save them for future use or have them forgotten. No payment details are shared with advertisers. So far, the system is only being tested with a few small and medium-sized businesses in the US.

Separately, Twitter is also looking to strengthen its commerce credentials, buying CardSpring for an undisclosed fee. CardSpring provides an API designed to make it easy for developers to link digital applications to payment cards. It is expected that CardSpring’s technology will help merchants offer discounts in tweets, with customers entering their card details so that when they make a purchase at a later date, the saving is automatically applied.

Posted in Uncategorized

June 20th, 2014 by Elma Jane

According to a recent survey, 82 percent of e-commerce merchants who currently do not employ a consumer authentication solution are afraid that such solutions will scare off online shoppers. But with more and more fraud expected to migrate online in the coming years, the payments industry needs to do a better job of informing merchants why authentication in the card-not-present realm is crucial to data security.

While a majority of payment service companies employ some type of 3-D Secure online authentication, and most large merchants do likewise, the rest of the merchant population, especially in North America, apparently do not. Fifty-five percent of merchants surveyed, a majority of which are U.S.-based, do not use online authentication, and North America is the only world region where less than half of merchants use the technology. The reason so many U.S. merchants eschew consumer authentication is that they see it as a sales killer.

The main reason appears to be fear, uncertainty and doubt (FUD) about how consumer authentication will impact sales conversion and user experience. Forty-three percent of merchant respondents are FUD-preoccupied, with 20 percent concerned about the effect of the technology on sales conversion, 13 percent worried about changing the user experience and 10 percent simply wanting nothing to do with consumer authentication. Beyond the FUD concerns, there is also a very real perception among merchants and service providers that integration is long and difficult: 21 percent of merchants who do not employ authentication cite the time and/or cost of integration as the barrier.

End to FUD

The solution to merchant adoption of some form of 3-D Secure technology is apparently education. Many FUD concerns are related to a hangover effect caused by bad experiences with previous iterations of consumer authentication. But the report provides evidence that the FUD factor can be overcome because of the satisfaction that authentication-using merchants express, with 81 percent of merchant respondents satisfied with the solutions they have employed.

The report said nearly half of merchants surveyed said authentication had no effect on sales conversion, either positive or negative; however, almost 20 percent believe it has had a positive effect on sales. The positive result seems to be related to merchants who use authentication selectively, on specific transactions rather than on all of them. Additionally, the technology results in many merchants experiencing lower numbers of chargebacks. Amongst merchants, 59 percent overall say the authentication program brought a decrease in chargebacks and this is true for more than half of merchants from each geographic region.

FYI on FUD

Adoption is very low because not many people understand it. Online verification does slow the checkout process, as a second screen pops up that consumers must navigate in order to proceed with the purchase. However, these barriers can be overcome with education and simply getting people comfortable with the technology. If this solution had been on all e-commerce sites from day one, nobody would be complaining today, because people would be used to doing it. It is a question of achieving ubiquity rather than taking a piecemeal approach to implementation. It is a matter of whether you do it at one place or every place: if you have to do it at only one location, that makes that one site stand out; if all sites ask the same question, you get used to it.

Consumer authentication is also something that requires buy-in from issuers, acquirers and merchants. It is a participation solution, where the issuer and the acquirer both have to be participating in it. If you are an e-commerce site certified with Verified by Visa, the card brand’s proprietary version of 3-D Secure, but the card issuer has not embraced it, then the security will not happen.

The increasing number and frequency of breaches is slowly eroding consumers’ trust in the safety of e-commerce. It’s not good for the whole ecosystem. At some point people will come back and say this is too risky, and stop doing online transactions with cards. Before that point is reached, businesses should improve their online defenses, and consumer authentication is central to that defense. With the U.S. payments infrastructure in the process of transitioning to the Europay/MasterCard/Visa (EMV) chip card standard at the physical POS, fraud in the United States will sharpen its focus on the less secure online channel. EMV will do a lot of good in terms of card-present security, but it does not do anything for card-not-present environments. So how are we going to contain the online fraud? We have to go to a 3-D Secure type solution.

Posted in Best Practices for Merchants

June 19th, 2014 by Elma Jane

API Software Inc. has created an application ISOs can use to help merchants tabulate the best payment services deals. The Square Deal Pro app for the merchant services industry enables sales reps to compare their company’s rates to those of Square, PayPal, Stripe and other payments aggregators. Essentially, the application takes the mathematics burden off of the merchant and helps an ISO or agent compare bundled pricing with interchange-plus pricing.

Frank Haggar, a software developer, started asking merchants why they chose a certain provider, and they just said the pricing was simpler. It might be more expensive, but it was easier for them to understand. That moved him to develop Square Deal Pro. It’s software that salespeople can have right on their phones; it makes a comparison that is easy to understand. Square Deal Pro, which operates on iPhones, Android devices and Windows phones, was established as a vendor-neutral tool that is also available for merchants to download if they are inclined to crunch the numbers themselves. Service providers pay for the application and all of its sales features, but a free version for price comparisons only is available to merchants.

Merchants are experts in what they know how to do, and they may not want something that includes math distracting them from that, but the sales rep can do it for them and use it along the lines of a calculator helping someone figure out mortgage rates. ISOs have various tools at their disposal and lock key information in their heads to prepare for sales presentations, but most will likely find Square Deal Pro a valuable addition. Something that takes complicated pricing schemes, factors them into an easy interface and puts out a clear comparison is valuable, certainly out in the field.

API Software has to deliver something difficult or impossible to copy, because that would set this product permanently apart as opposed to being a lead-in to other similar products in the market. An ISO can change rates or make adjustments for a client if the numbers show that another provider is offering a less expensive option, but the numbers in the app don’t lie. The app will show how a bundled rate can work in your favor: if you are selling Girl Scout cookies at $3 a box, then use Square all day long. But an ISO can compare how his product works compared to others, and the app can show that, at a certain point, it might be beneficial to switch over.

Square Deal Pro takes into account factors other than interchange rates, including merchant volume, average ticket price and whether transactions are keyed or swiped or both. All of those things determine where you fit in on the diagram of how your rate should be structured. There is a lot of analysis on minimal focal points. The application may also help defuse potential problems with merchants who sometimes feel their sales rep was not providing a fair assessment of pricing structure or comparisons.
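The comparison the post describes, bundled pricing against interchange-plus pricing given a merchant’s volume, average ticket and keyed-versus-swiped mix, comes down to a small amount of arithmetic. The Python below is an added example, not Square Deal Pro’s code or any provider’s actual rate card; every rate in it is an assumed, illustrative figure. It prices a month under both plans, reports the effective rate, and derives the break-even ticket size at which the per-transaction fees of interchange-plus stop outweighing its lower percentage, which is the switch-over point the post alludes to.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class MerchantProfile:
    monthly_volume: float    # dollars processed per month
    average_ticket: float    # dollars per transaction
    swiped_share: float      # 0.0 (all keyed) .. 1.0 (all swiped)

    @property
    def transactions(self) -> float:
        return self.monthly_volume / self.average_ticket


@dataclass(frozen=True)
class BundledPricing:
    """Flat-rate plan: one percentage of volume plus an optional per-transaction fee."""
    rate: float
    per_txn: float = 0.0

    def monthly_cost(self, m: MerchantProfile) -> float:
        return m.monthly_volume * self.rate + m.transactions * self.per_txn


@dataclass(frozen=True)
class InterchangePlusPricing:
    """Interchange passed through (keyed costs more than swiped) plus the provider's markup."""
    ic_swiped_rate: float
    ic_keyed_rate: float
    ic_per_item: float
    markup_rate: float
    markup_per_txn: float

    def blended_rate(self, swiped_share: float) -> float:
        ic = swiped_share * self.ic_swiped_rate + (1 - swiped_share) * self.ic_keyed_rate
        return ic + self.markup_rate

    def monthly_cost(self, m: MerchantProfile) -> float:
        return (m.monthly_volume * self.blended_rate(m.swiped_share)
                + m.transactions * (self.ic_per_item + self.markup_per_txn))


def compare(m: MerchantProfile, bundled: BundledPricing, ic_plus: InterchangePlusPricing) -> dict:
    """Monthly cost and effective rate under each plan, and which one is cheaper."""
    b = bundled.monthly_cost(m)
    i = ic_plus.monthly_cost(m)
    return {
        "bundled": round(b, 2),
        "interchange_plus": round(i, 2),
        "bundled_effective_rate": round(b / m.monthly_volume, 4),
        "interchange_plus_effective_rate": round(i / m.monthly_volume, 4),
        "cheaper": "bundled" if b < i else "interchange_plus",
    }


def breakeven_ticket(bundled: BundledPricing, ic_plus: InterchangePlusPricing,
                     swiped_share: float) -> Optional[float]:
    """Ticket size where the two plans cost the same; above it interchange-plus wins.

    Setting the two per-dollar costs equal and solving for the ticket t:
        rate_b + per_txn_b / t = rate_ic + per_txn_ic / t
    Returns None when bundled's percentage is not higher, i.e. no crossover exists.
    """
    rate_gap = bundled.rate - ic_plus.blended_rate(swiped_share)
    fee_gap = (ic_plus.ic_per_item + ic_plus.markup_per_txn) - bundled.per_txn
    if rate_gap <= 0:
        return None
    return fee_gap / rate_gap


# Assumed, illustrative rate cards (not any provider's real pricing).
ASSUMED_BUNDLED = BundledPricing(rate=0.0275)
ASSUMED_IC_PLUS = InterchangePlusPricing(ic_swiped_rate=0.0165, ic_keyed_rate=0.0195,
                                         ic_per_item=0.10, markup_rate=0.0020,
                                         markup_per_txn=0.10)

if __name__ == "__main__":
    # Constructed merchants: $3 cookie boxes versus $60 tickets, same monthly volume.
    for profile in (MerchantProfile(3000.0, 3.0, 1.0), MerchantProfile(3000.0, 60.0, 1.0)):
        print(profile.average_ticket, compare(profile, ASSUMED_BUNDLED, ASSUMED_IC_PLUS))
    print("break-even ticket (swiped):", round(breakeven_ticket(ASSUMED_BUNDLED, ASSUMED_IC_PLUS, 1.0), 2))
```

With these assumed cards the $3 cookie merchant pays far less on the flat rate because a thousand small tickets each carry the interchange-plus per-item fees, while the $60-ticket merchant at the same volume is cheaper on interchange-plus; the break-even lands at about $22 per ticket, and keyed transactions move it higher.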

As for the application’s name, Haggar doesn’t want any confusion over whether this might be a new Square product.

Posted in Best Practices for Merchants

June 4th, 2014 by Elma Jane

Zavers, the online coupon program that was launched through Google 17 months ago, is just going to be one of those things that didn’t work out. Google announced yesterday that it is pulling the program due to lack of interest. Zavers allowed users to clip coupons online and use them in-store. It was intended to help merchants build more targeted and effective loyalty and reward programs.

Zavers was basically a coupon program tied to the merchant point-of-sale system. The integration process with POS systems was proving challenging, and retailers were not too keen on sharing their data with Google.

Google has said it will continue to work closely with users through the transition away from Zavers, and that it continues to move forward with a greater focus on the more successful areas of its initial entrance into payments, such as product listing ads, Google Shopping Express and Google Wallet.

Posted in Uncategorized