May 8th, 2014 by Elma Jane
The complexity derives from PCI’s Data Security Standards (DSS), which include up to 13 requirements that specify the framework for a secure payment environment for companies that process, store or transmit credit card transactions.
Make PCI DSS Assessment Easier
Training and educating employees. Technical employees should obtain any certifications or training classes necessary so that they can operate and monitor the security control set in place. Non-technical employees must be trained on general security awareness practices such as password protection, spotting phishing attacks and recognizing social engineering. All the security controls and policies in the world will provide no protection if employees do not know how to operate the tools in a secure manner. Likewise, the strongest 42-character password with special characters, numbers, mixed case, etc. is utterly broken if an employee writes it on a sticky note attached to their monitor.
For an organization to effectively manage its own risk, it must complete a detailed risk analysis on its own environment. The goal of the risk analysis is to determine the threats and vulnerabilities to the services performed and the assets held by the organization. As part of a risk assessment, the organization should define critical assets, including hardware, software, and sensitive information, and then determine risk levels for those components. This in turn allows the organization to determine priorities for reducing risk. It is important to note that risks should be prioritized for systems that will be in-scope for PCI DSS and then other company systems and networks.
Once the risk assessment has been completed the organization should have a much clearer view of its security threats and risks and can begin determining the security posture of the organization. Policies and procedures form the foundation of any security program and comprise a large percentage of the PCI DSS requirements. Business leaders and department heads should be armed with the PCI DSS requirements and the results of the risk analysis to establish detailed security policies and procedures that address the requirements but are tailored to business processes and security controls within the organization.
Building upon the foundation of security policies, the committee of business leaders and department heads should now review the PCI DSS requirements in detail and discuss any potential compliance gaps and establish a remediation plan for closing those gaps. This is where it is important to have the full support of business leaders who can authorize necessary funds and manpower to implement any remediation activities.
This is also the time to schedule the required annual penetration testing. These tests are typically performed by third parties, although that is not required, and they can take some time to schedule, perform, and remediate (if necessary). The results of a PCI DSS assessment will be delayed until the penetration test is completed, so now is the time to schedule the test.
At this point the organization is ready for a full-scale PCI DSS assessment and can now enter a maintenance mode where periodic internal audits occur and regular committee meetings are held to perform risk assessments and update policies, procedures, and security controls as necessary to respond to an ever-changing threat landscape. PCI DSS must become integrated into the everyday operation of the organization so that the organization remains secure and to ease the burden of the annual assessments.
Payment Card Industry (PCI) compliance assessment is a major task for any size organization, but you can make it easier.
February 21st, 2014 by Elma Jane
Emerging economies, such as the BRIC countries and the next layer of emerging markets, are seeing particularly fast growth of alternative payments, said Kevin Dallas, chief product and marketing officer for e-commerce at WorldPay. This means the complexity of the payment landscape will increase further. Merchants will need to ensure they understand diverging regional and sector trends in preferred methods of payment.
In three years alternative payments will eclipse credit card payments as the dominant way to pay online, according to a report yesterday from London-based e-commerce processor WorldPay. In Your Global Guide to Alternative Payments (Second Edition), WorldPay found card payments online, which accounted for 57 percent of transactions in 2012, will fall to 41 percent in 2017. Alternative payment methods (defined by the report as anything other than credit or debit cards including bank transfers, direct debits, e-wallets, mobile, COD and others) will rise to 59 percent of online transactions in the next three years. Part of the reason is the preferred payment methods in some of the fastest growing e-commerce markets are not cards.
The report predicts e-wallet transactions alone will equal the number of credit card transactions online at 41 percent, becoming the most popular method of paying online globally by 2017. Currently, PayPal is the most popular alternative payment method in the world with a market share of 57 percent. China’s Alipay is second at 20 percent.
February 18th, 2014 by Elma Jane
Payment Tokenization Standards
Tokenization is the process of replacing a traditional card account number with a unique payment token that is restricted in how it can be used with a specific device, merchant, transaction type or channel. When using tokenization, merchants and digital wallet operators do not need to store card account numbers; instead they are able to store payment tokens that can only be used for their designated purpose. The tokenization process happens in the background in a manner that is expected to be invisible to the consumer.
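The domain restriction described above can be sketched as a small token vault. This is an added illustration, not EMVCo's specification or any processor's code; the `Domain` fields, the class and function names, and the choice to keep the last four digits in the token are assumptions, and the card number is the widely used test value `4111111111111111`.

```python
"""Toy token vault: a payment token bound to one merchant and channel."""
import secrets
from dataclasses import dataclass


class TokenError(Exception):
    """Raised when a token is unknown or presented outside its domain."""


@dataclass(frozen=True)
class Domain:
    merchant_id: str  # who is allowed to present the token (hypothetical field)
    channel: str      # e.g. "ecommerce", "nfc", "in_app" (hypothetical values)


def luhn_ok(number: str) -> bool:
    """Standard Luhn checksum used to sanity-check card account numbers."""
    if not (number.isascii() and number.isdigit()):
        return False
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Only the vault holds the token -> account number mapping."""

    def __init__(self):
        self._records = {}  # token -> (pan, Domain)

    def tokenize(self, pan: str, domain: Domain) -> str:
        if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a valid card account number")
        while True:
            # Random digits; last four kept so receipts still look familiar.
            body = "".join(secrets.choice("0123456789")
                           for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._records:
                break
        self._records[token] = (pan, domain)
        return token

    def detokenize(self, token: str, presented: Domain) -> str:
        record = self._records.get(token)
        if record is None:
            raise TokenError("unknown token")
        pan, bound = record
        if presented != bound:
            # A token copied from one merchant or channel is useless elsewhere.
            raise TokenError("token presented outside its domain")
        return pan


if __name__ == "__main__":
    vault = TokenVault()
    shop = Domain("MERCHANT-A", "ecommerce")      # constructed sample values
    token = vault.tokenize("4111111111111111", shop)
    print("merchant stores:", token)
    print("in-domain lookup ok:",
          vault.detokenize(token, shop) == "4111111111111111")
    try:
        vault.detokenize(token, Domain("MERCHANT-B", "ecommerce"))
    except TokenError as exc:
        print("other merchant rejected:", exc)
```

The merchant's database holds only the token, so a copy of that database does not expose card account numbers, and a token replayed by a different merchant or over a different channel is rejected by the vault.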
EMVCo – which is collectively owned by American Express, Discover, JCB, MasterCard, UnionPay and Visa – has announced that it is expanding its scope to lead the payments industry’s work to standardize payment tokenization. EMVCo says that the new specification will help provide the payments community with a consistent, secure and interoperable environment to make digital payments when using a mobile handset, tablet, personal computer or other smart device.
Key elements of EMVCo’s work include adding new data fields to provide richer industry information about the transaction, which will improve transaction efficiency and enhance the consumer and merchant payment experience by helping to prevent fraudulent card account use. EMVCo will also create a consistent approach to identify and verify the valid use of a token during payment processing including authorization, capture, clearing and settlement.
EMVCo’s announcement follows an earlier joint announcement from MasterCard, Visa and American Express that proposed an initial framework for industry collaboration to standardize payment tokenization. EMVCo says it will now build on this framework with collective input from all of its members and the industry as a whole.
December 2nd, 2013 by Elma Jane
Post Office launches new payments service to help small businesses make more money.
The Post Office, in partnership with WorldPay, has launched a new card payment service to help sole traders and small businesses. The Post Office, which services around four million small businesses, will offer them a range of ways to take secure card payments made in-store, online, via mail or telephone order, or on the move, which it hopes will plug a 20 per cent revenue gap between firms that accept card payments and those that don’t. According to new WorldPay research, 87 per cent of customers are likely to spend more money per transaction when paying with a debit or credit card, as opposed to cash.
The study also showed that during the past year one in five UK consumers has had to abandon a purchase because a small business or sole trader did not accept cards or because they weren’t carrying enough cash to pay. The service includes card machines for in-store payments or those made via mail or telephone order, and online payment pages for websites.
There is also a Pay As You Go option for sole traders and mobile businesses, like hairdressers or beauty therapists, who can sign up to take secure Chip and PIN card payments.
December 2nd, 2013 by Elma Jane
Europay, Mastercard, and Visa (EMV) standards. Considered safer and widely used across Europe and other nations, the chip-based cards require insertion of the card into a terminal for the duration of a transaction, a break here from our traditional swipe-and-buy behavior. That’s just one way in which EMV changes things here… but it’s not the only way, nor is it the most important way. By way of reminder, October 2015 is the date by which all restaurants and other merchants are due to have implemented these standards, or potentially be liable for counterfeit fraud, which primarily reflects a shift from magnetic-stripe credit cards to chip cards.
The main driver in the EMV migration is card-related financial fraud. As an example, and traditionally, card fraud in the United Kingdom has always been considerably higher than here in the States, primarily because the U.K. previously used offline card authorization as opposed to the online card methodology used here. As losses due to fraud rose steadily in Europe, despite the best efforts of global law enforcement agencies to reduce it, the pressure to find a solution built around some alternative authentication strategy mounted. From this concern, EMV was born.
Is it working? Recent statistics from the European Central Bank (ECB) revealed that, despite growing card usage, fraud in the Single Euro Payments Area (SEPA) – a mature EMV territory that includes all 28 members of the European Union, Finland, Iceland, Liechtenstein, Monaco and Norway – fell 7.6% between 2007 and 2011. This decline is underpinned by a slowdown in the growth of ATM fraud as well as a 24% drop in fraud carried out at point of sale terminals. The 2008 Canadian roll-out of Chip and PIN had a dramatic impact on fraud there. Card skimming had accounted for losses totaling $142 million, but that figure dropped to $38.5 million in 2009, according to figures provided by the Interac Association. Some critics point to the fact that most of this decrease comes in the form of face-to-face card fraud, and that criminals merely shift their focus onto some other area that is less anti-fraud focused. Still, there are positive gains and as technologies improve, more successes are sure to follow.
Part of the reason why the U.S. has not embraced EMV sooner is that our fraud problem, while significant, has typically been among the lowest rates in the world among highly developed, economically mature countries. Much of that is due to the online authentication methods at work here. Here at home, our online authentication methodology permits authorizations to be done in real time, thus thwarting a significant percentage of the fraudulent attempts at the point of sale, the best place to stop fraud. Our online authentication methods also incorporate multiple fraud and risk parameters as well as advanced neural networks that are ‘built-in’ to the approval process. It’s been a highly effective system that works well when compared to most alternatives. The effectiveness of our authentication processes has helped fuel the resistance to full EMV adoption here. However, the EMV migration has gained momentum to the point where it is only a matter of time. The truth is that, despite the gains in preventing credit card fraud, and despite the best efforts of EMV’s backers to push acceptance through, global adoption of the EMV standard is still considerably less than 100%.
In England’s old offline authentication method, credit card transactions were gathered together at specific times, typically at the end of the business day, and then batched over to the card issuers for authorization. It’s a method that gave those committing fraud a significant time lag between the transaction and the authorization, and this time lag contributed greatly to the higher levels of fraudulent activities in England. However, for Europe and for much of the rest of the world, adoption of the EMV technologies changes things dramatically, at least in terms of authentication protocols for both online and offline purchases. During an offline transaction using the EMV chip card, the payment terminal communicates with the integrated circuit chip (ICC) embedded in the payment card. This is a break from the old method, which involved using telecommunications to connect with the issuing bank. The ICC / terminal connection enables real-time card authentication, cardholder verification, and payment authorization offline. Alternatively, in an online EMV transaction, the chip generates a cryptogram that is authenticated by the card issuer in real time.
November 14th, 2013 by Elma Jane
Los Angeles-based company Verifi, which provides antifraud and risk-management services, recently secured a patent for its dispute-resolution technology that enables merchants to avoid chargebacks by turning them into refunds earlier in the process. According to the patent abstract, the patent covers “receiving, at the partner platform, an inquiry/dispute event notification,” and “refunding the transaction or canceling future or recurring charges associated with the transaction.”
Verifi noted in the patent application that consumers are increasingly contacting their issuing bank first in the case of a disputed credit or debit card charge, cutting the merchant out until later in the process. The patent in question, in addition to streamlining the process for issuers engaged in the dispute process, helps recurring merchants by removing cardholders from the recurring payment program during the resolution process so additional charges will not come into question until the original dispute is settled.
November 12th, 2013 by Elma Jane
Since Medical Transcriptions is one of the products and services offered by National Transaction Corporation under National Transcription Corporation, I just want to share this topic.
The abuse of the medical credit card system is growing by the day because many doctors are making these cards appear like an in-house payment program. Most patients are inclined to pay their doctor for their services directly, but they are more hesitant when a credit card is involved. Some medical professionals are masking the true source of their lending services and thus putting their clients at risk.
An example of this form of abuse can be seen in a company called CareCredit. Nearly 90% of New Yorkers in the CareCredit program opted for a program with no interest if the amount was paid in full. A quarter of them ended up paying 26.99% interest on their accounts instead. CareCredit has more than seven million cardholders nationwide, and it is currently the defendant in a variety of civil lawsuits.
If you are offered a chance to take a credit card to cover your medical expenses, you should fully research the card before signing on the dotted line. Fully understand the terms of the card before agreeing to anything so you don’t end up in heavy debt.
Medical credit cards are designed to help people pay for procedures they may not be able to afford on their own. These cards give patients a chance to undergo the procedures their insurance may not pay for, as well as giving the doctor the opportunity to get their money right away.
While this may seem like a great setup, most patients are pressured into getting medical credit cards without knowing the excessive costs sometimes associated with them. They can fall into a debt trap very quickly.
October 24th, 2013 by Elma Jane
Reflecting recent research that concludes mobile payment adoption remains low, Total System Services Inc. (TSYS) issued results from a survey that confirm consumers prefer banking applications other than payments for their mobile devices.
While reinforcing the dominance of debit and credit cards as payment mechanisms, the TSYS 2013 Consumer Payment Choice Study revealed that mobile devices are used as a tool for ancillary financial services, such as checking account balances and accessing discounts and rewards.
“For now, the hype largely remains hope for mobile from a payments standpoint,” the survey said. “On a relative basis, consumers would overwhelmingly prefer to have the ability to use their smartphone to monitor transaction activity or prevent fraud versus using their mobile phone as a form factor in a transaction.”
Columbus, Georgia-based processor TSYS found in its third annual survey that, out of 1,000 consumers surveyed online in the summer of 2013, 40 percent of respondents were interested in using mobile devices to instantly stop illegitimate transactions. Additionally, 37 percent indicated that the ability to view in real-time the transactions made with debit and credit cards was also an important feature.
Receiving instant offers and promotions from stores being visited (33 percent); temporarily blocking and unblocking purchases using certain bankcards (29 percent); and paying for purchases using reward/loyalty points (28 percent) rounded out the top payment-related uses for smartphones.
At the bottom of the scale was to pay for purchases with mobile wallets (25 percent) and to use credit or debit card-funded prepaid accounts for the same purpose (22 percent). “Industry observers regard mobile payments as an assumed eventuality,” TSYS stated. “Our survey results indicate that consumers are presently more interested in increased non-payment functionality on their mobile device.”
But the processor remains optimistic about the promise of mobile payments. “We believe that as the infrastructure matures and the ability to use mobile payments becomes more widespread, this trend will change,” TSYS said.
Prepaid undermarketed?
In addressing the role of prepaid cards in the payment mix, TSYS expressed surprise that prepaid cards are apparently not being marketed aggressively by financial institutions. The processor noted that major banks jumped into the prepaid card industry in 2012 to offer general-purpose reloadable (GPR) prepaid cards as checking account alternatives.
But TSYS found that just over 10 percent of survey respondents indicated they had received GPR card offers from their banks. TSYS attributed that low percentage to the fact that the survey respondents were by default credit and debit card users, while GPR cards are primarily targeted to individuals without access to credit or debit cards.
Regardless, survey respondents aged 35 and younger accounted for 64 percent of those who had received such offers. “It could be that the younger demographic on average represents a less profitable checking relationship for banks, or that banks perceive them to be more receptive to the offering,” TSYS said.
Steady goes debit and credit
Consumer payment preferences in 2013 remain relatively unchanged from previous years, according to TSYS. Debit still trumps credit as the preferred payment instrument overall, with both methods being favored by eight of every 10 survey respondents. Debit is still the clear winner when it comes to supermarket shopping and gas purchasing, while credit is preferred when dining out and shopping in department stores. But when it comes to fast food cravings, cash is still king.
On the opposite end of the spectrum, and also consistent with TSYS’ 2012 report, only 11 percent of respondents said being able to set up text message alerts for account balances and transactions was most valuable, and a mere 6 percent valued the ability to register payment cards in mobile wallets.
However, credit tops debit for online purchases, TSYS said. Further of note is that PayPal Inc.’s digital wallet service rivals debit online, with both payment methods favored by roughly one-fifth of respondents. But for small-dollar purchases, like coffee and donuts, cash remains the preferred payment vehicle, despite innovative mobile schemes offered by companies like Starbucks and Dunkin’ Donuts.
October 18th, 2013 by Elma Jane
All Alerts, All The Time
Will mobile payment apps hail the arrival of mobile interruptions that never let up? Consumers worry that adopting a mobile wallet app will open them up to a barrage of alerts, sounding the alarm every time the local supermarket has toilet paper for half-off. The services can even track your purchases, opening the floodgates for targeted ads. Frequent alerts could be a deal breaker.
Battery Woes
As smartphones get bigger, badder and more powerful, battery technology is struggling to keep up. That’s a problem if you want to make a call — but it could be an emergency if your smartphone is your wallet, too. Users are already scrambling to find a charging outlet by lunchtime. Soon, failure to recharge might mean you lack the funds to buy lunch in the first place. Meanwhile, credit cards never need a battery boost, and paper money has worked faithfully since well before the invention of the light bulb.
Do I Have The Right Phone?
You’re ready to make a mobile payment — but is your smartphone? Only the most popular new Android and Windows smartphones have NFC support to enable tap-to-pay services, and Apple has decided to forgo NFC altogether with its iPhone handsets. Users of budget smartphones are likewise out of luck. And though smartphones may seem ubiquitous, only a little more than half of U.S. adults have one.
Is It Secure?
Mobile payments open up a whole new frontier for fraudsters — or so cautious consumers worry. In fact, tap-to-pay technology is as secure as swiping a plastic bank card, and cloud services like PayPal Here support two-factor authentication for extra reassurance. Still, consumers worry their personal information could be intercepted during a transaction, and not everyone is convinced that Google can provide the same level of protection as their bank. But hope remains. The survey found about half of the most security-conscious respondents were much more likely to be interested in mobile payment options if they could be promised 100 percent fraud protection.
Limits, Limits, Limits
Even with a glut of mobile payment options, most lack at least one critical feature. Google’s Wallet app lets you stow your payment information in your phone to buy items in brick-and-mortar shops, but its touch-to-pay functionality is limited to Android devices on Sprint and other smaller carriers. Last year, Apple introduced Passbook, a mobile wallet app that lets users store gift card credits, loyalty card information and more on their iPhones — but only a handful of participating businesses support the app. The mobile payment model isn’t just fragmented — it’s fundamentally limited by countless companies competing for an ever-smaller piece of the pie.
Mobile What?
A recent CMB Consumer Pulse survey showed about half of smartphone users have never even heard of mobile payments. And of the 50 percent who have, a meager 8 percent said they’re familiar with the technology. Banks, credit card companies and others hoping to cash in on consumer interest will have to invest in better messaging first.
What Are The Perks?
Credit cards come with alluring perks — signing bonuses, cash back and travel accommodations, to name a few. But mobile payment systems have serious benefits. They can utilize GPS technology to direct you to deals, keep tabs on your bank account to alert you when you’re near your spending limit, and store unlimited receipts straight to the cloud. Businesses profit from mobile wallets, too, which often charge lower fees than credit card companies and encourage return trips by storing digital copies of loyalty cards.
What’s In It For Me?
To convince consumers to abandon trusted payment options for something new, companies must strike an undeniable value proposition. In the late ‘90s, electronic retail giants like Amazon compelled consumers to enter their 16-digit credit card numbers into online portals, opening up a whole new world of convenience with online shopping. But today’s consumers aren’t convinced that mobile wallets are any more convenient than their physical counterparts. Credit and debit cards already offer a speedy, reliable way to pay on the go. And since they’re accepted virtually everywhere, customers can fork over a card without worry or confusion. Convincing people that new technology is worth their time and effort might ultimately be the toughest nut to crack for mobile payment purveyors.
Where’s The Support?
Even the most enthusiastic adopters are out of luck if their favorite shops lack the infrastructure to process mobile payments. Big-box retailers sprang up in the infancy of computer technology, so joining the mobile payment revolution could necessitate updates to checkout hardware and software. Mobile payments could be a boon to businesses, but installing the upgrades could be expensive and disruptive — especially when consumer interest remains low.
Which to Pick?
Even curious consumers are confounded by the array of mobile payment options available. Google, Visa, MasterCard and even mobile carriers like Sprint and Verizon are among the heavy hitters on the mobile payment scene, each offering a discrete service with different apps — and different rules. Some rely on Near Field Communication (NFC) technology that lets users simply tap their smartphone against a special reader to pay, while others offer up scannable QR codes. Mobile payments may never take off until one company rises above the rest with a single killer service.
Forget about cash or credit. In 2013, consumers can simply swipe or scan their smartphones at the checkout to pay. A huge array of mobile payment services have sprung up in recent years, urging customers to abandon their plastic credit cards for the “mobile wallet” revolution, but so far, adoption of mobile payment technology has been dismal.