Jul
07
2015
July 7th, 2015 by Elma Jane

Cashless society is about to happen, hard to believe for some. We are all unable to decide on the edge of a new, cashless world where mobile payments reign supreme. If so, is this a bad thing? For some people yes, because for them change can be scary.

Every revolution needs a good crisis in order to grow its seed. The cashless revolution is the same. Current global financial conditions serves as the potential crisis, and truly the cashless revolution is upon us. Society is on the brink of great economic change, which will likely usher in a new era of worldwide, electronic currencies. The cashless society is coming.

Advances in mobile payment options as evidence of this impending cashless society, consider the practical benefits of mobile payments for the consumer. The most obvious is convenience. Many people prefer to swipe their smartphone atop a scanner to carrying around a stack of cash. Electronic payments are traceable, which is useful for tracking one’s spending and can add a sense of security. Also, carrying around large stacks of cash isn’t always feasible or safe.

Mobile payments also offer interested individuals a way to incorporate social media into their purchases; they can check-in to a site and tell all their friends about an exciting new product they bought, or announce their presence at a new coffee shop, all with that same initial swipe of an NFC-enabled phone. Add to this the many practical benefits of mobile payments as far as business owners are concerned, and it’s easy to see why so the technology is becoming so widespread.

And yet for all the benefits of mobile payments and point of sale technology, the two don’t necessarily exclude cash.  Other company focuses on blending cash transactions with POS. This allows technologically savvy businesses to incorporate POS and mobile payment technology into their business, without excluding potential customers who prefer to use cash.

We aren’t necessarily evolving towards a cashless society, but towards a society with a plethora of payment options. POS technology is all about options. Want to pay with a swipe of your credit card? Swipe your credit card. Want to tap your NFC-enabled phone against a console. Tap and go. Want to pull a crisp twenty-dollar bill from your wallet and walk away from the counter with milk and eggs in your hand and a handful of coins jingling in your pocket? Go for it.

The question is: Will we ever become a truly cashless society? Maybe, maybe not, but as mobile payments become increasingly common, cash may very well fall into the retro category.

Posted in Best Practices for Merchants, Mobile Payments, Near Field Communication, Point of Sale Tagged with: , , , , , , ,

Jun
26
2015
June 26th, 2015 by Elma Jane

As you can tell from the name, Android Pay playbook is remarkably similar to Apple Pay. Android Pay will use an on-board Near Field Communication (NFC) chip and tokenization services from the major networks to deliver a token from the phone to an NFC-enabled point of sale. Just like Apple Pay. Android Pay is supported by more than 700,000 merchant locations and Android Pay will provide APIs for app developers to take in-app payments from the on-board wallet. Both Apple Pay and Android Pay have fingerprint scanners on phones, you can enable payments with just a fingerprint scan.

While details are barely sufficient, rumor has it Google won’t charge banks a fee as Apple does on the transactions and that’s the difference. Additionally, technical differences in the operating systems underlying the payment system exist, but they won’t affect how every day users experience the system. Android Pay will suffer a slower upgrade path than Apple Pay, due to the lack of hardware support for the newer operating system (it can take Android twice as long to get users upgraded).

There is no war between Apple and google. NFC won the war! We are seeing all of the armies gather together under its flag. As consumers, we love to see better products. When it comes to payments, we need standards and reliability.

With the alignment of the two operating system platforms on NFC, on user experiences like fingerprint unlocking and on both in-app and retail payments, consumers, retailers, and app developers can build an ecosystem we can all understand. Credit cards work great because they are ubiquitous. Everyone can use them everywhere, and every retailer has incentives to be a part of the system.

An NFC-based mobile payments experience will have this same effect. Over the next five years more and more retailers will add NFC-capable terminals. More phones will be fully capable of NFC payments with fingerprint sensors. More consumers will carry those phones.

So if it’s not a war, are there any losers? Companies focused on plastic cards, but not NFC. Transitory technologies like Samsung Pay’s MST (magnetic secure transmission) also have a strong transition period as they enable payments at non-NFC enabled terminals. MST (magnetic secure transmission) is a strong player because the user experience is very similar (hold a phone to a reader), even if the technical method is not the same.

 

Posted in Best Practices for Merchants, Near Field Communication Tagged with: , , , , , , , , , , , , ,

May
07
2015
May 7th, 2015 by Admin

Biometrics Market To Reach $14.9 Billion by 2024

The Biometrics market currently sits at $2 billion, by 2024, it will reach $14.9 billion, with a cumulative total revenue of $67.8 billion. This is being driven by new advancements in Biometrics Hardware and Software that are not only transforming payments, but also serving as frictionless alternatives to security in a myriad of use cases.

For consumer facing security, Biometrics can be deployed at a low price-point for high-volume authentication. Think an iris scan or finger swipe for quickly unlocking a mobile device like an iPhone 6 or Samsung Galaxy S6.

The forecast goes over use cases that spans from Point-of-Sale transactions, to voter identification, making the case for Biometrics embedding itself into a vast number of aspects in everyday life.

Posted in Best Practices for Merchants, Mobile Payments, Mobile Point of Sale, Point of Sale, Smartphone Tagged with: , , , , , , , , ,

Apr
21
2015
April 21st, 2015 by Elma Jane

An advanced strain of malware called “Punkey,” is capable of attacking Windows point of sale terminals, stealing cardholder data and upgrading itself while hiding in plain sight.

Researchers from Security vendor Trustwave discovered the new strain. The investigation found compromised payment card information and more than 75 infected, and active, Internet Protocol addresses for Windows POS terminals.

 

 

Punkey poses a unique threat to payment networks, particularly because it also can download updates for itself.

If the malware author has a new feature it wants to add or updates to get rid of bugs, it actually pushes the malware down from the command and control server, revealed by Trustwave’s SpiderLabs research center. Punkey operates like a typical Botnet.

The malware hides inside of the Explorer process, which exists on every Windows device and manages the opening of individual program windows. Punkey scans other processes on the terminal to find cardholder data, which it sends to the control server.

The malware performs key logging, capturing 200 keystrokes at a time. It sends the information back to its server to store passwords and other private information.

A year ago, security vendors warned retailers against using Windows XP at the point of sale, since Microsoft stopped supporting Windows XP security patches. However, even Punkey is not attacking Windows due to any vulnerability in the systems, so even merchants with newer versions of Windows are at risk.

Punkey just runs like any Windows binary would. Even if the system is upgraded or a new system is put in place, criminals are still getting malware on the POS in other ways.

Many retailers use remote desktop support software, which fraudsters take advantage of, they steal a password and install malware like a technician would install any software.

While Punkey represents a more sophisticated POS malware than Trustwave has seen previously, merchants can still protect themselves through attention to basic security best practices.

Merchants should update antivirus and firewall protections, monitor the remote access software, establish two-factor authentication and check network activity daily for anything out of the ordinary. Unfortunately, many organizations have neither the expertise nor the manpower to perform these tasks.

 

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Reader Terminal, Credit Card Security, Mobile Point of Sale, Payment Card Industry PCI Security, Point of Sale Tagged with: , , , , , , , , , , ,

Apr
20
2015
April 20th, 2015 by Elma Jane

With each year comes a new set of security risks businesses need to be aware of. The threats that have seen the most growth over the last year include point-of sale (POS) malware, malware traffic within secure and encrypted HTTPS websites and attacks on computer systems designed to control remote equipment.

Everyone knows the threats are real and the consequences are dire, so we can no longer blame lack of awareness for the attacks that succeed. Hacks and attacks continue to occur, not because companies aren’t taking security measures, but because they aren’t taking the right ones.

The large number of highly publicized POS breaches last year has heighted the need to make sure that businesses that use these devices are properly protecting them.

Malware targeting point-of-sale systems is evolving drastically, and new trends like memory scraping and the use of encryption to avoid detection from firewalls are on the rise. To guard against the rising tide of breaches, retailers should implement more stringent training and firewall policies, as well as reexamine their data policies with partners and suppliers.

For many years, businesses thought using a secure HTTPS Web connection protected them from a security breach. That no longer appears to be the case. While the increased number of businesses moving to a more secure Web protocol is a positive trend, hackers have identified ways to exploit HTTPS as a means to hide malicious code. Since the malware transmitted over HTTPS is encrypted, traditional firewalls fail to detect it.

Just as encryption can protect sensitive financial or personal information on the Web, it unfortunately can also be used by hackers to protect malware. One way organizations mitigate this risk is through SSL-based Web-browser restrictions, with exceptions for commonly used business applications to avoid slowing company productivity.

Several identified trends and predictions for the coming year, including the following:

Android will remain a main target for hackers. More sophisticated techniques will be developed to hinder Android malware researchers and users by making the malware hard to identify and research.

As wearable technology becomes more prevalent, expect to see malware start to target these devices.

Digital currencies, including Bitcoin, will continue to be targeted.

More organizations will enforce security policies that include two-factor authentication, which will likely increase the number of attacks on these technologies.

 

Posted in Best Practices for Merchants, Credit Card Security, Mobile Point of Sale, Payment Card Industry PCI Security, Point of Sale Tagged with: , , , , , , ,

Apr
13
2015
April 13th, 2015 by Elma Jane

With only six months to go before the EMV chip-card liability shift takes effect, many U.S. merchants are not yet aware of the EMV migration.

When the Oct. 1 liability shift takes hold, merchants not accepting the new chip-card technology will become liable for any losses resulting from payment card fraud at the point of sale. Some merchants have stated that they would rather trust their existing security measures than pay for the upgrade to EMV, but others still need to educate themselves on the benefits and drawbacks of EMV – and it’s not even clear how many are out of the loop.

The challenge is that no one really knows about the level of EMV readiness because there is no single, common way to reach all of the merchants of all different levels and sizes at the same time.

Instead, various organizations are picking bits and pieces of the market they can reach and do everything they can to inform and help merchants to determine if they are moving toward chip-based technology or not.

EMV cards improve security at the point of sale by including technology that makes them resistant to counterfeiting. They can also be used with a PIN to address stolen card fraud. Though the card networks set an October deadline for conversion to EMV technology, it is not a mandate; companies will still be able to handle credit card transactions even if they do not have EMV technology in place.

And even the merchants that have the right technology installed may not be using it properly. During the EMV preparedness process, it has become apparent that installed EMV terminals had not been turned on or otherwise were not fully capable of accepting EMV transactions.

The confusion extends to the banks as well. Not all issuers will be ready for EMV, and some have outright stated that they do not think it will be possible to meet this year’s deadline.

In a move designed to get more small-business merchants on board with EMV, Visa Inc. introduced a 20-city small business chip education tour last month.

The real measurement of the implementation will be in transaction volumes, or actual chip-on-chip transactions.

Even though the liability shift is just six months away, still really early to make a determination on all of this.

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Point of Sale, Visa MasterCard American Express Tagged with: , , , , , , , , , ,

Jan
21
2015
January 21st, 2015 by Elma Jane

With a crucial deadline, the payments industry is starting to look at just what kind of fraud liability and how much fraud merchant acquirers will have to assume if their merchants aren’t ready to accept Europay-MasterCard-Visa (EMV) chip cards by October.

While issuers currently absorb losses under card-network rules, that burden will shift to acquirers this fall in cases where the fraud occurs at merchants unprepared for EMV.

As a result, acquirers will have to reckon with a whole new category of risk exposure.

In card-not-present transactions, acquirers have faced this, but in the overwhelming majority of cases they’ll be confronting it for the first time.

Surprisingly, for all the talk in the industry about the imminent arrival of EMV, it appears few acquiring executives have fully accounted for what the shift really means for them.

Some 24% of U.S. point-of-sale terminals are “EMV-capable,” while 9% of debit/prepaid cards issued, and 2% of credit cards have EMV chips so far. But while terminals may be technically capable, it isn’t known just how many of these merchants have the software and trained personnel to accept EMV.

Foreign issuers, especially, may be licking their chops at the prospect of offloading their consumer-fraud risk onto U.S. acquirers. For years and years, these non-U.S. issuers have invested in EMV, but the U.S. is still using the mag stripe. So non-U.S. issuers appear to be very aware of the liability shift.

To be sure, acquirers’ increased risk exposure may be relatively short-lived. Under the network rules, liability rests with the issuer in cases where both the merchant and the issuer are EMV-compliant. That could be nearly universally the case within a few years. By 2018, nearly all cards and terminals will be compliant.

But that still leaves open the question of how many of these terminals will really be running chip card transactions.

The issue isn’t so much about terminals as about software. Many mid-size merchants are using so-called integrated solutions that run payments as part of a larger business-management system. That means acquirers must work with a number of other parties to reconfigure software, and that presents a challenge when it comes to getting masses of merchants EMV-compliant.

The bigger problem is the integrated point-of-sale market.

While the liability shift may impact acquirers, not all them are convinced their exposure will rise all that much. Some argue the risk of loss from lost/stolen/counterfeit cards at the point of sale is low and not likely to rise, especially for small-ticket merchants.

Fraudsters, are much more inclined to practice their trade online, where the risk of being caught is lower, compared to face-to-face transactions.

 

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Reader Terminal, Credit Card Security, EMV EuroPay MasterCard Visa, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , ,

Oct
30
2014
October 30th, 2014 by Elma Jane

A partial authorization request enables an issuer to approve an amount that is lower than the total transaction amount in cases when the available card balance is not sufficient to cover the full transaction amount. It can also approve a $1500 authorization for a $15.00, and if the merchant does not look closely and pay attention to the details they may lose a lot.

Partial authorizations are used for prepaid and check / debit cards and are now supported by both Associations, as well as their issuers and payment processing companies. They make it possible for merchants to complete a transaction by using the remaining available balance on the prepaid or check card and accepting an additional payment form (e.g. cash, check or another bank card) for the remaining balance. This type of transaction is known as split tender.

Partial authorizations provide you with a way to eliminate decline authorizations due to insufficient funds. You should take advantage of this opportunity and understand how to process them.  There are reasons for authorization declines where there is nothing a merchant can do.

Partial Authorization Process

Customer swipes a card with available balance that is lower than the sale’s amount.

Merchant submits an authorization request with a Partial Authorization indicator to the issuer for the entire sale’s amount.

Issuer sends a partial authorization approval back to the merchant.

POS terminal subtracts the partially approved amount from total sale’s amount.

The customer makes a payment for the remaining balance using cash, check or another card.

The sale is now completed and a receipt is printed displaying the split tender amounts.
If the prepaid card used in a split tender transaction is a gift or an incentive card, the remaining balance is automatically sent to the point-of-sale (POS) terminal where it can be displayed to the merchant and printed on the sales receipt.

 

Posted in Best Practices for Merchants Tagged with: , , , , , , , , , , , ,

Sep
24
2014
September 24th, 2014 by Elma Jane

The CVV Number (Card Verification Value) on your credit card or debit card is a 3 digit number on VISA, MasterCard and Discover branded credit and debit cards. On your American Express branded credit or debit card it is a 4 digit numeric code.

The codes have different names:

American Express – CID or unique card code.

Debit Card – CSC or card security code.

Discover  – card identification number (CID)

Master Card – card validation code (CVC2)

Visa  – card verification value (CVV2) 

CVV numbers are NOT your card’s secret PIN (Personal Identification Number).

You should never enter your PIN number when asked to provide your CVV. (PIN numbers allow you to use your credit or debit card at an ATM or when making an in-person purchase with your debit card or a cash advance with any credit card.)

Types of security codes:

CVC1 or CVV1, is encoded on track-2 of the magnetic stripe  of the card and used for card present transactions. The purpose of the code is to verify that a payment card is actually in the hand of the merchant. This code is automatically retrieved when the magnetic stripe of a card is swiped on a point-of-sale (card present) device and is verified by the issuer. A limitation is that if the entire card has been duplicated and the magnetic stripe copied, then the code is still valid.

The most cited, is CVV2 or CVC2. This code is often sought by merchants for card not present transactions occurring by mail or fax or over the telephone or Internet. In some countries in Western Europe, card issuers require a merchant to obtain the code when the cardholder is not present in person.

Contactless card and chip cards may supply their own codes generated electronically, such as iCVV or Dynamic CVV.

Code Location:

The card security code is typically the last three or four digits printed, not embossed like the card number, on the signature strip on the back of the card. On American Express cards, the card security code is the four digits printed (not embossed) on the front towards the right. The card security code is not encoded on the magnetic stripe but is printed flat.

American Express cards have a four-digit code printed on the front side of the card above the number.

MasterCard, Visa, Diners Club,  Discover, and JCB credit and debit cards have a three-digit card security code. The code is the final group of numbers printed on the back signature panel of the card.

New North American MasterCard and Visa cards feature the code in a separate panel to the right of the signature strip. This has been done to prevent overwriting of the numbers by signing the card.

Benefits when it comes to security:

As a security measure, merchants who require the CVV2 for card not present payment card transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized and completed. This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. Virtual Terminals and payment gateways do not store the CVV2 code, therefore employees and customer service representatives with access to these web-based payment interfaces who otherwise have access to complete card numbers, expiration dates, and other information still lack the CVV2 code.

The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other sensitive authorization data) post transaction authorization. This applies globally to anyone who stores, processes or transmits card holder data. Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America require the code. For American Express cards, this has been an invariable practice (for card not present transactions) in European Union (EU) states like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a fraudulent merchant or employee cannot simply capture the magnetic stripe details of a card and use them later for card not present  purchases over the phone, mail order or Internet. To do this, a merchant or its employee would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder’s suspicion.

Supplying the CSC code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.

 

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Point of Sale, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Sep
23
2014
September 23rd, 2014 by Elma Jane

Home Depot, US retail chain says that 56 million payment cards are at risk following a malware-laden cyber-attack on eftpos tills across its stores in the US and Canada.

The investigation into a possible breach began on September 2nd,Tuesday morning, immediately after Home Depot received reports from its banking partners and law enforcement that criminals may have breached its systems.

According to Home Depot’s security partners, the malware had not been seen previously in other attacks.
Criminals used unique, custom-built malware to evade detection. The cyber-attack is estimated to have put payment card information at risk for approximately 56 million unique payment cards, after lurking in the company’s eftpos tills for four months between April and September.

While the breach has been seen as a further proof-point in the US push to adopt Chip and PIN at the point-of-sale, the fact that the outbreak also hit the home improvement chain’s Canadian stores, where the EMV standard has been implemented, leaves pause for thought. Nonetheless, the retailer has committed to installing 85,000 PIN pads at its US outlets, well ahead of the national 2015 deadline.

Home Depot has set aside $65 million to cover the cost to investigate the data breach, provide credit monitoring services to its customers, increase call center staffing, and pay legal and professional services. Approximately $27 million of the projected outlay will be covered by the company’s insurance.

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Point of Sale Tagged with: , , , , , , , , , , , , , , , , , , ,

← Previous Article
Next Articles »