EMV
November 30th, 2015 by Elma Jane

Cybercriminals will continue to look for opportunities to steal payment information. Despite the superior security features associated with EMV technology, chip cards may still be vulnerable to certain types of fraud.

An EMV chip does not stop lost or stolen cards from being used in card-not-present transactions. Merchants who deal in card-not-present transactions like sales over the telephone or via the Internet are encouraged to adopt additional security measures to ensure the authenticity of cards used for transactions. The strength of the U.S. e-commerce market makes card-not-present fraud an equally important security issue that card issuers and merchants need to consider in the shift to chip cards for point-of-sale transactions.

Retailers and service providers who deal in card-present transactions are reminded that upgrading to an EMV terminal at the POS is the best way to protect their customers and their business from fraudulent transactions.

EMV cards are available as either chip-and-PIN (requiring the cardholder to enter their personal identification number to complete a transaction) or chip-and-signature (requiring the cardholder’s signature). U.S. banks have primarily chosen to issue chip-and-signature cards for now.

While 59 percent of US adults have already received a new chip card, only 41 percent of them know its benefits and only 37 percent say their card issuers explained how to use the chip cards.

Posted in Best Practices for Merchants, e-commerce & m-commerce, EMV EuroPay MasterCard Visa, Point of Sale

Convention
November 6th, 2015 by Elma Jane

Money 20/20 was billed as the largest convention in payments history, held in Las Vegas during the last week of October 2015.

The show delivered well-organized, incisive content on topics such as Europay, MasterCard and Visa (EMV) migration, mobile payments, security and omnichannel commerce.

20/20 Highlights

  • Alternative lending and credit.
  • Bill Payments, Financial Services: Newly released market research provides insights into the future of household bill payments, millennials, and financial services.
  • Connected Commerce and the Mobile Enterprise: The Internet of Things is changing the way that consumers interact with their environments. Analysts predict up to 30 billion interactive devices will be connected to the Internet by 2020, noting that many of these devices will be payment-enabled.
  • Marketing and Customer Experience: Most marketers agree that the era of demographic profiles and pull marketing is over. Retailers, card brands and information technology professionals looked at the customer experience in the digital world. They explored new marketing practices, trends in e-commerce and mobile commerce, and big data findings in other industries that may be useful to financial service companies.
  • Mobile Banking: Banks are undergoing an incremental transformation as they learn to compete with nonbank lenders, balance cash management with digital currencies, and shift from local branches to online and mobile forms of banking.
  • Mobile Payments: Payments analysts reviewed Apple Pay a year after its launch and a range of other mobile wallet offerings, and they speculated on how third-party wallets will impact bank apps.
  • Payment Card Evolution: Payment card issuers, processors and network service providers analyzed the changing look, feel and role of payment cards in the greater ecosystem. Discussions ranged from card linking to the coolness factor of gift cards to how e-cards are expanding market opportunities.
  • POS, Processing and Open Platforms: Executive roundtables with leading acquirers explored front-end and back-end technology and omnichannel commerce for small and midsize businesses.
  • Regulatory Landscape: Increased federal and state oversight has had a significant impact on the financial services sector.
  • Security: Security analysts made in-depth presentations on tokenization, end-to-end encryption, and secure methods of authentication designed to protect consumers, merchants and industry stakeholders from cybercriminals. Many agreed that EMV implementation in the United States will drive fraudsters to the card-not-present space. They discussed how EMV adoption has changed fraud patterns in other regions and offered examples of best practices geared toward identifying and preventing electronic payment fraud.

More than 10,000 attendees and 3,000 exhibitors from 75 countries attended Money20/20. Financial services professionals met at what show organizers described as the intersection of mobile, retail, marketing services, data and technology.

The years to come will be a turning point in the payments sector, and with the recent shift to EMV, the entire conference confirmed that all the players are more interested than ever in finding innovative solutions for combating online fraud.

Posted in Best Practices for Merchants

March 10th, 2015 by Elma Jane

If you can’t accept credit cards for your business, you are losing out on potential revenue. Most people don’t carry more than $20 in cash with them at a time, and people who use credit cards tend to spend more than their cash-carrying counterparts.

These days you can turn your smartphone or tablet into a credit card reader, but which service should you choose? What do you need to consider when deciding?

NTC is here to help you understand all the intricacies of taking credit card payments with your smartphone or tablet.

Credit card readers, or wedges, are useful in a variety of industries and for businesses of all sizes: an arts and crafts business accepting credit card payments at conventions and other events; a pub that gives its servers credit card readers rather than making customers pay for everything at the bar; a delivery service whose POS system has a mobile integration, so the driver can swipe the card on the spot rather than taking the card number over the phone when the order is placed.

If you work in one of these fields it might be time to think about getting a wedge:

Arts and crafts vendors: Do you sell your wares at conventions, art shows, and other big events? You could be a book reseller, an artist, a jewelry maker, a clothing retailer, or even a makeup seller.

Food Service: Food trucks were among the earliest adopters of mobile card readers, but there is no shortage of restaurants that are using them now. Some companies offer POS systems in addition to their mobile card readers, which is perfect for delivery services.

Service providers: If you don’t have a brick-and-mortar office or base of operation where customers visit you, or if you conduct your business in your customers’ homes (carpet cleaners, plumbers, lawn care, mobile dog groomers, exterminators, etc.), a credit card reader/wedge gives you flexibility, credibility and added security.

Understanding the Costs of Accepting Credit Card Payments

In the traditional business model, to accept credit card payments you would have to set up a merchant account. A merchant account typically entails a detailed look at your credit history and business.

Credit card companies assess a small fee to merchants for processing payments. With merchant accounts and card readers, the cost is built in and deducted automatically, so you don’t have to worry about paying it yourself. With a merchant account, you typically get lower rates because of the decreased risk.

It’s not just the standard fees that you need to worry about when you want to accept credit card payments. There are costs hidden everywhere, so let’s address some of these issues:

Internet Availability

Typically, smartphone and tablet card readers need some sort of Internet connectivity, via a cellular signal or Wi-Fi. Most smartphones these days are capable of becoming Wi-Fi hotspots, so you can create your own Wi-Fi. However, this option relies on your phone’s data plan. The more transactions you make, the more data you use.

Compatibility

You also need to make sure that your devices are compatible with the card reader. Check the list of compatible devices before you commit to one service over another.

Also note that you’re usually going to have to enable location services on your phone.

Card Compatibility, Manual Entry Fees, Location

Some card readers seem to work best with a specific device. You’re typically going to pay more for manually entering credit card numbers because of the greater risk – the card doesn’t have to be physically present to complete the transaction.

Likewise, you’re usually going to pay more for accepting international cards, and you’re not always going to be able to accept payments outside the U.S.

Taxes and Tips

Several mobile credit card readers will let you add sales tax to the base purchase without requiring you to calculate it, which is handy if you’re not fond of math or just want the transaction to go more quickly.

As an alternative, you can build the sales tax into the listed prices, which some of your customers might appreciate.

Finally, depending on your industry, you may want to check that the credit card reader you use allows your customers to add a tip.

Time to Get Your Money

The final cost to consider for credit card readers is more of a convenience fee than anything — it’s the time before you can access your money.

If you’re in a high-risk industry or have a high volume of business, you are probably better off obtaining a merchant account and using one of their mobile solutions.

You’re also going to want to worry about refunds and chargebacks. If, for whatever reason, a consumer complains to his or her credit card company and there’s a chargeback.

Features to Look For in Your Credit Card Reader

Features-wise, you can at least expect the basics to remain consistent across smartphone credit card readers: you can swipe cards, manually key them in, and issue receipts. It’s the little things that will ultimately set one service provider apart from the rest. Some of the things you may want to look out for include:

Record-Keeping for Cash and Checks

Sure, you can manage your cash intake the old-fashioned way and let your bank deal with checks. But some credit card reader services (which don’t actually require you to swipe cards, but more on that later) will let you create digital receipts for cash and check transactions as well.

POS Integration

Depending on your needs, you might want to look for a service that has easy POS integration.

E-Commerce Integration

Likewise, look for easy integration with an online store, if you have one. Easy integration is ideal for centralizing your accounts.

Accounting Integration & More

Do you use an accounting service? If so, you might prefer the ability to transfer your data directly from your card swiping service to your accounting software.

Invoicing

If you do custom orders, offer services, or provide goods to a business, you’re all too familiar with invoices. With some services, you can generate invoices through them and send them to clients via email. The biggest advantage to this is simply that you get your money quicker because there’s no need to cut a check and send it through snail mail.

Voids and Refunds

It’s unfortunate, but you do need to make accommodations to process refunds and void transactions. Sometimes your finger slips on a key and you don’t notice until afterward, and sometimes the customer just changes their mind. Make sure that you understand how to use these features in whichever service you choose.

Card Reader Design

Needless to say, there is more than a bit of awkwardness in trying to balance a phone with a 5.1-inch screen in your hand while also stabilizing the card reader while swiping the card, especially when you’re working with limited table space. It’s worth looking at the card reader and the device it’s attached to and making sure that the design works for you.

Permissions for Multiple Users

Do you have several employees? The ability to give permissions to multiple users comes in handy here. With it, you can enable employees (or your friends) to accept payments without giving them full access to your account. This is great if you happen to have multiple booths at events, or if you send multiple employees out on location and each one needs to be able to accept payments.

Accepting credit card payments doesn’t have to be a terrifying prospect, even if you’re running just a small-time business. You can get a mobile credit card reader for free in many cases, and while you won’t pay the lower fees associated with traditional merchant accounts, the costs are still readily manageable. What you need to consider are the hidden costs — not necessarily in the service providers, but the ones that come from using a data connection, or requiring Wi-Fi. How soon you get your money should also be a top priority.

Posted in Best Practices for Merchants, Credit Card Reader Terminal, Mobile Payments, Mobile Point of Sale, Smartphone, smartSD Cards

October 8th, 2014 by Elma Jane

When the PCI Security Standards Council (PCI SSC) launched PCI DSS v3.0 in January 2014, businesses were given one year to implement the updated global standard. Now that the deadline is fast approaching, interest is picking up in what v3.0 entails. On Jan. 1, 2015, version 3.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) will reach year one of its three-year lifecycle.

Trustwave, a global data security firm, is on the frontlines of helping secure the networks of merchants and other businesses on the electronic payments value chain against data breaches. As an approved scanning vendor, Trustwave is used by businesses to achieve and validate PCI DSS compliance.

PCI DSS v3.0 is business as usual for the most part, except for a few changes from v2.0 that Trustwave considers impactful for large swaths of merchants. The top three changes involve e-commerce businesses that redirect consumers to third-party payment providers, the expansion of penetration testing requirements, and the data security responsibilities of third-party service providers.

Penetration testing

Penetration testing is the way in which merchants can assess the security of their networks by pretending to be hackers and probing networks for weaknesses. V3.0 of the PCI DSS mandates that merchants follow a formal methodology in conducting penetration tests, and that the methodology goes well beyond what merchants can accomplish using off-the-shelf penetration testing software solutions.

Merchants that are self-assessing and using such software are going to be surprised by the rigorous new methodology they are now expected to follow.

Additionally, the penetration testing requirements in v3.0 raise the compliance bar for small merchants who self-assess. Previously, those merchants could lower the scope of their compliance responsibilities by segmenting their networks, which essentially walls off data-sensitive areas of networks from the larger network. In this way merchants could reduce their compliance burdens and not have to undergo penetration testing.

Not so in v3.0. If you do something to try to reduce the scope of the PCI DSS to your systems, you now need to perform a penetration test to prove that those boundaries are in fact rigid.

Redirecting merchants

The new redirect mandate affects some, but not all, e-commerce merchants that redirect customers to a third party to collect payment details, typically when the customer is ready to pay for an online purchase. If a customer visits a website and adds something to the shopping cart, then when it comes time to enter a credit card number, the redirect sends the customer off to that third party.

The redirect can come in several forms. It can be a direct link from the e-commerce merchant’s website to another website, such as in a PayPal Inc. scenario, or it can be done more silently.

An example of the silent method is the use of an iframe, an HTML element used to display one website within another website. Space on the merchant’s page is used by the third party in such a way that consumers don’t even know that the payment details they input are being collected and processed not by the e-commerce site, but by the third party.

Another redirect strategy is accomplished via pop-up windows for the collection of payments in such environments as online or mobile games. In-game pop-up windows are typically used to get gamers to pay a little money to purchase an enhancement to their gaming avatars or advance to the next level of game activity.

For merchants that employ these types of redirect strategies, PCI DSS v3.0 makes compliance much more complicated. In v2.0, such merchants that opted to take Self Assessment Questionnaires (SAQs), in lieu of undergoing on-site data security assessments, had to fill out the shortest of the eight SAQs. But in v3.0, such redirect merchants have to take the second longest SAQ, which entails over 100 security controls.

The PCI SSC made this change because of the steady uptick in the number and severity of e-commerce breaches, with hackers zeroing in on exploiting weaknesses in redirect strategies to steal cardholder data. Also, redirecting merchants may be putting themselves into greater data breach jeopardy when they believe that third-party payment providers on the receiving end of redirects are reducing merchants’ compliance responsibilities, when that may not, in fact, be the case.

Service providers

A service provider is any entity that stores, processes or transmits payment card data. Examples include gateways, web hosting companies, back-up facilities and call centers. The update to the standard directs service providers to clearly articulate in writing which PCI requirements they are addressing and which areas of the PCI DSS are the responsibility of merchants.

A web hosting company may tell a merchant that the hosting company is PCI compliant, and the merchant then thinks they have nothing left to do. The reality is that there is always something a merchant still needs to do; they just didn’t always recognize what that was.

In v3.0, service providers, specifically value-added resellers (VARs), also need to assign unique passwords, as well as employ two-factor authentication, to each of their merchants in order to remotely access the networks of those merchants. VARs often employ weak passwords or use one password to access multiple networks, which makes it easier for fraudsters to breach multiple systems.

The PCI SSC is trying to at least make it more difficult for the bad guys to break into one site and then move to the hub, so to speak, and then go to all the other different spokes with the same attack.

Overall, v3.0 is more granular by more accurately matching appropriate security controls to specific types of merchants, even though the approach may add complexity to merchants’ compliance obligations. On the whole a lot of these changes are very positive.

Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security

September 5th, 2014 by Elma Jane

Businesses are rapidly adopting a third-party operations model that can put payment data at risk. Today, the PCI Security Standards Council, an open global forum for the development of payment card security standards, published guidance to help organizations and their business partners reduce this risk by better understanding their respective roles in securing card data. Developed by a PCI Special Interest Group (SIG) including merchants, banks and third-party service providers, the information supplement provides recommendations for meeting PCI Data Security Standard (PCI DSS) requirement 12.8 to ensure payment data and systems entrusted to third parties are maintained in a secure and compliant manner.

Breach reports continue to highlight security vulnerabilities introduced by third parties as a leading cause of data compromise. The leading mistake organizations make when entrusting sensitive and confidential consumer information to third-party vendors is not applying the same level of rigor to information security in vendor networks as they do in their own. Per PCI DSS Requirement 12.8, if a merchant or entity shares cardholder data with a third-party service provider, certain requirements apply to ensure that continued protection of this data will be enforced by such providers. The Third-Party Security Assurance Information Supplement focuses on helping organizations and their business partners achieve this by implementing a robust third-party assurance program.

Produced with the expertise and real-world experience of more than 160 organizations involved in the Special Interest Group, the guidance includes practical recommendations on how to:

  • Conduct due diligence and risk assessment when engaging third-party service providers to help organizations understand the services provided and how PCI DSS requirements will be met for those services.
  • Develop appropriate agreements, policies and procedures with third-party service providers that include considerations for the most common issues that arise in this type of relationship.
  • Implement a consistent process for engaging third parties that includes setting expectations, establishing a communication plan, and mapping third-party services and responsibilities to applicable PCI DSS requirements.
  • Implement an ongoing process for maintaining and managing third-party relationships throughout the lifetime of the engagement, including the development of a robust monitoring program.

The guidance includes high-level suggestions and discussion points for clarifying how responsibilities for PCI DSS requirements may be shared between an entity and its third-party service provider, as well as a sample PCI DSS responsibility matrix that can assist in determining who will be responsible for each specific control area.

PCI Special Interest Groups are PCI community-selected and developed initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs. As part of its initial proposal, the group also made specific recommendations that were incorporated into PCI DSS requirements 12.8 and 12.9 in version 3.0 of the standard. One of the big focus areas in PCI DSS 3.0 is security as a shared responsibility. This guidance is an excellent companion document to the standard in helping merchants and their business partners work together to protect consumers’ valuable payment information.

Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security

August 19th, 2014 by Elma Jane

In response to the third-party threat, the PCI Security Standards Council has published a guide to help organizations and their business partners reduce risk by better understanding their respective roles in securing card data.

The Third-Party Security Assurance Information Supplement provides practical recommendations to help businesses and their partners protect data, including how to:

  • Conduct due diligence and risk assessment when engaging third-party service providers to help organizations understand the services provided and how PCI DSS requirements will be met for those services.
  • Develop appropriate agreements, policies and procedures with third-party service providers that include considerations for the most common issues that arise in this type of relationship.
  • Implement an ongoing process for maintaining and managing third-party relationships throughout the lifetime of the engagement, including the development of a robust monitoring program.
  • Implement a consistent process for engaging third parties that includes setting expectations, establishing a communication plan, and mapping third-party services and responsibilities to applicable PCI DSS requirements.

One of the big focus areas in PCI DSS 3.0 is security as a shared responsibility. This guidance is an excellent companion document to the standard in helping merchants and their business partners work together to protect consumers’ valuable payment information.

Posted in Best Practices for Merchants, Credit Card Security, Payment Card Industry PCI Security

June 19th, 2014 by Elma Jane

API Software Inc. has created an application ISOs can use to help merchants tabulate the best payment services deals. The Square Deal Pro app for the merchant services industry enables sales reps to compare their company’s rates to those of Square, PayPal, Stripe and other payments aggregators. Essentially, the application takes the mathematics burden off of the merchant and helps an ISO or agent compare bundled pricing with interchange-plus pricing.

Frank Haggar, a software developer, started asking merchants why they chose a certain provider, and they just said the pricing was simpler. It might be more expensive, but it was easier for them to understand. That moved him to develop Square Deal Pro. It’s software that salespeople can have right on their phones; it makes a comparison that is easy to understand. Square Deal Pro, which operates on iPhones, Android devices and Windows phones, was established as a vendor-neutral tool that is also available for merchants to download if they are inclined to crunch the numbers themselves. Service providers pay for the application and all of its sales features, but a free version for price comparisons only is available to merchants.

Merchants are experts in what they know how to do, and they may not want something that includes math distracting them from that, but the sales rep can do it for them and use it along the lines of a calculator helping someone figure out mortgage rates. ISOs have various tools at their disposal and lock in key information in their brains to prepare for sales presentations, but most will likely find Square Deal Pro a valuable addition. Something that takes complicated pricing schemes and factors them all into an easy interface that puts out a clear comparison is valuable, certainly out in the field.

API Software has to deliver something difficult or impossible to copy, because that would set the app permanently apart rather than merely leading to other similar products in the market. An ISO can change rates or make adjustments for a client if the numbers show that another provider is offering a less expensive option, but the numbers in the app don’t lie. The app will show how a bundled rate can work in your favor: if you are selling Girl Scout cookies at $3 a box, then use Square all day long. But an ISO can compare how his product works compared to others, and the app can show that, at a certain time, it might be beneficial to switch over.

Square Deal Pro takes into account factors other than interchange rates, including merchant volume, average ticket price and whether transactions are keyed or swiped or both. All of those things determine where you fit in on the diagram of how your rate should be structured. There is a lot of analysis packed into a few focal points. The application may also help defuse potential problems with merchants who sometimes feel their sales rep was not providing a fair assessment of the pricing structure or comparisons.
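A worked bundled-versus-interchange-plus comparison on the inputs named above (monthly volume, average ticket, keyed/swiped mix), as an added example that is not Square Deal Pro's code or API Software's pricing model; every rate, fee and plan name is a constructed placeholder, not any provider's real pricing.

```python
"""Bundled vs interchange-plus pricing comparison (constructed example).

This is an added illustration, not Square Deal Pro's code. Every rate,
fee and plan name below is a placeholder chosen for the arithmetic; none
is the pricing of a real provider.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MerchantProfile:
    monthly_volume: float   # dollars processed per month
    average_ticket: float   # dollars per transaction
    keyed_share: float      # fraction of transactions keyed in (0..1); the rest are swiped

    def split(self):
        """Return (swiped_count, keyed_count, swiped_volume, keyed_volume)."""
        total = round(self.monthly_volume / self.average_ticket)
        keyed = round(total * self.keyed_share)
        swiped = total - keyed
        return swiped, keyed, swiped * self.average_ticket, keyed * self.average_ticket


@dataclass(frozen=True)
class BundledPlan:
    """Aggregator-style pricing: one flat percentage per transaction type."""
    name: str
    swiped_pct: float       # 0.0275 means 2.75 % of the sale
    keyed_pct: float        # keyed (card-not-present) entries carry a higher rate
    keyed_fixed: float      # flat per-transaction fee on keyed entries
    monthly_fee: float = 0.0


@dataclass(frozen=True)
class InterchangePlusPlan:
    """ISO-style pricing: interchange passed through plus a disclosed markup."""
    name: str
    swiped_interchange_pct: float   # assumed blended interchange for swiped cards
    keyed_interchange_pct: float    # assumed blended interchange for keyed cards
    interchange_fixed: float        # per-transaction network/interchange fee
    markup_pct: float               # processor's percentage markup
    markup_fixed: float             # processor's per-transaction markup
    monthly_fee: float = 0.0


def bundled_cost(profile: MerchantProfile, plan: BundledPlan) -> float:
    """Monthly processing cost under a bundled plan."""
    _, keyed_n, swiped_vol, keyed_vol = profile.split()
    return (swiped_vol * plan.swiped_pct
            + keyed_vol * plan.keyed_pct
            + keyed_n * plan.keyed_fixed
            + plan.monthly_fee)


def interchange_plus_cost(profile: MerchantProfile, plan: InterchangePlusPlan) -> float:
    """Monthly processing cost under an interchange-plus plan."""
    swiped_n, keyed_n, swiped_vol, keyed_vol = profile.split()
    per_txn = plan.interchange_fixed + plan.markup_fixed
    return (swiped_vol * (plan.swiped_interchange_pct + plan.markup_pct)
            + keyed_vol * (plan.keyed_interchange_pct + plan.markup_pct)
            + (swiped_n + keyed_n) * per_txn
            + plan.monthly_fee)


def compare(profile, bundled, ic_plus):
    """Return (cheaper_plan_name, bundled_cost, interchange_plus_cost), costs in dollars."""
    b = bundled_cost(profile, bundled)
    i = interchange_plus_cost(profile, ic_plus)
    return (bundled.name if b <= i else ic_plus.name), round(b, 2), round(i, 2)


# Constructed placeholder plans (not real pricing).
AGGREGATOR = BundledPlan("Aggregator", swiped_pct=0.0275, keyed_pct=0.035, keyed_fixed=0.15)
ISO_PLAN = InterchangePlusPlan("ISO interchange-plus", swiped_interchange_pct=0.0165,
                               keyed_interchange_pct=0.0195, interchange_fixed=0.10,
                               markup_pct=0.002, markup_fixed=0.10, monthly_fee=10.0)

# The cookie stand from the article: $3 tickets, low volume, all swiped.
COOKIE_STAND = MerchantProfile(monthly_volume=600, average_ticket=3, keyed_share=0.0)
# A higher-volume, higher-ticket shop where the per-transaction fees are diluted.
RETAILER = MerchantProfile(monthly_volume=50_000, average_ticket=50, keyed_share=0.0)

if __name__ == "__main__":
    for label, p in (("cookie stand", COOKIE_STAND), ("retailer", RETAILER)):
        print(label, compare(p, AGGREGATOR, ISO_PLAN))
```

The flat per-transaction fees are what flip the answer: at $3 a box they dominate the interchange-plus bill, while at $50 a ticket the lower percentage wins.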

As for the application’s name, Haggar doesn’t want any confusion over whether this might be a new Square product.

Posted in Best Practices for Merchants