April 11th, 2014 by Elma Jane

The PCI DSS 3.0 standard, which took effect January 1st, 2014, introduces changes across all 12 requirements, aimed at improving the security of payment card data and reducing fraud. It will mean some shakeups in day-to-day culture and operations for many organizations. Transitioning to meet the new requirements will help e-businesses build a stronger, safer, lower-risk environment for their customers.

While the growing number of digital payment avenues offers convenience to customers, it also offers a larger attack surface for criminals.

As cloud technologies and e-commerce environments continue to grow, they create multiple points of access to cardholder data, and online retailers will only become more appealing targets for attackers. Cybercriminals are cunning and determined, and they understand payment card infrastructures as well as the engineers who designed them.

That is a scary proposition, and it is exactly why the payment card industry is so determined to help keep e-commerce organizations protected. By meeting the new standard, businesses will be better armed to fight evolving threats. The changes will also drive more consistency among assessors, help businesses reduce the risk of compromise and create more transparent provider-customer relationships.

Transitioning to PCI DSS 3.0 will involve some work, but doing that work up front will save much more work down the line. Adopting the new standard will ultimately move your e-commerce business into a more secure and efficient era.

Cultural Changes – One of the main themes of 3.0 is the shift from an annual compliance exercise to embedding security in daily processes. Threats don't change just once a year; they are constantly evolving, and that means e-commerce organizations must adopt a culture of vigilance. Only through a proactive, business-as-usual approach to security can you achieve true DSS compliance. Realistically, this could mean providing more education and building awareness among staff, partners and providers, so that everyone understands why and how the new processes are in place.

Operational Changes – The 3.0 standard addresses common weaknesses that will probably ring a bell with many of you: weak passwords and authentication procedures, insufficient malware detection and inadequate vulnerability assessments, to name a few. Depending on your current security controls program, this could mean stepping up in these areas by strengthening credential requirements, improving your ability to detect malware and compromise on your own systems, testing and documenting your cardholder data environment, and making other corrections.

Overview Changes – How much work lands on your plate will depend on your current security program, so examining your current security strategy and program is a good idea. Below are the areas requiring your attention, which this series will explore in more detail in future installments.

Service Provider Changes – Some organizations have made unsafe assumptions in the past about third-party providers, and some have paid the price, from failed audits to breaches. That is one reason the new standard is designed to eliminate any confusion over compliance responsibilities. Responsibilities for management, operations, security and reporting will all need to be spelled out in detailed contracts. In addition to improved communication, an intensified focus on transparency means that you should have a clear view of your provider's infrastructure, data storage and security controls, along with any subcontractors that can affect your environment. So if your organization isn't exactly clear on which PCI DSS requirements you manage and which ones your providers handle, prepare to get all of that hammered out.

The Compliance Rewards – The path to the 3.0 deadline in January 2015 sounds like a lot of work. To get started, ask your QSA how the changes will affect your organization and have a gap assessment performed; with its findings in hand you can address any shortcomings.

Meeting the new 3.0 requirements isn't just about passing audits. In a fast-paced payment IT landscape, staying smart and protected is part of our commitment to our customers. Stepping up your security game not only reduces audit headaches but also earns a stronger brand reputation as a safe and reliable e-commerce business.


December 2nd, 2013 by Elma Jane

Europay, Mastercard, and Visa (EMV) standards are considered safer and are widely used across Europe and other nations. The chip-based cards must be inserted into a terminal for the duration of a transaction, a break from our traditional swipe-and-buy behavior. That is just one way in which EMV changes things here, but it is not the only way, nor the most important one. By way of reminder, October 2015 is the date by which all restaurants and other merchants are due to have implemented these standards or potentially become liable for counterfeit fraud; the migration primarily reflects a shift from magnetic-stripe credit cards to chip cards.

The main driver of the EMV migration is card-related financial fraud. Traditionally, for example, card fraud in the United Kingdom has been considerably higher than here in the States, primarily because the U.K. previously used offline card authorization as opposed to the online authorization used here. As fraud losses rose steadily in Europe despite the best efforts of global law enforcement agencies, pressure mounted to find a solution built around an alternative authentication strategy. From this concern, EMV was born.

Is it working? Recent statistics from the European Central Bank (ECB) revealed that, despite growing card usage, fraud in the Single Euro Payments Area (SEPA), a mature EMV territory that includes all 28 members of the European Union plus Iceland, Liechtenstein, Monaco and Norway, fell 7.6% between 2007 and 2011. This decline is underpinned by a slowdown in the growth of ATM fraud as well as a 24% drop in fraud carried out at point-of-sale terminals. The 2008 Canadian roll-out of Chip and PIN had a dramatic impact on fraud there: card skimming losses had peaked at $142 million in 2009 but fell to $38.5 million by 2012, according to figures from the Interac Association. Critics point out that most of this decrease is in face-to-face card fraud, and that criminals merely shift their focus to areas with weaker anti-fraud controls, typically card-not-present transactions. Still, the gains are real, and as the technology improves more successes are sure to follow.

Part of the reason the U.S. has not embraced EMV sooner is that our fraud problem, while significant, has typically been among the lowest rates among highly developed, economically mature countries. Much of that is due to the online authorization methods at work here. Our online methodology permits authorizations to be done in real time, thwarting a significant percentage of fraudulent attempts at the point of sale, the best place to stop fraud. It also incorporates multiple fraud and risk parameters as well as advanced neural networks that are built into the approval process. It has been a highly effective system compared to most alternatives, and that effectiveness has helped fuel the resistance to full EMV adoption here. However, the EMV migration has gained enough momentum that it is only a matter of time. The truth is that, despite the gains in preventing credit card fraud and the best efforts of EMV's backers to push acceptance through, global adoption of the EMV standard is still considerably less than 100%.

In the U.K.'s old offline authorization method, credit card transactions were gathered together at specific times, typically at the end of the business day, and then batched over to the card issuers for authorization. That gave fraudsters a significant time lag between the transaction and the authorization, and this lag contributed greatly to the higher levels of fraud in the U.K. For Europe and much of the rest of the world, adoption of EMV technologies changed things dramatically, at least in terms of the authentication protocols for both online and offline purchases. During an offline EMV transaction, the payment terminal communicates directly with the integrated circuit chip (ICC) embedded in the payment card rather than using telecommunications to reach the issuing bank. The ICC/terminal connection enables card authentication, cardholder verification and payment authorization to happen offline in real time, within limits set by the issuer. In an online EMV transaction, the chip generates a cryptogram, a message authentication code over the transaction data computed with a key that only the chip and the issuer hold, and the card issuer verifies it in real time.
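The online-authorization exchange described above, as an added illustration that is not code from the original post and not the real EMV algorithm: real cards compute the Application Cryptogram (ARQC) with a 3DES-based MAC over an issuer-defined list of transaction fields, using a session key derived from a per-card key that is itself derived from the issuer's master key. This Python model keeps that structure (issuer master key, per-card derived key, MAC over amount, counter and terminal nonce) but uses HMAC-SHA256 so it runs with the standard library alone, and it omits the issuer's response cryptogram. The key-derivation label, the sample master key and the test PAN are constructed values.

```python
"""Simplified model of the EMV online cryptogram exchange (added example;
not the real EMV MAC construction, which is 3DES-based per ISO/IEC 9797-1).
"""
import hashlib
import hmac
import secrets

# Constructed sample issuer master key. In production this lives only in
# the issuer's HSM; the card never holds it, only a key derived from it.
ISSUER_MASTER_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
TEST_PAN = "4111111111111111"  # standard test card number, not a real account


def derive_card_key(issuer_master_key: bytes, pan: str) -> bytes:
    # Per-card key (EMV calls this the ICC master key). The derivation label
    # is an assumption; real issuers use a 3DES-based derivation from the PAN.
    return hmac.new(issuer_master_key, b"icc-key|" + pan.encode(), hashlib.sha256).digest()


def cryptogram_data(amount_cents: int, currency: str, atc: int, un: bytes) -> bytes:
    # Fields the cryptogram commits to. ATC = Application Transaction Counter,
    # incremented by the chip on every transaction; UN = the terminal's
    # Unpredictable Number. Together they make each ARQC unique.
    return b"|".join([str(amount_cents).encode(), currency.encode(),
                      atc.to_bytes(2, "big"), un])


def compute_arqc(card_key: bytes, amount_cents: int, currency: str, atc: int, un: bytes) -> bytes:
    # 8-byte MAC, the same length as a real Application Cryptogram.
    return hmac.new(card_key, cryptogram_data(amount_cents, currency, atc, un),
                    hashlib.sha256).digest()[:8]


class ChipCard:
    """Card side: knows only its own derived key and its transaction counter."""

    def __init__(self, pan: str, card_key: bytes):
        self.pan, self._key, self.atc = pan, card_key, 0

    def generate_arqc(self, amount_cents: int, currency: str, un: bytes) -> dict:
        self.atc += 1
        return {"pan": self.pan, "amount": amount_cents, "currency": currency,
                "atc": self.atc, "un": un,
                "arqc": compute_arqc(self._key, amount_cents, currency, self.atc, un)}


class Issuer:
    """Issuer side: re-derives the card key and verifies the ARQC online."""

    def __init__(self, master_key: bytes):
        self._mk = master_key
        self._last_atc: dict = {}  # highest ATC accepted per PAN

    def authorize(self, msg: dict) -> tuple:
        expected = compute_arqc(derive_card_key(self._mk, msg["pan"]),
                                msg["amount"], msg["currency"], msg["atc"], msg["un"])
        if not hmac.compare_digest(expected, msg["arqc"]):
            return False, "cryptogram mismatch"
        if msg["atc"] <= self._last_atc.get(msg["pan"], 0):
            return False, "replayed or stale ATC"
        self._last_atc[msg["pan"]] = msg["atc"]
        return True, "approved"


def run_scenarios() -> dict:
    """Genuine, tampered, replayed and counterfeit transactions against one issuer."""
    card = ChipCard(TEST_PAN, derive_card_key(ISSUER_MASTER_KEY, TEST_PAN))
    issuer = Issuer(ISSUER_MASTER_KEY)
    un = secrets.token_bytes(4)  # terminal-chosen nonce
    genuine = card.generate_arqc(1999, "USD", un)
    results = {"genuine": issuer.authorize(genuine)}
    # A tampered amount (terminal or network tampering) breaks the MAC.
    results["tampered_amount"] = issuer.authorize({**genuine, "amount": 199})
    # Replaying the captured message: MAC is valid but the ATC has been seen.
    results["replay"] = issuer.authorize(genuine)
    # A counterfeit card built from copied stripe data has no card key.
    clone = ChipCard(TEST_PAN, secrets.token_bytes(32))
    results["cloned_card"] = issuer.authorize(clone.generate_arqc(1999, "USD", un))
    # The next genuine transaction (ATC 2) still goes through.
    results["next_genuine"] = issuer.authorize(
        card.generate_arqc(500, "USD", secrets.token_bytes(4)))
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:16s} {'APPROVED' if ok else 'DECLINED'}: {why}")
```

The point the post makes about online EMV falls out of the four scenarios: a counterfeit card built from copied stripe data has no card key and cannot produce a valid cryptogram, a captured cryptogram cannot be replayed because the issuer tracks the counter, and any change to the amount in transit invalidates the MAC. A real issuer must also tolerate gaps in the ATC (offline-approved transactions consume counter values too), which is why the check here is a strict greater-than rather than an exact next-value match.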


October 10th, 2013 by Elma Jane

There are various payment processing rates that apply to credit and debit card transactions. Visa and MasterCard do not publish their rules and regulations or the payment processing standards required to get the lowest interchange rate; it is up to credit card processing companies to understand and implement them to their merchants' benefit. A high downgrade rate may indicate that your processor does not know the standards, or is reluctant to implement best practices or new rule changes.

Which rate applies depends on a variety of factors related to the circumstances of the sale and the way the payment is processed, as well as on the type of card used. Payments processed in a card-not-present environment (e.g. online or over the phone) are typically assessed higher processing fees than payments processed face to face. Payments made with regular consumer cards are generally processed at lower rates than payments made with rewards, business-to-business or commercial cards, and debit cards are processed at lower interchange rates than credit cards.

To simplify pricing for their merchants, the majority of processing companies use tiered pricing models (two-tiered, three-tiered, six-tiered, etc.). There are three general classifications used in these tiered pricing models:
Qualified Transaction (also referred to as the Swiped Rate for retail merchants) – This is the most favorable rate, charged when a transaction is processed in accordance with the rules and standards established in the Payment Processing Agreement signed by the merchant and the processing bank and involves a regular consumer credit card; for a physical retailer that means the card is physically swiped through a credit card terminal. This rate is called the "Qualified Rate" and is set in the merchant's Payment Processing Agreement based on the way the merchant will be accepting the majority of its cards. For example, for an internet-based merchant the internet interchange categories will be defined as Qualified, while for a physical retailer only transactions where cards are swiped through a terminal will be Qualified.

Mid-Qualified Transaction – This is the rate charged when a consumer credit card is manually keyed into a credit card terminal instead of being swiped but the Address Verification Service (AVS) data matches (billing address and ZIP code, supplied along with the card number, expiration date and CVV code), or when the cardholder uses a rewards card, a business-to-business card or another special type of card. The transaction is charged a discount rate that is less favorable than the Qualified rate; this is called the "Mid-Qualified Rate."

Non-Qualified Transaction – This is the rate charged when a transaction is manually keyed in without AVS, when certain special kinds of credit card are used (such as a rewards card or a business card), when a payment is not processed in accordance with the rules established in the Payment Processing Agreement, or when it does not comply with applicable security requirements.
Qualified Transaction Conditions

One electronic authorization request is made per transaction and the transaction/purchase date is equal to the authorization date.
The authorization response data must also be included in the transaction settlement.
The authorization transaction amount must match the settled (deposit) transaction amount.
The card that is used is not a commercial (business) credit card.
The credit/debit card is present at the time of the transaction, the card's full magnetic stripe is read by the terminal, and a signature is obtained from the cardholder at the time of the transaction.
The transaction must be authorized and settled under a standard retail industry code.
The transaction must be electronically deposited (batch transmitted) no later than 1 day from the transaction/purchase/authorization date.

Mid-Qualified Transaction Conditions

One or more of the Qualified conditions were not met.

Non-Qualified Transaction Conditions

One or more of the Qualified conditions were not met, or
The card that was used was a commercial card without the additional data submitted, or
The transaction was electronically deposited (batch transmitted) more than 1 day after the authorization date, or
The transaction was not electronically authorized, or the authorization response data was not included in the transaction settlement.
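A classifier for the conditions listed above, added here as an example rather than any processor's actual rules: every processor encodes its own tiers in its Payment Processing Agreement, and the split below (the conditions this page lists under Non-Qualified take precedence; any other unmet Qualified condition, or a keyed entry that passed AVS, costs the Mid-Qualified rate) is one reading of the text. The Transaction field names and the sample batch are assumptions, constructed for a swiped-card retail merchant. Run over a settlement batch, it produces the downgrade rate and the most common downgrade reasons, which is the check to make when, as the post says, a high downgrade rate may point back at the processor.

```python
"""Interchange tier classifier for the qualification conditions above
(added example; one reading of the page's conditions, not a processor's rules).
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

QUALIFIED = "Qualified"
MID_QUALIFIED = "Mid-Qualified"
NON_QUALIFIED = "Non-Qualified"


@dataclass
class Transaction:
    """Attributes of one settled transaction. Field names are assumptions;
    a real settlement file or processor report uses its own layout."""
    card_present: bool               # card physically presented (not keyed)
    full_stripe_read: bool           # full magnetic stripe read by the terminal
    signature_obtained: bool
    avs_match: bool                  # AVS address and ZIP matched (keyed entry)
    electronically_authorized: bool
    auth_count: int                  # authorization requests for this sale
    purchase_date: date
    auth_date: date
    settle_date: date                # batch transmission date
    auth_amount_cents: int
    settled_amount_cents: int
    auth_response_in_settlement: bool
    commercial_card: bool
    commercial_data_supplied: bool   # the "additional data" the page mentions
    rewards_or_special_card: bool
    standard_retail_industry_code: bool


def non_qualifying_failures(t: Transaction) -> list[str]:
    """Conditions the page lists under Non-Qualified: any one of these
    downgrades the transaction to the worst tier regardless of the rest."""
    reasons = []
    if not t.electronically_authorized:
        reasons.append("not electronically authorized")
    if not t.auth_response_in_settlement:
        reasons.append("authorization response data missing from settlement")
    if (t.settle_date - t.auth_date).days > 1:
        reasons.append("batched more than 1 day after authorization")
    if t.commercial_card and not t.commercial_data_supplied:
        reasons.append("commercial card without the additional data")
    if not t.card_present and not t.avs_match:
        reasons.append("keyed without AVS match")
    return reasons


def mid_qualifying_failures(t: Transaction) -> list[str]:
    """Remaining Qualified conditions; unmet, they cost the Mid-Qualified rate."""
    reasons = []
    if not t.card_present:
        reasons.append("keyed (with AVS match) instead of swiped")
    elif not (t.full_stripe_read and t.signature_obtained):
        reasons.append("card present but stripe not fully read or no signature")
    if t.auth_count != 1:
        reasons.append(f"{t.auth_count} authorization requests instead of 1")
    if t.purchase_date != t.auth_date:
        reasons.append("purchase date differs from authorization date")
    if t.auth_amount_cents != t.settled_amount_cents:
        reasons.append("settled amount differs from authorized amount")
    if t.commercial_card:
        reasons.append("commercial card")
    if t.rewards_or_special_card:
        reasons.append("rewards or other special card type")
    if not t.standard_retail_industry_code:
        reasons.append("not authorized/settled under a standard retail industry code")
    return reasons


def classify(t: Transaction) -> tuple[str, list[str]]:
    """Return the tier and the list of conditions that caused any downgrade."""
    hard = non_qualifying_failures(t)
    if hard:
        return NON_QUALIFIED, hard
    soft = mid_qualifying_failures(t)
    if soft:
        return MID_QUALIFIED, soft
    return QUALIFIED, []


def downgrade_report(batch: list[Transaction]) -> dict:
    """Tier counts, downgrade rate and the most common downgrade reasons."""
    tiers, reasons = Counter(), Counter()
    for t in batch:
        tier, why = classify(t)
        tiers[tier] += 1
        reasons.update(why)
    downgraded = tiers[MID_QUALIFIED] + tiers[NON_QUALIFIED]
    return {"tiers": dict(tiers),
            "downgrade_rate": downgraded / len(batch) if batch else 0.0,
            "top_reasons": reasons.most_common(3)}


def sample_batch() -> list[Transaction]:
    """Constructed sample transactions for a swiped-card retail merchant."""
    d = date(2013, 10, 1)
    base = dict(card_present=True, full_stripe_read=True, signature_obtained=True,
                avs_match=False, electronically_authorized=True, auth_count=1,
                purchase_date=d, auth_date=d, settle_date=d, auth_amount_cents=4250,
                settled_amount_cents=4250, auth_response_in_settlement=True,
                commercial_card=False, commercial_data_supplied=False,
                rewards_or_special_card=False, standard_retail_industry_code=True)
    return [
        Transaction(**base),                                                        # clean swipe
        Transaction(**{**base, "card_present": False, "full_stripe_read": False,
                       "avs_match": True}),                                         # keyed, AVS ok
        Transaction(**{**base, "settle_date": date(2013, 10, 4)}),                  # late batch
        Transaction(**{**base, "commercial_card": True,
                       "commercial_data_supplied": True}),                          # commercial + data
        Transaction(**{**base, "card_present": False, "full_stripe_read": False,
                       "signature_obtained": False}),                               # keyed, no AVS
    ]


if __name__ == "__main__":
    for t in sample_batch():
        print(classify(t))
    print(downgrade_report(sample_batch()))
```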
