September 14th, 2017 by Elma Jane

Payments standards body EMVCo has updated its Payment Tokenisation Technical Framework to introduce the new roles of token programme and token user, refine the roles of token service provider and token requestor and detail their interrelationships within the global payments environment.

The EMV Payment Tokenisation Specification also includes expanded ecommerce use cases and operational management enhancements to support global interoperability and facilitate transaction security.

This latest version offers significant updates and use cases that reflect payment industry input to define how EMV payment tokens are generated, deployed and managed. The level of detail assists in establishing a stable payment environment and delivering a common set of tools to facilitate transaction security.

The technical framework needs to capture these industry requirements and be flexible enough to interoperate with the existing payment ecosystem while supporting ecommerce, new payment methods and regional variations.

EMVCo is calling on the payments community to get involved and provide feedback.

EMVCo was formed by Europay International, MasterCard International, and Visa International to manage, maintain and enhance the EMV specifications for payment systems.

Posted in Best Practices for Merchants

Tokenization
May 5th, 2017 by Elma Jane

Tokenization is a powerful security feature that lets a merchant keep all of its existing business processes that require card data without the risk of holding card data. Because tokens are useless to criminals, the merchant can store them without creating any security exposure.

The liability and costs associated with PCI compliance are substantially reduced, and the risk of storing sensitive data is eliminated.

Tokenization applies to credit cards and gift cards.

Merchants set up for the tokenization service receive responses that include a token.

The token is not linked to a specific transaction but to a specific card number: the token generated for that card will be identical for every use of that card number at that merchant.

Furthermore, you can generate a token and save it, along with its associated information, in the Card Manager.

For Electronic Payments with Tokenization, call 888-996-2273 or visit NationalTransaction.Com

Posted in Best Practices for Merchants, Credit Card Security, Electronic Payments, Payment Card Industry PCI Security

Tokenization and Encryption
November 18th, 2016 by Elma Jane

Tokenization and encryption are completely different technologies when it comes to securing sensitive data such as credit card numbers.

Encryption masks the original data in a way that allows it to be decrypted later: an algorithm scrambles the credit card information so that it is unreadable to anyone without the key.

Encryption is most often “end-to-end”.

Example: card data is encrypted when someone enters it into a web browser to buy an item, and decrypted when the purchaser’s authorized card information reaches its intended destination, the merchant’s e-commerce database.

Encrypted card data is unreadable while it’s “at rest” in a database or “in motion” during a purchase transaction, and inaccessible until a key decrypts it, so the chances of a hacker stealing the data are minimal. But if card data passes through multiple internal systems en route to an acquiring bank or payment gateway, the encrypt/decrypt/re-encrypt process at each hop could open a wide security hole for hackers to exploit.

Tokenization has been found to be cheaper, easier to use and more secure than end-to-end encryption.

Tokenization completely removes credit card data from internal networks and replaces it with a generated, unique “token”. Tokens have no meaning on their own and are worthless to criminals if a company’s system is breached.

Merchants use only the token to retrieve, access, or maintain their customers’ credit card information.

Example: if the actual credit card number is 3234 4567 8789 78910, it might become FHIW145BVE65478 when a token is generated. The token is randomly generated, and there is no algorithm to recover the original card number from it, so hackers can’t reverse-engineer the actual credit card number even if they grab the tokens off the servers.

Using tokens doesn’t change a merchant’s payment processing experience; tokens are simply much safer for a merchant to hold than actual card numbers.

Posted in Best Practices for Merchants, Credit Card Security

September 15th, 2016 by Elma Jane


Storing credit card data for recurring billing is discouraged.

But many feel that storing it is necessary in order to facilitate recurring payments.

Using a third-party vault provider to store credit card data for recurring billing is the best approach.

It helps reduce or eliminate the need for electronically stored cardholder data while still maintaining current business processes.

For recurring billing a token can be used instead, by utilizing a vault; the risk is removed from your possession.

Modern payment gateways allow card tokenization.

Any business that stores data needs to review and follow the PCI DSS requirements in order for its electronic storage of cardholder data to be PCI compliant.

Appropriate encryption will be applied to the primary account number. In this situation, the numbers in the electronic file should be encrypted at the column level, file level or disk level.
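As an added example that is not part of this post or the earlier tokenization posts, here is a small token vault in Go, written for this page, that follows the rules those posts state: the token is random and carries no information about the card number, the same card and merchant always get the same token, and the PAN itself is kept only under column-level encryption (AES-GCM here, an assumed choice). The Vault type, the merchant names and the test card number are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const tokenAlphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567" // 32 symbols: b&31 picks one without bias

// Vault is a hypothetical token vault: random tokens in front, the PAN behind, held only as AES-GCM ciphertext.
type Vault struct {
	aead    cipher.AEAD
	byPAN   map[string]string // merchantID + "|" + PAN -> token
	byToken map[string][]byte // token -> nonce || encrypted PAN
}

func NewVault(key []byte) *Vault {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &Vault{aead: aead, byPAN: map[string]string{}, byToken: map[string][]byte{}}
}

// tokenFrom maps random bytes to symbols; nothing about the PAN goes in, so nothing leads back to it.
func tokenFrom(buf []byte) string {
	for i, b := range buf {
		buf[i] = tokenAlphabet[b&31]
	}
	return string(buf)
}

// Tokenize returns the merchant's token for a PAN, creating it on first use: the
// same merchant and PAN always get the same token, another merchant a different one.
func (v *Vault) Tokenize(merchantID, pan string) string {
	if tok, ok := v.byPAN[merchantID+"|"+pan]; ok {
		return tok
	}
	buf := make([]byte, 15+v.aead.NonceSize()) // 15 symbols carry 75 random bits
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	tok, nonce := tokenFrom(buf[:15]), buf[15:]
	// Merchant ID is the associated data: the record decrypts only for its owner.
	v.byToken[tok] = append(nonce, v.aead.Seal(nil, nonce, []byte(pan), []byte(merchantID))...)
	v.byPAN[merchantID+"|"+pan] = tok
	return tok
}

// Detokenize is the only path from token back to PAN, and it lives in the vault.
func (v *Vault) Detokenize(merchantID, tok string) (string, error) {
	rec, ok := v.byToken[tok]
	if !ok {
		return "", fmt.Errorf("unknown token %q", tok)
	}
	pan, err := v.aead.Open(nil, rec[:v.aead.NonceSize()], rec[v.aead.NonceSize():], []byte(merchantID))
	if err != nil {
		return "", fmt.Errorf("token %q is not valid for merchant %q", tok, merchantID)
	}
	return string(pan), nil
}

func (v *Vault) StoredRecord(tok string) []byte { return v.byToken[tok] } // what sits on disk

func main() {
	v := NewVault(make([]byte, 32)) // constructed key; a real vault loads it from an HSM
	tok := v.Tokenize("merchant-A", "4111111111111111") // constructed test PAN
	fmt.Printf("token %s, stored record %x\n", tok, v.StoredRecord(tok))
}
```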


Posted in Best Practices for Merchants, Credit Card Security

Token
December 15th, 2015 by Elma Jane

Visa Inc. has launched the Visa Token Service in Asia Pacific, in association with United Overseas Bank (UOB). Tokens stored on mobile devices, in cloud-based mobile applications and with e-commerce merchants carry less risk from a security breach. This security technology replaces sensitive account information so that payments can be made without exposing bank details.

Tokenized cards are linked to the customer’s wallet application or mobile device and validated by VisaNet. Biometric authentication and device identification features are available through this service. Visa debit or credit cardholders with NFC-enabled Android smartphones will be able to make contactless payments.


Posted in Best Practices for Merchants, e-commerce & m-commerce

July 23rd, 2015 by Elma Jane


The digital payments landscape is changing at a rapid pace. Consumers are finally adopting digital wallets, like Apple Pay and Android Pay.

The deadline for merchants to become EMV compliant is quickly approaching. EMV is the global standard that covers the processing of credit and debit card payments using a card that contains a microprocessor chip.

Today’s consumers show an increasing desire to use new payment methods because they’re convenient. However, this presents a challenge to merchants, as many have not made the switch to the modern technology required to accept these methods since they’re generally hard-wired to resist technology changes.

Merchants must evolve with technology or they’ll find themselves unable to compete and in danger of losing customers.

Looking long term, the benefits of adopting new payment technology will outweigh the cost of transitioning. The fact is that new payment technology will reduce fraud risk due to counterfeit cards, provide greater insight into shoppers with sophisticated data and will ultimately lower costs for merchants over time.

The value merchants will get out of new payment methods: 

Security

Investing in new payment technology will help reduce the risk of fraud. EMV is one example: beginning in October 2015, merchants and financial institutions that have invested in EMV will be protected from fraud liability for card-present losses, whether from counterfeit, lost, stolen or non-receipt fraud.

EMV is already a standard in Europe, where fraud is on the decline. In turn, American credit card issuers are being pressured to replace the easily hacked magnetic stripe on cards with the more secure “chip-and-PIN” technology that Europe has been using, as Chip and Chip & PIN, for years.

There’s nothing that can guarantee 100 percent security, but when EMV is coupled with other payment innovations like tokenization, which separates the customer’s identity from the payment, much of the cost and risk of identity theft is eliminated. If hackers get access to a token, all they get is information from one transaction; they don’t have access to credit card numbers or bank accounts, so the damage that can be done is minimal.

As card fraud rises, there’s a strong case to upgrade to a payment system that works with a smartphone or tablet and accepts both EMV chip cards and tokens.

Insight into Customer Behavior

In addition to added security, upgrading to new payment technology opens the door to greater customer insight and improved consumer engagement, and enables merchants to grow revenue by providing customers with receipts, rewards, points and coupons. By collecting marketing data at the point of sale, a business obtains at no extra cost the data it previously could only have dreamed of buying.

Investment Outweighs the Cost

New technology does have upfront costs, but merchants need to think about it as an investment that will grow top-line revenue. Beware of providers offering free hardware; businesses benefit from researching the actual cost of the hardware.

By increasing security, merchants are further enabling mobile and emerging technologies, which will make shopping easier.

Customers will also be more confident in using their cards.

As an added bonus to merchants, most EMV-enabled POS equipment will include contactless technology, allowing merchants to accept contactless and mobile payments. This will result in a quicker check-out experience so merchants can handle more transactions.

Faster Customer Checkout

The best system is the one that makes the merchant as efficient and profitable as possible and improves the customer checkout experience.

The retail climate is competitive, and merchants have two choices: do nothing, or embrace the fact that payments are changing.

Transitions from old systems to new ones require work and carry risk, but merchants who use modern technology are investing in the future and will certainly outperform those who choose to do nothing.

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Mobile Payments, Near Field Communication, Point of Sale

May 19th, 2015 by Elma Jane

We’re now nearly midway through 2015, and payment security still remains a topic that stirs up great concern and confusion. While there is seemingly unanimous agreement on the need for heightened security, there’s uncertainty among those who are tasked with actually implementing it. Let’s dig deeper into EMV, P2PE and tokenization: how each will play a part in the next generation of payment security, and how, without working together properly, they might just fall short.


Europay, MasterCard, and Visa (EMV) – A powerful guard against credit card skimming. EMV relies on an integrated chip embedded in the card and uses cryptography to create dynamic data for every transaction.

Downside: For Independent Software Vendors (ISVs), the biggest downside of EMV is the complexity of creating an EMV solution. ISVs interested in certifying PINpads with a few processors face up to 22 months of costly work, and because there are a large number of pending certifications, processors will be backed up over the next few years.

It’s not impossible for an ISV to build EMV solutions in-house, but it’s difficult and unnecessary when there are plug-and-play EMV solutions available. These solutions include pre-packaged and pre-certified APIs that remove most of the need for research, the complexity and the burden of time and cost.

Point to Point Encryption (P2PE) – Protects devices, apps and processes from tech-savvy criminals, who jump at the chance to intercept POS systems and scrape the memory of Windows machines, by encrypting card data from the earliest point of the transaction with cryptographic keys known only to the payment company or gateway.

How does a key get into a card reader? Through an algorithm called derived unique key per transaction (DUKPT), or “duck putt.” DUKPT works from a base key that is shared securely with device manufacturers, and the cardholder data output by the reader is rendered differently each time a card is swiped, making it impossible to reverse-engineer the card data. P2PE benefits not only cardholders but also ISVs and merchants. PA-DSS certification was designed to address the problems created by cardholder data that is not encrypted.

Downside: P2PE isn’t cheap if an organization wants to do it in-house. The secure cryptographic device needed to manage the keys, a Hardware Security Module (HSM), can cost $30-40,000, and once it’s built out the total cost can jump to $100,000.
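Added example, not from the original post: the ANSI X9.24 DUKPT derivation described above, written in Go for this page. It shows how the base derivation key (BDK, which stays in the HSM) yields the reader's initial key, and then a distinct key for each transaction counter, so a key captured from one swipe does not expose the keys before it. The BDK and KSN values are the widely published X9.24 sample vectors; the function names are this example's own.

```go
package main

import (
	"crypto/des"
	"encoding/hex"
	"fmt"
)

var c0Mask = []byte{0xC0, 0xC0, 0xC0, 0xC0, 0, 0, 0, 0, 0xC0, 0xC0, 0xC0, 0xC0, 0, 0, 0, 0} // X9.24 key mask

func xor(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

// encryptBlock encrypts one 8-byte block: two-key triple DES (K1, K2, K1) for
// a 16-byte key; an 8-byte key is tripled, which is plain single DES.
func encryptBlock(key, block []byte) []byte {
	k := append(append([]byte{}, key...), key[:8]...)
	if len(key) == 8 {
		k = append(k, key...)
	}
	c, _ := des.NewTripleDESCipher(k) // k is always 24 bytes, so no error
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// DeriveIPEK derives the reader's initial key from the BDK and the left 8 bytes
// of its KSN (counter bits cleared). Only the IPEK is injected; the BDK stays in the HSM.
func DeriveIPEK(bdk, ksn []byte) []byte {
	ksn8 := append([]byte{}, ksn[:8]...)
	ksn8[7] &= 0xE0 // the low 5 bits of byte 8 belong to the 21-bit counter
	return append(encryptBlock(bdk, ksn8), encryptBlock(xor(bdk, c0Mask), ksn8)...)
}

// nrkgp is the non-reversible key generation step: a one-way function of the
// current key and KSN register, so a captured key does not reveal earlier ones.
func nrkgp(key, ksnReg []byte) []byte {
	right := xor(encryptBlock(key[:8], xor(ksnReg, key[8:])), key[8:])
	kx := xor(key, c0Mask)
	left := xor(encryptBlock(kx[:8], xor(ksnReg, kx[8:])), kx[8:])
	return append(left, right...)
}

// DeriveTxnKey derives the key for the transaction counter held in the low 21
// bits of the 10-byte KSN, applying nrkgp once for each set counter bit.
func DeriveTxnKey(ipek, ksn []byte) []byte {
	reg := append([]byte{}, ksn[2:10]...) // rightmost 8 bytes of the KSN
	counter := uint32(reg[5]&0x1F)<<16 | uint32(reg[6])<<8 | uint32(reg[7])
	reg[5], reg[6], reg[7] = reg[5]&0xE0, 0, 0
	key := ipek
	for bit := uint32(1 << 20); bit > 0; bit >>= 1 {
		if counter&bit != 0 {
			reg[5], reg[6], reg[7] = reg[5]|byte(bit>>16), reg[6]|byte(bit>>8), reg[7]|byte(bit)
			key = nrkgp(key, reg)
		}
	}
	return key
}

func main() {
	bdk, _ := hex.DecodeString("0123456789ABCDEFFEDCBA9876543210") // X9.24 sample BDK
	ksn, _ := hex.DecodeString("FFFF9876543210E00001")             // sample KSN, counter = 1
	fmt.Printf("transaction key %X\n", DeriveTxnKey(DeriveIPEK(bdk, ksn), ksn))
}
```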

TOKENIZATION – The best way to protect cardholder data when it’s stored is tokenization, a process which the PCI Security Standards Council describes as one where the primary account number is replaced with a surrogate value, a token. For merchants dealing with recurring billing, future payments, loyalty programs and more, tokenization is critical.

Downside: Tokenization doesn’t prevent malware that’s remotely installed on POS devices. As seen in recent retail card breaches, data can be stolen before it is tokenized. That’s why it’s essential to combine tokenization with P2PE and EMV to offer optimal security.


Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security, Visa MasterCard American Express

September 17th, 2014 by Elma Jane

Host Card Emulation (HCE) offers virtual payment card issuers the promise of removing dependencies on secure element issuers such as mobile network operators (MNOs). HCE allows issuers to run the payment application in the operating system (OS) environment of the smartphone, so the issuing bank does not depend on a secure element issuer. This means lower barriers to entry and potentially a boost to the NFC ecosystem in general. The issuer will, however, have to deal with the absence of a hardware secure element, since the OS environment itself cannot offer equivalent security, and must mitigate the risk using software-based techniques. Since risk is the probability of an attack times the impact of an attack, mitigation measures will generally be geared towards minimizing one or the other.

To reduce the probability of an attack, various software based methods are available. The most obvious one in this category is to move part of the hardware secure element’s functionality from the device to the cloud (thus creating a cloud based secure element). This effectively means that valuable assets are not stored in the easily accessible device, but in the cloud. Secondly, user and hardware verification methods can be implemented. The mobile application itself can be secured with software based technologies.

Should an attack occur, several approaches exist for mitigating its impact. At the application level it is straightforward to impose transaction constraints (low-value transactions only, a limited number of transactions per timeframe, geographical limits). But the most characteristic risk mitigation method associated with HCE is to devalue the assets held by the mobile app, that is, to tokenize them. Tokenization replaces valuable assets with something that has no value to an attacker and whose relation to the valuable asset is established only in the cloud. Since the token itself has no value to the attacker, it may be stored in the mobile app. The principle of tokenization is leveraged in the cloud-based payments specifications which are (or will soon be) issued by the different card schemes such as Visa and MasterCard.

HCE gives the issuer complete autonomy in defining and implementing the payment application and required risk mitigations (of course within the boundaries set by the schemes). However, the hardware based security approach allowed for a strict separation between the issuance of the mobile payment application on one hand and the transactions performed with that application on the other hand. For the technology and operations related to the issuance, a bank had the option of outsourcing it to a third party (a Trusted Service Manager). From the payment transaction processing perspective, there would be negligible impact and it would practically be business as usual for the bank.

This is quite different for HCE-based approaches. As a consequence of tokenization, the issuance and transaction domains become entangled. The platform involved in generating the tokens, which constitute payment credentials and are therefore related to the issuance domain, is also involved in the transaction authorization.

HCE is offering autonomy to the banks because it brings independence of secure element issuers. But this comes at a cost, namely the full insourcing of all related technologies and systems. Outsourcing becomes less of an option, largely due to the entanglement of the issuance and transaction validation processes, as a result of tokenization.


Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Near Field Communication, Visa MasterCard American Express

September 16th, 2014 by Elma Jane

When plastic cards become digital tokens, they become virtual. So how do you say whether the Card is Present or Not Present, the legendary regulatory distinction that the cards industry has relied on to differentiate interchange fees for Card Present and Card Not Present transactions?

Apple secured Card Present preferential rates for transactions acquired through iTunes on the basis that the card’s legitimacy is verified with the issuer at the time of registration and the token minimizes the probability of fraud. If an API call to the issuing bank is sufficient to say that the Card is Present, who is to say that the same logic can’t apply to online merchants who also verify the authenticity of Cards on File when they tokenize them? How can one arbitrarily say that a transaction processed with a token from an online merchant is Card Not Present, while one processed with Apple Pay is Card Present, even though both might have made the same API call to the bank to verify the card’s validity?

In the Apple case, a physical picture of the card is taken and used to verify that the person registering the card has it. It is not that hard for an online merchant to verify that the Card on File converted as a token does belong to the person performing an online transaction.

As we move towards chip and PIN, card-present merchants will spend substantial money upgrading their hardware and POS systems. That expense will be offset by the savings from reduced fraud losses. MOTO and e-commerce transactions (card NOT present) will always have a higher cost because the processing is by nature NOT face to face. Of course fraud and losses are higher when the card is manually entered or given to someone over the phone. Face to face will always have the lowest cost per transaction because it is usually the final step in the sale. Restaurants are low risk because the transaction happens AFTER you eat; if there is a dispute, it happens before the merchant even sees the credit card.

In the long run, as cards become digital and virtual through tokens, we are all going to wonder whether the card is present or not present. Maybe some will say the card is a ghost.

Posted in Best Practices for Merchants, Credit card Processing, EMV EuroPay MasterCard Visa, Visa MasterCard American Express

February 18th, 2014 by Elma Jane

Payment Tokenization Standards

Tokenization is the process of replacing a traditional card account number with a unique payment token that is restricted in how it can be used with a specific device, merchant, transaction type or channel. When using tokenization, merchants and digital wallet operators do not need to store card account numbers; instead they are able to store payment tokens that can only be used for their designated purpose. The tokenization process happens in the background in a manner that is expected to be invisible to the consumer.

EMVCo – which is collectively owned by American Express, Discover, JCB, MasterCard, UnionPay and Visa – has announced that it is expanding its scope to lead the payments industry’s work to standardize payment tokenization. EMVCo says that the new specification will help provide the payments community with a consistent, secure and interoperable environment to make digital payments when using a mobile handset, tablet, personal computer or other smart device.

Key elements of EMVCo’s work include adding new data fields to provide richer industry information about the transaction, which will improve transaction efficiency and enhance the consumer and merchant payment experience by helping to prevent fraudulent card account use. EMVCo will also create a consistent approach to identify and verify the valid use of a token during payment processing including authorization, capture, clearing and settlement.

EMVCo’s announcement follows an earlier joint announcement from MasterCard, Visa and American Express that proposed an initial framework for industry collaboration to standardize payment tokenization. EMVCo says it will now build on this framework with collective input from all of its members and the industry as a whole.

Posted in Credit card Processing, Credit Card Reader Terminal, Credit Card Security, Digital Wallet Privacy, Electronic Payments, Financial Services, Payment Card Industry PCI Security, Visa MasterCard American Express