tokenization Archives - Page 3 of 4 - Payment Processing News
Dec
17
2015
Evolution of Electronic Payments
December 17th, 2015 by Elma Jane

Mobile Payments – It is bound to see more actions with tech giants Apple, Google and Samsung in mobile payment trends. We will also see new technologies like smartwatches, bracelets and rings that will give us the ability to provide payment options.

NFC – Near Field Communication, another familiar face among the payment trends. NFC, however, goes way beyond making payments using smartphones. These speed up POS payment processing quickly and easily without requiring a PIN or signature. While there are other POS payment methods, such as QR codes, NFC will come out on top. Merchants should ensure they have an overview of the current Point-of-Sale options and should, if needed, upgrade to the latest technology.

Security: Tokenization and biometric authentication will have a strong influence on the payment industry.

Tokenization –  when applied to data security, is an extremely interesting method of securing credit card data. As the credit card numbers are substituted by tokens that has no value, then no harm can be done if tokens are stolen, which makes tokenization a secure process.

There are several new inventions when it comes to payment processing authentication such as password, PIN, and fingerprint methods. But they are weak so two-factor authentication is increasingly used to improve security.

Biometrics Authentication –  like finger print scan, facial recognition, voice recognition, and pulse recognition are set to become increasingly significant. This will increase both security and convenience.

International E-Commerce It’s important that merchants offer shoppers their preferred local payment method. Merchants who are looking for e-commerce success will need to create an international strategy. Merchants should also consider checking with their payment service providers. Providers know their way around to alternative payment methods.

Cash on the Retreat Cashless Society? Some countries in Europe are certainly cutting down on the usage of cash. In Sweden, it is now almost impossible to use cash to pay for bus tickets. Acceptable payment methods include customer cards, credit cards, and payments via smartphone apps. Traditional cash-based bakeries no longer exist and instead, now display signs requesting that customers use cashless payment methods for even the smallest amounts. The situation in Denmark is similar; the government is currently debating whether or not to release smaller retailers from the obligation of having to accept cash as a payment method. Cash is on the retreat, and alternative payment methods are advancing. However, cash is still on the list.

Real-Time Payments (Instant Payments) The European Central Bank (ECB) will bring instant payments strongly in the near future. Instant or real-time payments are a trend which will be with us for a long time to come.

Regulatory Changes The first Payment Services Directive (PSD) from 2007 is still currently implemented domestically. After a tough two-year negotiation period, the EU has now, finally, agreed on a second payment services directive (PSD2). The European Banking Authority (EBA) is set to develop more detailed guidelines and regulatory standards for various industries. Payment industries should begin preparing themselves now for implementation, doing this will allow them to be ready for the appropriate steps necessary in 2016/2017.

Posted in Best Practices for Merchants, e-commerce & m-commerce, Near Field Communication, Point of Sale, Travel Agency Agents Tagged with: , , , , , , , , , , , , , , , , , , , , , , , ,

Nov
16
2015
Tokenization
November 16th, 2015 by Elma Jane

Combat Fraud With Layered Approach!

Encryption and Tokenization a strong combination to protect cardholder data at all points in the transaction cycle.

Encryption – the strongest protection for card data when it’s in transit. From the moment a payment card is swiped or dipped at a terminal featuring a hardware-based, tamper resistant security module. Encryption protects the card data from fraudsters as it travels across various systems and networks until it is decrypted at secure data center. Encryption is ideally suited for any businesses that processes card transactions in a face to face or card present environment.

Tokenization – protects card data when it’s in use and at rest. It converts or replaces cardholder data with a unique token ID to be used for subsequent transactions. This eliminates the possibility of having card data stolen because it no longer exists within your environment. Tokens can be used in card not present environments such as e-commerce or mail order/telephone order (MOTO), or in conjunction with encryption in card present environments. Tokens can reside on your POS/PMS or within your e-commerce infrastructure at rest and can be used to make adjustments, add new charges, make reservations, perform recurring transactions, or perform other transactions in use.

A layered approach can be the most effective way to combat fraud. Security solutions that provide layers of protection, when used in combination with EMV and PCI-DSS compliance; to ensure you’re doing all you can to protect cardholder data from increasingly complex and evolving security threats.

Posted in Best Practices for Merchants, Credit Card Security, e-commerce & m-commerce, EMV EuroPay MasterCard Visa, Mail Order Telephone Order, Mobile Point of Sale, Payment Card Industry PCI Security, Point of Sale Tagged with: , , , , , , , , , , , , , , , , ,

Nov
06
2015
Convention
November 6th, 2015 by Elma Jane

Money 20/20 was billed as the largest convention in payments history held in Las Las Vegas, during the last week of October 2015.

The show delivered well-organized, incisive content such as Europay, MasterCard and Visa (EMV) migration, mobile payments, security and omnichannel commerce.

20/20 Highlights

  • Alternative lending and credit.
  • Bill Payments, Financial Services: Newly released market research provides insights into the future of household bill payments, millennials, and financial services.
  • Connected Commerce and the Mobile Enterprise: The Internet of Things is changing the way that consumers interact with their environments. Analysts predict up to 30 billion interactive devices will be connected to the Internet by 2020, noting that many of these devices will be payment-enabled.
  • Marketing and Customer Experience: Most marketers agree that the era of demographic profiles and pull marketing is over. Retailers, card brands and information technology professionals looked at the customer experience in the digital world. They explored new marketing practices, trends in e-commerce and mobile commerce, and big data findings in other industries that may be useful to financial service companies.
  • Mobile Banking: Banks are undergoing an incremental transformation as they learn to compete with nonbank lenders, balance cash management with digital currencies, and shift from local branches to online and mobile forms of banking.
  • Mobile Payments: Payments analysts reviewed Apple Pay a year after its launch and a range of other mobile wallet offerings, and they speculated on how third-party wallets will impact bank apps.
  • Payment Card Evolution: Payment card issuers, processors and network service providers analyzed the changing look, feel and role of payment cards in the greater ecosystem. Discussions ranged from card linking to the coolness factor of gift cards to how e-cards are expanding market opportunities.
  • POS, Processing and Open Platforms: Executive roundtables with leading acquirers explored front-end and back-end technology and omnichannel commerce for small and midsize businesses.
  • Regulatory Landscape: Increased federal and state oversight has had a significant impact on the financial services sector.
  • Security: Security analysts made in-depth presentations on tokenization, end-to-end encryption, and secure methods of authentication designed to protect consumers, merchants and industry stakeholders from cybercriminals. Many agreed that EMV implementation in the United States will drive fraudsters to the card-not-present space. They discussed how EMV adoption has changed fraud patterns in other regions and offered examples of best practices geared toward identifying and preventing electronic payment fraud.

More than 10,000 attendees and 3,000 exhibitors from 75 countries attended Money20/20. Financial services professionals from mobile, retail, marketing services, data and technology met at what show organizers described as the intersection of mobile, retail, marketing services, data and technology.

The years to come will be a turning point in the payments sector, and with the recent shift to EMV, the entire conference confirmed that all the players are more interested than ever in finding innovative solutions for combating online fraud.

 

 

Posted in Best Practices for Merchants Tagged with: , , , , , , , , , , , , , , , , , , ,

Oct
01
2015
EMV
October 1st, 2015 by Elma Jane

The day the payments industry has pointed to for several years arrives today, a turning point in the U.S.‘s migration to EMV chip-and-PIN cards.

Rules set by Visa and MasterCard as of today, the liability for fraud carried out in physical stores with counterfeit cards belongs to the merchant if it has not yet upgraded its POS system to accept EMV-enabled chip cards. Banks will be issuing EMV Chip Cards.

An enormous change, as everyone learns to deal with the new technology that requires consumers to insert their cards and leave them in the store machines throughout a payment transaction, rather than swipe.

In a recent survey, less than a third of merchants overall have invested in EMV-compliant technology, and one study said 80 percent of small and midsize merchants have not upgraded their systems as of today’s liability shift.

Issuers are claiming to be more prepared than merchants, but according to the Smart Card Alliance, around 200 million chip cards have been issued to U.S. cardholders. That, however, is less than 17 percent of the approximately 1.2 billion payment cards in circulation.

What is clear is that today does not represent the end of the journey. The lack of preparedness at the physical point of sale, however, may be beneficial for card-not-present merchants.

Over the past few months, the mainstream media has awoken to the fact that implementing EMV does not mean fraud will disappear. Fraudsters quickly adapted to the difficulty of counterfeiting cards by attacking Card-Not-Present channels, where a chip has no effect.

In other markets, fraud migrated quite rapidly to card-not-present channels. It is necessary on e-commerce merchants to protect themselves with an array of tools, like device authentication, one-time passwords, randomized PIN pad and biometrics. Fraud mitigation tools like data analytics, address and CVV verification, 3D secure and tokenization. These services should be available from their merchant acquirer processor or gateway.

There should be a gradual reduction in card fraud over the next 12-18 months in spite of the delays in this country’s EMV migration. It’s going to take time for the technology to be adopted.

U.S. Merchants’ overall relative lack of preparedness for EMV may give e-commerce and mobile merchants time they didn’t think they would have to explore the options.

Sophisticated authentication technologies such as biometrics will help increase the security of card transactions. Device-based verification could be easily incorporated in an EMV transaction.

Banks have expressed interest more in using the phone as a biometrics. It’s all going to depend on what is the most convenient way to access your funds. The nice thing about biometrics is it’s meant to enable more convenience and stronger security.

 

Posted in Best Practices for Merchants, e-commerce & m-commerce, EMV EuroPay MasterCard Visa, Mobile Payments, Mobile Point of Sale, Point of Sale Tagged with: , , , , , , , , , , , , , , , , ,

Jul
23
2015
July 23rd, 2015 by Elma Jane

11237919_953691038016869_6612538874204982877_n

The digital payments landscape is changing at a rapid pace. Consumers are finally adopting digital wallets, like Apple Pay and Android Pay.

The deadline for merchants to become EMV compliant, the global standard that covers the processing of credit and debit card payments using a card that contains a microprocessor chip, is quickly approaching.

Today’s consumers show an increasing desire to use new payment methods because they’re convenient. However, this presents a challenge to merchants, as many have not made the switch to the modern technology required to accept these methods since they’re generally hard-wired to resist technology changes.

Merchants must evolve with technology or they’ll find themselves unable to compete and in danger of losing customers.

Looking long term, the benefits of adopting new payment technology will outweigh the cost of transitioning. The fact is that new payment technology will reduce fraud risk due to counterfeit cards, provide greater insight into shoppers with sophisticated data and will ultimately lower costs for merchants over time.

The value merchants will get out of new payment methods: 

Security

Investing in new payment technology will help reduce the risk of fraud. EMV, as an example. Beginning in October 2015, merchants and the financial institutions that have made investments in EMV will be protected from financial fraud liability for card-present fraud losses for both counterfeit, lost, stolen and non-receipt fraud.

EMV is already a standard in Europe, where fraud is on the decline. In turn, American credit card issuers are being pressured to replace easily hacked magnetic strips on cards with more secure “chip-and-PIN” technology. Europe has been using Chip, and Chip & Pin for years.

There’s nothing that can guarantee 100 percent security, but when EMV is coupled with other payment innovations, like tokenization that separate the customer’s identity from the payment, much of the cost and risk of identity theft is eliminated. If hackers get access to the token, all they get is information from one transaction. They don’t have access to credit card numbers or banking accounts, so the damage that can be done is minimal.

As card fraud rises, there’s a strong case to upgrade to a payment system that works with a smartphone or tablet and accepts both EMV chip cards and tokens.

Insight into Customer Behavior

In addition to added security, upgrading to new payment technology opens up a door to greater customer insights, improved consumer engagement and enables merchants to grow revenue by providing customers with receipts, rewards, points and coupons. By collecting marketing data at the point of sale a business can save on that data that they only dreamed of buying.

Investment Outweighs the Cost

New technology does have upfront costs, but merchants need to think about it as an investment that will grow top-line revenue. Beware of providers offering free hardware. Business can benefit by doing some research on the actual cost of the hardware.

By increasing security, merchants are further enabling mobile and emerging technologies, which will make shopping easier.

Customers will also be more confident in using their cards.

As an added bonus to merchants, most EMV-enabled POS equipment will include contactless technology, allowing merchants to accept contactless and mobile payments. This will result in a quicker check-out experience so merchants can handle more transactions.

Faster customer checkout.                                               

The best system for is the one that makes the merchant as efficient and profitable as possible, as well as improves the customer checkout experience.

Retail climate is competitive, merchants have two choices:

Do nothing or embrace the fact that payments are changing. Transitions from old systems to new ones require work and risk, but merchants who use modern technology are investing in the future and will certainly outperform those who choose to do nothing.

Posted in Best Practices for Merchants, EMV EuroPay MasterCard Visa, Mobile Payments, Near Field Communication, Point of Sale Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , ,

Jun
26
2015
June 26th, 2015 by Elma Jane

As you can tell from the name, Android Pay playbook is remarkably similar to Apple Pay. Android Pay will use an on-board Near Field Communication (NFC) chip and tokenization services from the major networks to deliver a token from the phone to an NFC-enabled point of sale. Just like Apple Pay. Android Pay is supported by more than 700,000 merchant locations and Android Pay will provide APIs for app developers to take in-app payments from the on-board wallet. Both Apple Pay and Android Pay have fingerprint scanners on phones, you can enable payments with just a fingerprint scan.

While details are barely sufficient, rumor has it Google won’t charge banks a fee as Apple does on the transactions and that’s the difference. Additionally, technical differences in the operating systems underlying the payment system exist, but they won’t affect how every day users experience the system. Android Pay will suffer a slower upgrade path than Apple Pay, due to the lack of hardware support for the newer operating system (it can take Android twice as long to get users upgraded).

There is no war between Apple and google. NFC won the war! We are seeing all of the armies gather together under its flag. As consumers, we love to see better products. When it comes to payments, we need standards and reliability.

With the alignment of the two operating system platforms on NFC, on user experiences like fingerprint unlocking and on both in-app and retail payments, consumers, retailers, and app developers can build an ecosystem we can all understand. Credit cards work great because they are ubiquitous. Everyone can use them everywhere, and every retailer has incentives to be a part of the system.

An NFC-based mobile payments experience will have this same effect. Over the next five years more and more retailers will add NFC-capable terminals. More phones will be fully capable of NFC payments with fingerprint sensors. More consumers will carry those phones.

So if it’s not a war, are there any losers? Companies focused on plastic cards, but not NFC. Transitory technologies like Samsung Pay’s MST (magnetic secure transmission) also have a strong transition period as they enable payments at non-NFC enabled terminals. MST (magnetic secure transmission) is a strong player because the user experience is very similar (hold a phone to a reader), even if the technical method is not the same.

 

Posted in Best Practices for Merchants, Near Field Communication Tagged with: , , , , , , , , , , , , ,

Jun
15
2015
June 15th, 2015 by Elma Jane

Merchants Provided Access to Digital Payments Innovations for Store-Branded Cards through Partnerships with Synchrony Financial and Citi Retail Services

Purchase, NY – June 15, 2015 – MasterCard today became the first payment network to provide tokenization services to private label (store-branded) credit card issuers, enabling merchants to take advantage of the latest digital payment innovations. BJ’s Wholesale ClubKohl’s and JCPenney will be among the first retailers to bring mobile payments to their private label cardholders later this year. The company also announced partnerships with some of the largest private label credit card issuers in the U.S., including Synchrony Financial and Citi Retail Services, to enable consumers to use their eligible credit cards within participating mobile payment and digital wallet services.

According to Equifax’s National Consumer Credit Trends Report, the number of open retail credit card accounts exceeded the 195 million mark by the fall of 2014. As the only network to offer private label support for wallet service offerings, MasterCard continues to enable consumers to pay when, where and how they want – and on the device of their choice.

Tokenization support for private label issuers is made possible through the MasterCard Digital Enablement Service (MDES), which enables a connected device to be securely used for everyday shopping and payments. MDES supports contactless (NFC) payments with a mobile device at a physical point of sale, as well as from within a mobile app. Transactions are secured using industry-standard EMV cryptography and take full advantage of the most secure payments technology in the world.

“Thanks to our ongoing innovation and strategic partnerships, we are helping shape the future of how private label credit cards work in whichever digital wallet customers choose,” said Margaret Keane, president and CEO of Synchrony Financial. “It was recently announced that our retail partner, JCPenney, will be among the first to offer its private label credit cardholders the ability to checkout with Apple Pay later this year. We are committed to working with our retail partners, MasterCard, and key payments industry players to preserve the benefits of our private label credit cards and patented Dual Cards in third-party digital wallets.”

“We’re seeing significant momentum and innovation around digital wallets, and a key focus for MasterCard is that consumers can leverage these new offerings safely and securely. MDES was developed to ensure that any connected device can be used to make purchases, and deliver the simplicity, security and convenience people have become accustomed to when using a MasterCard account of their choice,” said Ed McLaughlin, chief emerging payments officer, MasterCard.  “MasterCard is helping merchants capitalize on mobile payments, ensure the best possible consumer experience for their consumers and encourage both repeat business and customer loyalty.”

Since the announcement of MDES in 2013, millions of MasterCard accounts have been tokenized for use in popular digital wallet services. MDES currently provides tokenization services for credit, debit, co-brand, prepaid and small business cards, with private label tokenization beginning in the third quarter of this year.

 

          

Posted in Best Practices for Merchants Tagged with: , , , , , , ,

May
19
2015
May 19th, 2015 by Elma Jane

We’re now nearly midway through 2015, and payment security still remains a topic that stirs up great concern and confusion. While there is seemingly unanimous agreement on the need for heightened security, there’s uncertainty about those who are tasked with actually implementing it. Let’s dig deeper into EMV, P2PE and tokenization. How each will play a part in the next generation of securing payments, and how without properly working together they might just fall short.

 

 

Europay, MasterCard, and Visa (EMV) – A powerful guard against credit card skimming. EMV also uses cryptography to create dynamic data for every transaction and relies on an integrated chip embedded into the card.

Downside: For Independent Software Vendor (ISVs), the biggest downside of EMV is the complexity of creating an EMV solution. ISVs interested in certifying PINpads with a few processors face up to 22 months of costly work, and because there are a large number of pending certifications, processors will be backed up over the next few years.

It’s not impossible for an ISV to build EMV solutions in-house, but it’s difficult and unnecessary when there are plug-and-play EMV solutions available. These solutions include pre-packaged and pre-certified APIs that remove most of the need for research, the complexity and the burden of time and cost.

Point to Point Encryption (P2PE) – Secures devices, apps and processes using encrypted data with cryptographic keys only known to the payment company or gateway from the earliest point of the transaction, from tech-savvy criminals, jumping at their chance to intercept POS systems and scrape the memory from Windows machines.

How does a key get into card reader? Through an algorithm called derived unique key per transaction (DUKPT), or “duck putt.” DUKPT generates a base key that’s shared with device manufacturers securely, where output cardholder data is rendered differently each time a card is swiped, making it impossible to reverse engineer the card data. P2PE not only benefits the cardholders, but also the ISVs and merchants. PA-DSS certification was designed to address the problems created with cardholder data which is not encrypted.

Downside: P2PE isn’t cheap if an organization wants to do it in-house. The secure cryptographic device needed to manage the keys, Hardware Security Module (HSM), can cost $30-40,000 but when it’s built out, that total cost can jump to $100,000.

TOKENIZATION – The best way to protect cardholder data when it’s stored is using tokenization, a process which the PCI Security Standards Council describes as one where the primary account number is replaced with a surrogate value a token. For merchants dealing with recurring billing, future payments, loyalty programs and more, tokenization is critical.

Downside: Tokenization doesn’t prevent malware that’s remotely installed on POS devices. It’s possible, as seen with recent retail card breaches, for data to be stolen before it is tokenized. That’s why it’s essential to group tokenization together with P2PE and EMV to offer optimal security.

 

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Payment Card Industry PCI Security, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

May
04
2015
May 4th, 2015 by Elma Jane

The rate of payments fraud is steadily decreasing, the current frequency stands at 0.06 percent or six basis points. 

The perception of risks associated with card payments are much larger than the actual threat or reported losses. But the lack of trust that comes from such perception could impact the growth of the payments industry.

Recent advancements in payments security, such as tokenization and multiple tier authentication protocols, have contributed to the manageable number of fraudulent transactions. The EMV migration is expected to push the figure even lower, as chip-enabled technology spreads to over 50 percent of the US by the end of 2015.

For criminals, breaking into robust financial systems is becoming more costly and time consuming, which has discouraged many from attempting such unlawful acts.

Fraud is something that we can’t say will be eliminated completely. But efforts by all stakeholders in the industry can contain it to the minimum.

Counterfeit cards and payments data falling into the wrong hands are the two most common types of fraud that consumers are facing today. The surge in e-commerce has been linked to greater risks of fraud in the online channel, and while counterfeiting cards may be more difficult with EMV in place, online fraud has historically increased in its place.  

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa Tagged with: , , , , , , , , , , , ,

Sep
17
2014
September 17th, 2014 by Elma Jane

Host Card Emulation (HCE) offers virtual payment card issuers the promise of removing dependencies on secure element issuers such as mobile network operators (MNOs). HCE allows issuers to run the payment application in the operating system (OS) environment of the smart phone, so the issuing bank does not depend on a secure element issuer. This means lower barriers to entry and potentially a boost to the NFC ecosystem in general. The issuer will have to deal with the absence of a hardware secure element, since the OS environment itself cannot offer equivalent security. The issuer must mitigate risk using software based techniques, to reduce the risk of an attack. Considering that the risk is based on probability of an attack times the impact of an attack, mitigation measures will generally be geared towards minimizing either one of those.

To reduce the probability of an attack, various software based methods are available. The most obvious one in this category is to move part of the hardware secure element’s functionality from the device to the cloud (thus creating a cloud based secure element). This effectively means that valuable assets are not stored in the easily accessible device, but in the cloud. Secondly, user and hardware verification methods can be implemented. The mobile application itself can be secured with software based technologies.

Should an attack occur, several approaches exist for mitigating the Impact of such an attack. On an application level, it is straightforward to impose transaction constraints (allowing low value and/or a limited number of transactions per timeframe, geographical limitations). But the most characteristic risk mitigation method associated with HCE is to devaluate the assets that are contained by the mobile app, that is to tokenize such assets. Tokenization is based on replacing valuable assets with something that has no value to an attacker, and for which the relation to the valuable asset is established only in the cloud. Since the token itself has no value to the attacker it may be stored in the mobile app. The principle of tokenization is leveraged in the cloud based payments specifications which are (or will soon be) issued by the different card schemes such as Visa and MasterCard.

HCE gives the issuer complete autonomy in defining and implementing the payment application and required risk mitigations (of course within the boundaries set by the schemes). However, the hardware based security approach allowed for a strict separation between the issuance of the mobile payment application on one hand and the transactions performed with that application on the other hand. For the technology and operations related to the issuance, a bank had the option of outsourcing it to a third party (a Trusted Service Manager). From the payment transaction processing perspective, there would be negligible impact and it would practically be business as usual for the bank.

This is quite different for HCE-based approaches. As a consequence of tokenization, the issuance and transaction domains become entangled. The platform involved in generating the tokens, which constitute payment credentials and are therefore related to the issuance domain, is also involved in the transaction authorization.

HCE is offering autonomy to the banks because it brings independence of secure element issuers. But this comes at a cost, namely the full insourcing of all related technologies and systems. Outsourcing becomes less of an option, largely due to the entanglement of the issuance and transaction validation processes, as a result of tokenization.

 

Posted in Best Practices for Merchants, Credit Card Security, EMV EuroPay MasterCard Visa, Near Field Communication, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

← Previous Article
Next Articles »