Chip-and-PIN, or Chip-and-Choice? EMV Liability Shift For PIN Transactions

With US EMV adoption well under way, merchants whose terminals and solutions support it are in the next phase of decision making for their EMV environment: should I force chip and PIN when the issuer supports it, or should I allow chip and choice? It’s a tough decision and the answer is not the same for everyone.

Point-of-Sale (POS) systems vary in both implementation and capability. For example, a salesperson for a popular POS solution I spoke to told me they don’t support chip and pin. He actually said, “Since debit card processing costs are the same either way now with regulated debit, pin doesn’t really matter any more anyway.” Not true.

Consider the implications for a specialty retail environment with higher average value transactions, such as building supply, automotive parts, and electronics.

RETAIL: HIGH VALUE

Forced Chip & PIN
  PROS: Maximize profit potential three ways: the highest security supported shifts counterfeit fraud liability to the issuer; even with regulated debit, there is still some financial differential for sending transactions via the debit network, though vastly decreased; finally, not all debit is regulated, and costs do vary.
  CONS: While consumers know their debit PINs, studies estimate consumers’ knowledge of credit card PINs at 5-10%. What is the financial impact if the customer cannot recall the PIN, fallback to signature is not allowed, and the customer has no other payment method?

Chip & Choice
  PROS: Less friction at the point of sale, faster checkout.
  CONS: Potential losses under US EMV liability shift rules, which require the highest level of security supported in order to shift liability back to the issuer; rules may vary by brand for counterfeit, lost and stolen cards.

As with everything EMV, there are many moving parts to certifications for chip card acceptance. In order to have a choice, the merchant’s entire ecosystem, from terminal to payment gateway (if applicable) to acquirer, must support it, which may be a tall order.

IMPORTANT: This article highlights a few items and does not cover all brands, business types, transaction types, card types, or reasons for determining liability. Refer to the card brand core rules manuals or your acquirer for more specific details about EMV and card acceptance rules.

RESOURCES & ARTICLES AROUND THE WEB

To avoid issues with broken outside links over time, please copy the URLs below into your browser.

https://www.mastercard.us/en-us/about-mastercard/what-we-do/rules.html

Chip & PIN vs. Chip & Signature

Best article for thoroughness. October 2014 http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/

Chip-and-PIN, or Chip-and-Choice?

Worth a look. February 10, 2014, By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed. http://takeonpayments.frbatlanta.org/2014/02/chip-and-pin-or-chip-and-choice.html

Chip & Choice Keeping Security Flexible

From the Visa web site today, a great illustration of the impact of these choices in different market segments. https://www.visa.com/chip/clients-partners/issuers/credit-card-chip-technology/chip-and-pin-choices.jsp

Chip-and-PIN vs. ‘chip-and-sig’

Good global overview and stats By Janna Herron · Bankrate.com, August 28, 2013
 http://www.bankrate.com/financing/credit-cards/chip-and-pin-vs-chip-and-sig/#ixzz4ALnE5Ps9
“What’s the difference? What separates the two is how each is authenticated at the register. Chip-and-PIN cards require a personal identification number to be entered to complete a purchase, much like how many debit card transactions are carried out now with magnetic stripe cards.” Read more: http://www.bankrate.com/financing/credit-cards/chip-and-pin-vs-chip-and-sig/#ixzz4ALnUjB9D

Visa Core Rules AND OTHER CARD BRAND RULES


Credit Card Authorization Form and PCI Compliance Update

A Credit Card Authorization Form enables a business to charge a credit card one time or for recurring purchases. Is your form PCI compliant with 2016 standards? Edited from my original contribution to Credit Today, this article covers the pitfalls of traditional paper authorization forms and their solutions.

Do your business practices meet current PCI Compliance standards?

  1. Is it OK to store the form in a locked drawer?
  2. Is it OK to store the form in the cloud if it’s encrypted?
  3. Is it OK to receive them via email?
  4. Is it possible to qualify for the lowest processing rates using them?
  5. Is it OK to key enter each transaction for cards on file?

Credit Card Authorization Forms and PCI Compliance Rules

  • No. Per PCI 3.2, neither the Primary Account Number (PAN) nor the Card Verification Code (CVV) can be stored on paper after authorization.
  • Per PCI 3.4, the PAN must be rendered unreadable anywhere it is stored (including on portable digital media, backup media, and in logs) using one of the four cited approaches.
  • No. Per PCI 2, never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).
  • No. Most cards, except regulated debit, can qualify for multiple rates depending on how the transaction is submitted. For example, MasterCard World card rates:

  Rate Name   Rate            Qualified Rate Reason
  Standard    2.95% + $.10    Not all criteria met for another rate.
  Merit I     2.05% + $.10    Key-entered or ecommerce with valid authorization, plus other criteria met.
  Full UCAF   1.87% + $.10    Ecommerce; cardholder authentication and other criteria met.

To qualify for UCAF, the customer must initiate payment.

Ecommerce includes online paypage and other electronic payment channels the customer initiates.

  • No. If a customer authorizes the merchant to store a card, then after the initial transaction all subsequent transactions must be sent with the correct transaction type: recurring or repeat sale.

Alternative methods to process Card Not Present orders:

Hosted pay page. The merchant directs customers to a web page to pay any invoice online. Acceptable implementation methods have changed in the last year or two for PCI compliance. For the greatest reduction in PCI burden, send customers directly to the 3rd party payment gateway’s web URL. The gateway may or may not be the same company as your processor. NOTE: If you host the page on your own web site with an embedded payment (iframe) object, PCI requirements have changed; any old forms should be updated.

Electronic Bill Presentment & Payment. (EBPP or EIPP) This is basically a proactive version of the above. As a standalone solution, the merchant user logs in to a gateway web portal, and sends a payment request via text or email which the customer clicks and pays. Integrated to billing software, it sends the actual invoice, and may require customer to login to make the payment.

All the major payment gateways include a virtual terminal, a hosted pay page, shopping cart checkout capability, and tokenization to store card data for future orders. Some, including CenPOS, also offer EBPP.

If you accept cards over the phone, gateways with a virtual encrypted keyboard can reduce PCI scope since card data never touches computers or networks.

Christine Speedy, CenPOS reseller, maximizes profits, efficiency, and security with payment processing solutions including EIPP, collections automation, and online payments. She can be reached at 954-942-0483 or cspeedy AT 3dmerchant.com.

Online Payment Form Security Alert

Is your online payment form out of date and a security risk? Securing online payment forms requires an annual review at a minimum. Just because a hosted paypage form still works, doesn’t mean it’s secure or PCI Compliant.

PCI Compliance requirements have steadily tightened since 2014 for pay pages and all ecommerce transactions.

Hosted paypage options:

  1. Merchant hosts the form and collects payment on their web site. Beginning with PCI 3.0, significant additional PCI burden applies. Highest risk.
  2. 3rd party payment gateway hosted pay page: provide customers a link directly to the page to pay. The form is served by and submitted to the payment gateway. This significantly reduces the potential for malicious activity that could compromise cardholder data. Lowest risk.
  3. An iframe hosted paypage has the appearance of residing on the merchant web site, but the payment data is captured by the 3rd party directly on their web host. The implementation method using iframes for payments has changed over the years to meet current PCI Compliance requirements, including to combat malicious javascript and Cross-Site Scripting threats.

“If your iframe hosted paypage hasn’t been updated in the last year or so it’s likely not PCI Compliant,” Christine Speedy, Card Not Present Expert.

A payment gateway is a secure transaction engine that facilitates the transfer of sensitive information to the processor, and is required for all online payment forms. Some gateways provide online payment forms at no additional charge. Vendor selection has a significant impact on risk mitigation, payment processing fees, efficiency, and PCI Compliance burden.

A payment gateway can be proprietary to a specific processor, or agnostic and compatible with multiple processors. While one provider for both services may seem to be the best choice, there are significant reasons the opposite may also be true, including risk mitigation. Bots present a significant risk of exploitation of online payment forms and may result in profit loss if additional steps are not implemented to mitigate the risk of ‘card testing’, where criminals use online forms to submit fake transactions to determine whether cards are good or bad. Every attempted transaction has an associated cost, and adding in chargeback fees from the resulting disputes, the total could reach tens of thousands of dollars in fees in a matter of hours.
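As an added illustration, not code from the original post or any gateway, here is a velocity check a merchant or gateway could run over its own payment-form attempt logs to spot the card-testing pattern described above: many attempts from one source, cycling through distinct cards, mostly declined. The log line format and the sample lines are constructed for this example; real logs would need their own parser.

```python
"""Card-testing velocity check over constructed payment-form attempt logs.
Assumed line format (constructed, not any real gateway's):
"<ISO timestamp> ip=<addr> card=<first6>...<last4> result=<approved|declined>"
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re
# Constructed sample: one human customer (retry, then success) and one
# automated source cycling through many distinct cards, mostly declined.
SAMPLE_LOG = """\
2016-10-17T10:00:01 ip=203.0.113.5 card=411111...1111 result=declined
2016-10-17T10:00:40 ip=203.0.113.5 card=411111...1111 result=approved
2016-10-17T10:01:00 ip=198.51.100.9 card=411111...2222 result=declined
2016-10-17T10:01:02 ip=198.51.100.9 card=411111...3333 result=declined
2016-10-17T10:01:04 ip=198.51.100.9 card=411111...4444 result=declined
2016-10-17T10:01:06 ip=198.51.100.9 card=411111...5555 result=approved
2016-10-17T10:01:08 ip=198.51.100.9 card=411111...6666 result=declined
2016-10-17T10:01:10 ip=198.51.100.9 card=411111...7777 result=declined
"""
LINE_RE = re.compile(r"^(\S+) ip=(\S+) card=(\S+) result=(approved|declined)$")

def parse_log(text):
    """Return (timestamp, ip, masked_card, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m.group(1)),) + m.groups()[1:])
    return events

def find_card_testing(events, window=timedelta(minutes=5), min_attempts=5,
                      min_distinct_cards=4, min_decline_ratio=0.6):
    """Flag IPs whose attempts in a sliding window look like card testing (many
    attempts, many different cards, mostly declines) -> {ip: (n, distinct, ratio)}."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:   # slide window forward
                start += 1
            win = evs[start:end + 1]
            declines = sum(1 for e in win if e[3] == "declined")
            distinct = len({e[2] for e in win})
            if (len(win) >= min_attempts and distinct >= min_distinct_cards
                    and declines / len(win) >= min_decline_ratio):
                flagged[ip] = (len(win), distinct, round(declines / len(win), 2))
    return flagged
```

The thresholds are starting points only; a gateway would tune them against its own traffic and would typically act on a flag by rate limiting or challenging the source rather than silently dropping it.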

If you don’t want to be the next law firm, CPA firm, hotel or distributor data breach headline, consult a payments expert who understands the financial and risk ramifications of one payment gateway choice and implementation method over another, rather than ecommerce consultants or bankers who may have limited in-depth expertise in maximizing your profits and mitigating your risk exposure.

TIP FOR NON-TECHS: Does your online payment form look good on smart phones and other mobile devices? If not, there’s a pretty good chance your online payment page needs an update and is not PCI Compliant.

RESOURCES:

  • PCI – Payment Card Industry Data Security Standards
  • https://www.us-cert.gov/publications/securing-your-web-browser
  • http://pcisecuritystandards.org

For PCI compliant solutions to collect online payments from your customers, contact Christine Speedy today. Get paid via your preferred methods, including ACH, credit card, wire and Paypal, while increasing security and convenience.

Authorize.net Duplicate Transaction Settlement Error

Authorize.Net experienced an issue during a system update on October 17th that caused a subset of previously settled transactions from September to be sent for settlement again between October 17th and 18th. This issue is no longer occurring.

Authorize.Net is currently working to address any duplicate transactions in order to resolve the duplicate funding to merchants and potential duplicate transactions to their customers. We have already contacted your affected merchants and will continue to do so as we have updates.

If your merchants contact you about this issue, please advise them to NOT take any action on these transactions while we work to address them.

We will follow up with you with any further information, including information on potential reimbursements, as it becomes available.

To locate these transactions, please have your merchants follow these steps:

  1. Log into the Merchant Interface at https://account.authorize.net/.
  2. Click Search from the main toolbar.
  3. Click Search by Batch from the menu on the left.
  4. Select October 18 and October 17 in the From and To drop-down boxes in the Settlement Date section.
  5. Click Search.

Any impacted transactions will have a Submit Date from September 20-25.

We apologize for this error and any inconvenience it may have caused. If you have any questions regarding this email, please contact support.

Sincerely,
Authorize.Net

###

Blogger Note: While uncommon, duplicate transaction and duplicate settlement issues do happen. They can emanate from anywhere in the transaction chain, though the payment gateway or payment processor are likely the more common causes. Because of that, merchants are advised to do nothing; the party that caused the problem usually reverses all the errors on behalf of merchants, typically within a day or two.