Visa, Mastercard reach $6.2B settlement in class-action lawsuit

The largest-ever class action settlement of an antitrust case appears to be nearing an end. Visa Inc, MasterCard Inc, and banks including Bank of America, J.P. Morgan Chase and Citigroup, have agreed to pay $6.2 billion as part of the settlement.

The class-action lawsuit was filed in 2005 by merchants who alleged card companies set credit-card fees and card-acceptance rules that benefit the banks, which owned Visa and MasterCard at the time. Both are now public companies. It was previously settled in US District Court but thrown out on appeals. After throwing out the the settlement, the court divided the merchants’ claims into two separate classes, one for monetary damages and the other for Visa and Mastercard’s business practices. This settlement is for the class focused on monetary damages.

What do merchants need to do? Nothing. The settlement must still be approved by a court. Further information will be released at a later date.

Recurly Visa Stored Credential Framework blog omission

A Recurly blog article “How Recurly is Supporting Visa’s Stored Credential Framework” has some misinformation. The cited dates are incorrect and merchant responsibilities are understated. Why is that important? Most payment gateways and technology solution providers are not keeping up with the rapid pace of rules and compliance changes, impacting merchant profits and risk. Therefore, payment technology vendor selection, including payment gateway selection, is critical.

Recurly, like others in the cloud solutions space, is partially dependent on their partners to keep their clients in compliance with a myriad of rules. When should technology partners alert their integrated solutions partners about industry changes affecting their mutual clients? Solutions providers and merchants are getting inaccurate advice, or none at all, from trusted advisors, technology providers, and consultants of all sizes and sources.

As soon as Visa released the news in their Merchant Business News Digest in August 2017, Recurly began reaching out to our gateway partners to get ahead of the work required to fulfill the mandates.” The real dates were much earlier than cited. Visa typically announces at least one year in advance of due dates for any significant change, which this update is. Updates were in the October 2016 Visa Core Rules and Visa Product and Service Rules rules, citing changes coming in April and October 2017. On April 27, 2017 Visa published further information for merchants via the Stored Credential Framework document, which also references prior articles published on the subject dating back to 2016.

For most merchants, the mandate went into effect October 14, 2017, not April 2018, however, Visa did announce a delay in compliance action to April 2018.

From Recurly, “There is no action needed from our customers.” While technology solutions and payment gateways manage technical aspects for compliance, there’s much that’s left to merchants. Here’s an excerpt from the Stored Credential Framework document:

Merchants and their third-party agents, payment facilitators, or stored digital wallet operators that offer cardholders the opportunity to store their credentials on file must:
• Disclose to cardholders how those credentials will be used.
• Obtain cardholders’ consent to store the credentials.
• Notify cardholders when any changes are made to the terms of use.
• Inform the issuer via a transaction that payment credentials are now stored on file.
• Identify transactions with appropriate indicators when using stored credentials.

I strongly recommend reading Visa Core Rules Table 5-20: Requirements for Prepayments and Transactions Using Stored Credentials and Disclosure to Cardholder and Cardholder Consent. For example, how will you provide proof of cardholder consent (think time and date stamp) upon request? Are you providing the required receipt with proper format for zero dollars when storing a card without running a transaction?

Note: This article is not a review, endorsement or complaint about the quality of Recurly services which I have never used. It is simply identifying errors and omissions related to the stored credential mandate that may impact merchant profits, risk and decision making. I would have written in their blog comments, but it wasn’t available. When choosing a payment gateway, consider how agile they’ve been in meeting deadlines for changes, and how they’ll help reduce compliance burden, among other factors.

Christine Speedy, CenPOS Authorized Reseller, 954-942-0483 is a PCI Council QIR certified professional based out of South Florida, near Fort Lauderdale, and Rochester, NY, with extensive payment gateway experience. Christine can uniquely help merchants and technology providers navigate the complexities of PCI, acquirer, and card brand compliance rules.

MasterCard Processing Integrity Final Auth Alert

Compliance is not just about payment security. Each card brand has a set of rules for payment processing. Follow them and get rewarded with increased authorizations, reduced fraud risk, and lower merchant fees. The cost of non-compliance is heavy and getting worse.

Look at this MasterCard PROCESSING INTEGRITY FINAL ATH Fee on a recent Chase Paymentech merchant statement.

mastercard PROCESSING INTEGRITY FINAL ATHOver $536,000 multiplied by .25% penalty fee for a total of $1,340.10 in avoidable costs. This is due to not properly authorizing and settling transactions, including reversals for unused authorizations. It’s too complicated to get into why this happens, but I’ve written multiple articles related to authorization validity, including one about the Visa Stored Credential Mandate.

The new fee of 0.25%, minimum $0.04 is assessed for each approved final authorization when:

  • Authorization expired. The Final Authorization transaction is not cleared within 7 calendar days of authorization date.
  • Authorization mismatch. The Final Authorization transaction cleared in 7 calendar days from the authorization date, but the transaction amount is different than the authorization amount and an authorization reversal was not performed within 7 days.
  • Unused Authorization. The Final Authorization transaction did not clear and full authorization reversal was not submitted. What’s really painful about this one, is if an order is cancelled, you can lose .25% of the transaction amount so you lost money not making a sale!

How can merchants avoid the MasterCard Processing Integrity fee?

Technology to manage the authorization and settlement process is the only way. Leaving it up to employees to figure out when an authorization is expiring and when a reversal is needed is a recipe for compliance fees like the above. Plus, chances are whatever system they’re using doesn’t even support the required data messages that need to go with the transaction.

The payment gateway plays a crucial role in authorization validity. A common misconception is that using a popular gateway, or even one owned by a card brand, or acquirer, will automatically get your transactions compliant. That is not the case.

I have extensive knowledge of many payment gateways. In my opinion, the CenPOS cloud commerce platform with suite of business solutions, including payment gateway, offers the best tools to automate authorization validity so you can avoid the MasterCard processing integrity final authorization fee as well as other penalty fees and assessments by multiple card brands.

CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.
Powered by its enterprise-class, end-to-end transaction engine, CenPOS’ secure, cloud-based solutions seamlessly integrate with a merchants existing infrastructure minimizing disruption and saving time and money. Committed to a
merchant-centric approach CenPOS provides a one-to-one level of service and support, enabling merchants to focus on their core business.
Headquartered in Miami, Florida, CenPOS is reshaping the future of commerce through technology innovation and the secure, flexible and simple solutions this enables.

Christine Speedy, CenPOS Global Sales, 954-942-0483 is based out of South Florida, near Fort Lauderdale, and Rochester, NY.

cenpos logo

FRAUDSTERS TARGETING CALL CENTER CHAT AND NON-VOICE CHANNELS

Visa Security Alert to the risk of online chat solutions and non-voice channel services within call centers and merchant online environments, which are expected to increase along with artificial intelligence. There are known instances where threat actors compromised online chat service providers and were able to distribute malware to merchant clients designed to intercept payment card data during checkout.

Read the story here in the Visa library for merchants. https://usa.visa.com/support/merchant/library.html

The Visa alert also points out the importance of verifying your technology partners are secure and compliant. This is especially interesting in the context of this article.

The Visa Global Registry of Service Providers is Visa’s designated source for information on registered and PCI DSS-validated agents that provide payment-related services to Visa clients and merchants. Service providers that store, process or transmit Visa payment data must be registered with Visa and demonstrate PCI DSS compliance. All of the links in this article can be found on the merchant rules and  PCI compliance links

Christine Speedy, CenPOS Global Sales, 954-942-0483 is a PCI Council QIR certified professional based out of South Florida, near Fort Lauderdale, and Rochester, NY.

Why does my web site need SSL security 2018

Every web site needs SSL in 2018 to avoid web site insecure messages that scare away visitors.

Disabling TLS 1.1 and lower is recommended for all businesses. While web site security with SSL is commonly considered only necessary if accepting payments or using secure online forms, that’s no longer the case. It can impact Google listings, overall SEO, and whether visitors see your web site.

SSL secured web sites for years. Even though tech people still call it SSL, the next phase of ecommerce security was TLS. TLS 1.1 and lower, including SSL 1.0, are not considered secure. For that reason, all businesses accepting payments online must have disabled TLS 1.1 and lower on their servers for mandatory Payment Card Industry Data Security Standards  (PCI) compliance by June 30, 2018. Additionally, buyers with outdated browsers may be blocked from making purchases if not supporting the latest security standards.

If your web site does not have an SSL certificate, visitors will get a browser message, which may vary by browser, telling them your web site is not secure and that any information submitted could be viewed by others.

connection not secure message

Web browser warnings like this will scare away visitors.

FREE Test SSL/TLS for Browser and Servers:

Server penetration testing falls under the Computer Fraud and Abuse Act (CFAA) (18 U.S.C. 1030). It’s a federal crime to “intentionally access a computer without authorization or exceed authorized access”. If it’s not your web site, and you don’t have explicit permission to access, don’t run a server test. If you do have the right to run it, be sure to check the box, HIDE RESULTS. If you get a YES next to TLS 1.0, SSL 3, or SSL 2 on the server test, then hardening is needed. To modify your web site, it’s managed in host administration and disable in security settings. Free SSL and TLS test from Qualys. https://www.ssllabs.com/ssltest/index.html.

Godaddy gives a very good overview of options. https://www.godaddy.com/web-security/ssl-certificate#compare. I recommend getting the Extended Validation (EV) SSL for the value-added benefits.

Headquartered in Miami, Florida, CenPOS is reshaping the future of commerce through technology innovation and the secure, flexible and simple solutions this enables. Christine Speedy, CenPOS Global Sales, 954-942-0483 has extensive ecommerce experience dating back to the early internet days and can assist with any questions.