Archive for the ‘industry news’ Category

New Card Acceptance Process for Magnetic-Stripe Failures at the Point of Sale

Tuesday, November 1st, 2011

Currently, when the magnetic stripe fails during a face-to-face transaction, the merchant key-enters the account number and must manually imprint the card to prove the card was present, as protection against fraud chargebacks. Effective for new transactions processed on or after October 15, 2011, merchants may include Card Verification Value 2 (CVV2) in the authorization request for Visa U.S. domestic key-entered face-to-face transactions when the terminal cannot read the magnetic stripe.
To qualify for chargeback protection against reason code 81 “Fraud-Card Present”, the transaction must meet all of the following criteria:

  • Authorization Approval
  • U.S. Domestic Transaction
  • Card Present with magnetic stripe failure only
  • Transaction was key-entered
  • CVV2 was included in the authorization request
  • Signature obtained on the sales draft and retrieval request properly fulfilled

The following transaction types are excluded from the chargeback protection:

  • Quasi Cash
  • Cash Back
  • Manual Cash Disbursement
  • Betting, including lottery tickets
  • Casino Gaming Chips
  • Off-Track Betting and Wagers at a Race Track
  • Visa International transactions

Merchants processing these transaction types must continue to obtain an imprint of the card when the terminal cannot read the magnetic stripe in order to keep protection against fraud chargebacks.
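
The eligibility rules above, written out as an added example of the kind of check a terminal or back-office system could run before a key-entered transaction is finalized. This is not code from the original post or from Visa; the transaction fields, the category labels for the excluded transaction types, and the idea of returning the unmet conditions as a list are all assumptions made for the example.

```python
"""Added example (not part of the original post): an eligibility check for the
key-entered, magnetic-stripe-failure chargeback protection described above.
Field names and category labels are assumptions, not a Visa or processor API."""

from dataclasses import dataclass
from typing import List

# Transaction types the post lists as excluded from the protection.
# The labels themselves are constructed for this example.
EXCLUDED_TRANSACTION_TYPES = {
    "quasi_cash",
    "cash_back",
    "manual_cash_disbursement",
    "betting",                 # including lottery tickets
    "casino_gaming_chips",
    "off_track_betting",       # off-track betting and wagers at a race track
}


@dataclass
class KeyedTransaction:
    """Assumed representation of a face-to-face, key-entered authorization."""
    approved: bool               # authorization response was an approval
    us_domestic: bool            # U.S. domestic; Visa International is excluded
    card_present: bool
    stripe_read_failed: bool     # terminal could not read the magnetic stripe
    key_entered: bool            # account number was typed rather than swiped
    cvv2_sent: bool              # CVV2 included in the authorization request
    signature_on_draft: bool     # signature captured on the sales draft
    retrieval_fulfilled: bool    # retrieval request answered properly (True if none received)
    transaction_type: str = "retail"


def chargeback_protection_gaps(tx: KeyedTransaction) -> List[str]:
    """Return every unmet condition for reason-code-81 protection.
    An empty list means the transaction qualifies without a manual imprint."""
    gaps = []
    if tx.transaction_type in EXCLUDED_TRANSACTION_TYPES:
        gaps.append(f"transaction type '{tx.transaction_type}' is excluded; obtain an imprint")
    if not tx.approved:
        gaps.append("authorization was not approved")
    if not tx.us_domestic:
        gaps.append("Visa International transactions are excluded")
    if not (tx.card_present and tx.stripe_read_failed):
        gaps.append("protection applies only to card-present magnetic-stripe failures")
    if not tx.key_entered:
        gaps.append("account number was not key-entered")
    if not tx.cvv2_sent:
        gaps.append("CVV2 was not included in the authorization request")
    if not tx.signature_on_draft:
        gaps.append("no signature obtained on the sales draft")
    if not tx.retrieval_fulfilled:
        gaps.append("retrieval request was not properly fulfilled")
    return gaps


def imprint_required(tx: KeyedTransaction) -> bool:
    """True when the merchant should still take a manual imprint."""
    return bool(chargeback_protection_gaps(tx))


if __name__ == "__main__":
    sample = KeyedTransaction(True, True, True, True, True, False, True, True)
    for gap in chargeback_protection_gaps(sample):
        print("not protected:", gap)
```

Returning the list of gaps rather than a bare yes/no lets the cashier prompt be specific (for instance, "enter CVV2" versus "take an imprint"), which is the difference between a transaction that is protected and one that is silently exposed to a reason code 81 chargeback.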

Federal Reserve approves final rule in Dodd-Frank Act

Monday, October 17th, 2011

The Federal Reserve Board on Monday, October 17, 2011, announced the approval of a final rule to implement the resolution plan requirement in the Dodd-Frank Wall Street Reform and Consumer Protection Act.

The final rule requires bank holding companies with assets of $50 billion or more and nonbank financial firms designated by the Financial Stability Oversight Council for supervision by the Board to annually submit resolution plans to the Board and the Federal Deposit Insurance Corporation.

Each plan will describe the company’s strategy for rapid and orderly resolution in bankruptcy during times of financial distress. A resolution plan must include a strategic analysis of the plan’s components, a description of the range of specific actions the company proposes to take in resolution, and a description of the company’s organizational structure, material entities, interconnections and interdependencies, and management information systems.

Under the final rule, companies will submit their initial resolution plans on a staggered basis. The first group of companies, generally those with $250 billion or more in non-bank assets, must submit their initial plans on or before July 1, 2012; the second group, generally those with $100 billion or more, but less than $250 billion, in total non-bank assets, must submit their initial plans on or before July 1, 2013; and the remaining companies, generally those subject to the rule with less than $100 billion in total non-bank assets, must submit their initial plans on or before December 31, 2013.

Mobile Giving for Non-Profits: 60% Reduction

Wednesday, October 12th, 2011

CTIA-The Wireless Association® Releases “Guidelines for Mobile Giving”

October 12, 2011

Adherence to the Guidelines provides qualified charities a 60 percent discount for text-to-give campaigns that use dedicated short codes

WASHINGTON, D.C. – CTIA-The Wireless Association® today released its “Guidelines for Mobile Giving” to provide qualified charities a framework and 60 percent discount for mobile giving campaigns that use short codes. Created after months of collaboration among carriers, mobile giving service providers, major non-profits and non-profit accreditation groups, the Guidelines provide charities with “best practices” to help them create successful and reputable mobile donation campaigns.

The use of text message short codes for charitable donations was initially developed after the Indian Ocean tsunami in 2004, and gained prominence after the 2010 earthquake in Haiti.

The “Guidelines for Mobile Giving” will provide qualifying charitable organizations greater control over their unique short code. While charities may continue to conduct campaigns on shared short codes, a dedicated code mitigates donor confusion for qualifying organizations.

To qualify to lease a unique code at the discount, a charity must be accredited by the Better Business Bureau Wise Giving Alliance or receive a three- or four-star rating from Charity Navigator. Accredited charities can mix communications, solicitations and mobile giving with their code as long as they follow the Mobile Marketing Association’s guidelines and provide consumers with a separate opt-in for each type of activity. In addition, a single code may be leased by chapter-based groups and used by all chapters or for unified campaigns.

“After the devastation of Hurricane Katrina to Haiti’s earthquake to Japan’s tsunami, Americans have generously sent millions of dollars in charitable donations via their wireless devices. The ‘Guidelines’ will help provide consumers with peace of mind when sending a text donation while ensuring their accredited charities are in accordance with their donors’ intent,” said Steve Largent, President and CEO of CTIA-The Wireless Association.

For more information about CTIA Guidelines for Mobile Giving, please visit: http://files.ctia.org/pdf/CTIA_Charitable_Giving_Guidelines_101211.pdf

###

CTIA-The Wireless Association® (www.ctia.org) is an international organization representing the wireless communications industry. Membership in the association includes wireless carriers and their suppliers, as well as providers and manufacturers of wireless data services and products. CTIA advocates on behalf of its members at all levels of government. The association also coordinates the industry’s voluntary best practices and initiatives, and sponsors the industry’s leading wireless tradeshows. CTIA was founded in 1984 and is based in Washington, D.C.

Debit Fee Interchange Regulation Video: Will You Get New Rates?

Tuesday, October 4th, 2011

Which merchants will receive the new low debit fee rates? This video provides a detailed look at rate differences and how to examine your merchant agreement Schedule A and statement. While all merchants qualify for the new rates, only a fraction will actually have debit discounts passed down from their processor. Will you be one of them? Pull out your merchant statement, then watch the video so you can compare data.

On October 1, 2011, new debit interchange rates go into effect as a result of the Durbin Amendment, part of the Dodd-Frank Wall Street Reform Act.

Visa Credit Card Receipt Retention increases October 2011

Monday, October 3rd, 2011

For new Visa card transactions processed on or after October 14, 2011, Visa will increase the transaction receipt retention period for U.S. merchants from 12 months to 13 months, aligning with the Visa International Operating Regulations. For merchants processing healthcare transactions, the 5-year transaction receipt retention period remains unchanged.

This requires no internal procedure change for CenPOS customers, who have 7 years of receipt storage, coinciding with IRS rules. With the average merchant account changing at least twice in 7 years, CenPOS provides a valuable single-source retention and receipt research tool for merchants.

Data Breach Notification Act of 2011 and Accountability Act

Friday, September 30th, 2011

Multiple bills regarding data breach responsibilities are pending; summaries are below. With PCI compliance never reaching the goal of 100%, can we really expect any better on these other issues? Government regulation is increasing because businesses have failed to self-police and protect the data they collect.


S. 1535: Personal Data Protection and Breach Accountability Act of 2011

6/7/2011–Introduced.
Personal Data Privacy and Security Act of 2011 – Amends the federal criminal code to: (1) make fraud in connection with the unauthorized access of personally identifiable information (in electronic or digital form) a predicate for racketeering charges, and (2) prohibit concealment of security breaches involving sensitive personally identifiable information. Sets penalties for attempts and conspiracies to commit fraud and related activity in connection with computers. Requires a data broker to: (1) disclose to an individual, upon request, personal electronic records pertaining to such individual maintained or accessed for disclosure to third parties; (2) disclose adverse actions by third parties against an individual; and (3) maintain procedures for correcting inaccuracies and incompleteness in such records. Defines a “data broker” as a business entity that collects, transmits, or provides access to sensitive personally identifiable information on more than 5,000 individuals who are not the customers or employees of that business entity for purposes of providing such information to non-affiliated third parties on an interstate basis. Establishes standards for developing and implementing safeguards to protect the security of sensitive personally identifiable information. Imposes upon data brokers and business entities civil penalties for violations of such standards. Requires business entities to notify: (1) any individual whose information has been, or is reasonably believed to have been, accessed or acquired, (2) all nationwide consumer reporting agencies if an agency or entity is required to notify more than 5,000 such individuals, and (3) the United States Secret Service and the Federal Bureau of Investigation (FBI) if the number of individuals involved exceeds 10,000.
Authorizes the Attorney General and state attorneys general to bring civil actions against business entities for violations of this Act. Requires the Administrator of the General Services Administration (GSA), in considering contract awards totaling more than $500,000, to evaluate: (1) the data privacy and security program of a data broker, (2) program compliance, (3) the extent to which databases and systems have been compromised by security breaches, and (4) data broker responses to such breaches. Requires federal agency information security programs to include procedures for evaluating and auditing the information security practices of contractors or third party business entities supporting the agency information systems or operations involving personally identifiable information and for ensuring remedial action to address any significant deficiencies. Requires federal agencies to conduct a privacy impact assessment before purchasing personally identifiable information from a data broker.

7/22/2011–Introduced.
Data Breach Notification Act of 2011 - Requires any federal agency or business entity engaged in interstate commerce that uses, accesses, or collects sensitive personally identifiable information, following the discovery of a security breach, to notify: (1) any U.S. resident whose information may have been accessed or acquired, and (2) the owner or licensee of any such information that the agency or business does not own or license. Exempts: (1) agencies and business entities from notification requirements for national security and law enforcement purposes and for security breaches that a risk assessment concludes do not have a significant risk of resulting in harm if specified certification or notice is provided, subject to review by the Secret Service; and (2) business entities which utilize a security program that blocks the use of sensitive personally identifiable information and provide notice of a breach to affected individuals. Requires notifications regarding security breaches under specified circumstances to the Secret Service, the Federal Bureau of Investigation (FBI), the Postal Inspection Service, and state attorneys general. Authorizes the Attorney General to bring a civil action in U.S. district court against any business entity that violates this Act. Sets civil penalties for violations. Amends the Fair Credit Reporting Act to require agencies to include a fraud alert in the file of a consumer that submits evidence of compromised financial information to a consumer reporting agency. Authorizes: (1) civil actions by state attorneys general to enforce this Act, and (2) appropriations for costs incurred by the Secret Service to investigate and conduct risk assessments of security breaches.


You can follow these bills here: Data Breach Protection US Congress (official list of bills and links)

Verizon 2011 PAYMENT CARD INDUSTRY COMPLIANCE REPORT

Thursday, September 29th, 2011

Is it any surprise that actual Payment Card Industry (PCI) Data Security Standard (DSS) assessments by Verizon’s team of Qualified Security Assessors (QSAs) show that growth in compliance is stagnant? Even worse, organizations that suffered data breaches were much less likely to be compliant than the normal population of PCI clients. About 20 percent of organizations passed less than half of the DSS requirements, while 60 percent scored above the 80 percent mark. For all those merchants sounding off about an annual PCI compliance fee, the evidence is clear that merchants still have a long way to go. 100% PCI DSS compliance is the only acceptable statistic.

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies)

The first two of these can easily be resolved with our hosted payment processing technology, CenPOS. If you are going to store cardholder data, it needs to be encrypted. One of the major problems has been ready access to solutions for storing cardholder data for variable billing. Most gateways have a PCI-compliant solution to store encrypted card data for recurring billing, that is, charging the same amount on a fixed schedule. CenPOS, however, is unique in offering stored card data for billing a variable amount (token billing). Additionally, it is the only technology this writer is aware of that also includes interchange optimization, which is of major importance to companies trying to control credit card processing fees.

Requirement 10 (Tracking and Monitoring) is a major component of CenPOS. Every user has a unique login, and management can micromanage permissions. Where others create a few tiered levels of permission such as cashier, finance, and administrator, CenPOS offers a plethora of options, plus management tracking and research tools.

  • User Permissions: Control the precise transaction types allowed, set maximum thresholds, and set alerts based on responses, amounts and other criteria. Extensive permissions give the merchant maximum protection from lower-level employees, and tools for secondary oversight at the admin level mitigate the risk of high-level employee fraud.
  • Tracking and Monitoring: The requirement calls for tracking and monitoring all access to network resources and cardholder data; the main objective is to maintain system logs and have procedures that ensure their proper utilization, protection, and retention. According to the Verizon report, this has historically been one of the most challenging requirements, but it is critical to forensic investigation when needed. CenPOS logs everything related to the payments process, including user ID, time stamps and every other element of interaction with the system. Merchants must still have their own internal logging for their network.
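
To make the Requirement 10 points concrete, here is an added example (not CenPOS code, and not from the original post) of a minimal payment audit trail: every entry carries the user ID, a timestamp and the action, the card number is masked before it ever reaches the log so the log itself does not become stored cardholder data (Requirement 3), and each entry is chained to the previous one by a hash so later alteration of the log is detectable, which is one way to meet the "protection" goal the paragraph names. The record layout, field names and the hash-chaining approach are assumptions for this example.

```python
"""Added example (not CenPOS code): a tamper-evident payment audit log with
PAN masking. Record layout and field names are assumptions for illustration."""

import hashlib
import json
from datetime import datetime, timezone
from typing import List, Optional

GENESIS_HASH = "0" * 64   # prev_hash of the very first entry


def mask_pan(pan: str) -> str:
    """Keep at most the first six and last four digits; never log the full PAN."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 13:
        raise ValueError("not a plausible card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def _hash_entry(entry: dict) -> str:
    """SHA-256 over the canonical JSON of every field except the hash itself."""
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only in-memory log; a real deployment would write each entry to
    protected storage immediately, but the chaining logic is the same."""

    def __init__(self):
        self.entries: List[dict] = []

    def record(self, user_id, action, pan=None, amount=None, result=None, when=None):
        prev_hash = self.entries[-1]["entry_hash"] if self.entries else GENESIS_HASH
        entry = {
            "ts": (when or datetime.now(timezone.utc)).isoformat(),
            "user_id": user_id,            # unique login per user (Requirement 10)
            "action": action,              # sale, void, refund, login, export, ...
            "pan_masked": mask_pan(pan) if pan else None,
            "amount": amount,
            "result": result,
            "prev_hash": prev_hash,        # links this entry to its predecessor
        }
        entry["entry_hash"] = _hash_entry(entry)
        self.entries.append(entry)
        return entry


def verify_chain(entries: List[dict]) -> Optional[int]:
    """Return the index of the first entry that fails verification,
    or None if every entry hashes correctly and links to its predecessor."""
    expected_prev = GENESIS_HASH
    for i, e in enumerate(entries):
        if e["prev_hash"] != expected_prev or _hash_entry(e) != e["entry_hash"]:
            return i
        expected_prev = e["entry_hash"]
    return None


if __name__ == "__main__":
    log = AuditLog()
    # Constructed sample activity using a well-known test card number.
    log.record("cashier17", "sale", pan="4111 1111 1111 1111", amount="42.00", result="approved")
    log.record("cashier17", "void", amount="42.00", result="approved")
    print("chain intact:", verify_chain(log.entries) is None)
```

Two things a reviewer should check in any log like this: that no code path can write an unmasked PAN (the `mask_pan` call sits inside `record`, so callers cannot bypass it), and that the verification runs against a copy of the log held somewhere the operators of the payment system cannot edit, otherwise the chain only proves consistency, not honesty.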

Requirement 11 (Regular Testing) had the lowest compliance in the Verizon report. “Organizations continue to have difficulty meeting the sub-requirements regarding network vulnerability scanning (11.2), penetration testing (11.3), and file integrity monitoring (11.5).” Our recommendation is that merchants hire a qualified outside vendor to assist them with this requirement. We have no direct affiliation with such companies but know several with good reputations should you need a resource.

Requirement 12 (Security Policies): While the best-laid written plans may exist, there is still the human factor. Weaknesses identified include poorly written policies, some so long that they are stuffed in a desk never to be read again and others too vague. Note that the requirements relate directly to the services in scope of the organization’s PCI DSS assessment. The more the merchant reduces their scope, the more the burden falls on their service provider instead of their internal personnel. CenPOS reduces the merchant scope in several ways, including but not limited to:

  • Web payments on a hosted pay page, not the merchant’s web page
  • Electronic Bill Presentment and Payment, likewise on a hosted page
  • Storing all card data, encrypted, on CenPOS servers, eliminating file-drawer and merchant-stored data

Verizon 2011 PAYMENT CARD INDUSTRY COMPLIANCE REPORT

Learn more about how CenPOS can help you with PCI DSS Compliance.

Integrated Check And ACH Electronic Processing Technology Launched

Tuesday, September 13th, 2011

PRESS RELEASE FOR IMMEDIATE RELEASE

Integrated Check And ACH Electronic Processing Technology Launched

Universal Payment Processing Platform Expands on Existing Credit And Debit Card Services

Lighthouse Pt., FL July 27, 2011 – 3D Merchant Services, a payment processing solutions consultancy, today announced CenPOS, an electronic payments developer, launched a new integrated check and ACH authorization solution. Merchants now have a single host-based solution for checks, credit and debit cards, EBT, gift and loyalty, from all sources including retail, mobile, call center and Internet.

CenPOS check services are currently certified with CrossCheck, T-Tech, and NCT and include Check 21, check conversion, ACH, and check guarantee options. Checks can be processed one by one or in a batch via the Smart Virtual Terminal, the core of the CenPOS payments processing platform through which all payments flow. The virtual terminal is accessible via FTP, web browser and API.

“A major benefit for merchants is having a single reporting dashboard for all payment types, improving efficiencies in accounting and providing critical business insights,” said Christine Speedy, CEO of 3D Merchant Services and a CenPOS direct agent. “Reconciliation is simplified, and merchants get all the other benefits of CenPOS, including mitigating risk and least cost routing,” continued Christine.

“A significant technology advancement is the ability to automatically route based on merchant managed rules. For example, a merchant may want to assume the risk for personal checks under $500, but use a check guarantee service for checks over $500. The merchant can further send checks for $500 to $1000 to one provider, and for over $1000 to another provider. Merchants have unparalleled flexibility to mitigate risk and manage costs.”

After a cashier enters the sale amount, the technology switch dynamically determines the desired service provider, and prompts the cashier for information required by that particular processor. Merchants are empowered to mitigate risk of unsuccessful future claims against bad checks and manage costs of accepting checks. Check authorization is also fully integrated into the Electronic Bill Presentment and Payment solution, enabling businesses to push out invoices via email and collect payment. CenPOS stores seven years of transaction data, dynamically searchable by numerous fields, to maximize business insights and minimize disruption during internal changes.
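
The amount-based routing described in the quote and the paragraph above, as an added example that is not CenPOS code and not part of the original release. It uses the $500 and $1,000 thresholds from the quoted example; the provider names, the rule representation, the per-provider prompt fields and the convention that each band's lower bound is inclusive are all assumptions made here. The example also validates the ruleset so that a misconfigured gap or overlap between bands is rejected up front rather than leaving some check amounts with no route.

```python
"""Added example (not CenPOS code): merchant-managed, amount-based check routing.
Provider names, prompt fields and the inclusive-lower-bound convention are assumptions."""

from decimal import Decimal, InvalidOperation
from typing import List, NamedTuple, Optional, Tuple


class RoutingRule(NamedTuple):
    low: Decimal                   # inclusive lower bound of the amount band
    high: Optional[Decimal]        # exclusive upper bound; None means no upper limit
    provider: str                  # where checks in this band are sent
    required_fields: Tuple[str, ...]   # what the cashier is prompted for at this provider


# Constructed ruleset: under $500 the merchant assumes the risk itself, $500 up to
# $1,000 goes to one guarantee provider, and $1,000 and above goes to another.
MERCHANT_RULES: List[RoutingRule] = [
    RoutingRule(Decimal("0"), Decimal("500"), "merchant_self_risk", ("check_number",)),
    RoutingRule(Decimal("500"), Decimal("1000"), "guarantee_provider_a",
                ("check_number", "drivers_license")),
    RoutingRule(Decimal("1000"), None, "guarantee_provider_b",
                ("check_number", "drivers_license", "phone")),
]


def validate_rules(rules: List[RoutingRule]) -> List[RoutingRule]:
    """Bands must start at 0, be contiguous and non-overlapping, and end open-ended,
    so that every positive amount has exactly one route."""
    if not rules:
        raise ValueError("at least one rule is required")
    ordered = sorted(rules, key=lambda r: r.low)
    if ordered[0].low != Decimal("0"):
        raise ValueError("rules must start at 0")
    for prev, nxt in zip(ordered, ordered[1:]):
        if prev.high != nxt.low:
            raise ValueError(f"gap or overlap between {prev.provider} and {nxt.provider}")
    if ordered[-1].high is not None:
        raise ValueError("last rule must be open-ended")
    return ordered


def route_check(amount, rules: List[RoutingRule] = MERCHANT_RULES) -> RoutingRule:
    """Pick the rule whose band contains the amount. Decimal avoids float rounding
    putting a $499.99 check on the wrong side of a threshold."""
    try:
        amt = Decimal(str(amount))
    except InvalidOperation:
        raise ValueError(f"not a valid amount: {amount!r}")
    if amt <= 0:
        raise ValueError("check amount must be positive")
    for rule in validate_rules(rules):
        if rule.low <= amt and (rule.high is None or amt < rule.high):
            return rule
    raise AssertionError("unreachable: validated rules cover every positive amount")


if __name__ == "__main__":
    for sale in ("125.00", "500", "999.99", "1000", "2500"):
        rule = route_check(sale)
        print(f"${sale:>8} -> {rule.provider:22} prompt for {', '.join(rule.required_fields)}")
```

The post says "under $500" and "over $500" without stating where exactly $500.00 falls; the example puts each threshold amount in the upper band, and that choice should be confirmed with the merchant's guarantee contract, since it determines which checks are covered.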

Integrated check and ACH services are immediately available. For additional information or for a demo, contact Christine Speedy at 954-942-0483 or visit www.3Dmerchant.com.

About 3D Merchant Services
3D Merchant Services is the marketing entity for a CenPOS major account sales team. 3D Merchant Services is engaged in growing CenPOS direct business relationships with ISOs, banks, and resellers. The team also works with merchants directly, analyzing their methodology and cost of payment processing and associated services, and providing solutions through direct partner relationships. For more information contact 3D Merchant Services at (954) 942-0483 or visit www.3Dmerchant.com. Sales@3dmerchant.com

About CenPOS
CenPOS is a global technology leader for payment processing. The company develops solutions for merchants to accept, process and reconcile electronic payments, including credit and debit card, check, EBT, gift and loyalty. The proprietary payment engine includes retail, mobile, and ecommerce solutions, and provides merchants with unique insight and fraud protection. For more information visit www.cenpos.com and contact Christine Speedy at (954) 942-0483 or cspeedy AT cenpos.com.