Small Business Merchant Security Mandate

Small businesses are at high risk of a credit card data breach. To stem the tide of breaches, effective January 31, 2017, all level 4 merchants were mandated to only use Qualified Integrator & Reseller (QIR) for Point of Sale (POS) applications or terminal installation, integration or maintenance.The Payment Card Industry Data Security Council provides certification and maintains the official list of certified QIR people.  Any entity that installs Point of Sale in conjunction with a payment application must put at least one representative through the QIR training/qualification process.

What’s a level 4 merchant? Visa’s Level 4 merchant category encompasses businesses that process fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions, regardless of channel, per year. Visa has estimated this covers approximately 5 million merchants.

What is QIR Qualification? From the PCI Council:

QIR qualification is a set of requirements put in place by Visa for acquirers in an effort to ensure that small merchants are able to implement and maintain a secure Point of Sale environment. QIR qualification provides an opportunity for POS Providers (both VARs and ISVs) to receive training and subsequent qualification on the secure installation of PA-DSS validated payment applications into merchant environments so that said merchants can maintain ongoing PCI compliance. Many data breaches from past years could have been avoided if not for incorrect installation/maintenance of payment application and on-site merchant networks, so QIR qualification was implemented to ensure that only skilled/trained installers are installing payments products.

Who must be QIR certified? Anyone who touches something impacting the cardholder data environment, excluding internal employees. That could be the a Value Added Reselller (VAR) to a POS application. Or it could someone installing something from one of thousands of independent software vendors (ISVs) who provide payment applications that fall under the auspices of the PCI Security Standards Council’s Payment Application Data Security Standard (PA-DSS). People, not companies, are QIR certified, but all individuals are listed under company names.

qir certified speedyThe exam is tough. If you fail, there’s no feedback. Applicants must go back and study more, pay more, and retake the test. Annual continuing education is required to maintain certification. When I completed my exam, there were 452 certified in the world. Today, it’s 450, as two expired and did not complete renewal process.

Not enough companies are in compliance. It was $395 to take the exam and $150 to retake the exam until March 2018, plus ongoing annual recertification fees after year two. The PCI Council recently announced a change so it’s $100 for 3 attempts, plus $100 annually, in an attempt to get more people certified.

In my experience, most people involved in the payments process do not have the knowledge to complete an installation, or provide maintenance, unless they’ve been QIR certified. In my opinion, the longer they’ve been doing it, the more likely they are to use outdated techniques that put merchants at risk of a data breach. The same is true for application developers. There’s a ton of ‘trusted’ companies out there that integrate payments into web sites and other applications. They have a lot of experience. But payment processing is a moving target of complex security changes. Without specific training, including going through process of PA-DSS application certification, too many businesses are at risk.

Why should card not present merchants use QIR certified individuals? The QIR training encompasses all aspects of payments, including servers, networks etc. The QIR trained person is more likely to probe and identify potential weaknesses in any cardholder environment.

Why should level 1, 2, 3 merchants use QIR certified individuals? In my experience, there are weaknesses in businesses of every size. I can find a compliance problem in virtually any business. The key is to minimize risk and have a plan for continuous improvement.

Call Christine Speedy, QIR certified payments professional, right now at 954-942-0483, 9-5 ET.

3 Things CPA’s Must Advise B2B Clients in 2018

Accountants offer professional advice regarding cash flow, accounts receivable, tax preparation and all sorts of other consulting. Credit card processing and all the compliance it encompasses introduced immense new compliance challenges in 2017, and it’s fair to say, most businesses have no idea what they are, or what the repercussions are. A big problem is people think it’s someone else’s responsibility to keep their business compliant. Every single merchant must make internal changes to comply.

Three things every B2B company needs to know about credit card processing right now:

  1. If you store credit cards, you must be compliant with Visa Stored Credential Framework. This is arguably as huge as the retail shift to EMV chip card acceptance. There are significant financial and risk consequences for non-compliance. Some solutions companies reduce the compliance burden more than others, while maximizing profits and cash flow.
  2. PCI Compliance mandate for TLS disablement will disrupt business, mostly starting right now, February 2018. Businesses need to ensure they’re servers, software (if applicable) and browsers are compliant, and also have an plan to help internal and external customers overcome issues trying to login to portals, make online payments etc.
  3. It’s a Visa rules violation to request the card security code on a paper credit card authorization form, or any digital form where the business can decrypt and view it. It can’t be stored, period. Not by the merchant nor service provider, including payment gateway.

Why these 3 things? Because 100% of B2B companies I talk to will fail on at least one, and usually two or three. That includes CPA firms also. 86% of all data breaches in 2016 were from level 4 merchants, defined as “Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.” By complying with the three items on my list, B2B companies will harden their systems and increase profits. The latter occurs because compliance with rules reduces fees. 

Example of solutions to solve these problems:

  1. An intelligent payment gateway can automate compliance with many elements of the Visa Stored Credential Framework. Simply passing data as most payment gateways do is not enough.
  2. Engage internal or external IT team to test all systems for TLS compliance, and verify at SSLlabs.com.
  3. Empower customers to self pay via push (text or email), or pull (online hosted pay page) technology so that employees never have access to cardholder data again. Whatever the old justification for using paper forms with full card data, there is a technology solution that has negated the need.

Christine Speedy, CenPOS authorized reseller, 954-942-0483. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

Validated P2PE Solution

Looking for a Validated P2PE Solution? CenPOS launched their PCI-Validated P2P Encryption 3.2 solution in 2017.

Florida-Based Payment Solutions Company, CenPOS, Strives to Make Customer Experience More Secure with Launch of PCI-Validated P2P Encryption.

Data breaches are on the rise and they are costing both consumers and merchants money.

The 2017 Identity Fraud Study, released by Javelin Strategy & Research, found that $16 billion was stolen from 15.4 million U.S. consumers in 2016.

When the consumer data that makes such fraudulent activity possible comes from the merchant’s database, then the merchant can also incur some major damages. In fact, the 2017 Cost of Data Breach Study: United States, found that the total average organizational cost of a data breach has reached a new high at $7.35 million.

CenPOS aims to reduce the vulnerability of sensitive consumer data — that could be used to drain debit card-linked bank accounts, make “clone” credit cards, or buy items on certain less-secure online sites — to hackers with the release of its Validated P2PE solution.

Officially released on July 7th of this year, CenPOS Validated P2PE encrypts cardholder data so businesses can simplify compliance with Payment Card Industry Data Security Standards (PCI DSS) and consumers can stop worrying about data being stolen between “the store” and the bank.

Surprisingly, Validated P2PE is not new technology. It’s the strongest level of data encryption in the market right now and is offered by other merchant payment services companies. However, CenPOS is the first and only company with the Qualified Integrator & Reseller (QIR) designation to offer a Validated P2PE solution.

The QIR designation is awarded by the Payment Card Industry Security Standards Council, a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security.

According to their standards, “the quality, reliability, and consistency of a QIR Company’s work” should provide confidence that the merchant’s payment application has been implemented in a manner that supports PCI DSS compliance.

Chris Justice, CEO of CenPOS, is quoted saying: “We believe that loyalty is built on trust and that trust is built by delivering great customer experience over and over again. So, when consumers can have greater peace of mind because they know that the merchant has the proper data security in place to reduce exposure to painful events, like data breaches, we believe customer experience is enhanced and that consumer will choose that merchant over others who are less diligent.”

CenPOS Validated P2PE launched on Friday, July 7, 2017. To learn more, visit https://cenpos.com/solutions/data-security
More facts and further information about CenPOS, can be discovered at https://www.cenpos.com/

About CenPOS
CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS’ secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships. | CenPOS | @CenPOS

##

Christine Speedy, CenPOS Sales 954-942-0483, 9-5 ET is based out of South Florida and NY, selling globally. When you call Christine, there is no middle man; all agreements are direct with CenPOS. As one of the very first to sell for CenPOS, I have deep experience to help merchants understand benefits and get live fast.

See also this article for important certifications.

VP2PE and Payment Card Industry Acronyms Revealed

Data breach prevention: update every device due to Intel vulnerability

News of the Intel chip flaw creating vulnerability in virtually everything with a computer chip in it was announced last week. Microsoft, Google and tech companies now have a fix so it’s time to update all your devices. These emergency updates are to address the bugs called Meltdown and Spectre.

“These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”

“Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.”

For PCI compliance, merchants must update software within 30 days, however, I wouldn’t wait. Prioritize updates now.

For more information on the bugs, see https://krebsonsecurity.com/2018/01/scary-chip-flaws-raise-spectre-of-meltdown/

Christine Speedy, CenPOS authorized reseller, 954-942-0483. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

CenPOS Hosted Pay Page vs EBPP

I’m advising my CenPOS clients with card not present transactions to use either the hosted pay page or Electronic Bill Presentment and Payment (EBPP), also known as electronic invoice presentment and payment (EIPP) due to increasingly complex rules. Plus cardholders are weary about giving out card data over the phone, and paper or digital credit card authorization forms should be abolished. Reducing friction to collect payments, while putting cardholders in control of their data, is proven to increase sales, profits and cashflow so updating procedures is a win win for you and your customers.

What is a hosted pay page?

A hosted pay enables customers to passively pay bills online via a secure web page hosted on a CenPOS server. The form can be embedded on your web site secured with an SSL certificate or you can direct customers to your custom CenPOS URL. The most common payment types CenPOS users enable are credit cards, Paypal, and ACH (echeck).

  • The burden for completing data fields to make a payment is on your customer.
  • Your customer can optionally create an account and store their card data.
  • Depending on your agreement with your customer, either you or the customer can use a stored token on file to initiate future transactions.

What is EBPP?

With EBPP, the payment request is delivered to the customer via email or text. The message includes a custom link to pay a specific bill or invoice and some of the fields are pre-filled. Customers prefer EBPP vs hosted pay page. The most common payment types CenPOS users enable are credit cards, Paypal, ACH (echeck) and wire transfer. The last is very important for international businesses to streamline bank reconciliation and match deposits to invoices.

  • Data fields, including invoice number and amount, are pre-filled to save your customer time.
  • Customers can optionally create an account to store card data, pay multiple invoices, review payment and invoice history in the CenPOS hosted portal.
  • Depending on your agreement with your customer, either you or the customer can use a stored token on file to initiate future transactions.
  • With a CenPOS ERP or accounting software integration, your records are automatically updated with payments, and reminders are automatically delivered.
  • Optional 2-way texting service has many benefits, including communicating with customers via their preferred methods- whether phone, text or email.

What are the benefits of customer initiated payments with hosted pay page or EBPP?

  • Increased efficiency to comply with new stored credential rules.
  • Reduced merchant fees for some cards (3-D Secure cardholder authentication must be enabled.)
  • Increased approvals with cardholder authentication.
  • Mitigate chargeback risk – with cardholder authentication fraud liability shifts to issuer.

In summary, either method of online payments increases security and enables customers to pay 24/7 to increase cash flow. EBPP solutions have significant additional benefits and the cost to implement is virtually nil, with many businesses experiencing an instant ROI.

Christine Speedy, CenPOS authorized reseller, 954-942-0483. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.