Posts Tagged ‘ecommerce’

PCI SECURITY STANDARDS COUNCIL RELEASES PCI DSS E-COMMERCE SECURITY GUIDELINES

Wednesday, February 20th, 2013

— PCI Special Interest Group offers guidance to merchants to help secure payments accepted over the Internet—

WAKEFIELD, Mass., January 31, 2013 — Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards, published the PCI DSS E-commerce Guidelines Information Supplement, a product of the E-commerce Security Special Interest Group (SIG). Businesses selling goods and services over the Internet can use this resource as a guide for choosing e-commerce technologies and third-party service providers that will help them secure customer payment data and support PCI DSS compliance efforts.
PCI Special Interest Groups (SIGs) are community-driven initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs.
In 2012, PCI Participating Organizations selected e-commerce security as a key area to address via the SIG process. More than 60 global organizations representing banks, merchants, security assessors and technology vendors collaborated to produce guidance that will help organizations better understand their responsibilities when it comes to PCI DSS; the risks they need to evaluate when considering ecommerce solutions; and how to determine their PCI DSS scope.
“Take SQL injections as an example. This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised,” said Bob Russo, general manager, PCI Security Standards Council. “This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.”
The PCI DSS E-commerce Guidelines Information Supplement provides an introduction to e-commerce security and guidance around the following primary areas and objectives:

  • E-commerce Overview – provides merchants and third parties with explanation of typical e-commerce components and common implementations and outlines high-level PCI DSS scoping guidance to be considered for each.
  • Common Vulnerabilities in E-commerce Environments – educates merchants on vulnerabilities often found in web applications (such as e-commerce shopping carts) so they can emphasize security when developing or choosing e-commerce software and services.
  • Recommendations – provides merchants with best practices to secure their e-commerce environments, as well as list of recommended industry and PCI SSC resources to leverage in e-commerce security efforts.

The document also includes two appendices to address specific PCI DSS requirements and implementation scenarios:

  • PCI DSS Guidance for E-commerce Environments – provides high-level e-commerce guidance that corresponds to the main categories of PCI DSS requirements; includes chart to help organizations identify and document which PCI DSS responsibilities are those of the merchant and which are the responsibility of any e-commerce payment processor.
  • Merchant and Third-Party PCI DSS Responsibilities – for outsourced or “hybrid” e-commerce environments, includes sample checklist that merchants can use to identify which party is responsible for compliance and specify the details on the evidence of compliance.

The information supplement can be downloaded from the documents library on the PCI SSC website at https://www.pcisecuritystandards.org/security_standards/documents.php.
Merchants who use or are considering use of e-commerce technologies in their cardholder data environment, and any third-party service providers that provide e-commerce services, e-commerce products, or hosting/cloud services for merchants can benefit from this guidance. This document may also be of value for assessors reviewing e-commerce environments as part of a PCI DSS assessment.
As with all PCI Council information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.
“E-commerce continues to be a target for attacks on card data, especially with EMV technology helping drive so much of the face-to-face fraud down in Europe and other parts of the world,” said Jeremy King, European director, PCI Security Standards Council. “We are pleased with this guidance that will help merchants and others better understand how to secure this critical environment using the PCI Standards.”
Those interested in learning more about this guidance and how to use it are invited to join the PCI Council for a webinar on February 7 and 14, 2013. Visit the PCI SSC website for more information and to register: https://www.pcisecuritystandards.org/training/webinars.php.
About the PCI Security Standards Council
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has over 600 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org.
Connect with the PCI Council on LinkedIn: http://www.linkedin.com/company/pci-security-standards-council
Join the conversation on Twitter: http://twitter.com/#!/PCISSC

CenPOS Integrates with E-Commerce Solutions: Magento, Prestashop, and Zen Cart

Thursday, July 12th, 2012

CenPOS integrates with Magento, Prestashop, and Zen Cart. These open-source E-commerce solutions offer a complete shopping cart solution for CenPOS Merchants.

Miami, FL (PRWEB) July 11, 2012

CenPOS, a fast-growing payment processing network, announced that it is now integrated into Magento, Prestashop and Zen Cart, all of which are open-source E-commerce solutions. With these integrations, CenPOS is now able to offer a complete shopping cart solution for e-commerce merchants.

The integrations allow e-commerce merchants and web designers to create an easy, convenient online shopping and payment experience for their customers. The shopping carts are integrated with all other CenPOS products so users will have access to CenPOS features such as interchange optimization, least cost routing, dynamic reporting systems, and more.

“These integrations with CenPOS are an ideal solution for both online businesses and brick-and-mortar stores who want to sell their products online,” said Jorge Fernandez, CEO, CenPOS. “These shopping carts allow for easy inventory management while CenPOS efficiently and securely processes customer payments,” added Fernandez.

About CenPOS
http://www.cenpos.com/

“Creating efficiencies through payment innovation”

Founded in 2009, Miami-based CenPOS is a payment technology provider. CenPOS is committed to providing its customers and partners with innovative solutions for today’s rapidly evolving consumer payment choices.
CenPOS is an intelligent payment processing network that streamlines the payment experience for businesses and consumers by using state-of-the-art technology to replace inefficient, outdated payment systems. The network reflects the core values that drive the experienced and innovative CenPOS team: Simplicity, Scalability, Security and a holistic approach to payment processing strategies.

CenPOS provides solutions to a range of organizations including but not limited to retail, card not present merchants, automotive dealers, professional services and academic institutions; special programs are also available for non-profits. Call us: (305) 630-7960, or toll free: (877) 630-7960.

LinkedIn: http://www.linkedin.com/company/820255
Twitter: http://twitter.com/cenpos @CenPOS

Best fundraising payment solution for political campaigns

Monday, October 31st, 2011

Accept payments via mobile, internet, and at fundraising events all with a single gateway solution that provides optimum security and cost containment. Fundraising solutions for any candidate must include a variety of payment methods, cost controls, reporting tools, and be simple to implement. This article explores how our solution achieves this.

Just like a business, accepting funds via credit card can be expensive when running for Congress, Senate, President or other offices. However, thanks to debit legislation under the Durbin Amendment that went into effect October 2011, it’s not nearly as much as it used to be. With a wholesale cost of .05% and $.21 per transaction for non-exempt debit cards, the overall cost of credit card processing has been greatly reduced. With a wholesale merchant account, you’ll pay interchange fees at all levels plus a small merchant discount.

Understanding merchant accounts.

  1. You can apply for an ecommerce merchant account, MOTO (mail order/phone order), or Retail (card present/swipe). It’s against card association rules to process ecommerce transactions on a MOTO or Retail merchant account. But if you have an ecommerce merchant account, you’ll pay higher card not present rates on swiped transactions. The solution? Our CenPOS gateway automatically identifies the transaction method and sends the appropriate data so that the transaction will qualify for retail. The CenPOS patent pending switching technology is not available from other vendors and saves big money. For example, save .3% on Visa Rewards cards, the difference between retail and card not present.
  2. Fees are made up of fixed non-negotiable interchange fees, network fees, card association fees, fees that vary by vendor (some hard costs vendors incur may vary), and negotiable merchant discount fees. Altogether, when you divide your total fees by the net transactions, we call this your effective rate. With a wholesale merchant account, an estimated effective rate for political fundraising campaigns is 2.2%, or 3.5% for very small campaigns. If you’re not paying anywhere near that, contact us for alternatives.
  3. Different payment acceptance points can result in disparate reporting, which is never a problem until you’re trying to research something and then it becomes a nightmare.
  4. A gateway is required to accept payments online. You need both a merchant account and a gateway. CenPOS is a universal gateway, compatible with all major processors.

Campaign Fundraising Concerns and how we solve them with the CenPOS gateway:

  • Need to accept payments via many methods: At the core of CenPOS is a Virtual Terminal for card swipe, online payments, mobile payments and any other method. CenPOS automatically switches payment routing for least cost.
  • Need to accept multiple payment types: Check and credit/debit cards are currently accepted, and more options will be available in 2012.
  • Large volunteer base may assist in payment collection. This creates potential liability for data security, but also a need for a simple solution. Have you ever handed out donation cards at a fundraising event that request credit card information to be written down? Identity theft is a major threat. Instead, use smart phones with the free CenPOS app and get cards swiped at the table or door, or add a card reader to any laptop. Micromanage user permissions and shut them down on demand. CenPOS prompts both the user and the donor for the appropriate actions. “Dummy proof” your payment collection to reduce costs and improve record keeping.
  • Donor Management: An API (application programming interface) is available to exchange data with your donor management software. CenPOS supports recurring billing and can send the appropriate secure token to your software as well. CenPOS stores 7 years of data vs the typical 18 months of merchant services providers and gateways.
  • Finance scrutiny and Fraud protection: CenPOS mitigates risk of fraudulent cards and also offers advanced protection to block certain payment types including anonymous and foreign issued cards. You’re in control of how tight you want to control donations.

CenPOS integration for Ecommerce Templates

Monday, October 31st, 2011

“My client is currently using CenPos as their virtual terminal and I honestly have not heard of them before. I am wondering if this can be integrated with the Ecommerce Template without too much trouble.”

The CenPOS API can be integrated with Ecommerce Templates and many other shopping carts. There are multiple implementation options so the amount of time depends on your specific needs and your skill level. We can provide a payment object that you can apply in 10 minutes. Or you can use our API. Integration can be done in 1-8 hours in most cases, usually less than 4.

The current API can only be obtained from authorized personnel. Do not attempt to use any file from any other source as there is no guarantee of file reliability, accuracy, or security.

Why haven’t you heard of CenPOS? Quite simply, we’ve been quietly building market-share without any promotion as part of our marketing strategy. CenPOS users now include:

  • 5 of the top 30 Auto Dealers in the US (2010 Wards)
  • 1 of the top 10 cellular providers
  • Clients at 5 of the top 5 US Acquirers

CenPOS has been built from the ground up to be multi-platform and processor agnostic. There has been nothing on this level in the marketplace before for the mid-size business, our core target market.

Key differentiators from the other well known gateways, including authorize.net, Payflow Pro and Orbital:

  • Interchange optimization automatically optimizes for lowest cost to process any credit card type. This is crucial and entirely unique.
  • Payment acceptance flexibility: Payments accepted via retail, ecommerce, MOTO, mobile, web page, EBPP, batch and just about any way you can imagine.
  • Mitigates risk of internal and external fraud with built-in micro management tools and alerts.

So we can focus on our core business of continually developing the world’s most advanced payment processing gateway, we’re actively seeking developers and VARs to create integrations. With our exploding growth, your experience as a CenPOS integrator will help you attract new customers.

Please contact us for the current API, integration questions, or for more information. Please note, we offer both a referral program and a reseller program.

Ecommerce Receipt Requirements per 2011 Visa Chargeback Guidelines

Tuesday, October 18th, 2011

Ecommerce receipts must include the Authorization Code and Transaction Type (Purchase or Credit) to protect merchants from chargebacks as a result of customer disputes, per the 2011 chargeback management guidelines for Visa merchants.

transaction receipt requirements for card absent transactions

Please see page 23 in the 2011 chargeback-management-guidelines-for-visa-merchants PDF


When a merchant cannot produce a receipt per the guidelines, the consumer will normally automatically win any dispute*, resulting in a chargeback to the merchant. This presents significant risk to ecommerce store owners.

Receipt requirements are different for card present, thus the requirement to state the URL where the transaction occurred. If a merchant submits an ecommerce transaction on a merchant account without the ECI indicator (i.e. a retail or MOTO account), this is another way merchants can automatically lose disputes.

Search “ECI” in the PDF for related ecommerce items. Customers cannot reverse transactions; they can only dispute them and the bank can reverse pending investigation.

Because the auth code is dynamically generated, this is a function of the shopping cart application and gateway.

* Although the Visa document contains “guidelines”, merchants affirm that in their experience, it’s hard to win any dispute that does not meet all guidelines.

HostedPCI vs Smart Virtual Terminal review

Thursday, September 1st, 2011

I received a cold call from a representative of HostedPCI so I decided to review what they offer. HostedPCI’s sales pitch is to offer a quick and easy way to become PCI DSS compliant by offering an interface to your existing applications. Basically, their ‘vault’ receives the payment information, tokenizes it, and from that point, only the token is used for processing payments, regardless of the connection interface such as authorize.net.

The core services are currently call center and checkout express. The call center application changes the customer over to a secure payment call session where the consumer enters their card information. Then the operator gets a pop up on the screen with the token ID which can then be used for processing. This removes the operator from hearing the card information, improving security, and also making it easier to comply with regulations regarding recording payment information over the phone. Is this a one time use token? Is the customer told their card data is being stored? How long is it stored for? Whether they exist now or later, there are certain to be new regulations coming regarding the rules for storing, even with a secure token.

The company 2138617 Ontario Inc., dba HostedPCI appears to be Canadian, though it’s not entirely transparent since there is no address on the web site.

It is not a gateway and the salesperson said you’d still need one to accept payments online. I have to wonder, what is the real value of this application vs our Smart Virtual Terminal?

Tokenization – Yes, they both have it. HostedPCI tokenizes every transaction. Our Smart VT only tokenizes data if there is a need for a repeat sale, and the merchant can issue an approval form for signature, perfect for B2B needs. There are so many other benefits for ours vs theirs (see our token billing page), there is really no comparison. Winner: Smart Virtual Terminal.

Call center - HostedPCI wins hands down because we don’t offer any voice related services. However, you can explore 3rd party options that already exist and if it makes business sense, we’ll integrate.

Gateway – HostedPCI integrates with gateways, our Smart VT replaces them, eliminating gateway fees. Winner: open to interpretation.

Shopping cart integration – HostedPCI Checkout Express uses an iFrame and also offers an API, same as our Smart VT. HostedPCI has ready-made APIs for Drupal and Magento; we’ve never had a customer ask for this so we haven’t made one specifically for this purpose yet. Winner: open to interpretation.

Reporting – HostedPCI doesn’t mention any and our Smart VT is more robust than anything else on the market. There is no comparison. Winner: Smart Virtual Terminal.

Flexibility – HostedPCI is developing new applications. Smart Virtual Terminal is ready today for Kiosk, EBPP, ecommerce, web payments, mobile, and retail POS and accepts loyalty, credit/debit, check, check guarantee, ACH and other payment methods. Numerous ground breaking features are in the works. Winner: Smart Virtual Terminal.

With prices that start at $.30 per transaction for HostedPCI, if you have an ecommerce PCI Compliance problem and spend less than $100 per month in gateway fees now, then HostedPCI may be a viable option for you. If you have a call center, check the legal requirements in your state on what’s allowed, including phone script requirements. Smart Virtual Terminal provides significantly more value for mid size merchants at competitive prices (non-published).

Jumio Turns Any Webcam into a Credit Card Reader, Creating Secure Way to Pay Online

Friday, July 29th, 2011

Company Launches Patent Pending Netswipe Solution to Reduce Fraud for Merchants; Makes Online and Mobile Payments Easier and More Secure than Ever

MOUNTAIN VIEW, CA JULY 26, 2011 – Payment company Jumio today unveiled a new technology solution for businesses to increase security and ease of use for online and mobile credit card payments. Jumio’s patent pending Netswipe solution turns any webcam into a secure credit card reader that allows merchants to more easily and efficiently accept payments online.

“Jumio bridges the gap between the security and trust of credit card payments at the point of sale and the availability and convenience of modern day online transactions,” says Jumio founder and CEO Daniel Mattes. “Consumers love the ease-of-use and the smooth experience associated with completing a transaction. At a time when both consumers and businesses are looking for more efficient and safe ways to make credit card purchases, Netswipe promises to usher in a new era of disruption that makes online payments easier than ever before.”

Bringing Card Present Transactions Online

Netswipe is the first and only solution that enables online card-present-transactions: Checking out just like at the point of sale (POS). To complete a transaction, consumers briefly hold their credit card in front of their webcam. Through secure videostreaming, the credit card details are recognized and verified. No snapshot image is taken, no data is stored on the computer that is used for the payment.

A More Efficient Payment Technology for Merchants

Business owners can implement Jumio’s Netswipe service into their payment process to reduce fraud and increase sales due to a heightened user experience.

“During our pilot phase, we have conducted a customer survey with a focus group who have used Netswipe. Amongst other impressive numbers, the churn rate decreased significantly from 52% to 21%.” (Mattes)

With the launch, Jumio has introduced three products for merchants that simplify the online payment process: Netswipe Start, Netswipe Scanning and Netswipe Processing. Additional products including a mobile solution will be released later this year.

Partners, High Profile Board of Directors

Jumio’s pre-launch negotiations attracted an impressive list of partners. Facebook co-founder Eduardo Saverin, member of the Jumio board of directors, previously led a Series A funding round of US$ 6.5m and will oversee Jumio’s rollout into the Asian market.

Says Saverin: “I am very excited to be involved with Jumio, which has developed a ground breaking technology that fulfills two of the most important aspects of payments processing: heightened security and a simplified user experience.”

Additionally, Jumio’s advisory board includes former executives from Google, Amazon and NASA.

About Jumio

Jumio offers an advanced technology that increases security and ease of use for online and mobile credit card payments. Jumio is the inventor of Netswipe, a patent pending solution that turns any webcam into a credit card reader. Jumio’s advisory board includes Zain Khan, former Google executive, Mark Britto, former Amazon executive, Thomas Jungreithmeir, managing director of TJP and Bjorn Evers, former gaming industry CEO. Facebook co-founder Eduardo Saverin has a seat on the board of directors.
Jumio Inc. is headquartered in Mountain View, California and operates a development center in Linz, Austria. The company was founded in 2010 by Daniel Mattes and employs 35 people. More on www.jumio.com

Restore Online Shoppers’ Confidence Act signed into law

Wednesday, December 29th, 2010

Frequently the root of recurring billing complaints involves ecommerce transactions with an opt-out third party transaction that pops up after the initial purchase is completed. The Restore Online Shoppers’ Confidence Act was signed into law December 29, 2010, to protect consumers from certain aggressive sales tactics on the Internet.

SEC. 2. FINDINGS; DECLARATION OF POLICY.

The Congress finds the following:

(1) The Internet has become an important channel of commerce in the United States, accounting for billions of dollars in retail sales every year. Over half of all American adults have now either made an online purchase or an online travel reservation.

(2) Consumer confidence is essential to the growth of online commerce. To continue its development as a marketplace, the Internet must provide consumers with clear, accurate information and give sellers an opportunity to fairly compete with one another for consumers’ business.

(3) An investigation by the Senate Committee on Commerce, Science, and Transportation found abundant evidence that the aggressive sales tactics many companies use against their online customers have undermined consumer confidence in the Internet and thereby harmed the American economy.

(4) The Committee showed that, in exchange for ‘bounties’ and other payments, hundreds of reputable online retailers and websites shared their customers’ billing information, including credit card and debit card numbers, with third party sellers through a process known as ‘data pass’. These third party sellers in turn used aggressive, misleading sales tactics to charge millions of American consumers for membership clubs the consumers did not want.

(5) Third party sellers offered membership clubs to consumers as they were in the process of completing their initial transactions on hundreds of websites. These third party ‘post-transaction’ offers were designed to make consumers think the offers were part of the initial purchase, rather than a new transaction with a new seller.

(6) Third party sellers charged millions of consumers for membership clubs without ever obtaining consumers’ billing information, including their credit or debit card information, directly from the consumers. Because third party sellers acquired consumers’ billing information from the initial merchant through ‘data pass’, millions of consumers were unaware they had been enrolled in membership clubs.

(7) The use of a ‘data pass’ process defied consumers’ expectations that they could only be charged for a good or a service if they submitted their billing information, including their complete credit or debit card numbers.

(8) Third party sellers used a free trial period to enroll members, after which they periodically charged consumers until consumers affirmatively canceled the memberships. This use of ‘free-to-pay conversion’ and ‘negative option’ sales took advantage of consumers’ expectations that they would have an opportunity to accept or reject the membership club offer at the end of the trial period.

SEC. 3. PROHIBITIONS AGAINST CERTAIN UNFAIR AND DECEPTIVE INTERNET SALES PRACTICES.

(a) Requirements for Certain Internet-Based Sales- It shall be unlawful for any post-transaction third party seller to charge or attempt to charge any consumer’s credit card, debit card, bank account, or other financial account for any good or service sold in a transaction effected on the Internet, unless–

(1) before obtaining the consumer’s billing information, the post-transaction third party seller has clearly and conspicuously disclosed to the consumer all material terms of the transaction, including–

(A) a description of the goods or services being offered;

(B) the fact that the post-transaction third party seller is not affiliated with the initial merchant, which may include disclosure of the name of the post-transaction third party in a manner that clearly differentiates the post-transaction third party seller from the initial merchant; and

(C) the cost of such goods or services; and

(2) the post-transaction third party seller has received the express informed consent for the charge from the consumer whose credit card, debit card, bank account, or other financial account will be charged by–

(A) obtaining from the consumer–

(i) the full account number of the account to be charged; and

(ii) the consumer’s name and address and a means to contact the consumer; and

(B) requiring the consumer to perform an additional affirmative action, such as clicking on a confirmation button or checking a box that indicates the consumer’s consent to be charged the amount disclosed.

(b) Prohibition on Data-Pass Used To Facilitate Certain Deceptive Internet Sales Transactions- It shall be unlawful for an initial merchant to disclose a credit card, debit card, bank account, or other financial account number, or to disclose other billing information that is used to charge a customer of the initial merchant, to any post-transaction third party seller for use in an Internet-based sale of any goods or services from that post-transaction third party seller.

(c) Application with Other Law- Nothing in this Act shall be construed to supersede, modify, or otherwise affect the requirements of the Electronic Funds Transfer Act (15 U.S.C. 1693 et seq.) or any regulation promulgated thereunder.

(d) Definitions- In this section:

(1) Initial merchant- The term ‘initial merchant’ means a person that has obtained a consumer’s billing information directly from the consumer through an Internet transaction initiated by the consumer.

(2) Post-transaction third party seller- The term ‘post-transaction third party seller’ means a person that–

(A) sells, or offers for sale, any good or service on the Internet;

(B) solicits the purchase of such goods or services on the Internet through an initial merchant after the consumer has initiated a transaction with the initial merchant; and

(C) is not–

(i) the initial merchant;

(ii) a subsidiary or corporate affiliate of the initial merchant; or

(iii) a successor of an entity described in clause (i) or (ii).

SEC. 4. NEGATIVE OPTION MARKETING ON THE INTERNET.

It shall be unlawful for any person to charge or attempt to charge any consumer for any goods or services sold in a transaction effected on the Internet through a negative option feature (as defined in the Federal Trade Commission’s Telemarketing Sales Rule in part 310 of title 16, Code of Federal Regulations), unless the person–

(1) provides text that clearly and conspicuously discloses all material terms of the transaction before obtaining the consumer’s billing information;

(2) obtains a consumer’s express informed consent before charging the consumer’s credit card, debit card, bank account, or other financial account for products or services through such transaction; and

(3) provides simple mechanisms for a consumer to stop recurring charges from being placed on the consumer’s credit card, debit card, bank account, or other financial account.

SEC. 5. ENFORCEMENT BY FEDERAL TRADE COMMISSION.

(a) IN GENERAL- Violation of this Act or any regulation prescribed under this Act shall be treated as a violation of a rule under section 18 of the Federal Trade Commission Act (15 U.S.C. 57a) regarding unfair or deceptive acts or practices. The Federal Trade Commission shall enforce this Act in the same manner, by the same means, and with the same jurisdiction, powers, and duties as though all applicable terms and provisions of the Federal Trade Commission Act (15 U.S.C. 41 et seq.) were incorporated into and made a part of this Act.

(b) Penalties- Any person who violates this Act or any regulation prescribed under this Act shall be subject to the penalties and entitled to the privileges and immunities provided in the Federal Trade Commission Act as though all applicable terms and provisions of the Federal Trade Commission Act were incorporated in and made part of this Act.

(c) Authority Preserved- Nothing in this section shall be construed to limit the authority of the Commission under any other provision of law.

SEC. 6. ENFORCEMENT BY STATE ATTORNEYS GENERAL.

(a) RIGHT OF ACTION- Except as provided in subsection (e), the attorney general of a State, or other authorized State officer, alleging a violation of this Act or any regulation issued under this Act that affects or may affect such State or its residents may bring an action on behalf of the residents of the State in any United States district court for the district in which the defendant is found, resides, or transacts business, or wherever venue is proper under section 1391 of title 28, United States Code, to obtain appropriate injunctive relief.

(b) NOTICE TO COMMISSION REQUIRED- A State shall provide prior written notice to the Federal Trade Commission of any civil action under subsection (a) together with a copy of its complaint, except that if it is not feasible for the State to provide such prior notice, the State shall provide such notice immediately upon instituting such action.

(c) INTERVENTION BY THE COMMISSION- The Commission may intervene in such civil action and upon intervening–

(1) be heard on all matters arising in such civil action; and

(2) file petitions for appeal of a decision in such civil action.

(d) CONSTRUCTION- Nothing in this section shall be construed–

(1) to prevent the attorney general of a State, or other authorized State officer, from exercising the powers conferred on the attorney general, or other authorized State officer, by the laws of such State; or

(2) to prohibit the attorney general of a State, or other authorized State officer, from proceeding in State or Federal court on the basis of an alleged violation of any civil or criminal statute of that State.

(e) LIMITATION- No separate suit shall be brought under this section if, at the time the suit is brought, the same alleged violation is the subject of a pending action by the Federal Trade Commission or the United States under this Act.