iPad Mobile payments- important security notice

With a proliferation of newcomers to the market, merchants need to be aware of potential mobile payments security problems. The PCI Security Standards Council recently released new standards for developers as well as guidelines for merchants. One important aspect to ask questions about, is ‘store and forward‘.

If the mobile application enables you to accept credit cards when you cannot connect to the internet, clearly the data resides on the device, which creates a potential security risk.  This issue is addressed in a new Best Practice for Mobile Payments Developers released by the PCI Security Standards Council. Who can access the card information, pending presentment to your processor for an authorization? In what format does that data reside? If the user cannot access, is it possible other malware could access the data?

Editor’s note: Our CenPOS iPad mobile app does not support store on device and forward for presentment later. Merchants must have access to an internet connection. There are multiple options should you need to store payment data with that live connection:

  1. Zero dollar auth- validate the card only, and store data for later billing.
  2. Auth- Get an authorization for a specific sale, but don’t charge yet; store data for later billing.
  3. Repeat sale- Process transaction now, and store payment information for future billing.

In each case above, the credit card information is encrypted and replaced by a random alpha-numeric character, or ‘token’.   The encrypted payment information can never be seen again.
Accepting Mobile Payments with a Smartphone or Tablet  (PDF download from PCI Security Standards Council)

For additional information about mobile payments solutions, please contact Christine.

3D Merchant Services Powered by CenPOS
2633 NE 26th Ave Metro South FloridaFL33064 USA 
 • 954-942-0483

What is a Visa compliant credit card authorization form?

Do you accept fax order forms from your customers? Are you a business to business company needing to store credit card data on file for recurring billing of variable amounts? The typical fax authorization form does not meet Visa requirements.

Card Acceptance Guidelines for Visa Merchants (2012) PDF download from Visa.com

You won’t find a “fax authorization form” in the guidelines, however, there is much information about receipt requirements.

Transaction Receipt Requirements are referenced on page 495 and Recurring Transactions starts on pg 585. The guidelines vary depending on whether your recurring billing order is from an ecommerce or other method.

Sample of a receipt for a sale from a stored card transaction:

recurring sale receipt compliant

A fax order form for a one time purchase should comply with the  standard receipt requirements. The invoice detail is generally accepted on  a separate page for B2B; the invoice number should be on the receipt.

A recurring billing order form should comply with the recurring rules and standard receipt requirements.

Chargeback prevention tips for business to business, card not present:

  • Deliver a receipt via email to the cardholder immediately upon charging the card. If there is going to be a dispute, resolve the issue quickly.
  • Send an invoice detail.
  • Use EBPP.  If you send an electronic invoice to the cardholder and they click and pay, it’s pretty hard to dispute someone else ordered the items.
  • Bill to and ship to addresses should match unless you have something in writing from the cardholder that they authorize shipping to another address.
  • Get a signed recurring billing authorization form if you’re storing card data.
  • Make sure your receipts have ‘recurring’ or ‘repeat sale’ for recurring billing.
Sample of stored card data authorization to pay form, replacing a fax form.

Fax authorization form compliant

There are too many variables to address all the options for a compliant fax authorization form in this article. For PCI DSS compliance, we recommend you replace all traditional forms with exposed credit card or check data with one that references tokens, an alpha numeric string that replaces the card data and is useless outside your payment processing system, even if stolen.

CenPOS is a universal payment processing platform that provides efficiencies for merchants and their customers, reduces PCI DSS compliance burden, and many other benefits.

WHERE TO BUY

CenPOS is sold through direct agents and resellers. There is also a referral program. Click here to become a CenPOS agent, reseller, or referral partner.  Click here to become a customer or call the hotline at the top of this web page.

 

 

Legal billing and payment technology increases cash flow

Here’s a sneak preview of two innovations that will improve your EBITDA in 2012 with very little effort by your legal staff. The first improves billable time data capture and the second enhances payment acceptance with a flexible PCI Compliant solution, while mitigating risk.

Capture more billable time with a new innovative mobile time tracker that enables you to capture and assign billable time by matter code and client. A key feature is the pop-up on incoming calls; when you hang up, you can immediately assign the call to a client for billing and even enter notes. The length of call is prefilled for you. This data is all accessible back in the office via a web based dashboard.

legal expense record on mobile device

Expense record on mobile device. Assign and submit billable/ reimbursable expenses on the go.

Our  innovative payment gateway works with your existing payment processors, creating numerous efficiencies, increasing cash flow, and reducing the cost of payment acceptance. Partners will have unprecedented access to client billing and payment data based on permissions granted. Clients will have new ways to receive invoices and make payments. Finance staff will have tools to automate processes and control payment processing costs. You’re in control of the most flexible, scalable payment solution available today.

virtual terminal and web payment page for law firm

Image shows example of a custom secure payment page on a law firm web site. When clients select a location, the system automatically routes the transaction to the correct merchant account and related bank account for deposit. Fully configurable for your specific needs, clients can store multiple payment methods and save time for future payments. Future proof and PCI Compliant.

We’ve been too busy bringing clients on board to create comprehensive marketing materials; technology is ready for immediate implementation. Payment Modules include: virtual terminal, batch upload, Electronic Bill Presentment & Payment (EBPP), Dashboard Reporting, report writer, shopping cart and pay page.

Legal Payment Brochure (pdf Download) . This one page document will be updated in the future.

Join clients listed in the 2011 U.S. News – Best Lawyers ‘Best Law Firm’ Rankings. Contact us now to find out why they chose our technology.

 

Verizon 2011 PAYMENT CARD INDUSTRY COMPLIANCE REPORT

Is it any surprise that actual Payment Card Industry (PCI) Data Security Standard (DSS) assessments by Verizon’s team of Qualified Security Assessors (QSAs) shows growth of compliance is stagnant? Even worse, organizations that suffered data breaches were much less likely to be compliant than a normal population of PCI clients? About 20 percent of organizations passed less than half of the DSS requirements, while 60 percent scored above the 80 percent mark. For all those merchants sounding off about an annual PCI Compliance Fee, the evidence is clear that merchants still have a long ways to go. 100% PCI DSS compliance is the only acceptable statistic.

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies)

The first two of these can easily be resolved with our hosted payment processing technology, CenPOS. If you’re going to store cardholder data, it needs to be encrypted. One of the major problems with this has been ready access to solutions for storing cardholder data for variable billing. Most gateways have a PCI Compliant solution to store encrypted card data for recurring billing,  charging the same amount on a fixed schedule. However, CenPOS is unique to offer storing card data for billing a variable amount, token billing. Additionally, it is the only technology this writer is aware of that also includes interchange optimization, of major importance to companies trying to control credit card processing fees.

encrypt cardholder data token billing variable amount

Tokens are issed for stored card data, worthless if stolen.

Requirement 10 (Tracking and Monitoring) is a major component of CenPOS. Every user has a unique login and management can micro manage permissions. Where others create a few tiered levels of permission such as cashier, finance, and administrator, CenPOS offers a plethora of options, plus management tracking and research tools.

  • User Permissions: Control precise transaction types allowed, set maximum thresholds, set alerts based on responses, amounts and other criteria. Extensive Permissions enable maximum merchant protection from lower level employees, plus there are tools for secondary oversight at the admin level to mitigate risk of high level employee fraud.
  • Tracking and Monitoring: The requirement calls for the tracking and monitoring of all access to network resources and cardholder data, the main objective is to maintain system logs and have procedures that ensure proper utilization, protection, and retention. According to the Verizon Report, this has historically been one of the most challenging, but is critical to forensic investigations if needed. CenPOS logs everything related to the payments process including user ID, time stamps and every other element of interaction with the system. Merchants must have their own internal logging system for their network.

Requirement 11 (Regular Testing) had the least compliance in the Verizon report. “Organizations continue to have difficulty meeting the sub-requirements regarding network vulnerability scanning (11.2), penetration testing (11.3), and file integrity monitoring (11.5).”  Our recommendation is that merchants hire a qualified outside vendor to assist them with this requirement. We have no direct affiliation with such companies but know several with good reputations should you need a resource.

Requirement 12 (Security Policies) While the best laid written plans may exist, there is still the human factor. Weaknesses identified include poorly written policies, including so long that they are stuffed in a desk never to be read again, and those that are too vague. Note that the requirements are directly related to the services in scope of the organization’s PCI DSS. The more the merchant reduces their scope, the more the burden is on their service provider instead of their internal personnel. CenPOS reduces the merchant scope in several ways, including but not limited to:

  • Web payments on a hosted pay page, not the merchants web page
  • Electronic Bill Presentment and Payment- same as above.
  • Storing all card data, encrypted, on CenPOS servers, eliminating file drawer and merchant stored data
Verizon 2011 PAYMENT CARD INDUSTRY COMPLIANCE REPORT

Verizon 2011 PAYMENT CARD INDUSTRY COMPLIANCE REPORT (PDF) download

Learn more about how CenPOS can help you with PCI DSS Compliance.

 

 

 

PCI standards for phone call recordings of payments over the phone

Does your company record calls for quality assurance or other purposes? The PCI Security Standards Council has issued supplemental guidelines “Protecting Telephone-based Payment Card Data” for you to maintain PCI DSS ( Payment Card Industry Data Security Standards) compliance. The intent is to provide supplemental guidance, and does not replace or supersede PCI DSS requirements.
Why Telephone Card Payment Security is Important
In face-to-face and e-commerce environments, risk-mitigating technologies have helped significantly reduce fraud rates, resulting in a shift of card fraud towards the Mail Order / Telephone Order (MOTO) space. Additionally, a number of regulatory bodies are requiring some companies to record and store telephone conversations in a range of situations. The Payment Card Industry Data Security Standard (PCI DSS), however, stipulates that the three-digit or four-digit card verification code or value printed on the card (CVV2, CVC2, CID, or CAV2) cannot be retained after authorization, and full primary account numbers (PANs) cannot be kept without further protection measures.

As such, there is a risk that organizations taking customer payment card details over the telephone may be recording the full cardholder details to comply with various regulatory bodies, thereby causing them to be in contravention of PCI DSS requirements and potentially exposing cardholder data to unnecessary risk.

Recap: The PCI SSC FAQ
PCI SSC FAQ 5362 – Are audio/voice recordings containing cardholder data and/or sensitive authentication data included in the scope of PCI DSS?
This response is intended to provide clarification for call centers that record cardholder data in audio recordings, and applies only to the storage of card validation codes and values (referred to as CAV2, CVC2, CVV2 or CID codes by the payment brands).
It is a violation of PCI DSS Requirement 3.2 to store any sensitive authentication data, including card validation codes and values, after authorization even if encrypted.
It is therefore prohibited to use any form of digital audio recording (using formats such as WAV, MP3, etc.) for storing CAV2, CVC2, CVV2 or CID codes after authorization if that data can be queried; recognizing that multiple tools exist that potentially could query a variety of digital recordings.
Where technology exists to prevent recording of these data elements, such technology should be enabled. If these recordings cannot be data-mined, storage of CAV2, CVC2, CVV2 or CID codes after authorization may be permissible as long as appropriate validation has been performed. This includes the physical and logical protections defined in PCI DSS that must still be applied to these call-recording formats.

stored card data chart

August 2011 chart from PCI Security Standards

Note: Encrypting sensitive authentication data is not by itself sufficient to render the data non-queriable.
For data to be considered “non-queriable” it must not be feasible for general users of the system or malicious users that gain access to the system to retrieve or access the data. Access to the types of functions listed above must be extremely limited, explicitly authorized, documented, and actively monitored. Additionally, controls must be in place to prevent unauthorized access to these functions.
Other methods that may help to render SAD non-queriable include but are not limited to: a. Removing call recordings from the call recording solution b.    Taking the call recordings offline c.    Vaulting the call recordings d.    Enforcing dual access controls to the vaulted call recordings e.    Allowing only single call recordings to be retrieved from vaults

Before considering this option, every possible effort must first be made to eliminate sensitive authentication data. In general, no cardholder data should ever be stored unless it is necessary to meet the needs of the business. There must be a documented, legitimate reason why sensitive authentication data cannot be eliminated (for example, a legislative or regulatory obligation), and a comprehensive risk assessment performed at least annually. The detailed justification and risk assessment results must be made available to the acquiring bank and/or payment card brand as applicable. This option is a last resort only, and the desired outcome is always the elimination of all sensitive authentication data after authorization.    If technologies are available to fulfil PCI DSS requirements without contravening government laws and regulations, these technologies should be used.

The PCI Security Standards Council (PCI SSC) is not responsible for enforcing compliance or determining whether a particular implementation is compliant. It is the primary recommended source for all merchants to obtain current PCI DSS information.

Download the complete report here
PCI Data Security Standard (PCI DSS) Protecting Telephone-based Payment Card Data