Need a QIR in South Florida?

A certified Qualified Integrator and Reseller (QIR) is required for any third-party credit card point-of-sale solution installation. Qualified Integrators and Resellers are specially trained by the Payment Card Industry (PCI) Security Standards Council to address critical security controls while installing merchant payment systems. Christine Speedy is located in South Florida and is QIR certified. The same applies after the sale: no third party can modify or touch the system unless QIR certified.

The mandate is only for level 4 merchants, due to more frequent security problems. For example, 80 percent of small merchant breaches are associated with insecure POS implementation and servicing by integrators and resellers. Level 4 merchants are defined as less than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually.


The council changed the QIR certification requirements after my certification in an effort to reduce barriers to certification, both financially and in the depth of training. While QIR certification always was for individuals, it was tied to companies. The tie to companies has been removed, so as QIRs change jobs the certification is not disrupted. Due to this change, the PCI council recently updated the website search navigation. My company used to be the first listing when you clicked on the QIR link. Now, the only way to find me or any other QIR certified person is to do a search. You can find Christine by searching for Christine Speedy in Florida.

Do you need a QIR in another state? Just ask.

Christine Speedy, Founder 3D Merchant Services, is a credit card processing expert with specialized expertise in card not present and omnichannel technology. Christine is an authorized reseller for Elavon and CenPOS products and services, in addition to other solutions.

2020 Merchant Credit Card Data Breach List

Updated June 2020, not all inclusive. Is your business safe from a credit card data breach? The list below highlights some credit card data breaches and the primary cause at the time the data breach was announced. While malware reigns as a top cause of payment data breaches, employee theft is still a problem too. To make the list, typically companies are only listed if full card data is stolen.

Restaurants

January 2020: Landry’s owns over 600 popular American restaurants across the U.S., including Del Frisco’s Grill, Joe’s Crab Shack, Bubba Gump, Rainforest Café and more. This is the second data breach since 2016, a result of POS malware. Some waitstaff were accessing an old system with card swipers without end-to-end encryption. TIP: When updating systems, remove all old terminals from the facility; leaving them on site commonly leads to reuse. As a consumer, avoid any place that uses card swipers.

Retail & Ecommerce

January 2020: Hanna Andersson: online store Magecart malware in their Salesforce Commerce Cloud (previously known as Demandware). I loved this brand when my kids were growing up. Criminals are hacking into vulnerable e-commerce platforms used by online stores and injecting malicious JavaScript-based scripts into checkout pages that collect the customers’ payment info and send it to attacker-controlled remote sites. This is an old problem that updated checkout code prevents.

March 18, 2020: TrueFire online store malware Magecart attack, stolen card numbers for 6 months. Ouch.

June 15, 2020: Claire’s, online store only, Magecart attack. Uses Salesforce Commerce Cloud, previously known as Demandware. This appears to be a new twist on the Magecart breach.
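A defender-side check for the injected-script problem in the Magecart entries above, as an added example (not code from the original post or from any vendor named here): it lists the scripts on a checkout page and flags ones served from unapproved hosts, third-party scripts without a Subresource Integrity attribute, and inline scripts that do not match a reviewed hash. The host names, allowlist and sample page are constructed for illustration.

```python
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

class ScriptAudit(HTMLParser):  # records every <script> that was not reviewed
    def __init__(self, page_host, allowed_hosts, approved):
        super().__init__()
        self.page_host = page_host
        self.allowed = set(allowed_hosts) | {page_host}
        self.approved = approved  # SHA-256 hex digests of reviewed inline code
        self.findings, self._inline = [], None  # _inline buffers inline text

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        a = dict(attrs)
        if not a.get("src"):
            self._inline = []  # inline script: collect its text until </script>
            return
        # A relative URL has no hostname, so it is served by the page's own host.
        host = urlparse(a["src"]).hostname or self.page_host
        if host not in self.allowed:
            self.findings.append(("unapproved-host", a["src"]))
        elif host != self.page_host and not a.get("integrity"):
            # Approved third party, but nothing pins the file's contents.
            self.findings.append(("missing-sri", a["src"]))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            body = "".join(self._inline).strip()
            if body and hashlib.sha256(body.encode()).hexdigest() not in self.approved:
                self.findings.append(("unapproved-inline", body[:40]))
            self._inline = None

def audit_checkout(html, page_host, allowed_hosts, approved):
    parser = ScriptAudit(page_host, allowed_hosts, approved)
    parser.feed(html)
    return parser.findings

# Constructed sample page and allowlist (hypothetical hosts, not a real store).
SAMPLE = """<script src="/static/checkout.js"></script>
<script src="https://js.payments.example/fields.js" integrity="sha384-PLACEHOLDER"></script>
<script src="https://js.payments.example/extra.js"></script>
<script src="https://cdn-metrics.example.net/a.js"></script>
<script>initCheckout();</script><script>loadWidget();</script>"""
APPROVED = {hashlib.sha256(b"initCheckout();").hexdigest()}
FINDINGS = audit_checkout(SAMPLE, "shop.example", {"js.payments.example"}, APPROVED)
```

Run against the rendered checkout page on a schedule, a non-empty result means a script appeared or changed without review; the check only confirms that an `integrity` attribute is present, not that its hash is correct.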

Technology

April 22, 2020: Paay, a NY card payments processor startup, left a database containing 2.5 million card transaction records accessible online without a password. The exposed payment transaction data, belonging to 15 to 20 merchants, includes the full plaintext credit card number, expiry date and the amount spent.

January 28, 2020: Cornerstone Payment Systems, a Christian-friendly company that does “not process credit card transactions for morally objectionable businesses,” left a database with customer payment transaction data online. The database contained 6.7 million records since 2013, and was updating by the day. The database was not protected with a password, allowing anyone to look inside. While there was not full card data taken, I felt it notable to list.

April 2020: nCourt runs two payment sites, courtpay.org and utilitypay.org, using a system called GovPSA. Only hashed data was stolen, but it is newsworthy because the affected data was from a legacy system, and legacy systems commonly have security issues. The first and last four digits were exposed with other card data from at least three years’ worth of transactions up to and including November 2019.

April 6, 2020: Key Ring, a digital wallet app, left stored customer data of 14 million users accessible in an unsecured database. Users store scans and photos of membership and loyalty cards to a digital folder in their mobile device. The exposed data includes names, full credit card details (including CVV numbers)

North Country Business Products (NCBP), a Minnesota-based provider of point-of-sale (POS) products, initial breach report roughly January 2, 2019 to January 25, though for most, the window is just a day or two. Mostly restaurants and small businesses, usually “level 4” merchants requiring a PCI Council Qualified Integrator and Reseller for point-of-sale installation. QIRs are integrators and resellers specially trained by PCI Security Standards Council to address critical security controls while installing merchant payment systems. North Country Business Products has a lot of QIRs. At least 139 impacted restaurants with credit card data breach dates here. NCBP POS systems are installed at over 6,500 locations.

Don’t be the next credit card data breach victim!

Christine Speedy is Qualified Integrator and Reseller certified by the Payment Card Industry Security Standards Council. QIRs are integrators and resellers specially trained by PCI Security Standards Council to address critical security controls while installing merchant payment systems. QIRs reduce merchant risk and mitigate the most common causes of payment data breaches by focusing on critical security controls. Call Christine for technology, merchant services and check processing needs.

Credit Card Processing from AX to D365 F&O

Upgrading from Dynamics AX to D365 Finance & Operations?

Consultants help with planning and migration, however, when it comes to choosing a payment connector to capture revenues, engaging a payment processing professional can save boatloads of time and money. Why?

  1. The payment connector, including payment gateway, influences credit card processing fees. Compliance with authorization and settlement rules is complicated and connectors manage processes differently because of where they are in technology development. It’s the single largest influencer of fees and penalties you’ll pay. Look at this MasterCard Integrity Fee on a Chase Paymentech merchant statement:
mastercard PROCESSING INTEGRITY FINAL ATH

$536,042.54 multiplied by a .25% penalty fee for a total of $1,340.10 in avoidable costs. This is due to not properly authorizing and settling transactions, including reversals for unused authorizations. There are many ways to get authorization penalty fees and I’ve written multiple articles about them, including this on the Visa Stored Credential Mandate.

2. The payment connector makes a huge difference in internal automation for related processes, such as updating journals, as well as external customer automation including self-service access to invoices, payment history, managing payment methods and more.

3. The ISV payment connector package may include other items in your development road map. An independent payment processing professional will assess needs and provide insights on multiple connectors to help guide your business to the best choice. Which support the stored credential mandate for unscheduled credential on file? How will it help meet current and future Covid-19 side effect needs? How will it protect the business from a data breach as a result of workers at home?

In my experience, consultants don’t consider the payment connector until the project is defined and well under way, a contributing factor in why more than 50% of ERP implementations fail to meet time, budget, or benefit objectives. Specification decisions are based on ‘securing payments’, without knowing how the connector might already have built-in solutions for other areas including customer service, sales, accounting, call center and more. If brought in sooner, the payments professional can eliminate some customization and reduce implementation time and costs, while improving immediate benefits.

To summarize, a flip phone and a smart phone are both capable of making phone calls, but the experience is completely different. Which would you prefer?

Christine Speedy, 3D Merchant blogger and CenPOS Global Sales, 954-942-0483 is an Independent Payments Professional and is independently Qualified Integrator Reseller (QIR) certified by the PCI Council.

Elavon wins best CNP credit card processor awards

Elavon receives industry recognition for the third consecutive year

Elavon, a global payments provider and subsidiary of U.S. Bank, won both the Judges Choice and People’s Choice awards for best processor at the 2020 Card Not Present (CNP) Awards, sweeping the Best Processor category for the third year in a row.

Best Processor: Judges Choice

The company provides end-to-end payment processing solutions and services to more than 1.3 million customers in the U.S., Europe, Canada, Mexico and Puerto Rico. It transmits data safely three billion times each year and enables $300 billion worth of commerce. Its solutions are designed to solve pain points for small to enterprise-sized businesses.

“Elavon has been a leader in payment processing, leveraging the world’s best technologies for our partners from large worldwide enterprises, to locally owned small businesses,” the company said. “We extend powerful payment solutions for all payment types and processing environments, ensuring that your business is well-connected. Elavon is consistently rated among the top global payment providers, with more than one million customers trusting us to process their payments.”

Last year Elavon also won Best Processor in both categories.

Christine Speedy, Founder 3D Merchant Services, is a credit card processing expert with specialized expertise in card not present and is an authorized reseller for the suite of Elavon products and services. Christine is also a Qualified Integrator and Reseller certified by the Payment Card Industry Security Standards Council, a requirement for all level 4 merchants, defined as less than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually. Services include standalone and integrated technology, optional merchant services and other solutions. 954-942-0483.

Remote checkout with credit card

Businesses are shifting to remote credit checkout to avoid close contact with customers. Remote checkout systems range from cheap to pricey, but when comparing safe and secure solutions, it’s important to know what questions to ask to maximize profits and mitigate risk. In particular, telephone credit card transactions, text, and work from home practices directly impact profits and risk.

A popular practice is to eliminate customer entry into facilities. Communication methods include expansion of telemedicine and secure portals. Two areas are lacking: text and credit card payment. Even the most advanced facilities fall short in one way or another.

Credit card number via phone problems for typical retail merchant account:

  1. Merchants are prohibited from writing sensitive cardholder data on paper (Visa sec. 5).
  2. Key entering into computer:
    1. Results in 100% invalid, yet issuer-approved, authorizations*, typically increasing costs 30-100% per transaction.
    2. Increases data breach risk, with home and office hardware and network in scope for Payment Card Industry Data Security Standards (PCI).
    3. Employee access to cardholder data is an added risk.
  3. Key entering into desktop terminal:
    1. Same authorization problem as above (see merchant statement for non-qual, STD, EIRF, Level I etc.).
    2. All transactions at risk of consumer or issuer chargeback since EMV chip/swipe data expected but not received.
  4. Ties up phone lines for already overwhelmed staff; another data breach risk.
  5. Note: Digital forms that can be decrypted are unacceptable.
  6. If storing/tokenizing cardholder data, most solutions are PCI compliant, but not compliant for network (Vcardholder agreement and future transaction authorizations

Card not present alternatives:

SMS/text with secure pay

  1. 80-95% of Americans have a smart phone; all age groups, including seniors, are texting
  2. Puts customers in control of entering, storing, managing cardholder data

Email with secure pay: also eliminates employee access to cardholder data. A growing threat is business email compromise, with phishing schemes increasing during the Covid-19 crisis.

Hosted pay page- I do not recommend as this is not efficient during quick check in and check out needs.

What merchants should look for in vendor solutions:

  1. 3-D Secure cardholder authentication for customer initiated payments; qualify for reduced card not present rates plus fraud disputes for “I didn’t authorize” disappear. The benefit is much like EMV chip for retail, and merchants can save even more on interchange fees for some cards due to lower risk.
  2. 3rd party app or web based solution that segregates all devices, hardware and networks from scope for PCI, including key entered transactions; The latter can be managed via special terminal, app, or encrypted virtual keypad, perfect for workers at home and on the go.
  3. 3rd party app or web based text solution that eliminates client data from employee devices and hardware, and is compliant with various text/telecom rules (FCC, TCPA etc). If employees are texting on their devices, it’s incredibly difficult or impossible to get that data later if needed in a legal dispute.
  4. Checkout option to enter authorized 3rd party for animal pick up, time of day, and even details about car or truck if desired.
  5. Automated authorization optimization for card present, phone order, card on file and customer initiated transactions. This is either managed by technology (preferred) or multiple merchant accounts. Ok, many probably don’t know what this means, but it’s the difference between employees having to optionally take certain steps and technology automatically managing it.
  6. One-way texting with payment collection has minimal additional compliance burden for various rules.
  7. Two-way texting is much more robust, with even more upside for efficiency (think photo/video, updates throughout the stay, promotional link with notification animal entered surgery, survey at end, and continued opt-in to future marketing). The value of opted-in marketing, when used wisely, cannot be overstated.

Merchants will benefit from increased approvals, more profits, happier customers, less phone time, and more secure operations. All of this adds up to both internal and external customer experience improvements during a stressful time dealing with Covid-19 repercussions and beloved animals needing urgent care.

Christine Speedy’s Analysis:

Merchants lack the right technology tools, which have been used by other industries for years, to meet new card not present requirements while maximizing profits and mitigating risk. Rapid adoption will reap virtually immediate rewards.

* Issuers will approve most requests if funds are available, but merchants must comply with various card acceptance rules based on how an authorization is requested or pay penalties. For example, a retail merchant account requires EMV chip or swipe data. When they don’t get it, penalties apply. Solutions to dynamically qualify per different rules require a technology update, typically via a 3rd party solution.

Research Links:

Card network rules: http://3dmerchant.com/blog/merchant-bulletins-downloads

PCI Compliance: pcisecuritystandards.org

Christine Speedy, Founder 3D Merchant Services, is a credit card processing expert with specialized expertise in card not present and omnichannel. Christine is Qualified Integrator and Reseller certified by the Payment Card Industry Security Standards Council, a requirement for all level 4 merchants, defined as less than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually. Services include standalone and integrated technology, optional merchant services and other solutions. 954-942-0483.

For more 3D Merchant Services news and information, visit 3Dmerchant.com or  https://www.linkedin.com/in/cspeedy

Contacts:

Christine Speedy

954-942-0483