EMVCo has announced the publication of the EMV 3-D Secure Protocol and Core Functions Specification v2.2.0.
14 December 2018 – EMVCo today announces the publication of the EMV® 3-D Secure Protocol and Core Functions Specification v2.2.0. The updated specification includes enhancements to promote an optimised consumer experience while supporting new authentication channels when making e-commerce transactions.
EMV 3DS is a messaging protocol that promotes frictionless consumer authentication and enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) ecommerce purchases. The additional security layer helps prevent unauthorised CNP transactions and protect the merchant from exposure to CNP fraud.
Version 2.2.0 builds upon the current specification version 2.1.0 which is available on the EMV 3DS Test Platform, enabling 3DS product providers to confirm that their solutions will perform in accordance with the specification. Support of v2.1.0 is required in order to implement v2.2.0. Key updates within version 2.2.0 include:
Improved communication between merchants and issuers, enabling Europe’s Second Payment Services Directive (PSD2) exemptions for Strong Consumer Authentication to be applied.
Two new features to enable authentication for various payment scenarios including mail order and telephone order transactions: 3DS Requestor Initiated (3RI) payments and decoupled authentication – allowing cardholder authentication to occur even if the cardholder is offline.
Expansion of existing data elements to promote communication of pre-checkout authentication events and associated data as part of the EMV 3DS transaction from systems such as those supporting the FIDO Alliance standards.
These enhancements are available if all 3DS components involved in the transaction have updated their software to support v2.2.0.
“EMV 3DS exists to promote secure, consistent consumer authentication for e-commerce transactions across all channels and connected devices, while optimising the cardholder’s experience,” comments Stephanie Ericksen, Chair of the EMVCo Executive Committee. “Our work in this area continues to evolve to ensure we respond to new marketplace requirements. EMVCo continues to encourage the payments community to get involved and provide feedback on the EMV 3DS activity.”
Earlier this year EMVCo announced the availability of the full EMV 3DS Test Platform, which enables the functional testing of EMV 3DS solutions. Letters of Approval are currently being issued for those 3DS products that have successfully tested against version 2.1.0. A list of approved products can be found on the EMVCo website. Products submitted for EMV 3DS v2.2.0 compliance testing will also be tested against EMV 3DS v2.1.0 to receive an EMV 3DS v2.2.0 Letter of Approval. Testing support for version 2.2.0 is expected to be available mid-2019. Progress updates will be posted on the EMVCo website. To stay informed of the latest EMVCo developments and receive advanced access to EMV Specifications and related documents, join the EMVCo Associates Programme or become a Subscriber.
Jul 22, 2019
Agreements Establish Restitution Fund for Consumers
ATLANTA, July 22, 2019 /PRNewswire/ — Equifax Inc. (NYSE: EFX) today announced a comprehensive resolution of significant U.S. consumer-related litigation and regulatory matters facing the company related to its 2017 cybersecurity incident.
The $671 million resolution includes settlement agreements that would resolve the multi-district consumer class action litigation, as well as investigations by the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), the Attorneys General of 48 states, Puerto Rico and the District of Columbia, and the New York Department of Financial Services (NYDFS).
If approved by the Court, a consumer restitution fund of up to $425 million will be available to pay for three-bureau credit monitoring for consumers whose information was impacted in the 2017 breach, actual out-of-pocket losses related to the breach, and other consumer benefits such as identity restoration services. Equifax has been providing free credit monitoring services to consumers since September 2017.
“This comprehensive settlement is a positive step for U.S. consumers and Equifax as we move forward from the 2017 cybersecurity incident and focus on our transformation investments in technology and security as a leading data, analytics, and technology company,” said Equifax Chief Executive Officer, Mark W. Begor. “The consumer fund of up to $425 million that we are announcing today reinforces our commitment to putting consumers first and safeguarding their data – and reflects the seriousness with which we take this matter. We have been committed to resolving this issue for consumers and have the financial capacity to manage the settlement while continuing our $1.25 billion EFX2020 technology and security investment program. We are focused on the future of Equifax and returning to market leadership and growth.”
As part of the resolution, Equifax has agreed to continue the significant steps it has taken in the wake of the cybersecurity incident to enhance its information security and technology program. It also has agreed to make payments totaling $290.5 million directly to certain state and federal regulatory agencies and to pay attorneys’ fees and costs in the multi-district litigation. Equifax recorded an accrual of $690 million in the first quarter of 2019 and expects to increase its accrual by approximately $11 million in the second quarter of 2019 principally related to the comprehensive consumer settlement, resulting in a total $701 million accrual related to the 2017 cybersecurity incident.
If the Court approves, members of the settlement class will receive notification of their rights and options as part of the multi-district litigation. More information can be found at www.equifaxbreachsettlement.com.
Additional detail on the terms of the proposed settlement is available in our Form 8-K filed today with the Securities and Exchange Commission.
Equifax CEO Mark Begor will provide details in the following conference calls:
9:00 a.m. ET: Conference call for investors, analysts and others. U.S. and Canadian participants should dial: (888) 254-3590. International callers should dial: (786) 789-4797. A replay of this conference call will be available beginning Monday, July 22 at 12:00 p.m. ET and ending at 12:00 p.m. ET on Monday, July 29. To access the replay, please register.
9:30 a.m. ET: Conference call for media. U.S. and Canadian participants should dial: (800) 289-0438. International callers should dial: (786) 789-4783.
Please dial the appropriate number 5-10 minutes prior to the start of the calls to complete registration. Name and affiliation/company are required to join.
Forward-Looking Statements
This release contains forward-looking statements and forward-looking information. These statements can be identified by expressions of belief, expectation or intention, as well as statements that are not historical fact. These statements are based on certain factors and assumptions. While the company believes these factors and assumptions to be reasonable based on information currently available, they may prove to be incorrect.
Several factors could cause actual results to differ materially from those expressed or implied in the forward-looking statements, including, but not limited to, potential adverse developments in new and pending legal proceedings or government investigations, including the failure to obtain final court approval of the agreements which make up the Consumer Settlement; uncertainties regarding the ultimate amount and timing of payments the Company may be required to make in connection with the Consumer Settlement; the cost of compliance with the Company’s non-monetary obligations associated with the Consumer Settlement; uncertainties regarding the outcome of the remaining legal proceedings or government investigations related to the 2017 cybersecurity incident; and limitations on the Company’s ability to access the capital markets and corresponding effects on the Company’s ability to finance its obligations. A summary of additional risks and uncertainties can be found in the Company’s Annual Report on Form 10-K for the year ended December 31, 2018, including without limitation under the captions “Item 1. Business — Governmental Regulation” and “— Forward-Looking Statements” and “Item 1A. Risk Factors,” and in the Company’s other filings with the U.S. Securities and Exchange Commission. Forward-looking statements are given only as at the date of this release and the company disclaims any obligation to update or revise the forward-looking statements, whether as a result of new information, future events or otherwise, except as required by law.
About Equifax Equifax is a global data, analytics, and technology company and believes knowledge drives progress. The Company blends unique data, analytics, and technology with a passion for serving customers globally, to create insights that power decisions to move people forward. Headquartered in Atlanta, Equifax operates or has investments in 24 countries in North America, Central and South America, Europe and the Asia Pacific region. It is a member of Standard & Poor’s (S&P) 500® Index, and its common stock is traded on the New York Stock Exchange (NYSE) under the symbol EFX. Equifax employs approximately 11,000 employees worldwide. For more information, visit Equifax.com and follow the company’s news on Twitter and LinkedIn.
Rules for storing and using stored cards changed for merchants in 2017, yet many payment gateways in 2019 still don’t support the transaction requirements, opening risk of issuer chargeback, fines, and assessments to merchants. Since the card networks are now notifying acquirers of non-compliant merchants, it’s time to get serious about making updates. This article updated authorize.net and Cybersource information on June 4, 2020.
The four types of stored credential transactions are recurring billing, installment billing and Unscheduled Credential On File, where buyer agrees to store the card and future transactions will be initiated either by merchant or buyer. Read more about the stored credential rules either by searching the blog for ‘credential’ or click here for card network rules. The payment gateway manages most of the compliance after merchants make the appropriate changes for standalone or integrated solutions, but merchants also have responsibility for getting the proper wording and opt-in record keeping for agreements to store cards.
Which payment gateways support authorization requirements for stored credentials? Ask gateways if they support your specific card not present transaction type. Even if they do, merchant compliance is not automatic and merchants cannot rely on web developers to automatically get them updated either. This list is valid as of today. Please comment below if you have new information about updates or more payment gateways to add to the list.
Authorize.net- No, see developer forum for note. 6/4/2020 update: Upon further information gleaned from various sources, merchants are being advised to ‘upgrade’ to Cybersource not only for stored credential but also Strong Customer Authentication (SCA2) and other items.
Bluepay- Unable to determine.
Braintree- Yes, added MasterCard 1/18/19, Visa 2018.
CenPOS– Yes, since 2017, all transaction types. CenPOS does not publish developer information online. See contact info below for sales, integrations and developer assistance.
Cybersource- When this blog post was published, the answer was no per this article (the original link to https://www.cybersource.com/mitsc_mandate/#1 is now 404, page not available; however, as of June 4, 2020, Cybersource documentation is still referring to the same broken page, which says they are getting ready). An April 21, 2020 note says they are ready on some processors: https://support.cybersource.com/s/article/Support-for-Merchant-Initiated-Transactions-and-Credential-on-File-for-Visa-Mastercard-and-Discover. I question the accuracy of the zip file contents here: https://support.cybersource.com/s/article/Support-for-Merchant-Initiated-Transactions-and-Credential-on-File-for-Visa-Mastercard-and-Discover
“1. Establishment of Relationship. The initial transaction must be identified as a COF transaction even when it is the first instance (whether a zero-dollar authorization or first transaction). The cardholder must be present for this initial transaction.”
I agree with the logic as it applies to Cybersource, however, “cardholder must be present” is not applicable to payment gateways, for example CenPOS, capable of dynamically delivering the correct authentication data regardless of channel at the time of authentication and also future transactions.
Ingenico- Maybe. Yes, with Ingenico ePayments DirectLink on the international web site, but I was unable to find the related developer code for updating US ePayments needs.
Vantiv/WorldPay- Maybe. With the merger of these companies, merchants might or might not be using a payment gateway that supports it. Developer info for Worldpay.
How can you easily identify if you’re compliant with card network rules? Here are a few items to check for:
Is there a checkbox for customer to accept terms?
Are you asking for the security code? While not required if using alternative 3-D Secure cardholder authentication, in my experience, if you’re not asking for it, it’s outdated 100% of the time.
This article is not meant to be a comprehensive list of requirements and may be outdated. The most important takeaway is merchants and developers should not assume that their partners are automatically keeping them current or compliant with the latest rules for card acceptance compliance. In fact, with the update in 2020, it’s coming up on THREE YEARS since the rules went into effect. For continuous compliance, you need a trusted payments expert that knows the rules. Developers can implement programming, but are not experts in processing.
Call Christine Speedy, CenPOSGlobal Sales. 954-942-0483, 9-5 ET for a payment gateway compliant with stored credential rules that can be quickly implemented. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.
What’s an economical payment gateway for D365? One that enables business to qualify for the lowest rates possible for any given card type, mitigates chargeback risk, and creates efficiencies. Many businesses using AX 2012 and D365 need to store a card and charge on demand. To qualify for the lowest rates and mitigate risk of penalties and fines, compliance with the card network rules is required.
Minimum requirements to potentially qualify for the best rates are:
For card not present payments, including invoice portal, support 3-D secure; some issuers offer a lower rate averaging 20 BPS (.20%) less.
Compliance with 2017 Visa stored credential mandate (which will also get you compliant with MasterCard etc). Many payment gateways do not support this yet. Ask, “Do you support ‘Unscheduled Credential On File’ rules?” (store the card, charge on demand). Currently authorize.net, Red Maple and Payflow Pro do not.
If doing preauthorizations, a method to reauthorize expired auths, and a method to make initial and final auth the same amount if it changes after the preauth. Failure to do so increases the qualified credit card rate an average of 30% for businesses on pass-through interchange pricing.
Reversing unused authorizations; Mastercard penalty is now a hefty .25% for misuse of authorization.
Call Christine Speedy, CenPOSGlobal Sales. 954-942-0483, 9-5 ET for a D365 payment gateway that can be quickly implemented.
Need an alternative to Authorize.net to comply with stored credential rules, including for both recurring and Unscheduled Credential On File? Authorize.net does not yet offer a solution for Visa stored credential or Mastercard. This includes both merchant initiated transaction and customer initiated transaction in addition to the other items in the Visa Stored Credential Transaction framework and mandates effective October 14, 2017.
The payment gateway is the biggest piece of the puzzle for compliance. My clients were compliant back in 2017. Whether integrated or standalone, I can help you comply with this and many other rules that impact merchant fees and chargeback risk. Even B2B companies that never have chargebacks are at risk.
Call Christine Speedy, CenPOSGlobal Sales. 954-942-0483, 9-5 ET for all your recurring billing and stored credential payment gateway and virtual terminal needs.