Delay in Compliance Action for Visa Stored Credential Framework

From the Visa Merchant Business News Digest, October 17, 2017.

In the 1 September 2016 edition of the Visa Business News, Visa introduced new rules related to credential-on-file transactions, including merchant disclosure requirements and transaction identifier requirements, which went into effect for merchants and acquirers on 14 October 2017.

However, based on stakeholder feedback, and after assessing market readiness and taking into account the holiday season system freeze, Visa will extend the time to make the necessary system changes until 30 April 2018.

While the rule is still effective as of 14 October 2017, Visa will not take any compliance action or assess non-compliance assessments to non-compliant entities prior to 30 April 2018. Entities that comply with the rule by 30 April 2018 will not be required to submit a waiver request to Visa.

https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html

End Visa bulletin.

The stored credential framework applies to all merchants that store credit cards. Note, while some stakeholders were not ready as per the above statements, CenPOS was. CenPOS replaces other payment gateways, for example authorize.net, as well as solutions such as BillTrust, while enabling customers to keep their acquirers and other partners.

See more info here https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf

Christine Speedy, CenPOS authorized reseller, 954-942-0483. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

Test and fix TLS 1.0 to TLS v1.2 for merchant non-compliance notice

To keep your data safe, the Payment Card Industry Security Standards Council (PCI SSC) has mandated a security upgrade impacting all merchants where web browsers can be used in the payment process. Acquirers and payment gateways have set various deadlines in advance of the required PCI TLS v1.2 Security Protocol Upgrade by  2018. Either hardware may need to be replaced or software updated.

Recently, multiple vulnerabilities have been uncovered, and criminals are exploiting them at far higher levels than in prior years. Security company Zscaler blocked an average of 8.4 million SSL/TLS-based malicious activities per day in the first half of 2017 for its customers on its Zscaler cloud platform. That’s why all merchants need to upgrade to the most current version of TLS (Version 1.2) and should do so as soon as possible. Because this is an absolute necessity, merchants are getting emails about hard stop dates; if not fixed, merchants will not be able to process transactions after the deadline.

TLS Deadlines vary by acquirer and payment gateway. Dates have been changing due to non-compliance so check with your partners.

  • Chase Paymentech, September 30, 2017.
  • Authorize.Net, February 28, 2018.
  • First Data varies by solution. Datawire will remove SSL v3, TLS v1.0, and TLS v1.1 on February 15th 2018.

TLS 1.0 and TLS 1.1 need to be disabled from browsers, servers and related applications. SSL 3.0 should have been disabled years ago.

Do not rely on server host companies or consultants to do this for you. It’s up to merchants to maintain PCI Compliance. If you get a notice of non-compliance from your acquirer and use a virtual terminal, test your browser below.

FREE Test SSL/TLS for Browser and Servers and updating TLS for card not present transactions:

Free SSL and TLS test from Qualys. https://www.ssllabs.com/ssltest/index.html.  If you get a YES next to TLS 1.0, SSL 3, or SSL 2, then hardening is needed.

Try updating your browser and then run the test again. If the browser is current, go to your web browser settings or preferences and disable SSL and TLS 1.0. Run the same test on your web site. If you get a yes, go to your host administration and disable those protocols in the security settings.
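A local counterpart to the server test above, as an added example that is not part of the original post: it offers one protocol version at a time to a server you administer and lists the legacy versions still accepted. The function names are illustrative, and the probe skips certificate validation because only the protocol version is under test.

```python
import socket
import ssl
import sys
import warnings

# Versions named on this page: TLS 1.0 and 1.1 must be off, TLS 1.2 on.
LEGACY = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1)
PROBED = LEGACY + (ssl.TLSVersion.TLSv1_2,)


def pinned_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Only the protocol version is under test, so skip certificate checks.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Default security level blocks TLS 1.0/1.1 on many builds; lower it here.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # library without security levels: keep its default ciphers
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx


def probe(host, port, version, timeout=5.0):
    """Return 'accepted', 'rejected', 'unreachable' or 'untestable'."""
    try:
        ctx = pinned_context(version)
    except ValueError:
        return "untestable"  # local OpenSSL build lacks this version
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "accepted"  # handshake completed at this version
    except OSError:  # includes ssl.SSLError and timeouts
        return "rejected"
    finally:
        sock.close()


def needs_hardening(results):
    """Names of the legacy versions the server still accepts."""
    return [v.name for v in LEGACY if results.get(v) == "accepted"]


def audit(host, port=443):
    results = {v: probe(host, port, v) for v in PROBED}
    return results, needs_hardening(results)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: tls_check.py <hostname of a server you administer>")
    results, weak = audit(sys.argv[1])
    for version, outcome in results.items():
        print(f"{version.name}: {outcome}")
    print("Disable:", ", ".join(weak) if weak else "nothing, legacy TLS is off")
```

A `rejected` result for TLS 1.0 or 1.1 can also mean the local OpenSSL configuration cannot offer that version, so confirm a clean result with the Qualys test.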

What is TLS Security Protocol?

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are both frequently referred to as “SSL”. When you go to a web page and the URL is “https”, the S stands for secure, and the domain host has a security certificate installed and enabled on the web host. Websites use TLS to secure all communications between their servers and web browsers, for example when a merchant logs into a virtual terminal using a web browser, or when a customer makes a payment online via a hosted pay page or ecommerce shopping cart.

 

Christine Speedy, CenPOS authorized reseller, 954-942-0483. B2B cloud payments solutions and CenPOS enterprise cloud payment solutions expert.

Mastercard Simplifies Managing Your Digital Footprint with Launch of Consumer Control

New solution will help the 60 percent of people who say they don’t know where their card credentials are stored

PURCHASE, N.Y. – October 23, 2017 – Do you know all the places you’ve stored your payment card details? From shopping sites to billers, keeping track of where your card credentials are held can be a daunting task. Today, Mastercard Consumer Control was introduced to address just this. The solution provides consumers a central view of where their cards are stored across all digital channels, as well as the ability to control how, when and where those cards are used.

This solution enables consumers to look no further than their own trusted bank or credit union to take control of their digital payment footprint – across devices and channels. Through this solution, issuers can help their cardholders more easily add their cards to their preferred shopping sites and payment devices, and optimize spend across the digital ecosystem.

“As digital payments continue to evolve, cardholders have more and more options to enable new types of devices for payment, and to pay in new ways online and in-app,” said Jessica Turner, executive vice president Digital Payments & Labs, Mastercard. “In our ongoing commitment to deliver consumer-centric solutions, Mastercard is introducing a series of APIs that will give the consumer direct control to view where their card is stored and manage spend across all digital channels – all from right within their mobile banking app or website.”

Your Bank Your Control

According to the findings of a recent Mastercard study, about three-quarters (73%) of Americans are interested in digital management of their credit/debit card information, and they want it from their bank or credit union. Mastercard Consumer Control uniquely empowers issuing partners to deliver a bank-branded, all-digital payment solution to provide consumers full oversight of their digital payment footprint. The solution helps issuers differentiate their mobile banking offering by adding powerful new functionalities. First Tech Federal Credit Union will be among the first issuers to support Mastercard Consumer Control.

The Simplest, Most Secure Path Forward

Mastercard is also partnering with token service providers, merchants and device manufacturers like Fitbit (NYSE: FIT), Fitpay and Garmin to enhance the overall consumer experience while delivering a streamlined solution across card on file and IoT devices. Layering services including tokenization with bank identification and verification of cardholders, Mastercard Consumer Control also leverages the most advanced security methods today. And with more than three quarters (78%) of survey respondents hesitant to store their financial information online, this added peace of mind is critical.

Consumer Control is one of the more than 35 APIs available through our Mastercard Developers portal. Mastercard envisions a future powered by an API for everything – one that inspires innovators to bring their ideas to life by plugging our technology into their solutions without having to start from scratch. Through our Payments, Data Services and Security APIs, we enable customers and partners to easily integrate Mastercard proprietary technology, products and services into their digital solutions. In the last year alone, the Mastercard API Platform has seen a 400% increase in usage.

About Mastercard

Mastercard (NYSE: MA), www.mastercard.com, is a technology company in the global payments industry. We operate the world’s fastest payments processing network, connecting consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. Mastercard products and solutions make everyday commerce activities – such as shopping, traveling, running a business and managing finances – easier, more secure and more efficient for everyone. Follow us on Twitter @MastercardNews, join the discussion on the Beyond the Transaction Blog and subscribe for the latest news.

Visa ID Intelligence Moves Payment Security Beyond Passwords

Biometrics and other authentication technologies help the payment industry create seamless and secure commerce experiences

SAN FRANCISCO–(BUSINESS WIRE)–Oct. 19, 2017– Visa (NYSE:V) today announced Visa ID Intelligence, a platform that allows issuers, acquirers and merchants to quickly adopt emerging authentication technologies and create more secure and convenient ways for consumers to shop, pay and bank on their connected devices. Available through Visa Developer Platform, Visa ID Intelligence offers a curated selection of leading third-party authentication technologies with simple integration using Visa APIs and SDKs—allowing clients to create, test and adopt new authentication solutions.

The Internet of Things is expected to grow to 20 billion connected devices by 2020, exponentially expanding the devices and environments in which commerce can take place—from wearables, such as rings and watches, to home personal assistants and connected cars. Many of these devices are voice activated and not designed for typical passwords—requiring a new approach to authentication, such as face, fingerprint or voice recognition, document verification, or device and user identification. A 2017 Visa survey showed that 69 percent of US consumers believe that biometric authentication will make payments easier than using passwords.

“A consumer encounters many authentication moments during the course of a day, whether making a payment, checking a balance, or sending money to family and friends,” said Mark Nelsen, senior vice president of risk and authentication products, Visa. “But traditional methods for authenticating a customer can create frustration or are simply not designed for the new ways people are shopping and paying. We built Visa ID Intelligence to help accelerate smarter and easy-to-use authentication solutions for any commerce environment—to better protect against fraud and to move closer to a world without passwords.”

Recent Aite Group research found that, as the speed and complexity of fraud and cyberattacks increases, institutions and companies must look to nimble technology solutions that provide consumers with security as well as convenience. While many competitors offer solutions, not all of them are ideal for the payments industry and the high level of privacy, security and regulatory oversight that are required for financial transactions. Financial institutions and merchants can adopt effective and secure solutions and accelerate time-to-market with streamlined onboarding and implementation through Visa as a single trusted source. Visa has vetted technology providers to ensure they meet industry expectations for security and consumer privacy, including onsite Visa security assessments, penetration testing, and ongoing compliance audits. The platform also enables simplified contracting, saving clients potentially months of negotiations.

“Financial institutions and merchants are working hard to create streamlined and delightful digital experiences,” said Julie Conroy, research director, retail banking practice, Aite Group. “At the same time effective consumer authentication is critically important, given the escalating cyber threat landscape. The good news is that a variety of technologies can help businesses find the win-win, providing superior security while at the same time removing unnecessary friction.”

Authentication Capabilities

Today, Visa ID Intelligence features include:

  • Identity Documents evaluates identification documents and matches selfies to photo IDs (e.g., driver’s license, passport, military ID), while extracting and converting document information into digital form. This authentication process can help financial institutions or merchants make smarter decisions and instantly provision banking services. Uses include creating new accounts, and as an alternative to customer service calls to perform password reset and lost or stolen card replacement. Au10tix provides identity document services through the Visa ID Intelligence platform.
  • Biometrics – allows clients to use biometrics such as face, fingerprint and voice to create simpler authentication experiences that meet consumer needs for convenience, security and speed. Applications include app login, payments, step-up authentication, and more. Daon, a global authentication and identity assurance solutions provider, will offer Visa ID Intelligence biometric authentication services.

Visa ID Intelligence offerings will expand in 2018 to user data and device data to improve digital identity decisioning, working with Neustar and ThreatMetrix. More information about Visa ID Intelligence can be found at www.visaidintelligence.com.

About Visa Inc.

Visa Inc. (NYSE: V) is the world’s leader in digital payments. Our mission is to connect the world through the most innovative, reliable and secure payment network—enabling individuals, businesses and economies to thrive. Our advanced global processing network, VisaNet, provides secure and reliable payments around the world, and is capable of handling more than 65,000 transaction messages a second. The company’s relentless focus on innovation is a catalyst for the rapid growth of connected commerce on any device, and a driving force behind the dream of a cashless future for everyone, everywhere. As the world moves from analog to digital, Visa is applying our brand, products, people, network and scale to reshape the future of commerce. For more information, visit usa.visa.com/aboutvisa, visacorporate.tumblr.com and @VisaNews.

Source: Visa Inc.

B2B Steps to Visa Stored Credential Mandate Compliance

How can merchants get compliant with the Visa Stored Credential Transaction framework and mandates effective October 14, 2017?

Step by step getting started guide for B2B merchants:

Plan how you’ll comply with consent record requirements. See Improving Authorization Management for Transactions with Stored Credentials https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf . Are you going to manage documenting everything or are you going to use technology to help you manage it? Ask your gateway if they’re going to provide a checkbox for consent and if you’ll be able to pull the opt-in records on demand. CenPOS, a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement, automates multiple elements for clients.

Partial CenPOS PCI Compliant stored credential authorization form.

Update workflow and documents. Ensure your sales order or associated credit documents include sale, refund and cancellation policies. Add a checkbox for customer opt-in to terms, including online payments. CenPOS has an opt-in box and you can customize the text.

[Image: hosted online pay page]

Verify if you have a system to manage authorization validity. What the heck does that mean? Many B2B companies have complex needs including pre-authorizations, incremental authorizations, delayed shipping etc. While you may get issuer approvals, that doesn’t mean the authorization is valid. The two most common rules B2B businesses struggle with are “Settlement within timeframe for card not present sales” and “Authorization amount and settlement amount must be equal”. Per Visa Core Rules October 2017, for typical distributor and manufacturer card not present transactions, the authorization must settle no later than 7 calendar days from the date of the initial Approval Response. CenPOS automates compliance. Other payment gateways are incapable or may leave it up to developers to create a solution. Are you compliant now? Look at your merchant statement ‘pending interchange fees’. If you see EIRF or STD, that’s a red flag there’s a problem.

Replace paper credit card authorization forms, and any digital form from which you can decrypt and view sensitive card data. Offer your customers a way to self-manage their own wallet with either a hosted online pay page or Electronic Bill Presentment & Payment. CenPOS offers both options, including a lite ‘request a payment’ option, and lets your customers choose both text and email. For those not ready to give up paper, CenPOS creates a printable PCI Compliant credit card authorization form for every stored card.

New to online payments? See Visa best practices to prevent brute force attacks: https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html. CenPOS includes reCAPTCHA and client-managed velocity and other rules as part of a layered security approach.

Verify your gateway is ready or will be ready to send correct transaction data for the initial transaction and subsequent transactions for both customer initiated and merchant initiated use of the stored credential.  You’ll want the payment gateway to perform a zero dollar authorization and authenticate the cardholder with 3-D Secure. Ask your gateway if it will automatically flag a transaction as customer initiated stored credential or merchant initiated stored credential, or if they’ll require you to have multiple gateway accounts, one for each type. CenPOS does all this for you now in a single account.

Get an ecommerce merchant account. This is needed for online payments. Don’t run mail order telephone order (MOTO) transactions on the ecommerce account unless you know your payment gateway can alter the flag sent with the transaction to change the transaction type. Many cannot. CenPOS manages all compliance seamlessly in the background; whether you need multiple merchant accounts varies by acquirer/processor.

Register for 3-D Secure, including Verified by Visa, with your acquirer. Don’t do this until you know which payment gateway will be used and get their instructions if applicable.

Communicate with customers. Advise them that any upcoming changes will increase efficiency and security for everyone.

Why comply? With full compliance, merchants can expect better qualified interchange rates, increased approvals (avoid declines based on issuer risk averse algorithms), reduced PCI Compliance burden, and increased efficiency for both buyer and seller. The cost of non-compliance is hefty, including higher interchange rates, penalty fees, and risk of both issuer and cardholder chargebacks.  

[Image: interchange rate qualification]

The same transaction can process at different rates as shown above, depending on which rules you follow. CenPOS Smart Rate Selector automates compliance to qualify transactions at the lowest rate possible. Which rates are on your merchant statement now?

Why should developers choose CenPOS for their integrated payment gateway? CenPOS has native modules for ERP, shopping cart, accounting and other software.

  • Increase profits faster
  • More efficient, quicker reconciliation
  • More secure- from Encrypted Virtual Keypad to elimination of credit card auth forms
  • More robust- Wire, ACH, check, Paypal, credit card and more; text and email payments supported. No 3rd party Electronic Invoice solution needed such as BillTrust; CenPOS invoice portal and automated collections included.

Where can I buy CenPOS or learn more? You’ve already found one of the top salespeople, Christine Speedy. All agreements are direct with CenPOS, no middle man.

Resources and documentation: https://3dmerchant.com/blog/merchant-bulletins-downloads – bookmark it! Join Christine Speedy’s email list.

DISCLAIMER: condensed and incomplete information! Information may be quickly outdated.

With the fast pace of changing rules, companies need a technology partner to automate compliance. Did you know?

  • CenPOS has a suite of solutions for companies just like yours, solving common problems and increasing profits virtually overnight.
  • For those not ready to give up paper, CenPOS creates a printable PCI Compliant credit card authorization form for every stored card.
  • CenPOS has ERP, ecommerce shopping cart, accounting and other plug-in modules available for quick and easy implementation.
  • I’ve been selling for CenPOS since day 1. Though I have other payment gateways available in my arsenal, nothing else compares for meeting business to business needs.

Christine Speedy, CenPOS authorized reseller, 954-942-0483, is based out of South Florida and NY.