Chip-and-PIN, or Chip-and-Choice? EMV Liability Shift For PIN Transactions

Posted on December 7, 2016 by Christine Speedy

With US EMV adoption well under way in the US, merchants are in the next phase of decision making for their EMV environment, for those terminals and solutions that support it. Should I force chip and pin when the issuer supports it, or should I allow chip and choice? It’s a tough decision and the answer is not the same for everyone.

Point-of-Sale (POS) systems vary in both implementation and capability. For example, a salesperson for a popular POS solution I spoke to told me they don’t support chip and pin. He actually said, “Since debit card processing costs are the same either way now with regulated debit, pin doesn’t really matter any more anyway.” Not true.

Consider the implications for a specialty retail environment with higher average value transactions, such as building supply, automotive parts, and electronics.

RETAIL: HIGH VALUE	FORCED CHIP & PIN	CHIP & CHOICE
PROS	Maximize profit potential 3 ways: highest security supported to shift counterfeit fraud to issuer; Even with regulated debit, there’s some financial differential for sending transactions via debit network, though vastly decreased. Finally, not all debit is regulated, and costs do vary.	Less friction at the point of sale, faster checkout.
CONS	While consumers know their debit pins, studies estimate consumers’ knowledge of credit card PINs at 5-10%. What is financial impact if customer cannot recall pin, fallback to signature is not allowed, and customer has no other payment method?	Potential losses based on US EMV liability shift rules which require the highest level of security to shift back to issuer; may vary by brand for counterfeit, lost and stolen cards.

As with everything EMV, there are many moving parts to certifications for chip card acceptance. In order to have a choice, the merchants ecosystem from terminal to payment gateway, if applicable, acquirer, etc must all support it, which may be a tall order.

IMPORTANT: This article highlights a few items and does not cover all brand, business type, transaction type, card type, nor reasons for determining liability. Refer to various card brand core manuals or your acquirer for more specific details about EMV and card acceptance rules.

RESOURCES & ARTICLES AROUND THE WEB

To avoid issues with broken outside links over time, please copy the URL’s below into your browser.

https://www.mastercard.us/en-us/about-mastercard/what-we-do/rules.html

Chip & PIN vs. Chip & Signature

Best article for thoroughness. October 2014 http://krebsonsecurity.com/2014/10/chip-pin-vs-chip-signature/

Chip-and-PIN, or Chip-and-Choice?

Worth a look. February 10, 2014, By David Lott, a retail payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed. http://takeonpayments.frbatlanta.org/2014/02/chip-and-pin-or-chip-and-choice.html

Chip & Choice Keeping Security Flexible

From Visa web site today, great illustration on impact of choices in different market segments. https://www.visa.com/chip/clients-partners/issuers/credit-card-chip-technology/chip-and-pin-choices.jsp

Chip-and-PIN vs. ‘chip-and-sig’

Good global overview and stats By Janna Herron · Bankrate.com, August 28, 2013

http://www.bankrate.com/financing/credit-cards/chip-and-pin-vs-chip-and-sig/#ixzz4ALnE5Ps9
“What’s the difference? What separates the two is how each is authenticated at the register. Chip-and-PIN cards require a personal identification number to be entered to complete a purchase, much like how many debit card transactions are carried out now with magnetic stripe cards.” Read more: http://www.bankrate.com/financing/credit-cards/chip-and-pin-vs-chip-and-sig/#ixzz4ALnUjB9D

Visa Core Rules AND OTHER CARD BRAND RULES

Merchant Alerts & Rules Links

Authorize.net Duplicate Transaction Settlement Error

Posted on October 20, 2016 by Christine Speedy

Authorize.Net experienced an issue during a system update on October 17th that caused a subset of previously settled transactions from September to be sent for settlement again between October 17th and 18th. This issue is no longer occurring.

Authorize.Net is currently working to address any duplicate transactions in order to resolve the duplicate funding to merchants and potential duplicate transactions to their customers. We have already contacted your affected merchants and will continue to do so as we have updates.

If your merchants contact you about this issue, please advise them to NOT take any action on these transactions while we work to address them.

We will follow up with you with any further information, including information on potential reimbursements, as it becomes available.

To locate these transactions, please have your merchants follow these steps:
Log into the Merchant Interface at https://account.authorize.net/.
Click Search from the main toolbar.
Click Search by Batch from the menu on the left.
Select October 18 and October 17 in the From and To drop-down boxes in the Settlement Date section.
Click Search.
Any impacted transactions will have a Submit Date from September 20-25.

We apologize for this error and any inconvenience it may have caused. If you have any questions regarding this email, please contact support.

Sincerely,
Authorize.Net

###

Blogger Note: While uncommon, duplicate transaction and duplicate settlement issues do happen. They can emanate from anywhere in the transaction chain, though the payment gateway, or payment processor are likely more common causes. Because of that, merchants are advised to do nothing and the party that caused the problem usually reverses all the errors on behalf of merchants, typically within a day or two.

Visa Account Updater for U.S. Issuers and Issuer-Processors Mandate

Posted on October 3, 2016 by Christine Speedy

Effective 1 October 2016, Visa will require U.S. issuers to participate in Visa Account Updater (VAU) for their consumer credit and debit portfolios. In addition, all U.S. issuer-processors will be required to enable their credit and debit issuing platforms to support VAU.

Oracle Micros Data Breach

Posted on September 27, 2016 by Christine Speedy

Micros, a hugely popular restaurant and hospitality is the subject of a major data breach investigation. On Monday, 8 August 2016, Oracle Security informed Oracle MICROS customers that it had detected malicious code in certain legacy MICROS systems. Oracle is currently investigating the compromise.

Micros is used by many of the large hotel brands as well as restaurants. Over the last year, many in the hospitality industry have announced data breaches, though a link between the two has not been announced.

RESOURCES

Visa Compromise Notification (Micros)

Data Breach At Oracle’s MICROS Point-of-Sale Division (krebsonsecurity.com)

MAGENTO VULNERABILITIES IMPACT PCI COMPLIANCE

Posted on September 26, 2016 by Christine Speedy

Magento, a popular e-commerce platform, released multiple security patches this year, several addressing critical and high credit card data breach vulnerabilities. Merchants that haven’t deployed security patches, as required by PCI standards, are vulnerable to remote exploits that can compromise customer account and credit card data.

One cross-site scripting (XSS) flaw potentially allows an attacker to add malicious JavaScript code to a comment via the PayFlow Pro payment module. The JavaScript code is executed server-side when the targeted site’s administrator views the attacker’s order.

PCI Compliance Requirement 6: Develop and maintain secure systems and applications. All critical systems must have the most recently released software patches to prevent exploitation. The average merchant relies upon third party developers for web site maintenance, but unless specifically contracted to update the e-commerce software and add-on modules, don’t count on it.

Only 16.4% of organizations that had suffered a data breach were compliant with Requirement 6, compared to an average of 64% of organizations assessed by our QSAs in 2014- Verizon 2015 PCI Compliance Report.

Payment gateway implementation requirements have changed over time as a result of cross-site scripting and cross-site request forgery (CSRF) to meet current PCI Compliance standards. Merchants should verify all components of their ecommerce ecosystem are current, and have a system for ongoing monitoring and updating.