Retailers Ask FTC to Investigate Credit Card Industry’s PCI Security Group for Antitrust Concerns

Posted on June 2, 2016 by Christine Speedy

WASHINGTON – The National Retail Federation today announced that it has asked the Federal Trade Commission to conduct an investigation into an organization founded by the credit card industry that sets data security standards, saying the group’s controversial practices raise antitrust concerns.

“We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data security standards in the payment system or any other sector,” NRF Senior Vice President and General Counsel Mallory Duncan said in a letter to FTC Chairwoman Edith Ramirez and other commission members.

The Payment Card Industry Security Standards Council is “a proprietary organization formed and controlled by a single industry sector – the major credit card networks” and “fails to meet any of the principles adopted by the federal government for voluntary standard-setting organizations,” Duncan said. “We believe you will conclude PCI itself is an inappropriate exercise of market power by the dominant U.S. payment card networks and PCI should not continue setting data security standards through its current processes.”

NRF’s request comes as the FTC is conducting an inquiry into how third-party companies perform assessments of PCI compliance by retailers and other businesses that accept credit cards. NRF understands that the FTC is also considering PCI requirements as an example of industry best practices.

The PCI council was formed in 2006 by the major credit card companies – Visa, MasterCard, American Express, Discover and JCB. It imposes its rules on millions of U.S. businesses but continues to be governed by an executive committee made up of representatives of only those five companies.

In a 19-page white paper submitted to the FTC, NRF said the card companies use their market power to “unfairly leverage their brands and proprietary technology through webs of closely controlled interdependent bodies and compliance regimes” including the council. While portrayed as voluntary, the Payment Card Industry Data Security Standard requirements set by the council are “forced upon businesses that cannot refuse to accept credit and debit cards.”

The council’s practices “raise antitrust concerns” for a number of reasons, including “general antitrust dangers when competitors collaborate on setting market standards” and “more targeted concerns insofar as they allow the networks to leverage their proprietary technology,” the paper said.

Among other concerns, PCI requirements act as “as an anticompetitive barrier to innovation” because they “exhaust” funds and other resources retailers have available for data security, the paper said.

NRF asked that the FTC investigate the council’s practices in general and particularly their impact on competition. The FTC should also reject government use of PCI standards as any benchmark for data security, and instead work with “legitimate U.S. standard setting bodies” such as the American National Standards Institute, NRF said.

NRF is the world’s largest retail trade association, representing discount and department stores, home goods and specialty stores, Main Street merchants, grocers, wholesalers, chain restaurants and Internet retailers from the United States and more than 45 countries. Retail is the nation’s largest private sector employer, supporting one in four U.S. jobs – 42 million working Americans. Contributing $2.6 trillion to annual GDP, retail is a daily barometer for the nation’s economy. NRF’s This is Retail campaign highlights the industry’s opportunities for life-long careers, how retailers strengthen communities, and the critical role that retail plays in driving innovation. NRF.com

EMVCo Updates Payment Tokenisation Specification to Introduce ‘Payment Account Reference’ or PAR

Posted on March 27, 2016 by Christine Speedy

Newly defined data element reduces reliance on primary account numbers when managing security requirements and delivering value-added services.

29 March 2016 – Global technical body EMVCo has released a bulletin updating the EMV® Payment Tokenisation Specification – Technical Framework to provide the payment community with a global, consistent framework to implement ‘Payment Account Reference’ (PAR). To be used by merchants, acquirers and payment processors, PAR can enhance security by limiting references to a cardholder’s primary account number (PAN) in the payment ecosystem.

Payment tokenisation is the process of replacing a PAN with a unique payment token that may be restricted in its usage, for example, with a specific device, merchant, transaction type or channel. Traditional PAN-based payments will continue to be used alongside EMV Payment Tokens. The introduction of PAR, which does not contain financially sensitive data, enables the payment acceptance community to link a cardholder’s payment token with their PAN transactions without needing to use their underlying card account number. This allows for a consolidated view of transactions on a payment account. This is also needed for security and regulatory reasons, such as risk analysis and anti-money laundering. It is also important for value-added services, as these often leverage historical transactional data to derive analytics and measurements to support customer programmes such as loyalty.

Mike Matan, current Chair of the EMVCo Executive Committee, comments: “Payment tokenisation enhances the underlying security of digital payments by limiting the risks associated with the compromise or unauthorised use of PANs. As well as increasing security, we want to ensure the payment acceptance community can continue to deliver associated payment processing and value-added services which are currently enabled by PAN. PAR addresses this by enabling all payment transactions – regardless of how they are initiated – to be processed in a consistent manner.”

The presence of PAR fulfils a fundamental need to link PAN-based and token-based transactions together. PAR enables the industry to move away from dependence on the PAN as the primary linkage. PAR data cannot be reverse-engineered to reveal the PAN or EMV Payment Token and cannot be used on its own to initiate a transaction such as authorisation, capture, clearing or chargeback. Users of PAR data are required to protect PAR data in accordance with national, regional or local laws and regulations.

“EMVCo recognises the need to continually adapt and advance the EMV payment infrastructure to support and promote user convenience without compromising security,” adds Jack Pan, EMVCo Board of Managers Chair. “Our work to establish a secure and scalable payment tokenisation ecosystem is no different. Since EMVCo launched its activity to focus on the development of a tokenisation specification, we have been working with industry stakeholders and EMVCo Associates to solicit feedback and determine appropriate updates to the framework, which will optimise the benefits of this technology. In addition to PAR, EMVCo has launched a Token Service Provider (TSP)

Registration Process, to promote transparency and interoperability of TSP entities. We look forward to continuing our work with the industry to manage and evolve this payment technology further.”

EMVCo – which is collectively owned by American Express, Discover, JCB, MasterCard, UnionPay and Visa – launched the EMV Payment Tokenisation Specification – Technical Framework v1.0 in March 2014. The PAR framework is designed to ensure global interoperability and support broad industry adoption. These latest updates are documented in the EMV Specification Bulletin No. 167, available to download without charge from the EMVCo website.

The specification bulletin accomplishes the following:

• Introduces PAR as an industry aligned data structure.

• Describes the presence of PAR in payment token and underlying PAN transactions.

• Defines PAR to be used as a consistent value for all payment tokens affiliated with an underlying PAN.

• Outlines how PAR can be used by acquirers, payment processors and merchants to link payment token transactions to those of the underlying PAN.

To join other industry stakeholders in contributing to EMVCo’s development of the tokenisation framework, become an EMVCo Associate.

– ENDS –

For further EMVCo media information please contact Sarah Jones / David Amos – Tel: +44 1943 468007 or email: sarah@iseepr.co.uk / david@iseepr.co.uk

Notes to Editors:

EMV® is a registered trademark in the U.S. and other countries and an unregistered trademark elsewhere. The EMV trademark is owned by EMVCo.

About EMVCo:

EMVCo is the global technical body that facilitates the worldwide interoperability and acceptance of secure payment transactions by managing and evolving the EMV Specifications and related testing processes. Adoption of EMV Specifications and associated approval and certification processes promotes a unified international payments framework, which supports an advancing range of payment methods, technologies and acceptance environments. The specifications are designed to be flexible and can be adapted regionally to meet national payment requirements and accommodate local regulations.

EMVCo is collectively owned by American Express, Discover, JCB, MasterCard, UnionPay and Visa, and focuses on the technical advancement of the EMV Specifications. To provide all payment stakeholders with a platform to engage in its strategic and technical direction, EMVCo operates an Associates Programme and encourages all interested parties to get involved.

Visit www.emvco.com for further information and join EMVCo on LinkedIn.

Steps to Reduce Credit Card Fraud For Distribution Industry

Posted on March 22, 2016 by Christine Speedy

dealer fraud credit card processing Credit card fraud is still rampant in the US, even after US EMV liability shift convinced many merchants to purchase terminals to support chip cards. Marine, auto, and other high value parts dealers have long had a problem mitigating fraud risk with local and international parts.

For card not present orders, require self-pay with cardholder authentication. Taking cards over the phone, and or requiring a credit card authorization form, will not protect against all forms of counterfeit card fraud. However, consumer authentication shifts liability back to the issuer; the issuer guarantees payment, and because it’s lower risk, dealers can qualify for lower interchange rates, the bulk of merchant fees. Online payment, ecommerce payment, and electronic bill presentment and payment are the 3 methods dealers can use to enable self-payment.
For retail orders, EMV is mandatory. Not by regulation, but by necessity. If a chip card is presented, and merchant supports, they’re 100% protected from counterfeit card fraud, and sometimes lost or stolen cards; if not supported by the merchant, the merchant can be automatically charged back at the issuers discretion and there’s no dispute process for merchants.
Check guarantee. Whether in person or via echeck, check guarantee services are only good if they don’t reject your checks later on. Surprisingly (or maybe not), some services seem to look for ways not to approve your claim, such as information is missing from checks. This can be avoided with technology that forces users to collect the right data, including for remote self-payers.

If all of the above are implemented, dealers are protected from virtually any type of credit card fraud. The following tips will help prevent other types of lost disputes, or serve as supporting documentation if not all the above are implemented.

Get a signed sales order. This can reduce non-fraud claims related to disputes about what was expected. The sales order should clearly state what was sold, refund policy, and cancellation policy, or refer to another document that specifies the information, but is initialed acceptance on the sales order.
Ship to cardholder billing address. If not possible, then get cardholder approval that states bill to and ship to address are different, and they’re approval.
Require all communications to cardholder business email address if selling wholesale. Free email like gmail is not OK.
Require cardholder respond from business email address approving transaction receipt. This is a strong document in the case of a dispute for “I didn’t approve it”, especially when a third party is picking up the part from the dealer.
The marine, automotive and other distribution companies are hit particularly hard with non-qualified transaction penalties when shifting between retail, key entered, and online payments. It’s critical that transactions are presented properly not only to qualify for lower rates, but to protect against lost disputes that require specific evidence for each type of transaction.

Not related to security, but critical for interchange rate qualification, the bulk of credit card processing fees, all services (retail, MOTO, ecommerce) should support level III processing.

In summary, dealers need US EMV and cardholder authentication to maximize risk mitigation from credit card fraud. US EMV requires terminal certification, and gateway certification* to your merchant account provider. Cardholder authentication requires a payment gateway certified for the service. There are very few companies that meet all these requirements so if your credit card processing salesperson gives you a blank stare when you ask, it’s time to explore other options.

*A payment gateway certified for level III retail to your acquirer is required; countertop terminals are incapable of sending level III data.

4 Credit Card Processing Tips for Consultants & Accountants

Posted on November 30, 2015 by Christine Speedy

Following several years of regulatory and technology credit card processing changes, 2015 has been another big year of changes. As we close out 2015, what are you advising clients to maximize profits? Every consultant to distributors, especially for building materials, including lumber and millwork, electrical, marble & stone, and plumbing supply, needs to update their merchant services knowledge. These businesses tend to have both a retail and a ‘to the trade’ component, making old solutions potentially outdated, risky, and costly.

EMV liability shift October 2015, shifted liability for counterfeit card, and sometimes lost and stolen card, transaction losses from the issuer to the merchant, if the merchant does not support EMV chip card acceptance. Since businesses never saw this fraud, the financial risk is unknown, but guesses put it in the 1-2% of sales range. The first acquirer (Vantiv) announced penalties effective January 1 if a retail operation does not support EMV chip card transactions. These fees will grow throughout the payment chain in 2016, and be passed down to the merchant. If profit margins are important, EMV compliance is not optional. Between growth in credit card fraud losses and new penalties, distributors need to make the change ASAP.
EMV terminal selection. Retail Distributors fall into two categories: Those who use countertop terminals, and those who use anything else, including mag swipe reader or signature capture terminal. Only the latter are even capable of supporting level 3 data, critical for qualifying for level 3 interchange rates, which makes up more than 95% of credit card processing, or merchant, fees. Yet, the vast majority of recommended EMV solutions are incapable of level 3, and or there is no certification for it. While updating, add NFC for ApplePay and newer payment methods, and P2PE, which encrypts at the terminal head, further mitigating data breach risk. The best EMV terminal selection for distributors may reduce merchant fees an average of 32% and mitigate data breach risk. Conversely, the wrong choice will directly reduce profit margins.
PCI Compliance. Internal and external data breaches are a serious growing problem (Lowes and Home Depot both admitted), and best practices are being shared among peers that are ‘risky’ at best. Top areas of concern are paper credit card authorization forms and electronically storing card data (without certified compliant tokenization such as a payment gateway). Both should be eliminated. Online pay pages and other technology solutions have negated the need for employees to ever have access to credit card data, not even for a minute. Has your own company eliminated them?
Quickbooks. For operations that used Intuit Merchant Services because there was no other integrated choice, that’s no longer an issue. Third party integrations empower businesses to use any acquirer. Look for one that supports all payment methods needed (ACH, check, wire, credit card etc). If processing more than $500k annually, fees may drop up to 50%.

CHRISTINE’S RECOMMENDATIONS FOR CLIENT ADVICE TO DISTRIBUTORS:

Implement EMV ASAP to avoid penalties and fraud losses.
Only implement an EMV solution certified for level 3 processing to maximize profit margins.
Get PCI 3.0 Compliant to mitigate risk of financial losses from a data breach- Replace all practices that include credit card access by any employee, even for a minute, with a technology solution.
Replace Intuit Merchant Services to maximize profit margins.

Note: this advice is applicable to any business that has a customer base which includes some business to business and retail, even if retail is a small part of the overall payment types accepted.

Building Supply Industry Profits Impacted by EMV chip card terminals

Posted on November 9, 2015 by Christine Speedy

EMV terminal selection directly impacts interchange rate qualification, the bulk of credit card processing fees.

November 4, 2015– EMV, short for Europay, MasterCard,Visa, chip card terminals are in high demand, short supply, and most likely an unwelcome expense. Building material suppliers go to great lengths to negotiate with their payment processors for reduced rates, but this approach only impacts a fraction of costs. There is much bigger value is managing the entire payment process to affect the biggest component of fees – card interchange. The EMV terminal implemented will directly impact interchange rate qualification, and none of the most popular terminals recommended today meet critical lumber and building supply requirements.

Interchange rates are non-negotiable, but they can be influenced. There are hundreds of fees that can be tacked on based on each transaction type. Due to complexities, building material suppliers must have an intelligent solution to manage the payment process and ensure compliance with all the rules.

PURCHASING CARDS

To qualify for the lowest interchange rates, transactions must meet all the rules for the specific card and transaction method. For building material suppliers business to business (B2B), processing level III data for Corporate, Purchasing, and Business cards is critical. Their card use is growing and savings of 90 basis points or more for some cards is an attractive margin difference worth achieving.

Sample interchange rates for the same credit card transaction; Failing to follow rules results in costly extra fees.

Countertop terminals like the popular First Data FD Series, Verifone VX series, or Ingenico iCT series, with downloaded programming, cannot support level III. The US EMV ecosystem requires a web-based payment gateway with EMV terminal and level III retail certification. For example, CenPOS has certified the Verifone MX915 to First Data, Chase Paymentech and Tsys, the latter which enables use with most processors. Merchants can use CenPOS via a web browser virtually instantly or an integrated application.

EMV COMPLIANCE DATES

While EMV is not a mandate, effective October 1, the party that does not support EMV (short for Europay, MasterCard, Visa) chip card acceptance is liable for counterfeit card, and sometimes lost or stolen card transactions. Because card issuers previously absorbed most of these losses without any notification to the merchant, businesses can expect losses if action is not taken. Additionally, non-EMV compliance fees have already been announced by at least one provider, NPC, starting January 1, 2016.

Christine Speedy, CenPOS global sales and integrated solutions reseller, 954-942-0483. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS? secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant?s banking relationships.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Card Not Present, CenPOS, credit card processing

B2B Cloud payment processing technology blog about increasing profits, efficiency and security.

Category Archives: industry news