Stopping Online Credit Card Testers

Online credit card testing by fraudsters can dramatically drive up payment gateway fees. Historically, card not present financial fraud grows exponentially in countries after they implement EMV chip card processing, as thieves seek the weakest link for fake credit card purchases. Thieves use software to rapidly send cardholder data to payment web sites to verify whether stolen cards are good, a practice known as card testing. Since merchants pay a per transaction fee regardless of approval, the financial impact can be devastating.

Companies with online pay pages are at increased risk. Since October 2015, online fraud attacks were up 11% in 2015 Q4 vs. Q3, and up 215 percent from 2015 Q1. 83% of attacks involved botnets. Source: The Global Fraud Attack Index™, a PYMNTS/Forter collaboration. The preferred web pay pages require no login and provide detailed decline response reasons. I’m often asked by others in the industry to provide the latter, and for the same reason as for retail, it’s better that no one knows the reason for the decline. If you inform a criminal the expiration date is no good, they just need to figure out the right one.

PREVENTING ONLINE CARD TESTING

A layered approach is required to stop card testers since no single solution will stop fraudsters. Generally, the harder you make it, the more likely they will seek a path of less resistance.

  • Block known fraudulent incoming IP addresses. The bad guys also use hostile proxy servers, with IP addresses that change dynamically on every authorization attempt, but this is still a first step everyone should employ.
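
The two controls described above (blocking known bad source addresses, and never telling the payer why a card was declined) can be combined in the pay page handler. This is an added example, not code from the original post or from any gateway; the `authorize` callable, the result fields, and the blocklist entries are assumptions made for illustration.

```python
import ipaddress
import logging

log = logging.getLogger("paypage")

# Constructed blocklist using documentation ranges (RFC 5737), not real threat data.
BLOCKED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "198.51.100.7/32")]

# One customer-facing message for every decline, whatever the gateway said.
GENERIC_DECLINE = "Your payment could not be processed. Please contact us."


def is_blocked(client_ip):
    """True if the source address is on the blocklist or cannot be parsed."""
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return True  # fail closed on a malformed source address
    return any(addr in net for net in BLOCKED_NETWORKS)


def handle_payment(client_ip, card_token, authorize):
    """authorize is a hypothetical callable standing in for the gateway call;
    it returns {"approved": bool, "reason": str}."""
    if is_blocked(client_ip):
        # Rejected before the gateway, so no per-transaction fee is incurred.
        log.warning("blocked source %s: request not sent to gateway", client_ip)
        return {"approved": False, "message": GENERIC_DECLINE}
    result = authorize(card_token)
    if result["approved"]:
        return {"approved": True, "message": "Payment approved."}
    # The detailed reason goes to the merchant's log only, never to the page.
    log.info("decline for %s: %s", client_ip, result["reason"])
    return {"approved": False, "message": GENERIC_DECLINE}


if __name__ == "__main__":
    def sample_gateway(token):  # constructed stand-in: always declines
        return {"approved": False, "reason": "expired card"}
    print(handle_payment("203.0.113.50", "tok_sample", sample_gateway))
    print(handle_payment("192.0.2.10", "tok_sample", sample_gateway))
```

A blocked source and a declined card receive the same response, so the page reveals neither that the address is listed nor which card field was wrong.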

For additional assistance, please contact us. I won’t make it easier for criminals by identifying all the tools here in the blog!

Why should B2B CFO’s, business consultants and accountants partner with a B2B payments consultant?

Financial consultants from CPA’s to business advisors can increase profits by partnering with outside experts. A business to business payments consultant will help financial consultants differentiate services offered to win more business and increase retention. Get clients paid faster, cheaper, and more securely, and they’ll reward you with their loyalty and refer you more business.

REAL RESULTS FROM COMPANIES USING MY TECHNOLOGY

  • Reduced DSO from 45 days to 15 days
  • Reduced merchant fees 34%, with the same merchant account
  • Exposed long-term internal fraud by trusted employee at a $2B+ company
  • Reduced internal accounting staff by 20%
  • Reduced cashier staff by 30%
  • Improved customer experience, directly increasing revenue per customer, and manufacturer bonus rebates

My core expertise is cloud-based financial transaction technology critical to staying current with regulatory and compliance changes, and the resulting impact on risk management, cash flow, and EBITDA. Examples of payment acceptance types can include credit card processing, check processing, ACH, wire, and others.

Why Christine Speedy? The industry is loaded with people selling substandard payment acceptance solutions, particularly B2B merchant services because they don’t know any better or they put themselves first. For example,

  • Web developers tell you to use either authorize.net or Payflow Pro payment gateway because they’re ‘reliable’ and they’ve had good results. Yes, they’re reliable, but so are others that provide far better customer and merchant experiences, while also maximizing profits.
  • US banks don’t have retail solutions enabling B2B merchants to qualify for the lowest interchange rate possible for purchasing, business, and corporate cards so they sell substandard alternatives. For example, building supply and distribution companies that cater to businesses pay millions in extra fees because of inadequate technology.
  • Industry associations offer member benefits for services in which they profit share; these ‘exclusive trusted partners’ are kept at all costs, even if it’s not the best service for their members.
  • Merchant salespeople tell you it’s Ok to store credit card authorization forms in a locked file drawer. No, it’s not. It’s never ok to store sensitive cardholder data in any format, but they don’t have a solution to fix your reason for storing it.

You need a trusted, confidential resource.

WHAT I DO: Analyze, recommend, sell new or modify existing solutions

Part 1: What is the revenue picture?

  1. Types and costs of payments accepted
  2. How and where are payments accepted? Who touches? Credit, collections, and treasury management (risk, currency) reviewed.
  3. Software and hardware
  4. Security and PCI Compliance at a glance- I can typically uncover problems in 100% of businesses within 5-10 minutes of probing.

Part 2: What are merchant business priorities in next 3-6-12 months?

These do not have to be related to part 1, but are critical to understanding business.

Part 3: Action items

Based on account review and priorities, what are critical and non-critical action items? How will these impact efficiency, security, profits, customer experience? What vendor, hardware, software changes are recommended?

MERCHANT SERVICES WHAT YOU NEED TO KNOW NOW

US EMV chip card implementation is impacting every company that accepts credit cards, retail and card not present. This is the biggest change since Durbin (debit), and again, there’s loads of misinformation and poor recommendations being made.

TARGET MARKETS

Minimum $5M-100 annual revenue, sweet spot; Clients include $1M to $2B. Manufacturer, distribution, technology, dealer, anything B2B.

NO THANK YOU – No supermarkets, restaurants, education, fuel or travel agencies

FREE TEST – While credit card processing may be a small portion of cash flow in target markets, it’s also a pain point I can typically help with immediately. Send 2 consecutive merchant statements for any B2B company you’re satisfied is as profitable as possible. If you like my report, we can go deeper into full analysis.

Replacing ICVerify with authorize.net for caging service providers

ICVERIFY Software, a PC based payment software solution, is end of life and must be replaced with an internet, or cloud-based, payment gateway. Authorize.net is one replacement option for caging service providers, including donation processing, that doesn’t require changing credit card processing companies, also known as merchant services provider or acquirer. For business to business, I don’t recommend authorize.net, read about another ICVerify alternative here.

What’s the difference between ICVerify and Authorize.net Payment Gateway for Credit Card Processing for fundraising service providers?

  1. There’s no software to install. Users process payments via a virtual terminal by logging in to a secure web page and processing single transactions, or via batch upload.
  2. The merchant, or fundraising non-profit, completes a payment gateway application for each merchant account, just like any other financial account, with an authorized reseller, such as 3D Merchant Services.
  3. Transaction fees are standard. Fees can be paid via credit card or ACH debit. Merchants may have individual merchant accounts that include free gateway services, though unlikely, and there are two limitations. First, if the merchant (non-profit or other entity) changes their acquirer, any tokens saved for recurring billing will be invalid. Second, it may increase lockbox service provider development and maintenance time for multiple gateway file specifications.
  4. Merchants are billed directly by Authorize.net for gateway fees, including when opened through authorized reseller 3D Merchant Services (Christine Speedy).
  5. Merchants control user access to payment gateway account

Christine Speedy alleviates the pain of switching merchants from ICVerify to authorize.net, including providing a single point of contact for all accounts, managing the application process, providing personal customer service, and offering volume transaction rates for entire client portfolio. Her payment expertise helps minimize fundraising expenses, reduce donor management friction, and reduce PCI Compliance burden. Merchants can call Christine or authorize.net for customer support after an account is opened.

REPLACING ICVERIFY – IMPACT FOR LOCKBOX SERVICE PROVIDER BATCH UPLOAD

  • Create a CSV file for upload to authorize.net, per file set up specifications
  • Login to merchant authorize.net account
  • Upload file
  • Download results the next day

REPLACING ICVERIFY – IMPACT FOR FUNDRAISERS / MERCHANTS

  • Open Authorize.net account; contact us for special volume rates
  • Add users and assign permissions, including users for your service provider
  • Download transaction reports on demand by logging into online portal via web page. Note, these reports are limited and do not replace, but rather supplement, reports from your lockbox service provider. 24 month record retention and search.
  • Authorize.net will automatically debit account monthly

Working with a single payment specialist for all fundraising channels maximizes net dollar educes PCI Compliance burden, misinformation, and

This article makes no reference to the value of authorize.net as a vendor selection, only the implementation and maintenance of using it as ICVerify alternative. Contact Christine Speedy at 954-942-0483 for all integrated, standalone and batch upload payment gateway needs from authorize.net and other solutions.

ERP and Payments: PCI Compliance Nightmare

A PCI Compliant ERP solution doesn’t make a merchant PCI Compliant. The features of the payment integration drive customer decisions to use or not use an ERP payment module. When payment vendor choices are restricted artificially by using technology to control merchant services options, merchants often enter ERP relationships with a level of dissatisfaction right from the start.

Severely restricted payment gateway options, especially for business to business, result in either the merchant using an alternative non-integrated payment solution, thus sacrificing efficiency, or using the integrated solution and failing to meet PCI 3.0 requirements or other payment needs. How can I make this statement? B2B companies that accept credit cards typically have a portion of their sales via the telephone. To mitigate risk of fraud, they use paper credit card authorization forms. However, the forms are inherently risky in many ways.

  • Sensitive authentication data, which includes the security code (CVV/CID), can never be stored.
  • Forms offer option to send via email. Unprotected data cannot be sent via messaging technologies such as e-mail, instant messaging, chat, etc. (PCI section 4.2). Even if the form doesn’t offer it, customers sometimes ignore instructions and send via email.

In the absence of a best practice, employees will revert to whatever is necessary to get their job done and reduce the risk of looking bad (fraud losses). If the ERP payment module doesn’t help merchants eliminate credit card authorization forms, the entire operation may be at risk of a potential data breach.

For retail, data breaches have become commonplace. Few ERP Point of Sale (POS) solutions are using Point to Point (P2P) encryption and other best practices to reduce data breach risk. They raced to bring mobile to market, and many now have neither EMV chip terminals nor P2P, both increasing financial risk to merchants.

Why does an ERP restrict options for merchant services? Because it’s part of their revenue stream. When competition is eliminated, there’s almost no chance of having the best solution in the marketplace. The proof is a long string of failures to meet business needs. Failure to offer electronic bill presentment and payment, which would increase cash flow and efficiency. Failure to offer US EMV chip card acceptance solution prior to liability shift. Failure to offer level 3 processing for all sales channels. Failures reduce cash flow, profits, and security as companies attempt to work with the ERP limitations, or find ways to work around them.

The argument that it’s to protect merchants from data breaches is only partially true. For any modern payment gateway integration, the payment activity is usually outside the ERP to reduce PCI scope. That won’t change from one gateway to another, so the risk doesn’t change, provided the third party gateway is level 1 PCI Compliant.

Examples of ERP’s that restrict payment gateway and merchant services choices are Netsuite and Sage. Additionally, consultants are often compensated for payment gateway recommendations. Consulting with an independent payment specialist, like blog author Christine Speedy, can expose pros and cons of different options.

ERP’s holding onto merchant services and gateway revenue streams are short sighted, as these business practices anger customers. Can you imagine if an ERP wouldn’t communicate with any other software, for example, Magento? ERP’s focused on delivering the best business software for all facets of a business, and enabling the merchant to follow best practices for PCI Compliance, must give users the flexibility needed to run their business with their own financial partners.

If an ERP relies so much on their revenue stream from merchant services revenue share that they won’t let you choose your own financial partners, I’d think seriously about whether it’s the best ERP for your business.

Microsoft Dynamics AX EMV terminals certified today

EMV chip certified solutions are now available for Microsoft Dynamics AX. As they’re still fairly new, it’s important to ask questions about functionality. EMV chip card acceptance certification is complicated, which is why many companies did not complete their certifications by the October 2015 liability shift.

Dynamics AX EMV for Retail tips to compare solutions:

  • How is pin-debit managed? Is EMV chip and pin supported? Can customers bypass entering pin? This is important because whoever supports the highest level of security determines liability for fraud.
  • Is level III data supported? This is important if the customer base includes business to business. For example, building materials distributors have retail and wholesale customers, and qualifying transactions for level 3 interchange rates can significantly improve profits.
  • What are the acquirer options? Can you choose your own, or are you required to use a specific processor?
  • Is P2P supported? Point to point encryption is an extra layer of security to prevent data breaches from malware and other criminal activities.
  • What is the audit trail? Identifying who did what and when is a part of PCI Compliance.
  • Can user functions be limited by job role, required for PCI Compliance?
  • If omnichannel, how will the solution help with all sales channel needs?

Verifone MX915 multilane signature capture terminal

Christine Speedy, 3D Merchant Services owner,  can help guide you through the complexity of choosing the best solution for your business. Which terminal is certified with which processor? From mobile to multilane, Christine’s knowledge and experience will help you implement faster, and take the pain out of consulting with multiple vendors that come up short on solutions.