What is carding and how can merchants mitigate risk?

Ecommerce merchants have been hit by credit card carding attacks by fraudsters for years. There’s tons of cardholder data on the dark web and even DIY instructions on how to commit fraud. With EMV implemented in retail, and the fast growth of ecommerce due to Coronavirus, carding is a serious risk for merchants for both attempted and successful transactions.

What is carding?

Carding, also known as credit card stuffing or card verification, is a web security threat where unauthorized people (carders or attackers) use multiple software tools, primarily bots, to attempt to verify if a debit or credit card is good. A typical bot attack will incur thousands of attempted authorizations. Bots do not typically seek a particular site, just opportunities to exploit a weakness.

What are the costly repercussions of carding attacks?

The merchant is dealt several financial blows:

  • Attempted transactions will incur a payment gateway fee.
  • Attempted transactions may incur a merchant account authorization fee if the gateway didn’t kill the attempt before it got to the acquirer. This can happen if the gateway supports rules-based decision making.
  • Completed transaction fraud whereby the product was shipped to the fraudster because the card was approved.
  • Chargeback fees can be initiated by the issuer or the cardholder. If the merchant is not using 3-D Secure, they will surely be out of luck.

How can merchants mitigate risk of bot attacks?

A key first line of defense is preventing the bot from initiating an exchange with the payment gateway. For example, reCAPTCHA is a free developer tool from Google to protect your web site from abuse. reCAPTCHA v3 returns a score for each request without user friction, which means if it passes, the user can check out. Have you ever had to go through multiple screen challenges to identify the sidewalks or traffic lights? reCAPTCHA v3 is different from those older versions. The score is based on interactions with your site and enables you to take an appropriate action for your site automatically. For more information, see Google reCAPTCHA.
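How a checkout backend might act on the reCAPTCHA v3 score described above, as an added example that is not from the original post or from Google. The field names follow the JSON returned by the reCAPTCHA verification endpoint; the action name, hostname, thresholds and sample results are assumptions constructed for illustration.

```python
# Added example: decide what to do with one checkout request after the server
# has verified the reCAPTCHA v3 token and parsed the JSON result.
EXPECTED_ACTION = "checkout"        # assumption: action name the page sends
EXPECTED_HOST = "shop.example.com"  # assumption: placeholder site hostname
ALLOW_AT = 0.7                      # assumption: thresholds are tuned per site
CHALLENGE_AT = 0.3


def decide(result: dict) -> str:
    """Return 'allow', 'challenge' or 'block' for one verification result."""
    # A failed or malformed verification never reaches the payment gateway.
    if not result.get("success"):
        return "block"
    # A token issued for another action or another site is not a pass,
    # whatever score it carries.
    if result.get("action") != EXPECTED_ACTION:
        return "block"
    if result.get("hostname") != EXPECTED_HOST:
        return "block"
    score = result.get("score")
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return "block"
    if score >= ALLOW_AT:
        return "allow"       # no friction: proceed to authorization
    if score >= CHALLENGE_AT:
        return "challenge"   # step up (for example 3-D Secure or review)
    return "block"           # no gateway call, so no gateway fee


# Constructed sample results (not real responses).
SAMPLES = {
    "shopper": {"success": True, "score": 0.9, "action": "checkout",
                "hostname": "shop.example.com"},
    "borderline": {"success": True, "score": 0.4, "action": "checkout",
                   "hostname": "shop.example.com"},
    "bot": {"success": True, "score": 0.1, "action": "checkout",
            "hostname": "shop.example.com"},
    "wrong_action": {"success": True, "score": 0.9, "action": "login",
                     "hostname": "shop.example.com"},
    "invalid_token": {"success": False, "error-codes": ["invalid-input-response"]},
}

if __name__ == "__main__":
    for name, result in SAMPLES.items():
        print(name, decide(result))
```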

Note that PCI DSS v3.2.1 Requirement 6, “Develop and maintain secure systems and applications,” includes web sites. Visa specifically cites using velocity tools in its ecommerce guidance for merchants. For example, a fraud mitigation velocity tool might automatically manage attempted transactions based upon the number of attempts from the same IP address or other duplicate data within a specific timeframe. Note that fraudsters have gotten smarter, and bot attacks are not as simple to detect as they were just a few years ago. For this reason, the use of AI and other tools is growing, especially for larger merchants.
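A velocity check of the kind described above, as an added example that is not from the original post or from any gateway vendor. It counts attempts per IP address and per email address in a sliding window; the window length, limits, field names and sample attempts are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600              # assumption: 10-minute look-back
LIMITS = {"ip": 5, "email": 3}    # assumption: max attempts per value per window


class VelocityCheck:
    """Sliding-window counter over fields that repeat across attempts."""

    def __init__(self, limits=LIMITS, window=WINDOW_SECONDS):
        self.limits, self.window = limits, window
        self.seen = defaultdict(deque)   # (field, value) -> attempt timestamps

    def check(self, attempt):
        """Return the fields whose limit this attempt exceeds (empty = pass)."""
        tripped = []
        for field, limit in self.limits.items():
            stamps = self.seen[(field, attempt[field])]
            while stamps and attempt["ts"] - stamps[0] >= self.window:
                stamps.popleft()           # forget attempts outside the window
            stamps.append(attempt["ts"])   # held attempts still count
            if len(stamps) > limit:
                tripped.append(field)
        return tripped


def sample_attempts():
    """Constructed checkout attempts (documentation IPs, .test addresses)."""
    # One IP address cycling through many identities, two seconds apart.
    rows = [{"ts": 2 * i, "ip": "203.0.113.7", "email": f"a{i}@example.test"}
            for i in range(8)]
    # An ordinary shopper in the middle of the run.
    rows.append({"ts": 50, "ip": "192.0.2.10", "email": "c@example.test"})
    # Rotating IP addresses, but the same email on every attempt.
    rows += [{"ts": 100 + i, "ip": f"198.51.100.{i + 1}",
              "email": "buyer@example.test"} for i in range(5)]
    # The first IP again, after its earlier attempts have aged out.
    rows.append({"ts": 700, "ip": "203.0.113.7", "email": "late@example.test"})
    return rows


def run_sample():
    checker = VelocityCheck()
    return [checker.check(a) for a in sample_attempts()]


if __name__ == "__main__":
    for attempt, tripped in zip(sample_attempts(), run_sample()):
        verdict = "HOLD " + ",".join(tripped) if tripped else "pass"
        print(attempt["ts"], attempt["ip"], attempt["email"], verdict)
```

The rotating-IP rows pass a per-IP limit and are caught only by the second key, which is why a velocity rule should cover more than one field.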

Call Christine Speedy, for simple solutions to card not present payment transaction problems, 954-942-0483, 9-5 ET. Christine is Founder of 3D Merchant Services, PCI Council Qualified Integrator Reseller (QIR), and is a credit card processing expert with specialized expertise in card not present and B2B payment processing technology. Less than 1% of all merchant services sales representatives are QIR certified. Christine is an authorized independent sales agent for a variety of merchant services and payment technology solutions.

Free credit card transaction fees checkup 2020

Merchant services fees gradually increased over time? While technology can optimize fee management, there are multiple reasons new fees or rising fees may occur. With this information, you can do a quick self-assessment and determine whether it’s worthwhile to engage with a payments professional for further review. This method is easier than my B2B credit card processing fact check, while still revealing problems that must be resolved.  As a processor neutral payments expert, Christine Speedy offers a unique perspective.

The areas needing most attention are rate qualification and other fees.

Here’s a shortcut to determine if you have authorization problems, which directly impact credit card transaction fees. Why is this important? Because unless you fix the underlying problem, switching merchant accounts will only provide partial relief from escalating transaction fees like the new MasterCard .25% misuse of authorization fee. If you have any of these items below on your merchant statement, there’s a problem that is causing unnecessary extra costs.

  • Misuse
  • Integrity
  • Compliance or Non-compliance
  • Standard / STD (any)
  • EIRF
  • Data rate I
  • Data Rate II or Data Rate 2
  • Chargeback: FRAUD TRANS-NO CARDHOLDR AUTH
  • Chargeback reason: Compliance

Hint: If you open your merchant statement in Adobe Acrobat, in OSX with command F you can copy and paste the terms above. It’s not foolproof due to varying abbreviations, but you only need to have one of the bad items to know there’s a problem.

For card not present business to business, these are two interchange types you should see, but many often don’t, and that is also a problem resulting in higher costs.

  • Full UCAF
  • Data Rate III

I don’t know why, but I get calls from other salespeople in the industry looking for solutions to help customers qualify for Data Rate II. Why wouldn’t you want the customer to qualify at Data Rate III? Makes no sense.

I also hear from merchants how they were told that the new solution would fix their level 3 data problems, but it didn’t. If you do preauthorizations, and the solution doesn’t automatically get new authorizations and manage reversals, it’s not going to fix authorization problems. Always ask, “How will the payment gateway manage authorization reversals if we don’t settle for the original preauthorization amount?” That’s one of several critical key questions. If they don’t know the answer instantly, move on.

Due to massive changes in card network rules and data security compliance rules over the last two years, a review by a neutral payments expert is essential. Did you have any red items? It’s time for a deeper dive into why. Your FREE report will identify issues impacting profits and security, include action items on how to fix them, and rarely requires changing financial partners.

Call Christine Speedy, to reduce merchant fees with new or existing merchant account at 954-942-0483, 9-5 ET. Less than 1% of merchant account salespeople are PCI Council QIR certified. With Christine as your account manager you’re assured a unique experience to maximize profits and security without business disruption.

P2PE for Dynamics AX & D365

Microsoft Dynamics AX and D365 validated P2PE solution elements vary by vendor plugin and its certifications, which can be researched on the PCI Security Standards Council website: https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_applications?reference=2017-00113.005. Merchants can choose either P2PE terminals or validated P2PE solutions with their terminals. The latter requires extra steps to implement and maintain.

A PCI P2PE solution can significantly reduce the PCI Data Security Standard (PCI DSS) validation effort of a merchant’s cardholder data environment as well as the cost of a third party assessor reviewing a merchant’s card data environment. Another benefit is simply the reduced risk of a data breach, and the potential millions in costs and lost reputation. A qualified assessor informed me at a conference that there has never been a data breach in an environment with a properly implemented validated P2PE solution; the same cannot be said for merchants using P2PE terminals.

P2PE Applications are intended to be loaded onto PCI-approved point of interaction (POI) devices used as part of a P2PE Solution. Use of a P2PE Application on a PTS-approved POI device (outside of a listed P2PE Solution) does not constitute use of a P2PE Solution. I am frequently asked by consultants about other payment gateway compatibility with CardConnect and the related CardConnect Bolt application dependency. Other payment gateways and/or P2PE solutions, including CenPOS, are distinct solutions. Each has its own P2PE certification as documented on the PCI council website. Two different solutions cannot be used together; merchants must decide which is the better overall solution for their environment. Sidenote: CenPOS does not have any application dependencies for their P2PE certification.

Can you mix P2PE solutions, for example, for call centers vs retail? Excellent question. Certainly transactions would need to be run on different merchant accounts and each would be defined as to scope, i.e. not the entire business, but only part of an operation. This arrangement is not ideal, but may be a useful gap solution during a software or hardware migration.

Which P2PE application is best for your Microsoft Dynamics AX or D365 environment? This question is best answered by speaking with a payments consultant who is familiar with credit card processing rules, data security rules, and integration nuances. Differences in the integration methods and native features for the respective products often determine why to choose one vs another.

Christine Speedy, Founder 3D Merchant Services, is a credit card processing expert with specialized expertise in card not present and omnichannel technology. Christine is an authorized reseller for Elavon and CenPOS products and services, in addition to other solutions and is QIR certified by the PCI Council. Call Christine for all your Microsoft Dynamics payment gateway and payment processing needs.

Best Credit Card Processing Services 2020 Reviews- or not?

Don’t you love it when people write articles about subjects they clearly either don’t know about, don’t know the best resources for information or are just out to make money on what you read via affiliate, advertising or referrals, so it doesn’t matter? That’s the case with articles on “Best Credit Card Processing Services for 2020”. I’ll dissect some reasons why and how to really help you find what you need.

First, there are some critical factors which determine what is the best credit card processor for your business:

  • Volume- a couple transactions or a lot each month
  • Transaction size average- For example, under $25 or over $5,000?
  • Transaction type- phone or mail (MOTO), in-person (Retail), or ecommerce (any type of remote payment, including e-invoice, text and ecommerce shopping cart), on the road.
  • How the sale occurs: tradeshow, water, plane, home service, phone sales, invoice, physical store, shopping cart, online pay page
  • Business type- distribution, service, restaurant, fuel, travel, etc

Only with information above should anyone recommend what is the best credit card processing service because it impacts how you need to get paid and how much cost will vary depending on the solution. As you can imagine, the matrix of options gets complex. Examples:

  • During Covid, someone decides to make masks at home and sell them. In that case PayPal might be the best solution because of its flexibility and simplicity.
  • A window and door company has wholesale to the trade and retail consumer sales. This company needs technology to properly manage authorizations for both sales types. I recommend using an agnostic technology solution and a processor that supports level 3 data, which all the big ones do.
  • A restaurant needs to expand their pick up and delivery options due to Covid-19 and projected dining changes over the next 10 years. They need omnichannel technology that will work with different platforms, such as Uber Eats and Door Dash, plus their own online ordering, text specials, and pay at the table.

My general rule of thumb is that for under $250,000 annually it almost doesn’t matter what you pick because the difference between one and another on price will probably be inconsequential. For that reason, I don’t work with businesses that small; just do your research and pick one that you can get out of later if you don’t like it or grow too much and your needs change.

Specifically addressing solutions others are touting as the top 10 best, my answers are relevant for B2B merchants, and businesses that have a B2B element:

Square: This started as a mom and pop solution for service people, artists (art shows), and other small business needs. I’d dig deeper into options.

Payline Data: I never heard of them and had to look it up. Payline Data is a reseller for First Data and Fifth Third Bank. More on what that means at the end.

Intuit Quickbooks: My pet peeves are fees are taken out of transactions daily, creating extra burden for reconciliation, bundled pricing, which is higher than alternatives, and issues with how it handles customer name and cardholder name differences, since B2B the customer is usually a business.

Helcim: