What is carding and how can merchants mitigate risk?

Ecommerce merchants have been hit by credit card carding attacks by fraudsters for years. There’s tons of cardholder data on the dark web and even DIY instructions on how to commit fraud. With EMV implemented in retail, and the fast growth of ecommerce due to Coronavirus, carding is a serious risk for merchants for both attempted and successful transactions.

What is carding?

Carding, also known as credit card stuffing or card verification, is a web security threat where unauthorized people (carders or attackers) use multiple software tools, primarily bots, to attempt to verify if a debit or credit card is good. A typical bot attack will incur thousands of attempted authorizations. Bots do not typically seek a particular site, just opportunities to exploit a weakness.

What are the costly repercussions of carding attacks?

The merchant is dealt with several financial blows:

  • Attempted transactions will incur a payment gateway fee.
  • Attempted transactions may incur a merchant account authorization fee if the gateway didn’t kill before getting to the acquirer. This can happen if the gateway supports a rules based decision making.
  • Completed transaction fraud whereby the product was shipped to the fraudster because the card was approved.
  • Chargeback fees can be initiated by the issuer or the cardholder. If the merchant is not using 3-D Secure, they will surely be out of luck.

How can merchants mitigate risk of bot attacks?

A key first line of defense is preventing the bot initiating an exchange with payment gateway. For example, reCAPTCHA is a free developer tool from Google to protect your web site from abuse. reCAPTCHA v3 returns a score for each request without user friction, which means if it passes, the user can check out. Have you ever had to go through multiple screen challenges to identify the sidewalks or traffic lights? reCAPTCHA v3 is different from older versions. The score is based on interactions with your site and enables you to take an appropriate action for your site automatically. For more information click here for Google reCAPTCHA.

Note, PCI DSS V 3.2.1 Requirement 6: Develop and maintain secure systems and applications. this section includes web sites. Visa cites using Velocity tools specifically in their ecommerce guidance for merchants. For example, a fraud mitigation velocity tool might automatically manage attempted transactions based upon number of attempts from same IP address or other duplicate data within a specific timeframe. Note, fraudsters have gotten smarter and bot attacks are not as simplistic to detect as just a few years ago. For this reason, the use of AI and other tools is growing, especially for larger merchants.

Call Christine Speedy, for simple solutions to card not present payment transaction problems, 954-942-0483, 9-5 ET. Christine is Founder of 3D Merchant Services, PCI Council Qualfied Integrator Reseller (QIR), and is a credit card processing expert with specialized expertise in card not present and B2B payment processing technology. Less than 1% of all merchant services sales representatives are QIR certified. Christine is an authorized independent sales agent for a variety of merchant services and payment technology solutions.

P2PE for Dynamics AX & D365

Microsoft Dynamics AX and D365 validated P2PE solution elements vary by vendor plugin and their certifications which can be researched on the PCI security standards council website here https://www.pcisecuritystandards.org/assessors_and_solutions/point_to_point_encryption_applications?reference=2017-00113.005. Merchants can choose either P2PE terminals or validated P2PE solutions with their terminals. The latter requires extra steps to implement and maintain.

A PCI P2PE solution can significantly reduce the PCI Data Security Standard (PCI DSS) validation effort of a merchant’s cardholder data environment as well as the cost of a third party assessor reviewing a merchant’s card data environment. Another benefit is simply the reduced risk of a data breach, and the potential millions in costs and lost reputation. An qualified assessor informed me at a conference, there has never been a data breach in an environment with properly implemented validated P2PE solution; The same cannot be said for merchants using P2PE terminals.

P2PE Applications are intended to be loaded onto PCI-approved point of interaction (POI) devices used as part of a P2PE Solution. Use of a P2PE Application on a PTS-approved POI device (outside of a listed P2PE Solution) does not constitute use of a P2PE Solution. I am frequently asked by consultants about other payment gateway compatibility with Cardconnect and the related CardConnect Bolt application dependency. Other payment gateways and or P2PE solutions, including CenPOS, are distinct solutions. Each has its own P2PE certification as documented on the PCI council website. Two different solutions cannot be used together; merchants must decide which is the better overall solution for their environment. Sidenote: CenPOS does not have any application dependencies for their P2PE certification.

Can you mix P2PE solutions, for example, for call centers vs retail? Excellent question. Certainly transactions would need to be run on different merchant accounts and each would be defined as to scope i.e. not entire business, but only part of an operation. This arrangement is not ideal, but maybe is a useful gap solution during a software or hardware migration.

Which P2PE application is best for your Microsoft Dynamics AX or D365 environment? This question is best answered by speaking with a payments consultant who is familiar with credit card processing rules, data security rules, and integration nuances. Differences in the integration methods and native features for the respective products often determine why to choose one vs another.

Christine Speedy, Founder 3D Merchant Services, is a credit card processing expert with specialized expertise in card not present and omnichannel technology. Christine is an authorized reseller for Elavon and CenPOS products and services, in addition to other solutions and is QIR certified by the PCI Council. Call Christine for all your Microsoft Dynamics payment gateway and payment processing needs.

3 Things Accountants Must Advise B2B Clients in 2020

Credit card processing may be a big part of the revenue stream or a small part. It doesn’t matter. B2B companies all suffer from the same issues that impact EBITDA and risk. Compliance, cost and security. It’s fair to say, most businesses have no idea what the hot buttons or repercussions are.

Three things every B2B company needs to know about credit card processing right now:

  1. If you store credit cards, you must be compliant with Visa Stored Credential Framework. I posted this in 2017. Guess what? Most payment gateways (if you accept payments online from an invoice or any other source, a payment gateway is involved) are still not compliant! There are significant financial and risk consequences for non-compliance, including penalty fees, fines, and issuer generated chargebacks.
  2. Failure to settle transactions with a proper authorization will be even more expensive starting in April 2020. For example, many Visa credit card rates will go to 3.15%, reflecting upwards of 0.75% increase in some cases; that’s strictly interchange fees, nothing more. Instead of assuming you’re already settling properly, go to your merchant statement and look for DATA RATE I (instead of Data Rate III), STD/Standard, and EIRF. Do you have any of these? See also https://3dmerchant.com/blog/merchant-processing-services/credit-card-transaction-fees-checkup
  3. It’s a Visa rules violation to request the card security code on a paper credit card authorization form, or any digital form where the business can decrypt and view it. It can’t be stored, period. Not by the merchant nor service provider, including payment gateway. Yet even the AICPA

Why these 3 things? Because 100% of B2B companies I talk to will fail on at least one, and usually two or three. That includes CPA firms. Among the American Institute of Certified Public Accountants missions is to provide “the most relevant knowledge, resources” etc. Yet as of this writing, AICPA affinity credit card processing partners include a long list of technology solutions that are not compliant with all three of the above.

86% of all data breaches in 2016 were from level 4 merchants, defined as “Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.” By complying with the three items on my list, B2B companies will harden their systems and increase profits. The latter occurs because compliance with rules reduces fees. 

If your current acquirer could truly fix all the problems above, why haven’t they taken the initiative to help you in the past? By the way, if someone ever says they help you qualify for level 2 rates, run! All B2B companies should have the right technology to qualify for level 3 rates. Why pay more?

Christine Speedy, 954-942-0483. For a fast, free checkup on your merchant account, contact us today for a secure, cloud-based solution optimizing acceptance for all payment types across multiple channels without disrupting banking relationships.

New Visa SaaS subscription rules for trial periods

Effective April 18, 2020, merchants must comply with new Visa subscription billing terms and conditions. These are, once again, big changes that merchants must take action on to comply with. The payment gateway will be critical, and not all are ready to meet the new technology requirements for authorization and receipts.

Who do the new Visa rules apply to?

  • All merchants globally
  • Merchants that offer a free or discounted introductory offer as part of a subscription service

What are key Visa SaaS subscription changes?

  • Merchants must get express consent to enter into agreement for recurring billing. For example, if an online purchase, a checkbox agreeing to the terms is acceptable.
  • Notification via text, email, or other agreed upon method (not realistic for most businesses), of the subscription terms including start date, product/service details, billing frequency, billing start date, and link to cancel.
  • Notification at least 7 days in advance of the expiration

Revised sale transaction receipts are required.

  • Details to include length of trial period, introductory offer, or promotional period, and notice the cardholder will be charged unless the cardholder takes steps to cancel.
  • Date it starts, even if no payment is due, and date subsequent recurring transactions begin.
  • A link to cancel or other simple method.

Payment Gateway and settlement changes to support new Visa Authorization is required.

Many payment gateways are not yet compliant with the October 2017 stored credential mandate and they won’t be ready with this either as it is not a simple update.

  • A new descriptor, “trial” or similar, must be sent with Merchant Name field of the Clearing Record for the first transaction at the end of a trial period. This descriptor will then appear on cardholder statements, online banking etc.

“This is another huge change that most merchants will probably have difficulty complying with because of outdated payment gateways,” according to Christine Speedy, 3D Merchant Services payment gateway expert.

Merchants must make it easier to cancel recurring billing.

This is actually an extension of rules and recommended changes over the last few years. For example, if a customer signs up online, they should be able to cancel online, not have to call on the phone. The new rule now says regardless of where they signed up, retail store or other, they must be able to cancel online.

Visa expands cardholder dispute rights for subscription billing via existing condition “Misrepresentation”.

Basically, merchants need to be able to prove that the cardholder expressly opted in, and they notified customer before processing after the trial period.

Visa will actively monitor trial period compliance.

This is huge. While they don’t state how, the advances of Artificial Intelligence (AI) make if fairly easy. Additionally, merchants that are using recurring billing properly already notify the parties in financial ecosystem that they are doing recurring billing via the 2017 recurring billing stored credential changes.

What are merchants benefits to comply with Visa rules?

Merchants can expect increased authorization approvals, better rate qualification (higher profits), and increased customer satisfaction. Merchants avoid getting shut down, fined, assessed fees, penalty fees and also reduce customer service bandwidth.

DISCLAIMER: condensed and incomplete information. Information may be quickly outdated. Follow links from our Merchant Rules web page here or click here to download Visa’s PDF with review and quick reference card. Two page PDF, 675kb.

Call Christine Speedy for compliant payment gateway solutions to maximize profits and improve your customer experience. 954-942-0483, 9-5 ET for all your recurring billing and stored credential payment gateway and virtual terminal needs.

D365 Customer facing invoice portal D365 F&O

Looking for D635 F&O solution for clients to access online portal to view and pay invoices? One of the key solution differentiators is the integrated payment gateway for credit card processing. Easily overlooked, it’s most impactful on profits. Other than merchant discount, the payment gateway is the single largest influence on the cost of credit card acceptance and chargeback risk.

How can a payment gateway impact costs?

  1. Authorization management. There’s a slew of rules, which are continually changing, regarding what has to happen in order to qualify transactions for the lowest cost possible. Virtually no payment gateways support all of them. For example, authorize.net doesn’t support unscheduled credential on file (stored card on file). Reference https://community.developer.authorize.net/t5/Integration-and-Testing/Visa-Stored-Credentials/td-p/60149. The average cost differential for a Mastercard business card is 1% for a transaction with valid authorization vs invalid (but approved).
  2. Customer disputes and chargebacks. A merchant can only defend disputes if they have proper authorization in #1. Instead of wasting time defending disputes, merchants can prevent them with 3-DSecure 2.0, a global cardholder authentication solution. If the payment gateway supports it, “it wasn’t me, I didn’t authorize it” goes away; liability belongs to the issuer.
  3. Rate Qualification. Items 1 and 2 above both reduce the cost of card acceptance. So does supporting level 3 data. It amazes me how many calls I get from consultants and merchant services salesmen that just want to help their customers qualify business and purchasing cards for level 2 rates. Why wouldn’t you want all clients to qualify for level 3 rates, which are substantially lower for business to business transactions?
  4. Stored credential compliance. This is not just securely tokenizing cardholder data, but complying with a new set of rules established in 2017, which all merchants and acquirers are required to comply with. Payment gateways have no such requirement. They can choose to provide the services to clients or not. The trickiest is unscheduled credential on file, which is what most business to business companies need, unless they have a SaaS billing model. Towards the end of 2019, a few more gateways were offering this, but the list is very small.

Few payment gateways support all four items above.

Call Christine Speedy for D365 F&O invoice portal with compliant payment gateway to maximize profits and improve your customer experience. 954-942-0483, 9-5 ET for all your recurring billing and stored credential payment gateway and virtual terminal needs.