Small Business Merchant Security Mandate

Small businesses are at high risk of a credit card data breach. To stem the tide of breaches, effective January 31, 2017, all level 4 merchants were mandated to only use Qualified Integrators & Resellers (QIRs) for Point of Sale (POS) application or terminal installation, integration or maintenance. The Payment Card Industry Data Security Council provides certification and maintains the official list of certified QIR individuals. Any entity that installs Point of Sale in conjunction with a payment application must put at least one representative through the QIR training/qualification process.

What’s a level 4 merchant? Visa’s Level 4 merchant category encompasses businesses that process fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions, regardless of channel, per year. Visa has estimated this covers approximately 5 million merchants.

What is QIR Qualification? From the PCI Council:

QIR qualification is a set of requirements put in place by Visa for acquirers in an effort to ensure that small merchants are able to implement and maintain a secure Point of Sale environment. QIR qualification provides an opportunity for POS Providers (both VARs and ISVs) to receive training and subsequent qualification on the secure installation of PA-DSS validated payment applications into merchant environments so that said merchants can maintain ongoing PCI compliance. Many data breaches from past years could have been avoided if not for incorrect installation/maintenance of payment application and on-site merchant networks, so QIR qualification was implemented to ensure that only skilled/trained installers are installing payments products.

Who must be QIR certified? Anyone who touches something impacting the cardholder data environment, excluding internal employees. That could be a Value Added Reseller (VAR) of a POS application. Or it could be someone installing something from one of thousands of independent software vendors (ISVs) who provide payment applications that fall under the auspices of the PCI Security Standards Council’s Payment Application Data Security Standard (PA-DSS). People, not companies, are QIR certified, but all individuals are listed under company names.

The exam is tough. If you fail, there’s no feedback. Applicants must go back and study more, pay more, and retake the test. Annual continuing education is required to maintain certification. When I completed my exam, there were 452 certified in the world. Today, it’s 450, as two expired and did not complete the renewal process.

Not enough companies are in compliance. It was $395 to take the exam and $150 to retake it until March 2018, plus ongoing annual recertification fees after year two. The PCI Council recently announced a change so it’s $100 for 3 attempts, plus $100 annually, in an attempt to get more people certified.

In my experience, most people involved in the payments process do not have the knowledge to complete an installation, or provide maintenance, unless they’ve been QIR certified. In my opinion, the longer they’ve been doing it, the more likely they are to use outdated techniques that put merchants at risk of a data breach. The same is true for application developers. There’s a ton of ‘trusted’ companies out there that integrate payments into web sites and other applications. They have a lot of experience. But payment processing is a moving target of complex security changes. Without specific training, including going through the process of PA-DSS application certification, too many businesses are at risk.

Why should card-not-present merchants use QIR certified individuals? The QIR training encompasses all aspects of payments, including servers, networks etc. The QIR trained person is more likely to probe and identify potential weaknesses in any cardholder environment.

Why should level 1, 2, 3 merchants use QIR certified individuals? In my experience, there are weaknesses in businesses of every size. I can find a compliance problem in virtually any business. The key is to minimize risk and have a plan for continuous improvement.

Call Christine Speedy, QIR certified payments professional, right now at 954-942-0483, 9-5 ET.

ICVERIFY Alternatives 2017

ICVerify Software is still in use in 2017, even though it reached end of life back in 2015. Alternatives are abundant, but none are comparable to CenPOS for meeting the needs of business to business (B2B) companies.

What does ICVERIFY Software end of life mean?

First Data sales, product development and support have ended. Continued use of the product will invalidate a merchant’s PCI Compliance.

What happens if my ICVERIFY Software stops working?

You will get zero support. If you cannot open it due to a malfunction, you’ll have no access to records. If your acquirer shuts down your ability to send transaction data, and this is happening frequently because it’s not PCI Compliant, they will not turn it back on. If your acquirer finds out you’re using ICVerify in 2017, you will get shut down. It’s imperative to migrate to a new solution as soon as possible.

What are alternative solutions to ICVERIFY?

A cloud payment gateway is required. There’s no software to install. You can use a payment gateway via integrated or non-integrated options, which include mobile app and virtual terminal via secure web site. ICVERIFY was a buy once and use forever product. Payment gateways have transaction fees. Many businesses make the mistake of using the one with the cheapest fee or the one that their developer or consultant is familiar with because they’ve used it for a decade or more. Are you using the same cell phone you did 10 years ago? The cheapest fee could result in the highest actual cost or inefficiency. For example, most gateways do nothing to help merchants reauthorize after an authorization expires. That matters because even though the issuer may approve the transaction, it won’t qualify for the best rate, which could be half the cost of the non-qualified rate.

What is the best alternative payment gateway to ICVERIFY for a B2B company?

I’m not going to waste your time listing all the cloud payment gateways on the planet like First Data Payeezy, authorize.net, Payflow Pro, Paytrace, Cybersource, Orbital, 3Delta Systems, or 3DSI and their differences. Each has bits and pieces but none has the whole package of solutions B2B companies need. CenPOS is the only solution I know of today that will get merchants compliant with all these critical items:

  1. Comply with 2017 Visa stored credential framework and mandates. It’s complicated. CenPOS automates compliance with things like sending the merchant initiated or customer initiated use of stored credential flag.
  2. Eliminate paper credit card authorization forms with multiple digital ways to accept payments and store cards, including text and email. Sure, some gateways offer a hosted pay page, but can they generate a PCI Compliant authorization form automatically for those that still like paper?
  3. Automate authorization management, including the requirement for preauthorization and settlement match, and renew expired authorizations for card not present transactions.
  4. Automate compliance to qualify transactions properly for level 3 interchange rates for corporate, purchasing and business cards. Supporting level 3 is not enough, it’s complicated.
  5. Mitigate fraud risk with a layered approach, including supporting 3-D Secure, which shifts fraud liability to issuer.
  6. Encrypted Virtual Keypad (EVK) to reduce PCI Compliance scope and burden. (No card data touches your system for phone orders; avoid key logger dangers.)
  7. Audit trail as required for PCI. Every user, every touch. Available minimum 7 years.

What else makes CenPOS the best alternative payment gateway to ICVERIFY for a B2B company?

  • Graphically pleasing, easy to use. It’s like marrying the coolness of Apple design with an Amazon buying experience. People love it. Customers are happier (proven by our clients conducting their own studies).
  • Wire transaction support with electronic bill presentment and payment services. Stop the madness associated with matching deposits to invoices and getting paid the wrong amount.
  • Reports. Dynamic search and view online or download; robust custom reports, alerts and distribution. So much faster to research anything!
  • No capital investment. We make companies more profitable virtually overnight.
  • Deposits equal receivables, not net of fees. Other services are mixed. For example, the authorize.net echeck service takes its fees out of your deposit, so then you have to do some accounting magic to reconcile.

Will I be able to port over my existing data? Yes. Per PCI Compliance rules, merchants need to securely remove sensitive cardholder data from all systems. Qualified Security Assessor (QSA) companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. You can find one here https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors.

Ready to get started with CenPOS? Contact Christine Speedy right now at 954-942-0483.

Christine Speedy, CenPOS authorized reseller, 954-942-0483 is based out of South Florida and NY. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

Point of Sale for Heavy Equipment Rentals – Credit Card Processing Rules Changes 2017

Heavy equipment rental companies and dealers must make changes to comply with new Visa credit card acceptance rules. The sweeping changes to rental industry card acceptance rules were announced in October 2016, with April and October 2017 mandates for compliance.  The changes are complex and require cloud technology to automate compliance. Countertop terminals are not capable of compliance, and must be replaced.


Countertop terminals such as the FD130 and the Verifone VX520 are not capable of compliance for heavy equipment rentals, and must be replaced.

Visa rules changes include:

  • Defining who initiated the transaction (customer self-pay or merchant)
  • Transaction data sent
  • Authorization rules
  • Stored card rules
  • Customer communications.

Compliance will increase approvals and mitigate fraud risk. Failure to comply will increase the risk of financial losses and issuer declines while reducing EBITDA. These changes are significant, impacting chargeback risk and financial penalties for heavy duty equipment rental.

Visa compliant solutions:

The complexity of compliance with both card present and card not present rules requires a solution that can dynamically manage it, removing employees from making decisions that could impact profits. Everyone in the ecosystem must change: card issuer, acquirer (credit card processor), payment gateway and merchant. Whatever you had in 2016 was not compliant, since all the other players were not ready yet.

Merchants should update to a payment gateway that supports at a minimum:

  • Estimated, initial, incremental, and final authorization requests (traditional terminals cannot comply)
  • Authorization Reversals for unused authorization (amount changed)
  • Authorization validity periods
  • Stored credential rules
  • Creation and retrieval of customer opt-in records
  • Automated authorization and settlement amount matching (otherwise transaction downgrades to worst rate possible and other repercussions)
  • Verified by Visa, which uses the 3-D Secure protocol to shift fraud liability to the issuer, much like EMV does for retail.

The Verifone MX915 EMV chip terminal is an option to use in a compliant rental solution.
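The gateway requirements listed above (estimated or initial, incremental and final authorizations; reversal of the unused amount; validity periods; settlement matched to the authorization) describe one lifecycle. The following is an added example, not code from the page, from any gateway vendor or from Visa: a small model of that lifecycle with the checks a gateway would run before settling. The 30-day validity window, the function and field names, and the finding strings are assumptions chosen for illustration; the real validity limits and message formats come from the card brand rules the page references.

```python
# Added example (not from the page, any gateway, or Visa): minimal model of the
# rental authorization lifecycle. VALIDITY_DAYS, names and finding strings are
# assumptions for illustration only.
from dataclasses import dataclass, field
from datetime import datetime, timedelta

VALIDITY_DAYS = 30  # assumed authorization validity window; the card brand sets the real limit

# Finding labels returned by settlement_findings()
EXPIRED = "authorization expired: reauthorize before settling"
OVER_AUTH = "settlement exceeds authorized amount"
UNUSED_NOT_REVERSED = "unused authorization not reversed"
NOT_FINAL = "no final authorization on file"


@dataclass
class RentalAuth:
    opened: datetime           # time of the initial (estimated) authorization
    authorized: int            # cents currently held on the card
    estimate_flag: bool        # whether the initial auth was flagged as an estimate
    reversed: int = 0          # cents released back to the cardholder
    final: bool = False
    log: list = field(default_factory=list)

    def is_expired(self, now: datetime) -> bool:
        return now >= self.opened + timedelta(days=VALIDITY_DAYS)


def open_rental(now: datetime, estimate_cents: int, estimate_flag: bool = True) -> RentalAuth:
    """Initial authorization for the estimated rental charge."""
    rental = RentalAuth(opened=now, authorized=estimate_cents, estimate_flag=estimate_flag)
    rental.log.append(("initial", estimate_cents, "estimated" if estimate_flag else "exact"))
    return rental


def incremental_auth(rental: RentalAuth, now: datetime, extra_cents: int) -> None:
    """Raise the hold while the rental is still open (extended term, fuel, damage)."""
    if rental.final:
        raise ValueError("rental already finalised")
    if rental.is_expired(now):
        raise ValueError(EXPIRED)
    rental.authorized += extra_cents
    rental.log.append(("incremental", extra_cents, ""))


def final_auth(rental: RentalAuth, now: datetime, final_cents: int) -> None:
    """Bring the hold to the final amount: top up if short, reverse what is unused."""
    if rental.is_expired(now):
        raise ValueError(EXPIRED)
    if final_cents > rental.authorized:
        incremental_auth(rental, now, final_cents - rental.authorized)
    elif final_cents < rental.authorized:
        unused = rental.authorized - final_cents
        rental.reversed += unused
        rental.authorized -= unused
        rental.log.append(("reversal", unused, "unused"))
    rental.final = True
    rental.log.append(("final", final_cents, ""))


def settlement_findings(rental: RentalAuth, now: datetime, settle_cents: int) -> list:
    """Problems a gateway should block before sending the settlement."""
    findings = []
    if rental.is_expired(now):
        findings.append(EXPIRED)
    if not rental.final:
        findings.append(NOT_FINAL)
    if settle_cents > rental.authorized:
        findings.append(OVER_AUTH)
    elif settle_cents < rental.authorized:
        findings.append(UNUSED_NOT_REVERSED)
    return findings


DEMO_START = datetime(2017, 4, 1)  # constructed date for the walkthrough


def day(n: int) -> datetime:
    """n days after the constructed demo start date."""
    return DEMO_START + timedelta(days=n)


def run_demo() -> dict:
    """$500 estimate, $200 extension, $650 final bill: the unused $50 must be reversed."""
    rental = open_rental(day(0), 50_000)
    incremental_auth(rental, day(3), 20_000)
    final_auth(rental, day(5), 65_000)
    return {"authorized": rental.authorized, "reversed": rental.reversed,
            "findings": settlement_findings(rental, day(5), 65_000), "log": rental.log}


if __name__ == "__main__":
    print(run_demo())
```

Running the demo shows a clean settlement; calling `settlement_findings` on a rental that was never finalised, or after the assumed validity window, returns the findings a gateway would have to resolve (by reauthorizing or reversing) before the transaction qualifies.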

If you have a payment gateway, or need one, ask these questions:

  • How will you help us comply with the new Disclosure to Cardholder and Cardholder Consent rules?
  • What does the consent record look like?
  • How will we retrieve records?
  • How long are the records retained?

Contact Christine Speedy to get a compliant solution for your rental services needs. 954-942-0483. The ROI for most businesses is virtually overnight! Month to month risk free solutions.

Another change of note is that revisions have been made to split the “Other Fraud” dispute condition under Enhanced Dispute Resolution into separate conditions for Card-Present and Card-Absent Transactions, and to incorporate changes to the payment flow related to Disputes. For merchants that comply, it’s all good. For merchants that do not comply, there will be more risk of financial penalties and of issuer-initiated chargebacks. A key component to mitigate chargeback risk is support for Verified by Visa.

There are many nuances to the rules and potential chargeback reason code 72 risk, which was non-existent in the past. Rather than the consumer initiating a chargeback, the issuer will be within its rights to initiate a chargeback if the merchant fails to comply with the rules, for example by failing to submit the correct authorization flag for an estimate.

Reference: Visa Core Rules and Visa Product and Service Rules, 15 October 2016. See especially Table 5-14, 5-21, 5-22. https://3dmerchant.com/blog/merchant-bulletins-downloads

Resources:

• https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html see articles on Visa Stored Credentials mandate and updated revisions on Visa Stored Credentials framework

• Some acquirers put out statement alerts on their April, June and or July merchant statements.

See also, Visa Stored Credential Mandate.

Contact Christine Speedy to get a compliant solution for your rental services needs. 954-942-0483. You’ll be more profitable, efficient, and

MasterCard Bin 2 Series In Play: Declines and Fines

Previously, MasterCard announced a new card number BIN series, requiring everyone in the payment ecosystem to update in order to support the new card acceptance. Merchants need to update software and/or terminals to comply by the June 30, 2017 mandate deadline. The consequences are both transaction declines and heavy fines.

Credit card processing:

  • Traditional countertop terminals may need a software download; contact your processor.

    Verifone VX520

  • Point of Sale solutions or the payment gateway that drives terminals need to be updated. This may occur seamlessly in the background with no impact to merchants and nothing to download.

    Verifone MX915 EMV chip terminal

    Equipment & Payment Gateway NOT affected:

    • Authorize.net
    • BridgePay
    • Cayan
    • CenPOS
    • Clover
    • Ingenico w/ EMV Chip Card Technology
    • First Data w/ EMV Chip Card Technology
    • Future POS (Version 5.0.96.30)
    • Gravity Gateway
    • Lavu
    • Merchant Link
    • Micros
    • NMI
    • Payeezy
    • Paytrace
    • Shift 4
    • Shopkeep
    • Swipe Simple
    • USAePay/Gravity Link

    Credit Card Terminals Requiring a Software Update:

    • Apriva cellular terminal
    • FD 50 TI (Non EMV Chip Card)
    • FD 100 TI (Non EMV Chip Card)
    • FD 130 (Non EMV Chip Card)
    • FD 200 TI (Non EMV Chip Card)
    • Ingenico (Non EMV Chip Card)
    • Verifone VX520

    Credit Card Terminals Requiring Replacement: These terminals are end of life and cannot be updated.

    • All Hypercom Terminals
    • Fd 50 (non TI)
    • FD 100 (non TI)
    • FD 200 (non TI)
    • FD 300 (non TI)
    • VX 510
    • VX 570

Consequences for non-compliance with MasterCard Bin 2 Series

  • Mastercard Transactions for cards beginning with a 2 in the range of 222100-272099 will be declined.
  • If you do not update your software before the deadline, you will fall into a status of non-compliance. A non-compliant occurrence is defined as any attempted and failed transaction that is confirmed as failed due to a merchant’s lack of readiness to support 2-Series BIN transactions.
    • $2,500 per occurrence in the first 30 days.
    • Escalating up to $10,000 in the next 60 days.
    • Up to $20,000 per occurrence for the subsequent violations.

    These fines may be assessed per merchant location per failed transaction for not implementing support of the new cards.

    Fines will be pushed to acquirers. If acquirers are compliant, but the merchant is not, the fines will be passed down. If you’re sitting on old software and terminals, now is the time to change! It’s simple for MasterCard to identify non-compliance. Contact us for immediate help: keep your merchant account, get new compliant credit card processing technology.
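A non-compliant occurrence, as defined above, is a 2-Series card that a terminal or POS cannot recognise. The following is an added example, not code from the page or from any processor or terminal vendor, of a readiness check a merchant or integrator could run against their own acceptance logic before the deadline. It uses the 222100-272099 range stated in the mandate and, for contrast, Mastercard's long-standing 51-55 prefixes; the sample card numbers are constructed from BIN prefixes with a computed Luhn check digit and are not real accounts, and the `terminal_accepts` function is a stand-in for real terminal firmware.

```python
# Added example (not from the page or any processor): readiness check for the
# Mastercard 2-Series BIN range. Sample PANs are constructed, not real accounts.
TWO_SERIES = (222100, 272099)     # 2-Series BIN range stated in the mandate
LEGACY_SERIES = (510000, 559999)  # Mastercard's older 51-55 prefixes, as 6-digit bounds


def luhn_check_digit(partial: str) -> str:
    """Digit that makes partial + digit pass the Luhn test."""
    total = 0
    for i, ch in enumerate(reversed(partial)):
        d = int(ch)
        if i % 2 == 0:  # these positions are doubled once the check digit is appended
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return str((10 - total % 10) % 10)


def luhn_valid(pan: str) -> bool:
    return pan.isdigit() and len(pan) > 1 and luhn_check_digit(pan[:-1]) == pan[-1]


def make_pan(prefix: str, length: int = 16) -> str:
    """Constructed test number: prefix, zero padding, Luhn check digit."""
    body = (prefix + "0" * length)[: length - 1]
    return body + luhn_check_digit(body)


def bin_in(pan: str, rng) -> bool:
    """True when the first six digits fall inside the inclusive range."""
    return rng[0] <= int(pan[:6]) <= rng[1]


def terminal_accepts(pan: str, supports_two_series: bool) -> bool:
    """Stand-in for a terminal's acceptance logic before/after the 2-Series update."""
    if not luhn_valid(pan) or len(pan) != 16:
        return False
    if bin_in(pan, LEGACY_SERIES):
        return True
    if bin_in(pan, TWO_SERIES):
        return supports_two_series
    return False  # other brands are out of scope for this check


# Constructed attempts: both ends of the 2-Series range, one just outside each end, one legacy card
SAMPLE_PANS = [make_pan(p) for p in ("222100", "250000", "272099", "222099", "272100", "540000")]


def readiness_report(pans, supports_two_series: bool) -> dict:
    """Count 2-Series attempts the terminal would decline: each is a non-compliant occurrence."""
    attempts = [p for p in pans if bin_in(p, TWO_SERIES)]
    declined = [p for p in attempts if not terminal_accepts(p, supports_two_series)]
    return {"two_series_attempts": len(attempts), "non_compliant_occurrences": len(declined)}


if __name__ == "__main__":
    print("before update:", readiness_report(SAMPLE_PANS, supports_two_series=False))
    print("after update: ", readiness_report(SAMPLE_PANS, supports_two_series=True))
```

Each declined attempt in the "before update" report is one fine-bearing occurrence under the schedule above; after the update the same sample produces none. Because the check keys on the first six digits, it also catches the boundary cases just outside the range that should never be treated as Mastercard.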

Disclaimer: This list and accompanying information may be out of date at any time. Check with your acquirer for the most current information.


Mastercard Lane and Unique Terminal Identification (TID) Mandate

The Mastercard Unique Terminal ID mandate is another attempt to stem and more quickly identify fraud at merchants using integrated retail point of sale solutions. This mandate was announced back in 2013, and requires unique terminal identifiers for each independent card reading device at a single location, not to be confused with the acquiring TID.

Effective January 1, 2017, merchants who do not adhere to the MasterCard Unique Terminal ID mandate will fall into a status of noncompliance. Fines for non-compliance go into effect December 31, 2017. Multiple card-reading devices, such as PIN pads and terminals, connected to a single host terminal are each required to have a Unique Device ID to remain compliant and avoid potential fines from Mastercard.

MasterCard Fines will be assessed for each transaction that violates this mandate.

If you do not regularly update your POS software, as is also required for PCI Compliance, you’re probably not compliant with MasterCard and may be fined. Action: contact your POS provider for further information. Read your merchant statement messages for these and other critical alerts.
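Because the fine applies per transaction, a merchant can gauge exposure by checking whether any two card-reading devices at one location report the same terminal identifier. The following is an added example, not code from the page, from Mastercard or from any POS vendor, that runs that audit over a constructed transaction export. The CSV layout (location, device serial, terminal ID, amount) is an assumption for illustration; a real acquirer or POS export will use its own column names.

```python
# Added example (not from the page, Mastercard, or any POS vendor): find devices
# at one location that share a terminal ID. The CSV layout is constructed.
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample: location 0002 has two PIN pads reporting the same terminal ID.
SAMPLE_CSV = """location,device_serial,terminal_id,amount
0001,PP-A1,80010001,12.50
0001,PP-A2,80010002,7.25
0002,PP-B1,80020001,40.00
0002,PP-B2,80020001,15.10
0002,PP-B1,80020001,9.99
0003,PP-C1,80030001,3.00
"""


def load_records(text: str) -> list:
    """Parse the export into one dict per transaction."""
    return list(csv.DictReader(StringIO(text)))


def shared_tids(records) -> dict:
    """(location, terminal_id) -> sorted device serials, kept only where more than one device uses it."""
    devices = defaultdict(set)
    for r in records:
        devices[(r["location"], r["terminal_id"])].add(r["device_serial"])
    return {key: sorted(serials) for key, serials in devices.items() if len(serials) > 1}


def violating_transactions(records) -> list:
    """Every transaction sent under a shared terminal ID; fines are assessed per transaction."""
    shared = shared_tids(records)
    return [r for r in records if (r["location"], r["terminal_id"]) in shared]


def audit(text: str) -> dict:
    """Summary a merchant can hand to their POS provider."""
    records = load_records(text)
    shared = shared_tids(records)
    return {
        "locations_affected": sorted({loc for loc, _ in shared}),
        "shared_terminal_ids": {f"{loc}/{tid}": serials for (loc, tid), serials in shared.items()},
        "transactions_at_risk": len(violating_transactions(records)),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CSV))
```

The audit treats the acquiring TID and the per-device identifier as separate fields, as the mandate does: a location is flagged only when two distinct device serials are seen behind one terminal ID, and every transaction on that ID is counted toward the per-transaction exposure.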