Category Archives: EMV

B2B Credit Card Payments And EMV Technology

Posted on by
Reply

What’s the best EMV payment technology for business to business (B2B) merchants? Once the requirements are defined for non-EDI payments, the options are limited. Whether card not present only, or a mix of retail, phone, and ecommerce, B2B payments are different.

B2B Credit Card Payment Minimum Requirements.

  • Tokenization to store credit card, and possibly check and wire data
  • Level 3 processing (significantly reduces merchant fees through lower qualified interchange rates)
  • Payment optimization to qualify transactions properly. For example, if merchant does a pre-authorization, and captures at a later date, certain rules need to be met to avoid higher non-qualified interchange rates.
  • 24/7 payment options for customers to serve multi-time zone and increase security

EMV Terminals for B2B.

There are no desktop or countertop terminals that support level III processing, and that won’t change. These terminals are programmed with the acquirer instructions via download, and less frequently, may be connected to Point of Sale (POS) software.

To meet the minimum B2B requirements, a payment gateway is required. Merchants process transactions by accessing a virtual terminal via a secure web page, or with an integrated software solution. The gateway must certify level III processing for each card brand, and EMV, and the specific terminal, for each acquirer.

For example, CenPOS has certified the Verifone MX915 to TSYS, with P2P encryption, level III processing. Most acquirers and banks support TSYS as a way to connect to their platfor; for example, First Data, Chase Paymentech, and Bank of America Merchant Services. To date, no other gateway has certified level 3 processing for retail and EMV. The difference for distributors is huge; it’s not uncommon to reduce merchant fees an average of 30%.

Pending Certifications

Exercise caution on claims of pending certifications, if the solutions provider:

  • Doesn’t have any certifications to date, after a year or more to prepare.
  • Has never had level III processing for retail certification
  • Does not offer a way to automate interchange management in a mixed retail & card not present environment, or for card not present only

 

 

 

EMV chip and pin liability shift hidden merchant risk

Posted on by
Reply

EMV terminal and EMV technology selection can impact merchant liability depending on chip and pin capabilities and management of them. Use this information to ask key questions before selecting an EMV solution.

Liability shift for stolen cards for MasterCard, American Express, and Discover

  • If the card is chip & sign, and the terminal is EMV only, the card issuer is liable
  • If the card is chip & pin, and the terminal is EMV only, the merchant is liable
  • If the card is chip & pin, and the terminal is EMV with pin, the issuer is liable

What if the terminal supports EMV & pin, but the customer does chip & sign? The merchant is liable.  Acquirers generally support chip and pin bypass to chip and signature. The only way to effectively manage liability is to steer customers to the action protecting the merchant.

emv fraud liabilityTerminals may be able to be programmed to disable pin bypass; First Data ships terminals with PIN bypass disabled.

  • Integrated payment gateways and and standalone virtual terminals can also drive terminals; because the terminals have no programming, the payment technology must have the capability to dynamically determine the best way to process, and prompt the consumer to the actions allowed. This is a tall order for most gateways, as they do not have that type of dynamic capability, and or, the gateway may not have the needed EMV certification. CenPOS disables the consumers ability to select signature over pin at the POS.

The entire EMV transaction process is certified. If an EMV certified terminal, including integrated or non-integrated payment gateway with terminal, doesn’t support the option to require chip and pin when the card issuer supports it, merchants need to weigh the associated financial risks.

 

NAFCU to House Small Business Committee: EMV Not a ‘Silver Bullet’ to Broader Problem of Data Security

Posted on by
Reply

NAFCU to House Small Business Committee: EMV Not a ‘Silver Bullet’ to Broader Problem of Data Security

Washington (Oct. 7, 2015) – State Department Federal Credit Union President and CEO Jan Roche will testify today on behalf of the National Association of Federal Credit Unions (NAFCU) before a House Small Business Committee hearing on how credit unions are protecting consumers in the payment system, the impact of the EMV transition and what steps are needed to better protect consumer financial data moving forward. Roche is telling lawmakers that EMV “is not a ‘silver bullet’ to the broader solution of data security” and is urging action from Congress to enact H.R. 2205, the “Data Security Act of 2015.”

“NAFCU urges Congress to modernize data security laws to reflect the complexity of the current environment and insist that retailers and merchants adhere to a strong federal standard in this regard,” Roche says in her prepared testimony.

Roche, whose credit union is headquartered in Alexandria, Va., is testifying before the House Small Business Committee in today’s hearing, “The EMV Deadline and What it Means for Small Businesses,” which began at 11 a.m. Eastern.

NAFCU’s Participation in Data Security and Cyber Initiatives

Roche highlights NAFCU’s involvement in various industry and government payments, data security and cyber initiatives. NAFCU is a member of the Payments Security Task Force, a diverse group of participants in the payments industry that is driving a discussion on payments system security. NAFCU is also a member of the Financial Services Sector Coordinating Council and the Financial Services Information Sharing and Analysis Center, which work on infrastructure cybersecurity.

The EMV Transition

The EMV transition deadline established by the four major U.S. credit card issuers (Mastercard, Visa, Discover and American Express) was Oct. 1 of this year. Roche says that her credit union “was an early adapter to the U.S. transition, first issuing EMV cards in June of 2012 for new cards and replacements for lost and stolen cards. Our credit card portfolio of over 28,000 cards is now 100 percent EMV.”

“It is important to note that the EMV transition in the U.S. is a voluntary one established by the market, and not a government mandate,” says Roche. Consumers remain protected in the new system as “all credit cards have zero-liability provisions for consumers, and the Electronic Funds Transfer Act limits consumer liability for any fraud on debit cards.”

A NAFCU study of its members found that a majority of credit unions are ready for the EMV transition and are issuing EMV credit cards to members as they issue new cards or replace oldmagnetic strips. “There is a greater cost for an EMV card for credit unions,” Roche says. She states that at her credit union, the cost (not including staff costs, set-up and postage) to produce a non-EMV card is approximately $3.04 and to produce a new EMV card it is approximately $5.81.

A study released by the Strawhecker Group on Sept. 17 of this year reported only 27 percent of merchants were going to meet the EMV deadline. “We believe that successful protection of the payments system requires all parties to be actively involved and hope that these businesses will work with the financial services community to recognize their role in making the payments system safer,” says Roche.

The PIN Debate

Roche discusses the debate among some that the EMV transition should have included a PIN mandate so consumers would be required to enter PINs for each transaction. “Imposing such a mandate or requirement would be unrealistic and would not be a panacea for the problem of data security,” Roche says. “It is the chip technology that makes new cards secure, not the PIN or signature.”

Roche states, “A truly secure payments system must be one that is constantly evolving to meet emerging threats and uses a wide range of dynamic authentication technologies – EMV, tokenization, encryption, biometrics and more.”

Credit Unions and Consumers Suffer from Data Breaches

A survey of NAFCU-member credit unions found that respondents were alerted to potential breaches an average of 164 times in 2014; two-thirds of respondents said they saw an increase in these alerts from 2013. In response to merchant data breaches that took place last year, 88.5 percent of credit union respondents said they notified a member; 65.4 percent issued new cards at a member’s request; and 57.5 percent placed a fraud alert on a member’s account.

“A credit union faces potential fines of up to $1 million per day for compliance violations,” says Roche. “In contrast, retailers are not covered by any federal laws or regulations that require them to protect the data and notify consumers when it is breached.”

Consumers are also the victims of data breaches. “Data security breaches are more than just an inconvenience to consumers as they wait for their plastic cards to be reissued,” says Roche. “Breaches often result in compromised card information leading to fraud losses, unnecessarily damaged credit ratings, and even identity theft.”

Credit Unions and the Gramm-Leach-Bliley Act

Credit unions and financial institutions have been subject to strict data security standards since the passage of the Gramm-Leach-Bliley Act in 1999. “Under the rules promulgated by the NCUA, every credit union must develop and maintain an information security program to protect customer data,” says Roche. “Additionally, the rules require third-party service providers that have access to credit union data take appropriate steps to protect the security and confidentiality of the information.” Roche states the “GLBA and its implementing regulations have successfully limited data breaches among credit unions.”

Preventing Future Data Breaches

NAFCU has long argued for a national data security standard for retailers and merchants similar to what credit unions already comply with under the GLBA. In addition, NAFCU has developed a number of key principles that should be considered and incorporated into the data security debate. These include:

Payment of breach costs by breached entities
National standards for safekeeping information
Data security policy disclosure
Notification of the account servicer
Disclosure of breached entity
Enforcement of prohibition on data retention
Burden of proof in data breach cases
While some have argued that voluntary industry standards should be the solution, the recently released Verizon 2015 Payment Card Industry Compliance Report found that four out of every five global companies fail to meet the widely accepted Payment Card Industry (PCI) data security standards for their payment card processing systems.

Legislative Solutions

NAFCU urges Congress to support H.R. 2205, the “Data Security Act of 2015,” introduced by Reps. Randy Neugebauer, R-Texas, and John Carney, D-Del. This bipartisan legislation “creates a national data security standard that is flexible and scalable, does not mandate static technology solutions and recognizes those who already have a working standard under the GLBA,” Roche says.

The National Association of Federal Credit Unions is the only national trade association focusing exclusively on federal issues affecting the nation’s federally insured credit unions. NAFCU membership is direct and provides credit unions with the best in federal advocacy, education and compliance assistance.www.nafcu.org.

###

Credit Card Processing and EMV For Business to Business

Posted on by
Reply

Are business to business merchants being steered to expensive EMV credit card processing solutions? Yes. Too many banks, acquirers and software companies have limited EMV terminal solutions, and none of them are the best solution for business to business (b2b) companies that have a retail component.

Critical Credit Card Processing Needs for Business to Business

  1. Level 3 processing to reduce merchant fees. level 3 interchange rates
  2. Card not present risk mitigation for key entered and online payments, including securing card data collection, and preventing fraud.
  3. Token billing to securely store card data for variable recurring billing.
  4. Flexibility to collect payments from multiple sources and multiple payment types.

Common B2B EMV terminal solutions

There are two types of terminals. The most common type has software loaded on the terminal. For example, the Verifone VX520 with Vx820 EMV & NFC pinpad.

Verifone VX520 VX805 EMV terminal

Verifone VX520 with VX805 EMV terminal

The second type requires an internet connection to a payment gateway. The gateway  manages the terminal, which is essentially a slave to the gateway.

ingenico isc250 signature capture terminal

ingenico isc250 touch signature capture terminal with EMV and NFC.

The first option above doesn’t meet any of the critical B2B needs, yet is the most common solution offered to every company, without regard to business type. The second option is capable of meeting critical B2B needs, but only if the payment gateway supports them.  The only payment gateway with EMV certified terminal and level III processing retail certification is CenPOS. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS’s secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships. 3D Merchant Services is an authorized CenPOS reseller.

Business to business merchants with a retail business element are advised to consult with a payments expert who offers level III processing for retail. The rest doesn’t matter if this need cannot be met, so it’s an easy way to differentiate those who are selling whatever they have to offer and those who are solving problems to make your business more profitable.

Which acquirers are ready to accept chip card transactions on EMV certified terminals today?

Posted on by
Reply

emv smart cardUnofficial list of acquirers for retail merchants who want to be EMV Compliant by October 1. As merchants and industry sales people are discovering, not all processors are ready. For those merchants that want to be EMV Compliant to accept chips cards for the liability shift, this is a huge problem.

This list is to help avoid confusion about getting you ready vs getting you EMV enabled.

Every acquirer,  terminal manufacturer, and industry reseller has language in their marketing materials about ‘getting you ready’. And that’s exactly what will happen. Merchants who install EMV capable terminals or Point of Sale systems will be ‘ready’ for when everyone (equipment manufacturer, acquirer, POS or gateway, as applicable) completes their certification.

EMV Compliant: Merchant has certified EMV terminals and their merchant account has been EMV enabled to accept chip cards.

10 largest merchant acquirers of 2013 were:

1. Bank of America
2. Chase Paymentech Solutions
3. First Data
4. Vantiv
5. Elavon
6. Wells Fargo Merchant Services
7. Citi Merchant Services
8. Global Payments
9. Heartland Payment Systems
10. WorldPay

In no particular order, this is a list of acquirers supporting terminal options for merchants to get EMV enabled. There’s one big provision. Acquirers have multiple transaction processing platforms. A merchant could be on a platform that’s not EMV capable yet, though the acquirer has another EMV capable platform. Additionally, the certified terminal solution may require a third party gateway. If changing processors, confirm with the acquirer, Independent Service Organization (ISO), or bank that they can accept chip cards immediately. To make the list, the terminal must support contact EMV debit and credit at a minimum.

Merchant acquirers with EMV Compliant solution today with countertop terminal:

  • First Data- FD50, FD100, FD200 series with FD35 required; FD130, FD130 DUO with FD35 required. Note, all terminals require specific application revision.

Merchant acquirers with EMV Compliant solution today with multi-lane terminal:

Multi-lane signature capture terminals require a payment gateway. To List of integrated solutions vendors and their certifications:

  • CenPOS certified Verifone MX 915 to First Data
  • CenPOS certified Verifone MX 915 to TSYS

Merchant acquirers with EMV Compliant solution today with mobile terminal:

  • ChargeAnywhere certified Miura Shuttle M006 & M010 to First Data
  • Highline retail cloud software certified VeriFone E315/E335 PINPAD to First Data. Requires using Highline all-in-one- POS software and merchant services.

TSYS offers transaction processing products and solutions to financial institutions, including banks and acquirers, among other services. For example, a bank may use both TSYS and First Data in their merchant services environment. TSYS is available as a connection option to most if not all the big acquirers. Bottom line: if your acquirer does not have the EMV certified terminal desired, TSYS may be the solution to more choices. Ask the EMV solution provider, not the acquirer questions, because the acquirer is less likely to know anything about products and services they don’t sell.

Resources:

Acquirer, Payment Gateway and POS Solutions Provider EMV Roadmap- Links to the related EMV certification list and or schedule for EMV certification. Bookmark this page now!

  • authorize.net – scroll down the page ETA support dates are 2016; no equipment specifics listed. Note: NFC payments also not supported yet.
  • Shift4 emv roadmap – the 3rd graphic is completed certifications; none in US to date.

Sales contacts: 3D Merchant Services offers EMV compliant solutions, including CenPOS, for retail merchants with $1M minimum annual processing; new merchant account may not be required.

Data Source: Web sites, acquirer bulletins to industry, Linkedin –  I maintain this subject for open comment on the Linkedin US EMW discussion board with over 3,500 members, mostly industry insiders. Recommended reading- EMV handbook for merchants by Verifone. It has a great Q&A section.

Have an addition or update? Please add your comments!