PCI Security Standards Council Extension of PCI PTS POI v3 Devices

PCI Security Standards Council Bulletin: Extension of Expiration of the Approval of PCI PTS POI v3 Devices, March 10, 2020.

Due to supply-chain disruptions related to the coronavirus, the PCI Council has extended the expiration date of PIN Transaction Security Point-of-Interaction (PTS POI) v3 devices from 30 April 2020 to 30 April 2021.

For those countries and entities not impacted by the coronavirus, we strongly encourage the deployment and use of next generation solutions such as devices approved to PTS POI v4 or v5 and migrating to POI v6 devices when the standard is released later this year.

On advisement from our industry stakeholders, the Council has determined the preventive controls to stop the spread of the coronavirus will impact previously planned rollouts of POI v3 devices. While recognizing that earlier versions of POI devices may be less robust in withstanding certain of the latest generations of attacks, we do not believe that this limited one-year extension of the approval expiry date for POI v3 devices will materially impact that risk.

The PCI SSC advises merchants, financial institutions, vendors and other users of PTS POI v3 devices, specifically v3 PEDs (PIN entry devices), non-PEDs, EPPs (encrypting PIN pads), UPTs (unattended payment terminals), and SCRs (Secure Card Readers) to contact their device vendors regarding the availability of more recently approved models to use as replacements and in new deployments. Effective 30 April 2021, the affected devices will be removed from the approved POI devices list on the PCI SSC website and listed separately here.

Here are examples of credit card terminals whose PCI PTS 3.x approval expires April 30, 2021:

  • Vx525 - Hardware #: M252-5xx-xx-xxx-3
  • Optimum M-5 (Verix)
      • M465-x7x-xx-xxx-3
      • M465-x8x-xx-xxx-3
      • M465-x9x-xx-xxx-3
  • SCR-710, Mx760 SCR
      • P090-719-30-RB
      • SUB090-004-01-A
  • FD55 - M252-1xx-x3-FD1-3
  • VX 690, VX 690B
      • M260-x1x-xx-xxx-3
      • M260-x1x-xx-xxx-3B
      • M260-x1x-xx-xxx-3C
      • M260-x1x-xx-xxx-3D
      • M260-x5x-xx-xxx-3
      • M260-x5x-xx-xxx-3B
      • M260-x5x-xx-xxx-3C
      • M260-x5x-xx-xxx-3D
  • Vx600 Bluetooth / MPM-100
      • M087-241-xx-xxx-3
      • M087-241-xx-xxx-3a
      • M087-251-xx-xxx-3
      • M087-251-xx-xxx-3a
      • M087-261-xx-xxx-3
  • Vx825
      • OP: 2.x.x
      • QT830017
      • QT830106
      • QT830109
      • QT830120
      • QT830240
      • QT830241
      • QT830245
      • QT830246.xxxxxxxx
      • QT830340
      • QTyy0400.xxxxxxxx
      • QTyy0500.xxxxxxxx
      • QTyy0530.xxxxxxxx
      • QTyy0540.xxxxxxxx
      • QTyy520.xxxxxxxx
  • Vx675 (VOS)
      • M266-x7x-xx-xxx-3
      • M266-x8x-xx-xxx-3
      • M266-x9x-xx-xxx-3
  • IWL220, IWL250 - IWL2xx-01Txxxxx
  • IPP220, IPP280 - Hardware #: iPP2xx-01Txxxxx
  • ICT220, ICT250 - Hardware #: iCT2xx-11Txxxxx
  • iCMP - Hardware #:
      • ICMxxx-01Txxxxx (Non CTLS)
      • ICMxxx-11Txxxxx (CTLS)
      • ICMxxx-21Txxxxx
      • ICMxxx-31Txxxxx
  • Ingenico iSC 250 & TOUCH 250 - Hardware #:
      • iSC2xx-01Txxxxx
      • iSC2xx-21Txxxxx
      • iSC2xx-31Txxxxx
  • ISC Touch 480 - Hardware #:
      • ISC4xx-01Txxxxx (no CTLS)
      • ISC4xx-11Txxxxx (CTLS)
  • iPP310, iPP320, iPP350
  • FD130 - Hardware #: T0PXXXXB1CXX4X

Ingenico is a good example of varying PCI PTS versions within the same model: for example, there is an Ingenico iSC TOUCH 250 that is PCI 4.0 certified.

For a complete list, see the PCI Security Standards Council (“PCI SSC”) List of Validated Products and Solutions: https://www.pcisecuritystandards.org/assessors_and_solutions/pin_transaction_devices?agree=true

What happens if you continue using an expired terminal?

  • If there is a data breach, the cost of which typically exceeds $1 million, you’ll have no safe harbor because you used expired equipment.
  • Your acquirer could shut you down at any time. They know what type of equipment you have because when your account is established they create a communication connection (TID or terminal identification). It’s happened before. I picked up four new clients in one month that were all shut down by their processor for using outdated equipment and/or software. They were left with no way to process at all and felt they should have been contacted to make a change before it happened.

Where can you buy a new terminal?

Buy one from Christine! Never buy a terminal on eBay or from any unknown source. Terminals should ship directly from an authorized entity that also does PIN debit encryption. Never let a salesperson or any non-employee install your credit card terminal unless they are PCI Council QIR certified; Level 4 merchants are mandated to only use QIR individuals. The QIR designation belongs to individuals, not companies.

Disclaimer: This is not a comprehensive list and does not include all related data for individual products. Merchants should review current information at the PCI Council web site, pcisecuritystandards.org.

Call Christine Speedy for all your merchant account, hardware and virtual terminal needs. 954-942-0483, 9-5 ET. Christine is Founder of 3D Merchant Services, PCI Council Qualified Integrator Reseller (QIR), and is a credit card processing expert with specialized expertise in card not present and B2B payment processing technology. Less than 1% of all merchant services sales representatives are QIR certified. Christine is an authorized independent sales agent for a variety of merchant services and payment technology solutions.

U.S. Bank earns No. 1 position in J.D. Power Merchant Services Satisfaction Study for 2020

The bank also had the highest ranking in two key categories

U.S. Bank has earned the top spot in the inaugural J.D. Power U.S. Merchant Services Satisfaction Study for 2020, with an overall score of 882. In addition to the top overall satisfaction ranking, U.S. Bank had the highest ranking in two key categories: cost of service, and security and chargeback management.

U.S. Bank utilizes Elavon, its global merchant processing subsidiary, to complement the services it provides to small business owners for accepting payments in stores, online and by mobile device. 

“It is gratifying to see that our customers are satisfied with the experience they have with U.S. Bank,” said Shailesh Kotwal, vice chair and head of Payment Services at U.S. Bank. “Our employees are focused on the customers, listening to their needs and delivering a unified experience whether it’s a bank account, merchant processing, a loan or a combination of services, with the speed and security they deserve and expect.”

J.D. Power also found merchants that utilize eCommerce as their primary sales channel have higher satisfaction. U.S. Bank has been investing in its Elavon business with the specific intent to enhance the eCommerce experience and integrate payment capabilities with software that businesses use for other purposes, such as inventory or payroll. 

In the last 18 months, U.S. Bank and Elavon have announced acquisitions of Electronic Transaction Services (ETS) in Virginia, CenPOS in Miami, talech in Palo Alto, Calif., Payius in Sweden and Sage Pay in the UK. Elavon also became part owner in Poynt, a smart terminal provider that can accept multiple forms of payment and integrates with other software to provide useful data to the business. 

“We’re fortunate to have a strong Payments business and deep experience in this industry,” Kotwal said. “U.S. Bank is a great choice for businesses looking for a financial partner that understands their needs and has capabilities to help them take money in and make payments to their vendors quickly and seamlessly.”

About U.S. Bank

U.S. Bancorp, with more than 70,000 employees and $495 billion in assets as of December 31, 2019, is the parent company of U.S. Bank National Association, the fifth-largest commercial bank in the United States. The Minneapolis-based bank blends its relationship teams, branches and ATM network with mobile and online tools that allow customers to bank how, when and where they prefer. U.S. Bank is committed to serving its millions of retail, business, wealth management, payment, commercial and corporate, and investment services customers across the country and around the world as a trusted financial partner, a commitment recognized by the Ethisphere Institute naming the bank a 2019 World’s Most Ethical Company. Visit U.S. Bank at usbank.com or follow on social media to stay up to date with company news.

Contact
Teri Charest, U.S. Bank Public Affairs and Communications
612.303.0771, teri.charest@usbank.com

3 Things Accountants Must Advise B2B Clients in 2020

Credit card processing may be a big part of the revenue stream or a small part. It doesn’t matter. B2B companies all suffer from the same issues that impact EBITDA and risk: compliance, cost and security. It’s fair to say most businesses have no idea what the hot buttons or repercussions are.

Three things every B2B company needs to know about credit card processing right now:

  1. If you store credit cards, you must be compliant with Visa Stored Credential Framework. I posted this in 2017. Guess what? Most payment gateways (if you accept payments online from an invoice or any other source, a payment gateway is involved) are still not compliant! There are significant financial and risk consequences for non-compliance, including penalty fees, fines, and issuer generated chargebacks.
  2. Failure to settle transactions with a proper authorization will be even more expensive starting in April 2020. For example, many Visa credit card rates will go to 3.15%, reflecting upwards of 0.75% increase in some cases; that’s strictly interchange fees, nothing more. Instead of assuming you’re already settling properly, go to your merchant statement and look for DATA RATE I (instead of Data Rate III), STD/Standard, and EIRF. Do you have any of these? See also https://3dmerchant.com/blog/merchant-processing-services/credit-card-transaction-fees-checkup
  3. It’s a Visa rules violation to request the card security code on a paper credit card authorization form, or any digital form where the business can decrypt and view it. It can’t be stored, period. Not by the merchant nor service provider, including payment gateway. Yet even the AICPA

Why these 3 things? Because 100% of B2B companies I talk to will fail on at least one, and usually two or three. That includes CPA firms. Among the American Institute of Certified Public Accountants’ missions is to provide “the most relevant knowledge, resources” etc. Yet as of this writing, AICPA affinity credit card processing partners include a long list of technology solutions that are not compliant with all three of the above.

86% of all data breaches in 2016 were from level 4 merchants, defined as “Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.” By complying with the three items on my list, B2B companies will harden their systems and increase profits. The latter occurs because compliance with rules reduces fees. 

If your current acquirer could truly fix all the problems above, why haven’t they taken the initiative to help you in the past? By the way, if someone ever says they help you qualify for level 2 rates, run! All B2B companies should have the right technology to qualify for level 3 rates. Why pay more?

Christine Speedy, 954-942-0483. For a fast, free checkup on your merchant account, contact us today for a secure, cloud-based solution optimizing acceptance for all payment types across multiple channels without disrupting banking relationships.

New Visa SaaS subscription rules for trial periods

Effective April 18, 2020, merchants must comply with new Visa subscription billing terms and conditions. These are, once again, big changes that merchants must take action on to comply with. The payment gateway will be critical, and not all are ready to meet the new technology requirements for authorization and receipts.

Who do the new Visa rules apply to?

  • All merchants globally
  • Merchants that offer a free or discounted introductory offer as part of a subscription service

What are key Visa SaaS subscription changes?

  • Merchants must get express consent to enter into an agreement for recurring billing. For example, for an online purchase, a checkbox agreeing to the terms is acceptable.
  • Notification via text, email, or other agreed-upon method (not realistic for most businesses) of the subscription terms, including start date, product/service details, billing frequency, billing start date, and link to cancel.
  • Notification at least 7 days in advance of the expiration.

Revised sale transaction receipts are required.

  • Details to include length of trial period, introductory offer, or promotional period, and notice the cardholder will be charged unless the cardholder takes steps to cancel.
  • Date it starts, even if no payment is due, and date subsequent recurring transactions begin.
  • A link to cancel or other simple method.

Payment gateway and settlement changes to support the new Visa authorization are required.

Many payment gateways are not yet compliant with the October 2017 stored credential mandate, and they won’t be ready with this either, as it is not a simple update.

  • A new descriptor, “trial” or similar, must be sent with the Merchant Name field of the Clearing Record for the first transaction at the end of a trial period. This descriptor will then appear on cardholder statements, online banking etc.

“This is another huge change that most merchants will probably have difficulty complying with because of outdated payment gateways,” according to Christine Speedy, 3D Merchant Services payment gateway expert.

Merchants must make it easier to cancel recurring billing.

This is actually an extension of rules and recommended changes over the last few years. For example, if a customer signs up online, they should be able to cancel online, not have to call on the phone. The new rule now says regardless of where they signed up, retail store or other, they must be able to cancel online.

Visa expands cardholder dispute rights for subscription billing via existing condition “Misrepresentation”.

Basically, merchants need to be able to prove that the cardholder expressly opted in, and that they notified the customer before processing after the trial period.

Visa will actively monitor trial period compliance.

This is huge. While they don’t state how, the advances of Artificial Intelligence (AI) make it fairly easy. Additionally, merchants that are using recurring billing properly already notify the parties in the financial ecosystem that they are doing recurring billing via the 2017 recurring billing stored credential changes.

What are the merchant benefits of complying with Visa rules?

Merchants can expect increased authorization approvals, better rate qualification (higher profits), and increased customer satisfaction. Merchants avoid getting shut down, fined, assessed fees, penalty fees and also reduce customer service bandwidth.

DISCLAIMER: condensed and incomplete information. Information may be quickly outdated. Follow links from our Merchant Rules web page here or click here to download Visa’s PDF with review and quick reference card. Two page PDF, 675kb.

Call Christine Speedy for compliant payment gateway solutions to maximize profits and improve your customer experience. 954-942-0483, 9-5 ET for all your recurring billing and stored credential payment gateway and virtual terminal needs.

Verifone PCI 3 End of Life Terminals

Did you know terminals have their own Payment Card Industry or PCI certification? The standards are part of the overall merchant requirements to maintain the security of cardholder data. Those rules change over time and a bunch of Verifone equipment is expiring, including the popular Vx520 countertop terminal and Vx820 pinpad.

Last August, Verifone issued end of life notification on their PCI 3 range of payment devices in compliance with the PCI Security Standards Council PCI 3 expiration date of April 30, 2020. Often merchants will get notifications like this from their acquirer on their merchant statement.

Which Verifone terminals are impacted?

  • Vx520, VX510, VX570
  • Vx805 – M280-703-0X-XXX-X
  • Vx820 pin pad
  • Vx675, Vx680, Vx685, Optimum M5
  • Mx915 (PN 132-XX…), Mx925 (PN 132-XX…)
  • H5000
  • This list does not include all devices! Merchants should check with their providers especially if using a non-EMV device or if you were an early EMV chip adopter.

What does End of Life mean?

  • Final date for new terminal sales (fall 2019)
  • End of Development - Improvements or changes have stopped
  • End of Support Date - Verifone will not issue software updates after April 2020, except that, until April 2023, they will continue to provide error corrections for Severity 1 (Critical) software errors, including security vulnerabilities.
  • End of Service Date - April 2023. Verifone will honor any extended support contracts to their term. Subject to component availability and other factors, Verifone will also continue to provide repair.

(PCI) PIN Transaction Security (PTS) v4 expires April 30, 2023. PCI PTS v5 expires April 30, 2026.

Are merchants PCI Compliant if they continue to use PCI 3 terminals after April 2020? The PCI Council urges but does not mandate merchants use approved PTS devices in their payment environments. However, in our experience, between payment brand and acquirer requirements, merchants generally need to use only approved PTS devices or risk getting shut down. Research expiration dates of terminals on the PCI Council web site. I’d be concerned about liability and the ability to prove PCI compliance, especially in the event of a data breach. Verifone will not issue software updates or provide development support after April 2020. If security vulnerabilities or exploits are identified by the processors after April 2020, and you’re using the terminals, who’s to say when or even if a solution could be found to fix it?

How disruptive would it be for your business to have to shut down using them and get another solution? There are always people who procrastinate making changes. And when something goes wrong, phone calls to processors explode, so change is usually not as swift as you’d like.

Note, only employees and PCI QIR certified individuals can install or touch your credit card terminals. Terminals are one of the most important factors determining rates you pay and chargeback risk. Why? Call now to learn more. This is the perfect time for an external account review by a payments expert.

TIP for Christine Speedy Verifone Mx915 customers: If you have a part number that starts with “PN 132”, replace the terminal. If you were an early adopter and had your terminals deployed prior to the EMV chip liability shift in October 2015, there’s no need to check part numbers; they need to be replaced. Please contact me directly to consult on replacement options.

Call Christine Speedy, PCI QIR certified, for new PCI 5 terminals, technology review and/or merchant account review to maximize profits and improve your customer experience. 954-942-0483, 9-5 ET