Are You Compliant? B2B Credit Card Processing Fact Check

Merchant compliance with various credit card processing rules maximizes profits while mitigating risk. This is especially true for business to business companies. But that task is getting harder and harder with the onslaught of new rules, and virtually impossible if not using a sophisticated cloud solution to help manage compliance.

b2b visa stored credentialIf your B2B company stores credit cards, there’s a pretty good chance you’re not compliant. For example, Visa’s 2017 Stored Credential Transaction framework (PDF download from Visa) outlines merchant responsibilities to obtain customer consent as well as storing credit cards, using stored credentials (token), and managing stored tokens. Failure to comply with Authorization rules, for example preauthorization and final settlement do not match, has far-reaching consequences including higher interchange rates (the bulk of credit card processing fees), penalty fees and new chargeback risks. With so many new rules across multiple card brands that vary based on business and transaction type how can a business quickly ascertain if they’re compliant?

Quick tips to validate compliance:

  1. Is cardholder authentication performed when a new card is stored? When the cardholder data is entered and submitted, the issuer responds with an approval or declined message. A small charge is not an acceptable practice to submit transaction for approval; instead a zero dollar authorization request for authentication is submitted. If authentication is via 3-D Secure -Verified by Visa, MasterCard Secure Code, whereby the customer self-authenticates vs merchant initiating, reduced rates may apply. Under the new rules, two transactions occur at the time a card is stored. Compliant answer is yes.
  2. Is a transaction receipt delivered to customer when you store a credit card? This will be either for an amount or a zero dollar authorization. When stored credit card credential (token) is created, a transaction receipt is generated with the approval or decline and other mandatory fields. Compliant answer is yes.
  3. Does the receipt include “RECURRING” or “REPEAT SALE” for token transactions? Compliant answer is yes.
  4. Review merchant statements, usually the last 1-2 pages with the heading “pending interchange” or “fees” section. Do you see EIRF, STANDARD (STD), or DATA RATE I? Compliant answer is no.
  5. Can you produce documentation of customer consent to store their card (including with 3rd party service) and how it will be used?

If you’re not in compliance, your payment gateway is the most likely culprit, followed by ERP or other software integration limitation. I can fix that.

Reference: Links for all Card brands.

Need help getting compliant?

Call Christine Speedy, , for simple solutions to complex payment transaction problems, 954-942-0483, 9-5 ET. CenPOS authorized reseller based out of South Florida and NY. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

3dcart and CenPOS Payment Gateway Partner To Grow B2B Vertical

Miami, FL April 23, 2018. The business-to-business (B2B) e-commerce sales channel presents new opportunities and challenges, particularly with increasingly complex credit card processing requirements. 3dcart, a leading e-commerce platform, has partnered with CenPOS, an integrated technology commerce platform. The CenPOS ‘Super Payment Gateway’ maximizes profits while mitigating the higher dollar value transaction risk in the B2B vertical.

Payment gateways directly impact the cost of credit card acceptance, including interchange fees, the bulk of merchant fees. The CenPOS 3dcart integration offers all the required elements to qualify B2B transactions for the lowest rates possible, including:

  •  Level 3 data for purchasing, corporate and business cards
  • Resolve authorization and settlement amount mismatch
  • Visa unscheduled, recurring, and installment stored credential mandate compliance
  • 3-D Secure – Verified by Visa, MasterCard SecureCode, American Express Safekey and Discover ProtectBuy

“Our first mutual customer reduced fees over 30% just by changing their payment gateway,” commented Christine Speedy, CenPOS sales expert for 3dcart users. “Both our customers can expand into new markets while maximizing profits, security and compliance.”

“With the CenPOS integration, we expand the payment solutions offered by 3dcart to provide existing and prospective customers globally an additional alternative to how they process credit cards today, with any acquirer they choose,” stated Gonzalo Gil, 3dcart CEO.

The 3dcart CenPOS integration currently supports credit card, EFT/echeck with and without guarantee, Paypal and alternative payment methods. CenPOS POS and mobile and are available standalone now and will be integrated in the future to provide 3-D Cart customers a validated point to point encryption (P2PE) option. A validated P2PE solution significantly reduces merchant scope for PCI Compliance. CenPOS also includes to all 3dcart customers their electronic bill presentment and payment (EBPP) solution, supporting wire payments, text messaging, and other key B2B items of interest.

cenpos logoAbout CenPOS

CenPOS (https://www.CenPOS.com is a merchant-centric, end-to-end payments engine that drives enterprise-classsolutions for businesses, saving them time and money, while enabling merchants to create deeper lasting relationships with their customers. CenPOS’ secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.  PCI Level 1 Service provider, QIR Certified, P2PE Validated, HIPAA compliant. https://www.cenpos.com/ CenPOS 877-630-7960, Christine Speedy direct 954-942-0483.

logo 3dcartAbout 3dcart

3dcart (https://www.3dcart.com) is the most SEO-friendly eCommerce platform for retailers and internet marketers to grow their online stores’ traffic and sales. 3dcart includes 24×7 Technical Support, 100+ Mobile-Ready Themes, order management software, built-in blog, email marketing tools and more. Since 1997, the company has been a leader in the eCommerce market, building online stores for businesses of all sizes. Today, 3dcart is Visa PCI Certified and a Google Partner. Sales 800-828-6650

Ransomware still a top cybersecurity threat, warns Verizon 2018 Data Breach Investigations Report

Ransomware attacks double since 2017, and now target business critical systems

  • Ransomware is the more prevalent variety of malicious software, found in 39 percent of malware-related cases.
  • Human factor continues to be a weakness: financial pretexting and phishing attacks now target Human Resource (HR) departments.
  • 11th edition of the DBIR includes data from 67 contributing organizations, with analysis on over 53,000 incidents and 2,216 breaches from 65 countries.

NEW YORK, April 10, 2018 (GLOBE NEWSWIRE) — Ransomware attacks are a key cybersecurity threat for global organizations, warns Verizon’s 2018 Data Breach Investigations Report (DBIR). Ransomware is the most common type of malware, found in 39 percent of malware-related data breaches – double that of last year’s DBIR – and accounts for over 700 incidents. What’s more, Verizon’s analysis show that attacks are now moving into business critical systems, which encrypt file servers or databases, inflicting more damage and commanding bigger ransom requests.

DBIR analysis also flags a shift in how social attacks, such as financial pretexting and phishing, are used. Attacks such as these, which continue to infiltrate organizations via employees, are now increasingly a departmental issue. Analysis shows that Human Resource (HR) departments across multiple verticals are now being targeted in a bid to extract employee wage and tax data, so criminals can commit tax fraud and divert tax rebates.

“Businesses find it difficult to keep abreast of the threat landscape, and continue to put themselves at risk by not adopting dynamic and proactive security strategies,” says George Fischer, president of Verizon Enterprise Solutions. “Verizon gives businesses data-driven, real-life views on the cyber-threat landscape, not only through the DBIR series but also via our comprehensive range of intelligent security solutions and services. This 11th edition of the DBIR gives in-depth information and analysis on what’s really going on in cybercrime, helping organizations to make intelligent decisions on how best to protect themselves.”

Major findings in summary

The 11th edition of the DBIR continues to deliver comprehensive data-driven analysis of the cyber threat landscape. Major findings of the 2018 report include:

  • Ransomware is the most prevalent variety of malicious software: It was found in 39 percent of malware-related cases examined this year, moving up from fourth place in the 2017 DBIR (and 22nd in 2014). Most importantly, based on Verizon’s dataset it has started to impact business critical systems rather than just desktops. This is leading to bigger ransom demands, making the life of a cybercriminal more profitable with less work.
  • The human factor continues to be a key weakness: Employees are still falling victim to social attacks. Financial pretexting and phishing represent 98 percent of social incidents and 93 percent of all breaches investigated – with email continuing to be the main entry point (96 percent of cases). Companies are nearly three times more likely to get breached by social attacks than via actual vulnerabilities, emphasizing the need for ongoing employee cybersecurity education.
  • Financial pretexting targets HR: Pretexting incidents have increased over five times since the 2017 DBIR, with 170 incidents analyzed this year (compared to just 61 incidents in the 2017 DBIR). Eighty eight of these incidents specifically targeted HR staff to obtain personal data for the filing of file fraudulent tax returns.
  • Phishing attacks cannot be ignored: While on average 78 percent of people did not fail a phishing test last year, 4 percent of people do for any given phishing campaign. A cybercriminal only needs one victim to get access into an organization.
  • DDoS attacks are everywhere: DDoS attacks can impact anyone and are often used as camouflage, often being started, stopped and restarted to hide other breaches in progress. They are powerful, but also manageable if the correct DDoS mitigation strategy is in place.
  • Most attackers are outsiders: One breach can have multiple attackers and we found the following: 72 percent of attacks were perpetrated by outsiders, 27 percent involved internal actors, 2 percent involved partners and 2 percent feature multiple partners. Organized crime groups still account for 50 percent of the attacks analyzed.

“Ransomware remains a significant threat for companies of all sizes,” says Bryan Sartin, executive director security professional services, Verizon. “It is now the most prevalent form of malware, and its use has increased significantly over recent years. What is interesting to us is that businesses are still not investing in appropriate security strategies to combat ransomware, meaning they end up with no option but to pay the ransom – the cybercriminal is the only winner here! As an industry, we have to help our customers take a more proactive approach to their security. Helping them to understand the threats they face is the first step to putting in place solutions to protect themselves.”

Sartin continued: “Companies also need to continue to invest in employee education about cybercrime and the detrimental effect a breach can have on brand, reputation and the bottom line. Employees should be a business’s first line of defense, rather than the weakest link in the security chain. Ongoing training and education programs are essential. It only takes one person to click on a phishing email to expose an entire organization.”

Biggest risks per industries analyzed

This year’s report highlights the biggest threats faced by individual industries, and also offers guidance on what companies can do to mitigate against these risks. Key industry findings include:

  • Education – Social engineering targeting personal information is high, which is then used for identity fraud. Highly sensitive research is also at risk, with 20 percent of attacks motivated by espionage. Eleven percent of attacks also have “fun” as the motive rather than financial gain.
  • Financial and insurance – Payment card skimmers installed on ATMs are still big business; however, we’re also now seeing a rise in “ATM jackpotting,” where fraudulently installed software or hardware instructs the ATMs to release large amounts of cash. DDoS attacks are also a threat.
  • Healthcare – This is the only industry where insider threats are greater than threats from the outside. Human error remains a major contributor to healthcare risks.
  • Information1 – DDoS attacks account for over half (56 percent) of the incidents within this sector.
  • Public sector – Cyber-espionage remains a major concern, with 43 percent of breaches being espionage motivated. However, it is not only state-secrets that are a target – personal data is also at risk.

Other industries examined within the report include accommodation and food services; professional, technical and scientific services; and manufacturing and retail.

_________________________
1 Publishers, motion picture and sound recording companies

The time to act is NOW

Sixty-eight percent of breaches took months or longer to discover, even though 87 percent of the breaches examined had data compromised within minutes or less of the attack taking place. While safety cannot be guaranteed, proactive steps can be taken to help keep organizations from being victims. These are:

  1. Stay vigilant – log files and change management systems can give you early warning of a breach.
  2. Make people your first line of defense – train staff to spot the warning signs.
  3. Keep data on a “need to know” basis – only employees that need access to systems to do their jobs should have it.
  4. Patch promptly – this could guard against many attacks.
  5. Encrypt sensitive data – make your data next to useless if it is stolen.
  6. Use two-factor authentication – this can limit the damage that can be done with lost or stolen credentials.
  7. Don’t forget physical security – not all data theft happens online.

Still the most authoritative data-driven cybersecurity report around

Now in its 11th year, the Verizon 2018 Data Breach Investigations Report leverages collective data from 67 organizations across the world. This year’s report includes analysis on 53,000 incidents and 2,216 breaches from 65 countries. The DBIR series continues to be one of the most data-driven security publications on the globe, combining data from multiple sources towards a common goal – slicing through the fear, uncertainty and doubt around cybercrime.

Verizon will be showcasing its latest intelligent security solutions, including the recently launched Verizon Risk Report, at RSA 2018 in San Francisco, Moscone North Hall, booth #4121.

About Verizon
Verizon Communications Inc. (NYSE:VZ) (Nasdaq:VZ), headquartered in New York City, generated $126 billion in 2017 revenues. The company operates America’s most reliable wireless network and the nation’s premier all-fiber network, and delivers integrated solutions to businesses worldwide. Its Oath subsidiary reaches about one billion people around the world with a dynamic house of media and technology brands.

[24]7.ai Issues Statement After Data Breach Affecting Delta & Sears

SAN JOSE, Calif., April 4, 2018 /PRNewswire/ — [24]7.ai discovered and contained an incident potentially affecting the online customer payment information of a small number of our client companies, and affected clients have been notified. The incident began on Sept. 26, and was discovered and contained on Oct. 12, 2017. We have notified law enforcement and are cooperating fully to ensure the protection of our clients and their customers’ online safety. We are confident that the platform is secure, and we are working diligently with our clients to determine if any of their customer information was accessed.

About [24]7.ai
[24]7.ai is redefining the way companies interact with consumers. Using artificial intelligence and machine learning to understand consumer intent, the company’s technology helps companies create a personalized, predictive and effortless customer experience across all channels. The world’s largest and most recognizable brands are using intent-driven engagement from [24]7.ai to assist several hundred million visitors annually, through more than 1.5 billion conversations, most of which are automated. The result is an order of magnitude improvement in digital adoption, customer satisfaction, and revenue growth. For more information, visit: http://www.247.ai.

[24]7 and [24]7.ai are trademarks of [24]7.ai, Inc. All other brands, products or service names are or may be trademarks or service marks of their respective owners.

###

Information related to the statement from other sources is below. The company systems were not compromised, but rather they were all using [24]7.ai’s customer service chat widget to interact with customer service personnel, which can result in end users inputting payment card and other personal data.

Delta said a small number of its customers saw their payment information stolen by hackers. The company was alerted to the data breach last week. Sears also said under 100,000 card numbers were taken.

https://securingtomorrow.mcafee.com/consumer/consumer-threat-notices/247-ai-breached-customer-data-delta-airlines-sears-kmart-best-buy/

https://nypost.com/2018/04/04/delta-says-customers-payment-info-breached-in-cyberattack/

Delta Data Breach 2018: Was Your Payment Info Exposed?

Final note. Need a secure payment solution for your chat widget? Call now.

Small Business Merchant Security Mandate

Small businesses are at high risk of a credit card data breach. To stem the tide of breaches, effective January 31, 2017, all level 4 merchants were mandated to only use Qualified Integrator & Reseller (QIR) for Point of Sale (POS) applications or terminal installation, integration or maintenance.The Payment Card Industry Data Security Council provides certification and maintains the official list of certified QIR people.  Any entity that installs Point of Sale in conjunction with a payment application must put at least one representative through the QIR training/qualification process.

What’s a level 4 merchant? Visa’s Level 4 merchant category encompasses businesses that process fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions, regardless of channel, per year. Visa has estimated this covers approximately 5 million merchants.

What is QIR Qualification? From the PCI Council:

QIR qualification is a set of requirements put in place by Visa for acquirers in an effort to ensure that small merchants are able to implement and maintain a secure Point of Sale environment. QIR qualification provides an opportunity for POS Providers (both VARs and ISVs) to receive training and subsequent qualification on the secure installation of PA-DSS validated payment applications into merchant environments so that said merchants can maintain ongoing PCI compliance. Many data breaches from past years could have been avoided if not for incorrect installation/maintenance of payment application and on-site merchant networks, so QIR qualification was implemented to ensure that only skilled/trained installers are installing payments products.

Who must be QIR certified? Anyone who touches something impacting the cardholder data environment, excluding internal employees. That could be the a Value Added Reselller (VAR) to a POS application. Or it could someone installing something from one of thousands of independent software vendors (ISVs) who provide payment applications that fall under the auspices of the PCI Security Standards Council’s Payment Application Data Security Standard (PA-DSS). People, not companies, are QIR certified, but all individuals are listed under company names.

qir certified speedyThe exam is tough. If you fail, there’s no feedback. Applicants must go back and study more, pay more, and retake the test. Annual continuing education is required to maintain certification. When I completed my exam, there were 452 certified in the world. Today, it’s 450, as two expired and did not complete renewal process.

Not enough companies are in compliance. It was $395 to take the exam and $150 to retake the exam until March 2018, plus ongoing annual recertification fees after year two. The PCI Council recently announced a change so it’s $100 for 3 attempts, plus $100 annually, in an attempt to get more people certified.

In my experience, most people involved in the payments process do not have the knowledge to complete an installation, or provide maintenance, unless they’ve been QIR certified. In my opinion, the longer they’ve been doing it, the more likely they are to use outdated techniques that put merchants at risk of a data breach. The same is true for application developers. There’s a ton of ‘trusted’ companies out there that integrate payments into web sites and other applications. They have a lot of experience. But payment processing is a moving target of complex security changes. Without specific training, including going through process of PA-DSS application certification, too many businesses are at risk.

Why should card not present merchants use QIR certified individuals? The QIR training encompasses all aspects of payments, including servers, networks etc. The QIR trained person is more likely to probe and identify potential weaknesses in any cardholder environment.

Why should level 1, 2, 3 merchants use QIR certified individuals? In my experience, there are weaknesses in businesses of every size. I can find a compliance problem in virtually any business. The key is to minimize risk and have a plan for continuous improvement.

Call Christine Speedy, QIR certified payments professional, right now at 954-942-0483, 9-5 ET.