6 Ways To Increase Omnichannel Payment Security & PCI Compliance

Chip card acceptance has propelled companies to rethink how EMV compliance impacts overall PCI Compliance strategies. According to the Verizon 2015 PCI Compliance Report, 80% of companies fail an interim Payment Card Industry Data Security Standards (PCI-DSS) audit. CenPOS deploys multiple cloud solutions to reduce data security risk and comply with EMV while meeting top business priorities like improving customer engagement and the customer experience.

Point-to-Point Encryption (P2PE) – Working with Verifone and Ingenico, CenPOS Enterprise Payments Suite encrypts card data at the point of card swipe or insertion to prevent clear text information from traversing the network, thereby protecting data in transit.

Electronic Bill Presentment and Payment (EBPP) – Key entering cardholder data into a computer without the use of an encrypting keypad introduces vulnerabilities that can be exploited by key logging malware. EBPP allows you to push final invoices to consumer mobile devices via text and email so that they can complete the transaction, eliminating your staff’s need to enter data and reducing vulnerabilities.

Consumer Validation – As chip cards proliferate in the United States, counterfeit card fraud rapidly migrates to online channels. CenPOS Consumer Validation shifts risk to the consumer’s bank, reduces acceptance costs, and increases the approval rate for higher sales.

Chip Card Acceptance (EMV) – The deadline to avoid shifting liability associated with EMV acceptance was October 1, 2015.  Chip card transactions processed using legacy magnetic stripes could result in a chargeback to the merchant with no possibility of reversal.  CenPOS has certified the Verifone MX915 to all processing platforms to protect businesses from the liability shift. CenPOS has been processing chip transactions on multi-lane terminals since January 2015.

Tokenization – Sensitive cardholder data is replaced by a surrogate number, called a token, that eliminates the risk of storing customer information on internal systems. Subsequent transactions and adjustments can be processed safely using the token to facilitate a transaction. This service is automatically deployed. Any attempt to store sensitive cardholder data invokes the tokenization system.

Encrypted Virtual Keypad (EVK) – In some instances, it is desirable to manually enter cardholder information into a system, but this increases data breach risk, including from key logger malware, on site, in call centers and with remote employees. The CenPOS EVK uses advanced technology to secure data entry by clicking the numbers on an encrypted screen-based keypad, segregating sensitive cardholder data from local hardware and networks.


The combination of these solutions reduces the risk of data loss along with the financial and brand damage associated with security breaches. Merchants also benefit from increased efficiency, cash flow and EBITDA.

Contact Christine Speedy for P2PE, EBPP, EMV and Customer Validation options, including integrated solutions.

PCI Compliance email

PCI Compliance, credit card authorization form, and CenPOS bulletin were all in the February 2016 enewsletter. Did you miss it? Subscribe here for payment news.

PCI Compliance Fail

80% of companies FAIL an interim Payment Card Industry Data Security Standards (PCI-DSS) audit. It’s time to admit it: your company is one of the many struggling to keep up with new rules.

Have you noticed a $19.95 fee sneak back into your merchant statements?

Check your quarterly scans. You may discover a scan failed with a reason related to SSL. Fight back to stop these monthly fees. Not only is it premature, but the Payment Card Industry Security Standards Council (PCI SSC) changed the date for migrating to TLS 1.1 encryption or higher from June 2016 to June 2018.


Credit card authorization forms – a weak link for compliance

“We keep all cardholder data in a locked file drawer and I’m the only one with a key” does not comply with PCI 3.0 standards.
For new best practices, think like a forensic auditor. In the event of a suspected breach, how will you identify who, what, when, how, and maybe even where card data was touched? Without a system to automate logging, the time and cost of an audit will explode.

TIPS.

  • Unprotected data cannot be sent via messaging technologies such as e-mail, instant messaging, chat, etc. (PCI section 4.2)
  • PAN data (card number) cannot be stored unencrypted. (PCI section 3.x)
  • Sensitive authentication data, which includes the security code (CVV/CID), can never be stored. (PCI section 3.2)
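One way to check outgoing messages or stored files against the three tips above, as an added example that is not part of the original newsletter: it finds digit runs that pass the Luhn check (likely card numbers) and labelled security codes, and reports them masked. The sample message is constructed and uses a widely used test card number.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A 3-4 digit value written next to a label such as CVV, CVC, CID or "security code".
CVV_RE = re.compile(r"(?i)\b(?:cvv2?|cvc2?|cid|security code)\b\D{0,10}(\d{3,4})\b")

# Constructed sample message; 4111 1111 1111 1111 is a widely used test number.
SAMPLE = """\
Subject: signed authorization form
Card number: 4111 1111 1111 1111
Exp 09/18  CVV: 123
PO number 1234567890123456
Invoice total 4,250.00
"""


def luhn_ok(digits: str) -> bool:
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Show at most the first six and last four digits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan(text: str) -> list:
    """Return (line number, kind, masked value) for each PAN or security code found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):             # drops order numbers, phone runs, etc.
                findings.append((lineno, "PAN", mask(digits)))
        if CVV_RE.search(line):
            findings.append((lineno, "CVV", "***"))   # never echo the code itself
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The 16-digit PO number is ignored because it fails the Luhn check, which is what keeps the false-positive rate manageable on invoices and order data.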

Every moment a paper form exists, there’s an opportunity for misuse and identity theft. If your company extends credit, then Red Flags Rules also apply. The FTC can seek both monetary civil penalties and injunctive relief for violations. All told, the expense of a breach could run over a million dollars, uncovered by insurance, plus ongoing lost business due to damaged reputation.


Is your service provider PCI Compliant?

If a third party touches card data, they’re required to register with the card brands and have an annual on-site audit. That includes your payment gateway, caging service, and other software if their payments are not segregated from the applications. Click here to search the Visa service provider database 


Software Updates
Reminder: PCI section 6.1 mandates software security updates be applied within 30 days.  With all the activity lately, that means every month. Windows XP users are automatically non-compliant. Click here for Internet Explorer & other Microsoft CRITICAL updates issued this year


CenPOS Question of the Month

How can we collect cardholder data for B2B card not present customers without our credit card authorization form?

  1. Hosted online pay page
  2. Electronic request for payment (push to email or text)
  3. Electronic bill presentment & payment
  4. All of the above and a PCI Compliant authorization form

PCI Compliant credit card authorization form example: Video

Training & educational videos https://www.youtube.com/user/3Dmerchant/videos

Christine Speedy


WHAT DOES CHRISTINE SPEEDY DO ANYWAY?
Omnichannel payment solutions targeting the middle market ($10M to $1B per year), primarily to technology companies and distributors. With one call, I can provide any gateway, acquirer, or integrated solution. Best of all, I’m agnostic: you can keep your merchant services or check processors. Call today for a free consultation and for answers about any burning question for business to business.

CenPOS is a processor agnostic end to end payment engine that increases EBITDA virtually instantly. From compliance to automating collections, we solve everyday business problems. Protecting the front door with US EMV certified multi-lane terminals for all processors and the back door with 3-D Secure certified solutions for customer initiated sales. Now in over 140 countries.

Feb 01, 2016 1:04 pm | Christine Speedy

Replacing ICVerify or other legacy software for batch credit card processing? Whether you’re in the cloud, or headed there, methods of payment processing have changed to meet current and future requirements for PCI Compliance and fraud prevention. For service providers, …

Jan 25, 2016 11:14 am | Christine Speedy

Winter Storm Jonas is a reminder of the importance for business to business companies to accept payments online. What if you have a desktop terminal, but staff is working from home? How can accounts receivable be reached for call in …

Jan 13, 2016 8:36 am | Christine Speedy

Getting a VeriFone EMV Vx520, FD55, Vx510, Vx570 CAPK expired error message? Visa has extended the EMV key’s expiration date from 12/31/2015 to 2022, and the terminal must be updated. OPTION 1: UPDATE CAPK FILE ONLY via partial download For …

Jan 12, 2016 2:04 pm | Christine Speedy

Ready to improve PCI Compliance with token billing? Step by step instructions for CenPOS card not present token billing including creating, modifying, and using tokens follows. In the virtual terminal admin, Create a new Role* or Modify an existing role …

Jan 11, 2016 12:26 pm | Christine Speedy

Need a 3rd party credit card authorization form template? Don’t count on wikiform.org and other internet resources that scrape the internet for free content and then redistribute it. There’s no guarantee that anything published is accurate, legal, or virus free. …

Calendar Notes
February 5 – out of office, CenPOS training
February 12 – 15 Tampa/ Orlando
February 18 – 24 Atlanta
Contact me for FREE consultation
Monthly: Login to Paymentech Resource online- use it or lose it

About Christine Speedy

Global payment solutions; focused on card not present and omnichannel merchants. Is your integrated solution failing to keep up with technology? Send me an integration referral and I’ll send you a cool gift!

Batch processing accounts receivable and donations- Caging services solutions

Replacing ICVerify or other legacy software for batch credit card processing? Whether you’re in the cloud, or headed there, methods of payment processing have changed to meet current and future requirements for PCI Compliance and fraud prevention. For service providers, including non-profit mail processing, payment gateway selection impacts efficiency, merchant fees, and even client PCI Compliance burden.

The first way efficiency can be increased is the batch upload process. It’s basically the same for credit card processing and check processing. Here is a comparison of payment gateway methodology for batch upload service:

CenPOS Batch Processing File Upload

  1. Save file to configurable directory (listening folder)

CenPOS Batch Processing Response File Retrieval

  1. Retrieve one or multiple files from configurable directory (response folder)

Authorize.net, Payeezy (First Data) and similar Batch Processing File Upload

  1. Log in to your Merchant Interface at https://account.authorize.net or other
  2. Click Upload Transactions.
  3. Click Upload New Transaction File.
  4. Click Browse.
  5. Locate from your system the file that you want to upload.
  6. Click Upload File.

Authorize.net, Payeezy (First Data) and similar Batch Processing Response File Retrieval

  1. Log into the Merchant Interface at https://account.authorize.net or other
  2. Click Tools from the main toolbar.
  3. Click Upload Transactions.
  4. Click View Status of Uploaded Transaction Files.
  5. Select the desired uploaded transaction file from the Select Upload File drop-down list.
  6. Click Submit.

CenPOS increases efficiency to upload and retrieve responses, reduces friction with no login required, and also supports multi-merchant login, enabling users to toggle between accounts, creating efficiency for both the service provider and the merchant.

More BATCH UPLOAD differences

Feature | authorize.net | CenPOS
Custom fields (share across channels) | No | Yes
Reporting | 2 years | Indefinite
Telephone support | No | Yes, 24/7

Merchant fees are impacted when a transaction does not qualify at the lowest interchange rate possible. For example, business to business companies must submit level III data to qualify for related rates, which are often 90 basis points (0.90%) lower than without. The payment gateway must be certified for level III to each acquirer supported. Only a few payment gateways are level III certified, and even fewer of those offer an acceptable batch upload solution.

PCI Compliance burden is reduced with tokenization, outsourced payment processing, reduced vendors and reporting. The latter is critically important for forensic audits, as well as financial. The average gateway only saves data for two years, and has limited data retrieval capabilities. CenPOS audit reports cover every touch to the platform- who, what, when, and more, with records available for a minimum of 7 years to match IRS requirements, reducing the cost of on-site and remote audits.

To learn more about batch credit card processing, replacing ICVerify, and cloud payment differentiators, Contact Christine Speedy for a free consultation for all your omnichannel global payment needs.

Accept Payments Online

Winter Storm Jonas is a reminder of the importance for business to business companies to accept payments online. What if you have a desktop terminal, but staff is working from home? How can accounts receivable be reached for call in or fax payments? Cash flow and efficiency will improve with 24/7 online payments.

To accept payments online via a self-serve 24/7 online payment form, a payment gateway is required to secure the transaction. The most popular non-integrated methods:

  1. Hosted pay page – merchant provides customers an email or web site link to make payments on the payment gateway hosted web page. Click here for hosted pay page example.
  2. Embedded payment object – the buyer stays on the merchant web site, with the gateway html code embedded as an iframe.

Online Payments FAQ

What is the rate? There are two service types: Payment gateway or bundled gateway with merchant account. For flexibility to change merchant accounts, which most businesses will do every few years, keep your gateway separate to minimize business disruption. When the merchant account changes, there’s no programming needed. Just update the gateway settings with the new merchant account information. Never, ever choose a payment gateway by comparing the cost per transaction. Instead, measure the net transaction cost, including gateway fees, for card types accepted. (Click here for online payments example of authorize.net vs CenPOS for business to business.) B2B companies need a gateway solution that supports level III processing and will help qualify transactions for the lowest rate.

How long does it take to get started? Usually 2-5 days after the decision has been made, from gateway sign up to accepting payments. The actual implementation time is minimal.

How do I know when someone makes a payment? An email is automatically sent with details. TIP: Create an email alias to a distribution list. For example, epay@mydomain.com.

Can my invoices be automatically marked as paid in my accounting software? With an integration, yes. Depending on your software, and the gateway, there may be a module available for quick and easy implementation.

Where can I view transaction reports? By logging in to the virtual terminal via a secure web browser, or in some cases, via mobile app.

Can customers save their credit card information? With most gateways, yes.

Is it PCI Compliant? All the major US payment gateways are PCI Compliant. Accepting payments online can improve PCI Compliance for merchants, as risky practices like credit card authorization forms are abolished.

Can customers pay with an echeck (ACH)? It depends on the gateway.

 

CAPK expired error messages on VeriFone EMV terminals

Getting a VeriFone EMV Vx520, FD55, Vx510, Vx570 CAPK expired error message? Visa has extended the EMV key’s expiration date from 12/31/2015 to 2022, and the terminal must be updated. Chip cards contain the issuer’s private keys, which need to be verified by the card issuer’s public keys during online authorization requests. The keys come from the Certification Authority Public Keys (CAPK), and they expire periodically. Your card reader will reject transactions (decline) when an incorrect or expired CAPK is used.
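The two failure conditions named above, an incorrect or an expired CAPK, shown as an added example that is not code from the original post or from VeriFone. It uses the EMV check value (SHA-1 over RID, key index, modulus and exponent); the table layout, key index, modulus bytes and the exact day in 2022 are constructed sample values.

```python
import hashlib
from datetime import date


def capk_checksum(rid_hex, index, modulus, exponent):
    """EMV check value: SHA-1 over RID || key index || modulus || exponent."""
    data = bytes.fromhex(rid_hex) + bytes([index]) + modulus + exponent
    return hashlib.sha1(data).digest()


def capk_status(entry, today):
    """Classify one table entry as incorrect, expired or ok."""
    expected = capk_checksum(entry["rid"], entry["index"],
                             entry["modulus"], entry["exponent"])
    if entry["checksum"] != expected:
        return "incorrect"          # key material does not match its check value
    if today > entry["expiry"]:
        return "expired"            # key is intact but past its expiry date
    return "ok"


def audit(table, today):
    """Map each named entry to its status as of `today`."""
    return {name: capk_status(e, today) for name, e in table.items()}


# --- Constructed sample data (not real key material) ---
RID_VISA = "A000000003"             # Visa's registered application provider ID
MODULUS = bytes(range(1, 145))      # 144-byte placeholder standing in for a modulus
EXPONENT = b"\x03"
INDEX = 0x01                        # hypothetical key index


def make_entry(expiry, modulus=MODULUS):
    # The check value is always taken over the good modulus, so an entry built
    # with different modulus bytes models a damaged or mismatched file.
    return {"rid": RID_VISA, "index": INDEX, "modulus": modulus,
            "exponent": EXPONENT, "expiry": expiry,
            "checksum": capk_checksum(RID_VISA, INDEX, MODULUS, EXPONENT)}


TABLE = {
    "before update": make_entry(date(2015, 12, 31)),
    "after update": make_entry(date(2022, 12, 31)),   # page says only "2022"; day assumed
    "corrupted file": make_entry(date(2022, 12, 31), modulus=MODULUS[::-1]),
}
AS_OF = date(2016, 1, 13)           # date of the original post

if __name__ == "__main__":
    for name, status in audit(TABLE, AS_OF).items():
        print(f"{name:15} {status}")
```

The expiry date is not part of the check value, so the update changes only the stored date for the same key and the check value still matches.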


OPTION 1: UPDATE CAPK FILE ONLY via partial download

For the Vx520, Vx510, Vx570, start from the main screen (Sale/Refund/Void):

  • Press the ENTER button
  • Press F2 for setup
  • Enter the password *
  • Press ENTER
  • Press YELLOW Cancel button
  • Press far left PURPLE button (scrolls you through the menu)
  • F3 button should be “EMV Key Update” PRESS F3 (if you don’t see EMV Key Update, continue to scroll to find it)
  • The terminal will connect for the update and reboot to the main screen.

For the FD55, start from the main screen (Sale/Refund/Void):

  • Press the ENTER button
  • Press 1 for setup
  • Enter the password *
  • Press the ALPHA button 5 times
  • Press 3 for EMV Key Update
  • Press 1 to confirm update
  • The terminal will dial out, get the update and reboot to the main screen.

OPTION 2: FULL DOWNLOAD. In some instances the CAPK instructions listed above may cause the terminal to freeze or go into a constant reboot. If this should happen, please perform a full download of your terminal’s application and update the CAPK files immediately thereafter (standard step as part of the download process).

If you haven’t already downloaded the EMV file, then you do not need to download the CAPK update, as the file is included as part of the standard download process. For additional information about downloads, click here for the Verifone VX520 Reference Guide. (PDF download from Verifone web site)

If you still have problems or cannot perform the download, contact your acquirer.

*If you cannot resolve your issue with the information herein, contact your merchant services relationship manager or the help desk phone number on your merchant statement for support. We cannot help you fix your terminal via chat or any other method and that seems to bother some web site visitors.

  1. You’re paying another company to provide you service, not us. If you don’t like your existing credit card processor service from your acquirer and want to explore ours instead, we’d love to hear from you.
  2. We have no relationship with your business and merchant account- it’s not possible to provide you technical support.

ALERT SEPTEMBER 2019- Payment Card Industry (PCI) PIN Transaction Security (PTS) v3, used by the VX520 and many other terminals, expires April 30, 2020. Your terminal may need replacing.

Want to learn about replacement terminals or new merchant account options? Contact us for a consultation to determine the best solution, get a competitive price, and learn about alternative processing options if interested. Call Christine Speedy, 954-942-0483, 9-5 ET or click here.