Stopping Online Credit Card Testers

Online credit card testing by fraudsters can dramatically drive up payment gateway fees. Historically, card-not-present financial fraud grows exponentially in countries after they implement EMV chip card processing, as thieves seek the weakest link for fake credit card purchases. In card testing, thieves use software to rapidly send cardholder data to payment web sites to verify whether stolen cards are good. Since merchants pay a per-transaction fee regardless of approval, the financial impact can be devastating.

Companies with online pay pages are at increased risk. Since October 2015, online fraud attacks were up 11% (2015 Q4 vs. Q3), and up 215 percent from 2015 Q1. 83% of attacks involved botnets. Source: The Global Fraud Attack Index™, a PYMNTS/Forter collaboration. The web pay pages that attackers prefer have no login required and provide detailed decline response reasons. I’m often asked by others in the industry to provide the latter, and for the same reason as for retail, it’s better that no one knows the reason for the decline. If you inform a criminal the expiration date is no good, they just need to figure out the right one.

PREVENTING ONLINE CARD TESTING

A layered approach is required to stop card testers since no single solution will stop fraudsters. Generally, the harder you make it, the more likely they will seek a path of less resistance.

  • Block known fraudulent incoming IP addresses. The bad guys also use hostile proxy servers whose IP addresses change dynamically with every authorization attempt, but this is still a first step everyone should employ.
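
One way to combine the two layers named above, an IP block list and decline responses that reveal no reason, with a page-wide decline-rate check that still works when the IP changes on every attempt. This is an added example, not code from the original post; the class name, thresholds, messages and the `step_up` action (for instance requiring a login) are assumptions, and the sample events are constructed.

```python
import ipaddress
from collections import deque

# Constructed values: block list, thresholds and messages are assumptions.
BLOCKED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # documentation range
GENERIC_DECLINE = "Your payment could not be processed."

class PayPageGuard:
    """IP block list plus a page-wide decline-rate monitor (IPs rotate)."""

    def __init__(self, window_secs=60, min_attempts=10, max_decline_ratio=0.8):
        self.window_secs = window_secs
        self.min_attempts = min_attempts
        self.max_decline_ratio = max_decline_ratio
        self.recent = deque()  # (timestamp, approved) across all client IPs

    def ip_blocked(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in BLOCKED_NETS)

    def under_attack(self, now):
        # Drop attempts that have aged out of the sliding window.
        while self.recent and self.recent[0][0] <= now - self.window_secs:
            self.recent.popleft()
        if len(self.recent) < self.min_attempts:
            return False
        declines = sum(1 for _, approved in self.recent if not approved)
        return declines / len(self.recent) >= self.max_decline_ratio

    def handle(self, ts, ip, approved, gateway_reason):
        if self.ip_blocked(ip):
            return "blocked"   # rejected before the gateway, so no fee
        if self.under_attack(ts):
            return "step_up"   # hypothetical extra check, e.g. require login
        self.recent.append((ts, approved))
        # gateway_reason stays in server-side logs; the client never sees it.
        return "Approved" if approved else GENERIC_DECLINE

def replay(events):
    guard = PayPageGuard()
    return [guard.handle(*event) for event in events]

# Constructed sample: one blocked IP, a 12-attempt burst, a later real sale.
SAMPLE = [(0, "203.0.113.7", False, "invalid card")]
SAMPLE += [(1 + i, f"198.51.100.{i + 1}", False, "expired card") for i in range(12)]
SAMPLE += [(500, "192.0.2.10", True, "")]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

In the replay, the first ten burst attempts get the same generic decline, the next two are diverted to the extra check without reaching the gateway, and the later sale is approved once the window has drained.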

For additional assistance, please contact us. I won’t make it easier for criminals by identifying all the tools here in the blog!

ERP and Payments: PCI Compliance Nightmare

A PCI Compliant ERP solution doesn’t make a merchant PCI Compliant. The features of the payment integration drive customer decisions to use or not use the ERP payment module. When payment vendor choices are restricted artificially by using technology to control merchant services options, merchants often enter ERP relationships with a level of dissatisfaction right from the start.

Severely restricted payment gateway options, especially for business to business, result in the merchant either using an alternative non-integrated payment solution, thus sacrificing efficiency, or using the integrated solution and failing to meet PCI 3.0 requirements or other payment needs. How can I make this statement? B2B companies that accept credit cards typically have a portion of their sales via the telephone. To mitigate risk of fraud, they use paper credit card authorization forms. However, the forms are inherently risky in many ways.

  • Sensitive authentication data, which includes the security code (CVV/CID), can never be stored.
  • Forms offer option to send via email. Unprotected data cannot be sent via messaging technologies such as e-mail, instant messaging, chat, etc. (PCI section 4.2). Even if the form doesn’t offer it, customers sometimes ignore instructions and send via email.

In the absence of a best practice, employees will revert to whatever is necessary to get their job done and reduce the risk of looking bad (fraud losses). If the ERP payment module doesn’t help merchants eliminate credit card authorization forms, the entire operation may be at risk of a potential data breach.

For retail, data breaches have become commonplace. Few ERP Point of Sale (POS) solutions are using Point to Point (P2P) encryption and other best practices to reduce data breach risk. They raced to bring mobile to market, and many now have neither EMV chip terminals nor P2P, both increasing financial risk to merchants.

Why does an ERP restrict options for merchant services? Because it’s part of their revenue stream. When competition is eliminated, there’s almost no chance of having the best solution in the marketplace. The proof is a long string of failures to meet business needs. Failure to offer electronic bill presentment and payment, which would increase cash flow and efficiency. Failure to offer US EMV chip card acceptance solution prior to liability shift. Failure to offer level 3 processing for all sales channels. Failures reduce cash flow, profits, and security as companies attempt to work with the ERP limitations, or find ways to work around them.

The argument that it’s to protect merchants from data breaches is only partially true. For any modern payment gateway integration, the payment activity is usually outside the ERP to reduce PCI scope. That won’t change from one gateway to another, so the risk doesn’t change, provided the third party gateway is level 1 PCI Compliant.

Examples of ERPs that restrict payment gateway and merchant services choices are Netsuite and Sage. Additionally, consultants are often compensated for payment gateway recommendations. Consulting with an independent payment specialist, like blog author Christine Speedy, can expose pros and cons of different options.

ERPs holding onto merchant services and gateway revenue streams are short-sighted, as these business practices anger customers. Can you imagine if an ERP wouldn’t communicate with any other software, for example, Magento? ERPs focused on delivering the best business software for all facets of a business, and on enabling the merchant to follow best practices for PCI Compliance, must give users the flexibility needed to run their business with their own financial partners.

If an ERP relies so much on their revenue stream from merchant services revenue share that they won’t let you choose your own financial partners, I’d think seriously about whether it’s the best ERP for your business.

Volusion for B2B? No way!

Volusion as a B2B ecommerce shopping cart is unacceptable. B2B companies are going omnichannel, yet Volusion lacks critical tools distribution companies need to maximize profits, security, and efficiency.

  1. Payment gateways and level III data – Wholesalers average a 30% premium in merchant fees because NO Volusion payment gateways help businesses properly qualify for level 3 interchange rates across ALL sales channels, from ecommerce to retail. They have continually ignored requests to support it, instead adding dozens and dozens of ‘me too’ gateways that are pretty much all alike.
  2. Retail – B2B retailers need US EMV options that support their needs, whether it’s signature capture terminals like the Verifone MX915, or mobile terminals. None of their gateways has ever supported level 3 processing for retail, and is there even a US EMV terminal with P2P encryption certified for any processor today that works with Volusion?
  3. Omnichannel flexibility and PCI Compliance – How many business to business companies have a sales force taking phone orders? What is Volusion doing to help secure that transaction and help prevent fraud? Not nearly enough.

Over the decade that I owned a Volusion B2B ecommerce store, I recommended them over and over again. So much that their product development reached out to me to ask if there was anything I needed. It’s been seven years and the one thing I wanted, a modern payment gateway that meets business to business needs, they still haven’t done, even though the work is minimal. Why not? Well I’m tired of waiting and if someone finds my positive reviews online, I want everyone to know, there are many compelling reasons why I do not recommend Volusion for B2B ecommerce.

Batch processing accounts receivable and donations - Caging services solutions

Replacing ICVerify or other legacy software for batch credit card processing? Whether you’re in the cloud, or headed there, methods of payment processing have changed to meet current and future requirements for PCI Compliance and fraud prevention. For service providers, including non-profit mail processing, payment gateway selection impacts efficiency, merchant fees, and even client PCI Compliance burden.

The first way efficiency can be increased is the batch upload process. It’s basically the same for credit card processing and check processing. Here is a comparison of payment gateway methods for batch upload:

CenPOS Batch Processing File Upload

  1. Save file to configurable directory (listening folder)

CenPOS Batch Processing Response File Retrieval

  1. Retrieve one or multiple files from configurable directory (response folder)

Authorize.net, Payeezy (First Data) and similar Batch Processing File Upload

  1. Log in to your Merchant Interface at https://account.authorize.net or other
  2. Click Upload Transactions.
  3. Click Upload New Transaction File.
  4. Click Browse.
  5. Locate from your system the file that you want to upload.
  6. Click Upload File.

Authorize.net, Payeezy (First Data) and similar Batch Processing Response File Retrieval

  1. Log into the Merchant Interface at https://account.authorize.net or other
  2. Click Tools from the main toolbar.
  3. Click Upload Transactions.
  4. Click View Status of Uploaded Transaction Files.
  5. Select the desired uploaded transaction file from the Select Upload File drop-down list.
  6. Click Submit.

CenPOS increases efficiency to upload and retrieve responses, reduces friction with no login required, and also supports multi-merchant login, enabling users to toggle between accounts, creating efficiency for both the service provider and the merchant.

More BATCH UPLOAD differences

Feature | authorize.net | CenPOS
Custom fields (share across channels) | No | Yes
Reporting | 2 years | Indefinite
Telephone support | No | Yes, 24/7

Merchant fees are impacted when a transaction does not qualify at the lowest interchange rate possible. For example, business to business companies must submit level III data to qualify for related rates, which are often 90 basis points (0.90%) lower than without. The payment gateway must be certified for level III to each acquirer supported. Only a few payment gateways are level III certified, and even fewer of those offer an acceptable batch upload solution.

PCI Compliance burden is reduced with tokenization, outsourced payment processing, reduced vendors and reporting. The latter is critically important for forensic audits, as well as financial audits. The average gateway only saves data for two years, and has limited data retrieval capabilities. CenPOS audit reports cover every touch to the platform (who, what, when, and more), with records available for a minimum of 7 years to match IRS requirements, reducing the cost of on-site and remote audits.

To learn more about batch credit card processing, replacing ICVerify, and cloud payment differentiators, contact Christine Speedy for a free consultation for all your omnichannel global payment needs.

EMV payment systems – payment gateway certification list

Which payment gateways have an EMV certified terminal solution today? Not many. Our lists include gateways with an EMV chip card acceptance solution that can be enabled today, those that are working on it, and those that are not going to integrate.
POS software can integrate a payment gateway to segregate payments from applications, and reduce PCI Compliance scope. The payment gateway is responsible for EMV equipment certifications to each acquirer, in addition to P2PE and other features that may be available.

Agnostic Payment Gateways with US EMV certified terminal solutions today

  • CenPOS – standalone or integrated **. The Verifone MX915 and Ingenico ISC250 are both certified today, with additional pending. Certifications include First Data and TSYS with chip and PIN.

    Verifone MX915 multilane signature capture terminal.

Acquirer or Software Dependent Payment Gateways with integrated gateway US EMV certified terminals today

Payment Gateways planning to certify US EMV terminals

Payment Gateways and Software Vendors not planning to certify US EMV terminals:

These First Data Independent Software Vendors (ISVs) are not planning to do EMV certification *. Since First Data is one of the largest acquirers, it may be reasonable to assume the gateways will not certify to any acquirer. The ISVs may have a replacement product, which would be the reason for not planning to certify.

• Delta Systems
• Forte Payments
• Skip Jack
• Future POS
• Payment Processing, Inc.
• PayTrace
• Pronto Software
• onePOS
• Rocketgate

* Source: First Data EMV update handout

** CenPOS Sales & Integrations:  Contact Christine Speedy 954-942-0483, authorized reseller.