Archive for the ‘Data security’ Category

MasterCard and Discover Announce New Processing Rules

Wednesday, March 31st, 2010

MasterCard and Discover are modifying their rules concerning the processing of debit, prepaid and gift cards. Specifically, MasterCard and Discover will now require that most merchants support the processing of partial authorizations, real-time full authorization reversals, and balance response transactions.  MasterCard’s rule changes go into effect May 1, 2010, and Discover’s rule changes go into effect April 16, 2010.

The changes are being made because MasterCard and Discover have identified three main areas of concern that cause transactions to decline for customers using debit, prepaid and gift cards:

  1. Customers do not always know their available balance on their card.
  2. If a customer tries to spend more than the balance available on their card, the purchase is declined, with no option to use the card’s available balance along with another form of payment.
  3. If a customer wants to use a debit, prepaid or gift card, and the merchant gets an authorization, but then the transaction is not completed, the available balance on the card is temporarily reduced unless the merchant reverses the authorization.

The following section should answer many of the questions you may have. Otherwise, refer to your processor's customer service.

What are the new compliance requirements, and how will complying with them benefit me, the merchant?

MasterCard and Discover are requiring that merchants support the following three transaction types for debit, prepaid and gift cards:

  1. Partial Approval (or Partial Authorization) — Merchants are required to partially approve a transaction if a cardholder does not have enough balance on their debit, prepaid or gift card.  Also, the merchant must allow cardholders to pay the remaining balance owed with another form of payment. This is called a split-tender purchase transaction.

    Benefit: Prior to implementing partial approvals, a debit, prepaid or gift card with an insufficient balance was declined, often costing the merchant a sale.  By supporting partial approvals, the merchant can turn a potential decline or negative cardholder experience into a completed sale by asking for an additional form(s) of payment to cover a purchase.

  2. Authorization Reversal — Merchants are required to reverse an authorized transaction if a cardholder decides they do not want to proceed with the split-tender purchase upon receiving a partial approval. Authorization reversals will free up the available balance on a customer’s debit, prepaid or gift card when transactions are not completed.

    Benefit: By supporting authorization reversals, the merchant restores the cardholder’s available balance, so the cardholder can still make a purchase within the card’s balance at your store instead of being declined.

    Additional Authorization Reversal Questions

    • If a transaction has been captured (i.e., an auth capture transaction type), can the authorization be reversed?
      No, authorization reversals can only be performed on transactions that have already been authorized but not captured  (auth only transactions). If the transaction has been captured, then the merchant should initiate a void if the transaction has not settled, or a refund if it has been settled.

    • Does this apply to full authorization reversals or partial authorization reversals?
      The requirement applies to both full and partial authorization reversals. A partial authorization reversal is applicable for situations where the capture request amount is less than the authorized amount, and the difference will have to be partially reversed. In the case of a partial auth reversal, merchants do not need to do anything; this is done automatically.

  3. Balance Response — Merchants are required to print the prepaid card balance on the customer receipt or display it on a customer-facing terminal/POS device/Web page, or both. Prepaid card balance information is made available by the prepaid issuer only for some, but not all, prepaid cards, and support of this requirement is limited to those particular cards.

    Benefit: By supporting balance responses and making the information available to the consumer, the consumer is better informed regarding their available balance on their prepaid cards, and could make additional purchases based on that balance.

    Additional Balance Response Questions

    • Will merchants be required to print the remaining prepaid account balance on both the receipt and display it on the customer-facing POS device or Web page?
      No. Merchants can choose to print the balance, or display the balance to the cardholder, or both.

    • Will the balance be displayed/printed for all debit and prepaid products?
      No. For security reasons, balances will only be returned by the issuer for prepaid cards (and even then, only for select cards) to avoid, for example, printing a customer’s checking account balances. If the “available balance” is present in the record, merchants are required to print and/or display it to the customer, regardless of the dollar amount.
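As an added illustration (not code from the original post, Authorize.net or the card brands), the following Python models the three required transaction types from the merchant's side: a partial approval, the split-tender decision, a real-time full reversal when the customer declines the split, and the balance response shown only when the issuer returns one. The issuer model, field names and amounts are constructed assumptions.

```python
from dataclasses import dataclass, field
from decimal import Decimal


@dataclass
class PrepaidIssuer:
    """Constructed stand-in for a prepaid issuer that supports partial approvals."""
    balance: Decimal
    returns_balance: bool = True               # only some prepaid programs return a balance
    holds: dict = field(default_factory=dict)  # auth_id -> amount held, not yet captured
    next_id: int = 1

    def authorize(self, amount: Decimal) -> dict:
        """Approve as much of `amount` as the balance allows (partial approval)."""
        approved = min(amount, self.balance)
        if approved <= 0:
            return {"result": "DECLINED", "approved": Decimal("0"),
                    "auth_id": None, "available_balance": None}
        self.balance -= approved                   # place the hold
        auth_id = f"AUTH{self.next_id:04d}"
        self.next_id += 1
        self.holds[auth_id] = approved
        return {"result": "APPROVED" if approved == amount else "PARTIAL",
                "approved": approved, "auth_id": auth_id,
                # balance response: present only for cards whose issuer returns it
                "available_balance": self.balance if self.returns_balance else None}

    def reverse(self, auth_id: str) -> bool:
        """Real-time full reversal: release a hold that was never captured."""
        held = self.holds.pop(auth_id, None)
        if held is None:
            return False
        self.balance += held
        return True


def checkout(issuer: PrepaidIssuer, total: Decimal, customer_accepts_split: bool) -> dict:
    """Merchant side of a debit/prepaid sale under the new rules."""
    resp = issuer.authorize(total)
    receipt = []
    if resp["available_balance"] is not None:
        # rule: if the balance is in the response, show it regardless of the dollar amount
        receipt.append(f"Available balance: {resp['available_balance']}")
    base = {"card_amount": resp["approved"], "receipt": receipt}
    if resp["result"] == "DECLINED":
        return dict(base, status="declined", remaining=total)
    if resp["result"] == "APPROVED":
        return dict(base, status="complete", remaining=Decimal("0"))
    # PARTIAL: ask for a second tender to cover the rest (split-tender sale)
    if customer_accepts_split:
        return dict(base, status="split_tender", remaining=total - resp["approved"])
    issuer.reverse(resp["auth_id"])                # customer walks away: free the hold now
    return dict(base, status="reversed", card_amount=Decimal("0"), remaining=total)
```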

Which payment card types does this change impact?

The compliance requirements apply to regular debit, prepaid and gift cards for the following payment card types:

  • MasterCard
  • Discover
  • Diners Club
  • JCB – U.S. transactions only

When do these requirements go into effect?

MasterCard’s rule changes go into effect May 1, 2010, and Discover’s rule changes go into effect April 16, 2010.

Do I have to support the requirements?

MasterCard and Discover are requiring all merchants to support the requirements, with the exception of merchants that exclusively process transactions via batch uploads, mail order/telephone order (MOTO), or recurring payment transactions. Your Merchant Service Provider (MSP) is ultimately responsible for determining whether the requirements apply to your business, so please contact them for assistance in determining whether your company is exempt.

What do I need to do to support the requirements?

The steps you will need to take depend on how you connect to the payment gateway. For example, if you connect using a shopping cart, point-of-sale device, or other solution, contact your solution provider to confirm that they will be supporting the requirements. If you connect using a direct integration, contact your Web developer for assistance.

Are the requirements global or U.S. only?

At this time, the requirements are mandated for U.S. merchants only.

Do issuers support these new compliance requirements?

Yes. Effective November 1, 2008, all Debit MasterCard and Maestro debit and prepaid issuers were required to process and respond appropriately to merchants that support partial approvals and real-time reversals (full and partial). In addition, prepaid Debit MasterCard and Maestro issuers must support the account balance response.

Are e-commerce merchants required to support these changes as well?

Yes, e-commerce merchants are required to offer at least one opportunity for customers to submit an additional form of payment after receiving a partial approval.

Are there any transaction types that are exempt?

Yes. The following transaction types are exempt: batch uploads, mail order/telephone order (MOTO), and recurring payment transactions.

Can the auth reversal be made several days after the original authorization request?

Yes. For e-commerce and other card-not-present transactions, the authorization reversal should be generated whenever a purchase transaction is not, or cannot be, completed and the transaction has not yet been captured.

Note: The account balance response only needs to be supplied to the cardholder in an authorization response to a real-time authorization request.

How do these requirements impact split shipments?
Merchants should be aware of the impact of the requirements on split shipments. A capture submitted for a partial shipment will be matched against the original authorization and release the hold of funds in the cardholder’s account. If the merchant expects to make a second shipment of goods, a new authorization should be taken against the card in the amount of the second shipment and captured when the second shipment is sent.

What if a merchant does not comply? Is there a non-compliance fee?
Yes. Merchants are obligated to support the requirements and make the appropriate changes to support these transactions. The payment card brands will be performing frequent “Compliance Monitoring” of these rules changes and will follow through with the appropriate parties if merchants are found to be non-compliant. The amount of fees assessed will be as per the MasterCard and Discover association “non-compliance” fines described in their operating regulations and rules. For more information, please contact your Merchant Service Provider (MSP).

As a reminder, your MSP is ultimately responsible for determining if the requirements apply to your business, so please contact them for assistance in determining if your company is exempt.

Our thanks to Authorize.net for bringing these issues and their clarifications to our attention. 


PCI FAQ’s

Thursday, March 11th, 2010

PCI Security is a very hot topic in the credit card processing industry these days. Merchants don’t understand or accept PCI, and are frustrated by the new PCI compliance fees they are seeing on their merchant statements (if you haven’t seen yours yet–look harder). Even worse, several processors and shady merchant services sales people are distorting facts and downright lying in the never-ending quest to steal a merchant account from a competitor in order to make an extra dollar.

Let’s set the record straight once and for all.  If you are a merchant of any kind, any size, any industry, here is a concise listing of everything you MUST know about PCI Security compliance:

 

What is PCI DSS?

The Payment Card Industry Data Security Standards are requirements designed to minimize theft and misuse of sensitive credit card data at every level of credit card processing.

Who has to Comply?

  • Member Banks – Acquiring Bank and Card Issuing Banks.
  • Merchants – Any merchant who accepts any of the major card brands, including Visa, Mastercard, American Express and Discover.
  • Service Providers – Internet Gateways, Shopping Cart Vendors and Hosting Companies.

What does PCI Compliance mean to my business?

The card associations require that cardholder information be handled and maintained in a secure fashion. ALL merchants are required to meet the PCI compliance guidelines.

What is the difference between compliance and validation?

Compliance is the process of implementing the security controls and policies required by the standard. Validation is the process of proving that you are compliant. PCI compliance requires both functions to be performed.

How often do I have to validate my compliance?

You are required to validate compliance every 12 months.

What if I change my merchant service provider in the next 12 months?

You will receive a Certificate of Compliance once you have completed the required SAQ and scan, if required, that you will be able to provide to your new merchant service provider to validate your compliance.

What happens if I am not in compliance?

Failure to comply with these requirements can result in significant fines and the possible cancellation of payment processing capability.

Am I liable if my service provider is breached?

It depends, but it is certainly possible. If you use a third-party service provider to process your credit card transactions, it is your responsibility to ensure they are PCI compliant. If they aren’t, and they are breached, you can also be held liable. There are known cases of that happening currently.

Does PCI compliance apply to non-profit organizations?

Yes, the liability and risks still exist and need to be addressed. In fact, because you are a non-profit organization the effects of a data breach could be even more damaging to your business due to the fines and other possible penalties.

How do I determine the specific requirements that apply to my business?

Compliance requirements vary by method of processing, such as using a stand-alone landline, wireless communications or the Internet to process. Simply review the table provided, click on the letter next to the description that best describes your business, and you will be taken directly to the applicable requirements.

What is a Self-Assessment Questionnaire?

The Self-Assessment Questionnaire “SAQ” is a validation tool for merchants and service providers who are not required to do on-site assessments for PCI DSS compliance.

What is cardholder data?

  • Primary Account Number (PAN)
  • Cardholder Name
  • Expiration Date
  • Sensitive Authentication Data:
    • Full magnetic stripe data
    • Card Validation Code/Value
    • Personal Identification Number (PIN)

What can never be stored, even if encrypted?

  • Full magnetic stripe
  • Card Validation Code/Value
  • Personal Identification Number (PIN/PIN block)
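An added example (not code from the original post or from the PCI Security Standards Council) of a pre-storage gate that enforces this rule: it drops the forbidden fields from an authorization record and refuses the record if magnetic-stripe data has leaked into any other field, such as a note or a log line. The field names, the track patterns (ISO 7813 layout) and the sample record are assumptions constructed for this example.

```python
import re

# Fields PCI DSS forbids storing after authorization, even encrypted: full magnetic
# stripe (track 1/2), card validation code/value, PIN and PIN block. Assumed names.
FORBIDDEN_FIELDS = {"track1", "track2", "cvv", "cvv2", "cvc2", "cid", "pin", "pin_block"}

# Stripe layout per ISO 7813: track 1 starts "%B<PAN>^<NAME>^<YYMM>", track 2 ";<PAN>=<YYMM>".
TRACK1_RE = re.compile(r"%B\d{13,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{13,19}=\d{4}")


def find_sensitive_auth_data(record: dict) -> list:
    """Return (field, reason) pairs wherever sensitive authentication data appears, whether
    under its own field name or leaked into a free-text field such as a note or a log line."""
    hits = []
    for name, value in record.items():
        if name.lower() in FORBIDDEN_FIELDS and value not in (None, ""):
            hits.append((name, "forbidden field"))
            continue
        text = str(value)
        if TRACK1_RE.search(text):
            hits.append((name, "track 1 data"))
        if TRACK2_RE.search(text):
            hits.append((name, "track 2 data"))
    return hits


def make_storable(record: dict) -> dict:
    """Drop the forbidden fields; refuse the record if stripe data survives in another field."""
    cleaned = {k: v for k, v in record.items() if k.lower() not in FORBIDDEN_FIELDS}
    leaks = find_sensitive_auth_data(cleaned)
    if leaks:
        raise ValueError(f"sensitive authentication data in {leaks}; must not be stored")
    return cleaned


def is_storable(record: dict) -> bool:
    """True when make_storable() would accept the record."""
    try:
        make_storable(record)
        return True
    except ValueError:
        return False


# Constructed sample: what a swipe terminal might hand the back office after authorization.
SAMPLE_AUTH = {
    "pan": "4111111111111111",          # well-known test PAN, not a real account
    "name": "TEST CARDHOLDER",
    "expiry": "1012",
    "track2": ";4111111111111111=10121011000012345678?",
    "cvv2": "123",
    "auth_code": "AUTH0001",
}
```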

What are the 12 requirements?

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

What’s the difference between a QSA and an ASV?

A Qualified Security Assessor (QSA) is a firm certified by the PCI Security Standards Council to perform the annual audits required for Level 1 Merchants. An Approved Scanning Vendor (ASV) is certified to perform the quarterly scanning required by all levels. Level 4 Merchants do not require the services of a Qualified Security Assessor.

Are there different ways to satisfy requirement 6.6?

Possibly. Depending on your situation, one of the following may satisfy the requirement:

  • Perform a code review of all in-house developed web applications.
  • Run all web application code through automated code analysis tools.
  • Perform a manual penetration test on each web application.
  • Purchase and install an application layer firewall in front of each web server.

How do I find my IP Address?

Consult your network administrator.

How do I know if my IP address is Static or Dynamic?

Consult your network administrator.

What is the difference between a Static IP and a Dynamic IP address?

A static IP address is the number assigned to a computer by an Internet service provider to be its permanent address on the Internet. If you have a static IP, your IP address remains the same every time you log in. Once you have provided JDS with your IP address, your scans will be performed without any action required on your part.

A dynamic IP address is your IP address for only as long as you are logged in for a session on the Internet. Once you disconnect from the Internet, that dynamic IP address goes back into the IP address pool so it can be assigned to another user. Consequently you will rarely, if ever, have the same IP address twice.

Who can I contact if I have any questions about PCI?

Call 1-877-689-1691 or email your questions to amspcs@juno.com. You may also contact us at http://www.merchantservices-help.com/contact.html. We will answer your questions and/or refer you to the proper source as quickly as possible.

What other links should I refer to for additional information and assistance regarding PCI?

http://www.merchantservices-help.com/PCIcompliance.html contains more valuable information on PCI Data Security as well as a direct link to the PCI Security Standards Council page.

     


iPhone Scam Alert

Tuesday, February 16th, 2010

Dear Friends and Merchants:

Just a quick reminder to those of you who use iPhones and Smartphones–and we know there are many of you out there, judging from the number of you who use your Smartphone devices for mobile credit card processing.

Be aware that there is an on-going ‘phishing’ campaign impersonating Apple.com. The scamsters attempt to trick users into submitting sensitive device information, with the intent to use the data in a countless number of fraudulent variations.

Our thanks to our merchant customer, friend, and service provider, Steve Shelby of Farvision Networks, for passing this tip on to us. Steve does an excellent job of servicing and maintaining our computer equipment and helping us maintain your privacy and the integrity of our database with timely information such as this. If your computer system could benefit from professional expertise such as this, contact Steve at Farvision Networks at 954.272.8267 or email www.farvision-networks.com


New Secure Payment Application for Google®’s Android™

Friday, November 6th, 2009

Announcing the first secure mobile payment application for Google®’s Android™ smartphones. This application, available through select distributors including Automated Merchant Solutions, Inc. (amsapcs@juno.com), enables Android™-powered mobile phones to become card payment acceptance devices. With T-Mobile® offering G1™ and myTouch™ and Sprint® offering HTC Hero™ Android™ smart phones, and Verizon Wireless® entering the market, Android is reshaping the mobile phone industry.

This state-of-the-art payment software and gateway solution is supported by all major credit card processors. It allows merchants seamless integration with their existing merchant account provider, enabling back-office systems integration with accounting applications such as QuickBooks. With its touch screen interface, this application enables merchants to quickly, easily and securely accept credit and debit card transactions at the point-of-sale anytime, anywhere. The software supports optional hardware such as a Bluetooth printer with integrated card reader, which results in merchants paying the lowest possible ‘swiped’ credit card processing rates. Receipts can also be printed on the spot, while electronic signature capture, available on many processing networks, eliminates the requirement for merchants to retain paper copies of signed receipts.

For details and pricing, email amspcs@juno.com or call 1-877-689-1691.


Pin Pad Sale

Friday, September 18th, 2009

We have a limited number of new PCI compliant Verifone Pin Pad 1000 SE/180 pin pads available at the special introductory price of $89.95, while supplies last. The PCI PED approved PINpad 1000SE is ergonomically designed for ease of use and handling, plus it provides the added versatility of USB or serial connectivity. It’s a simple upgrade solution for merchants with those devices who need to meet the new PCI PED security standard. US customers only, please. Price plus s/h. Encryption not included.

To order: email amspcs@juno.com or call 1-877-689-1691
