— Merchant education tool aimed at driving demand for secure mobile payment acceptance options —
Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards, published the PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users. The guidance educates merchants on the factors and risks that need to be addressed in order to protect card data when using mobile devices, such as smart phones and tablets, to accept payments.
Juniper Research predicts mobile transactions will hit $1.3 trillion worldwide by 2015, four times what it is today, as more and more businesses turn to consumer electronic handheld devices (e.g., smart phones, tablets or PDAs) for payment acceptance. As these devices are not solely used as point of sale tools but also to carry out other functions, they introduce new security risks. By design, almost any mobile application could access account data stored in or passing through the mobile device.
The new guidance for merchants focuses on these scenarios and specifically the payment software that operates on these devices. The PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users leverages industry best practices to educate merchants on what is needed to isolate and prevent card data from exposure.
“Even with rapid adoption of mobile technology in payments, security still tops concerns for merchants. It comes down to the basic element of trust. Consumers want to have confidence that their information is protected - whether at their favorite restaurant, shopping online or making a purchase using a mobile device in lieu of a traditional POS. Currently, it is challenging to demonstrate a high level of confidence in the security of sensitive financial data in devices that were designed for other consumer purposes. Which is why we encourage merchants to consider encrypting cardholder data securely prior to using mobile devices to process transactions,” said Troy Leach, chief technology officer, PCI Security Standards Council.
The guidance goes hand-in-hand with recommendations the Council published in September 2012 for mobile app developers and device vendors on designing appropriate security controls that provide secure mobile payment acceptance solutions for merchants.
Added Leach, “When considering mobile payment acceptance, merchants need to go in with their eyes open. And that’s what the intent of this guidance is, to help merchants understand the risks so that together with developers and device vendors they can safely implement a solution that will enable mobile commerce to flourish.”
The PCI Mobile Payment Acceptance Security Guidelines recognize payment security as a shared responsibility. By providing a high level introduction and overview of the mobile payments space and the security risks of mobile devices, the document outlines the unique, complex and evolving mobile environment that underscores the need for all parties in the payment chain to work together to ensure mobile acceptance solutions are deployed securely.
The guidance is organized around the following key areas and objectives:
• Objectives and Guidance for the Security of a Payment Transaction – addresses the three main risks associated with mobile payment transactions: account data entering the device, account data residing in the device, and account data leaving the device
• Guidelines for Securing the Mobile Device – provides recommended measures for merchants regarding the physical and logical security of mobile devices used for payment acceptance
• Guidelines for Securing the Payment Acceptance Solution – provides guidance for the different components of the payment acceptance solution, including the hardware, software, the use of the payment acceptance solution, and the relationship with the customer
• A glossary of terms, chart to help determine responsibility for each best practice, checklist for choosing a mobile solution provider, and further detail on additional risks associated with mobile devices are included as appendices.
The document underscores that until mobile hardware and software implementations can meet these guidelines, the best option for merchants is the use of a PCI-validated, Point-to-Point Encryption (PCI P2PE) solution, as outlined in the Accepting Mobile Payments with a Smartphone or Tablet fact sheet.
Merchants can download both the PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users and the Accepting Mobile Payments with a Smartphone or Tablet factsheet from the PCI SSC website: https://www.pcisecuritystandards.org/security_standards/documents.php.
The Mobile Wallet and the Tap to Pay System
We all have our mobile phones today, and, like our wallets used to do, the phone holds virtually everything we need: pictures, contacts, email, even bank account information. And now smartphones are trying to take one more thing out of that bulky wallet: payment cards. The mobile phone is on the cusp of becoming a mobile wallet, among all its other functions. The only thing you need to be concerned about is that you’ll never be able to use the I-forgot-my-wallet excuse again!
A mobile wallet is also referred to as a mobile payment. Mobile payments allow you to use your phone to transmit the payment data from your credit card or debit card to the store with just a tap on the processing terminal where you would normally swipe your card.
The technology emerged in 2005, piloted by Nokia, and was different from payment via SMS text or through direct billing. This type of mobile wallet or mobile payment allows you to use Near Field Communication (NFC) technology to allow a special device in the smartphone to send waves to a receiver in the merchant’s payment terminal. This receiver gathers the information and transmits it to the computer to read and process it.
The technology for mobile payments is already in place and being used by some European countries, although their uses include paying for public parking and public transportation. You may also already use this technology if you have an EZPass for your vehicle on toll roads.
The proposed mobile wallets would feed off your bank account or a credit card account, and not off of a cash fund you place on the device. The mobile wallet gained a lot of ground after the initial testing done by Nokia, and now many other phone companies are rolling out smartphones with the capabilities of mobile payments.
Research in Motion, Google Android and LG are some of the first to announce that their upcoming phones would be capable of mobile payments using NFC for merchant-to-consumer transactions with debit or credit card information. Additionally, the manufacturers of the payment processing terminals have begun to catch on to the trend, and are now rolling out terminals that have both NFC capabilities and ordinary swipe card technology. 2012 is expected to be an exciting year for mobile wallets and NFC technology.
2012 is the year when merchants should begin to get the system in place for the mobile wallet system. Ensure that your payment processor is capable of handling any changes in payment systems, and that your own terminals are up to date so that if a customer comes in and wants to just tap to pay, you are able to serve that person.
Everyone will benefit from this technology, especially after the initial challenges of changing systems. The mobile wallet is infinitely more secure than the credit card for both the consumer and the merchant. The card information stored on the phone can be removed within seconds of the phone being reported lost or stolen. This means fewer fraudulent purchases for the merchant and less hassle for the consumer. Additionally, the technology ensures security by sometimes requiring a PIN or a password to access the system and also uses waves that are encrypted and generally not readable except from a very short distance.
Another example of how this will help both merchants and consumers is that the smartphone has the capability to not only use the credit card information but also any coupons and loyalty card information to efficiently process the transaction giving the consumer the maximum benefit and the merchant the easiest transaction. Then all information can be stored in the computer and merchants can use loyalty card usage and coupon usage information to help them improve sales and customer satisfaction.
Finally the advent of NFC technology and its use as a mobile wallet will change the credit card industry and the payment systems industry, with most of the changes being something your providers will need to adjust to quickly. Currently the mobile wallet is “operator-centric,” meaning that the phone company and the consumer operating the phone are in control of the use. The credit card system will not face so many changes; it will merely have to be more prepared for use of wireless and internet transactions. Essentially the mobile wallet removes the need for swipe cards, but not the processing fees associated with it. Credit card companies will need to adjust to this change.
While you and your customers ponder the use of the mobile wallet, we offer a mobile payment system which may help you adjust to the idea of phones being a method to convey currency. This handy system allows you to turn your smartphone into a payment processing terminal safely and securely. Contact us today to discuss how you can prepare for the new technology and how it may affect your business.
When all other players in the system are changing, you can bet that your payment processor will need to change too. My POS Depot is watching this emerging technology and is excited about the changes that are occurring. As a processor we understand that the merchant, and the consumer, and the credit card company are all shifting positions, and the payment system processors will need to be prepared to shift too. As the specific use of this technology emerges and the players begin to take their places, My POS Depot will be adding mobile products and solutions for merchants to help them move forward without interrupting business.
The Benefits of Merchant Cash Advances
If you own or run a business, you know that every day is a challenge, and that the unexpected is precisely what you need to expect. When the unexpected does happen, whether it’s potential for growth or unexpected costs, as a business owner you need to be prepared. Merchant cash advances can be the tool your business needs to deal with the unexpected.
What is a merchant cash advance?
A merchant cash advance, or a business cash advance as some call it, is a method of getting working capital for your business. A merchant cash advance is not a loan; instead it is selling your expected credit card receipts to a provider in exchange for a lump sum of working capital. Many businesses find that merchant cash advances are a flexible and accessible option to get money for their many business needs.
A merchant cash advance is given based on your business’ future credit card sales. After determining a minimum of average monthly credit card sales and some other requirements, a provider will make an offer of cash in return for a part of the coming month’s credit card receipts. Your business can use the advanced cash for virtually any business need: payroll, repairs, increased inventory, or unexpected costs.
Why use a merchant cash advance?
Merchant cash advances are accessible to small businesses, when other funding is not. Small business loans are increasingly difficult to obtain. Because interest rates are so low right now, many banks are not giving loans under $100,000.00, because of the low return they will receive. Additionally, the loans that are being given out are either backed by the Small Business Administration, which requires a lot of extra paperwork and slows the process tremendously, or are loaned by non-bank institutions which lend at a high rate and require collateral. A loan is therefore either not an option at all, or not a very good one, for many small business owners like you. A merchant cash advance is a simpler and less costly way to get money for your business at the time you need it.
A second reason to use merchant cash advances is for the ease of the process. Providers want to work with you to help your business. Providers such as Pinnacle Merchant Advance work with you to figure out how much cash you need, and how to get it. Your future Visa and MasterCard receivables are easily converted into cash, almost immediately. And a merchant cash advance can be used for virtually anything your business needs.
The flexibility of the merchant cash advance also makes it desirable. If your business does not meet the sales that the average predicted, providers like Pinnacle will allow you to pay the cash advance off over a few months, and if the sales are higher than predicted, you can pay the provider quickly, without any adverse penalties. A loan from a bank, or a line of credit from a bank, will require you to produce collateral for the bank to attach as guarantee for the money they give you, and the bank would never allow the flexibility of payments that a merchant cash advance offers.
Using a merchant cash advance will benefit your business by getting the cash you need to grow and maintain your business, relatively hassle free. And the flexibility of using the cash and funneling future Visa and MasterCard receivables to providers allows you to fund your business without worrying about collateral or missing a loan payment.
Finding Funding Providers
Although My POS Depot does not provide direct funding, with our knowledge of the payment card industry, we can help you to arrange funding. Our affiliate company, Pinnacle Merchant Advance, is a leader in the cash advance industry, with an online application and straightforward business practices.
Requirements for a cash advance from Pinnacle are a minimum of $2,500.00 per month of credit card receivables, a physical location, having been in business for at least one year, and having a year left on your business lease. If you meet these requirements, you may apply for a free and no obligation quote. And when Pinnacle says no cost, they mean it. There is no cost to apply, no cost for a background check, and no cost to get the cash to your account. After verifying other factors and determining the amount of cash you can receive, Pinnacle wires funding within ten business days. For a merchant cash advance from a provider you can trust, we recommend Pinnacle Merchant Advance.
What is PCI Compliance and How Can It Affect Me?
The twentieth century U.S. criminal Willie Sutton was said to rob banks because “that’s where the money is.” The same motivation in our digital age makes merchants the new target for financial fraud. The lack of security by merchants enables criminals to easily steal and use personal consumer financial information from payment card transactions and processing systems.
It’s a serious problem – more than 510 million records with sensitive information have been breached since January 2005, according to PrivacyRights.org. As a merchant, you are at the center of payment card transactions so it is imperative that you use standard security procedures and technologies to thwart theft of cardholder data.
Merchant-based vulnerabilities may appear almost anywhere in the card-processing ecosystem including point-of-sale devices; personal computers or servers; wireless hotspots or Web shopping applications; in paper-based storage systems; and unsecured transmission of cardholder data to service providers.
A survey of businesses in the U.S. reveals activities that may put cardholder data at risk.*
Compliance with the Payment Card Industry (PCI) Data Security Standard (DSS) helps to alleviate these vulnerabilities and protect cardholder data.
Payment Card Industry (PCI) Compliance is a complex system put in place by the five major swipe card brands/associations. These are: Visa, MasterCard, American Express, Discover, and JCB. A merchant who accepts one of these brands is subject to PCI Compliance. Any debit, credit, or pre-paid swipe card is subject to the PCI Compliance rules.
The rules for compliance deal with Data Security Standards (PCI DSS). The official site for the Security Standards Council (SSC) which oversees and enforces PCI compliance can be found here. The SSC mandates compliance standards to be in place prior to the transaction. Further compliance deadlines are set at various times. For most small to medium sized businesses, the deadline and enforcement will come from your merchant bank.
For PCI DSS, a merchant is any entity which accepts payments from one of the five brands. A merchant can also be a service provider if the merchant accepts cards for payments of goods or services on behalf of another entity. A service provider is subject to the same rules as a merchant.
Whether you use internet sales transactions or point of sale transactions, you must comply with PCI DSS. Use of even one swipe card in a merchant’s business in a calendar year, places the merchant under PCI DSS. For merchants, use includes: storage, transmission, or processing of cardholder data. The standards for compliance do vary for the number of transactions per year.
Merchants must complete a quarterly scan from a PCI SSC approved scanning vendor. Alpha Card Services is pleased to announce that, upon launch of our new PCI Security website portal, we will be able to help you evaluate and comply with requirements for PCI DSS. This website will also help you to validate your compliance and complete an Attestation of Compliance. Contact one of our helpful representatives to learn more.
The purpose of these standards is to protect cardholder account data, the account number printed on the card. Merchants and any other service provider involved in the transaction process must never store this sensitive data after the authorization. This includes sensitive data printed on the card, or stored on the magnetic strip or chip, and personal information entered by the cardholder. When merchants comply with PCI DSS, it ensures a number of things:
How Do I know my Customers are Protected?
As a merchant you might wonder how you can comply with the standards and also ensure protection of your customer’s information. By utilizing our PCI Security website portal, and other safety measures, you can achieve maximum security of information.
First, Visa has promulgated a list of best practices for merchants. Although it is not all encompassing, it will help small to medium sized businesses protect themselves and their customers. Some of these practices include using a payment systems provider with a good reputation for updating his or her software for processing, not sharing access information for firewalls or secured networks, and not hiring cyber-criminals.
Second, one can avoid some common downfalls. Perhaps the most common is that small businesses with few transactions believe that an SSL Certificate is sufficient to ensure compliance. This is incorrect. Also, some small businesses that are run from homes are particularly targeted by hackers. This means that those who run small businesses should ensure they have a secure network and a good processing center.
Finally, merchants can ensure they have secure payment gateways. A payment gateway is the method through which a merchant is connected to the actual bank. Often these gateways are facilitated by processors, such as MyPOSDepot, and so finding a secure gateway is as simple as finding a good processor.
Dealing with PCI Compliance does not have to be a painful process, and is helpful to both you, the merchant, and to your customers. As we launch our brand new PCI Security portal, you can be assured that we will help you to comply with PCI DSS and that we will be using state-of-the-art software and security systems to ensure that our services to you will not be compromised. As small to medium sized businesses are the most vulnerable to hacking and are targeted by banks for compliance issues, any Level 4 merchant needs to make sure it has a good partner in swipe card processing. Contact one of our representatives for help today.
*Source: Forrester Consulting: The State of PCI Compliance (commissioned by RSA/EMC)
National Account Executive
P: (866) 480-2433
C: (215) 421-3333
F: (215) 494-0368
Follow MyPOSDepot & Receive Exclusive Offers!
MyPOSDepot.com is the leader in low cost merchant services equipment and credit card processing solutions. Our dedicated staff is knowledgeable on the industry and MPD will lower any merchant's credit card processing cost by at least 25%! Contact our sales department at (866) 480-2433 or click the following link and one of our sales representatives will contact you within 24 business hours.
Tokenization is a process by which the primary account number (PAN) is replaced with a surrogate value called a “token.” De-tokenization is the reverse process of redeeming a token for its associated PAN value. The security of an individual token relies predominantly on the infeasibility of determining the original PAN knowing only the surrogate value.
Depending on the particular implementation of a tokenization solution, tokens used within merchant systems and applications may not need the same level of security protection associated with the use of PAN. Storing tokens instead of PANs is one alternative that can help to reduce the amount of cardholder data in the environment, potentially reducing the merchant’s effort to implement PCI DSS requirements.
The following key principles relate to the use of tokenization and its relationship to PCI DSS:
One of the primary goals of a tokenization solution should be to replace sensitive PAN values with non-sensitive token values. For a token to be considered non-sensitive, and thus not require any security or protection, the token must have no value to an attacker.
Tokens come in many sizes and formats. Examples of some common token formats are included in the following table.
Tokens can be generally identified as either single-use or multi-use. A single-use token is typically used to represent a specific, single transaction. A multi-use token represents a specific PAN, and may be used to track an individual PAN across multiple transactions. A multi-use token always maps a particular PAN value to the same token value within the tokenization system. Determining whether single-use or multi-use tokens, or a combination of both, are appropriate for a particular merchant environment will depend on the merchant’s specific business need for retaining tokens.
When evaluating a tokenization system, it is important to consider all elements of the overall tokenization solution. These include the technologies and mechanisms used to capture cardholder data and how a transaction progresses through the merchant environment, including transmission to the processor/acquirer. The tokenization solution should also address potential attack vectors against each component and provide the ability to confirm with confidence that associated risks are addressed.
The security and robustness of a particular tokenization system is reliant on many factors, including the configuration of the different components, the overall implementation, and the availability and functionality of security features for each solution.
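The single-use and multi-use token behaviour described above, as an added Python example that is not taken from the PCI SSC guidance or from MyPOSDepot. The `TokenVault` class, its in-memory storage and the choice to issue numeric tokens that fail the Luhn check (so a token cannot be mistaken for a real PAN) are assumptions of this example; the PANs are the well-known card-brand test numbers.

```python
import hashlib
import hmac
import secrets


def luhn_valid(number: str) -> bool:
    """Return True if the digit string passes the Luhn check that real PANs pass."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical in-memory tokenization system (illustration only).

    Tokens are random, so nothing about the PAN can be computed from a token;
    the only way back to the PAN is a lookup inside the vault.
    """

    def __init__(self):
        self._index_key = secrets.token_bytes(32)  # keys the multi-use lookup index
        self._pan_by_token = {}    # token -> PAN (a real vault stores this encrypted)
        self._multi_use_index = {}  # HMAC(PAN) -> multi-use token
        self._txn_by_token = {}    # single-use token -> transaction id

    @staticmethod
    def _check_pan(pan: str) -> None:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")

    def _new_token(self, length: int) -> str:
        # Random digits, rejected until they fail Luhn and are unused.
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(length))
            if not luhn_valid(token) and token not in self._pan_by_token:
                return token

    def tokenize_multi_use(self, pan: str) -> str:
        """Same PAN always yields the same token within this vault."""
        self._check_pan(pan)
        fp = hmac.new(self._index_key, pan.encode(), hashlib.sha256).digest()
        token = self._multi_use_index.get(fp)
        if token is None:
            token = self._new_token(len(pan))
            self._multi_use_index[fp] = token
            self._pan_by_token[token] = pan
        return token

    def tokenize_single_use(self, pan: str, txn_id: str) -> str:
        """A fresh token per transaction; it cannot link two purchases together."""
        self._check_pan(pan)
        token = self._new_token(len(pan))
        self._pan_by_token[token] = pan
        self._txn_by_token[token] = txn_id
        return token

    def transaction_for(self, token: str):
        """Transaction id bound to a single-use token, or None for other tokens."""
        return self._txn_by_token.get(token)

    def detokenize(self, token: str) -> str:
        """Redeem a token for its PAN; unknown tokens are refused."""
        if token not in self._pan_by_token:
            raise KeyError("unknown token")
        return self._pan_by_token[token]


# Constructed sample input: published test card numbers, not real accounts.
TEST_PAN_A = "4111111111111111"
TEST_PAN_B = "5555555555554444"

if __name__ == "__main__":
    vault = TokenVault()
    print("multi-use :", vault.tokenize_multi_use(TEST_PAN_A),
          vault.tokenize_multi_use(TEST_PAN_A))
    print("single-use:", vault.tokenize_single_use(TEST_PAN_A, "txn-1"),
          vault.tokenize_single_use(TEST_PAN_A, "txn-2"))
```

A merchant system that stores only the returned tokens holds no PAN; the mapping lives solely in the vault, which is the component that stays in scope for protecting cardholder data.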
The Federal Reserve Board on Wednesday issued a final rule establishing standards for debit card interchange fees and prohibiting network exclusivity arrangements and routing restrictions. This rule, Regulation II (Debit Card Interchange Fees and Routing), is required by the Dodd-Frank Wall Street Reform and Consumer Protection Act.
Debit card interchange fees are established by payment card networks and ultimately paid by merchants to debit card issuers for each electronic debit transaction. As required by the statute, the final rule establishes standards for assessing whether debit card interchange fees received by debit card issuers are reasonable and proportional to the costs incurred by issuers for electronic debit transactions. Under the final rule, the maximum permissible interchange fee that an issuer may receive for an electronic debit transaction will be the sum of 21 cents per transaction and 5 basis points multiplied by the value of the transaction. This provision regarding debit card interchange fees is effective on October 1, 2011.
The Board also approved on Wednesday an interim final rule that allows for an upward adjustment of no more than 1 cent to an issuer’s debit card interchange fee if the issuer develops and implements policies and procedures reasonably designed to achieve the fraud-prevention standards set out in the interim final rule. If an issuer meets these standards and wishes to receive the adjustment, it must certify its eligibility to receive the adjustment to the payment card networks in which it participates. Comments on the interim final rule are due by September 30, 2011. The fraud-prevention adjustment is effective on October 1, 2011, concurrent with the debit card interchange fee limits. The Board will re-evaluate this adjustment in light of feedback received during this comment period.
When combined with the maximum permissible interchange fee under the interchange fee standards, a covered issuer eligible for the fraud-prevention adjustment could receive an interchange fee of up to approximately 24 cents for the average debit card transaction, which is valued at $38.
In accordance with the statute, issuers that, together with their affiliates, have assets of less than $10 billion are exempt from the debit card interchange fee standards. To assist payment card networks in determining which of the issuers are subject to the debit card interchange fee standards, the Board plans to publish by mid-July and annually thereafter lists of institutions that are above and below the small issuer exemption asset threshold. Also, the Board plans to annually survey the networks and publish a list of the average interchange transaction fees each network provides to its covered and exempt issuers. This information should enable issuers, including small issuers, to more readily compare the interchange revenue they would receive from each network.
The final rule prohibits all issuers and networks from restricting the number of networks over which electronic debit transactions may be processed to less than two unaffiliated networks. The effective date for the network exclusivity prohibition is April 1, 2012, with respect to issuers, and October 1, 2011, with respect to payment card networks. Issuers of certain health-related and other benefit cards and general-use prepaid cards have a delayed effective date of April 1, 2013, or later in certain circumstances.
Issuers and networks are also prohibited from inhibiting a merchant’s ability to direct the routing of the electronic debit transaction over any network that the issuer has enabled to process them. The merchant routing provisions are effective on October 1, 2011.
This landmark decision will dramatically reduce debit processing cost for all merchants who take advantage of lower processing cost charged to the merchant’s credit card processor.
MPD Merchant Benefits Include:
Additional Products and Services:
If you are currently accepting credit cards, I will conduct a free cost comparison for you to show you the MY POS Depot savings. I will need a current monthly statement from your current processor to complete a comparison. MyPOSDepot may pay your early termination fee if your business qualifies.
For more information on how MyPOSDepot can lower your overall processing cost please contact our sales department at (866) 480-2433
Many of us have traveled to Europe on regular occasion – both for business and pleasure. If you’re like me, you notice all the nuances of how Europeans and others throughout the world embrace and utilize technology more voraciously than those in the U.S. For example, smartphone technology was being used in Europe in the early 2000s, well before the mass marketing introductions of Android and iPhone phones in the U.S. I remember back in 2000 marveling at my German counterpart’s smartphone device that contained a decent megapixel camera, email and web capability, and application integration that accessed the company enterprise system. At the time, most of us in the United States were burdened with clunky cell phones with limited text messaging plans and dropped calls. Another example of “delayed technology” is that of QR codes, which were widely used in Asia and Europe well before their recent adoption in the U.S.
Another technological “delay” that I am aware of, this one in the payments processing industry, is chip-and-PIN cards. They are referred to as chip-and-PIN cards because the credit cards have computer chips embedded in them, and the cardholders, instead of signing for purchases, must punch four-digit PIN numbers into terminals. Chip-and-PIN has become standard in Europe because of its superior fraud-prevention abilities. In fact, our CEO just returned from Europe and provided first hand details of this payment technology along with pay-at-the-table.
There are essentially two main types of technology in use for credit cards today.
When will the United States go to Chip-and-PIN?
So I’ve pointed out all the advantages of chip-and-PIN card vs. magnetic swipe. What is the hold up in the U.S. to adopt, for all intents and purposes, superior technology?
As of this posting Visa has announced a significant plan to encourage U.S. merchants to support EMV (EuroPay, Mastercard, Visa global standards) chip technology. This includes incentives for accepting contact-less cards and NFC-phone payments. The plan is likely to finally get the huge U.S. payment industry moving toward adoption of the EMV standard to secure point-of-sale transactions. Interestingly, even with the Visa initiative, U.S. banks and merchants have yet to adopt a plan for migrating to EMV, unlike every other developed country.
It appears that the reluctance to change is cost focused… This is understandable in light of current economic conditions. Dozens of countries in Europe and Asia are adopting the new technology or have plans to do so. That could put some pressure on the United States to change with the times. However, since economies and transactions are interwoven on a global scale, won’t we be forced to adopt this superior payment technology at some point? Personally I tend to think so.
MyPOSDepot plans to assist new and existing merchants in the future (once this technology has become more widely accepted in the U.S.) by offering a no-charge EMV enabled terminal upgrade. This no-charge upgrade is meant to help defray the cost of the new EMV technology with merchants.
In the meantime, whenever one of us goes to Europe, we can enjoy a quick, secure pay-at-the-table payment experience.
EMV standards define the functional requirements that must be met by a Chip card and Chip-reading terminal. These international Chip card standards, developed by Europay, MasterCard and Visa, ensure that cardholders globally benefit from this security innovation. Thanks to EMV Chip technology, you can expect enhanced security and protection from fraud, greater transaction speed and convenience and ease of use.
More than 483 million Chip & PIN cards have been issued globally, resulting in reduced credit card fraud in 113 countries where Chip & PIN technology has been used.
International experience has shown that Chip & PIN cards offer additional card security. Fraud figures released on 14 March, 2007 by APACS, the UK payments association, show total card fraud losses fell by 3% in the previous year. The introduction of Chip & PIN cards has made it more difficult for fraudsters to commit card fraud in the UK, with losses at UK retailers down by 35% since 2005.
Now, U.S. card issuers have begun a large-scale rollout of Chip & PIN cards to their existing cardholders. To ensure global acceptance of all cards, the Chip & PIN cards will continue to have a magnetic stripe along with a chip. Chip terminals will continue to accept both magnetic stripe and Chip & PIN cards.