Archive for August, 2010

ProPay Announces LenderPay for Credit Unions, Banks, Auto Makers and Mortgage Lenders

Until now, borrowers have been quite limited in their ability to make payments to auto and home lenders with their credit or debit card.  Additionally, credit unions and community banks were restricted in their ability to accept payments from credit or debit cards issued by other institutions.  LenderPay is an extension of the powerful ProtectPay suite of services which now allows borrowers to make payments with any piece of “plastic” and allows lenders to accept those payments, all without requiring the lender to actually handle borrower payment card information.  By leveraging ProtectPay, lenders can accept payment without the additional risk of holding third party payment card information or exposing their companies to additional regulatory burdens such as the PCI DSS.

WHY IS THIS GOOD FOR LENDERS?

First, it is important to note that the lenders do NOT incur any transaction fees.  This is the main reason that lenders have not traditionally accepted plastic.  The borrower voluntarily elects to incur the processing fees by paying a flat convenience fee (not a percentage based or tiered fee). This means lenders can accept plastic for FREE.  Accepting credit and debit card payments allows lenders to reduce late payments and provides a convenient method for borrowers to pay. It’s a win-win for both parties. If the borrower is using a card issued by their lending institution, it ultimately increases the value of the lender’s entire loan portfolio.

When charging convenience fees, lenders must also consider the issue of “clean bookkeeping”.  In order to accept plastic for FREE, the lender must charge a convenience fee to the cardholder.  Most merchant processors will settle the convenience fee to the lender’s account and subsequently withhold interchange or simply debit interchange monthly.  The amount debited will not equal the total collected convenience fees.  This causes an unnecessary and often labor intensive reconciliation hassle for bookkeepers.  The convenience fee landscape opens up new levels of complexity for the lender to navigate. LenderPay removes this level of complexity by never settling convenience fees to the lender’s account to begin with. In addition, LenderPay never debits or withholds any transaction fees from the lender.  This makes reconciliation very cut and dry.

WHY IS THIS GOOD FOR BORROWERS?

This is a good question and there are many answers.  Most borrowers want to pay with plastic to earn instant loyalty points and travel miles.  Others may want to pay with plastic to extend the payment due date to allow for cash flow reserves. Others may still prefer to use their cards to make payments because of a recent medical or other emergency event that may have exhausted cash or otherwise interrupted the flow of income.  Whatever the reasons, people can and do pay all their bills with their credit and debit cards. In addition, some folks simply don’t want the hassle of hunting down their routing and account number every month for the sake of making that $500 BMW payment.

To learn more about LenderPay please email lenderpay@propay.com or call (801) 341-5642.

Almost daily I find myself speaking with a merchant that is using some 3rd party service provider and is confused about what, if anything, they (the merchant) need to do to ensure they are compliant with the card brand rules.  Often the 3rd party has said “Yes, we are compliant” but cannot provide any evidence of their PCI DSS compliance.  This puts the merchant in a bad situation.  Here are some tips you want to remember to keep from running afoul of the card brand rules.

1) If a 3rd party is storing, transmitting and/or processing Cardholder Data (i.e. credit or debit card data) for a merchant they must comply with the PCI DSS….AND…they must validate compliance by either completing a Self Assessment Questionnaire (SAQ) and network scan OR having an onsite assessment conducted by a Qualified Security Assessor (QSA) and a network scan.  There are NO other options…

2) If the 3rd party stores, transmits, and/or processes more than 300,000 transactions per year of Visa or MasterCard then they are a level 1 and must have an onsite assessment by a QSA.  If less than 300k, they are a level 2 and can complete a SAQ.

3) All 3rd parties that store, transmit, and/or process Cardholder Data MUST be registered with Visa and/or MasterCard (depending upon what type of data they handle) as either a Third Party Agent (TPA, Visa), a VisaNet Processor (VNP), a Data Storage Entity (DSE, MasterCard), or a Third Party Processor (TPP, MasterCard).  If they are a VNP or TPP they likely would have been contacted directly by the card brands.  In the vast majority of cases 3rd parties will need to register as a TPA or DSE.  Registration requires that the 3rd party be validated as compliant, be sponsored by a bank, and pay a fee.

4) If you are using a 3rd party and they have not 1) validated compliance AND 2) registered, your company is at risk.  A compromise of this 3rd party’s data will be attributed to your company, as you were using a ‘non registered/non compliant’ 3rd party.

So what can a merchant do?  Follow these simple steps.

1) Ask the 3rd party to provide evidence that they have validated compliance.  They should either provide a completed SAQ, a Certificate of Validation (from MasterCard), or their response from Visa.  This will provide evidence that they have validated.  If they are a level 1 and have validated and registered, you can find their name on Visa’s list of 3rd party service providers.

2) Ask the company to confirm they have been registered.  If they have not, then you must inform your merchant acquirer, and the acquirer needs to register the third party with Visa and/or MasterCard.  The bank will know what is required. If you are using an ISO then ask the ISO and they can inquire with the bank.

The important thing to remember is that you must use a compliant and validated 3rd party that has been registered with the card brands.  Failure to do so can expose your company to significant risk.

Chris Mark - EVP; Data Security & Compliance

For years security professionals have been telling people to be careful of thumb drives.  Numerous urban myths have made the rounds about infected thumb drives causing issues.  In my own role as a Visa CISP trainer and PCI SSC Qualified Security Assessor (QSA) trainer, I warn people about the risks of untrusted media such as thumb drives.  More than a few snickers were directed my way.  Well…here is a real world example.

The Washington Post published a story on August 24th, 2010 that details a cyber attack against US military computers caused by a flash thumb drive.  This was not just a small breach but the most significant breach of US military computers.  According to the article, a foreign military intelligence agency infected the thumb drive with malicious code.  When the drive was inserted into a computer in the Middle East in 2008, it uploaded the malicious software onto the network used by the US Military’s Central Command.  The code spread undetected on both unclassified and classified networks.  As stated in the article: “It was a network administrator’s worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary.”

Too often companies think of data breaches occurring because of some master hacker breaking into their secure systems and stealing data.  All too often, however, the breaches are a result of complacency or simple mistakes.  Thumb drives, external hard drives, and malicious email are often the vectors that data thieves use to get the proverbial “foot in the door”.  When considering your information security posture, it is important not to ignore the threats that are most obvious but most often overlooked.

Recently, a new social networking site came online that provides a new way for people to share with their “circle.”  This site allows people to share their purchases with their friends automatically.  If I want my friends to quickly see what I’m buying, I can log-in to this site and provide them with the log-in credentials for my credit card account or any of my eCommerce accounts, like Amazon or NetFlix. The service will then crawl through the histories and display to my friends my recent purchases.  This can even be integrated with Facebook and Twitter, in order to ensure that all of my friends are notified that I spent $7.99 on cold medicine last weekend.

The company contends that the service encourages transparency among companies and not-for-profit organizations, as well as allowing friends to share the things that are interesting to them.  The things we buy say a lot about who we are, according to the founder.  Why wouldn’t we want to share that with our friends?

Leaving aside, for the moment, the commentary on how much sharing is too much sharing, there are practical reasons for not sharing in this particular way.  Foremost among those is the agreement between the cardholder and the issuing bank.  Whenever a card is issued, it is accompanied by a lengthy document that many of us don’t read.  It contains all of the terms and conditions to which the cardholder agrees in order to use the card.  Among those terms and conditions is an agreement not to share your account information.  For example, if I give my card information to my sister I cannot then claim that my sister used my card without my permission.  That means that I would be personally responsible for any purchases she made, even if I didn’t agree to them.

Let’s extend that scenario into the eCommerce world.  The language in my Amazon.com user agreement states, “If you do share your password or PIN with a third party for any reason, the third party may have access to your account and your personal information, and you may be responsible for actions taken using your password and PIN.” This language is common in eCommerce accounts and it coincides with the cardholder agreement sent by issuing banks.  Essentially, if you share your personal information with a third party, and that third party then misuses that information, you may ultimately be responsible for any charges or purchases that third party made.

The CEO of the site, when questioned about a data breach, stated:  “I think the risks in actuality are very small. Similarly, I think we have this engrained thing that we’re taught, which is to not share this [financial] information, and we don’t really know why.”

Come again? Is he suggesting that we really “don’t know why” we should not share personal and financial information with strangers?

There are legitimate purposes for sharing personal information.  Making purchases online, for example, requires that you share your payment information. We expect those companies to protect that information from disclosure and misuse. It is important for us as individuals to realize that it’s not just a responsibility of businesses to protect our information – it is our responsibility, as well.  While this social networking site describes its commitment to security, we as consumers must decide if this level of sharing introduces an element of risk with which we are comfortable.  As for me, I’ll keep my log-in credentials to myself.

The good old days of PC viruses and malicious software being our only real headaches have now transitioned into a time when even our phones are subject to attacks designed to defraud us and steal our personal information.  Smart phones are ubiquitous, and as their memory and processing power increases, people are using their phones for things that previously they had only used their computers for.  A recent advertisement showed a couple on their honeymoon taking pictures of their checks to be immediately deposited into their checking account.  With utility and power like this, it was only a matter of time before criminals started taking a serious look at how to compromise smart phones.

A story on FoxNews.com discusses some of the issues with smart phone attacks.  This blog will summarize some of the findings from the article.  With the increase in mobile payment technology this trend is something that we cannot ignore.  According to GetSafeOnline.org, 67% of smartphone users don’t use a password to protect their phones.  While this is troubling enough, even phones protected with passwords may not be ‘secure’ from hackers.  Because smart phones use the screen for input commands, looking closely at the ‘smudges’ on the screen can often reveal the password.  According to the article, researchers at the University of Pennsylvania said that by taking a picture of the touch screen from a Google-powered phone they were able to decipher the password 68% of the time using what they called “smudge attacks”.  This is certainly discouraging news.

Another twist on the smart phone attacks appears to be malicious software that runs in the background and secretly sends text messages to premium “pay per text” services.  Some of these services, according to the article, charge up to $5 per text.  Users are typically unaware of the texts being sent until they receive their bill.  By this time the vendors have closed up shop and moved on.

As with personal computers, basic security practices will mitigate quite a bit of risk.  Ensuring you don’t open or click on unknown or suspicious attachments will help, as will using a password to protect the phone.  Probably the most important point is to limit what, if any, personal information you allow on your phone.  Quite simply, if you never use your phone for online banking, there is a low risk of your banking information being stolen from your phone.