Entries tagged with “mastercard”.


Finding the right payment processor for your small business is all about looking for features that match up well with what your business does. Here are some examples of features you should look for depending on your business.

Mobile Card Readers for Local Businesses

One useful feature you can get from a payment processing company is a mobile card reader. This is a device that sits right on top of your phone which can process credit cards securely in-person.

Many of the better ones give you a free app to go with it, and let you plug them right into a convenient area like the audio port. This feature is ideal for local businesses that do a lot of commerce in person and not at a stationary POS system within a store. A mobile card reader will be useful for brick and mortar stores that don’t want to pay extra for the more extensive credit card devices, and also for small businesses that carry product from within their own home and want to be able to process credit cards for local customers.

Multiple Payment Storage Options for Online Businesses

One excellent way to encourage repeat customers for your online business is to make it really easy for them to store payment options. Trivial inconvenience is the great killer of e-Commerce. If customers can store different credit cards and payment options with your site using a payment processing service that allows for this, then they can come back and make additional purchases with much less hassle.

Having to enter payment information over and over again is going to deter repeat business. That’s why the multiple storage feature can be useful for encouraging growth in small businesses that focus on internet transactions.

Regardless of how your small business operates, it can benefit from the right payment processing features. For more information about these features and others, please contact us at ProPay today.

I saw a blog post yesterday that reminded me of complexity and confusion surrounding the relationship between PCI DSS compliance and fraud prevention.  The details of the story are less important than the central idea that the author was communicating –  the notion that merchants should rely on PCI DSS compliance for the prevention of fraud.  The idea behind PCI DSS is of course to reduce the amount of fraud by helping to protect payment data from unauthorized disclosure and use, but it should be noted that the standard is not a fraud prevention program.  It is a data security compliance program.  Understanding the difference between fraud prevention and data security will help to clarify the relationship between the PCI DSS and fraud.

Fraud is the intentional deception for personal gain.  This is a broad definition that includes social engineering as well as the misuse of financial data.  Fraud prevention, then, must be a very broad set of practices and procedures that are put in place to prohibit people from being able to misuse (in this case) payment card data.   All of the major card brands have suggestions and best practices for preventing fraud at the merchant level.  MasterCard Worldwide provides a quick reference guide to help merchants educate their staff on fraud prevention techniques.  Among the suggestions is the notion that staff should be familiar with what a card is supposed to look like.  Valid cards have a number of fraud prevention mechanisms, including embossed numbers and holograms.    (Each of the card brands can also provide a sort of “anatomy of a card” that will keep merchants and their employees current with new card designs and security mechanisms.

Data security is a subset of fraud prevention tools.  Ensuring that the data is adequately protected from unauthorized disclosure (data compromise) helps mitigate the risk of fraudulent transactions.  All of the major card brands require compliance with the PCI DSS with any entity that stores, processes, or transmits cardholder data.  This helps to prevent data thieves from perpetrating fraudulent transactions on a large scale.  Merchants should not rely on the PCI DSS to protect them from fraud schemes.  PCI DSS is designed to help companies protect payment data from thieves, not to protect merchants from fraud schemes.

Dr. Heather Mark, PhD. ; SVP, Market Strategy

ProPay is excited to announce that we received news today that our Zumogo mobile solution was selected as the winner of the 2011 ETA Techology Showcase.  This is a very proud day for ProPay.  As the first Social M-Payment solution in the market, Zumogo is an exciting opportunity for companies to not only accept payments from mobile phones but to directly market to potential customers.  For a video of Zumogo  at the 2011 Sundance Film Festival see below!

Heather Mark and Travis Allen are attending the Visa Global Security Summit this week while our EVP of Risk, Lance Rich is at the MasterCard Risk Symposium.  Based on initial feedback both events are outstanding and packed with valuable information.  ProPay applauds the card brands for hosting such valuable events.  Below is a picture of the ProPay booth at Visa’ summit. 

Recently I found myself in a discussion with a person about a particular feature of payment cards.  When I started discussing the concept of authentication the look on the other persons face told me that I was discussing a completely foreign subject.  While this is not a dissertation on security authentication is a vital component of information security and fraud prevention within the payment card industry.  For this reason, it is important to have an understanding of the concept and how it applies to our daily lives.

Authentication is described on wikipedia as:the act of establishing or confirming something (or someone) as authentic, that is, that claims made by or about the subject are true”.

There are three generally accepted factors of authentication.  1) something you know (like a password), 2) something you are (biometrics like fingerprints or iris scans), and 3) something you have (like a token).  Each of these factors alone have some value and may be sufficient to demonstrate with an appropriate degree of confidence that you are the person who is authorized to access the resource.

Access control is a combination of authorization and authentication.  Authorization is simply the approval to access a particular resource.  Consider a work environment where you are required to use a badge reader to enter the building.  As an employee you are authorized to enter the building.  To ensure that it is truly you (the authorized party) entering the building you need to provide some evidence that you are who you say you are.  In many cases, the authentication mechanism is a proximity card that is waved and the door opens.   The proximity card is a token and would be considerd as a single factor of “something you have.”.

When you get to your desk you need to access your work computer.  As an employee, you are authorized to access your email, and certain applications.  To log into the system you enter a user name (the system knows the person who owns this username is authorized to access certain resources) and then you enter your password.  This password (something you know) is a single factor of authentication that tells the system with some degree of confidence that you are the person that matches the username.

In both of these examples the astute reader has likely identified the vulnerability of single factor authentication.  In the first example a thief may have stolen the badge and may be masquarading as the legitimate user.  In the second example a person may have shared their password with another of the password may have been stolen in which case an ‘unauthorized’ person could also masquarade as a legitimate, authorized user.  When it is necessary to have an increased level of assurance that the authorized person is indeed the one accessing the resource, two factors of authentication can be used.  For the solution to truly be considered two–factor authentication it requires two of the three types of factors to be used simultaneously.  In high security areas it is common to see two factor authentication used.

Consider an example where you bank online.  Due to the sensitive nature of your account (and FFIEC regulations) the bank wants to have assurance that only the authorized account holder is accessing the account.  Since the bank website is accessed over the internet the bank is limited in their ability to confirm the identity of the user.  A password alone is not sufficient as a password can be stolen or shared.  In this scenario a bank would use a second factor of authentication.  While it does not guarantee that the person using the authentication mechanism is the authorized user it provide a much greater level of assurance than a password alone.

Payment cards possess a number of authentication mechanisms.  The objective is to authenticate the transaction or user and reduce the incidence of fraud.  In card not present transactions such as ecommerce purchases the CVV2 number is often used to authenticate the card.  Since the number is only printed on the card and it is against card brand rules (PCI DSS) to store the CVV2, the assumption is that if someone can input the CVV2 they are in possession of a valid card.  Unfortunately, it is this fact that makes CVV2 such a valuable target for data thieves.  More robust authentication mechanisms include 3DSecure (Verified by Visa, MasterCard Secure Code), EMV (Europay, MasterCard, Visa) and the PIN used in debit transactions.  While each of these technologies increase the level of assurnace that the authorized user is making a legitimate transaction it does not guarantee such.

Authorization is a critical component to any information security or fraud prevention system.  Understanding the basics fo authentication can help users better manage the security of their payment cards.

Chris Mark, EVP; Data Security & Compliance