Entries tagged with “visa”.


ProPay has a number of videos posted on YouTube that explain our services and other aspects of the company.  Please visit our YouTube page and check us out!

ProPay is excited to announce that we received news today that our Zumogo mobile solution was selected as the winner of the 2011 ETA Technology Showcase.  This is a very proud day for ProPay.  As the first Social M-Payment solution in the market, Zumogo is an exciting opportunity for companies not only to accept payments from mobile phones but to market directly to potential customers.  For a video of Zumogo at the 2011 Sundance Film Festival, see below!

Visa announced today that it has released its newly developed Mobile Payment Acceptance Best Practices.  You can read more here.  “Mobile devices that can facilitate acceptance of payments are an important advancement in payments that must balance the promise of an enhanced consumer and retailer shopping experience with enhanced security measures to protect sensitive cardholder information,” said Eduardo Perez, head of global payment system risk, Visa Inc.  “As a payment technology leader, Visa is well positioned to provide the industry security guidance for emerging acceptance solutions.”  While the best practices do not include any earth-shattering new ideas, they do include requirements (well, they are actually best practices) that data be encrypted at the card reader level.  This means (or should mean) an end to all of the unencrypted readers floating around the industry.  Bravo to Visa for once again taking a stand on a difficult subject and jumping into the deep end!

Heather Mark and Travis Allen are attending the Visa Global Security Summit this week, while our EVP of Risk, Lance Rich, is at the MasterCard Risk Symposium.  Based on initial feedback, both events are outstanding and packed with valuable information.  ProPay applauds the card brands for hosting such valuable events.  Below is a picture of the ProPay booth at Visa's summit.

Recently, several prominent vendors within the payment card industry have begun to square off (pun intended) and have lobbed a number of ‘open letters’ at the industry in which they each make claims and accusations.  You can read the letters here: 1, 2, 3.  While there is likely validity to at least part of each vendor’s letter and/or responses, their greatest impact is simply to add to the confusion within the payment card industry.  Without dissecting each letter, it is fair to say that they each revolve around at least one of two concepts, encryption and/or authentication, and how each applies to security and/or fraud.  Click each link to read a primer on Authentication and Encryption.  This blog post will (hopefully) help shed some light on these concepts as they apply to the payment card industry and allow merchants to choose the correct solution.

Security of Payment Card Data

Without a doubt, ensuring the security of payment card data (credit and debit card data) is critical to every merchant’s ongoing success.  The card brands (Visa, MasterCard, Amex, Discover, JCB) all have rules mandating that merchants protect data.  Each requires compliance with the Payment Card Industry Data Security Standard (PCI DSS).  One of the most effective methods of protecting payment card data is to ensure it is rendered unreadable, through encryption or other methods, both when at rest (i.e. stored) and when transmitted.  Encryption is not only effective but is also one of the accepted methods of complying with PCI DSS requirement 3.4.  Encryption applies to standard PCs as well as to mobile devices such as smart phones.  If a vendor allows data to be read from a swipe device attached to a smart phone and the device does not encrypt the data, then 1) it is not secure and 2) it is not compliant with the PCI DSS and other card brand rules.  As a merchant, you should never allow a device to transmit unencrypted payment card data from a mobile device.

Fraud Prevention

Fraud is defined as the use of deception for personal gain.  Within the payment card industry we consider fraud to be the unauthorized use of a payment card for purchases.  This could include stolen data that is used by a thief, or the use of a card by an unauthorized family member or friend.  Fraud prevention is a complex topic.  While we often hear about data breaches and the fraud that results from them, the reality is that fraudulent transactions represent a very small percentage of payment card transactions.  Visa's Head of Global Payment System Security, Mr. Eduardo Perez, stated in an interview that global fraud was only about 6 basis points.  This represents only about 6 cents of every $100 in transactions.  There are two basic methods of preventing fraud.  The first is to protect payment card data from being stolen.  The PCI DSS and various state laws are focused on ensuring that data is not stolen.  One of the most effective methods of ensuring data is not stolen is to protect it with appropriate encryption and other security controls.  Merchants and 3rd party service providers (like ProPay) have an important role to play in the protection of data.  Ensuring that you are in compliance with the relevant rules and are using technology that adequately protects data both at rest and in transit is critical.  Using encrypted swipe devices on mobile terminals is not optional if data is to be protected from compromise.

While this works well for data that is at rest or being transmitted, it does not address data that is stolen from ‘skimmed’ cards, where humans handle the cards and swipe them through magnetic stripe readers that are designed to copy payment card data.  The second, and most effective, method of reducing fraud is advanced authentication.  The card brands currently have a number of authentication programs that are designed to minimize fraud.  These include AVS, CVV, CVV2, EMV, 3DSecure, and PIN authentication.  You can read more about this in Security 101: Authentication.  It should be noted that as a merchant your responsibility is to ensure that you require the appropriate authentication for the appropriate type of transaction.  For example, if you accept card payments from a website, you are well served to require CVV or AVS or both, so that you have greater confidence that the card being used is in the possession of the authorized user.  One of the ‘open letters’ to the industry made some very pointed comments to the effect that fraud prevention and authentication are the responsibility of the hardware vendor.  As a merchant, your role is to ensure that you require the appropriate authentication for the appropriate transaction.  If you follow the card brand rules for authentication, you are protected from fraudulent transactions.  Developing and approving new authentication tools and mechanisms is the domain of the card brands and banks.  It is simply not accurate to suggest that hardware vendors or 3rd party processors have a role in developing or requiring new authentication tools.  The letter is right in that every participant plays a role in fraud prevention.  Consumers should protect their cards; merchants should use technology that supports data security (encrypted swipe devices, for example); 3rd party vendors (like ProPay and others) should continue to develop technologies such as tokenization and encrypted swipe devices that enable merchants to protect data; and banks and card brands should continue to evaluate new authentication technologies which can reduce the incidence of fraud.

The Great Trade-Off

I used to conduct PCI-related training for Visa and the PCI SSC throughout the world.  Invariably someone in the US would ask when the US was going to move to Chip and PIN like the UK.  Their question was usually followed by a statement similar to the following: “If the US moved to Chip and PIN, we would eliminate fraud.  This should be enough to get the merchant onboard.”  My response was simple.  I would ask them how much they were personally willing to spend to upgrade to Chip and PIN.  Would they be willing to spend $50 for every $25 in fraud they could prevent?  The answer was always a predictable and emphatic ‘No’.  I would also ask if they were willing to reduce their acceptance of payment cards by 25% if they could reduce their fraud by 10%.  Again, the answer was ‘No’.  This is the challenge with fraud prevention and security.  There are many people who will make definitive statements about how to prevent fraud without considering the impact on acceptance and the overall cost.  There is a trade-off between security and convenience/cost.  When faced with a belligerent attendee who refused to consider the trade-off, I would state with absolute confidence that I could prevent 100% of their payment card fraud.  When they asked how, I would simply suggest that they not accept payment cards.  This was never an acceptable option, as they knew that without payment cards their sales would drop significantly.  Again, this demonstrates the trade-off.  When faced with losing sales, suddenly the prospect of fraud was more palatable.

Summary

Of the three letters referenced previously, Verifone was closest to the mark when it advocated using encrypted swipe devices for mobile phones.  ProPay agrees with this position, and our own JAK product ensures that data is encrypted at the device and employs DUKPT key management, as discussed in the Encryption post.  This supports merchants' PCI DSS compliance and provides significant information security benefits by ensuring that IF the data is ever stolen or intercepted from the device, it is useless to the thieves.  As a mobile merchant, ensure you are using an encrypted swipe device.  This supports compliance with PCI DSS and prevents your customers' data from being stolen.  Also ensure you are requiring the appropriate authentication for the type of transaction.  If you follow the rules, you are protected in the instances where there may be fraud.

Chris Mark, EVP; Data Security & Compliance
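To make concrete the difference between the unencrypted readers criticised in the Visa best-practices post and the encrypt-at-the-reader design with per-transaction keys described in the summary, here is an added Python model (not ProPay's JAK code and not a real DUKPT implementation): the key derivation and the HMAC-based stream cipher are simplified stand-ins, and the base key, key serial number and test PAN are constructed sample values.

```python
import hashlib, hmac

# Constructed sample values for the demonstration; not real keys or card data.
BDK = bytes.fromhex("0123456789ABCDEFFEDCBA9876543210")   # base derivation key
KSN = bytes.fromhex("FFFF9876543210E00000")               # device key serial number
TRACK2 = "4111111111111111=2512101123456789"              # standard Visa test PAN

def transaction_key(bdk: bytes, ksn: bytes, counter: int) -> bytes:
    # Simplified DUKPT-style derivation: one key per swipe from the base key, the
    # device KSN and a transaction counter. Real DUKPT (ANSI X9.24) uses a 3DES/AES
    # key ladder and never keeps the BDK on the reader; this only shows the idea.
    return hmac.new(bdk, ksn + counter.to_bytes(4, "big"), hashlib.sha256).digest()

def keystream(key: bytes, length: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256 (stand-in for the block cipher).
    out, block = b"", 0
    while len(out) < length:
        out += hmac.new(key, block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class PlainReader:
    """Unencrypted swipe head: the phone app receives the raw track data."""
    def swipe(self, track2: str) -> dict:
        return {"data": track2.encode().hex()}

class EncryptingReader:
    """Swipe head that encrypts track data before it leaves the reader."""
    def __init__(self, bdk: bytes, ksn: bytes):
        self.bdk, self.ksn, self.counter = bdk, ksn, 0
    def swipe(self, track2: str) -> dict:
        self.counter += 1                          # never reuse a swipe key
        key = transaction_key(self.bdk, self.ksn, self.counter)
        ct = xor(track2.encode(), keystream(key, len(track2)))
        # The app and the network only ever see ciphertext plus KSN/counter.
        return {"ksn": self.ksn.hex(), "counter": self.counter, "data": ct.hex()}

def processor_decrypt(bdk: bytes, msg: dict) -> str:
    # Only the processor, which holds the BDK, can re-derive the swipe key.
    key = transaction_key(bdk, bytes.fromhex(msg["ksn"]), msg["counter"])
    ct = bytes.fromhex(msg["data"])
    return xor(ct, keystream(key, len(ct))).decode()

def pan_exposed(msg: dict, track2: str) -> bool:
    # True if whatever left the reader contains the PAN in the clear.
    pan = track2.split("=")[0]
    return pan in bytes.fromhex(msg["data"]).decode("latin-1")
```

Two swipes of the same card produce different ciphertext, the PAN never appears in what the phone app or network sees, and only the processor holding the base key can recover the track data; the plain reader exposes the PAN on every swipe.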