Revenue Security and Efficiency

Transcription

1 Revenue Security and Efficiency Discussion with the Mid-Atlantic Oracle Applications Users Group

2 CardConnect Solution

3 Oracle EBS Validated Application

4 Oracle EBS Validated Application

5 Securing Payment Card Data PCI P2PE & EMV

6 Payment Security Standards PCI-DSS 3.0 New procedures for malware, passwords, access and POS device security Required by December 31, 2014 PCI 3.0 graphic here (from Transitions in Payments presentation, slide 4, PCI Compliant image) EMV / Chip-and-PIN Protects card-present transactions Merchant Liability Shift : October 1, 2015 EMV graphic here (from Transitions in Payments presentation, slide 7, Magnetic Stripe vs. Chip image) Is this enough?

7 Major Security Breaches

8 The Rise of POS RAM Scraper Malware

9 Learning From The Past

10 CardSecure Scope of Work On Going Encryption and Tokenization With CardSecure all sensitive data is encrypted and stored in CardConnect's PCI compliant hosting center. Intelligent tokens are returned to Oracle E-Business Suite. These tokens will pass the data integrity checks performed by Oracle and are in recognizable formats. ( )

11 Remove your website from PCI scope CardConnect iframe

12 Web Tokenizer Use Case Introducing New Card For the first transaction of a given card, business users will enter the credit card information into the CardSecure Web Application and click Register. This requires no software be installed on the workstation. The CardSecure Web Application returns the token directly into the Credit Card Num field of the Oracle Order form.

13 PANPad Features IDTech SREDKey Used for Card-Not-Present Environments PCI 3.0 Point-to-Point Encryption certified device Key specific to customer and CardConnect PCI-certified software and key injection provider Delivery tracking of all equipment by PCI-certified provider Software on workstation used when a new credit card number is provided, routes transmission of encrypted message to hosted server to retrieve token

14 PANPAD Devices The CardSecure Desktop Tokenizer, an add-on software product to the CardSecure Token, tokenizes clear payment card numbers before entry to an ERP Further Reduce PCI Scope Point of Interaction devices encrypt card numbers at entry removing the business system from PCI scope Introducing the PANPAD CardConnect s own Point of Interaction Device By partnering with Ingenico and IDTech, the PANPAD removes a business system from PCI scope This substantially reduces the labor and expense required to operate a PCI compliant business

15 PCI Requirement P2PE Validated Solution PCI Document: Point-to-Point Encryption (P2PE) Frequently Asked Questions for PCI Point-to-Point Encryption (P2PE) August 2012 Q6 Can merchants use P2PE solutions not listed on the Council s website for PCI DSS scope reduction? A. Only Council-listed solutions are recognized as meeting the requirements necessary for merchants to reduce the scope of their cardholder data environment (CDE) through use of a P2PE solution.

16 PCI Requirement P2PE Validated Application

17 Tokenization for Personal Data Protecting Personally Identifiable Information (PII) CardConnect s Patented Tokenization CardSecure is an easy-to-integrate security solution that tokenizes all types of sensitive information at the point of entry. All tokens are randomly generated, making them impossible to decrypt. Omni-Channel Security Integrate CardSecure into devices and applications that capture and transmit sensitive data. All sensitive data is tokenized at the point of entry and kept secure in CardConnect s vault.

18 Interchange Optimization Save $20,000 a month

19 Interchange Interchange represents the fees paid to or collected from the card-issuing banks that provide Visa, MasterCard and Discover cards. Visa, MasterCard and Discover each have their own interchange programs. Combined, there are approximately 300 levels of interchange

20 Defining Interchange Optimization: Interchange Optimization With so many interchange levels, there are ways to ensure a merchant qualifies for the lowest rate possible. Certain transactions can fall into 5 different categories: With 5 different fees Fees are based on information sent to Card Processing Networks If data points are missing interchange can increase more than 1.00%

21 Level I The Levels of Processing Business to consumer processing this requires the least amount of data Level II B2B processing which includes additional information such as merchant state code, tax ID and customer code Level III Requires the most information including item description, tax rate, invoice number and more. Because it requires the most data, processing rates are lower.

22 Transaction Level Requirements Data Type Level I Level II Level III Merchant Name Y Y Y Transaction Amount (Total) Y Y Y Date Y Y Y Tax Amount Y Y Customer Code Y Y Merchant Postal Code Y Y Tax Identification Y Y Merchant Minority Code Y Y Merchant State Code Y Y Ship from Postal Code Destination Postal Code Invoice Number Order Number Item Product Code Item Commodity Code Item Description Item Quantity Item Unit of Measure Item Extended Amount Freight Amount Duty Amount Y Y Y Y Y Y Y Y Y Y Y Y

23 Another Way to Optimize 3-D Secure 3-D Secure Built into the CardConnect Gateway 3-D Secure Protecting card not present (CNP) transactions Merchants using Developed 3-D Secure by Visa, adopted are by Mastercard, Amex, JCB protected from fraud-related chargebacks How 3-D Secure works How to implement 3-D Saves 5-55 bps Secure per transaction Your bank s logo The name of the retailer that you are shopping with The value of the purchase Today s date The last four digits of your card number The personal message that you set when registering

24 What To Look For The Ideal Solution Security Your customer s sensitive card data should never reside in your system. All encryption and storage should take place outside your ERP. Seamless Integration You want an integration that is accomplished with no modifications to your Oracle e-business Suite. This removes maintenance concerns during patching and upgrading. Interchange Management A vendor should proactively manage your account to ensure your transactions are qualifying for the lowest possible interchange rates. Automated Reporting and Reconciliation Your vendor should be able to help you automate reporting and reconciliation of your ERP data, payment gateway data, payment processor data, and deposit bank data.

25 Next Steps Alex Chapman CardConnect

26 Point-to-Point Encryption Apply to existing sales channels SAP GUI, istore, integrations POS, Mobile, e-commerce, and more SAP-to-Gateway integration

27 Protecting Your Sales Channels 2. Point-to-Point Encryption (P2PE) Image for P2PE (maybe slide 6 in Transitions in Payments presentation) Circle icons of 6 payment methods, from slide #13, that P2PE does/does not protect (orange for yes; gray for no): orange for retail, MOTO/B2B, ½ of mobile