An Introduction To Credit Card Processing


Davisware, 514 Market Loop, West Dundee, IL 60118. Phone: (847) 426-6000. Fax: (847) 426-6027.
Contents are the exclusive property of Davisware. Copyright 2011. All Rights Reserved.

Merchant e-solutions Common Questions

Table of Contents
MeS Processing Network - Authorization
MeS Processing Network - Settlement
What storage is allowed?
What is Tokenization?
Account Updater Service
Factors that Affect Interchange
Card Association & Type
Industry Type and Ticket Size
Acceptance Methods
What is a Chargeback?
Some prevention tools to chargebacks
Pre-authorization
Refunding Cardholder Charges
Declines
EMV & Security
To Begin: A Little Alphabet Soup
The Payments Ecosystem
What is assessed during this PCI-DSS process?
Merchant Levels: Who's included?
The SAQ - PCI is not easy
Certificate of PCI Compliance
Breach Protection
Security, EMV and NFC: Why and Why Now?
Introduction to EMV
EMV Form Factors
Why Small Businesses Should Act Now
Counterfeit Card Fraud: Four Scenarios
Summary: EMV Quick Facts

MeS Processing Network - Authorization

Diagram labels: Consumer, Merchant Software/website, Gateway Solution, Acquirer's Payment Processor, Card Associations, Issuer Bank

Consumer initiates a transaction at point of sale, over phone or internet site. Information is encrypted at point of sale and is forwarded to the gateway. The gateway forwards it to the payment processor. The transaction is then routed to the card association, which forwards it to the card issuer. The credit card issuer performs fraud measures using transactional information given at the point of sale. The issuer responds with a decline or an authorization to the processor for the approved amount. The issuer will also respond to the processor with fraud identifiers including address match, zip match and card verification match (CVV), and holds the authorization against the consumer's card. The processor will then forward the response back to the gateway. Depending on fraud controls in place, the gateway may use the authorization's response to decline the card though the issuer has given an approval. For instance, if the address does not match, the gateway may be set to give a decline.

MeS Processing Network - Settlement

Diagram labels: Merchant or Gateway, Acquirer's Payment Processor, Card Associations, Issuer Bank, Merchant, Consumer

Merchant initiates a batch through the software or gateway to the processor. This may be a completely automated process. All authorizations that were approved are submitted in a batch process and sent to the card associations, which request the funds from the acquiring banks. The card issuers make settlement payments to the card associations, which forward them to the acquiring banks. The acquiring banks then forward payments back to the merchant, and issuing banks debit the consumer.

What storage is allowed?
- Card storage not allowed
- Encryption used: 491545xxxxxx2067; more often only last four digits stored (Google Wallet)
- Tokenization popular when recurring billing or stored customers used (Apple Pay)
- CVV (card verification value) storage not allowed
- Expiration date should not be stored
- Other Cardholder Information allowed: Address & Zip, Customer Name, Invoice Number, other identifying information such as account number

What is Tokenization?
- Card numbers replaced by an encrypted unique ID
- Card number only used in the initial authorization. A token is returned instead of the actual number that may then be stored by the merchant's system.
- Tokens may then be used to initiate new transactions including: Pre-auth, Sales, Voids, Returns, Credits
- Lowers the potential for data breach impact.
- Account Updater Service can be utilized to update the tokenized card information.
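
The storage rules and the token exchange above, worked through as an added example (not code from Davisware or MeS). `TokenVault`, `storable_record` and the field names are hypothetical, the sample transaction is constructed, and a random token stands in for the "encrypted unique ID" the slide mentions.

```python
import secrets

# Per the page: card number, CVV and expiration date are not kept by the merchant.
NOT_STORED = {"pan", "cvv", "expiry"}


def mask_pan(pan):
    """Mask in the page's 491545xxxxxx2067 style: first six and last four kept."""
    digits = "".join(c for c in pan if c.isdigit())
    return digits[:6] + "x" * (len(digits) - 10) + digits[-4:]


class TokenVault:
    """Hypothetical stand-in for the gateway: the only place the real PAN lives."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan):
        digits = "".join(c for c in pan if c.isdigit())
        if digits not in self._token_by_pan:
            # Random value, so the token cannot be reversed without the vault.
            token = "tok_" + secrets.token_hex(16)
            self._token_by_pan[digits] = token
            self._pan_by_token[token] = digits
        return self._token_by_pan[digits]

    def detokenize(self, token):
        return self._pan_by_token[token]


def storable_record(txn, vault):
    """Reduce a point-of-sale transaction to what the merchant system may keep."""
    record = {k: v for k, v in txn.items() if k not in NOT_STORED}
    record["token"] = vault.tokenize(txn["pan"])
    record["masked_pan"] = mask_pan(txn["pan"])
    return record


# Constructed sample; 4111 1111 1111 1111 is a widely used test card number.
SAMPLE_TXN = {
    "pan": "4111 1111 1111 1111", "cvv": "123", "expiry": "12/17",
    "name": "Pat Example", "address": "1 Main St", "zip": "60118",
    "invoice": "INV-1001",
}

if __name__ == "__main__":
    vault = TokenVault()
    print(storable_record(SAMPLE_TXN, vault))
```

A later sale, void or credit would send only `record["token"]` to the gateway, so a copy of the merchant database exposes no usable card numbers.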

Account Updater Service
- Provides updates to card information for expired and reissued cards
- Supports Visa, MasterCard, and Discover
- Compatible with Payment Gateway stored card tokenization to facilitate secure card-on-file processing
- API interface for request upload, response download, and status inquiry
- Web interface available
- Automated version available when using tokenization
- MeS sends token file for weekly updates
- One time enrollment required
- No recurring cost, only per-match fee

Factors that Affect Interchange

Diagram labels: Acceptance Method, Card Type, Industry Type, Best Rate Possible, Card Association, Ticket Size

Card Association & Type

Chart labels (in page order): Visa MC Discover Consumer Consumer Consumer Rewards Signature Consumer Debit Regulated Unregulated Prepaid Commercial Card Corporate Business Purchasing GSA Enhanced World World Elite High Value Consumer Debit Regulated Unregulated Corporate Card World World Elite International Core Rewards Premium Commercial

Industry Type and Ticket Size

Chart labels (in page order): Travel & Entertainment, Determines Rewards Level, Emerging Markets, Government, Utility, Insurance, Not For Profit, Colleges/schools, Fuel Dealer, Ticket Size, Large Ticket, Small Ticket

Acceptance Methods
- Swiped
- Keyed transactions (CNP MO/TO)
- Moto
- Ecomm
- Unmanned

Adding Value Detail
- Fraud Measures: Address & Zip Verification (AVS), Invoice Number
- Level II: Customer Code/PO and Tax
- Level III: Line Item Detail, Commodity Code,
- Though card verification value (CVV) aids fraud measures, it does not affect price
- Authorization and Settlement Match

What is a Chargeback?

A chargeback occurs after a buyer contacts their credit card issuer to dispute a transaction that appears on their credit card statement. There are three main reasons a buyer will do this:
1. The purchased item never arrived.
2. The item was significantly different than advertised.
3. Their credit card was used without their permission to purchase the item fraudulently.

Chargebacks are initiated and handled by the buyer's credit card issuer, not by MeS, and therefore follow the card association's regulations and timeframes. Issuers can also charge back an item with no input from the cardholder if they feel a card association policy was not used.

Some prevention tools to chargebacks
- Merchant name needs to be recognized
- Always swipe if possible and gain a signature
- If keying, use AVS (address verification system) to verify address and zip code
- If keying, use CVV (card verification value), the three-digit code on the back of the card
- 3D Secure: Verified by Visa
- EMV: new chip card standard
- Charge after completion of service or shipment of goods
- Use preauthorization

These do not stop fraud! Still no guarantees.

Pre-authorization
- Hold cardholder's funds until hold has been released through reversal, void or settlement
- Gateway rules can change how pre-auths are released
- Usually good for only seven business days
- If adjusted prior to settlement, transaction will downgrade
- Reversal releases funds immediately; void releases at end of night.
- Validate method will verify account and determine if cardholder has funds available but will not hold funds.

Refunding Cardholder Charges
- Credit transactions represent roughly 40% of employee fraud
- Credit transaction errors are often costly to merchant
- Decisions are made by gateways to allow credit transactions to run in debit not matching credits situation
- Default is to not allow until merchant has been consulted on risk involved
- All gateways allow credit processing on prior sales through a transaction ID or quick credit function.

Declines
- Issuing Bank reports declines back to gateway
- Depending on gateway settings, transaction may still decline due to AVS settings, IP settings, or card type errors

Most common decline codes from issuing bank:
- 05: General decline; issuing bank not passing reason for decline
- 14: Card error; no such account exists
- 51: NSF, insufficient funds
- N7: CVV mismatch
- 62: Restricted card

Common decline reasons from gateway:
- AVS Mismatch
- Zip Match
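
How the issuer's answer and the gateway's own fraud settings combine into the final result, as described here and in the authorization flow earlier, shown as an added example (not code from Davisware or MeS). The `GatewayRules` settings and the approval code "00" are assumptions; the decline codes and gateway reasons are the ones listed above.

```python
from dataclasses import dataclass

# Issuer decline codes exactly as listed on the page.
ISSUER_DECLINES = {
    "05": "General decline",
    "14": "Card error; no such account exists",
    "51": "NSF insufficient funds",
    "N7": "CVV mismatch",
    "62": "Restricted card",
}
APPROVED = "00"  # assumption: approval code, not listed on the page


@dataclass
class IssuerResponse:
    code: str
    address_match: bool
    zip_match: bool
    cvv_match: bool


@dataclass
class GatewayRules:  # hypothetical merchant-configurable fraud settings
    decline_on_address_mismatch: bool = True
    decline_on_zip_mismatch: bool = True
    decline_on_cvv_mismatch: bool = True


def gateway_decision(resp, rules):
    """Return (outcome, decided_by, reason, hold_to_reverse)."""
    if resp.code != APPROVED:
        reason = ISSUER_DECLINES.get(resp.code, "Unlisted issuer code " + resp.code)
        return ("declined", "issuer", reason, False)
    failed = []
    if rules.decline_on_address_mismatch and not resp.address_match:
        failed.append("AVS Mismatch")
    if rules.decline_on_zip_mismatch and not resp.zip_match:
        failed.append("Zip Match")
    if rules.decline_on_cvv_mismatch and not resp.cvv_match:
        failed.append("CVV mismatch")
    if failed:
        # The issuer approved and is holding the funds, so a gateway-side
        # decline leaves a hold that a reversal or void has to release.
        return ("declined", "gateway", ", ".join(failed), True)
    return ("approved", "issuer", "Approved", False)


if __name__ == "__main__":
    # Constructed case: issuer approves, but the zip code did not match.
    print(gateway_decision(IssuerResponse("00", True, False, True), GatewayRules()))
```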

EMV & Security

To Begin: A Little Alphabet Soup
- PCI DSS: Payment Card Industry Data Security Standard that outlines a series of best practices to protect cardholder data
- EMV: Global payment standard formed in 1994 by Europay, MasterCard and Visa that uses a chip card instead of magstripe technology
- Chip Card or Smart Card: Common names for cards containing an integrated circuit chip. In some countries, EMV is referred to as "Chip & PIN"
- NFC: Near Field Communication is a wireless standard that uses a close proximity radio signal to communicate between devices ("Tap & Go")

The Payments Ecosystem

Everyone Must Work Together to Protect Card Data

Diagram labels: Merchant, Consumer, Processor/Acquirer, Issuer

The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 to encourage and enhance cardholder data security. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.

What is assessed during this PCI-DSS process?

The assessment is to accurately determine the scope of the review by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope. To confirm the accuracy of the PCI DSS scope, the following needs to be reviewed:
- Identify and document the existence of all cardholder data, to verify that no cardholder data exists outside of the currently defined Card Data Environment (CDE).
- Once all locations of cardholder data are identified and documented, the entity uses the results to verify that PCI DSS scope is appropriate (for example, the results may be a diagram or an inventory of cardholder data locations).
- The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE. If the entity identifies data that is not currently included in the CDE, include this data.
- Documentation that shows how PCI DSS scope was determined will need to be retained for assessor review and/or for reference during the next annual PCI DSS scope confirmation activity.

External vulnerability scans are required when entities utilize IP connections to process CC transactions, in order to identify any possible vulnerabilities or weaknesses.
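
One way to carry out the "identify and document the existence of all cardholder data" step on text files outside the CDE, as an added example (not code from Davisware, MeS or the PCI DSS). The log lines are constructed, the card numbers in them are widely used test numbers, and the function names are hypothetical.

```python
import re

# 13 to 19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum: filters out order ids, tracking numbers and the like."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_data(lines):
    """Return (line number, masked number) for every likely card number found."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for match in CANDIDATE.finditer(line):
            digits = re.sub(r"\D", "", match.group())
            if luhn_ok(digits):
                # Report masked, so the inventory itself holds no card data.
                masked = digits[:6] + "x" * (len(digits) - 10) + digits[-4:]
                findings.append((lineno, masked))
    return findings


# Constructed application log lines.
SAMPLE_LOG = [
    "2015-03-02 10:14:07 INFO order=88121 auth ok card=4111111111111111 amt=42.10",
    "2015-03-02 10:14:09 INFO card ending 1111 token=tok_9f2c invoice=100045",
    "2015-03-02 10:15:44 DEBUG keyed entry 5555 5555 5555 4444 exp 12/17",
    "2015-03-02 10:16:02 INFO shipment tracking number 1234567890123456",
]

if __name__ == "__main__":
    for lineno, masked in find_card_data(SAMPLE_LOG):
        print("line", lineno, "contains a likely card number:", masked)
```

Every location the scan reports is either brought into the CDE and the documented scope or cleaned up, which is the decision the review above asks the entity to record.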

Merchant Levels: Who's included?

Merchant criteria by level:
- Level 1: Merchants processing over 6 million Visa transactions annually (all channels)
- Level 2: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
- Level 3: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
- Level 4: Merchants processing less than 20,000 Visa e-commerce transactions annually & all other merchants processing up to 1 million Visa transactions annually

The SAQ - PCI is not easy

- SAQ A. Eligibility: Card-not-present merchants: all payment processing functions fully outsourced, no electronic cardholder data storage. Number of questions: 14. Quarterly ASV scan required: No. Penetration test required: No.
- SAQ A-EP. Eligibility: E-commerce merchants re-directing to a 3rd-party website for payment processing, no electronic cardholder data storage. Number of questions: 139. Quarterly ASV scan required: Yes. Penetration test required: Yes.
- SAQ B. Eligibility: Merchants with only imprint machines or only standalone dial-out payment terminals: no e-commerce or electronic cardholder data storage. Number of questions: 41. Quarterly ASV scan required: No. Penetration test required: No.
- SAQ B-IP. Eligibility: Merchants with standalone, IP-connected payment terminals: no e-commerce or electronic cardholder data storage. Number of questions: 83. Quarterly ASV scan required: Yes. Penetration test required: No.

ControlScan 2014 Confidential

Certificate of PCI Compliance

Breach Protection

The protection program is designed to help your merchants meet the significant expenses resulting from a suspected or actual breach of credit card data regardless of the merchant's PCI compliance status. The program covers:
- The mandatory forensic audit required by the Payment Card Industry Data Security Standard (PCI DSS) when a data breach is suspected
- Card replacement costs and related expenses
- Assessments and fines levied by card sponsors for data breaches
- Data breaches caused by employee dishonesty and/or the physical theft of data, as well as computer hacking

Insurance details:
- Level 4 merchants are covered regardless of PCI DSS compliance
- Depending on your program, the policy limits up to $50,000 or $100,000 per MID, per year; up to 10 MIDs and $500,000 per year
- No deductible
- No co-pay
- No underwriting of individual merchants

Rest easy. Simple, 3-step claim process:
- Complete an online claim form by following the easy-to-use link within mycontrolscan.com.
- Upload or fax the appropriate notice that stipulates there has been a suspected or actual breach at the merchant's location.
- When the forensic audit is complete, upload or fax a copy of the assessor's invoice.

Security, EMV and NFC: Why and Why Now?

- You can't ignore the headlines about high profile data breaches
- Target has lost $148M to date as a result of the breach
- Home Depot's loss is estimated to be larger
- PCI establishes a framework to protect cardholder data, yet every major merchant and processor that was breached was PCI compliant
- Banks and merchants must work together and adopt new standards in order to keep the government regulatory body out of their business
- Fraud migrates to the weakest link
- Most other countries have adopted EMV, so fraudsters are targeting the US
- Apple made headlines with the iPhone 6 and the release of Apple Pay, its digital wallet utilizing NFC technology

Introduction to EMV
- EMVCo's primary purpose is to define a global standard for credit and debit payment cards based on chip card technology
- Data is more secure on a chip-embedded card rather than on a static mag-stripe card

- The microprocessor chip validates, stores and encrypts data
- Unlike a mag-stripe card that can be copied ("skimmed"), chip technology combats counterfeiting by assigning a dynamic value for each transaction
- EMV is important in the adoption of global interoperability
- The U.S. is the last major market to adopt EMV

EMV Form Factors

Contact
- Chip is embedded in a card
- Card is inserted into a smart card reader
- Card remains in the reader until the transaction is completed

NFC Contactless
- The chip may be embedded in cards, key fobs, mobile phones, etc.
- A contactless chip requires close proximity to a reader ("tap and go")
- Apple just announced Apple Pay, which leverages NFC

Why Small Businesses Should Act Now
- As large businesses implement more secure systems, fraudsters will go downstream to attack small business owners
- The EMV Liability Shift will drive adoption
- Merchants of any size will be liable for domestic and cross-border counterfeit fraud committed at the point of sale if they are not using a compliant EMV POS solution

- A non-compliant merchant is liable for fraud that occurs on any EMV chip card used on a magnetic stripe-only terminal
- A non-compliant issuer is liable for fraud that occurs on any magnetic stripe card used on an EMV chip card-enabled terminal

Counterfeit Card Fraud: Four Scenarios
- Mag-Stripe/Mag-Stripe: Consumer has mag-stripe card. Merchant has mag-stripe terminal. Liability with issuer.
- EMV/EMV: Consumer has EMV chip card. Merchant has EMV terminal. Liability with issuer.
- Mag-Stripe/EMV: Consumer has mag-stripe card. Merchant has EMV terminal. Liability with issuer.
- EMV/Mag-Stripe: Consumer has EMV chip card. Merchant has mag-stripe terminal. Liability with merchant.

Summary: EMV Quick Facts
- EMV is for Card Present transactions only; there is no impact to CNP

- EMV helps prevent counterfeit card fraud; it does not protect against a breach (that requires encryption and tokenization)
- EMV can be Chip and PIN or Chip and signature depending on the issuer
- The terminal will prompt for appropriate action
- If a clerk or customer swipes an EMV card on an EMV terminal, he will be prompted to insert the card
- New chargeback liability rules take place in October 2015
- Merchant e-solutions offers new countertop and wireless terminals that support the latest EMV and NFC technologies

For more information contact:
Name: Angela Floyd

Phone: 803-968-1635
Email: afloyd@merchantesolutions.com