An Introduction To Credit Card Processing

Davisware
514 Market Loop
West Dundee, IL 60118
Phone: (847) 426-6000
Fax: (847) 426-6027

Contents are the exclusive property of Davisware. Copyright 2011. All Rights Reserved.

Merchant e-Solutions Common Questions

Table of Contents
- MeS Processing Network - Authorization
- MeS Processing Network - Settlement
- What storage is allowed?
- What is Tokenization?
- Account Updater Service
- Factors that Affect Interchange
- Card Association & Type
- Industry Type and Ticket Size
- Acceptance Methods
- What is a Chargeback?
- Some prevention tools to chargebacks
- Pre-authorization
- Refunding Cardholder Charges
- Declines
- EMV & Security
- To Begin: A Little Alphabet Soup
- The Payments Ecosystem
- What is assessed during this PCI DSS process?
- Merchant Levels: Who's included?
- The SAQ - PCI is not easy
- Certificate of PCI Compliance
- Breach Protection
- Breach Protection
- Security, EMV and NFC: Why and Why Now?
- Introduction to EMV
- EMV Form Factors
- Why Small Businesses Should Act Now
- Counterfeit Card Fraud: Four Scenarios
- Summary: EMV Quick Facts

MeS Processing Network - Authorization

[Diagram: Consumer, Merchant Software/Website, Gateway Solution, Acquirer's Payment Processor, Card Associations, Issuer Bank]

Consumer initiates a transaction at point of sale, over phone or internet site. Information is encrypted at point of sale and is forwarded to the gateway. The gateway forwards it to the payment processor. The transaction is then routed to the card association, which forwards it to the card issuer. The credit card issuer performs fraud measures using transactional information given at the point of sale. The issuer responds to the processor with a decline or an authorization for the approved amount. The issuer will also respond to the processor with fraud identifiers including address match, zip match and card verification match (CVV), and holds the authorization against the consumer's card. The processor will then forward the response back to the gateway. Depending on fraud controls in place, the gateway may use the authorization's response to decline the card though the issuer has given an approval. For instance, if the address does not match, the gateway may be set to give a decline.

MeS Processing Network - Settlement

[Diagram: Merchant or Gateway, Acquirer's Payment Processor, Card Associations, Issuer Bank, Merchant, Consumer]

Merchant initiates a batch through the software or gateway to the processor. This may be a completely automated process. All authorizations that were approved are submitted in a batch process and sent to the card associations, which request the funds from the acquiring banks. The card issuers make settlement payments to the card associations, which forward them to the acquiring banks. The acquiring banks then forward payments back to the merchant, and issuing banks debit the consumer.

What storage is allowed?
- Card storage not allowed
  - Encryption used: 491545xxxxxx2067; more often only last four digits stored (Google Wallet)
  - Tokenization popular when recurring billing or stored customers used (Apple Pay)
- CVV (card verification value) storage not allowed
- Expiration date should not be stored
- Other Cardholder Information allowed
  - Address & Zip
  - Customer Name
  - Invoice Number
  - Other identifying information such as account number

What is Tokenization?
- Card numbers replaced by an encrypted unique ID
- Card number only used in the initial authorization.
- A token is returned instead of the actual number that may then be stored by the merchant's system.
- Tokens may then be used to initiate new transactions including:
  - Pre auth
  - Sales
  - Voids
  - Returns
  - Credits
- Lowers the potential for data breach impact.
- Account Updater Service can be utilized to update the tokenized card information.
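
The storage rules and token flow above, as an added example (not code from Davisware or Merchant e-Solutions): a hypothetical in-memory `TokenVault` stands in for the gateway, and `storable_record` builds what the merchant system may keep. It uses a random token rather than an encrypted ID; all names, dictionary keys and the sample card data are constructed for illustration.

```python
import secrets

# Non-card fields the page lists as allowed for merchant storage (key names assumed).
ALLOWED_FIELDS = ("name", "address", "zip", "invoice_number", "customer_account")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum: rejects mistyped card numbers before they are tokenized."""
    digits = [int(c) for c in reversed(pan)]
    doubled = sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return (sum(digits[0::2]) + doubled) % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits, in the page's 491545xxxxxx2067 style."""
    return pan[:6] + "x" * (len(pan) - 10) + pan[-4:]


class TokenVault:
    """Hypothetical gateway-side store; only it can map a token back to a card."""

    def __init__(self):
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        valid_shape = pan.isascii() and pan.isdigit() and 13 <= len(pan) <= 19
        if not (valid_shape and luhn_ok(pan)):
            raise ValueError("not a valid card number")
        token = secrets.token_hex(16)  # random: carries no information about the PAN
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]


def storable_record(payment: dict, vault: TokenVault) -> dict:
    """Build the record a merchant system keeps after the initial authorization."""
    record = {k: payment[k] for k in ALLOWED_FIELDS if k in payment}
    record["token"] = vault.tokenize(payment["pan"])
    record["masked_pan"] = mask_pan(payment["pan"])
    return record  # the full PAN, CVV and expiration date are never copied


# Constructed sample input; 4111111111111111 is a common test card number.
SAMPLE = {"pan": "4111111111111111", "cvv": "123", "expiry": "12/27",
          "name": "Pat Example", "zip": "60118", "invoice_number": "INV-1001"}

if __name__ == "__main__":
    print(storable_record(SAMPLE, TokenVault()))
```

Later pre-auths, sales, voids, returns and credits would be submitted with `record["token"]`; only the vault side ever calls `detokenize`.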

Account Updater Service
- Provides updates to card information for expired and reissued cards
- Supports Visa, MasterCard, and Discover
- Compatible with Payment Gateway stored card tokenization to facilitate secure card-on-file processing
- API interface for request upload, response download, and status inquiry
- Web interface available
- Automated version available when using tokenization
- MeS sends token file for weekly updates
- One time enrollment required
- No recurring cost, only per-match fee

Factors that Affect Interchange

[Diagram labels: Acceptance Method, Card Type, Industry Type, Best Rate Possible, Card Association, Ticket Size]

Card Association & Type

[Chart labels: Visa, MC, Discover; Consumer, Consumer, Consumer; Rewards, Signature, Consumer Debit, Regulated, Unregulated, Prepaid, Commercial Card, Corporate, Business, Purchasing, GSA; Enhanced, World, World Elite, High Value, Consumer Debit, Regulated, Unregulated, Corporate Card, World, World Elite; International, Core, Rewards, Premium, Commercial]

Industry Type and Ticket Size
- Travel & Entertainment
- Determines Rewards Level
- Emerging Markets
- Government
- Utility
- Insurance
- Not For Profit
- Colleges/schools
- Fuel Dealer
- Ticket Size
  - Large Ticket
  - Small Ticket

Acceptance Methods
- Swiped
- Keyed transactions (CNP MO/TO)
- Moto
- Ecomm
- Unmanned
- Adding Value Detail
- Fraud Measures
- Address & Zip Verification (AVS)
- Invoice Number
- Level II Customer Code/PO and Tax
- Level III Line Item Detail, Commodity Code,
- Though card verification value (CVV) aids fraud measure it does not affect price
- Authorization and Settlement Match

What is a Chargeback?

A chargeback occurs after a buyer contacts their credit card issuer to dispute a transaction that appears on their credit card statement. There are three main reasons a buyer will do this:
1. The purchased item never arrived.
2. The item was significantly different than advertised.
3. Their credit card was used without their permission to purchase the item fraudulently.

Chargebacks are initiated and handled by the buyer's credit card issuer, not by MeS, and therefore follow the card association's regulations and timeframes. Issuers can also charge back an item with no input from the cardholder if they feel a card association policy was not used.

Some prevention tools to chargebacks
- Merchant name needs to be recognized
- Always swipe if possible and gain a signature
- If keying, use AVS (address verification system) to verify address and zip code
- If keying, use CVV (card verification value) three digit code on the back of the card
- 3D Secure Verified by Visa
- EMV: new chip card standard
- Charge after completion of service or shipment of goods
- Use preauthorization

These do not stop fraud! Still no guarantees.

Pre-authorization
- Hold cardholder's funds until hold has been released through reversal, void or settlement
- Gateway rules can change how pre-auths are released
- Usually good for only seven business days
- If adjusted prior to settlement, transaction will downgrade
- Reversal releases funds immediately; void releases at end of night.
- Validate method will verify account and determine if cardholder has funds available but will not hold funds.

Refunding Cardholder Charges
- Credit transactions represent roughly 40% of employee fraud
- Credit transaction errors are often costly to merchant
- Decisions are made by gateways to allow credit transactions to run in debit not matching credits situation
- Default is to not allow until merchant has been consulted on risk involved
- All gateways allow credit processing on prior sales through a transaction ID or quick credit function.

Declines
- Issuing Bank reports declines back to gateway
- Depending on gateway settings, transaction may decline still due to AVS settings, IP settings, or card type errors
- Most common decline codes from issuing bank:
  - 05 - General decline; issuing bank not passing reason for decline
  - 14 - Card error; no such account exists
  - 51 - NSF, insufficient funds
  - N7 - CVV mismatch
  - 62 - Restricted card
- Common decline reasons from gateway
  - AVS Mismatch
  - Zip Match
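
The two decline sources described above and in the authorization flow, as an added example (not code from Davisware or Merchant e-Solutions): a sketch of how a gateway could combine the issuer's response with its own fraud settings. The dictionary keys, the rule names and the `reverse_hold` flag are assumptions; the flag reflects that an issuer approval leaves a hold on the card until a reversal or void releases it.

```python
from collections import Counter

# Issuer decline codes as listed on the page.
ISSUER_DECLINES = {
    "05": "General decline",
    "14": "Card error; no such account exists",
    "51": "NSF, insufficient funds",
    "N7": "CVV mismatch",
    "62": "Restricted card",
}
CHECKS = ("address_match", "zip_match", "cvv_match")  # issuer fraud identifiers


def gateway_decision(issuer: dict, rules: dict) -> dict:
    """Combine the issuer's answer with the gateway's own fraud settings."""
    if not issuer["approved"]:
        reason = ISSUER_DECLINES.get(issuer.get("code"), "Unlisted issuer code")
        return {"result": "declined", "by": "issuer", "reason": reason,
                "reverse_hold": False}
    failed = [c for c in CHECKS if rules.get("require_" + c) and not issuer.get(c)]
    if failed:
        # The issuer approved and is holding funds, so a gateway decline
        # should be followed by a reversal or the hold stays on the card.
        return {"result": "declined", "by": "gateway",
                "reason": "failed " + ", ".join(failed), "reverse_hold": True}
    return {"result": "approved", "by": "issuer", "reason": "",
            "reverse_hold": False}


def summarize(responses: list, rules: dict) -> Counter:
    """Count outcomes by who made the final call, to spot over-strict rules."""
    decisions = (gateway_decision(r, rules) for r in responses)
    return Counter((d["result"], d["by"]) for d in decisions)


# Constructed sample responses and gateway settings.
RULES = {"require_address_match": False, "require_zip_match": True,
         "require_cvv_match": True}
RESPONSES = [
    {"approved": True, "address_match": True, "zip_match": True, "cvv_match": True},
    {"approved": True, "address_match": False, "zip_match": False, "cvv_match": True},
    {"approved": False, "code": "51"},
    {"approved": False, "code": "N7"},
]

if __name__ == "__main__":
    print(summarize(RESPONSES, RULES))
```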

EMV & Security

To Begin: A Little Alphabet Soup
- PCI DSS: Payment Card Industry Data Security Standard that outlines a series of best practices to protect cardholder data
- EMV: Global payment standard formed in 1994 by Europay, MasterCard and Visa that uses a chip card instead of magstripe technology
- Chip Card or Smart Card: Common names for cards containing an integrated circuit chip
  - In some countries, EMV is referred to as Chip & PIN
- NFC: Near Field Communication is a wireless standard that uses a close proximity radio signal to communicate between devices ("Tap & Go")

The Payments Ecosystem

Everyone Must Work Together to Protect Card Data

[Diagram labels: Merchant, Consumer, Processor/Acquirer, Issuer]

The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 to encourage and enhance cardholder data security. PCI DSS provides a baseline of technical and operational requirements designed to protect cardholder data.

What is assessed during this PCI DSS process?

The assessment is to accurately determine the scope of the review by identifying all locations and flows of cardholder data and ensuring they are included in the PCI DSS scope. To confirm the accuracy of the PCI DSS scope, the following needs to be reviewed:
- Identify and document the existence of all cardholder data, to verify that no cardholder data exists outside of the currently defined Card Data Environment (CDE).
- Once all locations of cardholder data are identified and documented, the entity uses the results to verify that PCI DSS scope is appropriate (for example, the results may be a diagram or an inventory of cardholder data locations).
- The entity considers any cardholder data found to be in scope of the PCI DSS assessment and part of the CDE. If the entity identifies data that is not currently included in the CDE, include this data.
- Documentation that shows how PCI DSS scope was determined will need to be retained for assessor review and/or for reference during the next annual PCI DSS scope confirmation activity.

External vulnerability scans are required when entities utilize IP connections to process CC transactions, in order to identify any possible vulnerabilities or weakness.

Merchant Levels: Who's included?

Level: Merchant Criteria
- Level 1: Merchants processing over 6 million Visa transactions annually (all channels)
- Level 2: Merchants processing 1 million to 6 million Visa transactions annually (all channels)
- Level 3: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually
- Level 4: Merchants processing less than 20,000 Visa e-commerce transactions annually & all other merchants processing up to 1 million Visa transactions annually

The SAQ - PCI is not easy

SAQ Type A
  Eligibility: Card-not-present merchants: All payment processing functions fully outsourced, no electronic cardholder data storage
  Number of Questions: 14
  Quarterly ASV Scan Required: No
  Penetration Test Required: No

SAQ Type A-EP
  Eligibility: E-commerce merchants re-directing to a 3rd-party website for payment processing, no electronic cardholder data storage
  Number of Questions: 139
  Quarterly ASV Scan Required: Yes
  Penetration Test Required: Yes

SAQ Type B
  Eligibility: Merchants with only imprint machines or only standalone dial-out payment terminals: No e-commerce or electronic cardholder data storage
  Number of Questions: 41
  Quarterly ASV Scan Required: No
  Penetration Test Required: No

SAQ Type B-IP
  Eligibility: Merchants with standalone, IP-connected payment terminals: No e-commerce or electronic cardholder data storage
  Number of Questions: 83
  Quarterly ASV Scan Required: Yes
  Penetration Test Required: No

ControlScan 2014 Confidential

Certificate of PCI Compliance

Breach Protection

The protection program is designed to help your merchants meet the significant expenses resulting from a suspected or actual breach of credit card data regardless of the merchant's PCI compliance status. The program covers:
- The mandatory forensic audit required by the Payment Card Industry Data Security Standard (PCI DSS) when a data breach is suspected
- Card replacement costs and related expenses
- Assessments and fines levied by card sponsors for data breaches
- Data breaches caused by employee dishonesty and/or the physical theft of data, as well as computer hacking

Breach Protection

Insurance details:
- Level 4 merchants are covered regardless of PCI DSS compliance
- Depending on your program, the policy limits up to $50,000 or $100,000 per MID, per year; up to 10 MIDs and $500,000 per year
- No deductible
- No co-pay
- No underwriting of individual merchants

Rest easy. Simple, 3-step claim process:
1. Complete an online claim form by following the easy-to-use link within mycontrolscan.com.
2. Upload or fax the appropriate notice that stipulates there has been a suspected or actual breach at the merchant's location.
3. When the forensic audit is complete, upload or fax a copy of the assessor's invoice.

Security, EMV and NFC: Why and Why Now?
- You can't ignore the headlines about high profile data breaches
  - Target has lost $148M to date as a result of the breach
  - Home Depot's loss is estimated to be larger
- PCI establishes a framework to protect cardholder data, yet every major merchant and processor that was breached was PCI compliant
- Banks and merchants must work together and adopt new standards in order to keep the government regulatory body out of their business
- Fraud migrates to the weakest link
  - Most other countries have adopted EMV so fraudsters are targeting the US
- Apple made headlines with the iPhone 6 and the release of Apple Pay, its digital wallet utilizing NFC technology

Introduction to EMV
- EMVCo's primary purpose is to define a global standard for credit and debit payment cards based on chip card technology
- Data is more secure on a chip-embedded card rather than on a static mag-stripe card
- The microprocessor chip validates, stores and encrypts data
- Unlike a mag-stripe card that can be copied ("skimmed"), chip technology combats counterfeiting by assigning a dynamic value for each transaction
- EMV is important in the adoption of global interoperability
- The U.S. is the last major market to adopt EMV

EMV Form Factors
- Contact
  - Chip is embedded in a card
  - Card is inserted into a smart card reader
  - Card remains in the reader until the transaction is completed
- NFC Contactless
  - The chip may be embedded in cards, key fobs, mobile phones, etc.
  - A contactless chip requires close proximity to a reader ("tap and go")
  - Apple just announced Apple Pay, which leverages NFC

Why Small Businesses Should Act Now
- As large businesses implement more secure systems, fraudsters will go downstream to attack small business owners
- The EMV Liability Shift will drive adoption
- Merchants of any size will be liable for domestic and cross-border counterfeit fraud committed at the point of sale if they are not using a compliant EMV POS solution
- A non-compliant merchant is liable for fraud that occurs on any EMV chip card used on a magnetic stripe-only terminal
- A non-compliant issuer is liable for fraud that occurs on any magnetic stripe card used on an EMV chip card-enabled terminal

Counterfeit Card Fraud: Four Scenarios

Mag-Stripe/Mag-Stripe
  Consumer has mag-stripe card
  Merchant has mag-stripe terminal
  Liability with issuer

EMV/EMV
  Consumer has EMV chip card
  Merchant has EMV terminal
  Liability with issuer

Mag-Stripe/EMV
  Consumer has mag-stripe card
  Merchant has EMV terminal
  Liability with issuer

EMV/Mag-Stripe
  Consumer has EMV chip card
  Merchant has mag-stripe terminal
  Liability with merchant

Summary: EMV Quick Facts
- EMV is for Card Present transactions only, there is no impact to CNP
- EMV helps prevent counterfeit card fraud, it does not protect against a breach (that requires encryption and tokenization)
- EMV can be Chip and PIN or Chip and signature depending on the issuer
  - The terminal will prompt for appropriate action
- If a clerk or customer swipes an EMV card on an EMV terminal, he will be prompted to insert the card
- New chargeback liability rules take place in October 2015
- Merchant e-Solutions offers new countertop and wireless terminals that support the latest EMV and NFC technologies

For more information contact:
Name: Angela Floyd
Phone: 803-968-1635
Email: afloyd@merchantesolutions.com