FTC to possibly ban payment methods due to susceptibility to fraud

The FTC has recently called for reforms to the federal Telemarketing Sales Rule (TSR) and, as a result, has issued a Notice of Proposed Rulemaking (NPRM). The proposed amendments would prohibit telemarketers from using certain novel payment methods and would extend the ban on recovery services. If the amendments are approved, remotely created checks, remotely created money orders, cash-to-cash money transfers and cash reload mechanisms would be permanently banned.

The FTC filed several lawsuits against payment processors for the deceptive practice of accepting payments by remotely created checks or payment orders. The processors it sued were forbidden from ever processing such payments again, but other payment processors were free to continue the same practice. As a result, the FTC issued an NPRM which, if enacted, would expand the FTC's rulemaking authority over deceptive practices by telemarketers and prohibit these novel payment methods.

The FTC holds payment processors liable for ensuring that consumers are not subjected to fraud and for monitoring the merchants that commit fraud against consumers. If the TSR is amended, the FTC would expect all payment card processors to comply with the new rules. The amendment would apply only to telemarketing merchants; non-telemarketing merchants could continue to use these payment methods, for legitimate purposes only.

Merchants: Are Your Vendors PCI Compliant?

Visa, which has always been the strictest card association regarding PCI compliance, data security and cardholder protection, has set the pace again. Merchants who accept multiple card types are required to follow the strictest card operating guidelines, which usually come from Visa. Visa issued a series of mandates requiring its acquirers to ensure that their U.S. merchants, VNPs and agents use only PA-DSS compliant payment applications, and that PIN pads connected to Visa’s network use Triple DES (Triple Data Encryption Standard). The final mandate in this series went into effect on July 1.

A Little History

In 2005, Visa established the Payment Application Best Practices (PABP), “to provide software vendors guidance in developing payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and support overall compliance with the PCI Data Security Standard (PCI DSS)”. In 2008, the PCI Security Standards Council (PCI SSC) adopted Visa’s PABP and released it as the Payment Application Data Security Standard (PA-DSS). The PA-DSS applies to vendors who develop payment applications, and its goal is to ensure that those applications are PCI compliant and do not store prohibited data such as full magnetic stripe, CVV2 or PIN data. The standard requires vendor software applications to be validated for compliance on an annual basis.

On January 1, 2008, Visa implemented a series of mandates requiring its acquirers to ensure that their merchants and agents use only third-party payment software that is compliant with the PA-DSS. The intent of the mandates, in line with Visa’s Cardholder Information Security Program (CISP), is to eliminate “vulnerable payment applications from the Visa payment system”. Failure to do so could result in financial penalties for acquirers. Since the mandates were established over two years ago and there have been four prior checkpoints, acquirers have had plenty of time to get their merchants ready for this final mandate and the July 1 deadline.

Visa’s global merchants have until July 1, 2012. MasterCard has also set a July 1, 2012 global deadline for PA-DSS compliance for its merchants under its Site Data Protection (SDP) program. According to its SDP update issued in June, MasterCard will also establish new PA-DSS compliance validation requirements for Level 1, 2 and 3 merchants and Level 1 and 2 service providers.

However, Visa is not completely rigid on the July 1 date. According to an article in ISO & Agent Weekly, Visa intends to work with merchants who do not meet the July 1 deadline. The exception to this assistance will be for merchants who are purposely avoiding compliance. (Visa welcomes information regarding merchants who are not in compliance.)

What Merchants Need To Do

Merchants need to be proactive out of the gate. To avoid non-compliance, and the data security risks that come with it, they should not wait to hear about new policies from their processors. They need to stay ahead of the pack by checking the PCI SSC site and staying abreast of any pertinent news from the card companies. Most importantly, they should always ensure they are using vendors who are PCI compliant. How can they do that? For starters, and for the purposes of Visa’s security mandates, they should only use vendors who are on the PCI SSC list of validated payment applications, which have been assessed for compliance with the PA-DSS. Merchants should also only use vendors who engage Payment Application Qualified Security Assessors (PA-QSAs) certified by the PCI SSC. Even if a vendor states that its payment application is PA-DSS validated or that it has been evaluated by a PA-QSA, merchants should check the PCI SSC site for the validation themselves. A vendor is on the list for one year, and only for the specific software version that was evaluated. If a vendor has released a new version, a merchant should only consider using the validated version and should never use a beta version; beta versions are never validated under the PA-DSS.

If a merchant discovers that its vendor is non-compliant with the PA-DSS, it should either switch to a compliant vendor (which may not be as easy as it sounds) or assist the vendor in gaining compliance. That’s not to say that the merchant should assist them financially, but it can guide them where possible. By working together, they can build a stronger relationship, resulting in better data protection for their customers and cardholders.

So, what happens if a merchant uses a non-compliant vendor? Aside from the risk of compromising cardholder data, if a breach occurs the merchant can be fined by the card associations and/or forced to undergo a forensic audit, which is not free. Merchants are having a tough enough time in this economy and should not jeopardize their business further by using non-compliant third-party payment processing vendors, nor risk adding costs that can otherwise be avoided.

References:

Information regarding PCI SSC Validated Payment Applications and Payment Application Qualified Security Assessors (PA-QSAs) can be found at http://www.pcisecuritystandards.org

Visa CISP – http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html

MasterCard SDP – http://www.mastercard.com/us/merchant/pdf/SDP_Program_Revisions.pdf

Mobile Contactless Payments

Using your cell phone as a primary method to make contactless payments may finally become a reality in the U.S. AT&T and Verizon are indeed encroaching into the electronic payment space, possibly creating a real threat to Visa and MasterCard. According to Bloomberg, the two wireless carriers have created a new venture with Deutsche Telekom AG, a unit of T-Mobile. The partnership is working with Discover and Barclay’s to test their mobile contactless payment system in four U.S. cities. All payments would be processed through Discover’s network, which is currently fourth in the card market behind Visa, MasterCard, and American Express.

In 2008, Juniper Research forecast that mobile payments would reach $600 billion globally by 2013. Mobile contactless payments have been in place in other countries (Korea, Japan, Spain) for some time, and demand in the U.S. has been increasing, especially with the growth of the smartphone market. Discover has been trying to increase its market share using reward programs and partnerships, so what better way than to jump on the mobile payment wave? Joining the partnership of the leading wireless carriers and cell phone providers is a smart move.

About the Technology

Contactless payments have actually been around for a while. Introduced with Mobil (Exxon)’s Speedpass in 1997, the technology has only recently evolved and become more popular, for several reasons. Consumers want faster ways to conduct face-to-face transactions: people are constantly on the move, and standing in any line to make a purchase is considered an inconvenience. There have been recent advances in Near Field Communication (NFC) technology, a more secure payment method for mobile devices. (Basic RFID was used in the previous generation of contactless cards and devices.) Merchants are also trying to find ways to avoid interchange and association fees from Visa and MasterCard. (Merchants recently persuaded Congress to approve a cap on interchange fees. An antitrust lawsuit filed in 2005 is still pending.)

To enable mobile payments, the mobile phone is equipped with a smartcard which contains payment card data. Merchants would need to have a compatible payment card reader and, to help prevent fraud, a PIN would be required to complete a transaction. For merchants already accepting contactless payments, most existing readers are supposedly compatible with NFC devices.

The Faster, Faster Checkout

Some retailers have already instituted Visa’s No Signature Required program and MasterCard’s Quick Payment Service, neither of which requires a signature for swiped credit card purchases of up to $50 at certain merchant categories. Skeptics claim that this practice can increase fraud, since a cardholder signature is used as proof of purchase at a brick and mortar merchant and most fraudulent transactions start out in small amounts. Gas stations have long employed this practice, but usually require a billing zip code for fraud prevention. In the mobile case, a PIN is not enough protection for one group of consumer advocates.

Each country has its own set of government regulations covering mobile payments and consumer protection. Nothing currently exists in the U.S. Recently, Consumers Union, the nonprofit publisher of Consumer Reports, requested that regulators “use their current statutory authority to ensure that existing consumer protections are applied to all new payment methods.” It is also asking that the companies providing the payment systems grant cardholders “zero liability” rights in their contracts. With the current administration’s involvement in financial matters, a lot more work may need to be done before this becomes reality.

Sharing Revenue

One challenge with this new payment channel involves basic business. Right now, the major card networks, issuing banks and payment processors earn the bulk of the revenue from card transactions. Contactless payments using mobile phones introduce new players: wireless carriers, phone manufacturers and application providers. Why wouldn’t the players enabling the mobile payments want some of the transaction revenue?

The Privacy Issue

Retailers and consumers both like the idea of mobile payments when it comes to faster checkouts. However, they may differ on the amount of information shared. Retailers would love to gather more information about their customers, and the wireless transfer of CRM data is the easiest way to do that. Consumers, however, may not want to share anything else about themselves. Mobile payment applications could limit the amount of data stored, or allow the customer to control what data they want to share, such as loyalty card information and purchase history.

With fraud being a common concern among consumers, it may still be a while before mobile payments using NFC really take off. Sure, there will be early adopters and people who are tapped to do trials (Discover used employees last year to trial its mobile contactless sticker where Discover Zip payments were accepted). Adoption requires that all the pieces be in place: consumers with Discover accounts who are also using mobile phones equipped with the NFC payment technology, and merchants who have the equipment and capability to accept contactless payments from Discover.

Social Sharing Networks and Data Protection

Social networking meets the credit card industry, in a new way this time. Although I’m sure a recent new venture would have preferred a more favorable type of news release.

Blippy, a new social networking site which allows users to share their credit card purchases, unintentionally exposed the financial information of some of its members.

How It Works

The site operates like Twitter, where members can follow other members. Members register one of their credit cards with the site, and any time a purchase is made with that card, the information is streamed, like a tweet or Facebook post, on the member’s page.

A member gives Blippy access to a card account (i.e. provides Blippy with access to the online bank account). Blippy then obtains the transaction data, or raw data, from the card purchase and cleans it up for the web post. For instance, “Starbucks USA 00075424 04/25 CARD # Purchase # Newport Bch, CA”, would be converted to just “Starbucks”.

Members can also add accounts that Blippy has signed on (e.g., iTunes and Zappos), which can include more details of the card purchase. With some accounts, a member can choose to show full product details:

Michael purchased 1 app from iTunes (and then a graphic of the app, i.e., the iTunes song, is displayed below the stream)

Or just the amount spent:

Michael spent $3.75 at Starbucks

Members are using Blippy to find hot deals, compare costs (e.g. cable, utilities, cell phone), share restaurant experiences or post their own movie reviews. Like Facebook, members and followers can comment on a post, and members can hide posts from certain people. (Maybe you don’t want a friend to know that you spent $80 golfing when you cancelled a previously scheduled lunch meeting at the same time.) Some see the revelation of spending habits as a conscience for shoppers. Others see it as sharing too much information. Certain purchases and excessive spending can be potentially damaging to someone’s reputation. For consumers who want to share everything and have nothing to hide, this is perfect.


Like any social networking site, retailers and manufacturers could use the posted information to get feedback on products, shopping experiences and consumer behavior in general. On the flip side, it could create more competition. If full details of a purchase are posted, a competitor could lower prices to steal future business.

Privacy Concern and Security Risks

Information sharing and web collaboration were made possible by Web 2.0 technologies. Users who share information online are slowly becoming aware of the risks of this new technology. Companies who promote the sharing of information online need to ramp up security and take responsibility for helping to protect their users.

The exposure of members’ credit card data on Blippy was discovered during the site’s beta phase, when some raw transaction data could be viewed in the HTML source of a Blippy member’s page. Experienced (and certainly determined) web users could see the raw data, which Blippy claims was mainly harmless (i.e. store numbers, etc.). After the issue was discovered, the glitch was fixed quickly.

According to Blippy cofounder Philip Kaplan, there was a “’technical oversight’ in February which resulted in raw transactional data showing up within the HTML code on some Blippy pages for half a day.” Because of the indexing power of Google, the HTML data, which included full card numbers of four Blippy members, turned up in close to 200 search results. Even though Blippy’s site went through several modifications since then, the Google snapshots of these pages were not updated. Blippy worked with Google immediately to remove the indexed pages.
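The descriptor clean-up and the page-source exposure described above, as an added example that is not Blippy’s code: a leaky template that carries the raw descriptor in the page source beside a hardened one, plus a Luhn-based scan that gates rendered HTML before it is published. The sample transactions, the member name and the merchant-name heuristic are constructed for this example.

```python
import html
import re

# Constructed sample transactions, modelled on the raw descriptor quoted in the
# post. The second one carries the well-known Visa test number 4111 1111 1111
# 1111, not a real account, to stand in for the full card numbers that leaked.
SAMPLE_TRANSACTIONS = [
    {"raw": "Starbucks USA 00075424 04/25 CARD # Purchase # Newport Bch, CA",
     "amount": 3.75},
    {"raw": "ZAPPOS.COM 4111 1111 1111 1111 ORDER 8812", "amount": 59.00},
]

COUNTRY_TOKENS = {"USA", "US"}


def merchant_name(raw):
    """Reduce a raw statement descriptor to a display name ("Starbucks").

    Heuristic assumed by this example (not Blippy's algorithm): keep the
    leading tokens up to the first token that contains a digit or '#', then
    drop a trailing country token.
    """
    words = []
    for tok in raw.split():
        if "#" in tok or any(c.isdigit() for c in tok):
            break
        words.append(tok)
    if len(words) > 1 and words[-1].upper() in COUNTRY_TOKENS:
        words.pop()
    return " ".join(words).strip(",")


def luhn_ok(digits):
    """Luhn check-digit test, which every major brand's card number passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            n *= 2
            if n > 9:
                n -= 9
        total += n
    return total % 10 == 0


# 13 to 19 digits, optionally separated by spaces or dashes, not embedded in a
# longer digit run. Store numbers and dates such as "00075424 04/25" are too
# short to match, so the "mainly harmless" raw data is not flagged.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_pans(text):
    """Return every Luhn-valid card-number-shaped string in text, digits only."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            found.append(digits)
    return found


def leaky_post_html(txn, member):
    """The pattern behind the exposure: only the cleaned name is visible, but
    the raw descriptor is carried in the page source (here a data- attribute),
    so anyone viewing source, or a search-engine crawler, gets the raw data."""
    return '<li data-raw="%s">%s spent $%.2f at %s</li>' % (
        html.escape(txn["raw"], quote=True), html.escape(member),
        txn["amount"], html.escape(merchant_name(txn["raw"])))


def safe_post_html(txn, member):
    """Hardened form: only display-ready fields reach the template, and the
    rendered markup is scanned for card numbers before it may be published."""
    markup = "<li>%s spent $%.2f at %s</li>" % (
        html.escape(member), txn["amount"], html.escape(merchant_name(txn["raw"])))
    pans = find_pans(markup)
    if pans:
        raise ValueError("refusing to publish: %d card number(s) in markup" % len(pans))
    return markup


if __name__ == "__main__":
    for txn in SAMPLE_TRANSACTIONS:
        leaky = leaky_post_html(txn, "Michael")
        print("leaky:", leaky, "-> card numbers in source:", find_pans(leaky))
        print("safe: ", safe_post_html(txn, "Michael"))
```

Running find_pans over the full rendered page, not just the visible text, is the check that would have caught the data- attribute before a crawler did.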

Blippy then discovered another member’s card number in a web search on Saturday, which turned up in 20,000 pages. The company again worked with Google to remove the data. In both cases, Blippy also contacted – and apologized to – the members affected.

Blippy, and its members, were quite lucky. The damage could have been a lot worse had the site been in a more viral stage, à la Facebook or Twitter.

Who is in Control?

Social networking has given people the power to open up that privacy door – all on their own. At the same time, secure data is at risk when financial information is released into the air.

Amazon was leery of Blippy in the beginning, as it blocked buyers from publishing their purchases. Blippy went around the roadblock by asking members who used Gmail for access to their Gmail accounts, so that it could obtain the purchase data that Amazon emailed to them. Other retailers have joined Blippy without as much concern, seeing it more as a promotional tool.

Even though a cardholder would not be responsible for fraudulent charges, it doesn’t help our economy if retailers are left holding debt as a result of credit card fraud. As discussed in a previous two-part blog, when data is compromised, fingers are usually pointed at the merchant receiving the card information. However, all parties involved are responsible for ensuring data security. On top of that, merchants need to be extra careful about business relationships which may affect the data protection of their customers. Unfortunately for banks and retailers, if a cardholder volunteers access to his or her account and card information is jeopardized, the cardholder is still protected.

While Blippy thought they were on top of security on their site, the recent data exposure has changed their course. In their April 26 blog, they outlined a new security plan which includes hiring a chief security officer and conducting regular security audits to protect members.

On the positive side for Blippy – the company has certainly gained more exposure since the data security issue hit the news. Oh, and Blippy will soon have company in this playing field as Swipely is soon to go live.

Debit or Credit – Do Merchants Have a Choice?

If your merchant account is set up to accept only credit cards (i.e. you are an online merchant or you do not have the ability to accept PIN-based transactions), then the answer is simple: you can only accept credit card transactions at this time. If you accept POS (Point of Sale, or in-person) transactions, you can offer your customers the option, provided your processing system is set up to accept PIN-based transactions. So, if you have that option of offering debit or credit, what’s the difference, you ask? Merchants have different motivators for their choice, as do cardholders. Each method goes through a different transaction processing network, so different cost structures exist for merchants and issuing banks. The benefits and risks of each method also vary for all parties involved.

First, the only cards that provide this debit or credit option are debit cards with a credit card company logo, also called check cards or electronic checks. Online (not to be confused with ecommerce) debit transactions require PIN authentication (like an ATM transaction) and are processed through debit networks (e.g., NYCE, CIRRUS). Offline debit transactions require a signature and are processed through the card association networks (e.g. Visa or MasterCard). All transactions from a debit card are tied to the cardholder’s bank account.

The Bank Side

Card issuing banks earn most of the revenue when their cardholders use their cards, whether they are debit or credit. Some banks entice customers to use their check card by offering incentives, such as rewards and cash back. Most rewards programs require the consumer to use the credit/signature option, which enables the bank to collect interchange fees from the merchant, helping to offset the cost of the rewards. Acquiring banks also earn revenue when either the credit or debit option is used.

Overall, card issuing banks prefer PIN-based debit transactions, hands down. Even though they pay debit transaction fees, banks save money by not paying fees to the card associations.

The Consumer Side

Consumers like using debit cards mostly to avoid writing paper checks. Many brick and mortar retailers no longer accept checks and banks are following suit. Banks in the U.K. decided to phase out their check clearing process by 2018, citing cost savings.

As stated above, consumers can be enticed with rewards. With Bank of America’s ‘Keep the Change’ program, check card purchases (using the PIN or credit option) are rounded up to the next dollar and the difference is transferred into the account holder’s savings account. The bank then matches the transfer amounts up to $250 a year.

Using funds that already exist (i.e. in a checking account) for purchases instead of buying on credit also helps keep the cardholder out of future debt. The cash back option is free with debit purchases and the funds are also deducted immediately from the cardholder’s account – instead of a few days later for credit card purchases. For cardholders who monitor their bank accounts closely, this option is best for them. However, banks do charge fees for insufficient funds on debit transactions.

From a fraud perspective, PIN-based transactions are the most secure. However, cardholders are not protected from fraudulent debit transactions as they are with credit card transactions. If a thief uses a cardholder’s debit card and cleans out their bank account, the cardholder will likely not be able to recover those funds (aside from legal action). If a cardholder uses Verified by Visa, an optional service requiring a personal password, the cardholder is protected under the Fair Credit Billing Act when making purchases online.

By choosing the credit option, as with normal credit cards, cardholders also have the right to do a chargeback if there are issues with a return, fulfillment or satisfaction with a purchased product or service.


The Merchant Side

Merchants prefer PIN-based debit transactions for a few reasons. Debit network fees are lower, there is an instant guarantee of funds and funds settle faster into the merchant’s bank account.

Merchants, particularly ecommerce merchants, like offline debit transactions since they are able to reach consumers who receive prepaid debit cards or payroll cards, or who are unable to obtain credit cards. For those consumers, card-branded debit cards are the only option for electronic payments. Settlement takes a little longer with offline debit transactions, but usually only by a few days.

While consumers can often make larger purchases with credit, there is always the chance that the customer will do a chargeback. Unfortunately for merchants, chargebacks are allowed with offline debit cards, since transactions are processed through the credit card networks and cardholders are therefore protected under the Fair Credit Billing Act.

The Card Associations and Merchant Processors Side

Offline debit card transactions are processed through the card networks, so the card associations, like Visa and MasterCard, prefer this option, for obvious reasons. Merchant processors earn revenue from either option, but there could be more revenue for them with offline debit transactions (depending on the pricing structure). For this reason, some processors fail to offer the PIN-based option to merchants. Sometimes it may be due to an inexperienced salesperson, or the processor not fully understanding the merchant’s processing abilities. At other times, the merchant processor simply does not offer the option, hoping the merchant will be none the wiser.

Merchants’ Choice

What merchants do have is the choice to offer PIN-based transactions (again, if their processing system is enabled to accept PIN-based debit) and thereby incur lower processing fees. Some merchant processors don’t offer this option, so merchants may need to ask. PIN-based debit transaction fees are typically lower than those for credit card transactions, but PIN pad equipment is required. Hopefully some form of PIN-based option will soon be available for ecommerce as well.

In the end however, if the option is there, it is still up to the consumer to choose. Even if a POS system defaults to debit or credit, a merchant cannot dictate which option the consumer is to use.

This blog refers to debit and credit transactions in the U.S. at this time. Fees and acceptance rules vary in other countries.

PCI Compliance – Why Merchants Need To Take It Seriously – Part II

In Part I, I discussed the importance of PCI compliance, the consequences of non-compliance and the effect of account termination on a merchant. Part II will discuss the basics of PCI compliance responsibility and how merchants can avoid fines and account termination.

Who is Responsible for PCI Compliance?

In order to be PCI compliant, all acquirers, merchants and third parties using a card association’s payment system must not only abide by the PCI DSS requirements but also that association’s guidelines. For example, any organization using Visa’s payment system (i.e. any organization which receives, processes or passes Visa branded cardholder information) must abide by Visa’s International Operating Guidelines. Failure to comply can result in monetary fines and possible disqualification or merchant account termination.

Association compliance for merchants is based on levels of validation for each card association. Visa, MasterCard, and Discover each have four levels of validation for merchants. American Express has three levels and JCB has two levels. Each level is based on annual transaction volume with Level 1 being the highest. It is the responsibility of the merchant to check the criteria for each card brand it accepts and adhere to the validation requirements for the appropriate level in which it falls.

NOTE: MasterCard recently made changes to its security program whereby a merchant falls into a certain level based on its level with Visa. So, if a merchant processes over 6 million Visa transactions (Level 1) but only 2 million with MasterCard (Level 2), it would be a Level 1 merchant with both associations.

Non-Compliant Activities

So, what type of activity can result in a fine or merchant termination? Basically, two words – non-compliance. Credit card compliance covers PCI DSS and card association guidelines. Any activity violating those can result in fines, being put on MATCH or account termination.

Using Visa as an example again, per their operating guidelines, if Visa determines that a member, its agent, or a merchant has been deficient or negligent in securely maintaining the account or transaction information or reporting or investigating the loss of this information as specified in this section, Visa may fine the member, as specified in Section 1.6.D, or require the member to take immediate corrective action. Visa members are financial institutions who issue and maintain account information (i.e. acquirers).


Visa’s operating guidelines define the reason for terminating a merchant account (aka, Revocation of Privileges):

Visa may permanently prohibit a Merchant, IPSP, or any other entity, or one of its principals, from participating in the Visa or Visa Electron Program for any reasons it deems appropriate, such as:

Fraudulent activity
Presenting Transaction Receipts that do not result from an act between the Cardholder and the Merchant (laundering)
Activity that causes the Acquirer to repeatedly violate the Visa International Operating Regulations
Activity that has resulted in a Regional Office prohibiting the Merchant from participating in the Visa or Visa Electron Program
Any other activity that may result in undue economic hardship or damage to the goodwill of the Visa system

Similarly, MasterCard’s rules state that failure by a Merchant or Acquirer or both to comply with any Standard may result in chargebacks, an assessment to the Acquirer, and/or other disciplinary action.

Repetitive violations can incur heavier fines, possible listing on MATCH or account termination. Associations will also continue to levy fines if the merchant does not correct the activity deemed non-compliant. Any fines from the card associations related to merchant activities will be passed down to the merchants. If a merchant does not take corrective action or neglects to pay the acquirer, the merchant account is at risk of being terminated and listed on MATCH.

Be Careful Using Third-Party Service Providers

Using third-party vendors can certainly streamline your business operations and credit card sales. However, they can also hurt your business if they are not compliant with industry guidelines. Aside from any possible data breach, simply using a non-compliant vendor can result in fines from the associations as well. Third-party service providers include payment gateways, web hosting and backup storage services.

There are many reasons to use a PCI compliant vendor – aside from following PCI compliance guidelines, using a compliant vendor helps to protect your customer records, which should be the number one priority.

According to PCI guidelines, merchants are required to verify service provider compliance. The PCI DSS requirement 12.8 (outlined below) requires a merchant to “manage” any service providers:

12.8.1 Maintain a list of service providers.

12.8.2 Maintain a written agreement that includes an acknowledgement that the service providers are responsible for the security of cardholder data the service providers possess.

12.8.3 Ensure there is an established process for engaging service providers including proper due diligence prior to engagement.

12.8.4 Maintain a program to monitor service providers’ PCI DSS compliance status.

To assist with compliance on this level, the PCI SSC adopted the Payment Application Data Security Standard (PA-DSS), formerly managed by Visa as the Payment Application Best Practices (PABP), for software vendors or other companies who develop secure payment applications. A list of validated payment applications is available on the PCI SSC web site. Each payment application on the list is valid for one year, so application vendors and developers need to go through similar annual reviews and due diligence as required by the PCI DSS for organizations.
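One way to implement the service-provider monitoring that requirement 12.8 and the one-year, version-specific validation rule above call for, as an added example that is not from the PCI SSC or any vendor: a review script over a constructed 12.8.1 inventory and a constructed snapshot of a validated-applications list. The vendor names, versions and dates are made up, and the one-year validity is encoded as a fixed 365-day window.

```python
import re
from datetime import date, timedelta

# Constructed snapshot of the kind of entries found on the PCI SSC list of
# validated payment applications: vendor, application, the exact version that
# was assessed, and the date it was listed. Vendors and versions are made up.
VALIDATED_APPS = [
    {"vendor": "Acme POS", "application": "AcmePay", "version": "3.2.1",
     "listed": date(2010, 3, 1)},
    {"vendor": "Acme POS", "application": "AcmePay", "version": "3.1.0",
     "listed": date(2009, 2, 15)},
    {"vendor": "Northwind Gateway", "application": "NW Gateway", "version": "5.0",
     "listed": date(2009, 6, 30)},
]

# Constructed merchant inventory, the 12.8.1 list: what is actually deployed and
# whether the 12.8.2 written agreement is on file.
IN_USE = [
    {"vendor": "Acme POS", "application": "AcmePay", "version": "3.2.1",
     "written_agreement": True},
    {"vendor": "Acme POS", "application": "AcmePay", "version": "3.3.0-beta2",
     "written_agreement": True},
    {"vendor": "Northwind Gateway", "application": "NW Gateway", "version": "5.0",
     "written_agreement": False},
    {"vendor": "Contoso Host", "application": "ShopHost", "version": "1.4",
     "written_agreement": True},
]

# The post states a listing is good for one year, for the assessed version only.
LISTING_VALIDITY = timedelta(days=365)
REVIEW_DATE = date(2010, 7, 1)   # the Visa deadline discussed in the post

PRERELEASE_RE = re.compile(r"(alpha|beta|rc\d*)", re.IGNORECASE)


def is_prerelease(version):
    """Beta/RC builds are never validated, so they can never be compliant."""
    return PRERELEASE_RE.search(version) is not None


def review_entry(entry, validated, today):
    """Return the findings for one deployed application; an empty list means it
    passes every check this script knows about."""
    findings = []
    if not entry["written_agreement"]:
        findings.append("12.8.2: no written agreement acknowledging responsibility "
                        "for cardholder data")
    if is_prerelease(entry["version"]):
        findings.append("pre-release version %s in use; beta versions are never "
                        "PA-DSS validated" % entry["version"])
    app_key = (entry["vendor"], entry["application"])
    same_app = [v for v in validated if (v["vendor"], v["application"]) == app_key]
    exact = [v for v in same_app if v["version"] == entry["version"]]
    if not same_app:
        findings.append("application not on the validated list")
    elif not exact:
        # Only the assessed version counts; a newer release is unvalidated.
        findings.append("version %s not validated (listed versions: %s)" % (
            entry["version"], ", ".join(v["version"] for v in same_app)))
    else:
        expiry = exact[0]["listed"] + LISTING_VALIDITY
        if today > expiry:
            findings.append("listing expired on %s; vendor must revalidate"
                            % expiry.isoformat())
    return findings


def monitor(in_use, validated, today):
    """12.8.4: run the review across the whole 12.8.1 inventory.
    Returns {"vendor application version": [findings]}."""
    return {"%s %s %s" % (e["vendor"], e["application"], e["version"]):
            review_entry(e, validated, today) for e in in_use}


def run_review():
    return monitor(IN_USE, VALIDATED_APPS, REVIEW_DATE)


if __name__ == "__main__":
    for key, findings in run_review().items():
        print(key, "->", "OK" if not findings else "; ".join(findings))
```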

Additionally, card companies have put requirements into place regarding service provider compliance. Visa, for example, stipulates that issuers and acquirers must use, and are responsible for ensuring that their merchants use, service providers that are compliant with the PCI Data Security Standard (DSS). Although there may not be a direct contractual relationship between merchant service providers and acquirers, Visa issuers and acquirers are responsible for any liability that may occur as a result of non-compliance.

Service providers must register with Visa in order to be included on its list of PCI DSS-compliant service providers. Visa defines two levels (based on volume) of compliance for service providers. Visa defines service providers as TPAs (Third Party Agents), which are entities that provide payment-related services, directly or indirectly, to a Visa client and/or store, process or transmit Visa account numbers. TPAs include Independent Sales Organizations (ISOs), Third Party Servicers (TPSs), Encryption and Support Organizations (ESOs) and Merchant Servicers (MSs). TPAs must be registered in Visa’s Agent Registration Program, mandated by Visa to “ensure that Visa clients are in compliance with Visa Inc. Operating Regulations (“Visa rules”) and policies regarding their use of TPAs.” Only Visa clients (i.e. acquirers) can register TPAs and are thus responsible and liable for their TPAs. POS software providers that provide the payment application only and do not store, process and/or transmit Visa account numbers also need to adhere to the PA-DSS. Fines from Visa include $10,000 for using an unregistered TPA.

Under its SDP program, MasterCard also requires third party service providers to follow compliance guidelines. It defines service providers as a collective term for Third Party Processors (TPPs) and Data Storage Entities (DSEs). It also defines two service provider levels for compliance.

PCI compliance for service providers includes onsite assessments, self-assessment questionnaires, and network security scanning. As summarized by MasterCard, compliance for its service providers is a three-step process:

  • Review the relevant PCI documentation, validation tools and procedures
  • Engage an approved vendor, as appropriate, and follow the validation procedures
  • Once compliant, work with a qualified security assessor to send a Certificate of Validation to MasterCard

In all cases with service provider compliance, PCI SSC Qualified Security Assessors and Approved Scanning Vendors must be used. For a merchant to ensure complete compliance across the board, it is necessary for its service provider(s) to be on all relevant compliance lists.

View Visa’s current list (as of March 6) of PCI DSS Validated Service Providers here.

View MasterCard’s list of compliant service providers here.

Using a third-party vendor or company in the processing of credit cards does not exclude a merchant from PCI compliance responsibility. The merchant is still responsible for data security and abiding by PCI compliance rules and the operating guidelines of the card brands. Issuers and acquirers are also responsible for any liability that may occur as a result of non-compliance.

How Merchants Can Avoid Fines and Account Termination

Before account termination or being put on MATCH, a merchant may be warned and fined for non-compliance or for risky activities, such as excessive chargeback ratios or not following the PCI DSS. That is a warning which should not be taken lightly by any merchant. Any non-compliance should be corrected immediately. If a data breach has occurred, it is the merchant’s responsibility to report it as soon as it is discovered.

Using a third-party vendor or company in the processing of credit cards does not exclude a merchant from PCI compliance responsibility. The merchant is still responsible for data security and for abiding by PCI compliance rules and the operating guidelines of the card brands. Merchants are responsible for reading and understanding the card association guidelines in their entirety for each card type they accept. Merchants should also use a payment processor who explains compliance and helps avoid fines by keeping an eye on chargeback ratios and understanding their third-party vendors. Of all the parties (with the exception of the customer) involved in the payment transaction process, the merchant is the one who loses out the most if data security is compromised or the merchant account is terminated. Merchants can prioritize compliance by assigning a security officer – or other responsible party – to ensure that all necessary compliance requirements are being met. This includes making sure service providers are consistently compliant as well.

Reference documents

Card association operating guidelines

MasterCard

Visa

American Express

Guidelines for Discover and JCB are not available online. Merchants can obtain them from the card associations directly.

Card association requirements for merchant compliance

Visa Cardholder Information Security Program for Merchants

MasterCard Merchant Requirements

Discover Information & Security Compliance

American Express

JCB Data Security Program

Card Association Response to Updated FTC Regulations

In January, MasterCard made an effort to enforce new regulations and best practice guidelines pertaining to online direct marketing – specifically “negative option” marketing, which they consider to be a “brand damaging” practice.  The FTC Negative Option staff report, featuring five key marketing principles, triggered both Visa and MasterCard to make changes to their operating guidelines.

Operating Guideline Changes

Visa and MasterCard both instituted changes in their operating guidelines in response to consumer disputes about card not present transactions and direct response products and services.  MasterCard’s actions followed policy changes from Visa regarding descriptor formats and disclosure of corporate entities related to direct response offers.  While the changes concern online marketers and merchants, they also affect direct mail and telephone marketing businesses.

“Remember the Columbia Record Club?  They are a prime example of negative option marketing, which shows that it has been around a long time.”

MasterCard communicated their “Direct Marketing Best Practices” guidelines to their acquirers and direct response marketers to further enforce compliance.  The guidelines focus on terms disclosure,  trial offers, marketing, endorsements and testimonials, affiliate marketing (CPA) networks, billing timeframes, refund policies, back end offers (up-sells, cross-sells), descriptors, order fulfillment, and customer service.

Of course these changes are meant to protect the consumer.  However, any business affected by these changes should view them positively.  Consumer complaints can turn into negative publicity (and subsequently, reduced revenue) for any company.  Let’s not forget increased chargeback ratios, which no merchant desires.

A Little History

The Federal Trade Commission (FTC) was created in 1914 to prohibit unfair competition and practices in commerce.  The agency enforces laws targeting specific marketing practices and product promotions, such as environmental claims, free products, mail and telephone orders, and negative option offers.  Section 5 of the FTC Act prohibits unfair and deceptive practices – more specifically, unfair and deceptive advertising and marketing, in any medium, to consumers.  Section 5 describes a product or service claim as deceptive if it misleads the consumer or affects consumer behavior.  Additionally, product claims (e.g. “xyz product prevents illness”) must be substantiated, especially if they concern health, safety or performance.  The key marketing principles listed in the Negative Option staff report are meant to guide the industry in compliance with Section 5 of the Act.

“The FTC Act prohibits unfair or deceptive advertising in any medium”

The FTC also implemented changes to its Guides Concerning the Use of Endorsements and Testimonials in Advertising in December, clarifying that “advertisers are subject to liability for false or unsubstantiated statements made through endorsements, and that endorsers also may be liable for statements made in the course of their endorsements.”

California Is Taking Action As Well

On a similar wavelength, a new bill, SB 340, regarding automatic renewal and continuous service offers was signed into law in October in California.  SB 340 came to light following a 2006 lawsuit against Time, Inc., for automatic renewal offers and solicitations.  Twenty-three states received complaints from consumers, which resulted in an extensive investigation.  Time was billing or automatically charging consumers’ credit cards for magazine subscriptions without consent.  The company had changed its renewal policy: instead of subscribers actively renewing, subscribers were required to actively cancel their subscriptions.  Otherwise, the renewal was automatic.  The renewal policy always appeared in fine print and was not clearly stated.

SB 340 requires businesses to state “clearly and conspicuously” the renewal terms and obtain the subscriber’s approval at the time of purchase.  Clear and conspicuous is defined as “in larger type than the surrounding text or in contrasting type, font or color.”  In the case of telephone marketers, the audio disclosure must be “audible and understandable.”  It also requires the inclusion of a cancellation policy with the renewal offer and an easy way for the subscriber to cancel.  The bill goes into effect on December 1, 2010.

Per the FTC Act, sellers are responsible for product and service claims.  Third parties, such as advertising agencies, web site designers and catalog marketers, can also be found liable for product deceptions and unfair competition practices.  Those found to be non-compliant could face enforcement by the FTC as well as civil lawsuits.  Punishment includes cease and desist orders, fines up to $16,000 (per violation), federal injunctions, and consumer refunds.

Additional Resources:

PCI Compliance – Why Merchants Need To Take It Seriously – Part I

Having a merchant account comes with responsibility.  While a merchant may be concerned with revenue and how to grow its business, payment card industry (PCI) compliance should be at the top of the list as well.  The main purpose of PCI compliance is data security, which applies to any party involved in processing credit card transactions.  Not following the rules – or practicing risky activities – can result in card association fines and can also put a merchant account in jeopardy of being terminated – not to mention data breaches that may occur.  A merchant account termination can be detrimental to any business accepting credit cards – especially if they operate purely online.

The Importance of PCI Compliance

According to Privacy Rights Clearinghouse.org, more than 346 million records with sensitive information have been breached since January 2005.  According to the Ponemon Institute’s annual study, the cost of a data breach was $204 per compromised customer record for 2009.  The data were obtained from 45 companies that publicly acknowledged – and were willing to discuss – a breach of sensitive customer information.  The study also revealed that the average total cost of a data breach was $6.75 million in 2009.

Most laws involving credit card fraud and data security breaches target the criminals who conduct the breaches and obtain the card data.  However, state attorneys’ offices have investigated and filed suits against companies that were found to be non-compliant at the time of a data breach.  The only way the card associations are able to enforce the security standards is to penalize those who do not comply and/or who jeopardize data protection.

The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization or merchant that accepts, transmits or stores any cardholder data.  The PCI DSS was created in 2004 by the PCI Security Standards Council (SSC), which includes the major card brands – otherwise known as associations – American Express, Discover, JCB, MasterCard, and Visa.  Each card association stipulates that the PCI DSS, in addition to the individual association guidelines, must be followed in order to be fully compliant.  Achieving PCI compliance means that you have met the technical requirements of the PCI DSS.

Consequences of Non-Compliance

Non-compliance can result in fines or other actions by the card associations.  Even though the PCI SSC manages the PCI DSS, any fines levied for non-compliance are imposed by the card associations, not by the security council.  The card associations usually fine the acquirer under which the non-compliant merchant processes transactions.  The acquirer then passes the fine on to the merchant, ISO or third party.  However, a merchant can also be fined or terminated directly by the card association.

“T.J. Maxx agreed to pay as much as $40.9 million in a settlement with Visa.”

The amount of the fines and fees is dependent upon the type of activity.  A breach of data would cost a merchant a lot more than being discovered to be non-compliant with no data breach.  For example, in the largest data breach thus far, T.J. Maxx (TJX) agreed in November, 2007, to pay as much as $40.9 million in a settlement with Visa and the bank that processes the company’s credit card payments, as a result of a massive data breach, discovered in 2006, of TJX’s customer records.  (TJX admitted to 45.7 million compromised records, but court filings by the banks suing TJX estimate that about 100 million cards were affected.)  The settlement funds were reported to be used to help the U.S. credit card issuers (i.e. banks) recover costs related to the breach.  Last year, TJX agreed to pay $9.75 million to settle investigations by 41 state attorneys general.  That settlement was the sixth one that TJX announced regarding the breach.  Visa originally fined Fifth Third, TJX’s acquiring bank, close to $900,000 for non-compliance.  $500,000 was assessed “due to the seriousness of this security incident and the impact on the Visa system,” according to a Boston Globe report.  $380,000 was assessed for “TJX’s failure to cease storing prohibited data.”

Visa announced, following the TJX breach, that it began fining level one merchants (6M + transactions annually) $25,000 per month if they fail to comply with the PCI DSS.  Although this information is relative to the largest data breach in U.S. history, merchants of every level should take these actions very seriously to avoid risking loss of data, not to mention customer confidence.

How Does Account Termination Affect A Merchant?

So, your processor terminated your account.  You may ask, “What’s the big deal?  I will just get a new merchant account elsewhere.”  Well, it’s not as easy as it sounds.  A merchant who has been terminated is put on MATCH, more or less a blacklist in the credit card processing industry.  Formerly known as the TMF (Terminated Match File), the MATCH (Member Alert to Control High-Risk) list is a file of merchants who have been terminated for “cause”.  Reasons include activities such as fraud or excessive chargebacks.  (See a previous blog on this subject here.)  The list is used primarily by acquirers to assess the risk of a business when it applies for a merchant account.  It is tied to MasterCard and Visa, so all acquirers check the MATCH file against any new merchants who apply for an account.  (It’s rare, with the exception of Costco for instance, for a merchant to accept other cards but not MasterCard and Visa.)  A MATCH listing includes the company name and the names of the company’s principals, but a company’s inclusion on the list does not mean it, or its principals, would be prohibited from obtaining a merchant account again.  Acquirers use the MATCH file as an informational tool and will usually base a merchant application approval or denial on a complete investigation.  Once a merchant is on the MATCH list, it is almost impossible to be removed, but it can be done.

Stay tuned for Part II, which will discuss who is really responsible for PCI compliance, working with third party service providers and how to avoid fines, MATCH and account termination.

More Crackdown on Post-Transaction Marketing

Some recent news and government actions affecting online retailers that enroll consumers in membership clubs warrant a follow-up to my blog a few months ago about post-transaction marketing.

In late January, NY Attorney General Cuomo made some strong moves in the battle against post-transaction marketing.  His office reached an agreement with Fandango, in which the online movie ticket retailer will no longer engage in any marketing practices that enroll consumers in membership/discount clubs without the consumer’s approval.  Additionally, Cuomo launched an investigation into 22 well-known online retailers that deceptively enroll consumers in these membership clubs.  Cuomo stated that while the enrollments in the discount clubs weren’t “illegal per se,” they could be considered deceptive practices.  The investigation resulted from a large volume of complaints from consumers who say they were lured by coupons or cash-back offers while buying things such as flowers and movie tickets and were then enrolled in clubs which charged their cards monthly without their consent.  Complaints included the difficulty in finding out whom to contact to cancel the membership once it was discovered.

Affinion, Vertrue and Webloyalty, the three main discount club sellers (all based in Norwalk, CT), have been accused of improper conduct numerous times before and have been sued, or are currently under investigation, by several states over their sales tactics.  Last June, a federal judge in Massachusetts approved a settlement agreement to a class action lawsuit against Webloyalty.  Up to 20 million people are eligible for refunds from the company.  In 2006, a multi-state lawsuit against Affinion (formerly Trilegiant) resulted in $14.5 million in consumer restitution and penalties.  Affinion is now in the hot seat for possible violations of that settlement order.

A report on aggressive sales tactics issued by the U.S. Senate Committee on Commerce in November said the three companies have taken $1.4 billion from customers in a little more than a decade.  The billing information is generally passed through to the club sellers without the consumers’ direct consent.  Online retailers linked to the sellers earned revenue as well.  According to the report, 19 online retailers generated more than $10 million and 69 online retailers generated between $1 million and $10 million in revenue.  Classmates.com received more than $70 million from these practices.  The report also stated that more than 450 retailers were partnered with the three companies.

In its agreement with the NY Attorney General, Fandango has agreed to suspend contracts with all discount club sellers.  The company also agreed to pay $400,000 into a consumer redress fund. Fandango will also adopt the following reforms:

  • Review and approve all Fandango incentive offers made in connection with online purchases and require any contracted discount club seller to provide the numbers of New York customers enrolled and complaints received from those customers
  • Explicitly warn consumers that the incentive is offered for joining a separate company’s membership club
  • Explicitly notify consumers when they are redirected to a discount club seller’s site that they are leaving Fandango’s Web site
  • Ensure that all cash-back or rebate offers made by contracted membership club sellers comply with New York state rebate laws by providing redemption forms and information at the time of the offer

The subpoenas from Cuomo’s office seek information about each retailer’s practices of sharing consumers’ account information with membership program companies; their knowledge of any deceptive solicitations; and compensation received from the membership companies.  The downside to Cuomo’s efforts (or any individual state’s efforts) is that any resulting legislation will only protect consumers in that state.

In addition to Fandango and Barnes & Noble, retailers being investigated include Orbitz, Buy.com, Ticketmaster, MovieTickets.com, FTD, Shutterfly, 1-800Flowers, Avon, Budget, Staples, Priceline, GMAC Mortgage, Classmates.com, Travelocity, Vistaprint, Intelius, Hotwire, Expedia/Hotels.com, Columbia House, Pizza Hut and Gamestop/EB Games.

Vistaprint, Priceline, Expedia and 1-800-Flowers.com said they severed ties with the companies last fall.  William Lynch, President of Barnes & Noble.com states that they “welcome the NY Attorney General’s review because it will show that Barnes & Noble does not, nor has it ever, shared customer debit or credit card information with discount clubs.”

Some companies are staying with the clubs, despite complaints. Orbitz.com said in a statement that it had “improved its sign-up process with Webloyalty in a way that will ensure consumers know they are consenting to membership in a paid club.”

As part of a continuing investigation by the Commerce Committee, Senator Rockefeller (D-WV) has sent letters to Visa, American Express, and MasterCard requesting information relating to cardholder inquiries about unauthorized charges stemming from “data pass” and any efforts made by the companies to reduce the number of chargeback requests from cardholders.  The letters also requested information regarding continuity programs that trigger a high chargeback percentage.

The club sellers claim their practices are legal but have promised changes.  Following the Commerce Committee report accusing them of acting unethically, all three club sellers began requiring customers to re-enter all 16 digits of their credit card number for enrollment.

Continuity plans, upsells/cross-sells and post-transaction marketing can be a BIG benefit to online retailers and club program marketers, as long as they are executed ethically.  Consumers who get burned end up losing trust in all online retailers and marketers using similar sales tactics.  So even if an online retailer is on the up-and-up, its sales and conversions can be hurt by the negative experiences customers have had with other online retailers and marketers.

Can You Trust Mobile Phones With Your Money?

Recent reports about the security of mobile phone payments have raised red flags on the next hot payment channel.  Encryption on GSM calls has already been hacked, and various researchers have released findings and tools that might encourage cyber crime.  Well, maybe that was not exactly the motive, but a GSM encryption codebook – a “how-to” guide to breaking GSM encryption – has been released by a team of German researchers.  Their goal was not to assist cyber criminals, but to encourage stronger security protocols for mobile technology.  A Dutch security firm, XS4ALL, discovered a worm that infects the iPhones of users who conducted banking with ING Group.  Recent news also reported that three researchers from Israel broke an encryption algorithm used to encrypt communications on the (fairly new) 3G wireless networks.  It’s important to note that GSM is employed in over 80% of mobile phone technology and the algorithm used to encrypt GSM phones is over 20 years old.

“…the algorithm used to encrypt GSM phones is over 20 years old.”

Mobile payments are a hot topic, particularly for companies and merchants targeting the unbanked – or underbanked – segment.  Research by Mercator Advisory Group shows that 68% of consumer payments (by dollar volume) will be electronic-based in 2012.  The group estimates that share will be 75% by 2017.  Electronic payments offer huge cost savings for merchants, as well as financial institutions.  Consumers are demanding more ways to operate remotely as well as easy ways to make payments.  It’s a win-win for both sides.  However, the fraud issue cannot be ignored.  Since smartphone technology is fairly new, few anti-fraud tools have been developed and even fewer have been deployed.

As smartphones provide access to more sensitive data each year, the need for security is of monumental importance.  There is some protection available for mobile phones, such as McAfee’s VirusScan Mobile (for Windows Mobile phones) and the VeriSign(R) Identity Protection Access for Mobile.  While these programs protect the phone against viruses, worms, spyware and malware, they do not encrypt data being sent or received.  However, VeriSign’s application does use a two-factor authentication tool and iPhones are equipped with Remote Wipe, which can erase the phone’s data remotely, should the phone be lost or stolen.

There are varying levels of security issues, depending on the type of mobile payment (mobile web site, contactless, SMS, etc.).  Vulnerabilities in standards, infrastructures, platforms, and technologies (i.e. GSM, NFC, SMS, Bluetooth, RFID, mobile applications, etc.) make it a complicated task for researchers to develop protections against data loss.  Mobile malware and spyware, Trojans, phishing attacks and third-party applications add even more threats.

The future of mobile payments, tagged sometimes as ‘m-payments’, would have credit card data embedded on the SIM card or on a chip in the phone.  (Fingerprint scanning is envisioned further into the future.)  Remote access to the phone and its payment applications would be necessary should the phone be lost or stolen.  This would require agreements between carriers, equipment manufacturers and financial institutions.  Additionally, organizations that deal with sensitive data (i.e. financial, medical, personal identification) would still have to comply with various regulatory requirements (such as HIPAA and SEC) for protecting data.

A new industry consortium, the Financial Services Technology Consortium (FSTC), formed in 2009, is tasked with developing standards for secure mobile payment transactions, regardless of the device or carrier.  Jim Pitts, managing executive of the FSTC’s Payments Standing Committee (Payments SCOM), stated that the standards may also recommend that individuals be authenticated before making a purchase.  Standards will likely include the use of a SIM card or data chip to authenticate the device and authorize the payment.  Due to various technologies and products in use today, the costs required by all parties will likely cause delays in the standards being accepted as well as compliant products and services being deployed.