My Merchant Account Blog


Cardholder Data and Sensitive Authentication Data Elements

Thursday, December 04, 2008
Cardholder data includes the Primary Account Number (PAN), cardholder name, expiration date and service code; the sensitive authentication data elements are the CAV2 / CVC2 / CID / CVV2, the PIN, and the other data found on the full magnetic stripe. Some of these fields may never be stored at all; others may be stored only as long as they are encrypted.

Never store the CAV2 / CVC2 / CID / CVV2 in your database or logs; doing so is a direct violation of the requirements. If you have to store the PAN for any reason, it must always be encrypted. If it needs to be displayed, it should be masked unless the person viewing it is authorized and has a specific need to see the full account number. You can display the first six digits and the last four digits if necessary, but that is the maximum number of digits you should show. Some websites show the customer only the last four digits so he can confirm which card number is on file with the merchant.

The cardholder name, service code, and expiration date can be stored, but must be encrypted if they are stored together with the PAN. PCI DSS does not apply if PANs are not stored, processed, or transmitted.

The PAN should be unreadable anywhere it is stored, including backups, logs, and any other media used to hold the numbers. Developers can consider truncation, strong cryptography, index tokens with securely stored pads, or a one-way hash based on strong cryptography.

The PAN should never be sent in unencrypted email (almost all email is plain text), instant messaging, chat, or over any other unsecured channel. If you ask customers to send you their PAN through a form-to-email method, you must make sure the email itself is secure. An https: in the form's URL does not mean the resulting email is secure and encrypted.

Card Validation Value or Code

The card associations developed a three- or four-digit code to help prevent fraud on keyed transactions. This code is uniquely assigned to each card and ties the card account number to the physical card.
  • CVV2: Card Verification Value 2 (Visa)
  • CVC2: Card Validation Code 2 (MasterCard)
  • CID: Card Identification Number (American Express and Discover)
  • CAV2: Card Authentication Value 2 (JCB)
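The storage and display rules above (mask to at most first six and last four, never persist the CAV2 / CVC2 / CID / CVV2, keep the PAN out of logs) as working code. This is an added example, not code from the blog; the field names, the Luhn helper used to limit false positives in the log scrubber, and the sample log line are all assumptions constructed for it.

```python
import re

# Sensitive authentication data named in the post: never written to a
# database or log, not even encrypted. Field names are constructed for the example.
SENSITIVE_AUTH_FIELDS = {"cvv2", "cvc2", "cid", "cav2", "pin", "magnetic_stripe"}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test (an assumed helper, not from the post). Used so
    the log scrubber leaves ordinary numbers alone and only masks real PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return len(digits) >= 13 and total % 10 == 0


def mask_pan(pan: str, first: int = 6, last: int = 4) -> str:
    """Mask a PAN for display. The post allows at most the first six and last
    four digits to be shown; everything in between becomes '*'."""
    if first > 6 or last > 4:
        raise ValueError("may not reveal more than the first six and last four digits")
    digits = re.sub(r"\D", "", pan)
    hidden = len(digits) - first - last
    if hidden <= 0:                # too short to mask meaningfully: hide it all
        return "*" * len(digits)
    return digits[:first] + "*" * hidden + digits[len(digits) - last:]


def sanitize_for_storage(record: dict) -> dict:
    """Prepare a transaction record for persistence: drop every sensitive
    authentication field and keep only a masked PAN. Encrypting or tokenizing
    the full PAN, if the business really must keep it, is a separate step not shown."""
    clean = {}
    for key, value in record.items():
        if key.lower() in SENSITIVE_AUTH_FIELDS:
            continue
        if key.lower() == "pan":
            clean["pan_masked"] = mask_pan(value)
            continue
        clean[key] = value
    return clean


# 13-19 digits, optionally separated by spaces or dashes, not glued to other digits.
_PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# 'cvv2=123', 'CID: 1234' and the like, as they tend to appear in debug logs.
_CODE_RE = re.compile(r"(?i)\b(cvv2|cvc2|cid|cav2)(\s*[=:]\s*)\d{3,4}\b")


def redact_log_line(line: str) -> str:
    """Mask Luhn-valid card numbers and blank out verification codes in a log line."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group(0))
        return mask_pan(digits) if luhn_valid(digits) else m.group(0)
    line = _PAN_RE.sub(_mask, line)
    return _CODE_RE.sub(lambda m: m.group(1) + m.group(2) + "***", line)


if __name__ == "__main__":
    # Constructed sample log line; the card number is a well-known test number.
    sample = "2008-12-04 10:15:02 order=5567 pan=4111 1111 1111 1111 exp=12/10 cvv2=123"
    print(redact_log_line(sample))
```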



The Security of Your Customers

Wednesday, March 19, 2008
In the past we have always talked about credit card security, PCI compliance, and so on, but I would also like to remind you about your customers' usernames and passwords. How are they being stored? A lot of shopping carts store this information in plain text. If the passwords are stored in plain text and your server is compromised, your users' credentials are readily available to the attackers.

Most shopping carts store this information in a database such as Microsoft Access, MySQL, or MSSQL. You should be able to view the database somehow, for example through phpMyAdmin, Microsoft Access, or Microsoft SQL Server 2000 Desktop Engine (or something similar). How you access it is usually established when you choose a web hosting provider; some will also let you connect via Open Database Connectivity (ODBC).

When you are viewing these tables and records, look for the table that stores your users' information, especially the password column. Are the passwords stored in a protected form (hashed or encrypted) rather than in plain text? If not, consider another shopping cart, or contact the vendor for help enabling secure password storage.

Many consumers use the same password for everything. While this is a great risk to them, it is also the quickest way for them to get to their information, so they keep doing it. This is the reason you want to protect them as much as possible.

Your Shopping Cart Password

First and foremost, your administrator password should be changed immediately when you start to add your items. Don't wait until you are going live; you have too much on your mind by then. Your password should contain letters, numbers and maybe a couple of extra characters like %, !, *, {, etc. The harder it is for you to remember, the better.

Did you know that by changing your password from the vendor-supplied password, you have already met one of the requirements for PCI DSS?

Password Strength and Security

When new customers are signing up, your website should ask them for a unique password, and explain why your company is asking for this. Password Checker is also a great website for letting them test their password strength.

When asking users to create an account, their session should be over a secure connection. This helps protect them while they are entering their username and password. Even if you use a third-party processor or let an electronic payment gateway's web page handle the transaction, any page that asks for a password should be secure.
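The two password points above, storing customer passwords in a protected form instead of plain text and enforcing the letters-numbers-extra-characters rule, as a worked example. This is added code, not the blog's or any shopping cart's; the PBKDF2 iteration count, the stored-value format, the minimum length and the "does this column look like plain text" heuristic are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import os
import re

# PBKDF2-HMAC-SHA256 work factor; the value is an assumption for this example.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing 'pbkdf2-sha256$iterations$salt$hash' string.
    A fresh random salt per user means two customers with the same password
    get different stored values, so a stolen table cannot be cracked in bulk."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2-sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time.
    A value that is not in our format (for example a plain-text password
    left over from the old cart) never verifies."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
        if algo != "pbkdf2-sha256":
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        iterations = int(iters)
    except (ValueError, binascii.Error):
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(dk, expected)


# Shapes a stored value takes when it is a salted, iterated hash (assumed list).
_SALTED_FORMATS = re.compile(r"^(pbkdf2-sha256\$|\$pbkdf2|\$2[aby]\$|\$argon2|\$scrypt)")
# Bare MD5 / SHA-1 / SHA-256 hex digests: hashed, but unsalted and fast to crack.
_UNSALTED_HEX = re.compile(r"^[0-9a-f]{32}$|^[0-9a-f]{40}$|^[0-9a-f]{64}$", re.I)


def classify_stored_password(value: str) -> str:
    """Heuristic for the 'are the passwords encrypted?' check when you open the
    cart's user table: 'ok' for a salted iterated hash, 'unsalted-hash' for a bare
    hex digest, 'plaintext' for anything else."""
    if _SALTED_FORMATS.match(value):
        return "ok"
    if _UNSALTED_HEX.match(value):
        return "unsalted-hash"
    return "plaintext"


def audit_password_column(values) -> dict:
    """Tally the classifications over a column of stored password values."""
    counts = {"ok": 0, "unsalted-hash": 0, "plaintext": 0}
    for v in values:
        counts[classify_stored_password(v)] += 1
    return counts


def password_meets_policy(password: str, min_length: int = 8) -> bool:
    """The post's rule for the admin password: letters, numbers, and a couple of
    extra characters such as %, !, *, {. The minimum length is an assumption."""
    return (
        len(password) >= min_length
        and re.search(r"[A-Za-z]", password) is not None
        and re.search(r"\d", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


if __name__ == "__main__":
    # Constructed sample column: one plain-text value, one bare digest, one proper hash.
    column = ["hunter2", "0123456789abcdef0123456789abcdef", hash_password("Tr0ub4dor&3")]
    print(audit_password_column(column))
```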


Payment Application Best Practices from Visa

Tuesday, March 11, 2008
High profile breaches of cardholder data have garnered a lot of attention in the media.  Most of us have read or heard about the 40 million cards that were compromised at CardSystems, or the 100 million cards compromised at TJX.  As a result of these breaches, the payment industry developed the Payment Card Industry (PCI) Data Security Standard (DSS).  However, complying with the PCI DSS can be complicated and expensive, especially for smaller merchants.  Although we may not read about it in the press, breaches at smaller merchants occur every day because the payment hardware and software they use is not compliant with PCI DSS. 

In an effort to make compliance with the PCI DSS a little easier for merchants who use payment application software, Visa developed the Payment Application Best Practices (PABP).  The PABP applies to software applications that store, process, or transmit cardholder data as part of authorization or settlement.  It does not apply to software developed in-house by merchants since that would be covered under the merchant’s normal PCI DSS compliance. 

Software vendors are required to have their payment applications certified as PABP compliant by a Qualified Application Security Professional who is employed by a Qualified Payment Application Security Company. Once compliant, Visa will include the software vendor and product version in a list of validated payment applications for one year. Software vendors must re-validate their payment applications each year to remain on the list.

The PABP mandates are designed to eliminate the use of non-secure or vulnerable payment applications from the Visa system. They require that members ensure that merchants do not use applications that retain prohibited data elements and that merchants use payment applications that adhere to Visa's PABP. If you are using a payment application from a software vendor that is not PABP compliant, then you will not be able to comply with the PCI DSS.

As of January 1, 2008, new merchants are not allowed to establish a merchant account using a non-compliant payment application. Existing merchants should check with their agent or ISO to make sure their payment application is on the list of PABP compliant applications.



MasterCard Security Card Features

Thursday, February 08, 2007

When a consumer gives you his / her MasterCard® credit card to process, you should swipe the card and keep hold of it. Every MasterCard® card contains a set of unique design features and security elements developed by MasterCard® to help merchants verify a card's legitimacy. Keeping the card lets you take a look at it to verify the security features and to compare the signature on the back of the card with the signature on the sales receipt.

MasterCard International has introduced new card design format options and modified several card security features. New card design options offer flexible placement of the MasterCard Hologram (card front or back) and introduce the option to use a new holographic magnetic tape, HoloMag™ (card back only). This quick reference guide will highlight valid card formats, as well as mandated card security features.

Front of the MasterCard®

The "MC" Security Character is no longer permitted on newly issued cards (effective June 1, 2006), but may continue to appear on cards through June 2010. This is the cursive M that you might see near the expiration date. The MasterCard® logo should be on the right-hand side, either in the top right or lower right of the card. On the front, you will see an embossed or printed account number. The account number should be even and straight. Right underneath the account number, you will see four digits. This four-digit number must match exactly the first four digits of the account number.

Requirements

  • Must include full-color MasterCard® Brand Mark
  • MasterCard® account numbers must start with the number 5
  • First four digits of the account number must be the same digits as those printed directly below (pre-printed BIN)
  • 16-digit account number must be clear and uniform in size and spacing and must appear on one line
  • Must include valid expiration date
  • Must include MasterCard® Hologram unless hologram or MasterCard® HoloMag tape appear on card back

Optional

  • MasterCard Hologram may be removed from the card front if the hologram or MasterCard® HoloMag tape appears on card back
  • "MC" Security Character is no longer permitted on newly issued cards (effective June 1, 2006), but may continue to appear on cards through June 2010
  • Card design and MasterCard Brand Mark may be oriented vertically

Back of the MasterCard®

The last four digits of the account number must be printed in reverse italics on the signature panel.  The CVC 2 number is printed in reverse italics to the right of the last four digits of the account number. Instead of the magnetic stripe, you might see the HoloMag™.

Requirements

  • Must include signature panel with the word "MasterCard" printed in multicolors at a 45° angle
  • Last four digits of the account number must be printed in reverse italics on the signature panel
  • CVC 2 number (three-digit validation code) must be printed in reverse italics to the right of the last four digits of the account number
  • Magnetic tape must be present and appear smooth and straight with no signs of tampering
  • Must include MasterCard® Hologram or HoloMag tape unless hologram appears on card front

Optional

  • HoloMag tape may be used in place of the traditional magnetic tape
  • MasterCard Hologram may be placed on the card back if not appearing on card front

If you suspect that the MasterCard is fraudulent, call your Voice Authorization Center and tell them you have a Code 10.

Visa Credit Card Security Features

Wednesday, February 07, 2007

Earlier I wrote about an electronic payment gateway being the start of the transaction. However, if you really drill down, the consumer is the start of the transaction.  They initiate the transaction before it hits the electronic payment gateway.

When the consumer decides to buy your product in a brick and mortar atmosphere, the consumer will hand you his / her Visa credit card.  This card can be described in four different ways:

  • Cards with Visa Mini Dove Design Hologram on Back of Card
  • Cards with Visa Holographic Magnetic Stripe on Back of Card
  • Cards with Dove Design Hologram on Front of Card
  • Visa Flag Cards with Dove Design Hologram on Front of Card

Processing a Visa Transaction

When a consumer gives you his / her Visa credit card to process, you should swipe the credit card and hold on to the credit card.  Every Visa card contains a set of unique design features and security elements developed by Visa to help merchants verify a card's legitimacy.  This will allow you to take a look at the credit card to verify the security features and to compare the signature on the back of the card with the signature on the sales receipt.

Cards with Dove Design Hologram on Front of Card


Front of the Visa Credit Card
On the front, you will see an embossed or printed account number. The account number should be even and straight. Right underneath the account number, you will see four digits. This four-digit number must match exactly the first four digits of the account number. Both of these will also begin with a 'four'. You will then see a "Good Thru" or "Valid Thru" date. This is the expiration date of the card and is usually under the account number. The Visa Brand Mark appears in blue and gold on a white background. It must appear in either the bottom right, top left, or top right corner. The Flying Dove Hologram should appear to be three-dimensional and appear to move when the card is tilted back and forth.

Back of the Visa Credit Card
The signature panel has a tamper-resistant design.  If someone has tried to erase the signature, the word "VOID" will be displayed.  It may vary in length dependent on card type. There is also the magnetic stripe. The magnetic stripe is encoded with the card’s account number, expiration date, and other identifying information. Card Verification Value (CVV2) is a three-digit code that appears either on the signature panel or on a white box to the right of the signature panel. Portions of the account number may also be present on the signature panel. CVV2 is used primarily in card-not-present transactions to verify that the customer is in possession of a valid Visa card at the time of the sale.

Cards with Visa Mini Dove Design Hologram on Back of Card


Front of the Visa Credit Card
On the front, you will see an embossed or printed account number. The account number should be even and straight. Right underneath the account number, you will see four digits. This four-digit number must match exactly the first four digits of the account number. Both of these will also begin with a 'four'. You will then see a "Good Thru" or "Valid Thru" date. This is the expiration date of the card and is usually under the account number. The Visa Brand Mark appears in blue and gold on a white background. It must appear in either the bottom right, top left, or top right corner.

Back of the Visa Credit Card
The signature panel has a tamper-resistant design.  If someone has tried to erase the signature, the word "VOID" will be displayed.  It may vary in length dependent on card type. There is also the magnetic stripe. The magnetic stripe is encoded with the card’s account number, expiration date, and other identifying information. Card Verification Value (CVV2) is a three-digit code that appears either on the signature panel or on a white box to the right of the signature panel. Portions of the account number may also be present on the signature panel. CVV2 is used primarily in card-not-present transactions to verify that the customer is in possession of a valid Visa card at the time of the sale.

Cards with Visa Holographic Magnetic Stripe on Back of Card


Front of the Visa Credit Card
On the front, you will see an embossed or printed account number. The account number should be even and straight. Right underneath the account number, you will see four digits. This four-digit number must match exactly the first four digits of the account number. Both of these will also begin with a 'four'. You will then see a "Good Thru" or "Valid Thru" date. This is the expiration date of the card and is usually under the account number. The Visa Brand Mark appears in blue and gold on a white background. It must appear in either the bottom right, top left, or top right corner.

Back of the Visa Credit Card
The signature panel has a tamper-resistant design. If someone has tried to erase the signature, the word "VOID" will be displayed. It may vary in length dependent on card type. There is also the magnetic stripe. The Holographic Magnetic Stripe should show a ring around the sun when the card is moved from side to side, and the word "VISA" should appear in the center of the sun when the card is tilted. Card Verification Value (CVV2) is a three-digit code that appears either on the signature panel or in a white box to the right of the signature panel. Portions of the account number may also be present on the signature panel. CVV2 is used primarily in card-not-present transactions to verify that the customer is in possession of a valid Visa card at the time of the sale.

Visa Flag Cards with Dove Design Hologram on Front of Card


Front of the Visa Credit Card
On the front, you will see an embossed or printed account number. The account number should be even and straight. Right underneath the account number, you will see four digits. This four-digit number must match exactly the first four digits of the account number. Both of these will also begin with a 'four'. You will then see a "Good Thru" or "Valid Thru" date. This is the expiration date of the card and is usually under the account number. A Flying "V" is an embossed security character beside the "Good Thru" date. This character is not a required security feature and may or may not appear on the card. The Visa logo should have micro-printing around the border; the fine print is barely readable without magnification. The Flying Dove Hologram should appear to be three-dimensional and appear to move when the card is tilted back and forth. As a general rule of thumb, always check the hologram. It is easier to spot a re-embossed number there.

Back of the Visa Credit Card
The Signature Panel should be white with the word "VISA" repeated in a diagonal pattern in blue and gold print. The card account number should be printed in the panel. The words "Authorized Signature" and "Not Valid Unless Signed" must appear above, below, or beside the signature panel. If someone has tried to erase the signature panel, the word "VOID" will be displayed. There is also the magnetic stripe. The magnetic stripe is encoded with the card’s account number, expiration date, and other identifying information. Card Verification Value (CVV2) is a three-digit code that appears either on the signature panel or on a white box to the right of the signature panel. Portions of the account number may also be present on the signature panel. CVV2 is used primarily in card-not-present transactions to verify that the customer is in possession of a valid Visa card at the time of the sale.

When something does not look right, i.e. the security features look altered or are missing, keep the card in your possession and make a Code 10 call to your authorization center. You may be asked to keep the credit card or you might be instructed to return the card. If your authorization center tells you it is OK, write down the authorization number on the sales receipt.
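The visual checks from the MasterCard and Visa posts above (first digit and brand mark agree, the four printed digits match the start of the account number, 16 digits for MasterCard, a "Good Thru" date that has not passed, a three-digit code on the back) collected into one checklist function. This is an added example, not code from the blog or from either card brand; the function names and the sample card values are constructed for it, and an empty result only means nothing visible failed, not that the card is genuine.

```python
import re
from datetime import date


def brand_from_account_number(pan: str):
    """Brand implied by the first digit, per the two posts: Visa numbers begin
    with 4, MasterCard numbers begin with 5. Anything else is unknown here."""
    digits = re.sub(r"\D", "", pan)
    if digits.startswith("4"):
        return "Visa"
    if digits.startswith("5"):
        return "MasterCard"
    return None


def good_thru_passed(good_thru: str, today: date) -> bool:
    """'Good Thru' / 'Valid Thru' is MM/YY and the card is valid through the
    last day of that month. Returns True if that month is already over."""
    m = re.fullmatch(r"\s*(\d{2})/(\d{2})\s*", good_thru)
    if not m:
        return True                           # unreadable date: treat as a problem
    month, year = int(m.group(1)), 2000 + int(m.group(2))
    if not 1 <= month <= 12:
        return True
    first_of_next = date(year + (1 if month == 12 else 0), (month % 12) + 1, 1)
    return today >= first_of_next


def card_face_discrepancies(pan: str, printed_bin: str, good_thru: str,
                            logo_brand: str, code_on_back: str,
                            today: date) -> list:
    """Apply the checks the posts list for a card handed over in person and
    return the ones that fail. An empty list means nothing visible is wrong;
    still compare the signature and make a Code 10 call if anything feels off."""
    problems = []
    digits = re.sub(r"\D", "", pan)
    implied = brand_from_account_number(digits)
    if implied is None:
        problems.append("account number does not begin with 4 (Visa) or 5 (MasterCard)")
    elif implied != logo_brand:
        problems.append("first digit implies %s but the card carries the %s brand mark"
                        % (implied, logo_brand))
    if logo_brand == "MasterCard" and len(digits) != 16:
        problems.append("MasterCard account number must be 16 digits")
    if digits[:4] != re.sub(r"\D", "", printed_bin):
        problems.append("four digits printed below the account number do not match its first four")
    if good_thru_passed(good_thru, today):
        problems.append("Good Thru date has passed or is unreadable")
    if not re.fullmatch(r"\d{3}", code_on_back):
        problems.append("CVV2 / CVC2 on the signature panel must be three digits")
    return problems


if __name__ == "__main__":
    # Constructed sample: a card whose printed digits, date and code all disagree.
    for p in card_face_discrepancies("4111 1111 1111 1111", "4112", "01/07",
                                     "MasterCard", "12", date(2008, 2, 8)):
        print("-", p)
```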

Fighting Fraud in your E-Commerce Store

Monday, January 01, 2007

Card association payer authentication (e.g. Verified by Visa (VBV) and MasterCard SecureCode (MSC)) is becoming increasingly important in online transactions. Merchants also want to know whether the consumer is near his or her billing address, which can be checked using Geo-IP, whether the consumer has a tendency to do chargebacks, and perhaps the consumer's purchasing behavior.

Quantum Gateway

The Quantum Payment Gateway is the only payment gateway in the United States to offer the following at no extra charge to the merchant:

  • A Virtual Terminal (both for the desktop and your smart phone)
  • MaxMind GeoIP
  • QuantumVault (to securely store your customers' credit card numbers)
  • Recurring Billing
  • Address Verification Service (AVS)
  • DialVerify
  • Verified By Visa / MasterCard Secure Code (VBV / MSC)

Verified by Visa / MasterCard SecureCode

I wrote some things regarding VBV / MSC a few months ago and it still holds true today. VBV merchants are protected from chargebacks under Reason Code 83 (I didn't do it). MasterCard cardholders, though, have to be enrolled in MSC for you, the merchant, to be protected.

Consumer Purchasing Behavior

While a number of electronic payment gateways use First Data's Nashville platform to process credit card transactions, First Data retains these transactions per Visa and MasterCard regulations. LinkShield™, which uses software developed by Fair Isaac Corporation, is available to LinkPoint merchants. A few gateways that use First Data's Nashville platform include:
  • LinkPoint Secure Payment Gateway
  • Authorize.net Electronic Payment Gateway
  • Verisign's Payflow Services
  • PC Charge
  • Cybersource
  • Jettis
  • USA ePay
  • Yahoo®

This is just a small percentage of the electronic payment gateways that use the First Data Nashville platform as their transaction processor. First Data takes these transactions and profiles them. When using the LinkShield™ product along with the LinkPoint Secure Payment Gateway, the merchant has the ability to accept or decline the transaction based on the score that First Data provides. First Data also offers another option using the ClearCommerce® FraudAnalyzer.

FraudAnalyzer uses neural network technology to score fraud risk in real-time. The model was developed by examining extensive transaction and chargeback data supplied by ClearCommerce's Fraud Data Consortium, which includes millions of e-commerce transactions supplied by thousands of merchants. With the addition of FraudAnalyzer, the ClearCommerce® Engine is the only transaction processing software that integrates merchant rules, neural network risk scoring, service data and human review to minimize credit card fraud costs.

Preventing Online Fraud

Saturday, December 23, 2006

One of the first things you need to do as a merchant is to verify the consumer. On card-present transactions, this can easily be done by asking for a valid photo identification card, i.e. a driver's license or state-issued ID card. On card-not-present transactions, this is much more difficult for the merchant to accomplish.

Basic Fraud Prevention Techniques - Steps One, Two, and Three

Address Verification

The first step in preventing fraud in a card-not-present environment is called address verification. The consumer enters their billing address. The gateway sends this information over to the transaction processor (usually First Data or Nova (Elavon)) for verification. The transaction processor sends back codes to let you know whether the AVS was a match or not. Usually this match is done on the street number and ZIP code only. So if the street address was 1234 Main Street and the ZIP code was 90210, the transaction processor would look only at 1234 and 90210. The alpha characters are not verified.

Once this is completed, you will want to seriously consider sending your product to the billing ZIP code.  This will help to prevent some of the chargebacks but will also cause some problems if the consumer works all day.  The shipping companies have become so inundated with packages from the ever-growing business, that they will drop the package at the door, not waiting for a signature.  Without a signature, you do not have proof of delivery. 

AVS is subject to a significant rate of "false positives" which may lead to rejecting valid orders as well as missing fraudulent orders.  If the cardholder has a new address or a valid alternate address (such as seasonal vacation home), this information may not be up-to-date in the records of the cardholder's issuing bank, so the address would be flagged as invalid.  Merchants typically do not rely solely on the AVS result to accept or reject an order.  Approximately 75% - 80% of online merchants rely on address verification service as a tool to help prevent fraud. 

CVV2 / CVC2 / CID


Card Verification Value 2 / Card Verification Code 2 / Card Identification Number

Visa calls the three-digit number a CVV2 (Card Verification Value 2). MasterCard calls it CVC2. American Express and Discover call it CID. This number is found on the back of Visa, MasterCard, and Discover cards. On American Express it is a four-digit number on the front of the card. The card associations first introduced this number to curb fraud, and told merchants not to store it, thinking this would potentially stop most of the fraud. However, these numbers can be obtained by fraudsters just as credit card numbers are obtained. Usage of the CVV2 / CVC2 / CID by online merchants has continued to increase, rising from 44% of online merchants using this tool in 2003 to 66% today. It appears that asking for the CVV2 / CVC2 / CID has become standard practice for many online merchants in 2005.

The purpose of the card verification number in a card-not-present transaction is to verify that the person placing the order has the card in their possession, since the extra digits are printed only on the card. Requesting the card verification number during an online purchase adds a measure of security to the transaction. Approximately 66% - 75% of online merchants rely on this number to help reduce fraud.
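The address-verification step (compare only the street number and ZIP, ignore the alpha characters), the ship-to-billing-ZIP step, and the rule of not relying on the AVS result alone, as one worked screening example. This is added code, not the blog's or any gateway's; the Y / A / Z / N response letters are the commonly used Visa-style AVS codes and the accept / review / decline policy is an illustrative assumption, while the sample order reuses the post's 1234 Main Street / 90210 example. The CVV2 / CVC2 / CID itself is passed to the processor and never kept; only the processor's match answer enters the decision.

```python
import re


def avs_components(street: str, zip_code: str):
    """Reduce an address to what the post says the processor actually compares:
    the street number and the five-digit ZIP. Alphabetic characters are ignored."""
    m = re.match(r"\s*(\d+)", street)
    number = m.group(1) if m else ""
    zip5 = re.sub(r"\D", "", zip_code)[:5]
    return number, zip5


def avs_result(entered_street, entered_zip, on_file_street, on_file_zip) -> str:
    """Simulate the issuer's AVS response. The letters are the widely used
    Visa-style codes (an assumption, not from the post): Y street number and
    ZIP match, A street number only, Z ZIP only, N neither."""
    number, zip5 = avs_components(entered_street, entered_zip)
    file_number, file_zip = avs_components(on_file_street, on_file_zip)
    street_ok = number != "" and number == file_number
    zip_ok = zip5 != "" and zip5 == file_zip
    if street_ok and zip_ok:
        return "Y"
    if street_ok:
        return "A"
    if zip_ok:
        return "Z"
    return "N"


def ships_to_billing_zip(ship_zip: str, billing_zip: str) -> bool:
    """The post's second step: ship only to the billing ZIP when you can."""
    ship5 = avs_components("", ship_zip)[1]
    bill5 = avs_components("", billing_zip)[1]
    return ship5 != "" and ship5 == bill5


def order_decision(avs_code: str, cvv_matched: bool, ships_to_billing: bool) -> str:
    """Illustrative policy (an assumption) that does not rely on AVS alone:
    accept only a full match with a CVV2 match shipped to the billing ZIP,
    decline when nothing matches at all, and send everything else to manual
    review so a new or seasonal address does not cost you a valid order."""
    if avs_code == "N" and not cvv_matched:
        return "decline"
    if avs_code == "Y" and cvv_matched and ships_to_billing:
        return "accept"
    return "review"


def screen_order(order: dict, on_file: dict) -> dict:
    """Run the steps over one order. 'order' is what the consumer typed plus the
    processor's CVV2 answer; 'on_file' is the issuer's address of record."""
    code = avs_result(order["bill_street"], order["bill_zip"],
                      on_file["street"], on_file["zip"])
    same_zip = ships_to_billing_zip(order["ship_zip"], order["bill_zip"])
    return {"avs": code, "ship_to_billing": same_zip,
            "decision": order_decision(code, order["cvv_matched"], same_zip)}


if __name__ == "__main__":
    # Constructed sample order using the post's 1234 Main Street / 90210 example.
    order = {"bill_street": "1234 Main Street", "bill_zip": "90210",
             "ship_zip": "90210", "cvv_matched": True}
    print(screen_order(order, {"street": "1234 MAIN ST", "zip": "90210-4321"}))
```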

Other Measures

There are other measures to consider as well: calling the customer to verify the order, looking at the IP address, and Verified by Visa (VBV) / MasterCard SecureCode (MSC). Some of these have to be integrated into the electronic payment gateway. Check out the Quantum Gateway; it offers all these features at no cost. They care more about your business than any other provider out there and built this electronic payment gateway to help merchants combat fraud.

© 2005 - 2024 - Merchant Account Forums - Contact Us for Permission to Display Our Complete Posts on Your Website