Thieves Jam up Smucker’s Card Processor

Virtual thieves have struck again! As Congress and the major credit card companies race to come up with new, more secure credit card payment solutions, the world-famous jelly and jam maker, Smucker’s, has seen its own infrastructure jammed up, shutting its online store last week amidst the need to rebuild after a security breach jeopardized sensitive credit card data.


Research indicates that the company was only one of several dozen other companies that were hacked in 2013, including Adobe, LexisNexis, Dun & Bradstreet, and others. The latest information about the hit is that the malware in question acts like a banking Trojan, except that rather than targeting a PC, it targets web applications. This makes it potentially even more dangerous, as it won’t be restricted to a single operating system or set of operating systems, but could hit you at any computer that accesses the Web, be it a Windows PC, a Mac, or a Google Chromebox. Even tablets and mobile devices may be vulnerable.


This particular malware, much like other Trojans, tears data such as names, addresses, phone numbers, credit card numbers, and card verification codes from visitor-submitted forms as customers submit them during checkout. This hammers home the idea that security when it comes to credit card payment solutions goes two ways—if either the end user or the company is compromised, the malware can slip in. Both ends need to be secure for any sort of encryption to work. In this case, the issue was that Smucker’s and the other targeted vendors were running outdated (and thus vulnerable) versions of Adobe’s ColdFusion web application.


There is an important and yet very costly lesson to be learned here, which is particularly important to small businesses: if a giant like Smucker’s can be hit, so can you. Never take the cheap route out when it comes to security by running an outmoded, outdated, and vulnerable security package. Make sure that whatever credit card payment solutions you use are the latest version, with up-to-date security standards at both the end-user point and the processing point. This is the only way you can protect your customers’ sensitive data from the legions of hackers just waiting to suck up their personal data for unscrupulous use.

How Debit Card Processing Works

You’re familiar with the basics—you walk up to an automated teller machine, insert your card, punch in your PIN, ask for cash and (provided you have some in your account) you get your money. On the other hand, perhaps you don’t have any cash in your wallet and you want to make a purchase. So long as you’ve got the cash in your account, you’re good to go. You swipe your card at the terminal just like a credit card, maybe enter your PIN, and the purchase is made. It all seems very easy, but what is the debit card payment process? How does the transaction go from point of sale to your bank and back?


There are two forms of debit card payment process. These are the offline, signature-based process, and the online, PIN-based process.


Offline cards have to be branded as VISA or MasterCard, and are processed in a similar manner to credit cards. That is, the vendor’s equipment connects to a payment network, sends the request from the card, and waits while the network performs a series of tests to ensure that the card is authorized for use and is not frozen or over the limit (or overdrawn, in the case of the debit card). This whole process generally only takes a few seconds. If the request is approved, you will sign the receipt, at which point the vendor puts the request into a payment batch and goes through a settlement process at the close of the business day to get the money. This can take 48 to 72 hours.


For the online debit card payment process, you will swipe your card and be asked to enter your PIN, which substitutes for your signature. In many cases, this type of transaction gives you the option to get cash back. Since you have used your PIN, by the time the sales information gets to your financial institution, the transaction itself is already authorized by you, so no authorization check is performed. Similar to the offline method, the connection and communication with the network takes mere seconds to perform. As long as there is enough money to cover the sale in your account, the transaction will be approved. Unlike the offline method, your checking account will immediately be debited—there is no waiting period for processing, and funds are transferred instantly from your account to the vendor’s.

An Overview of Smartphone Processing

Since the earliest days of credit cards, they have represented an easy way to pay for goods and services without the need to carry wads of cash around. However, for a long time, this required bulky credit card processing systems which took up a lot of space and were certainly not portable.


These bulky systems are no longer valid in an era when technology is small, fast, and always plugged in. Since it seems just about everyone has a smartphone, processing credit cards using the handheld device seems not only practical, but a must if you wish to get ahead in business today.


More and more small business owners are turning to smartphone processing for acceptance of credit card payments. There are many varieties and options available to do this, from basic apps which allow the entry and transfer of a patron’s information via a virtual wallet, such as PayPal or Google Wallet, to vendor merchant services which provide an actual swipe card reader with multiple layers of security to accept direct credit card payments.


The options for these systems vary—most charge a fee of some sort, be it a “per transaction” or “per swipe” fee, or a percentage of funds transferred. Many allow emailing of a receipt, and some allow customizability features such as the ability to create customer loyalty programs. You should make sure that whatever system you choose, it doesn’t store customer payment information on your device (though some do store contact and demographic information, allowing you to create a database of contacts for the purposes of targeted marketing and sales promotions). Some offer the ability to process refunds—either full or partial—on the spot. Others allow inventory management and tracking via barcode scanning, and for those merchants who travel from state to state, some offer the ability to automatically calculate sales tax based on your location.


There are many options available for smartphone processing these days, and if you are a business owner, you are doing yourself a disservice by not taking advantage of the ability to take credit card payments on the go. A quick web search will turn up lots of options, making it very easy to do your research and choose the option that is best for your business.

Banks push for tokenization standard to secure credit card payments

Virtual terminals for credit card processing are the wave of the future, but with technology continually evolving to increase both convenience and security, credit cards themselves may be changing. A group of 22 of the largest banking corporations in the world has come together to push for widespread use of a new technology called tokenization.


Currently, the plan is to move to the Europay Mastercard Visa (EMV) smartcard over the next couple of years. This involves implanting a smart chip into credit cards and will eventually result in the phasing out of magnetic strips for card readers (including those readers used with virtual terminals for credit card processing). This represents one downside of EMV, which was pioneered before the widespread adoption of online commerce, smartphones and tablets. This makes EMV problematic for online payments.


Tokenization, on the other hand, is a means of encoding a card’s primary account number (PAN) through the use of a randomly generated sequence of alphanumeric characters the same length and format as the original account number, each time the card is swiped. This makes it very difficult to clone the original card, as the card’s actual numbers are not in any way transmitted to the retailer’s system, though the token can be “reverted” to the original PAN using the proper encryption keys. Tokens can be one-time only, or multi-use.


With this method, data is encrypted before it is sent to the payment processor and is then decrypted at the processor, which has the encryption key. What this means is that anyone who uses malware to intercept the transmission receives only the token and not the actual PAN. The retailer, on their end, can use the token to track the transaction and handle issues related to the transaction, without ever storing the actual PAN on their system.
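
The token flow described above, as an added example that is not from the banking group's proposal or any vendor's product. It assumes a processor-side lookup table (a "vault") in place of the key-based reversal the article mentions; the class and function names are hypothetical, and the card number is a well-known test PAN.

```python
import secrets
import string

# Assumption: tokens use upper-case letters and digits ("alphanumeric").
ALPHABET = string.ascii_uppercase + string.digits


def luhn_valid(pan: str) -> bool:
    """Standard Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Processor-side store: the only place a token maps back to a PAN."""

    def __init__(self):
        self.by_token = {}      # token -> (pan, multi_use)
        self.multi_use = {}     # pan -> its multi-use token

    def tokenize(self, pan: str, multi_use: bool = False) -> str:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a valid PAN")
        if multi_use and pan in self.multi_use:
            return self.multi_use[pan]
        while True:
            # Random token with the same length as the PAN.
            token = "".join(secrets.choice(ALPHABET) for _ in pan)
            # Reject collisions and all-digit tokens that could pass for a PAN.
            if token not in self.by_token and not token.isdigit():
                break
        self.by_token[token] = (pan, multi_use)
        if multi_use:
            self.multi_use[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        pan, multi_use = self.by_token[token]   # KeyError if unknown
        if not multi_use:
            del self.by_token[token]            # one-time token is spent
        return pan


def merchant_record(token: str, amount_cents: int) -> dict:
    """What the retailer keeps: the token and the sale, never the PAN."""
    return {"card_ref": token, "amount_cents": amount_cents}


if __name__ == "__main__":
    vault = TokenVault()
    test_pan = "4111111111111111"               # constructed test value
    token = vault.tokenize(test_pan)
    print("merchant stores:", merchant_record(token, 1999))
    print("processor recovers PAN:", vault.detokenize(token) == test_pan)
```
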


The beauty of this system, says the banking group, is that it would not require changing the method of credit card payment, be it point of sale, mobile, or virtual terminals for credit card processing, in any way, since the new security is entirely software-based. Since the process is so centralized, this means that only a minute portion of the network can generate and decode the keys, which vastly increases security and protection of card information.


EMV is also looking at the possibility of tokenization, not as an alternative to the currently-championed smartcard technology, but as a complement to it, thus further increasing the security attached to the smartcard.



Mobile payments once again on the cusp of taking off

The popularity of mobile payments has been steadily on the rise for many years now. Ever since the first service came online there have been whispers, rumors, and promises that mobile payments would spell the end of traditional and bulky credit card payment terminals, and possibly even of credit cards themselves. This, of course, has yet to happen.


Still, the demand is certainly there with a market flooded by competing platforms, from Google Wallet to PayPal and others, and in the past few years, mobile payment transactions have more than tripled. In 2012, there were $539 million in mobile transactions. Current estimates have these transactions hitting nearly $58 billion within the next three years.


Still, businesses have not yet adopted these platforms in any sort of widespread form, instead opting for merchant services that offer mobile card payment terminals, still an advantage over their bulky, specialized predecessors in many ways, including security, as shown by the recent Target hacking scandal. Why is this?


Part of the reason is that the convenience of mobile transactions isn’t that much greater than simply swiping your credit card. There is basic logic at work: when there’s not a perceived problem, a solution is not quick to be adopted. In short: there’s no incentive for consumer demand, and until there is, businesses will likely stick with card payment terminals.


Value incentives will be needed to fuel this transfer, in terms of customized offers. For example, if your device senses that you are at one of your favorite stores (via its location feature), it could automatically send coupons and special offers for that store. Versatility is also a must—PayPal, for example, allows for multiple forms of payment. It can be done online, as point of sale, via a mobile device, or even through a prepaid debit card.


Finally, as more popular vendors adopt this sort of payment, it will likely gain more traction. For example, as retailers such as Walmart, Target, CVS, Sears, and the like begin to adopt mobile payment functionality, the popularity will increase. Amazon, too, has been experimenting with expanding its Amazon Payments feature, and should this evolve into a mobile wallet, the functionality will certainly represent a big move away from the traditional card payment terminal.



RSPA Announces New CEO And President

The Retail Solutions Providers Association (RSPA) is a professional association that dedicates itself to the retail technology industry. Members of this association include credit card processors, manufacturers, service providers, software developers, consultants, finance companies and more. The idea behind the association is to provide advocacy and education as well as establish standards and services for the member companies to help expand business.


The RSPA is currently the only association of its type in existence and has seen significant growth in the past few years. It is also becoming an increasingly important resource in the wake of significant changes that are occurring in the point of sale industry, as credit card processors face the need for expensive new and evolving technologies to replace outdated mag-strips following the data breaches of the past year.


New Leadership for the RSPA

To that end, the RSPA Board of Directors has announced that they have appointed Ms. Kelly Funk as the new CEO and President of the association, as of April 7, 2014. Ms. Funk has held many impressive leadership positions, including serving with the Alzheimer’s Association and GE Financial. She is an adjunct faculty at Georgetown University, from where she also holds a Master’s in Leadership.


In addition, there are other staff shakeups in the association. Joe Finizio is now the Executive Director of Industry Strategies and Relations, where he will continue his services guiding and strengthening the association’s relationship with other professional societies and will be at the helm for developing strategies for the future and improving direct relations with association members.


The association also plans to expand its board of directors by four seats in hopes of bringing new voices and ideas to the leadership of the RSPA. This is a critical time for the association, and it recognizes the need to adapt to changes in the industry for credit card processors and other member organizations.

PCI Compliance a Concern for Small Businesses

Mobile processing capabilities mean a lot to small businesses. They enable the entrepreneur to compete with big corporations on the go, at a small cost with convenient features that enable marketing and data tracking to boot. However, what many small businesses don’t realize is that there are industry regulations in place for mobile processing and static point-of-sale terminals alike. These payment card industry (PCI) regulations are of major concern to small businesses, regardless of whether you have one or thirty employees.


Even if you only conduct a single transaction every month, you are still required to remain PCI compliant, and this process can be intimidating. A recent study showed that over 80 percent of companies are only about 80 percent compliant with PCI regulations, and that several months would be required to reach full compliance.


How to Remain Compliant

There are several things you can do to make sure you are in compliance with regulations. The first is to make sure that you identify all of your data, both business and client-based, and know how critical and sensitive this data is. If you go too broad you will run yourself into bankruptcy with expenses. Too narrow, and you jeopardize data.


Next, you should make sure that your mobile processing service is fully compliant. Any system that touches cardholder data in any way has to follow PCI regulations. If it’s not, you need to switch services. In addition, make sure that any servers that store or transmit data are in compliance with regulations.


Be sure that you have controls in place to protect the integrity of your cardholders’ data, and have a plan in place to respond to any breaches in security quickly and decisively. All of your employees should be fully versed in the security procedures and the response plan, with their responsibilities in case of a compromise clearly defined.


Remember, the minute you touch a credit card or debit card, or the minute a customer enters data in your online store, you are responsible for PCI compliance. Failure to remain compliant with standards could mean that you lose your privileges to accept credit cards for payments, and that can be disastrous.





PayPal releases revamped mobile credit card reader

Merchant credit card processing services leader PayPal seems to be continually evolving, adapting, and pushing technology forward. Now, just two years after the release of their original PayPal Here smartphone credit card swiper, they have released a new, re-done PayPal Here credit card reading device in Australia, and say that the new system will be available worldwide later in 2014.


The merchant credit card processing services field is crowded at best, with many competitors looking for vendor adoption, and innovation is necessary to stay at the top of the field. So what does the new PayPal card reader offer?


How about Bluetooth connectivity? The new card reader does not have to plug into your mobile phone, but connects via Bluetooth signals. As if that weren’t enough, the device also is designed to accept Chip and Pin cards and includes a PIN-entry keypad. While this functionality was specifically designed for the Australian market, where Chip and Pin cards are widely used and will soon be mandatory, it also greatly expands the usability of the device for businesses the world over; as magnetic strip cards are gradually phased out, users of the new card device may not have to upgrade to a new device when the new Chip and Pin cards are issued.


In addition, the device can generate invoices and log cash payments, and it will communicate directly with a user’s PayPal account for near instant money transfers.


The cost of the device in Australia is AU$139, and per swipe fees range from 1.95 to 2.9 percent depending on the type of transaction processed. Registration for the device is open now, and devices are scheduled to ship within the first half of the year. It is not a stretch to say that other merchant credit card processing services will soon follow suit.




Making Waves: The Free Payment Model

In 2012, a popular mobile payment vendor launched a new credit card processing campaign, claiming that the real value of mobile payment processing and low cost credit card processing vendors was in their ability to track customer data to the end of delivering targeted marketing campaigns. This will help merchants, they say, increase traffic and dollars to stores, all the while offering the ability to use mobile devices to enable the process.


In many ways, this doesn’t reflect low cost credit card processing, but free processing. All it asks in exchange is the embracing of a new kind of business model, which places value on accrued spending levels for the merchant. The merchant using the vendor only pays when a certain amount of value has been achieved from the use of the service.


This sort of model flies in the face of current accepted trends, which view the low cost credit card processing service itself to be the model, rather than the marketing and leveraging of information gained from the service. Interestingly, it seems to be catching on. For the first few years of the model, companies that use it and similar approaches were in the red for payments processing fees. Now, however, they are for the first time showing profits. A gamble early on appears to be paying off. It took a lot of clever bookkeeping to make it happen—strategies such as bundling swipe fees into a monthly charge instead of a per-swipe one, for example—but the strategy is seeing enough buy-in from new users that it is now generating profit.


Whether or not it catches on across the board remains to be seen, but for now, the early risk of merchant-driven campaigns seems to be paying off for early adopters of the business model.





Levi Strauss Hires Wal-Mart Exec to Expand Ecommerce

Popular jeans manufacturer Levi Strauss & Co is looking to expand its ecommerce operations and is looking to a Wal-Mart Executive to help them do so. Ecommerce credit card processing and operations are no longer a luxury for companies, but a necessity to survive and thrive in this day and age, and Levi has hired Marc Rosen, former senior V.P. of global ecommerce at Wal-Mart, to improve their operations.


Strong Credentials

Rosen’s list of credentials is strong. At Wal-Mart he held responsibility for the global design, operation, and expansion of, and it is hoped that he will do the same for Levi, expanding ecommerce credit card processing operations across the board. In addition, Rosen served as the senior vice president of information systems at Wal-Mart, and was responsible for the global supply chain, store system, and merchandising. He has held leadership positions in Ernst & Young as well.


Working for Levi

Rosen will be the new executive vice president and president of global e-commerce operations. He will be directly responsible for the and sites, as well as the high-growth markets for the company in China, France, Germany, Japan, the United Kingdom and the United States.  His services are needed, as while over the past few years, the manufacturer’s ecommerce has seen steady growth, this month it was reported that first quarter profits were down by 53% due to corporate restructuring. Levi’s credentials and savvy when it comes to ecommerce credit card processing and operations will go a very long way towards recovery of these profits, and, Levi hopes, an eventual increase. He will have a challenge ahead as he seeks to drive growth in the company as well as recovering the customer loyalty base and building sustainable profits in the future.