Is Your Small Business Prepared for Credit Card Changes in 2015?

In 2015, the credit card game is going to change. In the United States, we will see the long-awaited adoption of “chip and PIN” credit cards. With this new change, businesses will need to understand the technology behind the switch to better assist their customers. This includes integrating new software as well as purchasing credit card terminals that can accept the new credit cards. Although it may seem like a lot of changes, retailers and businesses that stay up-to-date on the latest technology will be better able to serve their customers. Better customer service means more return customers and a better ROI. From small businesses to large enterprises, it is important for your business to be ready to address these new credit card changes.

What is a chip and PIN card?

A chip and PIN card is different from a regular credit card in that a client’s personal information will now be held safe in a microchip rather than contained in the card’s magnetic strip. This new card encodes the customer’s information and makes it even harder for thieves to steal valuable information and/or commit fraud. This means that consumers can rest easy knowing that their card information is kept safer than ever before.

Know the Deadline

Merchants must make the switch to upgraded credit card terminals that are chip and PIN compliant by October 1st. Any business experiencing credit card fraud that has not upgraded to the newer software after that point in time could be held responsible and will be forced to pay the fraudulent charges made on the card.

Making the Switch

While it may seem somewhat difficult to switch your software, you’ll be grateful that you did so. Make sure that you take these three points into consideration when looking to upgrade your equipment.

  • Research. Find out what you can about upgrading your current terminals. Each industry has its own unique set of challenges; make sure that you understand what different options are available to you.
  • Incentives. Credit card companies are offering incentives to make the switch. American Express is extending $100 towards terminal upgrades (for merchants that make less than $3 million in payment volume).
  • Do it now. Don’t wait until the last minute to make sure that your equipment and software are up-to-date. With so many steps in the process, the switch could take longer than anticipated, and you might have to deal with paying fines.

By making the big switch, your business will have access to more advanced security measures and, in the end, will be subject to less credit card fraud.

If you have any questions about making the big switch, contact the professionals at Vision Payment Solutions.

Big credit card changes coming soon to your wallet

Credit cards and card payment terminals are going to undergo a major change in the near future, thanks to a group being formed by Visa and Mastercard aimed at increasing security in the retail and banking industries in light of the recent breaches at Target and other retailers.


This new group will include bankers and retailers, security experts, and makers of card payment terminals, and will focus on increasing security, partially through the embedding of special security chips into credit cards, and a move away from magnetic strips. These chips have been used across the world outside of the United States for many years. For now, the chips are optional, but new liability regulations will impose severe penalties for those who don’t use them next year, a move which it is believed will make them all but compulsory.


The cards themselves are not the only aspect of the new payment structure that is undergoing changes. New card payment terminals, too, are being installed at retailers across the country. These will include mobile payment machines at restaurants, which will be brought to the table so that customers can swipe their own cards. Drive-thru stations at fast food restaurants will also see new card readers installed outside the window, so that customers will swipe their own cards. All of this is a push to remove the handling of credit cards by anyone but the card’s owner.


It is also possible that in the future, credit cards will require the use of a PIN, similar to ATM or debit transactions.


All of these moves are an intense effort by the new group to increase the security surrounding credit card transactions, and it is hoped that the new cards, new card payment terminals, and other forthcoming security measures will help to prevent future incidents like the retail breaches that happened in 4Q of 2013.



What is a Virtual Terminal?

Tablets and smartphones are ubiquitous in this day and age, but they have yet to completely edge out computers, and laptops still hold many advantages over mobile devices. This is even true in the case of business management, where the computer often has far more storage and power to process databases, inventory tracking, and the like. It only makes sense that one should be able to use a computer to accept credit card payments.


Virtual terminal merchant services are a Web- or cloud-based version of physical credit card point of sale (POS) machines. They allow a vendor to input credit card information into payment forms on a computer, which then can be used to process an electronic transaction such as a mobile payment. It is similar to the types of forms you might see on a mobile commerce site like eBay or Amazon.


In the past, mobile payments would be processed by phoning a processor to gain transaction approval. In the modern era, virtual terminal merchant services are used to instantly approve transactions over the web. Sometimes these services rely on manual entry, exactly as one would when making an online purchase. More common, however, are systems that use a credit card reader that plugs into the computer via the charger, the headphone jack, or a USB port.


The downside of virtual terminal merchant services is that as of yet many cannot accept signatures from the client. This is in contrast to mobile processing services on a handheld device, which usually take a signature via the touch screen. However, with more and more computers these days featuring touchscreen technology, this may be rectified sooner rather than later. For now, the user simply uses a checkbox or similar functionality to agree to use a typed name as a virtual signature.


The technology is advancing, but with full computers incorporating technology pioneered by handheld devices, it seems likely that virtual terminal merchant services will continue to advance and could become the ideal means of managing one’s business in the near future.

U.S. Lawmakers Call for Data Protection Standards to Avoid Breaches

In light of the recent mass data breaches at retailers across the country, which have resulted in more than 40 million credit cards being stolen, cloned, and sold through the deep web, many lawmakers are demanding that the U.S. Congress stand up and mandate the adoption of card payment solutions and security standards to stop this sort of thing from ever happening in the future.


Among those demanding the new standards is Georgia Democratic Representative David Scott, who believes that Congress needs to look at the new security measures that are already being used in other countries, like the smart card payment solutions that do away with a magnetic strip in favor of a chip embedded in the card.


The magnetic strip currently featured on credit cards, he believes, is an easy and open door for unscrupulous hackers, since the technology is, at this point, practically ancient, certainly obsolete, and thereby easy to crack. The EMV smart card payment solutions would not only better encrypt data but would add an additional line of protection in the form of a required PIN entry at the point of sale.


Scott believes that Congress is anxious to take action against future hacks. But others don’t believe that it is Congress’ place to mandate the use of specific technologies. It has been noted that Visa, MasterCard, and other credit card vendors have already announced plans to shift to smartcards by the end of 2015 without legislation in place. While some lawmakers want to create a new national data breach notification law that would supersede the over 45 state laws currently in place, others have pointed out that Congress shouldn’t have the right to override tougher state laws.


There is a strong voice for private industry to create and implement new security standards for card payment solutions, without further interference from a Congress acting out of fear and panic.

Social Media Gives Insight to Mobile Payment Processing Trend

According to the second annual MasterCard Mobile Payments study, there have been roughly 13 million conversations about mobile payments on social media sites like Facebook, Twitter, and the blogosphere. Virtual terminal credit cards and similar mobile payments carry an 88% positive rating amongst business owners and merchants across the web, with the predominant attitude being that businesses that don’t accept mobile payments are going to find themselves at a distinct disadvantage in the not-too-distant future.


The results reflect a staggering amount of interest in mobile payments not just from business owners, but from consumers as well. Interestingly, the vast majority (90%) of these conversations were initiated and driven by business owners who have already implemented virtual terminal credit cards or other forms of mobile payments answering questions from smaller and newer businesses seeking advice about what they should adopt in the marketplace.


These conversations are indicative not just of a trend or new fad—they are the beginning of a new movement. The patterns of behavior when making purchases are shifting and evolving, and it’s becoming necessary for merchants to be able to accept payments on the go. E-payments, mobile credit card readers, and similar options are cost-effective and easy to use, and don’t tie merchants down to a single location as did the bulky systems of the past.


It’s only natural that this new movement would have begun, and will continue to be reflected, via social media, which is the new language of communication in the modern era. With the ability to transform a basic mobile device like a smartphone, tablet, or laptop computer into a high-powered, portable and secure virtual terminal, credit cards and debit cards are likewise becoming the currency of choice in the modern era. Nobody is asking anymore if using a mobile processing solution is a good idea. Rather, they’re taking to social media sites to ask how they can adopt this technology, and what it can do for their business.

Cybercrime-As-A-Service Led To Credit Card Breaches

Software as a service is on the rise; there’s no doubt about that. This model, in which people purchase software, security, or operating system access from a cloud-based provider and use these packages through a Web-based interface rather than downloading them to a local PC, is becoming increasingly popular among service providers as well as among end-users. Even Microsoft offers a Web-based version of its industry standard Office software, and virtual terminal payments are becoming an increasingly popular option as compared to traditional credit card readers.


It seems, however, that whenever any sort of service becomes popular, it also becomes a target for unscrupulous programmers, or hackers. The always-assumed bulletproof Mac OS has in the past few years seen more and more instances of malware and virus attacks as it gained traction in the market and became a more popular option for home users.


The same holds true for credit cards, and this is one reason why virtual terminal payments are gaining traction.


You see, now we have to deal with cybercrime as a service. The waves of card breaches last year which began at Target were the direct result of cybercrime as a service. The code for the malware was available and sold online at dark web sites, as were the millions of card numbers stolen. One could, in effect, pay another hacker to use the malware and obtain card numbers for you. This is the very definition of cybercrime as a service.


The software, purchased online, could also be easily modified for the buyer’s own purpose. The service was so efficient, with an untrackable virtual currency and a ready-made black market already in place, that legitimate businesses could almost take a lesson from the model, if not the implementation. If nothing else, the means by which these attacks have been made, and the marketplace in which they are germinated, are wildly efficient.


Many retailers have considered, in the face of these attacks, a switch to virtual terminal payments in lieu of credit cards. Traditionally, virtual terminals can offer more security than physical terminals, as well as combining inventory tracking and purchasing trends with card processing. With mobile malware also on the rise, this may not be an ideal solution, but then, in an era where cybercrime is rampant, there may not be a true ideal.

Legalities and standards in the payment card processing environment

The 2013 data breaches that affected many major retailers from Target to Neiman Marcus were high-profile, public, and threw an unsightly and frankly frightening spotlight on the sheer weaknesses of the security standards inherent in the current credit card payment solution model. Indeed, PCWorld magazine labeled 2013 “The Year of the Personal Data Breach.”


The current system, which uses a magnetic stripe on the credit card to store the user’s data, is outmoded, archaic, and in dire need of update and improvement. Of this there is no doubt. It is also likely that these needed updates will come in the form of new technologies and systems that represent a more efficient and secure credit card payment solution than those currently in place. What this means is that there will be a major overhaul of how credit cards work, and even what they look like.


It is also certain that in-house general counsel will have to partner with the latest in IT standards to ensure compliance with any new regulations that result from this overhaul—any major revision in standards like this is going to get complex in a legal sense. The current standards for credit card security are called the Payment Card Industry Data Security Standard (PCI-DSS), and were established in 2004 by the major credit card companies. The standards are detailed and complex, and break down to broad directives such as building and maintaining secure networks, protecting data, managing vulnerability, implementing access control measures, regularly monitoring and testing networks, and maintaining information security policies. These are in addition to specialized requirements for merchant levels determined by sales volume.


In 2006, the credit card companies created the Payment Card Industry Standards Council (PCI-SSC) to manage the complexity of the PCI-DSS, and to enforce the standards in place. This council performs audits, maintains information about credit card payment solution security providers, and establishes criteria to provide certification for the Qualified Security Assessors who are the only recognized officers for compliance of the PCI-DSS.


The general counsel, or advisory attorney who specializes in compliance issues, is needed to interpret the PCI-DSS and recommend to internal IT departments the risks involved, and the consequence of non-compliance. The attorney will also conduct regular reviews of this compliance, collaborate with the company’s credit card payment solution hierarchy, and continually review not only current standards documentation, but contracts with outside institutions to ensure constant regulation.


Whether the future sees a revised PCI-DSS standard or a new standard altogether that replaces the current one, IT departments alone will not be able to handle the complex new security standards in place—attorneys will continue to be a vital part of the credit card payment solution infrastructure.

Thieves Jam up Smucker’s Card Processor

Virtual thieves have struck again! As Congress and the major credit card companies race to come up with new, more secure credit card payment solutions, the world-famous jelly and jam maker, Smucker’s, has seen its own infrastructure jammed up, shutting its online store last week amidst the need to rebuild after a security breach jeopardized sensitive credit card data.


Research indicates that the company was only one of several dozen other companies that were hacked in 2013, including Adobe, LexisNexis, Dun & Bradstreet, and others. The latest information about the hit is that the malware in question acts like a banking Trojan, except that rather than targeting a PC, it targets web applications. This makes it potentially even more dangerous, as it won’t be restricted to a single operating system or set of operating systems, but could hit you at any computer that accesses the Web, be it a Windows PC, a Mac, or a Google Chromebox. Even tablets and mobile devices may be vulnerable.


This particular malware, much like other Trojans, tears data such as names, addresses, phone numbers, credit card numbers, and card verification codes from visitor-submitted forms as customers submit them during checkout. This hammers home the idea that security when it comes to credit card payment solutions goes two ways—if either the end user or the company is compromised, the malware can slip in. Both ends need to be secure for any sort of encryption to work. In this case, the issue was that Smucker’s and the other targeted vendors were running outdated (and thus vulnerable) versions of Adobe’s ColdFusion web application.


There is an important and yet very costly lesson to be learned here, which is particularly important to small businesses: if a giant like Smucker’s can be hit, so can you. Never take the cheap route out when it comes to security by running an outmoded, outdated, and vulnerable security package. Make sure that whatever credit card payment solutions you use are of the latest version, with up-to-date security standards at both the end-user point and the processing point. This is the only way you can protect your customers’ sensitive data from the legions of hackers just waiting to suck up their personal data for unscrupulous use.

How Debit Card Processing Works

You’re familiar with the basics—you walk up to an automated teller machine, insert your card, punch in your PIN, ask for cash and (provided you have some in your account) you get your money. On the other hand, perhaps you don’t have any cash in your wallet and you want to make a purchase. So long as you’ve got the cash in your account, you’re good to go. You swipe your card at the terminal just like a credit card, maybe enter your PIN, and the purchase is made. It all seems very easy, but what is the debit card payment process? How does the transaction go from point of sale to your bank and back?


There are two forms of debit card payment process. These are the offline, signature-based process, and the online, PIN-based process.


Offline cards have to be branded as VISA or MasterCard, and are processed in a similar manner to credit cards. That is, the vendor’s equipment connects to a payment network, sends the request from the card, and waits while the network performs a series of tests to ensure that the card is authorized for use and is not frozen or over the limit (or overdrawn, in the case of the debit card). This whole process generally only takes a few seconds. If the request is approved, you will sign the receipt, at which point the vendor puts the request into a payment batch and goes through a settlement process at the close of the business day to get the money. This can take 48 to 72 hours.


For the online debit card payment process, you will swipe your card and be asked to enter your PIN, which substitutes for your signature. In many cases, this type of transaction gives you the option to get cash back. Since you have used your PIN, by the time the sales information gets to your financial institution, the transaction itself is already authorized by you, so no authorization check is performed. Similar to the offline method, the connection and communication with the network takes mere seconds to perform. As long as there is enough money to cover the sale in your account, the transaction will be approved. Unlike the offline method, your checking account will immediately be debited—there is no waiting period for processing, and funds are transferred instantly from your account to the vendor’s.

An Overview of Smartphone Processing

Since the earliest days of credit cards, they have represented an easy way to pay for goods and services without the need to carry wads of cash around. However, for a long time, this required bulky credit card processing systems which took up a lot of space and were certainly not portable.


These bulky systems are no longer viable in an era when technology is small, fast, and always plugged in. Since it seems just about everyone has a smartphone, processing credit cards using the handheld device seems not only practical, but a must if you wish to get ahead in business today.


More and more small business owners are turning to smartphone processing for acceptance of credit card payments. There are many varieties and options available to do this, from basic apps which allow the entry and transfer of a patron’s information via a virtual wallet, such as PayPal or Google Wallet, to vendor merchant services which provide an actual swipe card reader with multiple layers of security to accept direct credit card payments.


The options for these systems vary—most charge a fee of some sort, be it a “per transaction” or “per swipe” fee, or a percentage of funds transferred. Many allow emailing of a receipt, and some allow customizability features such as the ability to create customer loyalty programs. You should make sure that whatever system you choose, it doesn’t store customer payment information on your device (though some do store contact and demographic information, allowing you to create a database of contacts for the purposes of targeted marketing and sales promotions). Some offer the ability to process refunds—either full or partial—on the spot. Others allow inventory management and tracking via barcode scanning, and for those merchants who travel from state to state, some offer the ability to automatically calculate sales tax based on your location.


There are many options available for smartphone processing these days, and if you are a business owner, you are doing yourself a disservice by not taking advantage of the ability to take credit card payments on the go. A quick web search will turn up lots of options, making it very easy to do your research and choose the option that is best for your business.