Posts Tagged ‘VISA’

EPX Welcomes Third-Party Validations of Tokenization and Payment Processing Outsourcing

Tuesday, July 20th, 2010

Editor’s Note: It’s always encouraging to see EPX competitors follow in our footsteps. Just as competitors are following our lead by touting the benefits of tokenization technology, several competitors are even beginning to issue press releases that mirror ours. I guess imitation is the sincerest form of flattery.

Electronic Payment Exchange (EPX), a full-service payment processing organization, announced today that their organization welcomes the recent third-party validations of cardholder data tokenization and payment processing outsourcing. Newly announced global industry best practices for tokenization from Visa Inc. validate EPX’s long-standing deployment of tokenization technology for securing cardholder data. Additionally, a June 2010 security brief from RSA supports EPX’s approach to tokenized payment processing outsourcing by referencing an EPX client case study that shows how tokenization and payment processing outsourcing reduce merchant costs and other burdens associated with securing cardholder data.

The recent release of Visa’s tokenization best practices provides valuable guidance to merchant organizations seeking to utilize tokenization solutions for securing cardholder data. As the first organization in the payments industry to engineer and deploy tokenization technology, EPX welcomes Visa’s focus on and validation of tokenization solutions.

In version 1.0 of the Visa Best Practices for Tokenization document, Visa establishes best practices related to four critical components of tokenization: token generation, token mapping, card data vault, and cryptographic key management. Visa provides further recommendations regarding tokenization system configuration, implementation, and management, and offers guidance on the management of historical data.
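To make those four components concrete, the following Python sketch is an added example (not EPX's or Visa's code) of a minimal tokenization service: a CSPRNG-based token generator, a mapping table that holds only token-to-vault-record links, a card data vault that keeps the PAN solely in encrypted form, and a key store that identifies keys by id so the vault can be rotated without reissuing tokens. Two details are assumptions rather than anything the page states: tokens keep the PAN's length and last four digits (a common receipt-friendly format), and candidate tokens that pass the Luhn check are rejected so a token can never be mistaken for a live card number. The HMAC-SHA256 counter-mode stream cipher is a standard-library stand-in for the AES-based vault encryption a production system would use.

```python
"""Toy tokenization service: token generation, token mapping, card data
vault and key management.  Added example, not EPX's or Visa's code.
The HMAC-SHA256 counter-mode cipher below stands in for AES so that the
example runs with only the Python standard library."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def luhn_valid(digits: str) -> bool:
    """Standard Luhn check: real PANs pass it; tokens are made to fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:                      # every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class KeyStore:
    """Key management: keys are referenced by id, so vault records written
    under an old key stay readable after rotation and tokens never change."""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self.current = ""
        self.rotate()

    def rotate(self) -> str:
        key_id = f"k{len(self._keys) + 1}"
        self._keys[key_id] = secrets.token_bytes(32)   # fresh 256-bit key
        self.current = key_id
        return key_id

    def get(self, key_id: str) -> bytes:
        return self._keys[key_id]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF-based stream cipher
    (assumed stand-in for AES-CTR).  Encrypt and decrypt are the same op."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class VaultRecord:
    key_id: str        # which key encrypted this record
    nonce: bytes       # unique per record, never reused with the same key
    ciphertext: bytes  # the PAN, never stored in clear


class CardDataVault:
    """Card data vault: the only place the PAN exists, and only encrypted."""

    def __init__(self, keys: KeyStore) -> None:
        self._keys = keys
        self._records: dict[str, VaultRecord] = {}

    def store(self, pan: str) -> str:
        record_id = secrets.token_hex(8)
        nonce = secrets.token_bytes(16)
        key_id = self._keys.current
        ct = _keystream_xor(self._keys.get(key_id), nonce, pan.encode())
        self._records[record_id] = VaultRecord(key_id, nonce, ct)
        return record_id

    def retrieve(self, record_id: str) -> str:
        rec = self._records[record_id]
        return _keystream_xor(self._keys.get(rec.key_id), rec.nonce, rec.ciphertext).decode()

    def contains_plaintext(self, pan: str) -> bool:
        """Audit helper: does the PAN appear in clear in any stored record?"""
        return any(pan.encode() in rec.ciphertext for rec in self._records.values())


class TokenService:
    """Token generation plus token mapping.  The mapping table links a token to
    a vault record id; the PAN itself is never written into it."""

    def __init__(self) -> None:
        self.keys = KeyStore()
        self.vault = CardDataVault(self.keys)
        self._map: dict[str, str] = {}

    def generate_token(self, pan: str) -> str:
        """Keep length and last four digits (assumed format); all other digits
        come from a CSPRNG, so the token carries no information about the PAN.
        Candidates that pass Luhn are rejected so a token cannot look like a
        real card number; collisions with existing tokens are rejected too."""
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and token not in self._map:
                return token

    def tokenize(self, pan: str) -> str:
        token = self.generate_token(pan)
        self._map[token] = self.vault.store(pan)   # mapping: token -> record id
        return token

    def detokenize(self, token: str) -> str:
        return self.vault.retrieve(self._map[token])
```

A practitioner would note that the security of this design rests on the token generator being a CSPRNG and on the mapping table and vault living in separately controlled storage; a token derived by hashing the PAN, by contrast, would be linkable to the PAN by anyone who can guess the card number space.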

EPX, which has offered merchants tokenization technology since 2001, abides by one hundred percent of the best practices established by Visa and views the best practices as reinforcement of EPX’s approach to tokenization. According to EPX Chief Security Officer Matt Ornce, “Visa is now confirming what we have been saying and practicing for years. Merchants that properly implement a sound tokenization solution are able to limit cardholder data storage in their environments. In turn, this simplifies merchant PCI DSS assessments by reducing the scope of their compliance requirements, associated costs, and implementation. This makes merchants of any size more secure and brings them into compliance easier, faster, and with less expense.”

Further validating EPX’s approach to payment data security, a June 2010 security brief released by RSA provides insight into how tokenization can be combined with payment processing outsourcing to relieve merchants of the burden and potential costs associated with securing cardholder payment data. Using an EPX client who annually processes tens of thousands of ecommerce transactions as an example, RSA pointed out that the merchant organization substantially reduced its PCI compliance burden. The security brief also establishes that, over the next several years, many payment processing organizations will introduce outsourced payment services to manage cardholder data risks on behalf of merchants. The brief provides additional insight by stating that the most effective outsourced payment services will use a combination of tokenization and encryption.

EPX has provided payment card security outsourcing for ten years and was the first payment processor to actually market, sell, and implement a solution that uses both tokenization and encryption for securing card data from the card swipe through the entire transaction lifecycle. By processing through EPX, individual merchants have reduced their initial PCI compliance burden by millions of dollars and continue to realize significant annual savings.

EPX welcomes the third-party validation of payment processing outsourcing and the use of tokenization plus encryption technologies. “It is great to see that leaders in the payments and security industries are recognizing EPX’s accomplishments,” EPX Chief Executive Officer Ray Moyer said.

The Surprise Demise of PIN Debit: Debit Networks Have Been Quickly Diminishing The Cost Advantage of PIN vs. Signature Debit

Friday, May 14th, 2010

Most customers couldn’t care less whether they enter their 4-digit PIN or sign a sales draft when using their Visa- or MasterCard-logoed debit card (“check card”) to make a purchase. The price they pay for goods or services is the same either way.

But the customer’s mode of choice has had a material impact on the cost of the transactions to merchants – at least until recently.  For those merchants that have “interchange-plus” agreements with their banks, allowing for pass-through debit network costs, PIN-debit transactions historically have cost far less than if the same transaction was processed as Signature-debit – i.e. with no PIN validation.  As recently as two years ago, the cost of PIN-debit was as little as half that of a Signature-debit transaction, depending upon the sale amount, merchant type and other factors.

The PIN advantage always was particularly pronounced for merchants selling higher-than-average priced goods and services, i.e. items priced above $40-$50 or so. That was because the debit networks charged more in transaction fees than, say, credit card transactions (about double), but at least they always “capped” the percentage assessed on the sale amount for most transactions. There was a maximum fee for the most common types of transactions no matter what the ticket size.  So, an average retail PIN-debit transaction often would cost no more than 60 or 70 cents all-in.

This was not so for a Signature-debit transaction, however. Signature-debit was priced like credit card transactions, with fees more or less proportional to the price of the merchandise or services.

The gradual tectonic shift in debit card pricing strategy over the years turned into a tremor felt throughout the payments industry in 2009 when Discover’s PULSE network (the third largest) removed its fee cap on most types of PIN-debit transactions. The PULSE percentage fee now floats with the ticket size for standard transaction types. Since then, the other major EFT networks – Star (First Data Corp.), NYCE (Metavante), Accel/Exchange (FiServ) and CU-24 – have followed suit and have eliminated or moved up the caps on the most common PIN-debit transactions.

The final and most influential change just occurred in April 2010. As part of Visa’s semi-annual interchange modifications, Visa raised the Interlink interchange rate for PIN-debit pricing from 75 basis points and $0.17 per transaction to 95 basis points and $0.20 for standard transactions. Visa PIN and Signature pricing are now the same. Considering that Visa’s Interlink debit network has a 40%+ share of the debit card market and that it processes an estimated 73% share of all Signature-debit transactions, the practical impact of Visa’s change to merchants is likely to be profound.

Rate strategies vary and the devil is in the comparative pricing details between networks and transaction or industry categories. So, certain price advantages for PIN-debit can still be found in some industries and in some ticket-size scenarios. However, there no longer is a noticeable safe-haven price gap between PIN and Signature to be exploited. That is particularly counter-intuitive considering processing rates traditionally have had some relationship to transaction financial risk; PIN-validated transactions have been viewed as inherently less prone to repudiation, thus less risky to the account holders and banks involved, than transactions with signature verification.

Many merchants are resigning themselves to the new reality in which Signature-debit reigns supreme. With little price advantage remaining between PIN and Signature, major industries like pay-at-the-pump fuel operations are seriously debating whether to make the estimated $20,000 per location investment required to convert current PIN acceptance devices to a new generation of more secure PIN data devices, as mandated by the PCI Security Standards Council Data Security Standards. It even remains to be seen whether Costco, Home Depot, Wal-Mart and other mega-merchants that, due to the price differential of Signature-debit, have not even offered Signature-debit as an option to POS debit customers, will soon do away with PIN-pads.

Major check card issuing banks have been actively promoting Signature-debit in promotional mailings to their cardholders. They have offered incentives on purchases that only apply when a Signature-debit transaction is made. JPMorgan Chase, according to news reports, has made the inaccurate inference to its cardholders that Signature-validated transactions are somehow more secure than PIN transactions. Presumably they are promoting Signature over PIN debit because they make back more money, as card issuers, from the resulting interchange fees paid when a Signature-debit transaction is processed via the credit card networks than when a PIN-debit transaction is processed by one of the electronic funds transfer (“EFT”) networks. Now that difference has been largely negated, so there is little need to promote Signature-debit per se.

What is causing the major strategy shift by the EFT networks and Visa? It is all part of the overarching competition between networks to woo financial institutions to issue cards processed by their networks. The networks make money on the transaction processing (“switch”) fees assessed to every transaction that occurs (from about 3¢ to as much as 8¢ for PIN-debit, depending on the network). The majority of the fees charged to the merchant – per transaction and per sales dollar – are paid to the card issuing bank. So what we have been seeing is essentially a bidding war among the networks to get their brand “bugs” printed on the back of the most cards issued.

Having said that, it is not at all obvious yet just how much of a shift in real fee income will come from all this market re-positioning and effective price parity between PIN and Signature-debit. Debit cards have become more and more popular in recent years, especially during the recession. Debit now surpasses credit as the preferred means of POS payment. But debit cards, in whatever format, still are essentially plastic checks, with more or less the same consumer behavior patterns as cash. As such, debit transactions might be more common than credit card transactions, but the dollar volume of debit is far from matching total credit card purchase volumes. Understandably, debit purchases are limited to bank account balances. Higher value goods and services continue to be purchased on credit – although less credit is being extended during the recession. According to a 2009 PULSE study, the average debit transaction in 2008 was about $42 for PIN-debit compared to $37 for Signature-debit. PULSE estimated more than a quarter of all debit transactions in 2008 were for purchases of less than $10. This compares to average retail credit card purchase amounts that are usually approximated to be about $70-$80.

Processing cost is the paramount issue to most merchants, yet there still are several soft reasons for continued acceptance of PIN-debit transactions:

  • Customers often are more comfortable with the security of PIN validation.  After all, the card is accessing their bank account. Presumably, only the card owner knows and uses the PIN.
  • There are many consumers without credit cards, or who have reached their limits.  PIN and Signature-debit let the customer make a cash-less purchase with the funds they have in their bank account but happen not to have in their wallet.
  • For the merchant, funds process through the EFT networks almost immediately.  By contrast, a Signature-debit transaction, run through the credit card networks, might take 2-3 days to be debited from the consumer’s account.  This can mean less chance of insufficient funds and sometimes faster credit of sale proceeds to merchants.
  • PIN transactions typically can be completed faster in the check-out line and require less documentation and storage by the merchant.  A PIN-debit transaction has considerably less chance of being repudiated successfully.
  • A PIN-debit transaction allows for cash-back to the cardholder at the POS; this is not possible with a Signature-debit transaction.

Even so, much of the appeal of a PIN transaction proves to be somewhat illusory:
  • While it is true that PIN-authentication is relatively fool-proof security for a specific transaction, the card remains vulnerable as long as there is a Visa or MasterCard logo on the card and the card can alternatively be tendered for a Signature-debit transaction. Signatures or IDs, obviously, are not always verified by store clerks.
  • Both PIN-debit and Signature-debit cards benefit from consumer protection laws and practices, although the protections come from different laws.  If reported lost or stolen in a timely manner, the cards have a maximum of $50 liability to the account holder.
  • PIN-debit transactions usually do not accrue rewards credits from the issuing banks, whereas Signature-debit cards do.  This feature, alone, is accelerating the shift from PIN to Signature.

There is little merchants can do to shape the system to their benefit.  Merchants are under contractual obligations by their acquiring bank sponsors to accept all cards with a Visa or MasterCard logo. They are prohibited from attempting to “steer” a customer card transaction from one mode of acceptance to another. Card company rules further require merchants with PIN-processing capability to proactively provide customers the choice of making a PIN-debit or Signature-debit transaction.  At best, merchants can only make the threshold decision to either enable acceptance of PIN-debit by making a PIN-pad available at the POS or to accept only Signature-debit transactions at the POS.

Written By: Charles S. Crawford, Executive Vice President for Strategic Development
Electronic Payment Exchange

Evolving Pragmatic Approaches to Payments Security – Part 1 of 2

Wednesday, April 21st, 2010

In this multi-part article, EPX Chief Security Officer Matt Ornce comments on the payments security happenings of 2009 and looks forward to 2010.

Reviewing the trends in 2009 to speculate on the payments landscape in 2010

Several interesting events have shaken the payment card industry from the status quo in 2009, and reactions to these events are influencing the industry’s future. We have witnessed changing views, maturation of guidelines, and security advances related to massive data breaches. Additionally, government legislation, end-to-end encryption, PCI standards, and best practices have been introduced, and we are beginning to see their effects.

Influential payment security events of 2009 – and some forward-looking views for 2010 – are discussed below.

Influential 2009 Payment Security Events

Data Breaches

Credit card and other payment-related data breaches have become widespread in the past decade, and recent technological advances by criminal hackers, identity thieves and terrorist organizations are putting the world (merchants, payment processors, card brands, governments, and consumers) on notice.

One could argue that data breach notification laws have improved incident reporting, artificially creating more news today from smaller breaches that once went unreported. No one can dispute, however, that in the same time hackers have become significantly better organized and their attacks continue to quickly evolve and have become much more sophisticated and effective. In 2009, data breaches continued to occur: from the largest breach ever, announced in January, to the victims whose data is available for sale today, but are still unaware they’ve even been breached.

PCI DSS Effectiveness Questioned

Some concern has been raised that the PCI Data Security Standard (DSS) has not been effective enough in reducing the number and severity of data breaches, especially when entities that appeared to be compliant were breached.

In March, a House subcommittee met to review the state of affairs. Dave Hogan, National Retail Federation CIO and vocal PCI DSS detractor, gave voice to merchant frustration by characterizing PCI as “an elaborate patch”. He further noted that “the ultimate solution is to stop requiring merchants to store card data in the first place.”

At the October 2009 PCI Participating Organization meeting, even Bob Russo, PCI Security Standards Council General Manager, admitted that, “Compliance doesn’t equal security.”

End-to-End Encryption

End-to-end encryption (E2E) was brought to the forefront in mid-2009 as one solution with the potential to significantly help merchants protect their data and even reduce their PCI compliance burdens. Unfortunately, with an overly-ambitious definition of “from the merchant to the issuer,” merchants are no better off today than before the initial hype.

Defining such a broad industry goal is admirable, but if PCI compliance levels are any indication, the effort will take years to develop the standards and re-tool the entire industry to pass encrypted card data from end to end. In the meantime, merchants still need protection against continuously evolving threats, and need solutions that don’t make them individually responsible for saving the entire payment industry.

PCI / PricewaterhouseCoopers Technology Review

During August 2009, the PCI Council directed PricewaterhouseCoopers (PWC) to perform market research on emerging technologies that can improve merchant compliance rates and reduce risks and costs associated with PCI compliance. PWC focused on E2E and tokenization, tacitly validating each approach by recognizing that “These solutions are designed to address some of the inherent risks in the current payment card processes and infrastructure.”

The PCI Council is currently reviewing the PWC data and is likely to incorporate guidance into future PCI DSS revisions, but probably not until late in 2010.

Visa Data Field Encryption Best Practice (DFE-BP)

In October, Visa quickly followed up PWC’s technology review with several key best practices for E2E, effectively filling the gap before the scheduled PCI DSS updates. Most notably, Visa defined in their best practices document the initial “ends” as “from the swipe to the acquirer processor,” which minimizes their own remediation requirements by reducing the proposed industry-wide E2E goals, but increases the immediacy in which merchants can benefit.

The document also recommends using, “an alternate account or transaction identifier [aka token] for business processes that requires the primary account number to be utilized after authorization, such as processing of recurring payments, customer loyalty programs or fraud management.” This guidance further validates E2E and tokenization technology implementations, especially those aligned with the best practices.

More Merchants Taking Advantage of “Pin-Less” Debit Transactions to Lower Transaction Costs

Wednesday, December 30th, 2009

Increasing numbers of merchants now are allowed to process bank-issued debit cards online or over the phone without PIN validation. Those merchants qualified to accept PIN-less debit payment can take advantage of all-in costs, which can be far below the expense of a credit card or a debit card transaction processed through the credit card networks.

Electronic Payment Exchange (EPX) is one of a very few payment processors technically set up and certified to submit “PIN-less” debit transactions directly to the three electronic funds transfer (EFT) networks that currently waive PIN validation for certain card-not-present transactions: STAR, Pulse and NYCE.

In a PIN-less debit transaction, a customer supplies his/her bank ATM card information to make a web or phone payment to an eligible merchant. The debit is linked to the customer’s bank account, but normally includes a Visa or MasterCard logo. Before the transaction, the cardholder is given the choice of using the card as a “signature debit” transaction, or a PIN-less debit payment. If it is a signature debit transaction, the transaction is processed through the Visa and MasterCard networks without PIN entry, just like an online credit card transaction except that the funds are deducted directly from the cardholder’s depository account, not billed to the customer by the bank. If the customer chooses to make a PIN-less debit transaction, the transaction is routed by EPX directly to the EFT network with which the card issuing bank has a processing agreement. As with any ATM or debit transaction, PIN-less card transactions result in funds deducted in near real-time from the cardholder’s posted bank account balance.

Since there is greater inherent risk of loss from a transaction without PIN validation, the EFT networks limit the privilege of PIN-less debit transaction processing to a range of merchants within authorized industry sub-sectors. The transactions from permitted sectors are assumed to be safer because these businesses commonly take payments from known customers for routine billings.

The list of permitted industry sectors varies by EFT network. At a minimum, the list includes:

  • Utilities (electric power, natural gas, telephone, cable, cellular, satellite, etc.)
  • Government agency payments (taxes, fees, fines and penalties, etc.)
  • Education providers (tuition payments)
  • Insurance providers (property, casualty, health and life)
  • Closed-end loan payments (mortgage and motor vehicle)
  • Rent/lease payments

STAR and NYCE allow a somewhat broader range of merchant types to submit PIN-less debit transactions than does the Pulse network. The list of allowed merchant types is expanding steadily as the EFT networks gain experience from PIN-less transactions.

Each EFT network has a distinct schedule of fees and policies for PIN-less debit transactions. The fee calculations are a bit complicated because they can vary by the specific SIC code, whether the merchant is in an “emerging” market, and because of the differences in pricing strategies among the networks. The greatest comparative advantage over credit card rates comes when a customer chooses to make payment with a STAR- or NYCE-affiliated debit card and the billing amount is higher than $100.00 (as often is the case for utilities, insurance companies, property manager and other favored business segments).

For comparison, consider a $200.00 online or phone credit card or “signature debit” transaction versus a PIN-less debit payment. Processed as a credit card, the merchant’s rate for a non-face-to-face transaction might typically be 2.10% or more of the face amount, plus $0.20 per transaction. The total cost to the merchant would therefore be $4.40. If the PIN-less debit were accepted by the STAR network, the highest fees would be 14.5 cents for the transaction plus 0.65% on the dollar amount – but the total is capped at $1.00 in percentage fees. Therefore, the total cost of that PIN-less debit transaction would be $1.45 – a savings of about two-thirds over a credit card or signature debit transaction in this scenario.

The savings realized from PIN-less debit are quite case-specific to the network, merchant type and transaction size. For instance, if the transaction were run on the NYCE network, the cost would be fairly comparable to STAR for that size of transaction. However, if the card happened to be Pulse-affiliated, the overall fees would compare more closely to the cost of credit card or signature debit processing. In 2009, Pulse (owned by Discover) removed its ceiling on the percentage rate charged for PIN-less debit transactions, and its percentage fee is about a third greater than STAR or NYCE.

The network to which each transaction is routed is determined by the bank that issued the debit card. Each debit card issuer has a processing agreement in place with one or another EFT network. Most issuing banks are affiliated with one of the big three independent networks (STAR, Pulse or NYCE). If the card tendered is not one of their own, these EFT networks route transactions to the correct network.

PIN-less debit transactions differ from credit card, signature debit, or ACH transactions in several other ways, including:

  • EFT rules require that the customer with a branded debit card be given the choice of processing their debit card as a PIN-less transaction or a “signature debit.”
  • PIN-less transactions post against the customer’s depository account in near-real-time through the EFT networks, whereas an ACH payment may take 2 or more days to post.
  • Authorization codes are not always received for PIN-less transactions, but such codes – unlike with credit card transactions – are not required for funding of the PIN-less debit transactions.
  • Account solvency is immediately determinable. However, merchants assume the risk of non-sufficient funds (“NSF”), stop payment, or fraudulent transactions, just as would be the case if they processed a check or ACH transaction.
  • It is unnecessary to request a capture of the transaction, since the transaction is authorized by, and the funds moved by, the EFT networks.
  • For a credit card transaction, you can typically process an authorization reversal. This is not the case with a PIN-less debit transaction.
  • There is no credit feature for PIN-less debit. Refunds are possible only by issuing the customer cash, check, store credit or other forms of reimbursement.
  • PIN-less cards do not accrue rewards benefits as often.

PIN-less debit can provide significant cost savings and other advantages for authorized merchants, if those merchants have the sophistication and discipline to proactively encourage consumers to pay with EFT debit cards that offer the greatest marginal transaction savings.

Merchants can learn more about PIN-less debit transaction from EPX by contacting sales@epx.com or an EPX account manager.

– Charles Crawford, EPX EVP for Strategic Development

Electronic Payment Exchange Welcomes New Visa Best Practices for Data Field Encryption

Thursday, October 22nd, 2009

EPX BuyerWall uses data field encryption to protect card information from the swipe to the acquirer processor

Electronic Payment Exchange (EPX), a leading merchant acquirer and payment processor, said today that the recent Visa release of data field encryption best practices provides welcome leadership to merchants, technology professionals, and vendors looking for practical ways to reduce the risk of data breach. EPX is the first payment processor to offer a true end-to-end solution that endorses and incorporates both tokenization and encryption for securing cardholder data from the card reader through the entire transaction lifecycle, and believes the Visa best practices validate their approach.

The best practices for data field encryption (also known as end-to-end encryption or point-to-point encryption) announced by Visa on October 5, 2009 work toward developing a standard approach while offering guidance to payment solution providers. Visa establishes five key implementation objectives for payment providers who deploy end-to-end encryption: limiting the availability of cleartext cardholder and authentication data; using robust key management solutions that are consistent with international standards; using key lengths and cryptographic algorithms that are consistent with international standards; protecting cryptographic devices from physical/logical compromises; and using alternate identifiers for business processes that require the account number after authorization.

“The technologies built into EPX BuyerWall go hand-in-hand with the data field encryption objectives established in the Visa best practices document,” says EPX Chief Security Officer Matt Ornce. “Using encrypted card readers with our EPX BuyerWall solution satisfies Visa’s objectives and provides strong protection for merchants against potential data breaches.”

According to the Visa data field encryption best practices document, “no single technology can completely solve for fraud.”

Ornce wholeheartedly agrees. “EPX’s solution uses both end-to-end encryption to encrypt card data from the point of sale, and tokenization on the back end of the transaction,” he says. “Encryption at the card reader protects merchants against potential breaches before card numbers even leave the swipe for authorization. EPX BuyerWall tokenization replaces account numbers with values that are meaningless to would-be thieves and cannot be reverse-engineered to reveal the card numbers. Combined, they provide unparalleled fraud protection for a merchant’s customers.”