Innovative Retail Technologies

JAN-FEB 2017

Innovative Retail Technologies (formerly Integrated Solutions For Retailers) is the premier source for innovative yet pragmatic technology solutions in the retail industry.

Issue link:

Contents of this Issue


Page 28 of 39

plains Cole. "It has raised significant concerns in that market as the process to upgrade the payments module in a fuel pump is much more complicated and costly than replacing a retail POS terminal." He says a fuel-dispenser payments module upgrade alone can cost as much as $5,000, and some pumps will require a complete replacement. Raftice points to other upcoming requirements, most notably the migration from SSL (secure socket layer) and early TLS (transport layer security) v1.0 to a secure version of TLS. "While all process- ing and third-party entities were required to provide a TLS 1.1 or greater service offering by June 2016, the PCI (Payment Card Industry) Security Standards Council extended the cutover date for existing merchants to June 2018," he says. "The new date provides additional time to migrate to more secure protocols, but waiting is not recommended – particularly for online and e-commerce merchants who are most susceptible to SSL exploits and attacks." Raftice also says merchants need to be aware of the MasterCard BIN (bank identification number) expansion. In addi- tion to the familiar 5-series BINs currently provided, MasterCard is implementing an additional range of 2-series BINs. "Acquir- ers were required to upgrade their systems to be compatible with the new 2-series BINs by October 2016," explains Raftice. "Beginning in 2017, cards with the new 2-series BINs are expected to be issued, meaning all merchant POS terminals and related systems must be ready to accept and support the new 2-series BIN range cards." Finally, Raftice points to the new QIR mandate for Level 4 merchants. "In an ef- fort to mitigate small merchant breaches, Visa has established new data security requirements to ensure small merchants take steps to secure their POS environ- ments," he says. "According to Visa, forensic investigators have identified links between improperly installed POS applications and merchant payment data environ- ment breaches." As a result, beginning in January, all existing Level 4 merchants are required to use PCI-certified QIR (qualified integrator and reseller) professionals from a list of approved companies for servicing POS applications and terminals. Has EMV Pushed Fraud To CNP? Raftice and Cole have differing takes on the impact of EMV on CNP fraud. While Cole cites a CreditUnionTimes report that the quarter-over-quarter fraud rate jumped by over 60 percent in the first half of 2015, Raftice says the most dra- matic shift to CNP fraud has yet to come. "Based on what we've seen occur in our European markets following the shift to EMV, we do expect to see a migration in attempted fraud toward card-not-present [CNP] transactions," says Raftice. "However, current tracking in the U.S., including chargeback monitoring and fraud report- ing, indicates this simply hasn't happened yet due to slower adoption of EMV." In response to — and anticipation of — these attacks, Cole says he's seeing increased merchant interest in a number of authentication and fraud prevention strategies to detect and prevent online fraud. "On the authentication side, tools like device authentication, one-time passwords, and biometrics are being researched and employed," he says. "Fraud prevention uses the merchant's propri- etary data and transactional data to score transactions from a risk perspective, and validation services like AVS [address verifi- cation service] and card security codes to validate the legitimate cardholder is using the card." He says merchants are also employing point-to-point encryption and tokenization to prevent the theft of card data from the start. At EVO, Raftice says the implementa- tion of new global security products like 3D-secure enhanced security surrounding recurring and subscription-based pay- ments, and the introduction of new online risk prevention and data protection tools can help merchants reduce the time, cost, and complexity of PCI compliance. Mitigating EMV's Extended Processing Time One of the biggest early complaints around EMV has been the extended time it takes to complete a transaction. In a way, it feels like a step back into the age of dial-up. But Cole says there are a number of steps merchants can take to reduce the customer's time-in-lane. " The four major card brands have all introduced specifications for faster EMV processing," he says. These specs include "Quick Chip" (American Express, Discover and Visa) and "M/Chip Fast" (MasterCard). " The objective of these solutions is to improve the speed of the transaction — or at least, the perception of the speed of the transaction — while maintaining the counterfeit fraud protection of EMV," explains Cole. This is accomplished by allowing earlier card insertion and reduc- ing the actual time the card stays in the payment terminal. "In order to allow the cardholder to insert their card earlier, the merchant uses a placeholder, or pseudo, transaction amount to create the transaction cryptogram, which is the key to preventing counterfeit fraud. Because the cardholder doesn't have to wait for the final amount to be known before Jan-Feb 2017 26 Based on what we've seen occur in our European markets following the shift to EMV, we do expect to see a migration in attempted fraud toward card-not- present (CNP) transactions. Jim Raftice, president of U.S. & Canada, EVO

Articles in this issue

Archives of this issue

view archives of Innovative Retail Technologies - JAN-FEB 2017