ONE YEAR LATER: CHIP WITHOUT PIN

October 3, 2016

Since the October 2015 liability shift, EMV remains frustrating for retailers and confusing for consumers—not a good proposition leading up to the next liability shift in October 2017.

October 3, 2016

ALEXANDRIA, Va. – One year after the October 2015 liability shift took effect for retailers to accept Europay MasterCard Visa (EMV) chip cards inside the store, thousands of chip readers have yet to be activated. To make matters more frustrating, the next liability shift—for fuels dispensers—is one year away.

Convenience retailer investments in EMV are not preventing fraud because chip cards in the U.S. are not enabled for PIN authentication, which is the most effective way to combat fraud, ensuring the customer using the card is the owner of that card. In the United States, the convenience store industry processes 160 million transactions each day and invests billions to reduce fraud at the point of sale. For example, many retailers pay to use customers’ ZIP codes to verify a transaction to protect their customers and their business. Retailers have real incentives to eliminate payment card fraud because they, according to the Kansas City Federal Reserve, absorb 80% to 90% of all fraud losses on credit and debit card transactions.

Convenience retailers will spend more than $7 billion on EMV—or just under 70% of industry pre-tax income for 2015—to upgrade and replace software and equipment to accept chip cards, but the card companies prevent retailers from requiring the use of PINs to verify the cardholder and protect against fraud. Without the protection of a PIN number on transactions, consumers and retailers are vulnerable to fraud.

Leading up to the October 2015 deadline, the card networks were late providing the necessary software specifications to accept EMV transactions. Retailers then needed certification from each card network before they could activate EMV. There were bottlenecks for both, compounded by the fact that the card networks set a liability shift timeframe without regard to the ability of equipment manufacturers and software providers to actually meet the deadline—a problem that will undoubtedly turn out to be even worse at fuel dispensers.

Nearly a year ago, NACS Board member Jared Scheeler, managing director of The Hub Convenience Stores Inc., testified before Congress that his chain of four North Dakota convenience stores had spent roughly $134,500 to install POS and pump card readers that accept EMV chip transactions. At that time, NACS estimated that the average transition cost would be more than $26,000 per store, compared with an average profit of $47,000 per year.

Since the October 2015 EMV liability shift, many retailers have also been experiencing an outrageous increase in chargebacks, mostly erroneous. Counterfeit chargeback liability is unknown, and has not been divulged by Visa and MasterCard, despite industry efforts for clarification.

Last week the Merchant Advisory Group (MAG) sent a letter to Visa and MasterCard regarding ongoing challenges with the EMV transition for in-store deployments, and highlighted concerns regarding the feasibility of the payments industry being ready for the October 1, 2017, liability shift for fuel dispensers.

“Compounding the financial burden for small merchants is the liability shift already in place for in-store EMV transactions under which chargebacks have far exceeded expectations. And for larger retailers with many stores and multiple pumps at each location, the expense is staggering,” MAG wrote in the letter.

The NACS Show is just two weeks away, so if you want to learn everything you can about EMV, its hurdles and how to prepare for the next October 2017 liability shift, do not miss out on the education, guidance and discussions that will take place during the event.

Here’s how you can maximize your time at the NACS Show learning more about EMV:

  1. Participate in Technology Edge.
  2. Attend EMV-focused education sessions, such as “Are You Prepared for EMV?”
  3. Meet with vendors at the expo.
  4. Talk to members of Conexxus and industry experts at the Technology Edge Solutions Center.
  5. Talk to NACS government relations staff and general counsel in the NACSPAC Lounge.

On Capitol Hill, most of the efforts have so far focused on the aftermath of a data breach and notification requirements. NACS is urging policymakers to consider not only what happens after a data breach occurs, but also how to prevent breaches and fraud from happening in the first place. Protecting against fraud should be a top priority for all forms of payment, including mobile payments, and the best way to authenticate transactions is through a PIN or more advanced means.

NACS is advocating that retailers should have the option to require PIN on credit and debit card transactions and those that occur on a mobile device—the same protection banks require at ATMs.

PIN is the most secure authentication technology currently available and can be implemented now. All EMV chip-card readers are PIN-enabled with encryption security. When PIN is required, whether a card number or the card itself is stolen, a PIN protects consumers against fraud.

http://www.nacsonline.com/Media/Daily/Pages/ND1003161.aspx#.V_KCGvArK70

 

Advertisements

Visa Security Alert Threat Landscape: Pin Pad/POS Skimming

June 3, 2016

Incident Details

Visa Global Payment System Risk is aware of increasing incidents involving suspects placing skimming devices on point-of–sale (POS) terminals for the purpose of collecting payment card information, including PIN numbers. Perpetrators use this information to create counterfeit cards re-encoded with the stolen card information and make unauthorized ATM withdrawals. The primary targets for these recent skimming events are self-checkout terminals in supermarkets. However, any POS terminal may be at risk, including those that are often unattended, such as terminals near deli counters, coffee stands, etc. The perpetrators are mobile and will target multiple stores within a geographic area for a period of time before moving on to a new location. Most entities targeted are using payment devices that have not yet been upgraded to accept EMV cards.

Placement of Skimming Devices

Skimming devices can be placed at any time of the day but placement usually occurs during slower times of business when the perpetrators can go undetected by employees or other customers. The perpetrators will usually work in teams of two or more with one person being a lookout, one person placing the skimming device on the POS terminal and another creating a barrier so that no one can observe the skimming device being placed. Perpetrators have been known to use large items such as packs of paper towels to block the view of POS terminals. In some instances, it was reported that the suspects created a distraction in the store by faking a medical incident or causing commotion that distracted the attention of store personnel away from the POS terminals. The skimming devices will mimic the look of the front of the POS terminal.

Recommended Inspection & Response Actions

1. Prevention Through Device Inventory Management

  • In accordance with PCI DSS Requirement 9.9, ensure implementation of security controls to protect POS devices from tampering and substitution. Examples include:

Maintain a list of devices including the device serial number or other method of unique identification. 

Keep a list of device location either by store or physical location within the store itself (i.e., self-checkout, deli counter, manned checkout). 

Train personnel to be aware of suspicious behavior and to report tampering or substitution of devices.

 Verify the identity of any third-party persons claiming to be repair or maintenance personnel, prior to granting them access to modify or troubleshoot devices.  

2. Physical Inspection of POS Devices

  • Implement security procedures to inspect POS devices at least twice each day and at random times.
  • Physically examine the device. Skimming devices are typically attached with minimal adhesive allowing them to be place and removed with ease, so devices may be detected by giving the front of the POS/PED a good grab-and-pull. Weighing the devices may also identify tampering.
  • Please note some skimming devices are Bluetooth enabled and data can be captured without the device needing to be recovered.
  • When inspecting devices, use backup security personnel to monitor from a distance as suspects may watch compromised terminals and suspects are trained in counter surveillance to avoid detection/arrest.

3. Device Recovery Response

  • If a skimming device is discovered on a POS terminal, do not handle it, as evidence may be damaged.
  • Notify local law enforcement and the FBI or USSS office so they can recover the skimming device.
  • Protect any video surveillance that may be used to identify any perpetrators and confirm timing of when the device was placed on the POS terminal.
  • Initiate incident response procedures and notify your Acquirer so that Visa can assist with the investigation.

 

Information from VISA April 2016

For other questions, please contact Cyber Intelligence & Investigations via email at USFraudControl@visa.com

Additional Resources:

What To Do If Compromised

insightRS_blkblu

 


Support for older versions of Internet Explorer Ended

May 31, 2016

What is end of support?

Beginning January 12, 2016, only the most current version of Internet Explorer available for a supported operating system will receive technical support and security updates. Internet Explorer 11 is the last version of Internet Explorer, and will continue to receive security updates, compatibility fixes, and technical support on Windows 7, Windows 8.1, and Windows 10.

Internet Explorer 11 offers improved security, increased performance, better backward compatibility, and support for the web standards that power today’s websites and services. Microsoft encourages customers to upgrade and stay up-to-date on the latest browser for a faster, more secure browsing experience.

What does this mean?

It means you should take action. After January 12, 2016, Microsoft will no longer provide security updates or technical support for older versions of Internet Explorer. Security updates patch vulnerabilities that may be exploited by malware, helping to keep users and their data safer. Regular security updates help protect computers from malicious attacks, so upgrading and staying current is important.


Potential risk of using older versions of Internet Explorer:

Security

Without critical browser security updates, your PC may become vulnerable to harmful viruses, spyware, and other malicious software which can steal or damage your business data and information.

Compliance

Businesses that are governed by regulatory obligations such as HIPAA should conduct due diligence to assess whether they are still able to satisfy compliance requirements using unsupported software.

Lack of ISV Support

Many Independent Software Vendors(ISVs) no longer support older versions of Internet Explorer. For example, Office 365 takes advantage of modern web standards and runs best with the latest browser.

Click here to read more

 


Chargebacks on Credit Cards Happening NOW! #EMV

May 10, 2016

RETAILERS ON THE HOOK FOR COUNTERFEIT TRANSACTIONS

Chargebacks are on the rise following the October 2015 EMV liability shift, and convenience retailers are fighting back.
May 10, 2016

NEW YORK – Beginning with the October 2015 EMV liability shift, retailers that have not upgraded their payment terminals to accept EMV chip-card transactions are

on the hook

for counterfeit transactions, writes the Wall Street Journal, and this particular cost of fraudchargebacks—is adding up.

The news source reports that chargebacks among small and medium-size merchants increased 15% in Q4 of 2015 from a year earlier, according to a Strawhecker Group survey, adding that the volume of chargebacks has likely increased even more since then. Although the group didn’t put a dollar figure on the chargebacks, other experts put the total around the tens-of-millions of dollars mark.

Since the October 2015 EMV liability shift, many retailers are experiencing an outrageous increase in chargebacks that are mostly erroneous. Mike Lindberg, payment solutions manager at CHS Inc., commented during the Conexxus Annual Conference last week that some smaller retailers have reported a $10,000 to $15,000 increase in chargebacks per week, while larger retailers are experiencing $1 million in chargebacks per week.

I can’t imagine what will happen at the pump come October 2017,” Lindberg warned.

The No. 1 chargeback reason code since October 2015 is

merchandise not received,”

he said, which in theory makes no sense for the big box retailers. Some retailers are even seeing multiple chargebacks on the same credit card, and indicating that there is very little interest from card issuers or acquirers to help solve this costly problem.

Due diligence, however, can pay off. Convenience retailers experiencing a higher volume of chargebacks can successfully reverse the charges on challenge because convenience retailers aren’t within the October 2015 liability shift specification for type and applicability (i.e., the fuel dispenser).

“The banks will hopefully learn from the first October 2015 liability shift what is chargeable, because right now it’s a

‘charge it all back and see what gets challenged’

approach,” said Gray Taylor, executive director of Conexxus. He previously told NACS Daily that this approach to chargebacks “will have dire consequences for small to mid-size retailers, who can scarcely afford dedicated chargeback staff.”

NACS Online article found here


MAKING PEOPLE SMILE in Seattle

March 28, 2016

A Chevron gas station in Seattle uses its sign to entertain customers, rather than inform.
March 28, 2016

​SEATTLE – Usually signs are in the business of letting potential—and current—customers know about sales, special events and other information related to the company. Most convenience stores use outdoor signage to highlight specials and products, but the Wallingford Chevron gasoline station and convenience store has taken a different tack: humor.

For more than a decade, this station’s sign has posted amusing sayings to the delight of customers and residents. The genesis of the humorous postings is traced back to when the owners replaced an auto repair shop with a convenience store. To get the word out about the change, the owners hit on the idea of entertaining signage, the News Republic reports.

Popular messages include:

  • Ban pre-shredded cheese—make America grate again.
  • If attacked by a mob of clowns, go for the juggler.
  • When it’s raining cats & dogs, don’t step in a poodle.
  • A clear conscience is the sign of a fuzzy memory.
  • Hold the door open for a clown. It’s a nice jester.
  • Ever stop to think and forget to start again?
  • The past, present & future walk into a bar. It was tense.
  • I child-proofed my house but the kids still get in.
  • If pride comes before a fall, humility should come by winter.
  • I checked into the hokey-pokey clinic & I turned myself around.

The station has a dedicated Facebook page for the Wallingford Sign with photos of its most popular ones.

Full article found here:

NACS online


CHIP CARD DELAY FRUSTRATES RETAILERS

March 24, 2016

Delays in POS equipment certification have many retailers frustrated and worried about huge spikes in chargebacks.

March 24, 2016

​NEW YORK – Avi Kaner, a co-owner of the Morton Williams supermarket chain in New York, has spent about $700,000 to update the payment terminals at his stores to accept EMV chip cards. However, he can’t turn them on, writes The New York Times, a bottleneck in offering a more secure payment process that is frustrating retailers—both large and small—across the United States.

Since the EMV liability shift took place on October 1, 2015, retailers have been essentially put on hold to get their payment terminals certified to accept chip cards.

The Times reports the cost of waiting is piling up. “It’s been very frustrating,” Kaner told the news source, noting that he purchased most of the upgraded POS equipment before the Oct. 1 deadline, and he’s still waiting for certification. The delay, he says, has cost him thousands of dollars in payments for fraudulent purchases. “There’s no recourse,” he said.

“The long delays are just the latest black eye for the deployment of the new systems,” writes the Times, noting that some consumers haven’t even received new credit and debit cards with the embedded EMV chip.

First Data, one of the largest payment processors, told the Times that about 20% of the four million American merchants it works with are in the process of being certified, a procedure than can take weeks to months.

Mallory Duncan, general counsel at the National Retail Federation, told the Times that the payments industry was unprepared to handle the flood of certification requests around the Oct. 1 liability shift deadline. “They didn’t allow for enough time or people to perform this certification,” he said. “Merchants have gotten slammed because they weren’t able to get certified, because the networks failed to provide the necessary resources to do that.”

Kaner commented that since Oct. 1, customers who have contested charges made with their EMV-enabled cards have been successful in reversing transactions, and he’s worried that some customers will use the Oct. 1 liability shift to get out of paying for legitimate purchases. Chargebacks, he said, have increased significantly. “It started out as a trickle, and now it’s turning into a flood,” he told the Times. “In the first couple months, it might have been a few hundred dollars a month. Now, it’s thousands a month.”

“The convenience and fuel channel has numerous retailers in the same situation, having invested upwards of $30,000 per site to be hardware-ready for EMV, only to be put on perpetual hold with approved software,” said Gray Taylor, executive director of Conexxus. “These retailers are trying to avoid the inevitable manufacturing and installation bottlenecks to do the right thing and get ahead of the curve, only to be on perpetual hold by an over-burdened vendor community trying to navigate late specifications and complex certifications. This is what happens when you simply choose a deadline, like the card brands did, without diligence. The premium retailers will pay for this ‘hurry up and wait’ situation and it will result in higher consumer prices.”

=====================================

Thanks NACS for this article. Retailers aren’t the only ones frustrated, resellers share equally in the frustration.

http://www.nacsonline.com/Media/Daily/Pages/ND0324161.aspx?utm_content=NACS%20Daily%20032416:%20newsarticle1%20(Chip%20Card%20Delay%20Frustrates%20Retailers)&utm_source=NACS%20Daily&utm_campaign=NACS%20Daily%20032416&utm_medium=email&utm_term=343490#.VvQaOOIrK70

 

 


11 Strategies for Market-Basket Growth

March 2, 2016

Opportunities abound in wine, chocolate and … newspapers?

Published in CSP Daily News

By Jennifer Bulat, Group Director of Editorial Production, CSP 18

DALLAS — Did you know that people buy chocolate with just about anything else in the store? That people have had $700 more in their accounts since last year? And that customers shop a convenience store in the evening the way they do a small grocery store?

In the session “Boosting the Convenience Market Basket” at CSP’s Convenience Retailing University, Don Burke, senior vice president of Management Science Associates Inc., Pittsburgh, analyzed data compiled from three convenience-store retailers and offered these tips:

  1. That $700 extra consumers have comes from lower gas prices. While in-store sales are up 3% as a result of customers spending less on fuel, “You have to work a little harder to get that money now,” Burke said.
  2. Revenue from fuel sales is down, but dollars from those sales aren’t down as much because people have been “buying up”—purchasing higher-octane gasoline instead of regular. However, 85% of fuel customers don’t buy anything in the store. How can you get them inside? With signage promoting the top in-store categories. (See No. 9.)
  3. Speaking of those categories, some of the fastest growing (in the latest 13 weeks of data vs. the same time a year ago) are wine (up 12%), beer (10%), cold vault/energy drinks (9%) and ice cream (8%). Many of these are up as a result of consumers wanting to treat themselves via the extra cash they have, Burke said.
  4. And more on wine: The “sweet spot” price for wine in the c-store is $8 to $12, and the wine market basket is $18.62 on average. However, Burke says some folks are willing to spend $24.99 for a good bottle. Make sure customers know you have high-quality items and some may bite. Even better: Many of those who purchase wine buy hard liquor with it, so make sure the displays are close together.
  5. Two other complementary liquids: water and carbonated soft drinks. “Always leverage and market your cold case together” for bundling opportunities, Burke said.
  6. Who knew? People tend to buy a newspaper when they buy a lottery ticket, according to MSA data. “If you want to sell more newspapers, put it near the lottery machine,” he said.
  7. Most beer is purchased between 3 and 11 p.m., usually when folks are on the way home from work. “Put a six-pack on your (checkout) countertop just to remind them,” Burke said.
  8. Total store sales peak between 4 and 5 p.m. And sales of milk spike in the later hours. “People shop c-stores in the evenings the same way they do a small grocery,” he said.
  9. In a market-basket analysis of the top categories, chocolate always pops up as something customers will buy with another product. Those fuel customers who don’t come into the store (see No. 2) might be lured inside by a promo on chocolate candy.
  10. Thirty-six percent of customers who buy beer make that their sole purchase. The category purchased second most often with beer? Family planning. Safety first!
  11. Finally, it’s not just hype: MSA numbers show stores that offer foodservice have 2% higher sales than those without. And when people purchase foodservice, they buy something else 82% of the time. 

 

insightRS_blkblu


%d bloggers like this: