credit card mess

Upload: prashanti-nuthangi

Post on 30-May-2018

TRANSCRIPT

  • 8/9/2019 Credit Card Mess

    1/27

    Today's Roadmap

    Defining the Mess

    Alphabet Soup

    Operational Options and Risk

    Alternative Payments

    Motivation

    Credit Card associations are concerned!

    Fraud

    Identity Theft

    Business Model

    In 2005

    Fees collected from merchants: $48.6 billion

    Average fee 2.2% per sale for Visa and MasterCard

    An Unprecedented Event

    December 2006: Visa holds a Payment Application Vendor Conference

    83 companies attended

    11 companies from the parking biz

    John Van Horn arranged meetings before and after the VISA conference for the parking industry attendees

    Complus Data Innovations

    Digital Payment Technologies

    Federal APD

    Hamilton Manufacturing

    IntegraPark

    Parkeon

    Scheidt & Bachmann

    SKIDATA

    T2 Systems

    VenTek

    Zeag USA

    Who's Who in the Zoo?

    [Diagram: Card Association, Cardholder, Merchant, Acquirer, Issuer]

    Transaction Authentication

    [Diagram: Card Association, Cardholder, Merchant, Acquirer, Issuer]

    How the Benjamins Move

    [Diagram: Card Association, Cardholder, Merchant, Acquirer, Issuer]

    Today's Roadmap

    Defining the Mess

    Alphabet Soup

    Operational Options and Risk

    Alternative Payments

    Most Common Acronyms

    CISP, SDP, DSOP, DISC

    Individual security programs from Visa, MasterCard, American Express, and Discover. These have mostly been replaced by PCI DSS; however, the terms are still floating around.

    PCI DSS

    Payment Card Industry: The association created by Visa, MasterCard, American Express, JCB, and Discover to set industry standards.

    Data Security Standard: The "digital dozen" items associated with providing data security.

    YAA (Yet Another Acronym)

    CVV2

    Card Verification Value: This is a 3 or 4 digit number used for fraud prevention. It's printed on the card, but not found in the mag-stripe.

    More Acronyms (Payment)

    ACH

    Automated Clearinghouse: An inter-branch banking standard for handling large batches of small transactions.

    HTTPS

    Hypertext Transfer Protocol (Secure): The technology used to ensure web page data can't be snooped.

    Gateway

    Not an acronym, but a common term. It is the software or application that talks to a processor.

    Even More Acronyms (Security)

    AVS

    Address Verification System: A system to ensure that the cardholder's provided address matches the one on file.

    PABP

    Payment Application Best Practices: Guidelines to assist software developers and vendors to create secure payment applications.

    QSA

    Qualified Security Assessor: Any company approved to provide certification of PCI DSS compliance.

    Today's Roadmap

    Defining the Mess

    Alphabet Soup

    Operational Options and Risk

    Alternative Payments

    PCI DSS Compliance

    PCI DSS (Payment Card Industry Data Security Standard) is a combination of two things:

    Software used for transaction processing

    Merchant's supporting network and environment

    [Diagram: the two combine into PCI DSS Compliance]

    PCI Compliance Elements

    1. Build and maintain a secure network

    2. Protect card holder data

    3. Maintain a vulnerability management program

    4. Implement strong access control measures

    5. Regularly monitor and test networks

    6. Maintain an information security policy

    Your Payment Gateway

    What is a Gateway?

    Merchant chooses gateway software to connect one (or more) Acquirers

    Authentication Options:

    Dial-up (phone)

    Dedicated line (phone)

    Cellular data (wireless)

    Internet (agnostic)

    [Diagram: Merchant, Acquirer, Gateway]

    Payments

    Card Present versus Card Not Present

    Card-not-present is considered at higher risk of fraud, so it carries higher fees

    Signature Requirement

    New rules allow transactions under $25 (and card present) to be processed without a signature.

    Three Elements of Authentication

    Any one of these alone is thought of as weak security. Two (or more) are considered strong security.

    Something you HAVE

    Something you KNOW

    Something you ARE

    CVV2: the Good, the Bad, and the Ugly

    Good

    A CVV2 code is a way of trying to ensure "something you know" in addition to "something you have".

    Bad

    You only have the "something you know" when you have the "something you have". So is it really a second security element?

    Ugly

    Fraudulent web sites collect and save this data anyway, sell it on the open market.

    Biometrics? No thank you!

    Biometrics

    Using finger and palm prints, retina and voice scanning, facial and gait recognition

    Problems:

    Not all biometrics are unique (example: twins have the same fingerprints)

    If compromised, your biometric is invalid forever and you can't change it!

    Today's Roadmap

    Defining the Mess

    Alphabet Soup

    Operational Options and Risk

    Alternative Payments

    Credit Card Competition

    The weaknesses of credit cards are creating opportunities for competitors:

    Micropayment Aggregators

    Pay-by-cell

    PayPal

    Smart Cards, RFID, and e-Wallet

    Micro-payment Aggregators

    Aggregators attempt to group payments together to reduce transaction fees.

    Advantages

    Reduced transaction fees

    Parker access to payment history

    Loyalty program

    Disadvantages

    Only provides value when there are multiple transactions on the same card within a given time

    Slight delay in settlement

    Pay-by-Cell (PbC)

    Advantages:

    Augments usage of existing single-space meters (and other metering devices)

    No additional cost to the parking office to implement this offering (PbC company usually provides the signage and advertising).

    Works with multiple zones, rates and tariffs.

    Disadvantages

    Completely dependent on real-time wireless handheld enforcement.

    PayPal

    PayPal is the standard for Internet money.

    End of 2006 there were 133 million accounts (most active)

    PayPal processes more transactions annually than American Express!

    How PayPal works:

    Online customer creates an account, puts money in the account using a credit card.

    Money is drawn from the account as the customer makes purchases online (or can draw off a credit card).

    Recent expanded offerings:

    Send money online

    Text to Buy

    Online debit card

    Smart Cards, RFID, and e-Wallet

    Smart Cards

    Though capable of so much more, these are primarily being used as electronic wallets.

    Money is loaded onto the card electronically and debited with each use.

    RFID tags are unique identifiers associated to a user's account

    PayPass

    SpeedPass

    E-Z Pass

    Questions

    Thank You!