The Upcoming Changes to PCI-DSS and Timeline for v4.0


The PCI Data Security Standard (PCI-DSS) is a global standard that provides a baseline of technical and operational requirements designed to protect account data and information.

Recently, the PCI Security Standards Council (PCI-SSC) announced changes coming to the Data Security Standard. The announcement includes vital information that every ISV, VAR, and business accepting credit cards should be aware of in order to remain compliant and avoid compliance fees.

The beginning stages of v4.0 started in 2017 with changes to v3.2.1. These changes were adopted in the latest version of PCI-DSS, and the work was initiated in Q1 of 2020, during the global pandemic. The switch from v3.2.1 to v4.0 therefore happened in a time of uncertainty. With the completion of v4.0, the supporting documents (linked below), programs, and updates to training material were completed and rolled out in Q4 of last year (2021).

The development of PCI-DSS v4.0 was driven by industry feedback and furthers the protection of payment data with new controls and more flexibility for the merchant. As the payment card industry evolves, so do the technology and the attacks against it. Version 4.0 lets the PCI-SSC stay ahead of the curve and creates avenues to help businesses upgrade from v3.2.1.

The 4 Main Changes for PCI-DSS v4.0

1. Increased requirements for Yearly Diligence for Merchants and Service Providers

      • Every 12 months and upon a significant change, businesses must document and confirm their PCI DSS scope.
      • Any merchant that uses the customized approach must perform a targeted risk analysis, which must be approved by senior management.
      • An annual review of hardware and software must be completed, with a plan to remediate outdated technologies.

2. New Customized Approach

      • The customized approach still retains the requirement to evaluate risk, but it allows a more strategic pathway for businesses with robust security processes and strong risk management practices.

3. Expanded Risk Analysis Guidance

      • PCI DSS 4.0 also provides expanded guidance on conducting a risk analysis. Risk analysis has always been part of PCI DSS, most visibly as part of the compensating control worksheet. The new version includes a Sample Targeted Risk Analysis Template (PCI DSS Appendix E2), which explains in more detail how the PCI-SSC expects a risk analysis to be carried out.

4. Clarifications to “Significant Change” Standard 

      • PCI DSS v4.0 also clarifies some of the key concepts of PCI-DSS, especially what constitutes a “significant change”. The definition in v4.0 is more detailed than before, because older versions never defined the term specifically. V4.0 offers clarity and examples of what a “significant change” is, along with processes for staying compliant while changes are made.

Projected PCI v4.0 Implementation Timeline

PCI DSS v3.2.1 will remain active for two years after v4.0 is published. However, it is never too early for ISVs, VARs, and merchants to become familiar with the latest version and build a plan for implementing changes as needed.

PCI DSS v4.0 provides clarity on common issues related to PCI DSS and offers significant flexibility for merchants who already have their own security standards in place. As changes are announced, BOLD will continue to update this article with the latest information provided by the PCI-SSC.

Sources:
https://blog.pcisecuritystandards.org/countdown-to-pci-dss-v4.0
https://listings.pcisecuritystandards.org/documents/PCI-DSS-Summary-of-Changes-v3_2_1-to-v4_0.pdf
https://www.mwe.com/insights/pci-dss-4-0-introduces-transformational-change/


=
Covering the Upcoming Regulations to Cash Discounting


The industry and what we consider “cash discounting” is changing. As regulations from the card brands begin to mount, many merchant processors are looking to offer a variety of compliant fee-based programs for their merchants. As BOLD continues to uncover details, the direction of the card brands is becoming apparent. To understand where we might be headed, it is important to understand where it all began.

History of Cash Discounting

“Cash Discounting” found its niche in liquor stores and gas stations in the early 2000s as business owners looked for cost-cutting measures. Before the card brand regulations of 2011, companies were charging card-paying customers excessive fees in order to cover the cost of merchant processing, and then some. Since the introduction of the Durbin Amendment, however, rules have been in place to protect card-paying customers and business owners while opening the door for businesses to run a “compliant” Cash Discounting program.

In § 920 Section 4 of the Durbin Amendment (Reasonable Fees and Rules for Payment Card Transactions), the term “discount” is defined, and the definition makes abundantly clear that any program adding a fee to the regular price is not a “cash discount” as the Durbin Amendment uses the term. This is the rationale for using terms such as “non-cash adjustment” rather than “cash discount”, and it is a large part of why we are in the current situation.

Current State of Cash Discounting

In terms of Cash Discounting, perhaps the biggest takeaway from the Durbin Amendment is that business owners MUST treat their program as a DISCOUNT on their regular price rather than as a FEE. Many merchants began promoting their regular pricing as including a non-cash adjustment, allowing customers who pay with cash to avoid the NCA (non-cash adjustment). With this pricing model in place, “Cash Discounting” programs were quickly rebranded as in-kind incentives and/or non-cash adjustments.

However, card brands have recently had difficulty regulating merchants running these types of programs. Cardholder complaints about excessive and inconspicuous fees have increased drastically as merchants implemented unregulated programs that were NOT forthcoming about the difference in pricing (violating § 920 Section 3).


=

Possible Future of Cash Discounting/Fee-Based Programs

The card brands’ (Visa, Mastercard, Amex, Discover) regulation of the terminology used and of how the program is presented has prompted software vendors and merchant processors to change their software and practices in order to adopt the current updates.

Terms such as “in-kind incentive” and “non-cash adjustment” are being phased out and replaced with a “Dual-Pricing” structure. As of the day this blog was originally posted, Dual Pricing is the safest method of running a fee-based program without the need to register with the card brands. The details of Dual Pricing will vary from state to state based on state and local laws, but here are some of the high-level points of this type of program:

    • The credit card receipt will no longer contain a separate line item informing the customer that they are being charged for using a credit card (i.e., a non-cash adjustment).
    • Cash pricing and credit card pricing will more than likely need to be displayed separately on menus, shelves, and promotions.
    • All cardholders must be notified of the final total BEFORE the credit card is run (more than likely the terminal/POS system will need to distinguish between, and provide, a cash receipt and a credit card receipt).
    • Signage will still need to be highly visible throughout the establishment, informing cardholders of the differing prices.

BOLD will continue to monitor and update this blog as changes arise. In the meantime, should you have questions, please contact us by filling out the form below or emailing us at info@boldpay.io.

Disclaimer- The information provided does not, and is not intended to, constitute legal advice; instead, all information, content, and materials are for general informational purposes only.


=

TIN Validation: Defined, Preventing, and Resolving


Tax season has arrived and has, once again, proven to be one of the most arduous times of the year. As millions of citizens scramble to seek resourceful and legitimate guidance from tax accountants, merchants rely heavily on the attentiveness of their ISO principals and processor officials to take preventive action against the complications that can result from invalid TINs.

TIN Validation Defined

According to the Internal Revenue Service (IRS), “A taxpayer identification number (TIN) is an identification number used by the IRS in the administration of tax laws” (although TINs are also issued by the Social Security Administration (SSA)).

BOLD Integrated Payments’ own Client Services Specialist Brian McPherson was gracious enough to share his guidance regarding TIN validations. McPherson’s knowledge of this topic has grown considerably after completing even the most arduous of TIN cases. In short, TIN validation is a process in which legal officials validate a taxpayer’s/business’s tax filing status by ensuring that the following three parameters of the entity profile match those listed on the IRS profile:

  • Corporate/Legal Title
  • Identification Number
  • Business Type (a few of the most common types include Sole Proprietorship, Partnership, LLC, Corporation, and S Corporation)

Preventing Invalid TINs

All partners are strongly advised to take preventive measures to maintain the validity of their merchants’ TINs. To do so, partners should proactively cross-check their merchants’ legal entity titles, identification numbers, and business types between the merchant profiles and the corresponding IRS profiles.

Should any discrepancy be identified, the TIN status will be declared invalid. A remarkably common discrepancy that can be avoided during the merchant boarding process involves differences in acronyms, characters, special characters, or punctuation in the Legal Title. It is critical that the tax filing name be completely identical to the corporate title on the application.

Risks of Invalid TINs

The ramifications of an invalid TIN include a monthly penalty fee of $49 until the TIN is validated. Should the merchant neglect this beyond 365 calendar days, the taxpayer profile will go into backup withholding at the end of the fiscal year, a serious consequence that typically impairs the affected business’s operations, as 24% of its business revenue will then be withheld by the government for one calendar year, or until the merchant files taxes for the following calendar year, at which point the TIN is resubmitted into the validation process for review.

How to Resolve Invalid TINs

To resolve an invalid TIN, there are 3 steps that a partner/processor can take:

  • Submit a W-9 form completed with information that is identical to the IRS profile.
  • Obtain a copy of the merchant’s driver’s license for security verification purposes.
  • Obtain a copy of the merchant’s tax return from the previous year for identification review.

BOLD partners may submit the above documentation to Priority Payment Systems via their online portal https://www.pps.io/ or support line at 1-800-935-5961.

Agents should consult the Secretary of State webpage for the state in which each merchant’s business is located.

For more information regarding TIN matching, visit IRS.gov | TIN Matching


=
Part II: History and Future of Contactless Payments


Read Part 1: The History and Future of Contactless Payments Here

WHAT MAKES CONTACTLESS UNTOUCHABLE?

Formerly known as “card machines,” terminals have provided the general public with a reliable payment system that is both undervalued and overlooked. History’s first card machine revolutionized the payment system shortly after AMEX developed the first plastic payment card in 1959. Although it was not electronic, the machine “enabled merchants to produce an imprint on carbon paper slips intended for the bank, merchant and customer as proof of purchase” (Sorenson, 2019) for the first time in human history.

TRIED AND TRUE CREDIT CARD TERMINAL

The same year in which Americans celebrated their first Earth Day, the first electronic card machine was presented to the general public, in keeping with the ideology of conservation. Thanks to tech giant IBM, the magnetic-striped payment card, otherwise known as the credit card, was introduced with the IBM 360 (Sorenson, 2019). The magnetic stripe proved not only more efficient but also more secure than its manual-entry predecessor, as the author regards the swipe strip as a brilliant form of encryption of personal data: the strip contained the “name of the cardholder, card number, authorization code and expiry date of the card.” (Sorenson, 2019)

THE EVOLUTION TO EMV

In recent years, the world has been introduced to a new method of encrypted payment known as the EMV chip. Formerly known as “the smart card” (as dubbed by its inventor, Roland Moreno), the chip saw its use increase exponentially within the same decade, following its invention in 1975. In fact, chip use became mandatory in France as of 1992. However, as with many technological and societal advancements, the US fell behind, as EMV technology was not fully integrated into the American payment sector until early 2015. Priority I.S.’ Vice President of Client Services Robert Copeland seems to welcome EMV technology with open arms.

“When looking at security of payments, it is important to look at how we got here. During my lifetime, mag-stripe had long been the conventional method of payment,” Copeland reminisces. “Most Americans will think that EMV is a relatively new concept, but the usage of chip cards really began in the mid-90’s.” Going into detail, Copeland explains that there are 2 types of EMV, chip and PIN versus chip and signature, and that EMV, beyond the encryption capabilities of the mag stripe, addresses general security concerns with the added protection of a PIN or signature.

THE CONTACTLESS ERA

Two decades and two global pandemics later, the modern generation has come to adopt contactless technology as a necessity. While convenience defines the modern way of life, a newfound fear of deadly germs became the centerpiece of 2020. Perhaps interpersonal trading was destined to integrate with an untouchable payment system known as contactless payments. As it turns out, mobile payments are not always contactless: any device that makes payments using radio-frequency identification (RFID) technology is using contactless payment technology (NFC, 2017), in which near field communication plays the vital role of making contactless actually contactless. As cited from NearFieldCommunications.Org, “the first example of contactless payment came in the form of Speed-Pass in 1997. Mobil gas stations offered contactless payment devices that clipped onto a key ring. The customer waved the device over a labeled square at the gas pump and paid instantly.” (NFC, 2017)

Having experienced countless trials and tribulations within the payment industry, President/CEO of Priority I.S., Gary Liu, can attest to the rise of contactless payment.

“In my opinion, I do see contactless payments continue to grow in popularity here in the U.S.,” Liu attests. “Especially over the past 12-15 months during Covid, contactless payments have increased; especially in the early stages of the pandemic, during which many avoided surface contacts in fear of virus transmission.” Liu also expresses that contactless payment is not only the safer decision but the sounder decision as well. “It’s become much easier to make a payment at Publix, etc., by simply pulling out your mobile phone.” With human-to-human contact going out of trend, Liu believes that QR codes hit a home run in the restaurant industry, as they are not only “contactless, but it is more convenient and a quicker method for consumers to make their payments without having to interact with their servers.”

Even Priority I.S. CS VP Robert Copeland, long-time EMV advocate, endorses the potential of contactless that is bound to win over even the least technology-savvy. “When you carry RFID credit cards, you need to make sure that you carry them in an RFID-protected device, and we never were told to do that with magnetic swipe or EMV. Security concerns only become more prominent with virus-laden emails and mobile links. Hackers can then steal the personal data on your device(s), which poses as more of a privacy concern in itself,” Copeland explains, “However, I will take my chances with that over having to worry the guy behind me stealing data from my physical card. The reliability of contactless is mostly dependent on how you use it.”


=
Part 1: The History and Future of Contactless Payments


TRANSPARENT TRANSACTIONS YOU CAN’T TOUCH.

As with all elements in this evergreen society of progression, every evolutionary idea eventually runs its course. Within the financial sector, this generation is watching as paper currency hits the iceberg and sinks into the depths of the Atlantic. Even before the devastating impact of a global pandemic, the use of cash had been in steady decline, with the share of cash transactions falling from 40% in 2009 to 30% in 2019.

COVID’S EFFECT

Put plainly, Covid-19 put the final nail in the coffin of cash. With deadly germs running rampant, countless cash users turned to digital payments for fear of virus transmission via the recycled nature of cash.

Furthermore, the rise of technological advancements is disengaging the general public from traditional notary. As referenced from Barry McCarthy of Forbes Magazine, Visa’s Back to Business study found that 54% of consumers opted for retailers that offered contactless payment as an option (McCarthy, 2020). At the mention of contactless payments, Apple/Google/Samsung Pay often come to mind. However, payment methods have expanded to the likes of QR codes on pre-pay apps such as Klarna and Afterpay, through which consumers can make purchases with an advance of the exact amount in the form of a temporary credit card, after which the user pays off the total in increments over 4 weeks (or longer, at the expense of additional interest).

ADAPTATION

As quarantine mandates took effect across the world, many became reliant on contactless delivery services such as Instacart, Uber Eats, DoorDash, and newer meal-kit services like Hello Fresh & Blue Apron. Even before the pandemic hit, corporate giants were slowly catching on to the public’s inherent disinterest in interpersonal transactions. In 2007, Amazon launched the Amazon Fresh grocery delivery service, and the pandemic proved to be the determinant of its delayed success in 2020. On January 22nd of 2018, Amazon went a step further in launching its first Amazon Go, a store that incentivizes customers with the added convenience of a grab-and-go model, by which shoppers enter the storefront via QR code, grab the desired products, and go.

Now more than ever, quick-pay options are in high demand. Payment methods are ever changing, and now we have arrived at one that our generation can call its own, one that cash or card can’t touch.

Having explored the various contactless payment methods on the market, it is vital that more consumers understand the mechanics behind these seamless transactions. Millions of people joyfully bask in the convenience of features such as QR codes or Apple/Google/Samsung Pay without understanding the mechanisms that make them possible. Join us for “Part II: What Makes Contactless Untouchable?”, in which we explore the mechanical inventions of PAX’s A920/A80, Dejavoo’s Z series, and the newest Clover terminals that make in-store contactless processing possible.

Read Part II: History and Future of Contactless Payments Here


=
COVID’s Effect on PAX and Dejavoo Terminal Shortage


COVID’S EFFECT ON TERMINAL PROCUREMENT 


Due to the effects of COVID-19, shipments of the PAX S300 and several Dejavoo devices appear to be on hold until May 1st, if not later. In this blog, we shed some light on the situation at hand and share insight on terminals that could serve as effective alternatives.

THE 2020 STRUGGLE WAS NO TOILET PAPER… NOW IT’S TERMINALS?

Remember that one time stores couldn’t seem to keep toilet paper on the shelves? Oddly enough, terminals seem to be the next unexpected shortage, at least for the merchant processing industry.

Are You Struggling with Receiving Shipments from Manufacturing Companies?

Perhaps some of you are aware of the growing battle between high demand and low supply of POS terminals. PAX devices, along with Dejavoo units, have been heavily impacted by shipments failing to make it from Point A to Point B. We are here to give you the 411 on how this situation may impact your business and to share possible solutions.

PAX Terminals

In this tug of war for terminals, the PAX S300 has taken the biggest hit. It currently holds the number one spot among POS and EMV semi-integrated solutions. After connecting with several of our vendors, it appears that every ounce of their stock is now depleted. It’s possible the inventory won’t be available until May 1st, if not later. So what’s the next step?


Below are some alternatives that are currently high in stock:

  • PAX SP30

This device is the closest you will come to an S300. Their functions almost mirror each other completely, and both come with the exact same cords. The benefits of choosing the SP30 are its lower price and its potential to be a permanent alternative to the S300.

  • PAX A80


The unique feature the A80 offers is its ability to operate in two modes: a stand-alone mode and a semi-integrated mode. These devices are in high supply and will be an effective stopgap for the S300 shortage.

Dejavoo Terminals

This week, Dejavoo announced that it will raise its prices as a result of the device shortage. The increase takes effect on May 1st; however, Dejavoo is offering a discount to those who are able to use a device without a dial-up connection.


On top of that, they announced that the cheaper Z8 model is out of stock and that they are unsure when the next shipment will arrive in the US. The Z11 is an available option, although recent software issues have caused the company to send out additional replacements. That said, stock numbers for that device may decrease quickly.

Why Cash Discounting is Important

This shortage has the potential to negatively impact businesses in multiple ways. However, Cash Discounting presents an important opportunity in these cases. An influx of interest in third-party applications for cash discounting is expected. If and when this arises, it is vital that your relationship managers are willing and able to provide a cash discount option across a variety of devices.
