An Overview of Payments for the Bikeshare Market
Provided by North American Bikeshare Association
Presented by Mantrana Partners
February 18, 2015
(Photo: Boulder B-cycle)
Presenters
Lora Vigil brings over 15 years of technology experience ranging from software development to enterprise architecture; a decade of that was spent in the retail space focusing on order management, payment acceptance, and card issuance. Lora received her MS in Computer Science & Engineering from the University of Washington and a BS in Mechanical Engineering from the University of Kansas. Lora is a member of the Women’s Network in Electronic Transactions and co-organizer of the Denver Payments Meetup.
Mark Ericksen has two decades of technology experience in which he has architected complex e-commerce, payment systems, and computational solutions. He is also a practitioner in credit card and payment processing, EMV migration strategies, and vendor technology selection. Mark received his BS in Computer Science from Pacific Lutheran University. Mark is an active member of the ETA Professional Development Council, ETA Technology Council, and co-organizer of the Denver Payments Meetup.
Mantrana Partners
800.844.8240
partners@mantranapartners.com
Objectives
• Gain insight on the payment process from transaction authorization to the receipt of funds
• Be equipped with knowledge surrounding payments and merchant processing to help grow your organization as payments evolve
Agenda
• Overview of the Payment Process
• Security and the Payment Card Industry (PCI)
• EMV Chip Cards
• Mobile and Other Forms of Payment
• Interchange, Fees, & Chargebacks
• Summary
OVERVIEW OF THE PAYMENT PROCESS
(Photo: BIXI)
The Big Scary Payment Picture
(Image: Payfirma Payments Ecosystem 2014, https://www.payfirma.com/wp-content/uploads/2014/09/Payfirma-PaymentsEcosystem2014.jpg)
A Simplified Payment Flow
(Diagram: Merchant → Payment Gateway → Merchant Banks → Card Brands → Issuing Banks)
Merchant Accepts Payment
• Customer Interacts with Merchant
• Minimize Friction
• Usability Builds Customer Confidence
• Balance Fraud & Customer Experience
Payment Gateway
• Connects Merchants with Banks
• Buffers Merchant from direct Bank connections
• Can Provide Security (encryption, tokenization) and Certification Services
Merchant Bank (Acquirer)
• Routes Transactions to Card Brands
• Where Payments Are Deposited
• Processing Services Outsourced or In-House
Card Brands
• BIN Number Identifies Card Brand
• Routes to Issuing Banks
• Open Loop vs. Closed Loop
• Credit and Debit Networks
• Signature vs. PIN Debit
Issuing Banks
• Makes Approval Decisions
• Liable for Consumer Fraud
• Processing Services Outsourced or In-House
Authorization Response
• Approve: Transaction Complete
• Decline: Request Alternate Tender
• Referral: Voice Authorization; Candidate for Attended Terminals
Clearing and Settlement
• Terminal Capture
◦ Merchant Sends Capture Request at End of Day
• Host Capture
◦ Processor or Gateway Manages Capture Request
• Captured Authorizations and Refunds are Cleared and Settled Each Day
• Funds Paid from Issuing Banks to Merchant Banks
SECURITY AND THE PAYMENT CARD INDUSTRY (PCI)
(Photo: Sobi Social Bike)
Breach Avoidance
• Cannot Fully Prevent Data Breaches
• Data Has Value
◦ PAN + Expiration Date can be used for online purchases
◦ Magstripe data can be used to create counterfeit bankcards
• Useless Data is Worthless Data
◦ Hackers move on if they cannot profit from the stolen data
(Image: card showing the Primary Account Number (PAN) and Expiration Date)
Encryption & Tokenization
• Common Encryption Algorithms
◦ Triple-DES
◦ AES – Advanced Encryption Standard
◦ DUKPT – Derived Unique Key Per Transaction
◦ PKI – Public Key Infrastructure
• Common Encryption Uses
◦ Debit PIN
◦ Digital Certificate Verification
◦ NEW: PAN (and discretionary data)
• Tokenization
◦ Substitute for sensitive data
◦ Managed by Token Service Provider
(Diagram: payment flow with the Payment Gateway as an example Token Service Provider and Decryption Endpoint (could also be the Acquirer or Card Brand); legend: Clear PAN, Encrypted PAN, Token)
Payment Card Industry (PCI)
• Created by Card Brands
◦ American Express, Discover, JCB, MasterCard, Visa
• Current Version: PCI DSS 3.0
• Objectives
1. Build and Maintain a Secure Network
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
PCI Scope
• PCI Protects Data
◦ In Transit – traversing a network
◦ At Rest – stored in a database
◦ Processed – captured at terminal
• Understand your Cardholder Data Environment (CDE)
◦ Know What is In Scope
◦ Know What is Out of Scope
• CDE May Include Your Employees and Vendors
(Diagram: Example CDE Scope Boundary marking components In Scope and Out of Scope: Kiosk Payment Terminal, Payment Gateway, Admin Portal, Website, Office PCs, Office Database, Customer Service PC and Customer Service Agent, Operator, Bikeshare Vendor, Payment Vendor)
PCI Scope Reduction
• Understand CDE Boundary
◦ Flow of Payment Data
◦ Who Can Access Payment Data
◦ Storage of Payment Data
◦ Vendors & Partners Handling Your Payment Data
• Reduction Techniques
◦ Network Isolation
◦ Encryption & Tokens
◦ Smart Terminals
(Diagram: Before and After Example CDE Scope Boundary for a kiosk: Bankcard → Kiosk Payment Terminal → Payment Software → Payment Gateway, with the Vendor Database; legend: Clear PAN, Encrypted PAN, Token)
PCI Scope Reduction (continued)
• Browser
◦ Downloads JavaScript to Encrypt PAN
◦ Downloads JavaScript to request one-time token from Gateway
• Web Server
◦ Performs Authorization with one-time token
(Diagram: Before and After Example CDE Scope Boundary for e-commerce: Bankcard → Customer Browser → Web Server → Payment Gateway; legend: Clear PAN, Encrypted PAN, Token, One-Time Use Token)
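The browser-side one-time token flow on this slide, as an added example that is not part of the original deck: the Payment Gateway is modelled as the Token Service Provider, the browser hands it the PAN and gets back a single-use token, and the web server authorizes with that token only, so no PAN ever reaches the merchant's systems. Class, function and field names are assumptions; any PAN fed to it should be an industry test number, never real card data.

```python
# Added example (not from the deck). Hypothetical names; PANs used with it
# must be test numbers, never real card data.
import secrets


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test on a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:              # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class TokenService:
    """The gateway's token vault: the clear PAN never leaves this object."""

    def __init__(self, ttl_seconds: int = 900):
        self._vault = {}            # token -> [pan, expiry_s, used]
        self._ttl = ttl_seconds

    def issue_token(self, pan: str, now_s: int) -> str:
        """Called by the JavaScript the browser downloaded, with the clear PAN."""
        if not pan.isdigit() or not luhn_valid(pan):
            raise ValueError("invalid PAN")
        token = "tok_" + secrets.token_urlsafe(16)   # random, unrelated to the PAN
        self._vault[token] = [pan, now_s + self._ttl, False]
        return token

    def authorize(self, token: str, amount_cents: int, now_s: int) -> dict:
        """Called by the merchant web server with the token only."""
        entry = self._vault.get(token)
        if entry is None:
            return {"approved": False, "reason": "unknown token"}
        pan, expiry_s, used = entry
        if used:
            return {"approved": False, "reason": "token already used"}
        if now_s > expiry_s:
            return {"approved": False, "reason": "token expired"}
        entry[2] = True             # one-time use: burn the token
        return {"approved": True, "amount_cents": amount_cents, "last4": pan[-4:]}


def merchant_checkout(gateway: TokenService, token: str, amount_cents: int, now_s: int) -> dict:
    """What the out-of-scope web server stores: token, outcome, last4; never a PAN."""
    result = gateway.authorize(token, amount_cents, now_s)
    return {"token": token, "approved": result["approved"], "last4": result.get("last4")}
```

The vault dictionary stands in for the gateway's protected storage; in a real deployment it sits inside the gateway's own CDE, which is exactly what keeps the web server out of scope.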
Changes in PCI DSS 3.0
• Increasingly Restrictive
• Notable Changes in DSS 3.0
◦ Penetration Testing
◦ Component Inventory
◦ Vendor Relationships
◦ Anti-malware
◦ Physical Access
• PA-DSS for Software Applications
• Look for PCI Pre-Certified Solutions
PCI Audits
• Qualified Security Assessor (QSA)
• Methods of Compliance Reporting
◦ Self Assessment Questionnaire (SAQ)
◦ Report on Compliance (ROC)
• Guidance from your Merchant Bank
EMV CHIP CARDS (EUROPAY, MASTERCARD, VISA)
(Photo: Capital Bikeshare)
EMV Around the World
• First Chip Card: 1986, Carte Bancaire
Counterfeit Liability Shift
(Timeline: 2012 through 2017)
• October: Merchant PCI Relief for early POS conversion
• April: Acquirers and processors deadline to process EMV payments
• October: Liability shift for most merchants
• October: Liability shift for ATM owners, domestic cards
• October: Liability shift for automated fuel dispensers
EMV Cards
• Contact
• Contactless
• Dual Interface: Contact & Contactless
(Images: Contactless Logo; Microprocessor Chip)
How to Use EMV Cards
• Contact: Dip Card into Terminal, “Insert”
• Contactless: Hold Card near Terminal, “Tap”
(Image: Contactless Logo)
Chip & PIN vs. Chip & Signature
• CVM: Cardholder Verification Method
• Chip Cards can Support Multiple CVMs
• Merchants Should Accept All (where applicable)
CVM Preference (Simplified):
1. PIN
2. Signature
3. No CVM
Debit, Fallback, and Certification
• U.S. EMV Debit Still Rolling Out
• Fallback to Magstripe
• EMV Pre-Certified Software and Hardware
MOBILE AND OTHER FORMS OF PAYMENT
(Photo: Hubway)
Near Field Communication (NFC)
• Subset of RFID
• Terminal
◦ Initiator
◦ Requires Antenna
• Card or Phone
◦ Target
◦ Requires Antenna
• Proximity Enables Functionality
Mobile Wallet Acceptance
• NFC
◦ Apple Pay
◦ Google Wallet
◦ SoftCard
◦ Requires NFC Terminals
• QR Codes
◦ Popularized by Starbucks
◦ CurrentC (MCX)
◦ Requires Scanner at POS
• Changes to Kiosk Terminals
◦ NFC antenna for wallets
◦ Scanner for CurrentC
In-App Acceptance
• Card Not Present (CNP)
◦ Card on File
◦ Cloud Payment Service
• Automatic In-App Payments for Better Customer Experience
PayPal Acceptance
• Popular for Online Payments
• Expanding into Retail
• Consider Customer Demographics and Demand
Virtual Currency Acceptance
• Popular Virtual Currencies
◦ Bitcoin, Litecoin, Peercoin, Ripple
• Online Wallets
◦ CoinBase, Circle, Coin.mx
◦ Associate bank or card account
◦ Purchase and sell Bitcoins
• Retail Acceptance
◦ CoinBase, BitPay, Revel
INTERCHANGE, FEES & CHARGEBACKS
(Photo: Divvy)
Interchange
• Set by Card Brands
• From Merchant to Issuing Banks
◦ Offsets Fraud Management Costs
◦ Cardholder Benefits
• Transaction % + flat fee (e.g. 1.65% + $0.10), depending on:
◦ Merchant Category Code (MCC)
◦ Card Type (Card Brand, Prepaid, Rewards)
◦ How Accepted (Swiped, Handkey, E-Commerce)
• Debit & Durbin: 0.05% + $0.22
Qualified vs. Downgraded
• A transaction is “Qualified” when it meets the requirements (qualifications) for the published interchange rate. Examples:
◦ Card was Swiped
◦ Settlement Batch Closed Same Day as Auth
◦ Settlement Information Contains an Auth Code
◦ Auth Amount = Settlement Amount
• A transaction is “Downgraded” when the requirements are not met; it then receives a higher interchange rate.
• Downgrade Visibility: Acquirer Statements
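One way to spot downgrades before they appear on the acquirer statement, as an added example that is not from the deck: each settled transaction is checked against the four qualification requirements listed above and the batch is summarised with the reasons. The Transaction record fields and the sample batch are constructed for illustration; which entry modes qualify in practice depends on the published rate for the card and MCC.

```python
# Added example (not from the deck). Record fields and sample batch are
# constructed; the four checks are the qualification examples on the slide.
from dataclasses import dataclass


@dataclass
class Transaction:
    txn_id: str
    entry_mode: str         # "swiped", "handkey" or "ecommerce"
    auth_date: str          # YYYY-MM-DD
    settle_date: str        # date the settlement batch closed
    auth_code: str          # empty string when the settlement record lacks one
    auth_amount: float
    settle_amount: float


def downgrade_reasons(t: Transaction) -> list:
    """Unmet qualification requirements for one transaction (empty = qualified)."""
    reasons = []
    if t.entry_mode != "swiped":
        reasons.append("card not swiped")
    if t.settle_date != t.auth_date:
        reasons.append("settlement batch not closed same day as auth")
    if not t.auth_code:
        reasons.append("settlement record missing auth code")
    if abs(t.auth_amount - t.settle_amount) > 0.005:   # compare to the cent
        reasons.append("auth amount differs from settlement amount")
    return reasons


def batch_report(batch: list) -> dict:
    """Summarise a settlement batch: downgraded txn ids with reasons, and the rate."""
    downgraded = {}
    for t in batch:
        reasons = downgrade_reasons(t)
        if reasons:
            downgraded[t.txn_id] = reasons
    rate = len(downgraded) / len(batch) if batch else 0.0
    return {"total": len(batch), "downgraded": downgraded, "downgrade_rate": rate}


# Constructed sample batch (not real data): one clean ride, one settled a day
# late, one hand-keyed with no auth code and a changed amount.
SAMPLE_BATCH = [
    Transaction("T1", "swiped", "2015-02-18", "2015-02-18", "A1B2C3", 8.00, 8.00),
    Transaction("T2", "swiped", "2015-02-18", "2015-02-19", "D4E5F6", 8.00, 8.00),
    Transaction("T3", "handkey", "2015-02-18", "2015-02-18", "", 80.00, 75.00),
]
```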
Pricing Models
• Interchange Plus / Interchange Pass-Through
◦ Detailed Interchange & Fees
• Bundled / Tiered
◦ Buckets interchange & fees into a small number of categories: Qualified or QUAL; Mid-Qualified or MQUAL; Non-Qualified or NQUAL
• Track your Effective Rate
◦ Total Interchange & Fees / Card Sales Volume
Fees
• Assessments, Network Fees (To Card Brands)
◦ Volume
◦ MCC
◦ Transaction Type
• Processing, Markup (To Merchant Bank (Acquirer))
◦ Volume
◦ Transaction
◦ Chargebacks, Reporting, Verifications
Fees (continued)
• Gateway Fees (To Gateway Services Provider)
◦ Routing
◦ Connectivity
• Security Fees (To Security Provider)
◦ Encryption/Decryption
◦ Tokens
Interchange & Fees Example
(Diagram: $100 E-Commerce Bikeshare Transaction; representative values only)
• Cardholder pays $100
• Issuing Bank: $1.90 interchange (CNP, 1.80% + $0.10)
• Card Brand: $0.17
• Merchant Bank: $0.05
• Payment Gateway & Security: $0.03
• Bikeshare Operator receives $97.85
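The $100 example above carried through in code, as an added example that is not part of the deck: the fee schedule uses the slide's representative values (the attribution of each flat fee to a party follows the diagram as extracted), and the effective rate is Total Interchange & Fees / Card Sales Volume over a batch of sales, which also shows why small bikeshare tickets carry a higher effective rate than a $100 pass.

```python
# Added example (not from the deck). Representative values only, as on the slide.
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")

# Fee schedule for a CNP e-commerce sale, built from the slide's representative values.
CNP_SCHEDULE = {
    "interchange_pct": Decimal("0.0180"),   # 1.80% of the sale, to the Issuing Bank
    "interchange_flat": Decimal("0.10"),    # + $0.10 per sale, to the Issuing Bank
    "card_brand": Decimal("0.17"),          # assessments / network fees, to the Card Brand
    "merchant_bank": Decimal("0.05"),       # processing markup, to the Merchant Bank (Acquirer)
    "gateway_security": Decimal("0.03"),    # routing, connectivity, encryption / token fees
}


def fee_breakdown(amount, schedule=CNP_SCHEDULE) -> dict:
    """Split one sale into what each party receives, rounded to the cent."""
    amount = Decimal(str(amount))
    interchange = amount * schedule["interchange_pct"] + schedule["interchange_flat"]
    fees = {
        "issuing_bank_interchange": interchange.quantize(CENT, rounding=ROUND_HALF_UP),
        "card_brand": schedule["card_brand"],
        "merchant_bank": schedule["merchant_bank"],
        "gateway_security": schedule["gateway_security"],
    }
    fees["merchant_receives"] = amount - sum(fees.values())
    return fees


def effective_rate_pct(amounts, schedule=CNP_SCHEDULE) -> Decimal:
    """Total Interchange & Fees / Card Sales Volume, in percent to two places."""
    sales = [Decimal(str(a)) for a in amounts]
    volume = sum(sales, Decimal("0"))
    if volume == 0:
        return Decimal("0.00")
    total_fees = sum((s - fee_breakdown(s, schedule)["merchant_receives"] for s in sales),
                     Decimal("0"))
    return (total_fees / volume * 100).quantize(CENT, rounding=ROUND_HALF_UP)


if __name__ == "__main__":
    # The slide's $100 e-commerce bikeshare transaction: operator receives $97.85.
    print(fee_breakdown("100"))
    # One $100 pass versus four $8 rides: the flat components bite harder on small tickets.
    print(effective_rate_pct(["100"]), effective_rate_pct(["8", "8", "8", "8"]))
```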
Chargebacks
• A transaction is disputed by the cardholder or their bank
◦ True Fraud
◦ Unrecognized Charge
◦ Dissatisfied Buyer
◦ Delivery Issue
◦ Friendly Fraud
• Merchants must prove the transaction aligns with card brand rules, and pay chargeback fees
• Chargeback Monitoring Programs
• Chargeback Management Guidelines
Chargeback Steps & Key Terms
1. First Presentment: Transaction to the issuer
2. Retrieval / First Chargeback / Copy Request: Seeking proof for disputed transaction
3. Re-Presentment / Second Presentation: Transaction documentation to the issuer
4. Second Chargeback / Pre-Arbitration: Documentation didn’t satisfy customer dispute
5. Arbitration: Card brands decide financial liability
Cost Reduction Considerations
• Speak with your Acquirer
◦ MCC
◦ CP vs CNP
◦ DBA Fields – Name, Phone
• Get to Know Your Statements
◦ Monitor Downgrades
◦ Know your Effective Rate
◦ Interchange Plus vs. Bundled/Tiered
Cost Reduction Considerations: Card Present
• Minimize Handkeys, but when necessary…
◦ Security Code - CVV/CVC/CID
◦ Postal Code - Address Verification (AVS)
• PIN Debit, Least Cost Routing
• Level II & III for Corporate Cards
• EMV Acceptance (October 2015)
Cost Reduction Considerations: Card Not Present / E-Commerce
• Fraud Detection
◦ Geolocation, Device Fingerprint, Patterns
• Consumer Authentication
◦ 3-D Secure: Verified by Visa, MasterCard SecureCode, American Express SafeKey, Discover ProtectBuy
◦ Cardholder Enrollment
◦ EMVCo Has Taken Ownership of the Specifications
• Send More Data to the Issuing Bank
◦ Address Verification (AVS)
◦ Security Code - CVV/CVC/CID
◦ Level II & III for Corporate Cards
SUMMARY
(Photo: Nice Ride Minnesota)
Key Takeaways
• Payments is complex, with many solutions for acceptance that impact customer experience
• Bankcard processing involves the Acquiring Bank, Card Brand, and Issuing Bank
• PCI DSS is a requirement for all businesses accepting bankcards for payment
• Encryption and Tokenization are emerging security practices to prevent data theft
Key Takeaways (continued)
• EMV liability shift begins October 2015
• Accepting EMV and NFC may require upgrades to kiosk payment terminals
• Monitor your Downgrades
• Monitor your Effective Rate
• Thoughtful selection of vendors and payment partners helps contain costs
For More Information
North American Bikeshare Association
www.nabsa.net
Bill Dossett
612.436.2074
bdossett@niceridemn.org
Mantrana Partners
www.mantranapartners.com
Lora Vigil, Mark Ericksen
800.844.8240
partners@mantranapartners.com
Resources
• Payment Industry Glossary (provided by First Data)
◦ http://www.firstdata.com/downloads/thought-leadership/Payments-Glossary.pdf
• Payments Dictionary (provided by Vantiv)
◦ http://info.vantiv.com/rs/vantiv/images/payments-dictionary.pdf
• PCI Security Standards Council
◦ https://www.pcisecuritystandards.org/
• EMVCo
◦ http://www.emvco.com/
• Visa TIP Program
◦ http://usa.visa.com/merchants/protect-your-business/cisp/merchant-pci-dss-compliance.jsp
• Near Field Communication
◦ http://standards.iso.org/ittf/PubliclyAvailableStandards/c056692_ISO_IEC_18092_2013.zip
• Interchange Rates
◦ http://usa.visa.com/merchants/merchant-support/interchange-reimbursement-fees.jsp
◦ http://www.mastercard.us/merchants/support/interchange-rates.html
• Chargeback Guidelines
◦ http://usa.visa.com/download/merchants/chargeback-management-guidelines-for-visa-merchants.pdf
◦ http://www.mastercard.com/us/merchant/pdf/TB_CB_Manual.pdf
THANK YOU!
Questions?
(Photo: Citi Bike NYC Bike Share)