Payment Cards are Dead. Long Live Payment Cards.

Any payment technology analyst will tell you that the payments market has exploded over the last few years. An explosion sounds great, but it also suggests fragmentation, which is another way of saying that the customer has a confusing array of choices.

Not that confusion is anything new.

Everyone has, at some point, fumbled through a stack of payment cards stuffed into a wallet or purse in a vain attempt to extract the right one for the purchase in hand.

“Do you accept Diners Card?  No?  How about Access? Oh. Hang on, I’ve got an Amex card in here somewhere…”

So much for taking the waiting out of wanting.

The last few years have seen the emergence of a variety of eWallet services. These on-line services enable the customer to register bank or payment card details just once with the eWallet provider. Once done, the customer does not have to share card data with the merchant, as the eWallet provider handles all interactions with the account holder’s bank or card issuer.

But payment card brands are, just as the name suggests, brands. Vast amounts of money are expended to ensure that merchants and consumers alike are visibly reminded of the brand identity of the product embodied in that plastic card. eWallets obscure that brand, or indeed replace it altogether.

A curious but perhaps inevitable effect of this has been the appearance of “brands” such as PayPal in high street stores. No longer just an on-line entity, PayPal has a growing presence at the retail point of sale too, cleverly insinuating its own brand presence where previously only Visa, Mastercard, Amex et al had a footprint.

But just as on-line payments companies like PayPal are moving into the face-to-face environment, it would be wrong to assume that the traditional card brands are simply watching this happen. eWallet offerings from Visa (V.me), Mastercard (Masterpass) and Amex (Serve) are all competing too, and in exactly the space that companies like PayPal have defined for themselves.

However, the major card brands are not the only competition to the likes of PayPal. Let’s not forget Google Wallet, for example.  Or Square, or Isis. There’s a lot of competition out there, and the stakes are high with the US mobile payments market alone expected to be worth over $90 billion over the next few years.

The key driver behind the growth of these services has been Internet-connected smartphones. All of the major eWallet services include a smartphone app component that effectively sees the phone not just as an eWallet, but as the payment device too, bridging the gap between on-line and face-to-face payments. These apps are able to implement their own security features too, including voiceprint, fingerprint or PIN authentication.

Android phones have been available for some time equipped with NFC hardware, enabling the phone to act just like a physical payment card, and there are rumours that Apple’s next iPhone could also be NFC-equipped with Apple releasing a so-called “killer” eWallet app.

So it seems that anyone who’s anyone now has a stake in the future of mobile payments. The convergence and adoption of key technologies continues, and although no clear winners have emerged as yet, the future of payments will surely be mobile.

Smartphone platforms provide an unprecedented opportunity for retailers and payment providers to profile customers, to push individually customised offers and to analyse sales patterns based upon location, historical data and any of the wealth of information our smartphones reveal about us. This data will be hugely valuable. The analytic possibilities presented by mobile payments data will make current loyalty card schemes look positively quaint by comparison.

The winners will combine simplicity and sophistication to create a ubiquitous payment process, and will reap rich rewards in the process.  For now, it’s the simplicity that’s proving elusive from the customer’s perspective. Until that changes, we think most people will prefer to reach for the plastic.

Barclaycard Risk Reduction Programme Position Statement

Barclaycard has issued the following positioning statement regarding the Barclaycard Risk Reduction Programme and its relationship with the PCI DSS and participating card schemes (Visa, Mastercard, Amex).

If you’re a Barclaycard merchant participating in the BRRP, this positioning statement may be of interest to you. If you’d like to find out more about the BRRP, you should contact Barclaycard directly. Further information is available from www.barclaycard.co.uk/pcidss

Here’s the statement in full.

The Barclaycard Risk Reduction Programme (BRRP) is a prioritised risk-based methodology designed to assist merchants in attaining or maintaining PCI DSS compliance within the context of their wider risk mitigation and governance requirements. All Card Scheme requirements and reporting needs with regard to PCI DSS compliance remain a stipulated requirement of all merchants participating in the programme.

The BRRP enforces the full intent of each PCI DSS requirement as there is a desired goal to have consistent implementation of PCI standards across the globe. The BRRP is aimed at merchants as a means of reducing risk in the quickest manner when on their journey towards full compliance. This approach can be used to aid the completion of the PCI SSC Prioritized Approach, as required by the Card Schemes and relevant mandates and continues to require quarterly progress according to existing card scheme requirements.

The BRRP does not remove the obligation of merchants to ensure that particular PCI DSS requirements will be eventually “in place”. In addition, the BRRP methodology is in line with the recent PCI SSC guidelines on Risk Assessment https://www.pcisecuritystandards.org/documents/PCI_DSS_Risk_Assmt_Guidelines_v1.pdf.

Therefore merchants on the BRRP that are multi-acquired/multi-scheme will continue to report according to existing requirements (milestone approach, as delivered by the GRC tool), and in addition, for Barclaycard only, will also report quarterly on risk reduction activities.

As ever, please contact us if you have any questions regarding the above.

Which Visa Europe Agent Are You?

Or, where do I register with Visa Europe once I’ve received my completed ROC?

So you’re a service provider, you’ve been assessed by a QSA, and now you want some recognition in the form of a public listing on Visa Europe’s list of compliant service providers, or on the new Visa merchant agent listing web site.

But which route is appropriate?

The first thing to know is that Visa Europe classifies service providers as “agents”. An agent is further classified as follows:

  1. A member agent, providing services directly to a Visa Europe Member (who would be an acquiring bank or other payment processor, for example). Such services might include statement printing, card personalisation, or payment acquiring.
  2. A merchant agent, providing services directly to merchants. These services might include payment page hosting, web hosting or call centre services.

Most service providers will fit broadly into one of the above categories. However, if you’re offering both member and merchant services, then you’re both a member agent and a merchant agent. All of your services will have been assessed, and you can therefore register as both a member and a merchant agent.

A reminder too, that this discussion relates to Visa Europe only. The same may apply to other Visa organisations, but I can’t confirm that. Secondly, other card brands such as Mastercard have different terminology and registration processes.

Now you know what kind of agent you are, how do you register?

  1. Member agents. To register, speak with your client and get in touch with the person responsible for card brand liaison. Your client should be able to sponsor you as a member agent by submitting a form to Visa Europe. Once sponsorship is in place, ask your QSA to submit your ROC, AOC and Attestation of Scope (the QSA will have this) to Visa Europe. Once the documents are accepted, you’ll be included within the PDF on the Visa Europe web site.
  2. Merchant agents. Register your details at the merchant agents registration web site. You’ll need your ROC, your signed AOC and a signed Attestation of Scope document from your QSA. Complete the on-line registration details, accept the T&Cs, and upload your documents. All being well, your details will appear on the merchant agent listing web site shortly thereafter. Note that Visa Europe may charge you for listing.

I hope that’s clarified things for you as a service provider. In the past, with only one way for service providers to be listed (on the Visa Europe PDF document), there was confusion when attempting to find a Visa Member to sponsor merchant agent service providers. In these cases, no member/agent relationship was in place, making it difficult if not impossible for many organisations to make themselves known to Visa Europe.

Cut-off dates for Visa Europe web listing

This update concerns Level 1 Service Providers (member agents).

We just had an update from Visa Europe regarding the final cut-off dates for the December web listing. Normally, this is the 15th of the month (for listing during the same month).

However, to accommodate the Christmas holidays, the cut-off for December will be Friday 7th December. So, you’ll need to ensure that your QSA has submitted your documentation on or before the 7th December.

Terminology & Mastercard Service Provider Registration

If you’re a service provider, you’ll want to read this information from Mastercard about registering with them as a PCI compliant service provider. But before you read it, it’s worth having a brief tour around some relevant terminology.

If you’re a Merchant, you may find this interesting anyway, especially if the PCI compliance and registration of your service providers is something you need to know more about.

Note that this is information from Mastercard, which is a single global brand, as distinct from Visa, which has numerous regional organisations. Visa has its own registration process, which I’ve talked about previously.

Terminology between card brands differs too. For example, when we say “Service Provider”, Visa Europe says “Agent” and Mastercard says “Member Service Provider”. Furthermore, Mastercard MSPs fall into two categories: Third Party Processors (TPPs) and Data Storage Entities (DSEs).

Just to round things off, you should also know that both Mastercard and Visa have different names for their card data security programmes. Visa Inc. has the “Cardholder Information Security Program” (CIS), Visa Europe has the “Account Information Security Program” (AIS). Mastercard has the “Site Data Protection” program (SDP).

Fortunately, all of these programmes are aligned with the PCI DSS.

One last point before you read the message below: a “member bank” refers to a bank that is a member of a card scheme such as Visa or Mastercard. The bank will often be a card acquirer (“acquiring bank”) or card issuer (“issuing bank”), or both. Other organisations can be scheme members too, but that’s a subject for another day.

I think that’s enough terminology for now.

To summarise, if you’re a service provider, you’ve been assessed by a QSA, and you now want to be listed on the Mastercard list of compliant service providers, here’s what you need to know. This is quoted directly from our conversations with the Mastercard compliance team.

“MasterCard requires that the newly identified entity first register as an MSP (Member Service Provider) with the MSP registration team here at MasterCard (member_service_provider@mastercard.com). Note that only one or more of our member banks can enter them into our system. If they have a direct relationship with one or more of our member banks, they should contact each one for separate registration. If they do not have a direct relationship with one or more of our members, they would need to get sponsorship from their customer’s bank to get set up (this may be either a merchant or another processor, such as a Third Party Processor – many of which have direct relationships with our banks).

Note that the Attestation of Compliance (or Certificate of Validation) is submitted only once annually to satisfy the PCI Compliance side of the process. The team which runs MSP registration is separate from the Site Data Protection Program / PCI Compliance group. They can be contacted at the address noted above. Service Providers fall into one of two categories with MasterCard (TPPs and DSEs). More information can be found here:

Please note: As of October 1, 2010, MasterCard will only list those Service Providers that are also registered and approved as a MSP (Member Service Provider) with the MasterCard Registration Program (MRP) and who have also successfully completed an annual onsite assessment and submitted the AOC.”

Note that Ambersail cannot register you with a member bank – you’re most likely to achieve this by speaking with one of your service customers, and asking them to contact their acquiring bank concerning service provider/agent registration purposes.