VeriFone EMV Software
EMV software for the VeriFone Ruby CI and Commander was released in February 2017. For those of you who have already upgraded your Point-of-Sale (POS) but have yet to update your software for EMV, please contact your POS vendor as soon as possible. For those of you who are still operating the Ruby as your POS, a hardware upgrade is required. We strongly suggest that you contact your vendor to schedule your upgrade. Remember, before you can move forward with EMV at the forecourt, upgrades must first be completed at the POS.
EMV Liability Shift
October 1, 2017, marked two years since the October 1, 2015, EMV liability shift took place at the POS. Hardware and software upgrades should have already been made to your POS, allowing you to accept EMV cards and providing you with protection from counterfeit transaction liability.
Dealers did get a slight reprieve when the liability shift for outdoor EMV was pushed back from October 1, 2017, to October 1, 2020. Despite the extension, some reasons you may want to consider upgrading sooner rather than later are technician and equipment availability, equipment price trends, consumer payment security awareness, tax code changes, bonus depreciation, increased interest rates, and the availability of new features.
It is also important to note that the first EMV pumps are already processing EMV transactions. Gilbarco announced their first “live EMV site” in June of this year. Both Gilbarco and Wayne are on target to widely release EMV software at the beginning of 2018. It is probable that more than 50% of pumps will be accepting EMV in the next two years.
Gilbarco Passport PX52 Hardware
The Gilbarco Passport PX52 (PX51) hardware set was released in 2005 and has served thousands of Gilbarco customers with fourteen major Passport releases and millions of hours of store operation. The PX60 Passport All-In-One hardware was introduced as the next evolution in April 2014 and sold across all petroleum/convenience networks and markets over the past three years.
Support for the PX52 (PX51) hardware set will be discontinued starting with Version 11.02 (Release 4) and all subsequent releases. This release is currently scheduled for production release starting March 2018.
MasterCard 2-Series BIN
MasterCard introduced a new 2-series to their Bank Identification Number (BINs). In June 2017, MasterCard announced that all businesses that accept credit or debit cards must be equipped to accept a 2-series BIN. A BIN is the initial six numbers that appear on a credit card and can be used to identify the card issuing institution. Adding the new BIN will not only affect cardholders but everyone using integrated POS systems and/or stand-alone payment terminals. Merchants must be able to accept and support the new 2-series BIN range in card-present and card-not-present payment acceptance channels. If your terminal is not set-up to accept the new 2-series BIN, you will not be able to process the transaction resulting in a loss of sale. MasterCard expects all merchants to accept the 2-series BIN, as they will be issuing the cards beginning in 2018. MasterCard began conducting field testing on June 30, 2017 to validate 2-series BIN acceptance and enforce compliance.
In August 2017, Ewing Oil and Liberty Petroleum launched the new Liberty PAY App using P97 Networks’ PetroZone mobile commerce platform, allowing Liberty distributors to access the platform at more than 400 locations in 23 states. Liberty PAY is available for download for both Apple and Android devices. Through the Liberty PAY App consumers are able to locate and navigate to Liberty gas stations and initiate fuel purchases from their smartphone. The loyalty portal allows you to create and push personalized digital offers to your customers.
Check out the Liberty PAY video on YouTube https://www.youtube.com/watch?v=K116AQnBwTo&feature=youtu.be.
Wright Express (WEX) Automated Fuel Dispenser (AFD) Fraud Monitoring Program
For sites accepting WEX, WEX is actively working with its merchants to mitigate AFD counterfeit fraud, along with planning for the upcoming release of the WEX Chip (EMV) technology. To further assist in this effort, WEX is introducing the AFD Fraud Monitoring Program. This program is meant to identify and address only the most serious levels of AFD counterfeit fraud.
The AFD Fraud Monitoring Program goes into effect on January 1, 2018, with details as follows:
Significant: Sites with AFD counterfeit fraud of at least 1% of WEX sales in a given month.
- WEX will notify legal entity associated with site in Month 1.
- Site will be given Months 2-4 to reduce Automated Fuel Dispenser counterfeit fraud below 1%.
- If Automated Fuel Dispenser counterfeit fraud is not reduced below 1% in Months 2-4, WEX will chargeback:
- In 2018, 25% of total AFD counterfeit fraud for month in question (example: Month 4).
- In 2019, 50% of total AFD counterfeit fraud for month in question (example: Month 4).
- In 2020, 100% of total AFD counterfeit fraud for month in question (example: Month 4).
Excessive: Sites with AFD counterfeit fraud at or above 2% of WEX sales AND $10,000 in a given month.
WEX will notify legal entity associated with site and charge back 100% of counterfeit fraud for as long as the “Excessive” threshold applies.
Both Gilbarco and Wayne are on target to widely release EMV software at the dispenser at the beginning of 2018.
The Payment Card Industry Security Standards Council (PCI SSC) published a new version of the industry standard in April 2016. Version 3.2 noted several requirements as Best Practices (you may view the document here http://www.ewingoil.com/sites/ewingoil.com/files/PCI_DSS_v3-2.pdf). Effective February 1, 2018, these Best Practices will become Requirements.
Version 3.2 includes five new sub-requirements within the 12 core requirements for PCI DSS for service providers affecting requirements 3, 10, 11 and 12. New sub-requirements have also been added to requirement 8 to ensure multi-factor authentication is used for all non-console administrative access and all remote access in the cardholder environment. Additionally, there are two new appendices. (A summary of the changes may be found here http://www.ewingoil.com/sites/ewingoil.com/files/PCI_DSS_v3-2_Summary_of_Changes.pdf.)
The documentation supported in PCI DSS 3.2 include updated Self-Assessment Questionnaires, Attestation or Compliance forms, Report on Compliance templates, Frequently asked Questions and Glossary. All of these forms may be found on the PCI SSC website in the documents library (www.pcisecuritystandards.org).
As it relates to the latest PCI scanning standard, PCI scans that have passed previously may begin to fail due to changes in the scan assessment requirements. Scans may fail if a scanner cannot reach the scan targets identified in your scan setup. In order to prevent this from occurring, here are some suggestions to ensure that the scan targets can be reached during the scan:
Check that an IP Address or Domain Name is correct in the scan setup and has not changed since you originally setup your scan.
Check your firewall configuration and ensure the scanner’s IPs are whitelisted.
The next PCI DSS deadline for disabling SSL/early TLS protocols to safeguard payment data will take place on July 1, 2018.
Beginning in April 2018 MasterCard, Discover, and American will no longer require a signature at the time of the transaction. Visa is expected to follow suit.
Visa Claims Resolution
Effective April 2018, Visa will make changes to the chargeback program Visa Claims Resolution (VCR). Changes will include consolidation of reason codes into four categories (fraud, authorization, processing errors, and consumer disputes), elimination of pre-notifications for chargeback debits, and the Acquirer response timeframe for disputes received will be reduced from 45 days to 30 days in April 2018 and 30 days to 20 days in October 2018. Merchants are now required to respond to all disputes received within 15 calendar days.