UCP-Inc

Unattended Card Payments Inc. (UCP Inc.) is dedicated to providing EMV compliant Hardware and Payment Gateway solutions for Unattended card payment terminals in the North American market.

  • Home
    Home This is where you can find all the blog posts throughout the site.
  • Categories
    Categories Displays a list of categories from this blog.
  • Tags
    Tags Displays a list of tags that have been used in the blog.
  • Bloggers
    Bloggers Search for your favorite blogger from this site.
  • Team Blogs
    Team Blogs Find your favorite team blogs here.
  • Login
    Login Login form

Uncategorised

20
May
0

Fully-integrated or Semi-integrated? What is the difference?

Posted by on in Uncategorised

b2ap3_thumbnail_UCP-logo.png

I found myself writing this rather lengthy answer to a question posed by a potential client and thought I should share it.

Because this was originally written as an email, please accept it as more of a discussion, and less of a formal piece of writing. Nevertheless, I hope you find it informative. 

Fully integrated - In this scenario the entire payment system is within the merchants owned and maintained infrastructure. The POS machines, the terminals, the servers, the firewalls, everything. In this scenario the entire system is also within PCI scope. Any change in a part of the system affects the other parts. They are all connected and communicating with each other as a whole point of sale and payment processing environment. Encrypted card holder data and transactional data is being stored on the system, and being sent for processing through their internet connection. Historically to build a fully integrated EMV payment system from scratch you are looking at 12 to 18 months of a qualified person’s time, and likely a few hundred thousand dollars in software development and hardware. If you are a tier one retailer, and you are processing millions of transactions a minute, escaping middleware/gateway fees which are usually assessed on a cents per transaction basis one can see the benefit of building and maintaining a fully integrated system in the long run. So once you have invested all this time and money in building this system, you need to get it certified with a processor. Which will also cost well into the tens of thousands when its all said and done. Furthermore, you are now married to the system you have built, and any changes, even down to the manufacturer and model of the terminal will cause a ripple effect, and the system will have to be re-evaluated and re-certified. Independent of changes to the initial architecture you built the system on, it is a full time job to maintain the system and keep it up to date with never ending PCI mandates. An example of that would be the POODLE vulnerability that was recently discovered with SSL connections. Consequently SSL connections were replaced with TLS connections to eliminate that vulnerability. You can see how maintaining a fully integrated system would be a full time job.
 
Semi-integrated - In this scenario you have partitioned the POS or kiosk application in a way. By using a gateway/middleware allowing the terminal to talk directly to the gateway switch through either an isolated software agent on the host PC, or through a dedicated secure connection, the only real surface area that is in PCI scope is the SDK you have integrated with your application. We are talking about something like .001% PCI security exposure, compared to 100% of a fully integrated solution being in PCI scope. Furthermore, the SDK and its associated gateway switch comply with PCI-DSS standards. So in a semi-integrated scenario you can do a self assessment questionnaire for your attestation of PCI compliance and be done with it in most cases. No encrypted card holder data ever passes through the POS application or is stored anywhere on the system locally. Your application never “sees” any card holder data. Most gateway software also supports tokenization. Tokenization has many uses, but the simplest to understand is recurring billing. The terminal can send the encrypted card data to the gateway which then generates and returns a unique token to the POS/kiosk application. That token can then be used again and again to bill that card. The beauty of tokenization is that a token is worthless to anyone except the gateway that generated it. So even if someone was able to hack into the POS/kiosk application and steal the token, you couldn’t turn it into a fake credit card. It is a totally useless string of numbers that can only be matched up to the card data associated with it at the payment gateway data centers. Data centers which are the gateway partner's responsibility to protect from hackers or physical security threats. Also maintaining and updating the system is their responsibility, so for example when the POODLE vulnerability was identified, Creditcall discontinued support for SSL connections and went to what is now the industry standard (TLS) in a matter of a week or so to let current customers also update to the new more secure connection type on their side. It is their job to maintain and re-certify the system, and run security checks regularly to ensure their customers that card data is protected. A partner like Creditcall also puts a disaster recovery system in place. They have four data centers (two in the US, and two in Europe) that are all set up for system redundancy, ensuring that if a fire breaks out at one data center the other three are there to pick up the slack. This allows them to ensure their customers 99.996% system uptime, and that they can continue processing thousands of transactions a second all around the world. 

 

Unattended Card Payments Inc.

Las Vegas, NV

This email address is being protected from spambots. You need JavaScript enabled to view it.

www.ucp-inc.com

"EMV kiosk hardware"

 

Continue reading
Last modified on
Hits: 7408
0
18
May
0

Why You Need To Talk To SMB Merchants About EMV

Posted by on in Uncategorised

With just four months left until the October 1 liability shift, it’s imperative to help your clients make informed decisions about EMV technology now.

To give VARs some perspective on SMBs’ progress in the transition to EMV-enabled payment technology before the Oct. 1, 2015, liability shift date, BSMinfo.com reported the results of the survey, SMB Preparedness for the Transition to Chip-Based Credit Cards, by Software Advice, a research and reviews website for IT security software. The survey revealed that as of late last year, only 11 percent of SMB merchants had terminals capable of accepting EMV payments made with integrated circuit or “chip” cards to authenticate transactions. The report also included the reasons SMBs hadn’t yet installed EMV terminals: 30 percent said they are unnecessary, 17 percent said they are too expensive, 16 percent said they had no time to research or implement them — and 26 percent said they didn’t know what they are.

At the time the survey was released, there were about 10 months until the October 1 liability shift — when liability for fraudulent payment card transactions shifts to the party with the least EMV-compliant technology. Now, with only a little more than 100 days until that date, your SMB merchant clients might still be in the dark about this impending change.

Business Solutions asked VARs if they’ve seen progress among their SMB clients since the survey — or if 26 percent are still unaware of EMV.

“It’s worse. It’s more like 80 percent here,” says Bob Medina, the owner of Aztec Eagle Systems, a Lawton, OK, VAR. To help change that, Medina provides his SMB clients and prospects with informational handouts and lists of online resources related to EMV. He explains, “If they don’t make the transition, they leave themselves open to fraud with noncompliant devices. Merchants do not understand that the onus is on them if they continue to use noncompliant devices.”

Paul Leduc, president of Globe POS Systems, based in Brampton, Ontario, says he executed a similar strategy prior to the liability shift in Canada in 2011. Of all of the information available to merchants, he boiled it down to two basic points: the liability shift and the security aspects of EMV. “I had a two-page synopsis. I carried it with me, and I left it behind. It’s really all the merchant cared about: the liability shift and security.”

When your conversations with SMBs progress from the liability shift and security to purchasing EMV technology, it’s beneficial to continue to educate your clients. Rob Chilcoat, president of North American operations for Unattended Card Payments, a hardware and payment gateway solutions provider, says, “I find the best way to present value is to explain that these sophisticated pieces of hardware have processors and intelligence of their own, unlike the simple mag stripe readers most automated retailers are used to — which typically just do simple keyboard emulation of the data on the magnetic stripe. EMV terminals, using an application hosted locally on the devices along with encryption keys, secure data at the point of interaction, and send it to the gateway/processor through a secure connection, which is why we call them terminals and not just ‘readers.’”

With merchants aiming to provide the best customer experience to stay competitive, you can also explain to SMBs Subscribe to Business Solutions magazinehow EMV technology can contribute to a positive experience by protecting consumers’ payment cards — and their accounts. Chip cards create a unique transaction code — so if data were stolen, a payment attempted with that one-time code would be denied, and the cards can’t be duplicated.

In addition, says Chilcoat, “With a chip card, the issuing bank can send updates to the card through any EMV-capable terminal. So if a potential breach of that card’s account number had occurred elsewhere, the next time the card is put into a terminal, it can have security updates sent to the chip. The card becomes an active part of monitoring the account for suspicious activity.” For example, if a chip card is used repeatedly in a short period of time at a kiosk that doesn’t require online authorization, the chip can tell the terminal not to accept the next transaction without online approval.

For merchants, having EMV-enabled systems protects them from chargebacks for fraudulent card transactions. Your conversation with an SMB merchant could evolve into a math exercise of how many fraudulent transactions they experience now and how that compares to the cost of upgrading their payment systems. That calculation, however, might not be a good predictor of ROI for some merchants who could see an uptick in fraud after October 1 if they don’t install EMV-compliant solutions.

Patty Walters, SVP of EMV corporate strategy for Vantiv and vice chair of the 2015-16 EMV Migration Forum Steering Committee, urges, “If you serve retail, supermarket, fuel, or drugstore merchants, understand that EMV integration is absolutely critical to protect them.” She explains those merchants — selling gift cards, electronics, or jewelry — will be targets of fraud if they do not have EMV-enabled systems after the transition.

Chris Martyniuk, CTO of etixnow, a provider of e-ticketing solutions, based in Edmonton, Alberta, Canada, adds that beyond saving the cost of chargebacks, you should discuss the other ways EMV can protect your merchant clients. “You cannot put a price on the ability to escape being blamed for fraudulent purchases. The returns are immediate. Reputations are fragile — no merchant can afford to be in that position,” he says.

“When the landscape is split between merchants who accept EMV and those who don’t, customers will gravitate toward those that are perceived to be more secure,” Martyniuk comments. He says, for example, now that Canadian consumers are accustomed to EMV transactions at restaurants with wireless tableside terminals, they “are loath to let their Visas out of their hands in American restaurants, when the server takes the card to swipe.”

“Losing sight of your card feels instantly like, ‘It will be stolen. I will be defrauded.’ The same trend will take hold in the U.S., and merchants without EMV upgrades will be left on the side of mistrust,” Martyniuk says.

Walters stresses that however you want to carry out the EMV conversation with your SMB clients and prospects, definitely and with urgency, start it. “There is absolutely a real need for merchants to protect themselves, and time is of the essence.”

She adds you might not only be helping your clients protect their businesses, but you could be protecting your own: “If a merchant’s legacy solutions provider doesn’t provide EMV solutions, they could reach out to someone else — and that could be a risk to your business.”

 

LINK TO ORIGINAL CONTENT: http://www.bsminfo.com/doc/why-you-need-to-talk-to-smb-merchants-about-emv-today-0001?atc~c=771%20s%3D773%20r%3D001%20l%3Da

Continue reading
Last modified on
Hits: 2533
0
07
May
0

Point to point encryption explained in short video. P2PE and identifying points of vulnerability.

Posted by on in Uncategorised

Watch this short video to understand how point to point encryption (P2PE) safeguards your customer's card data. 

Continue reading
Last modified on
Hits: 1704
0
20
Apr
0

UCP and Creditcall at the NAMA OneShow

Posted by on in Uncategorised

UCP and Creditcall will be in booth #1945 at the NAMA OneShow. The show will be held at the Las Vegas Convention Center April 22nd through April 24th. Stop by to learn more about the payment solutions we can offer your self-service company.  Be ready for the future and the coming EMV liability shift. You can email us at This email address is being protected from spambots. You need JavaScript enabled to view it. or call us at 702-802-3504. We look forward to seeing you there! 

b2ap3_thumbnail_nama_logo.jpg

Continue reading
Last modified on
Hits: 1663
0
23
Mar
0

UCP to attend PIE 2015

Posted by on in Uncategorised
b2ap3_thumbnail_PIE-logo.png
UCP Inc. will be attending the Parking Industry Exhibition (PIE) 2015 in Chicago. Contact us if you will be at the show or in the Chicago area March 29th - 30th and would like to learn more about EMV hardware. We would welcome the opportunity to discuss what the coming EMV liability shift means for your company. Email us at This email address is being protected from spambots. You need JavaScript enabled to view it. or call (702) 802-3504 www.ucp-inc.com
“Chip and PIN kiosk hardware”
Continue reading
Last modified on
Hits: 1667
0

Our Partners


Hemisphere West Europe Ltd are specialists in attended and unattended payment solutions for the UK and European markets.

Visit website www.hweurope.com

Contact Us

6655 South Tenaya Way Suite #180
    Las Vegas, Nevada 89113

Tel: 702 – 802 – 3504

E-mail: Send Inquiry