Page 43 - GS180402
Views
to be tied to the original transaction that the consumer authorized. Payment Account Reference (PAR) allows the linkage of the cardholder's token with the corresponding PAN without needing the underlying card number.

When a token is created, a PAR value is also created and must be supplied with all future authorization requests. Last year, EMVCo added a new field for PAR, which must be used by acquirers, issuers and merchants. This means potential changes to terminals, gateways, processing systems, and potentially enterprise resource planning and other integrated solutions.

It is projected that a chargeback could be initiated on a transaction without a PAR value because proof of customer authorization is lacking. Merchants whose payment processors cannot support PAR are at risk of chargeback fees, loss of sale proceeds and ending up in an excessive chargeback category – pretty scary.

Qualified Integrator and Reseller

The Qualified Integrator and Reseller (QIR) certification is a Visa mandate for small businesses to use only vetted companies or individuals to support PCI DSS compliance. It calls for secure installation and maintenance of validated payment applications that process, store or transmit sensitive cardholder data. The professionals who install, support and maintain payment applications should be certified so as to not introduce vulnerability in the cardholder data environment. This mandate went into effect on Jan. 31, 2017, and as of then, all Level 4 merchants must use solutions providers with this certification.

The issue here involves remote access solutions (RAS), such as Microsoft Remote Access Desktop, which are typically used to provide remote support for small merchants. If an RAS is not securely installed, it creates an access road for a cybercriminal or fraudster, who can then log in, install malware, record keystrokes, capture audio and video from the device, and steal payment card track data.

Some independent software vendors and POS resellers are still not prepared to meet the QIR requirement. The key here is that the installer must use a validated application, compliant with the Payment Application DSS. A directory of qualified providers is available on the PCI Security Standards Council's website, www.pcisecuritystandards.org.

ACH changes

In addition, changes are coming in the world of automated clearing house (ACH) payments. ISOs typically focus on card-related payments, and merchants typically look to their banks for ACH processing. I have an Accredited ACH Professional certificate, and I have a pretty hard time interpreting NACHA ‒ The Electronic Payments Association's rules. Recently, I was trying to figure out whether a transaction over the Internet should have an Internet-Initiated/Mobile Entry (WEB) or Corporate Credit or Debit (CCD) standard entry class code. I had to call WesPay, our local experts, for a ruling, because neither I nor our attorney could figure it out.

I suggest that, for the time being, ISOs, merchant level salespeople and other merchant service providers focus on the changes in the card processing world and let your merchants leave the ACH processing to their banks or to qualified third-party processors that specialize in the ACH system. As you can see, it is almost a full-time job just keeping up with all the changes mandated by the card brands.

Brandes Elitch, Director of Partner Acquisition for CrossCheck Inc., has been a cash management practitioner for several Fortune 500 companies, sold cash management services for major banks and served as a consultant to bankcard acquirers. A Certified Cash Manager and Accredited ACH Professional, Brandes has a Master's in Business Administration from New York University and a Juris Doctor from Santa Clara University. He can be reached at brandese@cross-check.com.