POS developers and dealers both have their work cut out for them in 2017. As if integrating mobile POS systems with existing merchant operations, ensuring EMV support and deploying pay-at-the-table solutions weren’t enough to handle, the industry’s throwing another wrench into your day-to-day operations.
This proverbial wrench comes in the form of three major changes, affecting MasterCard’s bank identification numbers (BINs), QIR certification and data encryption.
1. MasterCard expands to 2-series BINs
After exhausting most of the 5-series combinations MasterCard could muster, the card network is starting to roll out additional 2-series BINs. While MasterCard has already made changes to their internal systems to accommodate the new numbers, merchants have until June 2017 to get their systems ready.
How it affects developers: All of the POS terminals, e-commerce checkout applications and other systems that accept MasterCard cards must be ready for the 2-series BINs by the aforementioned date. Specifically, you must ensure the devices across your merchants’ operations have the ability to accept 2-series BINs. If you’re a little late to the game, consider using an integrated payments partner to handle these ongoing updates on your behalf. It may be helpful to set up a reporting and reconciliation process to guarantee all of the systems under your purview are compatible with the new numbers.
How it affects POS resellers: MasterCard advised dealers to work with their payments partners to upgrade their systems. Review any code modules that your PC-based and mobile-based POS applications may depend on. Speak with developers to verify if they’ve been applying external code, and confirm that those changes include updates to accommodate 2-series BINs.
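The code review described above often comes down to one hard-coded card-brand rule. The following Python sketch is an added example, not code from the article or from MasterCard: it compares a 5-series-only rule with one that also accepts 2-series BINs and lists the cards the old rule would turn away. The BIN range values (510000–559999 and 222100–272099) are the published Mastercard ranges and are not given in the article; all function names are hypothetical and the test PANs are constructed.

```python
import re

# Assumption: published Mastercard BIN ranges (the article gives no numbers).
MASTERCARD_BIN_RANGES = ((510000, 559999), (222100, 272099))
# Pre-2017 style rule: "Mastercard" means a 16-digit PAN starting 51-55.
LEGACY_RULE = re.compile(r"5[1-5][0-9]{14}")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum over an all-digit string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def with_check_digit(body15: str) -> str:
    """Build a constructed 16-digit test PAN from a 15-digit body."""
    return next(body15 + c for c in "0123456789" if luhn_ok(body15 + c))


def is_mastercard_legacy(pan: str) -> bool:
    return bool(LEGACY_RULE.fullmatch(pan)) and luhn_ok(pan)


def is_mastercard(pan: str) -> bool:
    if not re.fullmatch(r"[0-9]{16}", pan) or not luhn_ok(pan):
        return False
    bin6 = int(pan[:6])
    return any(lo <= bin6 <= hi for lo, hi in MASTERCARD_BIN_RANGES)


def mask(pan: str) -> str:
    """First six / last four only, so the report never holds a full PAN."""
    return pan[:6] + "*" * 6 + pan[-4:]


def legacy_gaps(pans):
    """PANs the updated rule accepts but the legacy rule would decline."""
    return [mask(p) for p in pans
            if is_mastercard(p) and not is_mastercard_legacy(p)]


# Constructed test PANs: range edges, one value outside each edge, one 5-series.
SAMPLES = [with_check_digit(b) for b in (
    "222100000000000", "272099000000000",
    "222099000000000", "272100000000000", "555555555555444")]

if __name__ == "__main__":
    print(legacy_gaps(SAMPLES))
```

Running the same sample set through each terminal or checkout module's own brand check, and comparing against `legacy_gaps`, gives the kind of compatibility report the developer guidance above calls for.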
2. Acquirers must ensure Level 4 merchants use PCI QIR professionals
In October 2015, Visa Payment System Risk rolled out a new security program that requires U.S. and Canadian acquirers to ensure, as of January 31 of this year, that merchants use only PCI-certified Qualified Integrator and Reseller (QIR) professionals to install and integrate POS applications into their operations. As of this writing, acquirers must also confirm that Level 4 merchants are validating their PCI DSS compliance efforts on a yearly basis or participating in the council’s Technology Innovation Program (TIP).
How it affects developers: First, when working with dealers, ask them to provide their QIR credentials. Second, ensure your company qualifies for Visa TIP by procuring EMV technology (if you haven’t already). Also, confirm that no payment card authentication data is stored after transaction authorization occurs.
How it affects POS resellers: Chances are you’ve probably obtained a QIR certification. If you haven’t, check out the PCI SSC’s qualification requirements to learn how to become a QIR. That document provides a detailed review of how to execute quality assurance processes, submit a QIR application and the manner in which your organization should protect confidential and sensitive information. Because the card brands are messaging to merchants that they should only use an installer with a QIR certification, it’s in the best interest of the reseller to take advantage and get certified.
3. Companies must transition to SHA-2 and TLS 1.2
If your company’s using TLS 1.0 or SSL 3.0, you’re currently utilizing an insecure encryption protocol, according to the PCI SSC. The council announced that all companies handling payment card transactions must disable all SSL protocols and switch to TLS 1.2 by June 30, 2018.
What’s wrong with SSL 3.0? Researchers have identified several vulnerabilities with the protocol since its release. For example, in late 2014, security specialists discovered a flaw that could enable attackers to extract information from an encrypted connection. In addition, SSL 3.0 is susceptible to the POODLE vulnerability, which allows hackers to execute man-in-the-middle attacks that decrypt encrypted messages.
How it affects developers: Review all the POS technology across the organization and ensure it’s using TLS 1.2 encryption. New POS devices should enable this protocol. Be cognizant that e-commerce websites have the highest susceptibility to early TLS and current SSL vulnerabilities.
How it affects POS resellers: Seek payments solutions that provide TLS 1.2 encryption. Manufacturers should already be working on integrating those capabilities into their hardware (if they haven’t already).
You have some time to transition to the new encryption protocol, given the PCI SSC deadline. If you haven’t commenced assisting merchants with the transition yet, initiate your efforts now.
As a whole, look for payments integration systems that support point-to-point encryption and tokenization systems.