The Visa acceptance ecosystem covers all commerce types, including the face-to-face, unattended, mobile and e-commerce environments; it helps to increase electronic payment acceptance for sellers, allowing a variety of ways to connect to Visa either directly, through an acquirer or via a third party.
To foster growth in the card-absent environment and help merchants meet their evolving business needs, Visa continues to provide strategic merchant solutions that support greater processing efficiencies.
Customers enjoy the increased options: the opportunity to shop and order anytime and anywhere (in-store, ecommerce, telephone, mobile web, or mobile app) and to select how they receive the merchandise (pick-up or delivery).
Starting in October 2018, merchants who meet specific volume thresholds for purchase returns on Visa accounts will be required to process a purchase return authorization for each return. All other merchants are required to process purchase return authorizations beginning in April 2019.
This flyer provides clarification of the rules which detail how a merchant should identify the proper location for all transactions processed through the Visa system. Providing the proper information helps prevent unnecessary cardholder disputes and reduces additional risk to the Visa system.
As the payment system has evolved, instances in which a transaction is initiated with a stored credential based on a cardholder’s consent for future use have increased to significant levels. To help merchants and acquirers understand the Stored Credential and Merchant Initiated Transaction framework, Visa is summarizing the requirements and implications through this supplemental document. Please refer to the October 2016 VisaNet Business Enhancement Global Technical Letter and Implementation Guide for full details.
This guide is intended for merchants, acquirers, payment facilitators, and staged digital wallet operators that process stored credential transactions, and for all issuers. The information provided in this guide allows all stakeholders to comply with the mandatory requirements and take advantage of the benefits of the Stored Credential Transaction framework.
The information contained in the Visa Payment Acceptance Best Practices for U.S. Quick-Service Restaurants guide is geared toward the actions and decisions most pertinent to quick-service restaurants and operators in the U.S. It also includes best practices and on-the-job support tools for managers and employees.
Visa offers a Partial Authorization service that provides an alternative to declining a transaction when the card’s available balance is not sufficient to approve a transaction in full. This flyer provides information about the benefits realized, how to use the service, and answers to frequently asked questions.
Webinar deck highlights tools and resources that are available to clients and merchants to mitigate risks when selecting a service provider partner. Additional highlights include Third Party Agent Risk Program initiatives, including unregistered agent campaigns and multiple tool enhancements.
This document is designed to help merchants properly handle transactions that have been charged back to their business by their acquiring bank. Here you will find best practices targeted to the needs of both card-present and card-absent merchants.
Visa Claims Resolution (VCR), a new global initiative, will replace Visa’s existing dispute resolution process. VCR will simplify dispute processing by migrating from a litigation-based approach to a liability-assignment-based approach. This flyer describes the new process, consolidation of reason codes, and merchant benefits.
This report utilizes Visa Payment Fraud Disruption (PFD) team’s first-hand operational experience to describe the most significant developments in the payments threat landscape over the past six months, as well as the adapted tactics employed by threat actors.
PFD incorporates a fast-paced, multi-faceted approach in the fight against attacks targeting the global payment ecosystem. Comprised of five primary functions, the team utilizes best-in-class cyber and fraud capabilities and personnel to preserve the integrity of Visa’s payment system and support global growth.
Throughout 2020, Visa Payment Fraud Disruption (PFD) identified a trend whereby many eSkimming attacks used web shells to establish command and control (C2) during the attacks. Web shells are tools used by threat actors to establish and maintain access to compromised servers, deploy additional malicious files/payloads, facilitate lateral movement within a victim’s network, and remotely execute commands. Actors employ numerous methods to deploy web shells, but often use application plugins and PHP code.
Throughout the second half of 2020, the payments threat landscape was largely influenced by the ongoing COVID-19 pandemic. The global pandemic forced the world into an uncertain and constantly adapting environment and fundamentally changed the way the world conducts business. Threat actors similarly adapted to the new environment and remained immensely active in carrying out cyber and fraud threat campaigns. This report utilizes Visa Payment Fraud Disruption (PFD) team’s first-hand operational experience to describe the most significant developments in the payments threat landscape, as well as the adapted tactics employed by threat actors.
Account Enumeration is a prolific problem that affects issuers, merchants, and acquirers globally. Cybercriminals are taking advantage of big data and artificial intelligence to find and exploit new vulnerabilities. To conduct fraudulent eCommerce transactions, cybercriminals use scalable and programmatic automated testing of common payment fields, a method also known as account enumeration. This guide will provide an overview for merchants on implementing mitigation techniques to help bolster their merchant website and ensure they are not susceptible to these enumeration attacks.
In May and June 2020, respectively, Visa Payment Fraud Disruption (PFD) analyzed malware samples recovered from the independent compromises of two North American merchants. The recent attacks exemplify threat actors’ continued interest in targeting merchant POS systems to harvest card present payment account data. PFD is providing the analysis of these malware variants and the corresponding indicators of compromise (IOCs) to assist in the identification, prevention, and mitigation of attacks using the malware.
With Magento 1 recently reaching 'end-of-life' for support, merchants with online stores deployed on Magento 1 will lose all access to new features, functionality updates, bug fixes, and support from Adobe/Magento. Most importantly, any future vulnerabilities will no longer be addressed with new security patches from the company, leaving the unsupported versions of Magento exposed to security or data compromise incidents.
However, Magento is not the only targeted website platform and so the purpose of this guide is to provide ecommerce merchants with recommendations to keep their websites secure in order to avoid a security or data compromise incident.
In February 2020, Visa Payment Fraud Disruption (PFD), using the eCommerce Threat Disruption (eTD) capability, identified a previously unknown ecommerce skimmer, and named the skimmer 'Baka.' PFD identified this unique skimmer on several merchant websites across multiple global regions using Visa’s eTD capability, which analyzes and detects threats targeting eCommerce merchants.
Pandemic unemployment assistance (PUA) fraud is a significant consequence of the ongoing COVID-19 pandemic and remains prolific as the pandemic persists. Visa Payment Fraud Disruption (PFD) previously identified the use of mobile payment applications to facilitate PUA fraud. Throughout July 2020, PUA fraud continued, and PFD identified new tactics used by threat actors to conduct this fraud.
Visa Payment Fraud Disruption (PFD) analyzed malware samples recovered from the compromise of a North American merchant. The malware variants were identified as Alina POS, Dexter POS, and TinyLoader. These malware variants were deployed on the merchant network in an effort to harvest track 1 and track 2 magstripe payment card data from the merchant’s point-of-sale (POS) environment. However, the targeted merchant had EMV® Chip enabled point-of-sale terminals. The implementation of secure acceptance technology, such as EMV® Chip, significantly reduced the usability of the payment account data by threat actors as the available data only included personal account number (PAN), integrated circuit card verification value (iCVV) and expiration date. PFD is providing the indicators of compromise for merchant network security purposes.
Visa is committed to enhancing both the security and quality of payment services available in both card-present and card-not-present environments. This fact sheet provides useful information related to the upcoming end of life for all Magento 1 websites.
In summer 2019, Visa Payment Fraud Disruption (PFD) identified three unique attacks targeting merchant point-of-sale (POS) systems that were likely carried out by sophisticated cybercrime groups. PFD recently reported on the observed increase of POS attacks against fuel dispenser merchants, and it is likely these merchants are an increasingly attractive target for cybercrime groups. Track 1 and track 2 payment card data was at risk in the merchant’s POS environments due to the lack of secure acceptance technology (e.g., EMV® Chip, Point-to-Point Encryption, Tokenization, etc.) and non-compliance with PCI DSS. The activity detailed in this alert highlights continued targeting of POS systems, as well as targeted interest in compromising fuel dispenser merchants to obtain track data.
In August and September 2019, Visa Payment Fraud Disruption (PFD) investigated two separate breaches at North American fuel dispenser merchants. The attacks involved the use of point-of-sale (POS) malware to harvest payment card data from fuel dispenser merchant POS systems. It is important to note that this attack vector differs significantly from skimming at fuel pumps, as the targeting of POS systems requires the threat actors to access the merchant’s internal network.
Visa hosted a webinar to review requirements, procedures and timelines for reporting and responding to a suspected or confirmed account data compromise event. In addition, the webinar explored compromise trends and fraud schemes and the suite of Visa security capabilities designed to prevent and disrupt payment fraud.
In June 2019, Visa’s Payment Fraud Disruption (PFD) analyzed a malware sample from the recent compromise of a North American hospitality merchant and identified the malware as a variant of the Alina Point-of-Sale (POS) malware family. Alina dates back to at least 2013, and is one of many malware strains that possesses a Random Access Memory (RAM) scraper, which is specifically designed to steal payment account information from the memory, or RAM, of the targeted system. Given the upload and compile dates, and recently observed operations leveraging Alina, PFD assesses Alina POS is in active use and remains a popular malware variant for POS targeting.
Based on Visa Payment Fraud Disruption’s (PFD) analysis of eCommerce compromises throughout 2018, FIN6’s focus on the CNP environment has only amplified, suggesting that the cybercrime group has fully incorporated targeting CNP environments into their criminal methodology.
Visa’s Payment Fraud Disruption (PFD) team was the first to link the exact same PwnPOS malware file hash across seven recent point-of-sale breaches reported since March 2018 in North America. It was also found that each of the PwnPOS malware files recovered from the 2018 breaches were the same across all compromises, rendering PwnPOS an easily identifiable malware family.
Visa hosted a webinar on September 20, 2018 to cover a brief introduction to the Payment Card Industry Security Standards Council (PCI SSC) and PCI DSS, as well as a discussion on best practices for reviewing PCI DSS validation documents, including samples and examples of PCI DSS documents.
Visa is aware of recent incidents in the U.S. in which criminals are committing fraud through processing fraudulent purchase return transactions. The fraud scheme involves cloned POS devices and funds are cashed out at ATMs after the purchase returns have been posted to the cards. The purpose of this Visa Security Alert is to provide clients with an understanding of the threat landscape and best practices for securing the environment.
Visa hosted a webinar covering the threats from website add-ons and e-commerce breach trends. The webinar reviewed the common attack vectors and methods, malware injection techniques and overall e-commerce security trends and best practices.
Visa hosted a webinar focusing on ATM cash out trends and issuer preventive measures. The session reviewed ATM cash out fraud and how the attacks are carried out. This is to provide an understanding of how to protect and defend against these schemes, as well as how Visa can help.
A growing industry trend to deploy online chat and non-voice channel services within call centers and merchant online environments may introduce potential risks to the users of these services. Visa Payment Systems Intelligence (PSI) identified increasing instances of criminals targeting these online services to obtain payment data. The purpose of the attached Visa Security Alert is to provide clients with an understanding of the threat landscape and best practices for securing this environment.
Visa hosted a webinar providing an overview of machine learning—specifically, how machine learning is applied in the payment industry, decision making with machine learning, threats from machine learning based attacks, and managing and monitoring of machine learning.
Visa hosted a webinar to highlight new data security resources available to small merchants through the Payment Card Industry Security Standards Council (PCI SSC). The webinar reviewed recent updates to the Qualified Integrator and Reseller Program and other educational resources designed to help small merchants better understand how to protect their acceptance environment and the Visa payment system.
eCommerce malware infections are a continued contributor to global fraud in the Card-Not-Present space. To help merchants combat fraud resulting from these global and persistent attacks, Visa is providing guidance and best practices for merchants to help secure their online stores.
Visa has become aware of the rise in phishing campaigns throughout the payments ecosystem. The primary cybercriminal exploitation method begins with a phishing e-mail and relies on the Dynamic Data Exchange (DDE) protocol for infection instead of malicious macros or an exploit kit. Visa is providing this alert to ensure awareness of the cyber threats actively exploiting this Microsoft Windows feature.
Visa hosted a webinar for clients to present an overview of Visa's new monthly client data security communication. To assist clients in managing their sponsored merchant and third party agent compliance with Visa’s data security validation requirements, effective November 2017, Visa will provide clients with a monthly report listing all merchants and third party agents due to revalidate compliance against the Payment Card Industry Data Security Standard and/or PCI PIN Security Requirements.
As counterfeit fraud becomes more challenging for fraudsters globally, they have shifted their focus to the card-not-present channel. Cybercriminals are targeting e-commerce transactions to exploit common vulnerabilities and compromise static payment data. In particular, the e-commerce space has seen developments in malware, modified source code and database triggers.
Visa hosted a webinar to discuss the topics and key take-aways from the 2017 Visa Security Symposium. This webinar highlighted the importance of securing a connected world. In today’s digital age, proper checks on data security and risk management are essential to defending the payments ecosystem.
Do you know who handles your data? Working with the right partners is crucial to protecting the cardholder environment. Ensuring that players prioritize security can help you score a security home run this summer.
Visa has observed an increase in network intrusions involving service providers, re-breaches of merchant payment environments and skimming incidents involving Point of Sale (POS) device overlays. Visa is issuing this alert to make Members and entities aware of their obligations to investigate and immediately report all data compromise events.
Visa hosted a webinar providing an overview of the trends in the global payment system – from protection to authentication. This webinar highlights the effects more players and digitization have on the payments ecosystem and what that might mean for data security, fraud management and cyber intelligence in the future.
Multiple information security firms have reported on the emerging threat of a new malware variant identified as “Flokibot.” While Flokibot attacks have focused on the LAC region to date, this malware may represent a broader threat to the payments ecosystem. Visa is publishing this alert in order to provide clients and stakeholders with technical information, including background on the malware, indicators of compromise and suggested mitigation activities to protect the payments ecosystem.
It is always a great opportunity to set goals and make plans to achieve them. While motivation is at an all-time high, consider taking the following actions to help secure the payments ecosystem at the merchant level.
Tapping to pay is quickly becoming the standard way to pay at checkouts around the world. Driven by a continued focus on improving their member experience, Costco, a global retail leader, implemented contactless technology at the point-of-sale across more than 525 warehouses in the U.S. This case study provides an overview of their decision to make the transition to contactless, key steps they took and the impact they have seen as a result of implementation.
Visa hosted a webinar on September 20, 2018 to cover a brief introduction to the PCI SSC and PCI DSS, as well as a discussion on best practices for reviewing PCI DSS validation documents, including samples and examples of PCI DSS documents.
Visa has been working with merchants, acquirers, and fuel-industry providers to support migration to the more secure EMV technology. The EMV liability shift is designed to better protect all parties. With the new rules, the party that is the cause of a chip transaction not occurring, either the issuer or acquirer, will be held financially responsible for any resulting card-present counterfeit fraud losses. However, due to challenges with EMV Automated Fuel Dispensers (AFD) solution readiness, Visa is delaying the U.S. domestic AFD EMV liability shift date to 1 October 2020.
New options for merchants in the U.S. & Canada: From 14 April 2018, EMV-enabled merchants in the U.S. and Canada have the option to stop capturing signatures as a method of cardholder verification. Those same merchants will also no longer be required to retain and store transaction receipts.
Fuel dispenser chip card acceptance is the more secure way to accept Visa cards at your fuel dispensers, and the best way to avoid liability for counterfeit fraud. The sooner it is done the better for a number of reasons.