Executive Insight: Winning the War for Payment Card Data

By Steve Sommers – Senior Vice President of Applications Development, Shift4 Corporation

Last year, the United States experienced what has been dubbed “the year of the data breach.” Now, we’re nearing the end of 2015, and data breaches continue to plague merchants.

2015: Year In Review


At Shift4, 2015 was filled end-to-end with high points and milestones. We’d like to share the top 4 reasons why 2015 was so memorable for us.

‘Tis The Season For Secure Mobile Payments!

It’s beginning to look a lot like the holiday season – and for millions of holiday shoppers that means purchasing decorations, food, and gifts that make the season bright. According to the National Retail Federation, “Despite the challenges that still exist in our economy, it looks as if consumers are eager to celebrate the holidays with friends and family this year.

Dara Security Assesses True P2PE™

At Shift4, we value our customers’ payment data security above all else. Every product and technology we provide was created knowing that data breaches and fraud are real threats that can happen to anyone at any time. With that in mind, we want to make sure that all of our payment solutions are as secure as possible.

EMV: Your Questions Answered

You’ve got questions, and we’ve got answers! We’re sharing our answers to merchants’ most commonly asked questions about EMV.

Executive Insight: EMV Requires Tokenization and Encryption to Work

Shift4’s CTO and Senior Vice President of Research and Development, J.D. Oder II, outlines how to implement a secure EMV strategy.

New Enhancements to Our VT4® Mobile Payment Solution


In September, we were pleased to announce the general availability of our VT4® mobile payment solution designed for merchants of any size in industries like food and beverage, retail, and hospitality. Early adopters of VT4, including PGA TOUR, appreciated the industry-leading security features, ease of use, bank and processor neutrality, and the host of other features that make VT4 such a forceful competitor in the mobile payment space.

Customer Case Study: Darien Lake Amusement Park

Learn about their experience with Shift4 in this case study.

The Road to EMV Completion: Processor Certification Status

Find out how close we are to the EMV finish line with your processor!

Shift4 Fall Events Preview


Fall is here and with it comes the excitement of a busy conference season! The Shift4 team is hitting the road to educate merchants about the latest and greatest happenings in the payments industry.

If you’re attending any of the following events, please stop by and say hello!

Mobile Payments Designed With Enterprise In Mind


Shift4 recently announced the general availability of VT4®, the most secure, flexible, and feature-rich mobile point-of-sale (mPOS) solution on the market. VT4 allows merchants to quickly and securely accept payments on any smartphone, tablet, or laptop.

Customer Case Study: Darien Lake Amusement Park

Last year, Shift4 successfully integrated our DOLLARS ON THE NET® payment gateway into the lodging facilities at Darien Lake Amusement Park, located just outside Buffalo, NY. Learn about their experience with Shift4 in this case study.

All Things EMV

Visit Shift4’s EMV Microsite Today!

EMV for Small Businesses


A survey by Newtek Business Services, Inc., shows that 71% of small businesses do not know about EMV and how it applies to them. Are you included? If you run a small business, then we have a primer on what the October 2015 fraud liability shift means for you and how Shift4 is helping you reduce your fraud liability with EMV, and reduce your breach risk and PCI scope with True P2PE™ and TrueTokenization®.

How to Get the Most Out of a Gift Card Program


Consumers don’t just love giving gift cards – they also love receiving them. According to the National Retail Federation, gift cards have been at the top of consumers’ wish lists for the past eight years in a row.

Support for Windows Server 2003 Is Over


In March, we warned merchants that Microsoft’s extended support for Windows Server 2003 would be ending. In July, this extended support period expired. On August 20, 2015, Visa issued a Security Bulletin about the Windows Server 2003 end of life for acquirers, issuers, processors, merchants, and agents. We’re sharing that bulletin below for your reference. Please share it with anyone in your organization who may need to be made aware of its contents.

Get in Gear for EMV


The U.S. EMV migration liability shift date, October 1, 2015, is almost here. Are you on the road to EMV chip card acceptance? Earlier this year, we shared a road map to give merchants and independent software vendors (ISVs) a quick look at how to get ready for EMV. Now, we’re sharing the steps merchants, ISVs, banks, and processors need to follow on the home stretch to EMV. Click here to learn what to do to accept EMV cards.

Executive Insight: Why PCI Needs to Add a Third P2PE Standard

Shift4 President and CEO Dave Oder explains why the PCI Security Standards Council (PCI SSC) shouldn’t require hardware security modules (HSMs) in P2PE environments.

Don’t Fall Victim to Malware


Malware attacks have become increasingly common for merchants who process payments using remote-access systems, according to a recent alert from the Financial Services Information Sharing and Analysis Center (FS-ISAC).

Top 4 EMV Topics


It’s safe to say that the topic of the U.S. migration to EMV has captured the attention of many. From the consumers who are starting to receive new payment cards with chips on them to the merchants themselves, EMV will have an impact on every individual and organization that is a part of the payments cycle (hint: that means pretty much everyone in the U.S.).

EMV: What You Need To Know

Shift4 is helping our merchant customers and valued partners prepare for EMV.

Executive Insight: Take the Time to Do EMV Right (Part 2)

By Steve Sommers – Senior Vice President of Applications Development, Shift4 Corporation

Last month, we talked about how some organizations are pressuring merchants to rush into EMV solutions instead of urging merchants to take the time to adopt a strategic approach to EMV.

Shift4 Celebrates 10th Anniversary of Tokenization!


Tokenization has become more of a household name as of late, as more companies adopt the technology and as sister technologies like the consumer-based “payment tokens” of mobile wallets take shape. Shift4, on the other hand, has been using tokenization long before anyone else.

12 Hospitality Touchpoints Secured by Shift4


From a payments point of view, hospitality environments are particularly complex. Typically, hotels keep payment card information on file for booking guarantees, advanced deposits, refunds, incremental authorizations, and more.

Visa® Warns of New Malware Threats


Visa® recently sent out a security alert to inform merchants of an increase in malware attacks targeting point-of-sale (POS) integrators. We encourage our merchant customers to take note of the following information, and to review the Visa security alert and pass it along to the appropriate departments or individuals.

Play Video: Tokenization for Beginners

Watch our video to learn how tokenization works.

WEBINAR: How to Use eSignatures with Sertifi & Shift4’s DOTN

How to Use eSignatures with Sertifi & Shift4's DOLLARS ON THE NET®
Tuesday, Jun 23, 2015, 11:00-11:30 a.m. PST
View the Recording

Shift4 Response to MalumPOS Malware

Recently, Trend Micro published a brief on their blog about malware named MalumPOS. This blog post is based on a 2014 report and is most likely referencing 2013 or prior data in order to refer clients to their own endpoint-monitoring software.

Executive Insight: Take the Time to Do EMV Right (Part 1)

By Steve Sommers – Senior Vice President of Applications Development, Shift4 Corporation

U.S. a Unique EMV Market
Four years ago, when the major issuing banks announced their timeline for transitioning to EMV in the U.S., payments industry insiders knew that the U.S. EMV migration would be more complicated than previous implementations around the globe had been.

Innovative Solutions to Prevent Hospitality Breaches


The hospitality environment is unique in its handling of guests’ payment card data. Large hotels and resorts generally involve hundreds, sometimes thousands, of touchpoints where payment card data can enter their systems – from reservations, retail stores, and valets to the front desk, restaurants, and snack stands.

EMV: Swipe Ahead Gets Left Behind

Update 10/4/16: Shift4 has been around long enough to predict how most things will shake out in the payments industry. With the below article, we knew EMV was going to cause headaches for merchants, consumers, and just about everyone else who deals with payments. Well, it turns out we were right. Most major card brands brought the concept of “swipe ahead” back. Read about its comeback.

Google Chrome Security Message


Shift4 supports a large set of the most secure cipher suites available along with a few legacy cipher suites that are still needed by a large portion of our customers.

Play Video: Shift4’s EMV Road Map

Watch our video to learn how we’re getting merchants and independent software vendors ready for EMV.

Executive Insight: The Cost of Vigilance Versus Compliance

By Steve Sommers – Senior Vice President of Applications Development, Shift4 Corporation

If there’s one word we hear too often in the payments industry, it’s “compliance.” Too many security officers, IT directors, and other business leaders hold to the term like Linus from the Peanuts gang clings to his blanket.

When Your Acquirer Comes to Call About EMV


Merchant acquirers (e.g., merchant banks, merchant services providers, and independent sales organizations) are waking up to the fact that the merchants they support need to be ready to accept EMV transactions by October 2015.

Cyber Security Tips for Smartphone Usage

Connecting mobile devices to your company network can introduce security risks to the environment if you aren’t careful. However, if you follow these simple rules for smartphone usage, provided by the Financial Services Information Sharing and Analysis Center (FS-ISAC), your environment will be much better off for it.

EMV: What It Is and What It’s Not

U.S. EMV is coming. Are you prepared? In the simplest terms, EMV is a special chip embedded on a credit or debit card that helps to prevent card-present fraud. The EMV chip prevents counterfeiting, skimming, and the use of lost or stolen credit or debit cards.

EMV Made Simple

Shift4, provider of the world’s largest independent payment gateway, DOLLARS ON THE NET®, already processes EMV transactions in Canada and has the unique capability to be a force multiplier for the independent software vendors (ISVs) that supply point-of-sale (POS) and property management system (PMS) solutions, as well as for payment device manufacturers and processors, as they transition to EMV in the U.S. We can also simplify the process for merchants who are implementing new solutions or planning to change devices or processors.

Shift4's flexibility and unique infrastructure allow us to reduce the time, expense, and stress of the EMV transition for everyone involved.

Shift4 Makes EMV Easy for Merchants

Shift4 makes getting ready for U.S. EMV easy for merchants. Here’s how:

  • Shift4’s support for EMV is complemented by our True P2PE™ (point-to-point encryption) and TrueTokenization® solutions, ensuring our merchant customers get the strongest payment data security available.
  • Merchants using DOLLARS ON THE NET can choose from premier payment devices that are both EMV capable and that come with Shift4’s encryption keys for True P2PE already injected.
  • Since Shift4 is completely bank and processor neutral, merchants can quickly and safely switch banks or processors as needed.
  • Shift4 features 350+ integrations with the leading POS and PMS solutions, so merchants can be assured that their POS or PMS will be supported to accept EMV transactions.

Are You Ready for EMV?

Check for regular updates on our EMV microsite. For more detailed information, contact Shift4 today.

Shift4 Makes EMV Easy for ISVs

Shift4 makes getting ready for U.S. EMV easy for ISVs with a simple certification for EMV. Here’s how:

  • Shift4’s Universal Transaction Gateway® (UTG®) controls the payment devices connected to it, so ISVs who are currently certified with Shift4 for debit will be able to offer U.S. EMV without making any significant changes to their existing software.
  • Because of the UTG’s device control, ISVs certified with Shift4 will automatically receive EMV certifications for each device and processor we support, so there is no need for them to do a separate certification for each device. This saves ISVs about six months of development time (approximately $250,000 or more) plus certification fees (which can vary from $4,000 to $15,000 per pass) for each device and processor.
  • The UTG also offers no-cost, no-hassle system updates, including updates to stay compliant with the industry’s regulations, resulting in approximately $100,000 cost savings or more in ongoing development costs.
  • In Canada – and now in the U.S. – Shift4’s PA-DSS-validated UTG stands in the place of the POS or PMS solution in the certification process as the payment application of record. This means ISVs can focus their time and money (and development cycles) on other features.
  • Our full suite of technologies allows vendors to often entirely remove their application from PCI DSS scope – meaning costly PA-DSS validations may no longer be required.

Are You Certified With Shift4 for EMV?

Contact Shift4 today to ensure you are certified with Shift4 for U.S. EMV and check our EMV microsite for regular updates.

Shift4 Makes EMV Easy for Payment Device Manufacturers

Shift4 makes getting ready for U.S. EMV easy for payment device manufacturers. Here’s how:

  • Because Shift4’s integrations to the various POS and PMS solutions allow us to stand in for them as the payment application of record, we have the ability to also stand in for the POS and PMS solution in EMV certifications. This means that after we’ve certified a device to a given processor, it is certified no matter which POS or PMS solution a merchant uses (so long as they are integrated to DOLLARS ON THE NET). This can save payment device manufacturers months of work and tens of thousands of dollars. Also, it gets certified devices to market faster.
  • Shift4 satisfies the 600+ flows required by the processors for EMV certification with a simplified, "one-and-done" approach. When device manufacturers certify a device with us – once – they’re good to go.
  • Certifying a payment device with Shift4 will increase exposure to merchants across every industry in North America. We work with more than 24,000 merchants across over 100,000 locations throughout the U.S., Canada, and the Caribbean.
  • Shift4 provides payment device manufacturers with freedom for innovation when adding new features and capabilities. Because our unique technologies allow us to stand in for POS and PMS solutions and control the payment devices, all of our integrated POS and PMS solutions will support new device upgrades with no development required from the POS or PMS solution vendor, so long as Shift4 supports the new features. This means innovations can reach more locations, more quickly.

Are Your Payment Devices Certified With Shift4 for EMV?

Contact Shift4 today to ensure your payment device is certified with Shift4 for U.S. EMV. And, check our EMV microsite for regular updates as we continue to prepare our merchant customers and business partners for the migration to U.S. EMV.

Shift4 Makes EMV Easy for Processors

Shift4 makes getting ready for U.S. EMV easy for processors. Here’s how:

  • Shift4 will do the legwork of certifying payment devices and ISVs for EMV so processors won't have to, saving you time and money. This means that if you certify with Shift4, we will help you reach tens of thousands of merchants who are looking for an EMV-ready solution that works with their POS or PMS solution. (We can also make it simple for merchants to switch to EMV-ready processors who have certified with Shift4.)
  • Because Shift4 replaces the POS or PMS solution as the payment application of record, a certification to us gives a processor access to our full network of integrated POS and PMS solutions (350+ and growing), payment devices from all the leading manufacturers, and merchants who are looking for a certified, secure EMV solution.

Are You Ready for EMV?

Processors, make sure you put Shift4 at the top of your list for EMV certification. Certifying Shift4 for EMV will save you time and money on EMV certifications and help connect you to Shift4’s integration partners and merchant customers. Contact Shift4 today.

Shift4 Makes EMV Easy for the Credit Card Brands

Shift4 makes the process of preparing for U.S. EMV easier for the credit card brands. Here’s how:

  • If card brands (e.g., Visa, MasterCard, etc.) encourage their vendors to partner with a payment gateway like Shift4’s, it will help to get the U.S. market ready for EMV faster. This is because Shift4 provides processors and payment device manufacturers the help that they need to prepare for EMV and connects them with merchants who desire EMV readiness, as well as the best payment and security solutions.
  • We understand that EMVCo wants global interoperability of chip-based payment cards. Shift4 offers the best solution since we are proudly bank and processor neutral and are dedicated to reducing the complexities of the U.S. EMV migration for everyone involved.

Connect With Shift4

Check our EMV microsite for regular updates as we continue to prepare our merchant customers and business partners for the migration to U.S. EMV. And, if you have any questions, you can contact Shift4 today.

3 Things Every Merchant Should Know About EMV


Shift4’s SVP of Applications Development, Steve Sommers, was recently invited to San Antonio to speak at the Hotel Technology Next Generation (HTNG) North American Conference. The session he was asked to join, entitled “Securing Payment Data: Tales From the Front,” featured Sommers alongside Rob Martin, the VP of Security Solutions for device manufacturer Ingenico, and Merchant Link’s Director of Product, Christian McMahon.

Which EMV Device Is Right for You?


Many of our merchant customers are looking into purchasing new payment devices to begin accepting EMV chip cards. In this article, we highlight the payment devices we support for processing EMV and a few of their features that may help you determine which one(s) will work best for your business.

Don’t Get Lured Away From Shift4


We can only assume that at one time or another, you may be contacted by our competition and pressured to move to another payment gateway. If this is the case and you’re considering a move, don’t make the mistake of believing everything you hear. There are a lot of things that you get with Shift4 that you can’t get anywhere else.

Shift4 Is Ending Support for a Few Payment Devices


Every now and then, older model payment devices are replaced with more advanced, secure, and better performing models. This is the case with a few payment devices that have reached their end-of-life, which means the manufacturer will no longer support or sell them.

EMV 101 FAQs


Last month, Shift4 was approached by Retail Realm, one of our long-time partners, with a request to put together an EMV 101 webinar for their resellers. The event was a great success, and we were able to share the expertise of Shift4’s VP of Business Development, Bob Lowe, who has been part of EMV migration projects in Australasia, Europe, Canada, and now the U.S.

Since the webinar, we have been contacted by dozens of payments industry professionals who are looking for answers and assistance as they work with merchants to prepare for the October 1, 2015 EMV liability shift date. Based on what we’ve heard so far, we’ve put together a Shift4 EMV Q&A of the most common questions from resellers, VARs, and other potential partners.

Which U.S. Processors work today with EMV?
All processors are adding support for EMV, and are in various stages of readiness. While the exact order is subject to change due to customer demand, processor responsiveness, and a number of other potential factors, Shift4’s current plan is to support U.S. processors in the following order:
  • 1-Global/AMEX
  • 2-TSYS
  • 3-First Data
  • 4-Chase
  • 5-Elavon
  • 6-Vantiv
  • 7-RBS WorldPay
  • 8-Heartland
  • 9-First Caribbean International Bank
  • 10-First Hawaiian Bank
How does EMV work for a customer using a virtual terminal?
EMV requires transactions to be entered through an approved payment device. If the virtual terminal solution can work with an EMV device, it can be used. Shift4 is working with device manufacturer ID TECH to ensure our VT4 mobile payments solution (which includes virtual terminal functionality – and much more) will be EMV capable before October. However, most other virtual terminal solutions have the card data entered through the virtual terminal application and would then be considered manual-entry or swiped transactions, which would not qualify as EMV transactions.
Does Shift4 handle settling or batching transactions or is it still done by Microsoft Dynamics RMS?
Shift4 handles the batching and settling of transactions, relieving RMS from those responsibilities. RMS simply marks the transaction as ready to settle and Shift4 takes care of everything else.
With the U.S. not mandating PIN as part of EMV, will we see EMV devices without the keypad?
Yes, these are coming. The terminals that we will initially see from companies like Ingenico and Verifone are devices that have been used in Europe and Canada where PIN is a requirement. Based on the U.S. PIN-less flow, we are now starting to see plans for devices that have no keyboard. Some are calling them “three-in-one” devices because they accept chip, swipe, and contactless transactions. We expect these devices will be commonly used on mobile devices where the three-in-one device is plugged into the audio jack (or in the future, lightning/micro-USB port) of a phone or tablet.
Does Shift4 operate in the Caribbean?
Yes. Shift4 supports both First Data South and First Caribbean International Bank as processors in the region.
Is Shift4 a gateway and then the customer signs up for a processor separately?
Is there any change in the end-user customer’s liability when they receive an EMV card?
The cardholder’s liability is unchanged with EMV. The EMV liability shift applies to merchants, card issuing banks, and processors, and basically states that whichever entity breaks the EMV chain (i.e., is not ready to accept the EMV transaction), becomes financially liable for any fraud committed in that transaction.
Which payment devices are approved by Microsoft RMS that support EMV and NFC?
Shift4’s proprietary Universal Transaction Gateway® (UTG®) controls the EMV devices. Therefore, it is Shift4’s certification – and not Microsoft’s – that determines whether or not a specific device will be supported. Currently, Shift4 is seeking certifications for the Ingenico iPP320 and iPP350, along with the iSC Touch 250, iSC Touch 350, and iSC Touch 480. Shift4 is also certifying the Verifone MX915 and MX925 devices. All of these devices support EMV, NFC, and P2PE. Additional devices may be considered and added as needs arise.
What is the cost of DOLLARS ON THE NET?
Shift4 charges on a pennies per transaction basis with discounts for significant volume.
Would any credit card transactions be stored on the POS?
With Shift4’s solutions in place, the POS would continue to store transactions, but the transaction would no longer contain sensitive cardholder data. In fact, when used with Shift4, RMS, Retail Realm Essentials, and AX for Retail never store, process, or transmit sensitive credit card data.
How do we protect our customers’ investment in these devices in terms of future-proofing? Will these devices be capable of receiving remote updates to keep up with new rules or new capabilities?
All of the devices we are currently certifying support remote updates. Shift4’s UTG can push these updates as necessary.
How does EMV affect card-not-present transactions?
The EMV changes only impact card-present transactions; card-not-present transactions will work exactly as they do now.
Is the signature collection process going to be different with EMV? There are rumors that EMVco is going to require signatures to be collected on paper.
We are not aware of any paper signature requirements for EMV. With EMV, the cardholder signature will be used exactly as it is now – for chargeback defense. While PIN has been required in most countries that have implemented EMV (hence the nickname “chip and PIN”), in the U.S. it appears that most issuing banks are opting to only support signature authentication. Logic within the card will prompt the terminal to display either a PIN entry or a signature capture. If a signature-capture-capable device is in use, Shift4 will trigger the device to display a signature line. If the cardholder declines to enter it electronically, or the terminal doesn’t support signature capture, the printed receipt will automatically include a signature line for the customer to sign on. The transaction will go through regardless of whether the signature is actually captured, but in the event that the cardholder contests the transaction and the merchant cannot show a signature (physical or digital), the chargeback will fail.
Does Shift4 support tokenization for recurring transactions?
Yes. Shift4’s TrueTokens® may be securely stored within the POS application for use in recurring transactions.

Shift4 Doesn’t Use SSL (And You Shouldn’t, Either!)

You may remember that back in November, we released an alert about protecting yourself from the POODLE SSL vulnerability. For those of you who are less familiar with SSL, it refers to a type of encryption that was once used to secure communications between a user’s Web browser and a website in order to protect transmitted data from eavesdropping or tampering.

Shift4 Supports EMV to a T

We’re now 7 months away from the EMV liability shift. But, don’t worry. Shift4 is hard at work behind the scenes to make sure your EMV migration is a breeze.

There are three easy steps that you can do today to start preparing for EMV.