May 2019


Crossing the Elavon Bridge

For partners who aren’t directly integrated with an acquirer, the Elavon Bridge could be an option.

The Bridge links Elavon with your customer’s point of sale systems, allowing us to use our Simplify™ card-present solution to process payments through the customer’s POS.

Simplify encrypts the information and sends it on for processing through Fusebox™, our proprietary gateway. On Fusebox, your customer will be able to choose from a host of different acquirers, including Elavon. Once the payment data reaches the acquirer and the transaction is either approved or declined, Simplify will tokenize the data, giving it a unique identification number for the return trip back to the point of sale.

Tokenized card data is worthless to fraudsters and can also be safely stored in your point-of-sale system and used for other transactions later. Elavon offers your customers gateway services, acquiring services or both.

Please contact your relationship manager for more information about how your customers can cross the Elavon Bridge.


Prioritizing Security on Your Behalf

At Elavon, we take payment security seriously. Maintaining the standard of security you expect from us is an ongoing priority and true commitment. For that reason, we place a great deal of importance on third party validation of our systems and controls.

Most recently notable is the ISO27001:2013 certification we earned for our information security management system (ISMS) by the ANSI-ASQ National Accreditation Board (ANAB), the official U.S. accreditation body for this International Standard. This certification provides a model for establishing, implementing and operating a framework of policies and procedures that includes legal, physical and technical controls involved in an organization’s information risk management processes.

What Does This Mean for You?

With today’s ever-present data security threats, this certification provides you with the assurance and peace of mind that we continue to invest in and implement the latest security measures. Adhering to best practices and international security standards, our certification proves we have the procedures in place to protect your customers’ payment data we receive from you.

Why is a certification like this so important?

Given the ever-present and dynamic threats to data security today, customers are constantly looking for assurance their vendors have implemented reasonable and defensible security measures. This certification validates that Elavon has been tested against a venerated international security standard, as well as good business practices, and has proven to have proper security procedures in place. What does it take to pass a certification standard like this? Let’s break down the assessment into three sections:

Define a security policy

An organization’s security policy addresses specific constraints on members and technology in order to keep data safe. It outlines the risk appetite of the company and the actions that must be taken in the event of a security compromise or breach. Customers need assurance that their information is safe within a company that employs reasonable and defensible security measures. Internationally, the ISO 27001:2013 is highly regarded as the reasonable bar for basic security. In fact, it is against the law in Japan to conduct business without having this certification.

Define the scope of the ISMS

While there are currently no rules in the United States regarding the ISO 27001:2013 certification, it is vital to have validation from an external source to keep your customers’ data secure.

Defining a security policy allows you to state how the company will behave in the event of a compromise or breach, defining the scope of the ISMS identifies the information that the ISMS intends to protect.

Conduct a risk assessment and manage the identified risks

Conducting a risk assessment of information security system validates that the company is acting as planned per the security policy. It allows you to assess the areas in which you need to place the most focus, and prioritize the company’s time and monetary investments.

For example, our primary business at Elavon is payment processing and transaction acquiring, so we placed the most focus on those areas during our risk assessment. This shows that our main business has reasonable security practices, and enables us to take proactive action if any weak areas were to appear.

While the preparation of enforcing proper security practices is essential, it is also extremely beneficial to apply for certifications in which our company can be awarded with external validation. All of us in the payments industry must remember that security of our customer’s payment data is of the highest priority, and we must do everything in our power to ensure that it is protected.

The ISO 27001:2013 is one more way we can provide an added level of assurance to our customers.


Are You Ready for Card Brand Changes?

Major changes to the acceptance of contactless payments are now in effect, with more to come.

Visa has mandated that all applications accepting contactless payments be capable of using qVSDC (EMV Contactless). In addition, by Oct. 18, 2019, your customers will need to update devices with Contactless MSD processing as an option by removing the Magstripe Mode contactless method. Otherwise, your customers could face network fines and assessments from Visa.

MasterCard already requires that EMV contact-capable devices that also offer contactless entry to also be capable of processing EMV contactless. The brand is revising that standard to include the following:

  • Effective Oct. 18, 2019, newly deployed devices can only support EMV Mode Contactless and must not have Contactless MSD (Magstripe mode contactless.)

  • Effective Oct. 18, 2019, any POS device (new or existing) that accepts MasterCard and Maestro transactions using EMV Contact, as well as supporting contactless for competing brands, must also enable EMV Mode Contactless for MasterCard and Maestro. This means that turning off EMV contactless for MasterCard, when there is still Contactless MSD available for another brand, will be considered non-compliant.

  • Effective April 1, 2023, all POS devices in the field supporting contactless must have EMV mode contactless enabled. The Magstripe mode must not be supported.

Also effective October 2019, Visa will mandate that your customers obtain refund authorizations. Processing a purchase return with its own authorization allows the cardholder to see the refund in real-time online, just like their purchases. It improves the buying experience and saves your customers time by reducing calls from buyers asking, “Where’s my refund?” When buyers can see their refunds instantly, it also minimizes potential chargebacks.

Contact your Elavon representative for more details about EMV contactless processing, refund authorizations or other card brand changes.


Car Sharing: A New Frontier for Payments

Car sharing, a service in which individual car owners rent their vehicles to other drivers, is a promising opportunity for the payments industry, according to a study by Deloitte.

“No one has yet put into place payment solutions for a universal rental system,” the study said. “A payment provider could look to capture this opportunity by creating a simple plug-and-play solution to enable this growing market.”

The development of self-driving cars will further fuel the market. It would be much easier to deliver a car to the renter. Just enter their address, and off the car goes on its own. The renter could also send it back to the owner just as easily.

“Indeed, Tesla and other automakers have explicitly discussed this model as a way to drive growth,” Deloitte said. “This opportunity seems particularly promising in suburban and rural areas where density is insufficient to support rail transit or fleets of shared autonomous vehicles.”

A note about external links

By selecting this link, you will leave Elavon content and enter a third-party Web site. Elavon is not responsible for the content of, or products and services provided by this third-party, nor does it guarantee the system availability or accuracy of information contained in the site. This Web site is not controlled by Elavon. Please note that the third-party Web site may have privacy and information security policies that differ from those of Elavon.

©2019 Elavon Inc. Elavon is a trademark in the United States and other countries. All rights reserved. This document is prepared by Elavon as a service for its IPS partners. The information discussed is general in nature and may not apply to any specific situation.