Bin Management – Shift4 vs CardSense vs CenPOS

What is bin management software, or bin spinning? How does bin management differ from interchange optimization with least cost routing? Shift4’s Universal Transaction Gateway® (UTG®), Element’s CardSense™, and CenPOS’s end to end payment engine have different approaches to helping merchants reduce credit card processing fees. Bin management requires a hosted, server-based payment gateway.

Identifying BIN numbers is a challenge because the data must be obtained from multiple sources and maintained while it is in a constant state of flux. Card issuers refer to the leading six digits on the card as an “issuer identification number (IIN)”, or “bank identification number (BIN)”. All BINs have a sponsor bank. Interchange fees, the bulk of credit card processing fees, are related to the BIN. The BIN number identifies the card brand (Visa, MasterCard etc), card issuing bank, type of card (debit or credit), category of card (business, purchasing, prepaid, etc), and country of origin, in addition to other data.

Is pin debit or signature debit cheaper? Cashiers were trained to ask “will that be credit or debit?” years ago when there was a significant cost differential between signature debit and pin debit. After the Durbin Amendment became law, about 70% of debit cards now carry the same cost of .05% and $.22 per transaction, but there are still advantages to routing transactions:

  • Pin debit has a 14 day dispute period vs 120 days for signature debit
  • Dues and association fees are not applicable for pin debit
  • For cards that don’t fall under the big bank rules of fixed .05%, fees vary depending on the transaction routing; there’s a threshold where it’s cheaper to process as signature vs pin debit.

All three gateways enable merchants to manage the threshold and can communicate with a terminal to prompt the customer in the optimal way for the merchant.

Shift4 vs CardSense vs CenPOS retail debit card bin management

Element PS CardSense BIN management service allows merchants to differentiate between credit, PIN-debit, prepaid, and FSA/HSA cards; business management software then allows the merchant to decide how to process the transaction: as a PIN debit, prepaid debit or a healthcare card. Merchants are directed to the API for POS integration. To use CardSense, merchants must have an Element PS merchant account, and an API is available to integrate with their POS.

Shift4 identifies the card type as debit or credit, then, based on a merchant-defined threshold, prompts the customer for the preferred method, signature or pin, to process the debit transaction. To use Shift4 for retail, merchants can use the virtual terminal with any merchant account, or integrate with a POS system.

CenPOS identifies the card type as debit or credit, then, based on a merchant-defined threshold, prompts the customer for the preferred method, signature or pin, to process the debit transaction; additionally, using proprietary least cost routing technology, CenPOS dynamically routes the transaction to the lowest cost debit network (Star, Pulse, Interlink etc), if applicable. To use CenPOS for retail, merchants can use the virtual terminal with any merchant account, or integrate with a POS system.

Shift4 vs CardSense vs CenPOS retail credit card bin management

There’s no public information that Shift4 or CardSense offer additional bin management beyond debit. CenPOS retail bin management also supports all commercial cards, including corporate, purchasing, and business cards. CenPOS has uniquely certified their gateway for retail level III processing, significantly reducing interchange fees for eligible cards. For example, a $7,500 building supply sale could be reduced from 2.65% + $.10 to 1.20% + $40.00. Unlike pin debit, which prompts customers for action, level III prompts cashiers for action and, depending upon merchant rules, cannot be bypassed.

Cash management optimization

CenPOS’s patented optimization of payment processing encompasses many elements to help merchants mitigate risk and increase profit margins. CenPOS products use merchant preferences and transaction profiles to manage the expense of payment interchange and provide a method for electronically delivering coupons. Using this technology, businesses can accept any form of payment via websites, store fronts, call centers, and mobile applications to improve customer engagement and simplify reconciliation. The intelligent system closely manages the full lifecycle of each transaction and utilizes advanced risk management and proprietary transaction routing to reduce the total cost of payment acceptance.

In summary, bin management is a host-based solution to help merchants reduce merchant fees and mitigate dispute or ‘chargeback’ risk. It’s a step above countertop terminal capabilities, but limited in impact since debit fees became regulated. CenPOS’s cash management optimization of payment processing is a powerful system empowering merchants to control profit margins across all sales channels.

Disclaimer: Shift4 and Element PS information is based upon publicly available information as of this date. The CenPOS information herein is not all inclusive.

3D Merchant Services Powered by CenPOS
2633 NE 26th Ave, Metro South Florida, FL 33064 USA
 • 954-942-0483

Windows Internet Explorer critical security update

This security update resolves a vulnerability in Internet Explorer. The vulnerability could allow remote code execution if a user views a specially crafted webpage using Internet Explorer. An attacker who successfully exploited this vulnerability could gain the same user rights as the current user. Customers whose accounts are configured to have fewer user rights on the system could be less impacted than those who operate with administrative user rights.

Visit the Microsoft support center for more details and download the update.

For PCI Compliance, merchants must have the most current software installed that addresses any security threat. There isn’t an XP update, because that product is end of life; merchants are not PCI compliant if using XP or older software.

EMV chip terminal for Microsoft Dynamics RMS

What are RMS user options for EMV terminals? Here are four options for merchants to choose from while waiting for an RMS integrated EMV terminal; as of August 24, 2015, there are no gateways driving US EMV certified terminals yet.

Which is best EMV terminal for RMS users to accept chip cards today?

EMV chip smart card.

Which option would you choose?

  1. Choose CenPOS virtual terminal* and US EMV Verifone MX915 certified terminal with signature capture, hoping the gateway gets integrated into RMS later? Or use it short term, and switch later if another option is integrated first? (The Ingenico ISC250 is currently certified on First Data only, with others pending.)
  2. Choose a payment gateway that’s working on EMV certification and RMS integration with an unknown ready date, and that hopefully will add 3-D Secure?
  3. Wait and see? The challenge is time. The closer it gets to October 1, the harder it may be to procure terminals (shortages have been common all year), implement & train etc. Additionally, merchants may have stability challenges with gateways that are integrating terminals for the first time.
  4. Buy a countertop terminal with EMV certified pinpad, and use non-integrated? The units certified will vary by payment processor. This is probably the last choice, because it can never be integrated later.

Today, card issuers bear the fraud loss if they give merchants authorization to accept the payment for a counterfeit card at the point of sale. Merchants never know about this fraud because the processor/acquirer automatically manages the response. Starting October 1, this process no longer applies. If the merchant doesn’t support EMV, but the card issuer does, the acquirer is liable and can immediately charge back the merchant’s bank account via ACH. What’s the financial risk? Nobody knows, but an estimated 63% of card present fraud losses were covered by issuers in 2012.

* CenPOS also supports 3-D Secure for ecommerce, to help combat the expected increase in online fraud; it also supports level III data for business to business companies.

Can you recommend a PCI Compliant policy for storing credit cards?

Distributors and manufacturers can overcome PCI Compliance issues with better awareness of rules, and cost efficient solutions to ease PCI burden. A review of key problems and solutions will help companies with internal credit card authorization and storage policies. For credit card processing, a virtual terminal or integrated gateway is the only cost efficient and secure option for these business types.

It’s never OK to store credit card forms that have the CVV2, or security code, on them. It’s also never OK to store CVV2 electronically in any format, encrypted or not. This is both a card acceptance and PCI Compliance 3.0, section 3 Protect Cardholder Data, problem. For any recurring charges, including variable, merchants only need to validate the CVV one time for a fraud check, and then never again. This is easily accomplished with a zero dollar authorization; however, not all gateways support this feature.

The best paper credit card authorization form is one that doesn’t have full card data, or better yet, doesn’t exist at all. If sales reps in the field are getting card numbers to be charged later, consider a mobile payment app that lets them swipe and create a token, using a P2P encrypted reader. That way card data is never exposed at any point in time. Instead of getting card numbers over the phone, empower customers to self pay or store card data using online payment solutions, including either a hosted online pay page or electronic bill presentment and payment (EBPP). Use this to also eliminate credit card data in emails, which is another PCI Compliance problem.

Need to keep a card stored on file that you initiate charges on? It’s indefensible with today’s technology to have credit card data on paper, and it’s risky to use your own encrypted media. Tokenization, a payment gateway service for merchants to remove sensitive data from their environments, is the best practice for security and PCI Compliance.

Some businesses want a signature on file. A sales receipt is generated with almost any online payment solution and merchants can require a customer to print and sign it, or to simply forward the email receipt from a company email address with a typed name approving it. For recurring billing, choose a payment gateway that generates a PCI Compliant recurring billing authorization form. They’re useless if stolen, and contain all the right language for credit card authorization. It should be supplemented by a signed document with your own custom business terms and conditions, and limitations for duration and maximum charge amounts allowed. Merchants might also get a signed sales order with all terms and conditions, plus the token ID the customer has agreed you’ll charge to.

Third-party credit card authorization doesn’t exist as far as card issuers are concerned. It’s specifically written in the cardholder terms that they cannot allow any third party to use their card. Any form a merchant creates authorizing other parties is at risk for future disputes. The merchant can eliminate the risk by having the company issue purchasing cards for each buyer, or mitigate risk by sending the sales receipt automatically to the cardholder and asking the buyer to confirm receipt per T’s & C’s.

A huge problem is managing old stored data created prior to new PCI Compliance rules. The reality is, the merchant is not PCI Compliant as long as the old stuff exists. That likely means someone will need to be assigned to identify all the past ways that credit card numbers were captured. For electronic data, IT will need to get involved to securely remove old data. There are tools to search emails and servers for card data as well.
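One way such a search can work, as an added example that is not from the original post or from any vendor named here: a small Python scanner that finds Luhn-valid card numbers and labelled security codes in text, and reports only the first six (BIN) and last four digits. The function names, file name and sample text are constructed for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A labelled security code followed by 3-4 digits (storing it is never allowed).
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid|security code)\b\D{0,5}\d{3,4}\b", re.I)

def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out order numbers and similar digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits: str) -> str:
    """Keep only the BIN (first six) and last four in the report."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan(text: str, source: str = "<memory>"):
    """Return findings as dicts; the full card number is never included."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append({"source": source, "line": lineno,
                                 "type": "PAN", "value": mask(digits)})
        if CVV_RE.search(line):
            findings.append({"source": source, "line": lineno,
                             "type": "CVV", "value": "[redacted]"})
    return findings

# Constructed sample: an old e-mailed order note. The card numbers are
# publicly documented test numbers, not real accounts.
SAMPLE = """\
PO 88231 - ship Friday
Card: 4111 1111 1111 1111 exp 09/17 CVV2: 123
Backup card 5555-5555-5555-4444
Order ref 1234567890123456, phone 954-555-0100
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE, "old-order-email.txt"):
        print(finding)
```

The 16-digit order reference on the last sample line fails the Luhn check and is not reported, which is what keeps a scan of real mailboxes and file shares from drowning in false positives.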

PCI 3.0, in effect now, requires not only that merchants are PCI compliant at a point in time, but that there’s a plan in place for monitoring and inspecting. Whoever is cleaning up the old problems should document who, what, where, how and when activities were identified and/or completed, and continually add this to the master PCI file.

References:

Payment Card Industry (PCI) Data Security Standard, v3.1, pg 36 CVV
Visa Core Rules, October 2014 page 266, Merchant Must Not Request the Card Verification Value 2 data on any paper Order Form

 

PCCharge Replacement With EMV Certified Terminals

What can merchants replace PCCharge with? How would it impact your business if PCCharge suddenly stopped working? October 1, 2015 is end of life and end of support, so planning replacement is critical. Because it’s also the same date as EMV liability shift, merchants will want to update to EMV and NFC compatible solutions to optimally serve customers.

Verifone PCCharge is a Windows based software program which uses an internet connection to process transactions. It’s compatible with all acquirers (credit card processors), and the ‘wedge’ card reader is the most common retail set up. There are no similar EMV certified card readers certified to any processor currently. Because EMV transactions require customers to hold onto their card for the transaction, no change is anticipated.

Option one is a cloud based solution called a virtual terminal. Unlike PC software, the gateway is always up to date; merchants log in to a secure web page or to integrated POS software. All virtual terminals use an internet or cloud based payment gateway.

Payment Gateways quick facts:

  • Certified to each processor
  • Certified for functionality, including card brand, transaction type, level III processing, contactless (Applepay for example) and even industry (retail, restaurant)
  • EMV requires a special certification: each credit card terminal is certified to each processor
  • Functions vary widely. Some are very much like desktop terminals but with data now web accessible, and others are intelligent platforms with a variety of merchant efficiency, security, and profit optimization benefits.

Payment gateway overview:

Each processor has their own gateway. For example, First Data Global Gateway℠ e4 or Paymentech Orbital® Payment Gateway. There are also independent or third party gateways. For example, CenPOS or Authorize.net. Third party gateways provide flexibility to change processors at will without disrupting operations, among other benefits. For all non-integrated solutions, the payment gateway manages the consumer facing terminal.

EMV Certified Terminal Confusion:

Semantics is a big problem surrounding EMV today. The hardware is first EMV level 1 and level 2 approved. Then the hardware has to be EMV certified to work with each processor. If there’s a gateway, the gateway has to certify each terminal to each processor. Marketing messages like ‘get you EMV ready’ and ‘EMV capable’ make it very unclear which solutions merchants can actually turn on and process an EMV transaction today vs get you capable to process in the future when certifications are complete. For this reason, merchants must be very specific in asking whether they can accept EMV transactions immediately for any solution purchased.

Payment gateways with certified US EMV terminals:

Verifone MX915 multilane signature capture terminal

  • CenPOS: Verifone MX 915, certified First Data, certified TSYS*, live now. Ingenico iSC 250 First Data soon.

* TSYS provides flexible connectivity options for all the big acquirers. By certifying to TSYS, merchants can use the certified solution with First Data, Paymentech, Moneris, Global, Heartland, Elavon and others.

Option two is a countertop or desktop terminal:

Verifone VX520 with VX805 EMV terminal

Because the EMV transaction requires more memory than in the past, older countertop terminals cannot support EMV, even with an added pinpad. First Data has their own proprietary equipment; Verifone is one of the most popular brands for use with all acquirers, including First Data. Countertop terminals, and most gateways, do not support level III processing, critical for business to business merchants to lower merchant fees.

In summary, merchants can replace PCCharge with a universal payment gateway with a certified EMV terminal, with a proprietary payment gateway that has a certified EMV terminal, or with a countertop terminal, often with a separate EMV peripheral. It’s very important to ask any equipment supplier if the unit is certified for use today vs in the future.