Credit Card Expiration Updater & Recurring Billing

Are automated recurring billing transactions declining due to expired credit cards? This article identifies methods to automate credit card expiration updating for installment, fixed recurring, and variable recurring token billing transactions.

All credit cards on file are managed at the payment gateway level for PCI Compliance. The ‘token’ is the alphanumeric character set that replaces sensitive card data. Businesses have access to the token, but not the sensitive cardholder data, after it’s stored. With token management, users can update the credit card expiration date manually. No other fields can be modified. If the CVV – CID security code or card number changes, a new token is created for the new card.

Per rules of card acceptance, the actual expiration date must be used. There have been recurring billing software solutions on the market that simply change the expiration date for recurring transactions with expired cards, for example by changing the date by one year. This enabled transactions to go through with an authorization in some cases because the expiration date was not validated by the issuer. However, for chargeback rights, the expiration date must be provided by the Cardholder and must be correct.

Credit Card Expiration Date Updater Methods

  1. Self credit card updating. An email is generated by the recurring billing platform and/or payment gateway alerting the cardholder of an upcoming expiration. The cardholder then self-updates their payment method via a web portal. While effective at reducing phone calls for updating, it still requires action by the busy cardholder; thus, many still go unattended until the point that a transaction fails. This impacts profits with attempted transaction fees, the time to manually reach out to customers, and cancellations. We all know that sometimes a customer pays for a service they do not use effectively, but doesn’t bother to cancel. Once they have to update their card… the revenue stream can be lost.
  2. Automated credit card updating via the card brands. Merchants must register for the service with their merchant services provider, and must have a payment gateway that supports the updater service. Visa and MasterCard charge a one-time fee for registration. There’s also a fee per card updated, which varies by merchant services provider; typically, the provider will mark up for profit.

Credit Card Expiration Date Updater Costs

One-time Visa Account Updater (VAU) Setup fee $250, MasterCard Automatic Billing Updater Setup fee $350 per merchant account. The fee per update varies. For example, we charge $.09 as of this writing and clients have been quoted $.30 by other companies.

Recurring Billing Compliance Alert

Significant changes are coming to recurring billing. After the first authorization, all subsequent recurring billing transactions are to include a unique reference to the initial authorization. This must be managed seamlessly in the background at the payment gateway level. Adding a new field to the transaction process is significant and the challenges are likely on par with the launch of US EMV. Expect problems in the next 12-24 months as gateways struggle to comply with these requirements.

Refer to Visa Public Rules, and search for “recurring”, including section 5.9.9 Prepayments, Repeated Payments, and Deferred Payments, for more details.

CenPOS and Credit Card Expiration Date Updater

CenPOS, an enterprise payment gateway and merchant centric processing platform, supports the account updater services. As your CenPOS representative, I can activate the service on CenPOS for you; however, if your merchant services reside with a third party, you’ll still need to register through them. Before proceeding, contact Christine Speedy at 954-942-0483 for more information.

EBPP Improves Dealer Marketshare

Enhancing your customer experience involves many factors, and what happens when it’s time to pay is one of them, whether it’s online, in store or over the phone. The automotive and trucking industries have made significant investments to improve and measure their customer experiences, but failure to change payment technology creates differentiation for consumer choice. Electronic Bill Presentment and Payment, EBPP or EIPP, can create a more pleasant and secure consumer experience and can win dealers more marketshare.

Image: EIPP payment request. Body of email containing prefilled payment info, and link to securely pay online.

Let’s explore some examples. A dealer recently installed EMV chip card terminals. When a commercial account calls to order parts here are possible scenarios and repercussions:

  • The card number is key entered on the EMV chip terminal. Since the transaction is RETAIL, and the card was not swiped or chip-read, the dealer has no recourse if it’s fraud. Additionally, it will downgrade to the worst interchange rate, possibly doubling the cost to process the transaction. Some customers don’t like to spend the time going through the phone process, so the last touch with them is less than stellar.
  • The card number is key entered on a separate virtual terminal. If the transaction is MOTO, dependent upon merchant account configuration, the dealer has some fraud protection. Some customers don’t like to spend the time going through the phone process, so the last touch with them is less than stellar.
  • The customer gets a text message, or email, with a click to pay option. This is ideal because the customer is now in control of how and where they want to pay. Additional automated fraud controls like 3-D Secure Verified by Visa (VbyV) can be used. VbyV can mitigate risk, shifting fraud liability to the issuer, and sometimes also reduces the qualified interchange rate, depending on the card type.

If customers have multiple dealers to choose from, which will they go to? Millennial research shows they’ll switch for a better experience, and for them, that includes non-face-to-face interaction. Any dealer that wants to maximize customer satisfaction, and profits, must address the growing millennial demographic; they prefer to minimize personal interaction and use more digital technology as part of their purchasing experience. According to a Board of Governors of the Federal Reserve System March 2016 report, purchasing an item on their phone (42%) was one of the top three common mobile payment activities among mobile payments users with smartphones.

Christine Speedy is an authorized reseller of CenPOS, creating efficiencies through payment innovation. The CenPOS EBPP solution is available both integrated to ERP and other software, as well as standalone via a web browser.

Visa Partial Authorization Service

Visa merchant library update on December 13, 2016. Visa provides a Partial Authorization service that provides an alternative to declining a transaction when the card’s available balance is not sufficient to approve a transaction in full. This flyer provides information about the benefits realized, how to use the service, and answers to frequently asked questions.

Visa Partial Authorization Service – Improve the Customer Experience and Increase Sales (PDF, 326 KB)

“Partial authorization improves the customer experience by preventing embarrassment from a decline at the point of sale and enabling a seamless checkout with split tender transaction using multiple payment methods.” Christine Speedy

To accept partial authorizations for your business, a few items are needed:

  • Technology that supports it. Payment gateways certify partial authorization for each acquirer. Not all gateways certify. The receipt must also show each payment amount.
  • The merchant must enable it. For example, this could be a checkbox in the ERP or shopping cart software payments module, or it might be turned on at the gateway administration level. It’s possible a gateway is certified, but the related software using the gateway does not support it.

If partial authorization is not supported, and there’s a decline due to insufficient funds, there’s still an open authorization for the funds that were in the account. An authorization reversal should be completed to remove the hold on any cardholder funds. If you don’t want screaming customers, this is a must! Intelligent technology can automate this process.

Compliance with credit card processing rules can be extremely complicated. Relying upon employee training is futile. To improve your customer experience and automate rules compliance, contact Christine today at 954-942-0483.

 

PCI SECURITY STANDARDS COUNCIL PUBLISHES SUPPLEMENTAL PCI DSS SCOPING GUIDANCE

Guidance Clarifies Scoping Principles Outlined in the PCI Data Security Standard
WAKEFIELD, Mass., 9 December 2016 — Incorrectly identifying where and how payment data is at risk in an organization’s systems continues to lead to data breaches. Today, the PCI Security Standards Council (PCI SSC) published Guidance for PCI DSS Scoping and Network Segmentation to help businesses address this challenge.

PCI Data Security Standard (PCI DSS) Requirement 1.1 states that organizations need to maintain a cardholder data flow diagram to help identify which systems are in scope and need protection. Yet data breach investigation reports continue to find that companies suffering compromises were unaware that cardholder data was present on their compromised systems. This guidance provides a method to help organizations identify systems that, at a minimum, need to be included in scope for PCI DSS. It includes guidance on how segmentation can be used to help reduce the number of systems that require PCI DSS controls and illustrative examples of some common segmentation approaches.

“For years, we have preached the need to simplify and minimize the footprint of cardholder data,” said PCI SSC Chief Technology Officer Troy Leach. “One way to accomplish this is through good segmentation. It allows an organization to focus their attention on a limited number of assets and more readily address security issues as they arise. As a result, it should also reduce the level of effort to comply with PCI DSS.”

While segmentation is not a PCI DSS requirement, it is a strongly recommended practice. Segmentation of networks included in or connected to the cardholder data environment is important for organizations as it can limit the exposure of payment data in a system, simplify PCI DSS compliance efforts and reduce the chance of being targeted by a criminal. However, as improper segmentation can put cardholder data at risk, it’s critical that organizations understand and implement segmentation properly.

The guidance was developed with industry input and collaboration in order to address common questions from PCI SSC stakeholders on scoping and segmentation. Christian Janoff, PCI SSC Board of Advisor member and Security Solutions Architect for Cisco, works regularly with merchants using scoping and segmentation products and was a leading contributor to the guidance. “Knowing the scope of your cardholder data environment and properly segmenting to protect it has been a challenge for many organizations. By providing guidance, we hope this will help to simplify the process, making it easier to secure payment card data,” he said. “We at Cisco are proud to partner with the Council and industry peers to bring additional scoping and segmentation guidance to the industry.”

Guidance for PCI DSS Scoping and Network Segmentation is intended for organizations looking to understand scoping and segmentation principles when applying PCI DSS to their environments. It also provides a method for facilitating effective scoping discussions between entities and is useful for:

  • Merchants, acquirers, issuers, service providers (issuer processors, token service providers, and others) responsible for meeting PCI DSS requirements for their enterprises;
  • Assessors responsible for performing PCI DSS assessments;
  • Acquirers evaluating merchants’ or service providers’ PCI DSS compliance documentation;
  • PCI Forensic Investigators (PFI) responsible for determining PCI DSS scope as part of an investigation.

It is important to note each organization is responsible for making its own scoping decisions and that following this guidance does not guarantee that effective segmentation has been implemented, nor does it guarantee compliance with PCI DSS. The guidance is available on the PCI SSC website. Chief Technology Officer Troy Leach provides additional insights on the topic on the PCI Perspectives blog.

About the PCI Security Standards Council
The PCI Security Standards Council is a global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security.

Bluebird Auto Rental Systems Enters Business Partnership with CenPOS

Bluebird Auto Rental Systems announced that they have entered into a business partnership agreement with CenPOS, a Miami-based firm specializing in credit card platform solutions.

Founded by Jorge Fernandez in 2008, CenPOS is a “super gateway”, allowing Bluebird’s customers around the world to use any one of the various processors available in their region. It is EMV Certified and uses Bluebird’s latest credit card platform: tokenization.

“We are excited about our partnership with Bluebird. With our deep connection to the automotive market, working with a partner like Bluebird is a natural fit,” commented Joey Orozco, Director of Sales. “We look forward to bringing our mutual customers an EMV ready solution that is easy to use and ready to meet demands of the rapidly evolving payment space.”

Current and prospective customers of Bluebird will have the services of CenPOS made available to them. “Through this partnership with CenPOS, we can jointly offer our customers an alternative to how they process credit cards now. Some use a separate standalone machine, and some use other gateways and processors,” stated Angela Margolit, President of Bluebird. “Our goal is to give our customers a choice.”

About Bluebird Auto Rental Systems

Bluebird Auto Rental Systems is a leading provider of software for the vehicle rental and dealership service loaner industry since 1982. Bluebird’s Auto Rental Application, RentWorks, is used around the world to effectively manage the efficiency and profitability of any size vehicle rental operation.

About CenPOS

CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS’ secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.