ERP and Payments: PCI Compliance Nightmare

A PCI Compliant ERP solution doesn’t make a merchant PCI Compliant. The features of the payment integration drive customer decisions to use or not use an ERP payment module. When payment vendor choices are restricted artificially by using technology to control merchant services options, merchants often enter ERP relationships with a level of dissatisfaction right from the start.

Severely restricted payment gateway options, especially for business to business, result in either the merchant using an alternative non-integrated payment solution, thus sacrificing efficiency, or using the integrated solution and failing to meet PCI 3.0 requirements or other payment needs. How can I make this statement? B2B companies that accept credit cards typically have a portion of their sales via the telephone. To mitigate the risk of fraud, they use paper credit card authorization forms. However, the forms are inherently risky in many ways.

  • Sensitive authentication data, which includes the security code (CVV/CID), can never be stored.
  • Forms often offer the option to send via email. Unprotected data cannot be sent via messaging technologies such as e-mail, instant messaging, chat, etc. (PCI section 4.2). Even if the form doesn’t offer it, customers sometimes ignore instructions and send via email.

In the absence of a best practice, employees will revert to whatever is necessary to get their job done and reduce the risk of looking bad (fraud losses). If the ERP payment module doesn’t help merchants eliminate credit card authorization forms, the entire operation may be at risk of a potential data breach.
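The two bullet points above describe what an inbound message must never be allowed to carry into storage: a full card number (PAN) or a security code. The following is an added example, not code from the original post or from any vendor named here, of a defender-side check that scans a received message before it is filed, counts Luhn-valid card numbers, detects a labelled security code, and returns a redacted copy that keeps only the last four digits and drops the code entirely. The sample email is constructed; the regular expressions and function names are assumptions for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Security code written next to a label such as "CVV: 123".
CVV_RE = re.compile(r"\b(?:cvv|cvc|cid|security code)\b\s*[:#]?\s*(\d{3,4})\b",
                    re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """Mod-10 check used by card networks; filters out phone numbers etc."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def _mask_pan(m: re.Match) -> str:
    digits = re.sub(r"[ -]", "", m.group(0))
    if not luhn_ok(digits):
        return m.group(0)                              # not a card number, leave untouched
    return "*" * (len(digits) - 4) + digits[-4:]      # truncated PAN may be kept

def scan_message(text: str) -> dict:
    """Flag and redact cardholder data in a message before it is stored."""
    pans = [re.sub(r"[ -]", "", m.group(0)) for m in PAN_RE.finditer(text)]
    pans = [p for p in pans if luhn_ok(p)]
    sad_found = CVV_RE.search(text) is not None       # sensitive authentication data
    redacted = PAN_RE.sub(_mask_pan, text)
    # The security code may never be stored in any form: remove it completely.
    redacted = CVV_RE.sub(lambda m: m.group(0).replace(m.group(1), "[removed]"),
                          redacted)
    return {"pan_count": len(pans), "sad_found": sad_found, "redacted": redacted}

# Constructed sample: a customer ignoring instructions and emailing card details.
# 4111 1111 1111 1111 is a well-known Luhn-valid test number, not a live card.
SAMPLE_EMAIL = ("Please charge invoice 4471 to my card 4111 1111 1111 1111, "
                "exp 12/26, CVV: 123. Thanks!")

if __name__ == "__main__":
    print(scan_message(SAMPLE_EMAIL))
```

A message that trips either check should be quarantined and the sender asked to use the payment link instead; the redacted copy is what the ticket or CRM record may retain.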

For retail, data breaches have become commonplace. Few ERP Point of Sale (POS) solutions are using Point to Point (P2P) encryption and other best practices to reduce data breach risk. They raced to bring mobile to market, and many now have neither EMV chip terminals nor P2P, both of which increase financial risk to merchants.

Why does an ERP restrict options for merchant services? Because it’s part of their revenue stream. When competition is eliminated, there’s almost no chance of having the best solution in the marketplace. The proof is a long string of failures to meet business needs: failure to offer electronic bill presentment and payment, which would increase cash flow and efficiency; failure to offer a US EMV chip card acceptance solution prior to the liability shift; failure to offer level 3 processing for all sales channels. These failures reduce cash flow, profits, and security as companies attempt to work within the ERP limitations, or find ways to work around them.

The argument that it’s to protect merchants from data breaches is only partially true. For any modern payment gateway integration, the payment activity is usually outside the ERP to reduce PCI scope. That won’t change from one gateway to another, so the risk doesn’t change, provided the third party gateway is level 1 PCI Compliant.

Examples of ERPs that restrict payment gateway and merchant services choices are Netsuite and Sage. Additionally, consultants are often compensated for payment gateway recommendations. Consulting with an independent payment specialist, like blog author Christine Speedy, can expose the pros and cons of different options.

ERPs holding onto merchant services and gateway revenue streams are short sighted, as these business practices anger customers. Can you imagine if an ERP wouldn’t communicate with any other software, for example, Magento? ERPs focused on delivering the best business software for all facets of a business, and on enabling the merchant to follow best practices for PCI Compliance, must give users the flexibility needed to run their business with their own financial partners.

If an ERP relies so much on their revenue stream from merchant services revenue share that they won’t let you choose your own financial partners, I’d think seriously about whether it’s the best ERP for your business.

Dynamics AX Retail EMV certified terminals

What EMV chip card terminals can be used with Microsoft Dynamics AX Retail POS? We support the Verifone MX 915 and Ingenico ISC250 multilane terminals and the Ingenico iCMP mobile terminal, and have a variety of certifications so that you can process EMV chip transactions today with all the major US processors, including First Data, Chase Paymentech, TSYS, Vantiv, Moneris and others.

Verifone MX915 EMV chip card accepting terminal.

Microsoft Dynamics AX EMV for Retail key purchasing questions related to EMV certifications:

  • Does the POS solution support EMV chip with PIN debit?
  • Does the POS solution support EMV chip with PIN credit?
  • Can customers bypass the chip and just use mag swipe?
  • Can customers bypass entering a PIN?
  • Does the EMV certification include partial authorization? If not, what happens when the account doesn’t have enough for the transaction?
  • Are terminals injected with P2P encryption?
  • Do you have mobile EMV with chip and PIN?
  • If business to business, does the EMV certification include level 3 processing?

Are all of the above working right now in a live environment, or are there still bugs to be worked out? If any answers are no, merchants need to understand the impact before choosing a solution.

  • How will the gateway help with my other sales channels?
  • How will the solution reduce the PCI Compliance burden?

“My clients have been processing EMV chip transactions with multilane terminals successfully since January 2015. It’s dizzying even for me to keep up with which terminals are certified for which solutions. Since that information changes constantly, it’s best to call for a consultation to assess short and long term needs to achieve the best outcome while minimizing business disruption,” Christine Speedy.

Is it integrated to Retail Hero? No, that’s a separate integration that Retail Realm would need to do since the product is exclusive to them.

How much do terminals cost? It depends on the terminal. They’re reasonably priced. Please be aware, merchants must acquire terminals only through us or our approved distributor to ensure the security and reliability of the EMV and payment ecosystem. You cannot bring your own device.

How much does it cost? The Dynamics AX ERP and POS payment module is included free with purchase of our payment gateway services, which are very reasonably priced.

Where can I buy the Dynamics AX POS EMV payments module? Contact us.

Can I use with my merchant account? Yes.


Volusion for B2B? No way!

Volusion for B2B ecommerce shopping cart is unacceptable. B2B companies are going omnichannel, yet Volusion lacks critical tools distribution companies need to maximize profits, security, and efficiency.

  1. Payment gateways and level III data – Wholesalers pay an average 30% premium in merchant fees because NO Volusion payment gateways help businesses properly qualify for level 3 interchange rates across ALL sales channels, from ecommerce to retail. They have continually ignored requests to support it, instead adding dozens and dozens of ‘me too’ gateways that are pretty much all alike.
  2. Retail – B2B retailers need US EMV options that support their needs, whether it’s signature capture terminals like the Verifone MX915, or mobile terminals. None of their gateways has ever supported level 3 processing for retail, and is there even a US EMV terminal with P2P encryption certified for any processor today that works with Volusion?
  3. Omnichannel flexibility and PCI Compliance – How many business to business companies have a sales force taking phone orders? What is Volusion doing to help secure that transaction and help prevent fraud? Not nearly enough.

Over the decade that I owned a Volusion B2B ecommerce store, I recommended them over and over again. So much so that their product development reached out to me to ask if there was anything I needed. It’s been seven years and the one thing I wanted, a modern payment gateway that meets business to business needs, they still haven’t done, even though the work is minimal. Why not? Well, I’m tired of waiting, and if someone finds my positive reviews online, I want everyone to know there are many compelling reasons why I do not recommend Volusion for B2B ecommerce.

Microsoft Dynamics AX EMV terminals certified today

EMV chip certified solutions are now available for Microsoft Dynamics AX. As they’re still fairly new, it’s important to ask questions about functionality. EMV chip card acceptance certification is complicated, which is why many companies did not complete their certifications by the October 2015 liability shift.

Dynamics AX EMV for Retail tips to compare solutions:

  • How is PIN debit managed? Is EMV chip and PIN supported? Can customers bypass entering a PIN? This is important because whoever supports the highest level of security determines liability for fraud.
  • Is level III data supported? This is important if the customer base includes business to business. For example, building materials distributors have retail and wholesale customers, and qualifying transactions for level 3 interchange rates can significantly improve profits.
  • What are the acquirer options? Can you choose your own, or are you required to use a specific processor?
  • Is P2P supported? Point to point encryption is an extra layer of security to prevent data breaches from malware and other criminal activities.
  • What is the audit trail? Identifying who did what and when is a part of PCI Compliance.
  • Can user functions be limited by job role, as required for PCI Compliance?
  • If omnichannel, how will the solution help with all sales channel needs?

Verifone MX915 multilane signature capture terminal

Ingenico iCMP mobile EMV terminal

Christine Speedy, 3D Merchant Services owner, can help guide you through the complexity of choosing the best solution for your business. Which terminal is certified with which processor? From mobile to multilane, Christine’s knowledge and experience will help you implement faster, and take the pain out of consulting with multiple vendors that come up short on solutions.

EBill payments via text or email improve PCI Compliance video

Ebill and einvoice systems only send invoices, whereas Electronic Bill Presentment and Payment (EBPP) gets you paid from that request via text or email. This critical difference has a major impact on security and PCI Compliance. This video demo is for a standalone solution to accept online payments, including credit card, ACH and wire. Integrated solutions for Quickbooks, ERP, or other systems are also available.

The CenPOS EBPP Lite demo video shows the simplicity of sending an einvoice with a request for payment via email to an existing customer who has previously made a purchase and stored their credit card. Customers can self-update their payment methods and store multiple methods. Ask for any feature, and yes, we probably support it.

A layered approach to card not present fraud protection is critical with increasing financial industry changes. In addition to the traditional address and CVV verification, cardholder authentication, IP blocking and other tools can be used to guarantee payment against fraud globally (some restrictions apply).

Eliminate credit card authorization forms with sensitive cardholder data. No one likes them; they’re time wasters for both parties, cards expire, etc. At best, they offer flimsy protection against fraud. Worse, they’re a PCI Compliance nightmare. In the event of a data breach, it’s likely impossible to prove compliance if you use them. Regardless of how secure and loyal you think your employees are, stuff happens, and when identity theft related to credit cards occurs, your business has a 50% chance of survival.

Contact Christine Speedy, 954-942-0483, 3D Merchant Services, 9-5 ET. Your merchant account, our cloud hosted payment gateway solutions.