Archive for the ‘ecommerce’ Category

PCI SECURITY STANDARDS COUNCIL RELEASES PCI DSS E-COMMERCE SECURITY GUIDELINES

Wednesday, February 20th, 2013

— PCI Special Interest Group offers guidance to merchants to help secure payments accepted over the Internet—

WAKEFIELD, Mass., January 31, 2013 — Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards, published the PCI DSS E-commerce Guidelines Information Supplement, a product of the E-commerce Security Special Interest Group (SIG). Businesses selling goods and services over the Internet can use this resource as a guide for choosing e-commerce technologies and third-party service providers that will help them secure customer payment data and support PCI DSS compliance efforts.
PCI Special Interest Groups (SIGs) are community-driven initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs.
In 2012, PCI Participating Organizations selected e-commerce security as a key area to address via the SIG process. More than 60 global organizations representing banks, merchants, security assessors and technology vendors collaborated to produce guidance that will help organizations better understand their responsibilities when it comes to PCI DSS; the risks they need to evaluate when considering ecommerce solutions; and how to determine their PCI DSS scope.
“Take SQL injections as an example. This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised,” said Bob Russo, general manager, PCI Security Standards Council. “This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.”
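The injection class cited above fits in a few lines. What follows is an added example, not code from the PCI SSC supplement or from any real shopping cart: a deliberately vulnerable product lookup that splices shopper input into the SQL text, beside the parameterised form that the “prudent coding practices” mentioned in the release amount to in practice. The catalogue table, its rows and the attacker payload are constructed for this illustration.

```python
"""Added example (not from the PCI SSC supplement or any real cart):
a SQL-injectable product lookup beside its parameterised fix.
The table, its rows and the payload are constructed for this illustration."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory catalogue: one public SKU and one hidden (visible = 0) row."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (sku TEXT, name TEXT, price_cents INTEGER, visible INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products VALUES (?, ?, ?, ?)",
        [("SKU-100", "Coffee beans 1kg", 1899, 1),
         ("SKU-200", "Internal test item", 1, 0)],   # must never be shown to shoppers
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, sku: str) -> list:
    """Deliberately vulnerable: the shopper-supplied SKU becomes part of the SQL text."""
    query = f"SELECT sku, name FROM products WHERE sku = '{sku}' AND visible = 1"
    return conn.execute(query).fetchall()


def lookup_hardened(conn: sqlite3.Connection, sku: str) -> list:
    """Parameterised: the value travels separately from the statement, so quotes
    or comment markers in the input cannot change the query's structure."""
    query = "SELECT sku, name FROM products WHERE sku = ? AND visible = 1"
    return conn.execute(query, (sku,)).fetchall()


# Constructed attacker input: closes the string literal, adds an always-true
# condition, and comments out the "visible = 1" filter that follows it.
PAYLOAD = "' OR 1=1 --"

if __name__ == "__main__":
    db = make_db()
    print("legit, vulnerable: ", lookup_vulnerable(db, "SKU-100"))   # 1 row
    print("legit, hardened:   ", lookup_hardened(db, "SKU-100"))     # 1 row
    print("attack, vulnerable:", lookup_vulnerable(db, PAYLOAD))     # both rows, hidden one included
    print("attack, hardened:  ", lookup_hardened(db, PAYLOAD))       # no rows
```

The vulnerable query becomes `SELECT sku, name FROM products WHERE sku = '' OR 1=1 --' AND visible = 1`, so the hidden row leaks and the `visible` filter is never evaluated; the parameterised query treats the whole payload as a SKU string and matches nothing. The same two shapes exist for every database driver, which is what a merchant is really asking about when requesting a provider’s injection controls.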
The PCI DSS E-commerce Guidelines Information Supplement provides an introduction to e-commerce security and guidance around the following primary areas and objectives:

  • E-commerce Overview – provides merchants and third parties with an explanation of typical e-commerce components and common implementations and outlines high-level PCI DSS scoping guidance to be considered for each.
  • Common Vulnerabilities in E-commerce Environments – educates merchants on vulnerabilities often found in web applications (such as e-commerce shopping carts) so they can emphasize security when developing or choosing e-commerce software and services.
  • Recommendations – provides merchants with best practices to secure their e-commerce environments, as well as a list of recommended industry and PCI SSC resources to leverage in e-commerce security efforts.

The document also includes two appendices to address specific PCI DSS requirements and implementation scenarios:

  • PCI DSS Guidance for E-commerce Environments – provides high-level e-commerce guidance that corresponds to the main categories of PCI DSS requirements; includes a chart to help organizations identify and document which PCI DSS responsibilities are those of the merchant and which are the responsibility of any e-commerce payment processor.
  • Merchant and Third-Party PCI DSS Responsibilities – for outsourced or “hybrid” e-commerce environments, includes a sample checklist that merchants can use to identify which party is responsible for compliance and to specify the details of the evidence of compliance.

The information supplement can be downloaded from the documents library on the PCI SSC website at https://www.pcisecuritystandards.org/security_standards/documents.php.
Merchants who use or are considering use of e-commerce technologies in their cardholder data environment, and any third-party service providers that provide e-commerce services, e-commerce products, or hosting/cloud services for merchants can benefit from this guidance. This document may also be of value for assessors reviewing e-commerce environments as part of a PCI DSS assessment.
As with all PCI Council information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.
“E-commerce continues to be a target for attacks on card data, especially with EMV technology helping drive so much of the face-to-face fraud down in Europe and other parts of the world,” said Jeremy King, European director, PCI Security Standards Council. “We are pleased with this guidance that will help merchants and others better understand how to secure this critical environment using the PCI Standards.”
Those interested in learning more about this guidance and how to use it are invited to join the PCI Council for a webinar on February 7 and 14, 2013. Visit the PCI SSC website for more information and to register: https://www.pcisecuritystandards.org/training/webinars.php.
About the PCI Security Standards Council
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has over 600 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org.
Connect with the PCI Council on LinkedIn: http://www.linkedin.com/company/pci-security-standards-council. Join the conversation on Twitter: http://twitter.com/#!/PCISSC

CenPOS ecommerce gateway emulators for authorize.net, Mercury, ICVerify, Payflow Pro

Monday, December 3rd, 2012

The PCI compliant CenPOS gateway can be used with virtually any shopping cart, including Magento, PrestaShop and others, without any special integration, by using emulators of many popular gateways. CenPOS is a multi-channel payment SaaS that works with merchants’ existing credit card processors and financial partners.

Payment gateways convert transaction data into the message formats payment processors accept. With the emulator, CenPOS takes the merchant’s existing gateway message and automatically translates it into the CenPOS format, which is then sent to the processor. When the transaction is complete, CenPOS converts the response back into the native gateway format. The emulator therefore lets a merchant change gateways without any integration work.

What are the benefits of the gateway emulators?

  • No integration required.
  • PCI Compliant

What payment gateway emulations are available?

  • Authorize.net
  • Payflow Pro
  • Mercury
  • IC Verify
  • contact us for others

How do I get started with the CenPOS emulator?

  • Ask your relationship manager for the emulator you’d like or contact us for a new account.
  • In your shopping cart administration, go to SETTINGS>PAYMENT>PAYMENT GATEWAY. The gateway name will remain the same. The API or account ID, Password or transaction key, and return URL will be replaced with CenPOS information provided to you. If your shopping cart does not let you provide a return URL, the emulator cannot be used.

Why would I want to change my gateway to CenPOS?

  • Multi-channel availability with one reporting system for all.
  • Extended capabilities. For example, securely storing payment data (check/credit card) with automated reminders to customers to update credit cards; accepting mobile payments; electronic bill presentment and payment.
  • CenPOS solves many business problems, particularly for mid-size or business-to-business companies and the automotive, non-profit and health-care industries. Call for a consultation.
  • If you have a small business that sells items to consumers for immediate delivery, online shopping is the only channel you sell through, and your current system works for you, there may be no compelling reason to change. Free Magento and PrestaShop community editions are not PCI compliant on their own; we offer a free version with native CenPOS integration. CenPOS does not provide shopping cart hosting, consulting, or support other than as it relates to payments.

 

Paypal Virtual Terminal fees increasing April 2012 buried in Paypal here announcement

Friday, March 16th, 2012

For PayPal Virtual Terminal and PayPal Payments Pro users it may be time to change vendors. According to PayPal, key-entered fees will increase to 3.5% on April 15. E-commerce fees stay the same. The 2.7% rate applies only to swiped transactions.

I stand by my earlier comments here: http://tinyurl.com/6np9tac. ACH, check, credit all good. So here are some of the negatives regarding the PayPal Here release for non-SOHO.
1. Fees. Anyone with sizable volume (let’s just use $1M annually for a convenient dollar amount) has an effective rate far less than 2.7% all in, even for card NOT present, and we’re talking about retail swipe with this.
2. It’s not actually ready yet. Get on the list.
3. Funding: PayPal transfer to your bank account is currently an inconvenient manual process that takes 3 business days, plus fees are netted per transaction; up to 6 days for checks. Compare to a standard merchant account with 1-2 day automatic ACH deposit and fees paid monthly.

No information yet on how this will impact non-profits.

For businesses over $1M in annual processing, contact us for alternative solutions.

Chirpify launches Twitter Commerce payment platform

Saturday, February 18th, 2012

Formerly known as Sell Simply, Chirpify Introduces Transactional Tweets for Brand Commerce, Direct Payments and Donations


PORTLAND, Oregon — February 15, 2012 — Chirpify, the easy way to exchange money via Twitter, today announced the launch of its Twitter Commerce platform, allowing brands and merchants to buy, sell, donate and transact on Twitter. Formerly known as Sell Simply, Chirpify enables direct, or person-to-person, payments and donations in addition to its retail sales platform.

For the first time ever, brands and retailers are able to use Twitter as a direct sales channel. By offering organizations a simple way to turn Tweets into transactions, Chirpify opens up a meaningful new channel that combines social marketing with commerce and offers an easy way for consumers to make purchases.

“Brands, retailers, politicians, celebrities and individuals have spent the past six years using Twitter to build communities and brand affinity, so why not allow them to sell on Twitter directly?” says Chris Teso, founder of Chirpify. “Customers don’t have to leave Twitter to make a purchase or donation. Chirpify removes the frictions of traditional e-commerce check-out processes.”

How it works:
Chirpify integrates directly with PayPal to offer secure transactions on Twitter. Purchases and donations are as simple as replying to a Tweet: “@favoritebrand Buy,” or “@politician Donate,” for example.

Additionally, Chirpify offers deep integration with existing e-commerce storefronts, including Magento, for back-end fulfillment, listing and transaction management. To use Chirpify, merchants simply click the “list on Twitter” button when drafting an item listing for sale in their e-commerce dashboard. Inbound sales information appears as either an email or as part of the retailer’s back-end system, as well as via a DM on Twitter.

Because it works anywhere Twitter does, Chirpify is device agnostic, allowing any user on any mobile device, tablet or desktop computer to access Chirpify for seamless transactions.

“We identified Chirpify as solving a huge problem in the market: how to monetize social-media efforts,” says Greg Rau, founder and CEO at Upstart Labs. “Chris built an effective and elegant platform to deliver actual ROI based on revenue. Chirpify offers individuals, companies, organizations—anyone—the ability to monetize their Tweets.”

Chirpify received seed funding from Portland-based incubator Upstart Labs, which invests in early-stage companies with a combination of capital and product-development support. Chirpify is one of the first ventures to receive seed funding from Upstart Labs, which launched its program last year.

About Chirpify
Chirpify (www.chirpify.com) is a seamless payment system for Twitter commerce. With full integration to PayPal, Chirpify enables businesses to buy, sell, donate and exchange funds on Twitter, turning Tweets into immediate transactions. Based in Portland, Oregon, the Chirpify platform is the first social commerce system to offer direct monetization through Twitter. To learn more about Chirpify and begin sending or receiving payments today, visit www.chirpify.com.

About Upstart Labs
Portland, OR-based startup accelerator Upstart Labs (www.upstartlabs.com) invests in early-stage technology companies with a combination of capital and product-development support. Upstart Labs focuses on developing new businesses, and providing emerging companies with support in design, development and go-to-market strategy.

###

 

Best fundraising payment solution for political campaigns

Monday, October 31st, 2011

Accept payments via mobile, internet, and at fundraising events all with a single gateway solution that provides optimum security and cost containment. Fundraising solutions for any candidate must include a variety of payment methods, cost controls, reporting tools, and be simple to implement. This article explores how our solution achieves this.

Just like a business, accepting funds via credit card can be expensive when running for Congress, Senate, President or other offices. However, thanks to the debit legislation under the Durbin Amendment that went into effect in October 2011, it’s not nearly as much as it used to be. With a wholesale cost of 0.05% plus $0.21 per transaction for non-exempt debit cards, the overall cost of card processing has been greatly reduced. With a wholesale merchant account, you’ll pay interchange fees at all levels plus a small merchant discount.

Understanding merchant accounts.

  1. You can apply for an ecommerce merchant account, a MOTO (mail order/phone order) account, or a Retail (card present/swipe) account. It’s against card association rules to process ecommerce transactions on a MOTO or Retail merchant account. But if you have an ecommerce merchant account, you’ll pay the higher card-not-present rates on swiped transactions. The solution? Our CenPOS gateway automatically identifies the transaction method and sends the appropriate data so that the transaction qualifies for retail. The CenPOS patent-pending switching technology is not available from other vendors and saves big money. For example, save 0.3% on Visa Rewards cards, the difference between retail and card-not-present interchange (Visa interchange chart, October 2011).
  2. Fees are made up of fixed, non-negotiable interchange fees, network fees, card association fees, fees that vary by vendor (some hard costs vendors incur may vary), and negotiable merchant discount fees. Dividing your total fees by your net transaction volume gives what we call your effective rate. With a wholesale merchant account, an estimated effective rate for political fundraising campaigns is 2.2%, or 3.5% for very small campaigns. If you’re not paying anywhere near that, contact us for alternatives.
  3. Different payment acceptance points can result in disparate reporting, which is never a problem until you’re trying to research something, and then it becomes a nightmare.
  4. A gateway is required to accept payments online. You need both a merchant account and a gateway. CenPOS is a universal gateway, compatible with all major processors.

Campaign Fundraising Concerns and how we solve them with the CenPOS gateway:

  • Need to accept payments via many methods: At the core of CenPOS is a Virtual Terminal for card swipe, online payments, mobile payments and any other method. CenPOS automatically switches payment routing for least cost.
  • Need to accept multiple payment types: Check and credit/debit cards are currently accepted, and more options will be available in 2012.
  • Large volunteer base may assist in payment collection. This creates potential liability for data security, but also a need for a simple solution. Have you ever handed out donation cards at a fundraising event that request credit card information to be written down? Identity theft is a major threat. Instead, use smart phones with the free CenPOS app and get cards swiped at the table or door, or add a card reader to any laptop. Micromanage user permissions and shut them down on demand. CenPOS prompts both the user and the donor for the appropriate actions. “Dummy proof” your payment collection to reduce costs and improve record keeping.
  • Donor Management: An API (application programming interface) is available to exchange data with your donor management software. CenPOS supports recurring billing and can send the appropriate secure token to your software as well. CenPOS retains 7 years of transaction data versus the typical 18 months at merchant services providers and gateways.
  • Finance scrutiny and fraud protection: CenPOS mitigates the risk of fraudulent cards and also offers advanced protection to block certain payment types, including anonymous and foreign-issued cards. You control how tightly donations are screened.


 

 

CenPOS integration for Ecommerce Templates

Monday, October 31st, 2011

“My client is currently using CenPos as their virtual terminal and I honestly have not heard of them before. I am wondering if this can be integrated with the Ecommerce Template without too much trouble.”


The CenPOS API can be integrated with Ecommerce Templates and many other shopping carts.  There are multiple implementation options so the amount of time depends on your specific needs and your skill level. We can provide a payment object that you can apply in 10 minutes. Or you can use our API. Integration can be done in 1-8 hours in most cases, usually less than 4.

The current API can only be obtained from authorized personnel.  Do not attempt to use any file from any other source as there is no guarantee of file reliability, accuracy, or security.

Why haven’t you heard of CenPOS? Quite simply, we’ve been quietly building market-share without any promotion as part of our marketing strategy. CenPOS users now include:

  • 5 of the top 30 Auto Dealers in the US (2010 Wards)
  • 1 of the top 10 cellular providers
  • Clients at 5 of the top 5 US Acquirers

CenPOS has been built from the ground up to be multi-platform and processor agnostic. There has been nothing on this level in the marketplace before for the mid-size business, our core target market.

Key differentiators from the other well known gateways, including authorize.net, Payflow Pro and Orbital:

  • Interchange optimization automatically optimizes for lowest cost to process any credit card type. This is crucial and entirely unique.
  • Payment acceptance flexibility: Payments accepted via retail, ecommerce, MOTO, mobile, web page, EBPP, batch and just about any way you can imagine.
  • Mitigates risk of internal and external fraud with built-in micro management tools and alerts.

So that we can focus on our core business of continually developing the world’s most advanced payment processing gateway, we’re actively seeking developers and VARs to create integrations. With our exploding growth, your experience as a CenPOS integrator will help you attract new customers.

Please contact us for the current API, integration questions, or more information. Please note, we offer both a referral program and a reseller program.

 

Ecommerce Receipt Requirements per 2011 Visa Chargeback Guidelines

Tuesday, October 18th, 2011

Ecommerce receipts must include the authorization code and the transaction type (purchase or credit) to protect merchants from chargebacks resulting from customer disputes, per the 2011 chargeback management guidelines for Visa merchants.

transaction receipt requirements for card absent transactions

Please see page 23 in the 2011 chargeback-management-guidelines-for-visa-merchants PDF


When a merchant cannot produce a receipt per the guidelines, the consumer will normally automatically win any dispute*, resulting in a chargeback to the merchant. This presents significant risk to ecommerce store owners. 

 

Receipt requirements differ from those for card-present transactions; hence the requirement to state the URL where the transaction occurred. If a merchant submits an ecommerce transaction on a merchant account without the ECI indicator (i.e. a retail or MOTO account), that is another way merchants can automatically lose disputes.

Search “ECI” in the PDF for related ecommerce items. Customers cannot reverse transactions themselves; they can only dispute them, and the issuing bank can reverse the charge pending investigation.

Because the authorization code is generated at transaction time, printing it on the receipt is a function of the shopping cart application and gateway.

* Although the Visa document contains “guidelines”, merchants report that in their experience it’s hard to win any dispute that does not meet all of them.

MasterCard Processing Integrity fee update

Monday, October 17th, 2011

Effective November 1st, 2011, the MasterCard Processing Integrity fee will increase by $0.01 to $0.055. Unless your merchant account is on a special bundled-pricing plan, you will see this on your November 2011 merchant statement, delivered in early December.

WHAT IS THE FEE FOR? This fee is applied to authorized transactions that are not followed by a matching MasterCard cleared (settled) transaction (or, in the case of a canceled transaction, not properly reversed). The fee can be avoided by clearing (settling) your transactions. If an authorization is not needed, it must be electronically reversed within 24 hours for face-to-face authorizations and within 72 hours for card-absent authorizations.

WHO PAYS IT? All merchants pay the fee if triggered by the fee rule.

HOW WILL I KNOW IF I RECEIVE THE CHARGE? All merchants on “interchange pass through” or “interchange plus” pricing will see these charges listed as a separate line item, when the fee applies. If you are not on this type of pricing, then it’s up to the processor how your fees are bundled, though in most cases, I think merchants will see this fee regardless of the type of pricing.

HOW CAN I CANCEL OR REVERSE AN AUTHORIZATION AND AVOID THE FEE? This varies by many factors, including how you are processing.

  • Yahoo stores now have a Reverse Authorization button on the Order Details page.
  • Authorize.net has issued an API. Shopping cart engines are integrating the API, but it is not yet widespread.
  • Check with your processor or POS software provider.

Can you give me an example of when this fee would be applied? An ecommerce store receives an order for an item. The item is backordered and will be back in stock in 3 weeks. The merchant does not want to cancel the order and does nothing. The authorization will be automatically dropped because it exceeds the 7 calendar day maximum. The merchant will also incur the MasterCard Processing Integrity fee.

The fee does NOT apply to:

MCCs 3351-3441 (Car Rental Agencies)
MCCs 3501-3999 (Lodging-Hotels, Motels, Resorts)
MCC 4411 (Cruise Lines)
MCC 7011 (Lodging-Hotels, Motels, Resorts –not elsewhere classified)
MCC 7512 (Car Rental Agencies – not elsewhere classified)
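As an added example (not CenPOS, MasterCard or any processor’s code), here is a small ledger check that applies the rules this post states: an authorization with no matching settlement that is not reversed within 24 hours (face-to-face) or 72 hours (card-absent) is flagged at $0.055 each, and the exempt MCC ranges listed above are skipped. The authorization records, timestamps, field names and the “pending” status for a window that has not yet closed are constructed for this illustration; the backordered-item case from the post appears as record A2.

```python
"""Added example: flag authorizations that would trigger the MasterCard
Processing Integrity fee as this post describes it. Ledger rows, timestamps
and field names are constructed for the illustration; the reversal windows,
exempt MCCs and $0.055 amount are the ones stated in the post."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal
from typing import List, Optional, Tuple

FEE_PER_HIT = Decimal("0.055")
# Reversal deadline after authorization, by acceptance channel (from the post).
REVERSAL_WINDOW = {
    "face_to_face": timedelta(hours=24),
    "card_absent": timedelta(hours=72),
}
# Merchant category codes the fee does not apply to (from the post).
EXEMPT_MCC_RANGES = [(3351, 3441), (3501, 3999), (4411, 4411), (7011, 7011), (7512, 7512)]


def mcc_exempt(mcc: int) -> bool:
    return any(lo <= mcc <= hi for lo, hi in EXEMPT_MCC_RANGES)


@dataclass
class Authorization:
    auth_id: str
    authorized_at: datetime
    channel: str                        # "face_to_face" or "card_absent"
    mcc: int
    settled: bool = False               # a matching cleared transaction exists
    reversed_at: Optional[datetime] = None


def fee_status(auth: Authorization, now: datetime) -> str:
    """Return 'clear' (no fee), 'pending' (window still open) or 'fee'."""
    if auth.settled or mcc_exempt(auth.mcc):
        return "clear"
    deadline = auth.authorized_at + REVERSAL_WINDOW[auth.channel]
    if auth.reversed_at is not None:
        # Reversed, but only a reversal inside the window avoids the fee.
        return "clear" if auth.reversed_at <= deadline else "fee"
    # Neither settled nor reversed: no fee until the window has actually closed.
    return "pending" if now <= deadline else "fee"


def fee_report(auths: List[Authorization], now: datetime) -> Tuple[List[str], Decimal]:
    """IDs of authorizations that incur the fee, and the total fee exposure."""
    hits = [a.auth_id for a in auths if fee_status(a, now) == "fee"]
    return hits, FEE_PER_HIT * len(hits)


NOW = datetime(2011, 11, 15, 12, 0)   # constructed "current time" for the run


def sample_ledger() -> List[Authorization]:
    """Constructed records (MCC 5999 = misc. retail); A2 is the backordered-item case."""
    return [
        Authorization("A1", datetime(2011, 11, 1, 9, 0), "card_absent", 5999, settled=True),
        Authorization("A2", datetime(2011, 11, 1, 9, 0), "card_absent", 5999),
        Authorization("A3", datetime(2011, 11, 14, 10, 0), "face_to_face", 5999,
                      reversed_at=datetime(2011, 11, 14, 15, 0)),   # reversed inside 24h
        Authorization("A4", datetime(2011, 11, 10, 10, 0), "face_to_face", 5999,
                      reversed_at=datetime(2011, 11, 13, 10, 0)),   # reversed too late
        Authorization("A5", datetime(2011, 11, 1, 9, 0), "card_absent", 7011),   # exempt MCC
        Authorization("A6", datetime(2011, 11, 14, 9, 0), "card_absent", 5999),  # 72h still open
    ]


if __name__ == "__main__":
    ledger = sample_ledger()
    for a in ledger:
        print(a.auth_id, fee_status(a, NOW))
    hits, total = fee_report(ledger, NOW)
    print("fee-bearing:", hits, "total: $%s" % total)
```

Run against the constructed ledger, A2 (never settled or reversed) and A4 (reversed after its 24-hour window) are flagged, for $0.110 in total; A6 is reported as pending rather than charged because its 72-hour window has not closed at the chosen “now”. A real check would read the authorization and settlement feeds from the processor instead of the inline records, but the decision logic is the part the post is about.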

NOTE: The penalty for failure to reverse an authorization is $0.055, but the merchant’s own per-transaction fee is likely even higher. Unfortunately merchants will be hit with two fees in order to reverse an authorization for the benefit of the customer. Here’s a better idea to improve consumer satisfaction: why not require card-issuing banks to fund consumer accounts faster when merchants issue refunds? The money comes out of the merchant account per the merchant terms, usually upon settlement, but the consumer usually doesn’t see their money for 3-5 days, sometimes longer.