Compliance with credit card processing rules maximizes profits while mitigating risk. This is especially true for business to business companies. But it’s getting harder and harder with the onslaught of new rules, and virtually impossible if not using a sophisticated cloud solution to help manage compliance.
If your B2B company stores credit cards, there’s a pretty good chance you’re not compliant. For example, Visa’s 2017 Stored Credential Transaction framework outlines merchant responsibilities for obtaining customer consent as well as for storing credit cards, using stored credentials (tokens), and managing stored tokens. Failure to comply with authorization rules, for example when the preauthorization and final settlement do not match, has far-reaching consequences including higher interchange rates (the bulk of credit card processing fees), penalty fees and new chargeback risks. With so many new rules across multiple card brands that vary based on business and transaction type, how can a business quickly ascertain if they’re compliant?
Most processing details occur seamlessly behind the scenes so merchants have not had a simple way of knowing whether they’re compliant. Until now.
Quick tips to validate compliance:
Is a transaction receipt delivered to the customer when a stored credit card credential (token) is created? Compliant answer is yes.
Is cardholder authentication with a zero dollar authorization or a purchase transaction performed at the time the token is created? (A small charge is not an acceptable practice.) Compliant answer is yes.
Does the receipt include “RECURRING” or “REPEAT SALE” for token transactions? Compliant answer is yes.
Review merchant statements, usually the last 1-2 pages with the heading “pending interchange” or “fees” section. Do you see EIRF, STANDARD (STD), or DATA RATE I? Compliant answer is no.
Can you produce documentation of customer consent to store their card (including with 3rd party service) and how it will be used?
If you’re not in compliance, your payment gateway is the most likely culprit, followed by an ERP or other software integration limitation. For Microsoft Dynamics AX, Dynamics 365, and other ERP integrated solutions, call 954-942-0483 9-5 ET.
Christine Speedy, CenPOS Sales 954-942-0483. CenPOS is a cloud business solutions provider with end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement.
From the Visa Merchant Business News Digest, October 17, 2017.
In the 1 September 2016 edition of the Visa Business News, Visa introduced new rules related to credential-on-file transactions, including merchant disclosure requirements and transaction identifier requirements, which went into effect for merchants and acquirers on 14 October 2017.
However, based on stakeholder feedback, and after assessing market readiness and taking into account the holiday season system freeze, Visa will extend the time to make the necessary system changes until 30 April 2018.
While the rule is still effective as of 14 October 2017, Visa will not take any compliance action or assess non-compliance assessments to non-compliant entities prior to 30 April 2018. Entities that comply with the rule by 30 April 2018 will not be required to submit a waiver request to Visa.
The stored credential framework applies to all merchants that store credit cards. Note, while some stakeholders were not ready as per the above statements, CenPOS was. CenPOS replaces other payment gateways, for example authorize.net, as well as solutions such as BillTrust, while enabling customers to keep their acquirers and other partners.
Christine Speedy, CenPOS authorized reseller, 954-942-0483. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.
To keep your data safe, the Payment Card Industry Security Standards Council (PCI SSC) has mandated a security upgrade impacting all merchants where web browsers can be used in the payment process. Acquirers and payment gateways have set various deadlines in advance of the required PCI TLS v1.2 Security Protocol Upgrade by 2018. Either hardware may need to be replaced or software updated.
Recently, multiple vulnerabilities have been uncovered. Criminals are exploiting these vulnerabilities at massively higher levels than in prior years. Security company Zscaler blocked an average of 8.4 million SSL/TLS-based malicious activities per day in the first half of 2017 for its customers on its Zscaler cloud platform. That’s why all merchants need to upgrade to the most current version of TLS (Version 1.2) and should do so as soon as possible. Because this is an absolute necessity, merchants are getting emails about hard stop dates; if not fixed, merchants will not be able to process transactions after the deadline.
TLS Deadlines vary by acquirer and payment gateway. Dates have been changing due to non-compliance so check with your partners.
First Data varies by solution. Datawire will remove SSL v3, TLS v1.0, and TLS v1.1 on February 15th 2018.
TLS 1.0 and TLS 1.1 need to be disabled from browsers, servers and related applications. SSL 3.0 should have been disabled years ago.
Do not rely on server host companies or consultants to do this for you. It’s up to merchants to maintain PCI Compliance. If you get a notice of non-compliance from your acquirer and use a virtual terminal, test your browser below.
FREE Test SSL/TLS for Browser and Servers and updating TLS for card not present transactions:
Try updating your browser and then run the test again. If the browser is current, go to your web browser settings or preferences and disable SSL and TLS 1.0. Run the same test on your web site. If you get a yes, go to your host administration and disable them in the security settings.
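A server-side version of the check described above, as an added example that is not part of the original post or of any vendor's tooling: it attempts one handshake per protocol version against your own server and reports whether TLS 1.0 or 1.1 is still accepted and whether TLS 1.2 works. The function names and the three-state result are assumptions of this example; SSL 3.0 is left out because many current OpenSSL builds cannot speak it at all.

```python
import socket
import ssl
import sys
import warnings

# TLS 1.0 and 1.1 must be refused by the server; TLS 1.2 must be accepted.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}
LEGACY = ("TLSv1.0", "TLSv1.1")


def offers_protocol(host, port, version, timeout=5.0):
    """True: a handshake pinned to `version` completed. False: it did not.
    None: this client's TLS library cannot be configured for that version."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False       # only protocol support is probed,
        ctx.verify_mode = ssl.CERT_NONE  # the certificate is not validated
        # OpenSSL 3 refuses TLS 1.0/1.1 above security level 0.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with warnings.catch_warnings():
            warnings.simplefilter("ignore", DeprecationWarning)
            ctx.minimum_version = version
            ctx.maximum_version = version
    except (ValueError, ssl.SSLError):
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # covers ssl.SSLError, refused connections and timeouts
        return False


def audit(host, port=443, probe=offers_protocol):
    """Return (per-version results, list of findings) for one server."""
    results = {name: probe(host, port, ver) for name, ver in VERSIONS.items()}
    findings = []
    for name in LEGACY:
        if results[name] is True:
            findings.append(f"{name} is still accepted: disable it on the server")
        elif results[name] is None:
            findings.append(f"{name} could not be tested from this client")
    if results["TLSv1.2"] is not True:
        # Also catches an unreachable host, where every probe returns False.
        findings.append("TLSv1.2 was not accepted: legacy results are not conclusive")
    return results, findings


if __name__ == "__main__" and len(sys.argv) > 1:
    for line in audit(sys.argv[1])[1] or ["TLS 1.0/1.1 refused, TLS 1.2 accepted"]:
        print(line)
```

A refusal seen from a client whose operating system policy blocks old protocols is not proof on its own, so confirm a clean result from a second machine or tool.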
What is TLS Security Protocol?
Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are both frequently referred to as “SSL”. When you go to a web page and the URL is “https”, the S stands for secure, and the domain host has a security certificate installed and enabled on the web host. Websites use TLS to secure all communications between their servers and web browsers, for example when a merchant logs into a virtual terminal using a web browser, or when a customer makes a payment online via a hosted pay page or ecommerce shopping cart.
Biometrics and other authentication technologies help the payment industry create seamless and secure commerce experiences
SAN FRANCISCO–(BUSINESS WIRE)–Oct. 19, 2017– Visa (NYSE:V) today announced Visa ID Intelligence, a platform that allows issuers, acquirers and merchants to quickly adopt emerging authentication technologies and create more secure and convenient ways for consumers to shop, pay and bank on their connected devices. Available through Visa Developer Platform, Visa ID Intelligence offers a curated selection of leading third-party authentication technologies with simple integration using Visa APIs and SDKs—allowing clients to create, test and adopt new authentication solutions.
The Internet of Things is expected to grow to 20 billion connected devices by 2020, exponentially expanding the devices and environments in which commerce can take place—from wearables, such as rings and watches, to home personal assistants and connected cars. Many of these devices are voice activated and not designed for typical passwords—requiring a new approach to authentication, such as face, fingerprint or voice recognition, document verification, or device and user identification. A 2017 Visa survey showed that 69 percent of US consumers believe that biometric authentication will make payments easier than using passwords.
“A consumer encounters many authentication moments during the course of a day, whether making a payment, checking a balance, or sending money to family and friends,” said Mark Nelsen, senior vice president of risk and authentication products, Visa. “But traditional methods for authenticating a customer can create frustration or are simply not designed for the new ways people are shopping and paying. We built Visa ID Intelligence to help accelerate smarter and easy-to-use authentication solutions for any commerce environment—to better protect against fraud and to move closer to a world without passwords.”
Recent Aite Group research found that, as the speed and complexity of fraud and cyberattacks increases, institutions and companies must look to nimble technology solutions that provide consumers with security as well as convenience. While many competitors offer solutions, not all of them are ideal for the payments industry and the high level of privacy, security and regulatory oversight that are required for financial transactions. Financial institutions and merchants can adopt effective and secure solutions and accelerate time-to-market with streamlined onboarding and implementation through Visa as a single trusted source. Visa has vetted technology providers to ensure they meet industry expectations for security and consumer privacy, including onsite Visa security assessments, penetration testing, and ongoing compliance audits. The platform also enables simplified contracting, saving clients potentially months of negotiations.
“Financial institutions and merchants are working hard to create streamlined and delightful digital experiences,” said Julie Conroy, research director, retail banking practice, Aite Group. “At the same time effective consumer authentication is critically important, given the escalating cyber threat landscape. The good news is that a variety of technologies can help businesses find the win-win, providing superior security while at the same time removing unnecessary friction.”
Today, Visa ID Intelligence features include:
Identity Documents – evaluates identification documents and matches selfies to photo IDs (e.g., driver’s license, passport, military ID), while extracting and converting document information into digital form. This authentication process can help financial institutions or merchants make smarter decisions and instantly provision banking services. Uses include creating new accounts, and as an alternative to customer service calls to perform password reset and lost or stolen card replacement. Au10tix provides identity document services through the Visa ID Intelligence platform.
Biometrics – allows clients to use biometrics such as face, fingerprint and voice to create simpler authentication experiences that meet consumer needs for convenience, security and speed. Applications include app login, payments, step-up authentication, and more. Daon, a global authentication and identity assurance solutions provider, will offer Visa ID Intelligence biometric authentication services.
Visa ID Intelligence offerings will expand in 2018 to user data and device data to improve digital identity decisioning, working with Neustar and ThreatMetrix. More information about Visa ID Intelligence can be found at www.visaidintelligence.com.
About Visa Inc.
Visa Inc. (NYSE: V) is the world’s leader in digital payments. Our mission is to connect the world through the most innovative, reliable and secure payment network—enabling individuals, businesses and economies to thrive. Our advanced global processing network, VisaNet, provides secure and reliable payments around the world, and is capable of handling more than 65,000 transaction messages a second. The company’s relentless focus on innovation is a catalyst for the rapid growth of connected commerce on any device, and a driving force behind the dream of a cashless future for everyone, everywhere. As the world moves from analog to digital, Visa is applying our brand, products, people, network and scale to reshape the future of commerce. For more information, visit usa.visa.com/aboutvisa, visacorporate.tumblr.com and @VisaNews.
How can merchants get compliant with the Visa Stored Credential Transaction framework and mandates effective October 14, 2017?
Step by step getting started guide for B2B merchants:
Plan how you’ll comply with consent record requirements. See Improving Authorization Management for Transactions with Stored Credentials https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf . Are you going to manage documenting everything or are you going to use technology to help you manage it? Ask your gateway if they’re going to provide a checkbox for consent and if you’ll be able to pull the opt-in records on demand. CenPOS, a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement, will provide an automated solution for clients.
Update workflow and documents. Ensure your sales order or associated credit documents include sale, refund and cancellation policies. Add a checkbox for customer opt-in to terms, including online payments. CenPOS has an opt-in box and you can customize the text.
Verify if you have a system to manage authorization validity. What the heck does that mean? Many B2B companies have complex needs including pre-authorizations, incremental authorizations, delayed shipping etc. While you may get issuer approvals, that doesn’t mean the authorization is valid. The two most common rules B2B businesses struggle with are Settlement within timeframe for card not present sales, and Authorization amount and settlement amount must be equal. Per Visa Core Rules October 2017, for typical distributor and manufacturer card not present transactions, the authorization must settle no later than 7 calendar days from the date of the initial Approval Response. CenPOS automates compliance. Other payment gateways are incapable or may leave it up to developers to create a solution. Are you compliant now? Look at your merchant statement ‘pending interchange fees’. If you see EIRF or STD, that’s a red flag that there’s a problem.
Replace paper credit card authorization forms, and any digital form from which you can decrypt and view sensitive card data. Offer your customers a way to self-manage their own wallet with either a hosted online pay page or Electronic Bill Presentment & Payment. CenPOS offers both options, including a lite ‘request a payment’ option, and lets your customers choose both text and email. For those not ready to give up paper, CenPOS creates a printable PCI Compliant credit card authorization form for every stored card.
New to online payments? See Visa best practices to prevent brute force attacks. https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html. CenPOS includes recaptcha and client managed velocity and other rules as part of a layered security approach.
Verify your gateway is ready or will be ready to send correct transaction data for the initial transaction and subsequent transactions for both customer initiated and merchant initiated use of the stored credential. You’ll want the payment gateway to perform a zero dollar authorization and authenticate the cardholder with 3-D Secure. Ask your gateway if it will automatically flag a transaction as customer initiated stored credential or merchant initiated stored credential, or if they’ll require you to have multiple gateway accounts, one for each type. CenPOS does all this for you now in a single account.
Get an ecommerce merchant account. This is needed for online payments. Don’t run mail order telephone order (MOTO) transactions on the ecommerce account unless you know your payment gateway can alter the flag sent with the transaction to change the transaction type. Many cannot. CenPOS manages all compliance seamlessly in the background; whether you need multiple merchant accounts varies by acquirer/processor.
Register for 3-D Secure, including Verified by Visa, with your acquirer. Don’t do this until you know which payment gateway will be used and get their instructions if applicable.
Communicate with customers. Advise them that any upcoming changes will increase efficiency and security for everyone.
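For the authorization validity step in the guide above, a minimal check that a merchant could run over exported transaction records, added here as an example and not taken from CenPOS, Visa or any gateway. The record fields, the flag names and the reading of "7 calendar days" as a date comparison are assumptions of this example, and the sample sales are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal
from typing import Optional

# From the page: card not present authorizations for typical distributors and
# manufacturers must settle within 7 calendar days of the initial approval.
SETTLEMENT_WINDOW = timedelta(days=7)


@dataclass
class CardNotPresentSale:          # hypothetical record layout
    order_id: str
    approved_on: date              # date of the initial Approval Response
    authorized: Decimal
    settled_on: Optional[date] = None
    settled: Optional[Decimal] = None


def check(sale, today):
    """Return the list of authorization validity problems for one sale."""
    deadline = sale.approved_on + SETTLEMENT_WINDOW
    if sale.settled_on is None:
        # Still open: only a problem once the window has passed.
        return ["UNSETTLED_PAST_WINDOW"] if today > deadline else []
    problems = []
    if sale.settled_on > deadline:
        problems.append("SETTLED_LATE")
    if sale.settled != sale.authorized:
        problems.append("AMOUNT_MISMATCH")
    return problems


def review(sales, today):
    """Map order id -> problems, listing only the sales that have any."""
    flagged = {}
    for sale in sales:
        problems = check(sale, today)
        if problems:
            flagged[sale.order_id] = problems
    return flagged


# Constructed sample data, not real transactions.
D = Decimal
SAMPLE = [
    CardNotPresentSale("SO-1001", date(2017, 10, 16), D("1250.00"),
                       date(2017, 10, 18), D("1250.00")),
    CardNotPresentSale("SO-1002", date(2017, 10, 16), D("1250.00"),
                       date(2017, 10, 24), D("1250.00")),
    CardNotPresentSale("SO-1003", date(2017, 10, 20), D("980.00"),
                       date(2017, 10, 23), D("1010.50")),
    CardNotPresentSale("SO-1004", date(2017, 10, 10), D("400.00")),
    CardNotPresentSale("SO-1005", date(2017, 10, 22), D("75.00")),
]

if __name__ == "__main__":
    for order_id, problems in review(SAMPLE, date(2017, 10, 25)).items():
        print(order_id, ", ".join(problems))
```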
Why comply? With full compliance, merchants can expect better qualified interchange rates, increased approvals (avoid declines based on issuer risk averse algorithms), reduced PCI Compliance burden, and increased efficiency for both buyer and seller. The cost of non-compliance is hefty, including higher interchange rates, penalty fees, and risk of both issuer and cardholder chargebacks.
The same transaction can process at different rates as shown above, depending on which rules you follow. CenPOS Smart Rate Selector automates compliance to qualify transactions at the lowest rate possible. Which rates are on your merchant statement now?
Why should developers choose CenPOS for their integrated payment gateway? CenPOS has native modules for ERP, shopping cart, accounting and other software.
Increase profits faster
More efficient, quicker reconciliation
More secure- from Encrypted Virtual Keypad to elimination of credit card auth forms
More robust- Wire, ACH, check, Paypal, credit card and more; text and email payments supported. No 3rd party Electronic Invoice solution needed such as BillTrust; CenPOS invoice portal and automated collections included.
Where can I buy CenPOS or learn more? You’ve already found one of the top salespeople, Christine Speedy. All agreements are direct with CenPOS, no middle man.
DISCLAIMER: condensed and incomplete information! Information may be quickly outdated.
With the fast pace of changing rules, companies need a technology partner to automate compliance. Did you know?
CenPOS has a suite of solutions for companies just like yours, solving common problems and increasing profits virtually overnight.
For those not ready to give up paper, CenPOS creates a printable PCI Compliant credit card authorization form for every stored card.
CenPOS has ERP, ecommerce shopping cart, accounting and other plug-in modules available for quick and easy implementation.
I’ve been selling for CenPOS since day 1. Though I have other payment gateways available in my arsenal, nothing else compares for meeting business to business needs.
Christine Speedy, CenPOS authorized reseller, 954-942-0483 is based out of South Florida and NY. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.