Archive for the ‘security’ Category

Is it ever ok to copy front and back of credit card?

Thursday, April 18th, 2013

No, not if the goal is to defend against future disputes. A copy of the back of the card captures the three-digit card verification code (for American Express, the four-digit code printed on the front), and merchants can never store that code, on paper or electronically, after authorization, even if encrypted. Doing so violates both the merchant card acceptance agreement and PCI DSS* Requirement 3.2, which prohibits storing sensitive authentication data after authorization; the full account number on the front is itself cardholder data that must be protected wherever it is kept. The penalties can be especially stiff, potentially exceeding one million dollars in fines and including jail time, for merchants in industries covered by additional identity theft rules. For example, automotive dealers and health care providers also collect sensitive personal data, which increases their regulatory obligations to protect consumers from identity theft.

First Data, a leading credit card processor, has this language in their PCI Rapid Comply 2013 questionnaire: “Do you make sure that you NEVER, EVER store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions after authorization (even if encrypted)?”

If it’s never OK, how can card not present merchants protect against fraud and disputes?

  1. Increase capabilities to accept card present transactions. For example, a local business might add mobile card readers for delivery personnel to swipe credit cards.
  2. Require remote buyers to print the sales receipt, sign and send back. A signed sales receipt containing the authorization code and correct authorization language enhances the trail of evidence.
  3. Same as above, except for commercial accounts, require that the cardholder forward the email receipt with their electronic signature from a company email address.
  4. Require cardholders to specifically approve any 3rd party delivery address or personnel. Maintain all email communication records related to the sales process.
  5. Switch to self-serve payments such as an online pay page or electronic bill presentment and payment, both of which create opportunities for trails of electronic evidence. Use a third party provider to reduce PCI Compliance burden.
  6. Use a third party service to electronically store sensitive payment information in a ‘vault’ for recurring customers. Ensure that no one can access the full card or ACH information.
  7. Have a set of policies that can be remotely managed, monitored and enforced. This is critical in a multi location environment.

* PCI Compliance: short for compliance with the Payment Card Industry Data Security Standard, or PCI DSS. All merchants that accept payment cards are subject to it; the validation requirements vary by a number of factors, including how payments are accepted and annual transaction volume.

About the author: Christine specializes in providing innovative card not present payment processing solutions for manufacturers, wholesale distributors and new car dealers to improve PCI Compliance and streamline the payment experience for both merchants and customers. It’s fast, easy to use, and requires no capital investment to implement. For CenPOS sales call Christine at 954-942-0483 or click here for more information.

Dealer Cloud Payment Solution- 3 features users will never give up

Friday, April 5th, 2013

Dealerships that try CenPOS payment technology stay customers for life. Here are three features CenPOS users will never give up, and that competitors can’t duplicate:

  1. Interchange optimization- CenPOS removes people and outdated terminals from impacting the cost of accepting credit cards. Other cloud solutions have the same intelligence as old dial-up terminals: none. CenPOS dynamically makes decisions in seconds based on risk and other merchant-defined rules.
  2. Token billing with online payments- CenPOS replaces fax credit card authorization forms and telephone orders. I don’t care what HQ policies are, every dealer has this going on whether upper management knows it or not; sometimes only accounting has permission to accept them, but that’s still too many people. In either case, it’s a poor business practice. Making it easier for your customers to pay, while mitigating risk, can make all the difference in whether a customer chooses to do business with you. CenPOS offers two secure online payment solutions. No employees ever have access to payment data, and no payment data touches your servers, ever.
  3. Reporting- whether one location or many, CenPOS creates numerous back office efficiencies; reconciliation, transaction research, electronic receipt retrieval and audit trails are just a few.
  4. Bonus- Mobile payments- not quite a necessity for everyone yet, but there has been growing demand, especially in service departments. Why is CenPOS different? There is no additional effort needed to implement or for reconciliation. User permissions carry across all points of payment acceptance per rules merchants set up, and all the other benefits of CenPOS extend to mobile.

Dealer Brochure- CenPOS  overview

Image: automotive dealer case study infographic (cloud payments)

CenPOS products include:

  • Virtual Terminal
  • Online payments
  • Pre-filled Request for Payment (electronic bill presentment & payment or EBPP)
  • Dashboard- executive insights
  • Recurring Billing- installment and scheduled payments
  • Token billing- charge any amount to stored payment method
  • Mobile apps – Droid, iPad, iPhone

About CenPOS: CenPOS is an innovative payment processing network that streamlines the payment experience for both merchants and customers. Its multi-channel support and SaaS model have catapulted a shift in payment technology adoption in a variety of industries. CenPOS is fast, easy to use, and requires no capital investment to implement. For CenPOS sales call Christine at 954-942-0483 or click here for more information.

Video Training: How to replace credit card authorization forms

Wednesday, April 3rd, 2013

In this training video, I show how to store credit card data securely so that no one can ever see it again. It’s virtually impossible to prove Payment Card Industry Data Security Standard (PCI DSS) compliance if you are storing credit card authorization forms with full card data. This solution can significantly improve PCI compliance and reduce losses due to disputes and the resulting chargebacks.


The positive card verification checkbox submits a zero-dollar authorization. This checks the card against every rule configured in the merchant administration, and against any rules set for the individual user. For example, if the rules require address, ZIP code and CVV security code verification, each item is validated with the card issuer. The receipt is the merchant’s record of proof that the card issuer passed the verification. Note that a zero-dollar authorization only verifies the card and returns the issuer’s AVS and CVV results; it does not reserve funds, and the CVV typed in for the check must still not be retained afterwards.
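As an added example, not code from the video or from CenPOS, the following JavaScript shows the kind of decision a merchant-defined verification rule set makes with the issuer’s answer to a zero-dollar authorization. The AVS and CVV2 result letters are the standard single-character codes the card networks return; the rule object, the response object shape and the sample responses are constructed for this example. The point to notice is that the CVV value itself is never part of what is evaluated or kept: only the issuer’s verdict on it is.

```javascript
// Added example (not CenPOS code): evaluate the issuer's AVS and CVV2 result
// codes returned by a zero-dollar authorization against merchant-defined rules.
// The AVS and CVV2 letters are the standard network result codes; the rule
// structure, the response shape and the sample data are assumptions.

// What each AVS code says about the billing street address and postal code.
const AVS_CODES = {
  Y: { address: true,  zip: true  }, // street address and 5-digit ZIP match
  A: { address: true,  zip: false }, // street address matches, ZIP does not
  Z: { address: false, zip: true  }, // 5-digit ZIP matches, address does not
  N: { address: false, zip: false }, // neither matches
  U: null, // address information unavailable from the issuer
  R: null, // issuer system unavailable, retry later
  S: null, // issuer does not support AVS
  G: null, // international card, AVS not supported
};

// CVV2 result codes: only "M" is a positive confirmation.
const CVV_CODES = {
  M: true,  // match
  N: false, // no match
  P: null,  // not processed
  S: null,  // CVV2 should be on the card but was not provided
  U: null,  // issuer not certified or unable to verify
};

/**
 * Decide whether a zero-dollar authorization response satisfies the merchant's
 * verification rules.
 *   rules:    { requireAddress, requireZip, requireCvv, allowAvsUnavailable }
 *   response: { approved, avsResult, cvvResult }
 * Returns { pass, reasons } so the user can be told why a card was rejected.
 * The CVV value itself is never passed in; only the issuer's result code is.
 */
function evaluateVerification(rules, response) {
  const reasons = [];
  if (!response.approved) reasons.push('issuer declined the verification');

  const avs = AVS_CODES[response.avsResult];
  if (avs === undefined) {
    reasons.push(`unknown AVS result "${response.avsResult}"`);
  } else if (avs === null) {
    // The issuer could not check the address at all. Treat that as a failure
    // unless the merchant explicitly accepts unavailable AVS (e.g. international cards).
    if ((rules.requireAddress || rules.requireZip) && !rules.allowAvsUnavailable) {
      reasons.push(`AVS unavailable (${response.avsResult})`);
    }
  } else {
    if (rules.requireAddress && !avs.address) reasons.push('street address did not match');
    if (rules.requireZip && !avs.zip) reasons.push('ZIP code did not match');
  }

  if (rules.requireCvv) {
    const cvv = CVV_CODES[response.cvvResult];
    if (cvv !== true) reasons.push(`CVV did not verify (${response.cvvResult || 'missing'})`);
  }

  return { pass: reasons.length === 0, reasons };
}

// Constructed sample: strict rules requiring address, ZIP and CVV, and two issuer responses.
const strictRules = { requireAddress: true, requireZip: true, requireCvv: true, allowAvsUnavailable: false };
const fullMatch = { approved: true, avsResult: 'Y', cvvResult: 'M' };
const zipOnly   = { approved: true, avsResult: 'Z', cvvResult: 'M' };

console.log(evaluateVerification(strictRules, fullMatch)); // pass: true
console.log(evaluateVerification(strictRules, zipOnly));   // pass: false, street address did not match
```

Issuer results such as U, S or G mean the address could not be checked at all, not that it mismatched; the example treats those as failures unless the merchant has opted to accept them, which is the choice to make for international cards whose issuers do not support AVS.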

Optionally send the repeat sale credit card charge form to your customer. Have the customer sign and send it back. This replaces credit card authorization forms that have full card data.

TIP: Include a cancellation and refund policy on all invoices, as required for all card not present transactions per card acceptance guidelines.

CenPOS works with your existing processor, and is fast, easy, and requires no capital investment to implement. Call Christine Speedy in sales 954-942-0483 or click here for more information.

Online Form Creator With Secure Online Payments

Monday, April 1st, 2013

To convert a paper sales order form with credit card authorization to electronic form, including securely collecting an online payment, there are multiple options. This article addresses the business to business need for a quick solution to become PCI compliant. PCI is short for PCI DSS, the Payment Card Industry Data Security Standard, the mandatory standard for all merchants that accept credit cards.

Image: example of a custom secure payment page (virtual terminal and web payment page) on a law firm web site, fully configurable for your specific needs.

How critical is the security of the data being collected? What will be done with the information afterwards? The simplest solution is a quick script that collects the order data and sends it to an email address. The order form must not collect card data, since email is neither encrypted end to end nor a permitted place to keep it; the card details are entered only on the pay page. After the form is submitted, the return URL (the page that appears after the form data is submitted) contains a link to a secure pay page hosted by a third party. I like having a link on the return URL instead of immediately redirecting because it provides an opportunity to assure the payer that the link is to a trusted web page. Because the form data is not in a spreadsheet that can be imported into a database, or collected automatically in a database, some manual work will be needed afterwards. However, don’t get hung up on this! If the current process is faxing credit card authorization forms back and forth, the entire process is already manual. At a minimum, staff will save the time spent keying in credit card data, and this process is more secure for business owners and their customers. Additionally, the back office for the pay page will have an export feature, making it possible to import transaction information into accounting programs.

All of the above can be done with no HTML programming experience. There are plenty of free and low cost options to create custom forms. I’ve personally used Wufoo, JotForm, Logiforms, SugarCRM forms, and custom made forms over the years. Here’s a link to form reviews. It’s a bit dated; however, the table may help to identify what’s important to look for when choosing a form builder.

With a little bit of HTML work, elements of the information filled into the order form can be transferred automatically to the matching payment fields. For budgeting outsourced help, plan on an hour for the programmer to review what to do, which URLs to link to, and the pay page API. Budget another hour to implement and test.

In summary, payments can be accepted securely online with an update to your web site navigation and a single line of HTML linking to a secure hosted pay page. This is more secure than credit card information exposed on paper, and it provides an easily retrievable record in the event of a dispute, which can be raised up to 120 days later. To convert a sales order form to electronic form, an online form builder is a low cost option that saves both merchants and customers time.
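The order-form-to-pay-page handoff described above, as an added example in JavaScript. It is not the article’s own code, and the pay page host and its query parameter names are assumptions; a real provider documents its own. It forwards only a fixed set of non-sensitive order fields to the hosted page, and refuses to build the link at all if the order form somehow captured card data, since that data must be entered only on the provider’s page.

```javascript
// Added example (not the article's code): build the link from an order form's
// return page to a third-party hosted pay page, carrying only non-sensitive
// order fields across. PAY_PAGE_URL and the parameter names are assumptions.
const PAY_PAGE_URL = 'https://pay.example-provider.test/merchant-123'; // assumed host

// Order-form field -> pay page parameter. Nothing outside this table is forwarded.
const FORWARDED_FIELDS = {
  invoice: 'invoice_number',
  amount:  'amount',
  name:    'cardholder_name',
  email:   'email',
  phone:   'phone',
};

// Fields that must never appear in a URL, an email or a log.
const CARD_DATA_FIELDS = ['card_number', 'card_expiry', 'cvv', 'cvv2', 'security_code'];

// Returns the absolute pay page URL with the allowed order fields pre-filled.
function buildPayPageLink(order) {
  // Card data belongs only on the hosted page: refuse if the order form collected it.
  for (const f of CARD_DATA_FIELDS) {
    if (f in order) throw new Error(`order form must not collect ${f}`);
  }
  const url = new URL(PAY_PAGE_URL);
  for (const [formField, payField] of Object.entries(FORWARDED_FIELDS)) {
    const value = order[formField];
    if (value === undefined || value === null || String(value).trim() === '') continue;
    url.searchParams.set(payField, String(value).trim()); // encodes for the query string
  }
  // Normalise the amount to two decimals so the pay page and the invoice agree.
  if (order.amount !== undefined) {
    const amount = Number(order.amount);
    if (!Number.isFinite(amount) || amount <= 0) throw new Error('invalid amount');
    url.searchParams.set('amount', amount.toFixed(2));
  }
  return url.toString();
}

// Minimal HTML escaping for text and attribute values we place in the page.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// The "single line of HTML" on the return page: a link whose text names the
// host it goes to, so the payer can see it is the trusted pay page.
function payLinkHtml(order) {
  const href = buildPayPageLink(order);
  const host = new URL(href).host;
  return `<a href="${escapeHtml(href)}" rel="noopener">Pay invoice ${escapeHtml(order.invoice)} securely at ${host}</a>`;
}

// Constructed sample order: what the order form posted (no card data in it).
const sampleOrder = { invoice: 'INV-1042', amount: '1250.5', name: 'A. Buyer & Co', email: 'ap@buyer.example', phone: '' };

console.log(payLinkHtml(sampleOrder));
```

The query string is convenience, not authority: a payer can edit the amount in the URL, so the amount the pay page reports as paid must be reconciled against the invoice rather than trusted from the link.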

Disclaimer: The information above does not replace a merchant’s obligation to follow all rules associated with their merchant account, card acceptance guidelines and payment card industry data security standards. Many additional options

For more information about this and other solutions to streamline payment acceptance for your business to business company with card not present customer transactions, contact us.

 

5 Critical Tips For Accepting A Credit Card Authorization Form

Saturday, March 30th, 2013

Is your credit card authorization template worthless? Card-absent transactions carry a heavier burden of proof to prevent chargebacks, and the methods businesses use often create other risks, such as identity theft. Here are steps to protect your business to business company.

  1. Never store CVV security code data after authorization; it’s against card association rules and PCI DSS. Stored forms containing the CVV represent a substantial financial risk in the event of identity theft, and potentially even jail time for failing to protect sensitive data.
  2. Fax or email the sales invoice, which must include the merchant name (matching the merchant account, either as company name or DBA), merchant address, merchant phone, customer bill-to, customer ship-to, and product or service details with quantity, price and description. Add a checkbox for the customer to acknowledge the refund and cancellation policies. Add a fill-in line titled “Cardholder Authorization”.
  3. Do not ask customers to fax back a credit card authorization form. That’s right, chuck the credit card authorization fax form into the trash can. Tell customers that for security reasons, payment must be made on a secure online pay page. The pay page form should include fields for the cardholder name, address, email, phone, and invoice number. Additionally, have a checkbox for the cardholder to acknowledge receipt and acceptance of the refund/cancellation policy and of the invoice terms. For example, I use this: “I accept the return policy and all other terms as stated on my invoice.”

    Image: example of a custom secure payment page (virtual terminal and web payment page) on a law firm web site, fully configurable for your specific needs.

  4. Request that customers print the receipt from the online payment and the invoice, fill in the fields, sign both, and fax them back. Store the proof of delivery with the signed papers.
  5. If the cardholder address and ship-to address are different, and this is not specifically indicated on the invoice, have the cardholder send a supplemental document on the cardholder’s letterhead that specifically states they are authorizing shipping to a different address. For business to business, different addresses are common. Be aware that without acknowledged authorization of some sort, there is virtually no defense for sending product to an address other than the cardholder’s.

In lieu of signed papers via fax, customer replies from a company email address that acknowledge receipt of the invoice and of the sales receipt with the authorization code can be used as proof to defend against chargebacks in future disputes.

Another solution that facilitates future dispute protection is electronic bill presentment & payment. In this case, the merchant invoice is delivered to a customer’s company email address, and the customer clicks and pays that specific invoice securely online. This creates an audit trail proving that the terms were presented and the customer received them, since the customer self-initiated a payment tied specifically to the invoice. Merchants may also want to create a rule that transactions over a certain amount are reviewed by an internal audit team to verify that the cardholder address matches the invoice.

Image: click-through landing page for secure payment from an e-invoice

According to a recent survey, the second-highest identity theft concern among customers is credit card information on paper. Eliminate the paper to reduce risk, improve customer relations, and create efficiencies for both customers and merchants. All of the above are guidelines that can be adjusted according to the risk associated with the customer. For example, new customers and recurring customers carry different risks, and domestic customers with a verifiable AVS (address verification) result are lower risk than international customers whose issuers do not support AVS.

Disclaimer: The information above does not replace a merchant’s obligation to follow all rules associated with their merchant account, card acceptance guidelines and payment card industry data security standards.

For more information about solutions to streamline payment acceptance for your business to business company with card not present customer transactions, contact us.

Retailer Sues Visa Over $13 Million ‘Fine’ after Failing PCI Compliance Standards

Thursday, March 21st, 2013

Genesco, a sports apparel retailer,  is fighting back against the arbitrary multi-million-dollar penalties that credit card companies impose on banks and merchants for data breaches by filing a first-of-its-kind $13 million lawsuit against Visa. While specifics are not fully public, the company maintains that it found packet-sniffing software on its network but never uncovered forensic evidence that the hackers actually stole any card data.

http://www.wired.com/threatlevel/2013/03/genesco-sues-visa/

###

CenPOS, a private cloud, hosted-payment processing network, can reduce PCI burden for retailers. Contact us for more information.

 

Improve PCI Compliance With Online Pay Page: Business to Business

Thursday, March 7th, 2013

The financial viability of your business is at risk if you are using the common credit card authorization form and faxing to your customers. More than 80% of businesses that suffer a data breach will go out of business within one year.

PROBLEM 1: Security.

Whenever payment information is on paper and handled by people, there is a risk of it being misappropriated for identity theft. It used to be that you could buy your way out of trouble after a breach, but now business owners can be held criminally liable, facing felony charges carrying a year in jail. Reputation damage persists indefinitely on the Internet as well. It’s virtually impossible to maintain the required PCI compliance (data security) standards with paper credit card authorization forms that contain sensitive payment information.

SOLUTION:

As a best practice, an authorization form should be designed so that the signature block is kept while the section carrying the card details can be torn off and destroyed once the authorization has been processed. Better still, accept payments via a secure online pay page, which eliminates employee access to payment information altogether.

 

PROBLEM 2: Inefficiencies

All payments sent on paper or made over the phone require human resources for both parties.

SOLUTION: Accept payments via secure online web page instead.

 

PROBLEM 3: Cash Flow

Some customers pay late because of inconveniences related to making payments.

SOLUTION: Online pay pages and or electronic invoicing with automated collection management are proven methods to significantly reduce receivables.

 

PROBLEM 4: Excessive processing fees

Business to business merchants are the most at risk of overpaying fees because their transactions get downgraded to ‘non-qualified’ interchange, which typically happens when a keyed transaction is settled without the address verification and purchase detail (Level 2/3) data the card networks expect, or is settled late.

SOLUTION:

Due to complexities, using technology that automatically optimizes payments for lower qualified interchange rates is the ONLY way to manage credit card processing fees.

 

CenPOS offers a cost effective solution to solve the above problems and others.

All payments, including checks arriving in the mail, use the same web based hub. The central reporting solution makes reconciliation faster and reduces audit costs. There’s no capital investment and your company can be operational in about a week. CenPOS is a private cloud solution so there is never anything to update.

CenPOS Products

  • Virtual Terminal (card swipe and key enter)
  • Online pay page FREE
  • Mobile app FREE
  • Tokenization- securely store sensitive payment information on CenPOS servers, replacing it with a random alphanumeric token for repeat sale customers. A PCI compliant repeat sale form is automatically generated for signature, which you can keep in a file drawer and which is useless if stolen.
  • Electronic Bill Presentment & Payment
    • Customer portal to view and pay invoices, update payment methods
    • Merchant portal to view unpaid invoices or add offline payments
    • No login needed to pay a bill- significantly increases likelihood for faster payment and easy to pass to other family members to pay
  • Recurring billing- store multiple check and credit card payment methods
    • Automated reminders for expiring credit cards and self updating
  • Dashboard- Real time cash flow and hierarchical reporting by department, region or any other grouping
  • Custom Reporting:  Automate report creation and distribution on any schedule.
  • PCI DSS compliant- reduces scope

If you’d like to improve efficiencies, cash flow, and security, our private cloud payment technology delivers. CenPOS works with your existing processor, and is fast, easy, and requires no capital investment to implement.

Call 954-942-0483 for more information.

 

Visa Introduces Corporate Franchise Servicer as a New Third Party Agent Category

Tuesday, March 5th, 2013

Interestingly, it’s 2013 and yet a 2010 document related to cardholder data breaches affecting franchise locations is a top 5 rated download at Visa.com. The definition of Corporate Franchise Servicer (CFS) , the new Visa third party servicer category, links related to the subject, and commentary are shared below.

Visa determined that data breaches spread quickly among franchise locations that share a system owned or operated by the corporate franchise organization. When the franchisee has no role or say in the system used to process, store or transmit payments, it cannot manage PCI DSS (Payment Card Industry Data Security Standard) compliance on its own, so the responsibility has to rest with the party that controls the system.

As a result Visa created a new third party category. From Visa, “A Corporate Franchise Servicer is defined as a corporate entity or franchisor that provides or controls a centralized or hosted network environment irrespective of whether Visa cardholder data is being stored, transmitted or processed through it.” Further, “If PCI DSS-compliant segmentation exists between these assets and the franchisee cardholder data environment, the corporate franchise may be excluded from this requirement.”

Is Your Data Secure? – Published by Multi-Unit Franchise, Issue 2 2011

Visa Classifies Corporate Franchisors As Third-Party Agents - Storefront Backtalk November 11th, 2010

BLOG AUTHOR COMMENTS:

CenPOS is an intelligent payment processing network that streamlines the payment experience for businesses and consumers by using state-of-the-art technology to replace inefficient, outdated payment systems. CenPOS products include a virtual terminal, electronic bill presentment and payment, a secure online pay page, and mobile payment applications. Additionally, the Dashboard provides executives with insights organized by hierarchy.

CenPOS reduces the burden of PCI DSS compliance, while also providing transparency and scalability in the franchise environment.  Special markets include business to business, automotive, fitness, moving and storage, retail and medical.