Dealer Cloud Payment Solution- 3 features users will never give up

Dealerships that try CenPOS payment technology stay customers for life. Here’s three features CenPOS users will never give up, and that competitors can’t duplicate:

  1. Interchange optimization– CenPOS removes people and outdated terminals from impacting the cost of accepting credit cards. Other cloud solutions have the same intelligence as old dial up terminals- NONE. CenPOS dynamically makes decisions in seconds based on risk and other merchant defined rules.
  2. Token billing with online payments– CenPOS replaces fax credit card authorization forms and telephone orders. I don’t care what HQ policies are, every dealer has this going on whether upper management knows it or not; sometimes only accounting has permission to accept them but that’s stiil too many people. In either case, it’s a poor business practice. Making it easier for your customers to pay, while mitigating risks, can make all the difference whether a customer chooses to do business with you or not. CenPOS offers two secure online payment solutions. No employees ever have access to payment data- no one, ever. No payment data touches your servers, ever.
  3. Reporting– whether one location or many, CenPOS creates numerous back office efficiencies, including reconciliation, transaction research, electronic receipt retrieval, and audit trails are just a few.
  4. Bonus- Mobile payments- not quite a necessity for everyone yet, but there has been growing demand, especially in service departments. Why is CenPOS different? There is no additional effort needed to implement or for reconciliation. User permissions carry across all points of payment acceptance per rules merchants set up, and all the other benefits of CenPOS extend to mobile.

Dealer Brochure- CenPOS  overview

automotive dealer case study infographic cloud payments

automotive dealer case study infographic

CenPOS products include:

  • Virtual Terminal
  • Online payments
  • Pre-filled Request for Payment (electronic bill presentment & payment or EBPP)
  • Dashboard- exeuctive insights
  • Recurring Billing- installment and scheduled payments
  • Token billing- charge any amount to stored payment method
  • Mobile apps – Droid, iPad, iPhone

About CenPOS: CenPOS is an innovative payment processing network that streamlines the payment experience for both merchants and customers. It’s multi-channel support and SaaS model, has catapulted a shift in payment technology adoption in a variety of industries. CenPOS is fast, easy to use, and requires no capital investment to implement. For CenPOS sales call Christine at 954-942-0483 or click here for more information.

Video Training: How to replace credit card authorization forms

In this training video, I show how to securely store credit card data so that no one can ever see it again. It’s virtually impossible to prove Payment Card Industry Data Security Standards (PCI DSS) Compliance if storing credit card authorization forms with full card data. This solution can significantly increase boost PCI Compliance and reduce losses due to disputes and resulting chargebacks.


The positive card verification checkbox is used to submit a zero dollar authorization transaction. This validates all rules in the merchant administration and on a user basis. For example, if rules require an address, zip code, and cvv security code verification, the items will be validated with the card issuer. The receipt is the merchant record of proof that the card issuer passed the verification.

Optionally send the repeat sale credit card charge form to your customer. Have the customer sign and send it back. This replaces credit card authorization forms that have full card data.

TIP: Include a cancellation and refund policy on all invoices, as required for all card not present transactions per card acceptance guidelines.

CenPOS works with your existing processor, and is fast, easy, and requires no capital investment to implement. Call Christine Speedy in sales 954-942-0483 or click here for more information.

Fraud Risks and methods to identify and prevent credit card fraud

Results from the 2010 LexisNexis True Cost of Fraud study show that 20% of merchant fraud losses are attributed to friendly fraud, 42% to lost or stolen merchandise, 18% to identity fraud, and 20% to  fraudulent requests for a return/refund. Friendly fraud occurs when a consumer purchases an item online and receives the product but claims not to have received it, requesting a refund
or chargeback from the merchant or delivery of a duplicate item.

Prevention holds the greatest impact in minimizing fraud losses.

Fraud Loss by Company Size, Product Type, Channel and Industry, 2010 Company Size

Small Company avg <$1M revenues Medium Company Avg $5M revenues Large Company Avg >$50M revenues
Average annual fraud 

amount ($)

$2,145 $104,000 $6,767,000

For the complete study, get it free by registering at the Lexis Nexus web site:  2010 LexisNexis True Cost of Fraud.

Comments:

Friendly fraud– A small business owner was able to successfully defend against consumer claim that box was delivered empty by showing Fedex records of the weight. The difficulty with this going forward is that new rules have a 180 day chargeback period. Make sure your shipping company keeps those records for as long as you need them.

Identity fraud– Unless there is an issue of verifying ownership, such as when a customer is picking up a car left for repair, merchants cannot ask for a drivers license or other identification for a standard transaction. However, there are many other ways to prevent this type of crime. In the brick and mortar world, a mandatory check for the last 4 digits is a simple and effective way to block cloned credit cards. Due to the global nature of our society, requiring the zip code would frequently result in too many declines. However, you can add additional filters with our payment processing platform that sits in front of your existing processor. Essentially it is your fraud protection dashboard where you control in real-time the level of risk you’re will to accept either by blocking specific transactions entirely, or by sending automated email alerts to managers who then can assess the situation. This works very similar for online transactions.

 

2011 Data Breach report insider theft credit card processing

In this first article of a series we explore insider theft, related to data breaches,  based on key elements of the Verizon 2011 data breach report.  The number of 2010 data breaches exploded in companies with 11 to 100 employees. A key commonality is simply the opportunity was there.

The 2011 Data Breach Investigations Report (DBIR) is a study conducted by the Verizon RISK team in cooperation with the U.S. Secret Service and the Dutch High Tech Crime Unit.

Who is behind the data breaches?

  • 92% external agents
  • 17% implicated insiders
  • < 1% business partners
  • 9% involved multiple parties

How do breaches occur? ?

  • 50% involved some sort of hacking
  • 49% incorporated malware
  • 29% physical attacks
  • 17% from privilege misuse
  • 11% employe social tactics

What commonalities exist?

  • 83% were victims of opportunity
  • 92% were not difficult
  • 76% of all data was compromised from servers
  • 86% discovered by a third party
  • 96% were avoidable through simple or intermediate controls
  • 89% of victims subject to PCI-DSS had not achieved compliance

End of excerpt. Continue reading for blog author comments.

healthcare company stores credit card data on servers, unencrpyted. Their excuse? It’s not connected to the actual credit card processing and access is restricted so it’s not a PCI Compliance problem.  See related article Shocking lack of payment processing security in healthcare industry. No data breach yet, but statistically, the company is at great financial risk, including up to  $1.5 million fine for violating the HITECH ACT.

Employees at a car dealer tape passwords next to their computer and in the first unlocked drawer of their desk. Their excuse?  It’s too hard to remember the password and they don’t acknowledge it’s a security issue.

Employees at a retail rental shop have a file folder in plain view of anyone entering the shop containing copies of drivers licenses and the front and back of credit cards. Their excuse? They didn’t know they couldn’t do it and didn’t know of an alternative method that would meet their needs to bill customers if they never returned with the goods.

Think these are exceptions? Businesses everywhere have these problems in some fashion. As each of these examples illustrate,  employee training is essential. Industry wide, merchants are completing  PCI Compliance Security Standards data worksheets. At that point in time, the merchant can be certified PCI Compliant. But without internal enforcement and training, the merchant is generally not compliant when a data breach occurs and thus is fully liable for all the associated fines, fees and damages.

In conclusion, the establishment of training procedures and distribution of data security expectations to employees is essential. Most employees are honest, right? But when companies have lax security policies, it presents an OPPORTUNITY for good employees to break the law.

Here’s three things you can do to mitigate internal employee risk:

  1. Create a data security training checklist for all employees handling sensitive data. Update the training and content quarterly or at least once per year. The employee cannot accept credit cards or any sensitive data until they’ve completed training, plus sign and date the checklist.
  2. Make data security a formal part of employee performance reviews. Require annual checklist review and signature at the time of performance reviews.
  3. Implement a reward system for identifying vulnerabilities of real life practices- whether people, software, or hardware.

Bonus: Implement a hosted payment processing solution with extensive tools to prevent internal fraud. Call for information.

Shocking lack of payment processing security in healthcare industry

There’s room for improvement in medical billing for card not present transactions. The lack of security in the healthcare industry with respect to payment processing is evident in nearly every business I’ve interviewed in the last two years. With all the effort put into HIPAA, you’d think they’d be more likely to be PCI Compliant than other industries, but in my experience talking to and interacting with healthcare  companies, I think 50% PCI DSS  (Payment Card Industry Data Security Standards) Compliance would be extremely optimistic.

So what’s got my gander up today? A widespread lack of security by healthcare suppliers with my HSA debit card data. Before giving out my credit card information, I always ask what they are going to do with it.  As a cardholder, I have a right to know. Like many Americans, I have an HSA account and funds for payments are accessible only via a debit card. That means any misuse could wipe out the account.  Under Visa’s Zero Liability policy  consumers are not held responsible for fraudulent charges made with the card or account information, but identity theft is another matter the consumer is left to deal with.

I talked to three different personnel for the story that follows. The last one said the first two didn’t entirely follow normal protocol, which does nothing to spare them from the liabilities associated with identity theft.

This article is about a medical industry merchant storing credit card data in a database and the misunderstanding of potential  liability exposure as a result. Storing card data even for 24 hours poses a huge risk both financially and criminally. In this article we’ll review their processes and solutions to mitigate risk.

First, let’s review the payments process.  Consumers receive invoices in the mail. They can mail a check or pay by Visa or MasterCard by returning a form, or call on the phone. The merchant then uses a multi-step process to collect the information and process it.

PAY INVOICE BY MAIL

credit card payment form

This invoice format is quite common for medical billing.

RISK: Merchant collects the CVV code, listed as signature code above, and bills are sent to a their corporate office. Collecting and storing CVV codes is always a bad idea. The mail could be stolen by internal employees familiar with the billing process. Someone could copy or even quickly photo each billing form. It’s doubtful they could prove PCI Compliance and would likely have no safe harbor in the event of a data breach.

SOLUTION: Remove the security code from the form. Have all bills sent to a lockbox. Reduce mail payments by enabling customers to pay their bills online.

PAY INVOICE BY PHONE

The first person to take my payment was covering for someone who was on vacation or otherwise out of the office.

  • She took down my invoice number and credit card information on a piece of paper. She entered something into their billing system so there was  a record of my call and payment.
  • The paper went into an “in box”. It was Friday.
  • The person emptying the “in box” and posting payments would be in Monday to complete the transaction.
  • Monday the posting person key entered the transaction into a desktop terminal.
  • Tuesday, presumably,  paper was shredded. The paper is held for a day to ensure the payment went through properly so the customer does not need to be called.

RISK:  The paper with full card data was exposed for up to 5 days. Was the ‘in box’ emptied and put in a locked drawer when not being worked on, including breaks? Do cleaning personnel have access to the facility on evenings and weekends?

SOLUTION: Enter the card information directly into our smart virtual terminal. Some flexible options include:

  • Entering the card and customer data and instantly charging the account. In this case, you can enter the CVV for extra fraud protection.
  • Creating a customer and entering the card information for later billing. Using a process called tokenization, the card data is stored encrypted on PCI Compliant servers, never at the merchant location.  CVV is NEVER stored, not even encrypted, since it’s against card association rules.
  • Entering the card and customer information and obtaining an authorization only, for other personnel to charge later.

The seccond person to take my payment on a future date was the actual representative for my account.

  • She entered information in the billing system so there was  a record of my call and payment.
  • My card data, including CVV,  was entered into a ‘notes’ section of the billing database.
  • The customer service representative has no access to see the card data after it is entered.
  • An accounting person retrieves the card data for payment in bulk with others within 1 business day.
  • The posting person key enters the transaction into a dial-up desktop terminal.
  • The next business day, presumably,  the computer notes are deleted.

RISK:  Full card data is exposed on a computer network. It doesn’t matter that access is restricted to certain personnel. This data storage is certainly a violation of FACTA and PCI Compliance standards, and probably HIPAA too. The merchant is open to both criminal and financial penalties in the event of a data breach. Additionally, the merchant would need to securely wipe or destroy every associated hard drive removed from service in the future to eliminate data theft potential.

SOLUTION: Enter the card information directly into our smart virtual terminal, same as above.

What are the financial risks with this data exposure?

  • Replacement cost per card compromised, $25.
  • Mandatory consumer credit report service for one year, $12/mth per card holder.
  • Reimburse all claims from card associations.
  • Fines from FACTA, HIPAA, and PCI Compliance violations
  • Your business could come to a screeching halt while a forensics team investigates.
  • Bad PR could result in loss of business.

What are the criminal risks associated with card data exposure? Felony.

FINAL NOTES: There is some use of an online gateway within the organization, but those details are unknown. I spoke to staff that believes since the payment processing is via a dial up terminal and is not connected to the card data in the database, that there is no risk. That is completely untrue. The company would not only save time by reducing steps, but would tremendously reduce risk by key entering card data directly into a virtual terminal. Moreover, an intelligent VT would provide a boatload of other benefits.

Ignorance is not an excuse. PCI Compliance standards were established nearly a decade ago. A critical first step to compliance and mitigating risk is a solution that supports all your payment processing needs. We offer that solution.

See also related article, How to reduce time and money for outpatient procedure billing.

On a side note, based on the invoice billing form, the merchant is not accepting American Express cards, probably because they don’t want to pay the high fees associated with Amex. If managing costs to improve EBITDA is important, our hosted payment processing platform with intelligent switch is critical.