Dealership Post-Acquisition Standardization Cash Flow & Profits

Car, truck, and ag equipment dealership acquisitions by mega dealers are on a torrid pace. Cash-flow and profits are directly linked to standardization among locales. The right payment processing technology creates instant receivables financial transparency at headquarters regardless of varying dealer management software. heavy duty equipment credit card processingCloud-based payment processing is critical to financial transparency. For example, credit card processing terminals batched out individually means management has to wait for reports. A cloud solution, including payment gateway, can provide real-time insights by dealer location or any other number of data points.

Key payment gateway differences for dealership evaluation:

  • Real-time dashboard with drill down vs export reports to view (additional payment types not shown)dashboard net sales payment gateway report
  • Compliance with complex rules for rentals, preauthorizations, retail and card not present. How many merchant accounts needed to comply?
  • Compliance with Visa October 2017 stored credentials mandates
  • Level 3 processing capabilities for commercial cards
  • EMV chip or EMV chip and pin
  • Push payment requests (collect remote payments before delivery) via text or email
  • Cardholder authentication (3-D Secure) for remote payments
  • Payment methods supported: cash, check, wire, credit card and other methods vs just credit cards provides significantly tighter controls and data insights

Dealers hesitant to replace desktop EMV chip terminals due to prior investments should bite the bullet. Better solutions to improve customer experience and back office efficiency will reduce ROI time for acquisitions.

ABOUT: Christine Speedy is a payment processing expert with deep experience in the multi-department needs of dealerships. Solutions empower CFO’s to achieve common customer satisfaction goals with tight financial controls, risk mitigation, and reduced PCI Compliance burden. Need standardization help? Call 954-942-0483 to learn more about solutions for your business that are quick and easy to adopt, increasing efficiency and growing profits virtually overnight.

 

PCI SECURITY STANDARDS COUNCIL PUBLISHES SUPPLEMENTAL PCI DSS SCOPING GUIDANCE

Guidance Clarifies Scoping Principles Outlined in the PCI Data Security Standard —
WAKEFIELD, Mass., 9 December 2016 — Incorrectly identifying where and how payment data is at risk in an organization’s systems continues to lead to data breaches. Today, the PCI Security Standards Council (PCI SSC) published Guidance for PCI DSS Scoping and Network Segmentation to help businesses address this challenge.

PCI Data Security Standard (PCI DSS) Requirement 1.1 states that organizations need to maintain a cardholder data flow diagram to help identify which systems are in scope and need protection. Yet data breach investigation reports continue to find that companies suffering compromises were unaware that cardholder data was present on their compromised systems. This guidance provides a method to help organizations identify systems that, at a minimum, need to be included in scope for PCI DSS. It includes guidance on how segmentation can be used to help reduce the number of systems that require PCI DSS controls and illustrative examples of some common segmentation approaches.

“For years, we have preached the need to simplify and minimize the footprint of cardholder data,” said PCI SSC Chief Technology Officer Troy Leach. “One way to accomplish this is through good segmentation. It allows an organization to focus their attention on a limited number of assets and more readily address security issues as they arise. As a result, it should also reduce the level of effort to comply with PCI DSS.”

While segmentation is not a PCI DSS requirement, it is a strongly recommended practice. Segmentation of networks included in or connected to the cardholder data environment is important for organizations as it can limit the exposure of payment data in a system, simplify PCI DSS compliance efforts and reduce the chance of being targeted by a criminal. However, as improper segmentation can put cardholder data at risk, it’s critical that organizations understand and implement segmentation properly.

The guidance was developed with industry input and collaboration in order to address common questions from PCI SSC stakeholders on scoping and segmentation. Christian Janoff, PCI SSC Board of Advisor member and Security Solutions Architect for Cisco, works regularly with merchants using scoping and segmentation products and was a leading contributor to the guidance. “Knowing the scope of your cardholder data environment and properly segmenting to protect it has been a challenge for many organizations. By providing guidance, we hope this will help to simplify the process, making it easier to secure payment card data,” he said. “We at Cisco are proud to partner with the Council and industry peers to bring additional scoping and segmentation guidance to the industry.”

Guidance for PCI DSS Scoping and Network Segmentation is intended for organizations looking to understand scoping and segmentation principles when applying PCI DSS to their environments. It also provides a method for facilitating effective scoping discussions between entities and is useful for:

  • • Merchants, acquirers, issuers, service providers (issuer processors, token service providers, and others) responsible for meeting PCI DSS requirements for their enterprises;
    • Assessors responsible for performing PCI DSS assessments;
    • Acquirers evaluating merchants’ or service providers’ PCI DSS compliance documentation;
    • PCI Forensic Investigators (PFI) responsible for determining PCI DSS scope as part of an investigation.

It is important to note each organization is responsible for making its own scoping decisions and that following this guidance does not guarantee that effective segmentation has been implemented, nor does it guarantee compliance with PCI DSS. The guidance is available on the PCI SSC website. Chief Technology Officer Troy Leach provides additional insights on the topic on the PCI Perspectives blog.

About the PCI Security Standards Council
The PCI Security Standards Council is a global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security.

Credit Card Authorization Form and PCI Compliance Update

A Credit Card Authorization Form enables a business to charge a credit card one-time or for recurring purchases. Is your form PCI Compliant with 2016 standards? Edited from my original contribution to Credit Today, learn the pitfalls and solutions to traditional paper authorization forms.

Do your business practices meet current PCI Compliance standards?

  1. Is it OK to store the form in a locked drawer?
  2. Is it OK to store the form in the cloud if it’s encrypted?
  3. Is it OK to receive them via email?
  4. Is it possible to qualify for the lowest processing rates using them?
  5. Is it OK to key enter each transaction for cards on file?credit card authorization form pci compliant

Credit Card Authorization Forms and PCI Compliance Rules

  • Per PCI 3.2, Neither Primary Account Number (PAN) nor Card Verification Code (CVV) can be stored on paper after authorization.
  • Per PCI 3.4, must render PAN unreadable anywhere stored (including on portable digital media, backup media, and in logs) using one of four cited approaches.
  • No. Per PCI 2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).
  • No. Most cards, except regulated debit, can qualify for multiple rates depending on how the transaction is submitted. For example, MasterCard World card rates:
Rate Name Rate Qualified Rate Reason
Standard 2.95% + $.10 Not all criteria met for another rate.
Merit I 2.05% + $.10 Key-entered or ecommerce and valid authorization + other criteria met.
Full UCAF 1.87% = $.10 Ecommerce; Cardholder authentication and other criteria met.

To qualify for UCAF, the customer must initiate payment.

Ecommerce includes online paypage and other electronic payment channels the customer initiates.

  • No. If a customer authorizes to store a card, then after the initial transaction, all subsequent transactions must be sent with the correct transaction type: recurring or repeat sale.

Alternative methods to process Card Not Present orders:

Hosted pay page. The merchant directs customers to web page to pay any invoice online. Acceptable implementation methods have changed in the last year or two for PCI Compliance. For maximum reduced PCI burden, send customers directly to the 3rd party payment gateway web URL. The gateway may or may not be the same as your processor. NOTE: If hosting on your own web site with an embedded payment (iframe) object, PCI requirements have changed; any old forms should be updated.

Electronic Bill Presentment & Payment. (EBPP or EIPP) This is basically a proactive version of the above. As a standalone solution, the merchant user logs in to a gateway web portal, and sends a payment request via text or email which the customer clicks and pays. Integrated to billing software, it sends the actual invoice, and may require customer to login to make the payment.

All the major payment gateways include a Virtual terminal, hosted pay page, and shopping cart checkout capability, tokenization to store card data for future orders. Some, including CenPOS also offer EBPP.

If you accept cards over the phone, gateways with a virtual encrypted keyboard can reduce PCI scope since card data never touches computers or networks.

Christine Speedy, CenPOS reseller, maximizes profits, efficiency, and security with payment processing solutions including EIPP, collections automation, and online payments. She can be reached at 954-942-0483 or cspeedy AT 3dmerchant.com.

 

 

MAGENTO VULNERABILITIES IMPACT PCI COMPLIANCE

Magento, a popular e-commerce platform, released multiple security patches this year, several addressing critical and high credit card data breach vulnerabilities. Merchants that haven’t deployed security patches, as required by PCI standards, are vulnerable to remote exploits that can compromise customer account and credit card data.

One cross-site scripting (XSS) flaw potentially allows an attacker to add malicious JavaScript code to a comment via the PayFlow Pro payment module. The JavaScript code is executed server-side when the targeted site’s administrator views the attacker’s order.

PCI Compliance Requirement 6: Develop and maintain secure systems and applications. All critical systems must have the most recently released software patches to prevent exploitation. The average merchant relies upon third party developers for web site maintenance, but unless specifically contracted to update the e-commerce software and add-on modules, don’t count on it.

Only 16.4% of organizations that had suffered a data breach were compliant with Requirement 6, compared to an average of 64% of organizations assessed by our QSAs in 2014- Verizon 2015 PCI Compliance Report.

Payment gateway implementation requirements have changed over time as a result of cross-site scripting and cross-site request forgery (CSRF) to meet current PCI Compliance standards. Merchants should verify all components of their ecommerce ecosystem are current, and have a system for ongoing monitoring and updating.

RESOURCES

  • Magento Security Center
  • VISA MAGENTO SECURITY ALERT, July 2016
  • Christine Speedy, 3D Merchant Services, offers Magento payment gateway module for merchants to improve their omnichannel customer experience and mitigate risk. B2B customer benefits include friction-less payments across all sales channels; text and email Express Checkout, customer invoice portal for 24/7 ACH, credit card, wire and more payment types, and US EMV with level 3 processing. Magento and ERP modules combine to provide a powerful array of solutions to improve cash flow and profits while maximizing security. 954-942-0483.

 

 

Retailers Ask FTC to Investigate Credit Card Industry’s PCI Security Group for Antitrust Concerns

WASHINGTON – The National Retail Federation today announced that it has asked the Federal Trade Commission to conduct an investigation into an organization founded by the credit card industry that sets data security standards, saying the group’s controversial practices raise antitrust concerns.

“We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data security standards in the payment system or any other sector,” NRF Senior Vice President and General Counsel Mallory Duncan said in a letter to FTC Chairwoman Edith Ramirez and other commission members.

The Payment Card Industry Security Standards Council is “a proprietary organization formed and controlled by a single industry sector – the major credit card networks” and “fails to meet any of the principles adopted by the federal government for voluntary standard-setting organizations,” Duncan said. “We believe you will conclude PCI itself is an inappropriate exercise of market power by the dominant U.S. payment card networks and PCI should not continue setting data security standards through its current processes.”

NRF’s request comes as the FTC is conducting an inquiry into how third-party companies perform assessments of PCI compliance by retailers and other businesses that accept credit cards. NRF understands that the FTC is also considering PCI requirements as an example of industry best practices.

The PCI council was formed in 2006 by the major credit card companies – Visa, MasterCard, American Express, Discover and JCB. It imposes its rules on millions of U.S. businesses but continues to be governed by an executive committee made up of representatives of only those five companies.

In a 19-page white paper submitted to the FTC, NRF said the card companies use their market power to “unfairly leverage their brands and proprietary technology through webs of closely controlled interdependent bodies and compliance regimes” including the council. While portrayed as voluntary, the Payment Card Industry Data Security Standard requirements set by the council are “forced upon businesses that cannot refuse to accept credit and debit cards.”

The council’s practices “raise antitrust concerns” for a number of reasons, including “general antitrust dangers when competitors collaborate on setting market standards” and “more targeted concerns insofar as they allow the networks to leverage their proprietary technology,” the paper said.

Among other concerns, PCI requirements act as “as an anticompetitive barrier to innovation” because they “exhaust” funds and other resources retailers have available for data security, the paper said.

NRF asked that the FTC investigate the council’s practices in general and particularly their impact on competition. The FTC should also reject government use of PCI standards as any benchmark for data security, and instead work with “legitimate U.S. standard setting bodies” such as the American National Standards Institute, NRF said.

NRF is the world’s largest retail trade association, representing discount and department stores, home goods and specialty stores, Main Street merchants, grocers, wholesalers, chain restaurants and Internet retailers from the United States and more than 45 countries. Retail is the nation’s largest private sector employer, supporting one in four U.S. jobs – 42 million working Americans. Contributing $2.6 trillion to annual GDP, retail is a daily barometer for the nation’s economy. NRF’s This is Retail campaign highlights the industry’s opportunities for life-long careers, how retailers strengthen communities, and the critical role that retail plays in driving innovation. NRF.com