Archive for the ‘PCI Compliance’ Category

Visa Announces U.S. Participation in Global Point-of-Sale Counterfeit Liability Shift

Tuesday, August 9th, 2011

Visa is announcing plans to accelerate the migration to contact chip and contactless EMV chip technology in
the U.S. The adoption of dual-interface chip technology will help prepare the U.S. payment infrastructure for the
arrival of Near Field Communication (NFC)-based mobile payments by building the necessary infrastructure to
accept and process chip transactions.

Not only will chip technology accelerate mobile innovations, it is also expected to enhance payment security
through the use of dynamic authentication. Chip technology greatly reduces a criminal’s ability to use stolen
payment card data by introducing dynamic values for each transaction. Even if payment card data is
compromised, a counterfeit card would be unusable at the point of sale (POS) without the presence of the
card’s unique elements. By eliminating static authentication, we reduce the value of stolen cardholder data,
benefiting all stakeholders.

Visa’s plan includes merchant incentives to upgrade to EMV chip-enabled terminals, requirements for acquirer
processors to support chip acceptance and the introduction of U.S. liability shift policies.

Specifically, Visa will waive Payment Card Industry Data Security Standard (PCI DSS) compliance validation
requirements to encourage merchant investment in contact and contactless chip payment terminals. Visa will
also require acquirer processors to ensure that their systems support dynamic data acceptance (i.e., chip) and
will institute a domestic and cross-border counterfeit liability shift.

Visa’s Counterfeit Liability Shift Policies

Visa intends to institute a liability shift in the U.S. for domestic and cross-border counterfeit transactions
effective 1 October 2015. Visa’s global POS counterfeit liability shift policies are designed to encourage EMV
chip card issuance and acceptance in participating geographical regions, effectively creating a more secure
environment for transactions within and between each participating Visa region. Note: The liability shift
encourages chip transactions because any chip-on-chip transaction (i.e., a chip card read by a chip terminal)
provides dynamic authentication data, which helps to better protect all parties.

With this type of liability shift, the party that is the cause of a chip-on-chip transaction not occurring (i.e., either
the issuer or the merchant’s acquirer) will be financially liable for any resulting card-present counterfeit fraud
losses. When a transaction occurs using chip technology, any liability for counterfeit fraud, though unlikely,
would follow current Visa Operating Regulations.

The policy assigns liability for counterfeit fraud to the party that has not made the investment in EMV chip cards
(issuers) or terminals (merchants’ acquirers). The policy encourages wider deployment of EMV cards and
terminals.

EMV chip implementation is accelerating globally. Today, excluding the U.S., 44 percent of all cards are EMV
chip cards, and 74 percent of all terminals are EMV chip-capable, with 62 percent of cross-border transactions
conducted with a chip card at a chip terminal.

U.S. Participation Introduced in Global Counterfeit Liability Shift Policy

Visa plans that effective 1 October 2015, the U.S. will be included in the Global POS Liability Shift Policy, which
will apply to all issuers and merchants’ acquirers in the U.S., with the exception of transactions at Automated
Fuel Dispensers (AFDs). Transactions made at AFDs will be excluded from the liability shift for a period of two
(2) years due to the challenges faced by the petroleum industry in upgrading terminals to accept EMV chip
cards. Similarly, effective 1 October 2017, transactions made at AFD terminals will be included in the Global
POS Liability Shift Policy.

Note: This liability shift policy change excludes counterfeit fraud at U.S. ATMs. Visa will continue to evaluate
the potential for an expansion to include ATMs.

Preparing for Payment Technology Evolution

As the U.S. point-of-sale payment infrastructure continues to evolve from the static magnetic stripe to intelligent
devices such as EMV chip cards and Near Field Communication (NFC) mobile phones, this liability shift policy
change will help ensure that the acceptance infrastructure is ready. It will also allow acquirers, merchants and
issuers to invest in new technology to ensure that cardholders can continue to make secure and frictionless
transactions across all channels.

2011 Data Breach report insider theft credit card processing

Tuesday, April 26th, 2011

In this first article of a series, we explore insider theft related to data breaches, based on key elements of the Verizon 2011 data breach report. The number of 2010 data breaches exploded in companies with 11 to 100 employees. A key commonality is simply that the opportunity was there.

The 2011 Data Breach Investigations Report (DBIR) is a study conducted by the Verizon RISK team in cooperation with the U.S. Secret Service and the Dutch High Tech Crime Unit.

Who is behind the data breaches?

  • 92% external agents
  • 17% implicated insiders
  • < 1% business partners
  • 9% involved multiple parties

How do breaches occur?

  • 50% involved some sort of hacking
  • 49% incorporated malware
  • 29% physical attacks
  • 17% from privilege misuse
  • 11% employed social tactics

What commonalities exist?

  • 83% were victims of opportunity
  • 92% were not difficult
  • 76% of all data was compromised from servers
  • 86% discovered by a third party
  • 96% were avoidable through simple or intermediate controls
  • 89% of victims subject to PCI-DSS had not achieved compliance

End of excerpt. Continue reading for blog author comments.

A healthcare company stores credit card data on servers, unencrypted. Their excuse? It’s not connected to the actual credit card processing and access is restricted, so it’s not a PCI Compliance problem. See related article Shocking lack of payment processing security in healthcare industry. No data breach yet, but statistically, the company is at great financial risk, including a fine of up to $1.5 million for violating the HITECH Act.

Employees at a car dealer tape passwords next to their computers and in the first unlocked drawer of their desks. Their excuse? It’s too hard to remember the password, and they don’t acknowledge it’s a security issue.

Employees at a retail rental shop have a file folder in plain view of anyone entering the shop containing copies of driver’s licenses and the front and back of credit cards. Their excuse? They didn’t know they couldn’t do it and didn’t know of an alternative method that would meet their needs to bill customers if they never returned with the goods.

Think these are exceptions? Businesses everywhere have these problems in some fashion. As each of these examples illustrates, employee training is essential. Industry wide, merchants are completing PCI Compliance Security Standards data worksheets. At that point in time, the merchant can be certified PCI Compliant. But without internal enforcement and training, the merchant is generally not compliant when a data breach occurs and thus is fully liable for all the associated fines, fees and damages.

In conclusion, the establishment of training procedures and distribution of data security expectations to employees is essential. Most employees are honest, right? But when companies have lax security policies, it presents an OPPORTUNITY for good employees to break the law.

Here are three things you can do to mitigate internal employee risk:

  1. Create a data security training checklist for all employees handling sensitive data. Update the training and content quarterly or at least once per year. The employee cannot accept credit cards or any sensitive data until they’ve completed training and signed and dated the checklist.
  2. Make data security a formal part of employee performance reviews. Require annual checklist review and signature at the time of performance reviews.
  3. Implement a reward system for identifying vulnerabilities in real-life practices, whether people, software, or hardware.

Bonus: Implement a hosted payment processing solution with extensive tools to prevent internal fraud. Call for information.

Shocking lack of payment processing security in healthcare industry

Thursday, April 21st, 2011

There’s room for improvement in medical billing for card not present transactions. The lack of security in the healthcare industry with respect to payment processing is evident in nearly every business I’ve interviewed in the last two years. With all the effort put into HIPAA, you’d think they’d be more likely to be PCI Compliant than other industries, but in my experience talking to and interacting with healthcare companies, I think 50% PCI DSS (Payment Card Industry Data Security Standards) Compliance would be extremely optimistic.

So what’s got my dander up today? A widespread lack of security by healthcare suppliers with my HSA debit card data. Before giving out my credit card information, I always ask what they are going to do with it. As a cardholder, I have a right to know. Like many Americans, I have an HSA account and funds for payments are accessible only via a debit card. That means any misuse could wipe out the account. Under Visa’s Zero Liability policy, consumers are not held responsible for fraudulent charges made with the card or account information, but identity theft is another matter that the consumer is left to deal with.

I talked to three different personnel for the story that follows. The last one said the first two didn’t entirely follow normal protocol, which does nothing to spare them from the liabilities associated with identity theft.

This article is about a medical industry merchant storing credit card data in a database and the misunderstanding of potential liability exposure as a result. Storing card data even for 24 hours poses a huge risk both financially and criminally. In this article we’ll review their processes and solutions to mitigate risk.

First, let’s review the payments process.  Consumers receive invoices in the mail. They can mail a check or pay by Visa or MasterCard by returning a form, or call on the phone. The merchant then uses a multi-step process to collect the information and process it.

PAY INVOICE BY MAIL

credit card payment form

This invoice format is quite common for medical billing.

RISK: The merchant collects the CVV code, listed as signature code above, and bills are sent to their corporate office. Collecting and storing CVV codes is always a bad idea. The mail could be stolen by internal employees familiar with the billing process. Someone could copy or even quickly photograph each billing form. It’s doubtful they could prove PCI Compliance, and they would likely have no safe harbor in the event of a data breach.

SOLUTION: Remove the security code from the form. Have all bills sent to a lockbox. Reduce mail payments by enabling customers to pay their bills online.

PAY INVOICE BY PHONE

The first person to take my payment was covering for someone who was on vacation or otherwise out of the office.

  • She took down my invoice number and credit card information on a piece of paper. She entered something into their billing system so there was  a record of my call and payment.
  • The paper went into an “in box”. It was Friday.
  • The person emptying the “in box” and posting payments would be in Monday to complete the transaction.
  • Monday the posting person key entered the transaction into a desktop terminal.
  • Tuesday, presumably,  paper was shredded. The paper is held for a day to ensure the payment went through properly so the customer does not need to be called.

RISK:  The paper with full card data was exposed for up to 5 days. Was the ‘in box’ emptied and put in a locked drawer when not being worked on, including breaks? Do cleaning personnel have access to the facility on evenings and weekends?

SOLUTION: Enter the card information directly into our smart virtual terminal. Some flexible options include:

  • Entering the card and customer data and instantly charging the account. In this case, you can enter the CVV for extra fraud protection.
  • Creating a customer and entering the card information for later billing. Using a process called tokenization, the card data is stored encrypted on PCI Compliant servers, never at the merchant location.  CVV is NEVER stored, not even encrypted, since it’s against card association rules.
  • Entering the card and customer information and obtaining an authorization only, for other personnel to charge later.

The second person to take my payment on a future date was the actual representative for my account.

  • She entered information in the billing system so there was  a record of my call and payment.
  • My card data, including CVV,  was entered into a ‘notes’ section of the billing database.
  • The customer service representative has no access to see the card data after it is entered.
  • An accounting person retrieves the card data for payment in bulk with others within 1 business day.
  • The posting person key enters the transaction into a dial-up desktop terminal.
  • The next business day, presumably,  the computer notes are deleted.

RISK:  Full card data is exposed on a computer network. It doesn’t matter that access is restricted to certain personnel. This data storage is certainly a violation of FACTA and PCI Compliance standards, and probably HIPAA too. The merchant is open to both criminal and financial penalties in the event of a data breach. Additionally, the merchant would need to securely wipe or destroy every associated hard drive removed from service in the future to eliminate data theft potential.

SOLUTION: Enter the card information directly into our smart virtual terminal, same as above.

What are the financial risks with this data exposure?

  • Replacement cost per card compromised, $25.
  • Mandatory consumer credit report service for one year, $12/month per cardholder.
  • Reimburse all claims from card associations.
  • Fines from FACTA, HIPAA, and PCI Compliance violations
  • Your business could come to a screeching halt while a forensics team investigates.
  • Bad PR could result in loss of business.

What are the criminal risks associated with card data exposure? Felony.

FINAL NOTES: There is some use of an online gateway within the organization, but those details are unknown. I spoke to staff who believe that since the payment processing is via a dial-up terminal and is not connected to the card data in the database, there is no risk. That is completely untrue. The company would not only save time by reducing steps, but would tremendously reduce risk by key entering card data directly into a virtual terminal. Moreover, an intelligent VT would provide a boatload of other benefits.

Ignorance is not an excuse. PCI Compliance standards were established nearly a decade ago. A critical first step to compliance and mitigating risk is a solution that supports all your payment processing needs. We offer that solution.

See also related article, How to reduce time and money for outpatient procedure billing.

On a side note, based on the invoice billing form, the merchant is not accepting American Express cards, probably because they don’t want to pay the high fees associated with Amex. If managing costs to improve EBITDA is important, our hosted payment processing platform with intelligent switch is critical.

Verizon 2011 Data Breach Investigations Report: Breaches Increased Dramatically While Data Loss Was at All-Time Low

Tuesday, April 19th, 2011

Cyber Criminals Shifting to Smaller, More Opportunistic Attacks; External Attacks, Especially Hacking, on Rise

April 19, 2011

NEW YORK – Data loss through cyber attacks decreased sharply in 2010, but the total number of breaches was higher than ever, according to the “Verizon 2011 Data Breach Investigations Report.” These findings continue to demonstrate that businesses and consumers must remain vigilant in implementing and maintaining security practices.

The number of compromised records involved in data breaches investigated by Verizon and the U.S. Secret Service dropped from 144 million in 2009 to only 4 million in 2010, representing the lowest volume of data loss since the report’s launch in 2008. Yet this year’s report covers approximately 760 data breaches, the largest caseload to date.

According to the report, the seeming contradiction between the low data loss and the high number of breaches likely stems from a significant decline in large-scale breaches, caused by a change in tactics by cybercriminals. They are engaging in small, opportunistic attacks rather than large-scale, difficult attacks and are using relatively unsophisticated methods to successfully penetrate organizations. For example, only 3 percent of breaches were considered unavoidable without extremely difficult or expensive corrective action.

The report also found that outsiders are responsible for 92 percent of breaches, a significant increase from the 2010 findings. Although the percentage of insider attacks decreased significantly over the previous year (16 percent versus 49 percent), this is largely due to the huge increase in smaller external attacks. As a result, the total number of insider attacks actually remained relatively constant.

Hacking (50 percent) and malware (49 percent) were the most prominent types of attack, with many of those attacks involving weak or stolen credentials and passwords. For the first time, physical attacks, such as compromising ATMs, appeared as one of the three most common ways to steal information, and constituted 29 percent of all cases investigated.

For the second year in a row, the U.S. Secret Service collaborated with Verizon in preparing the report. In addition, the National High Tech Crime Unit of the Netherlands Police Agency (KLPD) joined the team this year, allowing Verizon to provide more insight into cases originating in Europe. Approximately one-third of Verizon’s cases originated in either Europe or the Asia-Pacific region, reflecting the global nature of data breaches.

“Through our Data Breach Investigations Report series, Verizon continues to provide the industry with a first-hand look at cybercrime around the globe,” said Peter Tippett, Verizon’s vice president of security and industry solutions. “This year, we witnessed highly automated and prolific external attacks, low and slow attacks, intricate internal fraud rings, countrywide device-tampering schemes, cunning social engineering plots and more. And yet, at the end of day, we found once again that the vast majority of breaches can be avoided without extremely difficult, expensive security measures.”

Tippett added: “It is important to remember that data breaches can happen to any business — regardless of size or industry — or consumer, at any place in the world. A good offense remains the best defense. It is imperative to implement essential security measures broadly throughout your security infrastructure, whether that is a small home setup or an expansive enterprise infrastructure.”

U.S. Secret Service Assistant Director A.T. Smith said, “Americans over the past several years have seen the significant impacts data breaches are having on our nation’s financial infrastructure. Today cyber criminals are operating in nearly every civilized nation in the world, exposing Americans’ personal information, either stored or transmitted, to substantial risk.”

Smith added, “By participating in the Verizon 2011 Data Breach Investigations Report, the Secret Service is working closely with our private-sector partners to educate Americans about the threats of cyber criminals. With the help of our Electronic Crimes Task Force partners, such as Verizon, we are studying technologies and trends to prevent and mitigate attacks against critical financial infrastructure.”

The Data Breach Investigation Report (DBIR) series now spans seven years and more than 1,700 breaches involving more than 900 million compromised records, making it the most comprehensive study of its kind.

(NOTE: Additional resources supporting the 2011 Data Breach Investigations Report are available, including high-resolution charts and an audio podcast. B-roll available upon request.)

Key Findings of the 2011 Report

Data from the 2011 report shows that:

  • Large-scale breaches dropped dramatically while small attacks increased. The report notes there are several possible reasons for this trend, including the fact that small to medium-sized businesses represent prime attack targets for many hackers, who favor highly automated, repeatable attacks against these more vulnerable targets, possibly because criminals are opting to play it safe in light of recent arrests and prosecutions of high-profile hackers.
  • Outsiders are responsible for most data breaches. Ninety-two percent of data breaches were caused by external sources. Contrary to the malicious-employee stereotype, insiders were responsible for only 16 percent of attacks. Partner-related attacks continued to decline, and business partners accounted for less than 1 percent of breaches.
  • Physical attacks are on the rise. After doubling as a percentage of all breaches in 2009, attacks involving physical actions doubled again in 2010, and included manipulating common credit-card devices such as ATMs, gas pumps and point-of-sale terminals. The data indicates that organized crime groups are responsible for most of these card-skimming schemes.
  • Hacking and malware is the most popular attack method. Malware was a factor in about half of the 2010 caseload and was responsible for almost 80 percent of lost data. The most common kinds of malware found in the caseload were those involving sending data to an external entity, opening backdoors, and keylogger functionalities.
  • Stolen passwords and credentials are out of control. Ineffective, weak or stolen credentials continue to wreak havoc on enterprise security. Failure to change default credentials remains an issue, particularly in the financial services, retail and hospitality industries.

Recommendations for Enterprises

The 2011 report found again that the prescription for data breaches is to use simple, essential security practices such as:

  • Focus on essential controls. Many enterprises make the mistake of pursuing exceptionally high security in certain areas while almost completely neglecting others. Businesses are much better protected if they implement essential controls across the entire organization without exception.
  • Eliminate unnecessary data. If you do not need it, do not keep it. For data that must be kept, identify, monitor and securely store it.
  • Secure remote access services. Restrict these services to specific IP addresses and networks, minimizing public access to them. Also, ensure that your enterprise is limiting access to sensitive information within the network.
  • Audit user accounts and monitor users with privileged identity. The best approach is to trust users but monitor them through pre-employment screening, limiting user privileges and using separation of duties. Managers should provide direction, as well as supervise employees to ensure they are following security policies and procedures.
  • Monitor and mine event logs. Focus on the obvious issues that logs pick up, not the minutiae. Reducing the compromise-to-discovery timeframe from weeks and months to days can pay huge dividends.
  • Be aware of physical security assets. Pay close attention to payment card input devices, such as ATMs and gas pumps, for tampering and manipulation.

A complete copy of the “Data Breach Investigations Report” is available for download.

About Verizon
Verizon Communications Inc. (NYSE, NASDAQ:VZ), headquartered in New York, is a global leader in delivering broadband and other wireless and wireline communications services to mass market, business, government and wholesale customers. Verizon Wireless operates America’s most reliable wireless network, serving 94.1 million customers nationwide. Verizon also provides converged communications, information and entertainment services over America’s most advanced fiber-optic network, and delivers innovative, seamless business solutions to customers around the world. A Dow 30 company, Verizon employs a diverse workforce of more than 194,000 and last year generated consolidated revenues of $106.6 billion. For more information, visit www.verizon.com.

Virtual Terminal tokenization video demo for storing credit card

Monday, February 28th, 2011

Can I store encrypted credit card data and bill different amounts to a customer?  Yes, and this video demo of our most advanced virtual terminal shows you exactly how. This is a universal PCI Compliant virtual terminal, meaning it’s compatible with all major credit card processors.

Almost any virtual terminal solution can securely store card data for recurring billing, where the card is charged the same amount each time, but none of the most popular virtual terminals offers a secure token solution to charge a variable amount. Chase Paymentech’s Orbital® Gateway, Authorize.net®, and PC Charge® all offer recurring billing, but do not offer variable amount billing for their standard gateway. If there is a custom option, I’m not aware of it.

Chase Paymentech Orbital, Authorize.net, and PC Charge are all gateways. Our solution is a SWITCH, and also a gateway. What’s the difference? A gateway passes data over the internet to facilitate an electronic transaction. A switch identifies the data, makes logical decisions, and then routes the data based upon pre-defined parameters. For example, a gateway passes card data from the point of collection to the payment processor. Our switch can identify the card issuing bank, determine what’s needed to qualify the transaction for the lowest cost interchange, and then pass the data needed to meet that requirement. This is just one example of what switch technology can do.


Virtual Terminal Solutions for Attorneys

Wednesday, January 5th, 2011

This article on Virtual Terminal Solutions addresses credit card processing in a law firm or individual attorney practice. How can you improve security, prevent fraud, improve PCI Compliance, and reduce time to collect payments from repeat clients?

Virtual terminals are accessed via a secure web page enabling merchants to key enter credit card or other payment information. I recently helped someone hire a specialized attorney. There was no need to meet the attorney in person, and as it turns out, the specialist wasn’t local anyway. Read this article and see if you find any similarities with your own legal practice.

SCENARIO:  Collecting payment with customer not present.
A prospective client contacts an attorney regarding a legal matter for a third party. The individual desires to pay the legal bills for the party needing the services. After a brief discussion, the attorney sends a questionnaire to be filled out. After reviewing the information, a conference call is to be scheduled. There is an initial consultation fee for research, review and conference call. If the client desires to move forward, additional payment(s) will apply.

The party paying the bill requested to supply credit card information immediately to avoid any future delays as the process moved forward. The ‘regular staff’ wasn’t in due to the holidays and an assistant took the credit card information over the phone, including CVV security code, writing it down on paper. The firm will charge the card on the conference call date. I know the assistant doesn’t normally handle this function, but how often does this scenario happen in your law firm?

AVOID HIGH RISK

Collecting and writing down CVV information is a risky practice, and is generally not acceptable for most PCI Compliance situations. Creating a policy for Storage of Credit Card Details both on and off your premises is an essential element of PCI Compliance. Your company should have a clear written policy and all employees with access to sensitive information should have at least an abbreviated version of the written policy and have had training.

See related article, “Should you require CVV or AVS for phone orders?”.

How can a virtual terminal improve data security?

The key to selecting the best virtual terminal for a law firm is understanding the entire process for how payments are made, knowing the differences in virtual terminals available, and understanding the steps to PCI Compliance.

CRITERIA FOR SELECTING CREDIT CARD PROCESSING VIRTUAL TERMINAL SOLUTION FOR A LAW FIRM

  1. Must enable multiple users, each with their own login. This is so you can track who makes every transaction. (Risk Management)
  2. Uniquely control user privileges: who can enter “sale”, “void”, “refund”. Each of these should be uniquely configurable. Most systems provide ALL privileges to all users, but to reduce risk, you shouldn’t provide refund capabilities to someone who is not normally involved in the billing process, as in the scenario above.
  3. Token billing for variable amounts: if you want to re-bill a customer over and over again, require tokenization. There are two unique types of token billing. One is to charge a variable amount on demand; the other is to charge multiple payments of the same amount at specific intervals, also known as installment payments. The card data is key entered via a secure web page one time only. Most solutions have an installment option, but very few have a solution for variable amount, on-demand payments.

BONUS CRITERIA: these features are not required, but there are strong reasons to put them on your list.

  1. Client/contract management. With this solution, the merchant can set up multiple contracts for the same client ID, and assign different billing periods, amounts etc.; enter the card data one time only. Each contract is given a unique token.
  2. Least cost routing. This technology will automatically require AND pass all data elements needed to qualify for the lowest cost interchange for any given card type, on to your processor. Human error and specific technical knowledge are eliminated from the process. This feature can reduce costly downgrades; for example up to .70% extra on corporate credit cards. What’s unique about this?
  • Not all virtual terminals collect the information needed.
  • Not all virtual terminals REQUIRE the information needed so it’s easy to bypass.
  • Not all virtual terminals pass on the data to the processor even if it’s collected; the merchant has no way of knowing what’s needed or what is passed on.
  • Users are typically in control, rather than intelligent software.
  • Most virtual terminals are simply gateways. There are input fields and data is passed forward. Our professional services virtual terminal solution is not just a gateway. It’s an intelligent switch that recognizes the card type and determines what is the least costly way to submit the transaction for processing. Then it collects and passes the necessary data.

3D MERCHANT SOLUTION: All of the above, plus these additional law firm friendly features:

Would you like data interaction between your credit card processing and your legal software? Via API or CSV Export, you can update your legal software application. You CANNOT export or see card data ever, but you can use last 4 digits, name, card type and other fields.

Executive Reporting: Who’s billing the most? Eliminate wasted time creating reports and totaling data. Via the executive dashboard, you can see billing in real time, with up to 7 years of data to pull from. Organize your reporting preferences by division, region, and/or attorney.

See related article best virtual terminal for card not present for comparison.

FAQ for 3D Merchant recommended virtual terminal

How much does the virtual terminal cost?

The virtual terminal is very affordable. Pricing is based on volume, either dollars or transactions. Depending on your credit card processing fees now, it may even be net neutral. For a firm proposal, please submit at least 2 months merchant statements for review. (You can keep your processor or change, no difference in price.)

Are there computer requirements? High speed internet and an updated browser with the Flash plugin. PC or Mac compatible.

How easy is it to use? After logging in and changing the temporary password, most users will figure out everything they need to know in about 5-10 minutes. There are dozens of short 15-30 second HELP video clips for instant answers.

What is the implementation time? Contract approval to account set up is usually 2-5 business days. If you’re switching processors, we’ll have everything ready for you to start accepting payments immediately. Just add users in a matter of minutes and you’re ready to go. You can even batch upload existing client data.

If you’re not switching processors, we’ll provide you with a form for your processor to complete so we can link to your existing merchant account.

3D Merchant newsletter red flags rule, American Express, token billing

Wednesday, December 15th, 2010

Read the latest merchant news bulletin in 3D Merchant Services newsletter. Highlights include Red Flags Rule, American Express critical fee change, and Re-bill customers using tokens to prevent identity theft. Plus: What’s your risk for a financial data breach?

3D Merchant Services newsletter (PDF download)

What is token billing?

Tuesday, December 7th, 2010

Token Billing enables a merchant to store encrypted card data and then charge the card again at a later date. Unlike recurring billing, merchants can charge a VARIABLE AMOUNT to the same credit card. Tokenization is the process of collecting, storing, and rebilling encrypted credit card data. Our PCI Compliant solution enables you to control spiraling credit card fees, reduce fraud risk, and see real time cash flow reports.

B2B companies often need this service. Their customers sign faxed forms authorizing the merchant to bill their card on an ongoing basis. Lawyers, accountants, staffing and service companies with auto fleets are all examples of companies who can benefit.

TOP REASONS TO USE OUR TOKEN BILLING SOLUTION

  • Enter customer profile data one time only, then simply enter the token ID and amount to charge for subsequent transactions. Save TONS of billing time.
  • Unlimited customers – pay only when you charge a customer, plus a minimum monthly fee.
  • Host based solution. No software to download.
  • Always up to date with the latest parameters for interchange qualification (the wholesale cost of credit card processing).
  • Least cost routing will identify the lowest cost method to process a transaction and pass all data needed to qualify for it. This is NOT just providing the standard level II data that 99% of other service providers deliver.
  • Compatible with all major payment processors.
  • PCI Compliant. No credit data is ever stored at your facility.

Certain industries may also be eligible for PIN-less debit. This enables merchants to qualify for PIN-debit interchange rates, even though the customer is not present to enter their PIN. Given the closing gap on the merchant value of PIN debit vs signature debit, our solution will route your transaction based on cost and risk factors that you choose.

Read more about token billing.