Recurly Visa Stored Credential Framework blog omission

A Recurly blog article “How Recurly is Supporting Visa’s Stored Credential Framework” has some misinformation. The cited dates are incorrect and merchant responsibilities are understated. Why is that important? Most payment gateways and technology solution providers are not keeping up with the rapid pace of rules and compliance changes, impacting merchant profits and risk. Therefore, payment technology vendor selection, including payment gateway selection, is critical.

Recurly, like others in the cloud solutions space, is partially dependent on their partners to keep their clients in compliance with a myriad of rules. When should technology partners alert their integrated solutions partners about industry changes affecting their mutual clients? Solutions providers and merchants are getting inaccurate advice, or none at all, from trusted advisors, technology providers, and consultants of all sizes and sources.

As soon as Visa released the news in their Merchant Business News Digest in August 2017, Recurly began reaching out to our gateway partners to get ahead of the work required to fulfill the mandates.” The real dates were much earlier than cited. Visa typically announces at least one year in advance of due dates for any significant change, which this update is. Updates were in the October 2016 Visa Core Rules and Visa Product and Service Rules rules, citing changes coming in April and October 2017. On April 27, 2017 Visa published further information for merchants via the Stored Credential Framework document, which also references prior articles published on the subject dating back to 2016.

For most merchants, the mandate went into effect October 14, 2017, not April 2018, however, Visa did announce a delay in compliance action to April 2018.

From Recurly, “There is no action needed from our customers.” While technology solutions and payment gateways manage technical aspects for compliance, there’s much that’s left to merchants. Here’s an excerpt from the Stored Credential Framework document:

Merchants and their third-party agents, payment facilitators, or stored digital wallet operators that offer cardholders the opportunity to store their credentials on file must:
• Disclose to cardholders how those credentials will be used.
• Obtain cardholders’ consent to store the credentials.
• Notify cardholders when any changes are made to the terms of use.
• Inform the issuer via a transaction that payment credentials are now stored on file.
• Identify transactions with appropriate indicators when using stored credentials.

I strongly recommend reading Visa Core Rules Table 5-20: Requirements for Prepayments and Transactions Using Stored Credentials and Disclosure to Cardholder and Cardholder Consent. For example, how will you provide proof of cardholder consent (think time and date stamp) upon request? Are you providing the required receipt with proper format for zero dollars when storing a card without running a transaction?

Note: This article is not a review, endorsement or complaint about the quality of Recurly services which I have never used. It is simply identifying errors and omissions related to the stored credential mandate that may impact merchant profits, risk and decision making. I would have written in their blog comments, but it wasn’t available. When choosing a payment gateway, consider how agile they’ve been in meeting deadlines for changes, and how they’ll help reduce compliance burden, among other factors.

Christine Speedy, CenPOS Authorized Reseller, 954-942-0483 is a PCI Council QIR certified professional based out of South Florida, near Fort Lauderdale, and Rochester, NY, with extensive payment gateway experience. Christine can uniquely help merchants and technology providers navigate the complexities of PCI, acquirer, and card brand compliance rules.

MasterCard Processing Integrity Final Auth Alert

Compliance is not just about payment security. Each card brand has a set of rules for payment processing. Follow them and get rewarded with increased authorizations, reduced fraud risk, and lower merchant fees. The cost of non-compliance is heavy and getting worse.

Look at this MasterCard PROCESSING INTEGRITY FINAL ATH Fee on a recent Chase Paymentech merchant statement.

mastercard PROCESSING INTEGRITY FINAL ATHOver $536,000 multiplied by .25% penalty fee for a total of $1,340.10 in avoidable costs. This is due to not properly authorizing and settling transactions, including reversals for unused authorizations. It’s too complicated to get into why this happens, but I’ve written multiple articles related to authorization validity, including one about the Visa Stored Credential Mandate.

The new fee of 0.25%, minimum $0.04 is assessed for each approved final authorization when:

  • Authorization expired. The Final Authorization transaction is not cleared within 7 calendar days of authorization date.
  • Authorization mismatch. The Final Authorization transaction cleared in 7 calendar days from the authorization date, but the transaction amount is different than the authorization amount and an authorization reversal was not performed within 7 days.
  • Unused Authorization. The Final Authorization transaction did not clear and full authorization reversal was not submitted. What’s really painful about this one, is if an order is cancelled, you can lose .25% of the transaction amount so you lost money not making a sale!

How can merchants avoid the MasterCard Processing Integrity fee?

Technology to manage the authorization and settlement process is the only way. Leaving it up to employees to figure out when an authorization is expiring and when a reversal is needed is a recipe for compliance fees like the above. Plus, chances are whatever system they’re using doesn’t even support the required data messages that need to go with the transaction.

The payment gateway plays a crucial role in authorization validity. A common misconception is that using a popular gateway, or even one owned by a card brand, or acquirer, will automatically get your transactions compliant. That is not the case.

I have extensive knowledge of many payment gateways. In my opinion, the CenPOS cloud commerce platform with suite of business solutions, including payment gateway, offers the best tools to automate authorization validity so you can avoid the MasterCard processing integrity final authorization fee as well as other penalty fees and assessments by multiple card brands.

CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.
Powered by its enterprise-class, end-to-end transaction engine, CenPOS’ secure, cloud-based solutions seamlessly integrate with a merchants existing infrastructure minimizing disruption and saving time and money. Committed to a
merchant-centric approach CenPOS provides a one-to-one level of service and support, enabling merchants to focus on their core business.
Headquartered in Miami, Florida, CenPOS is reshaping the future of commerce through technology innovation and the secure, flexible and simple solutions this enables.

Christine Speedy, CenPOS Global Sales, 954-942-0483 is based out of South Florida, near Fort Lauderdale, and Rochester, NY.

cenpos logo

Equipment Rental Credit Card Processing Rules Change

Bobcat, Caterpillar, and similar that offer rental equipment, all are impacted by new credit card processing rules for rentals. equipment rentals credit card processing

While businesses expect their software, including ERP, Point of Sale, and ecommerce shopping carts to help them manage compliance with credit card acceptance rules, the reality is that many don’t. Compliance increases profits; non-compliance increases new chargeback risks, interchange fees, penalty fees and authorization declines.

Traditional desktop terminals don’t support the new transaction data requirements. If merchant is not using EMV chip device, now is the time to upgrade to a cloud-based solution and fix two problems at once. Rental merchants cannot meet both card acceptance and Payment Card Industry Data Security Standards compliance requirements using traditional paper credit card authorization forms. Cloud technology and a compliant payment gateway are needed. For example, pair the Verifone MX 915 with the CenPOS validated Point to Point Encryption (P2PE) solution and use either a standalone or integrated to ERP such as Microsoft Dynamics AX.

Key elements for compliance:

Initial authorization transaction must send new transaction indicator that it’s an estimate; the final amount could change for example because the renter kept it longer or damaged the equipment. This is technically managed by the payment gateway.
If applicable, send incremental authorizations with related indicator.
If storing the card, the Visa Stored Credential mandate outlines the specific requirements for agreement with customer, cardholder authentication, and procedures to use a stored card on file. For example, perform cardholder authentication with either security code or 3-D Secure. 3-D Secure can only be invoked if the customer self-pays; it shifts friendly fraud liability to the issuer and merchants can also qualify some cards for even lower interchange rates. CenPOS Express Checkout via text or email includes 3-D Secure capability as part of a layered security approach.
Final authorization with related indicator.
Update language in agreements for opt-in to terms and conditions as required by Visa.

Card issuers and acquirers were mandated to be compliant in 2017, and merchants by October 2017, however, there’s no mandate for payment gateways. Even if an existing payment gateway supports the new requirements, merchants must make changes. Visa is the most complex, however other brands have similar rules.

From tokenization to Express Checkout, CenPOS creates a seamless commerce experience throughout the enterprise. Innovations, including Express Checkout via text or email, help businesses maximize profit in all departments. CenPOS takes the heavy lifting out of payment acceptance offering a range of solutions that simplify every aspect of implementing, operating and maintaining a payment system enabling merchants to focus on their business.

CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships. Powered by its enterprise-class, end-to-end transaction engine, CenPOS’ secure, cloud-based solutions seamlessly integrate with a merchants existing infrastructure minimizing disruption and saving time and money. Committed to a merchant-centric approach CenPOS provides a one-to-one level of service and support, enabling merchants to focus on their core business.

Headquartered in Miami, Florida, CenPOS is reshaping the future of commerce through technology innovation and the secure, flexible and simple solutions this enables. Christine Speedy, CenPOS Global Sales, 954-942-0483.

Reference:

https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf

See also core rules, especially section 5 https://usa.visa.com/dam/VCOM/download/about-visa/visa-rules-public.pdf

Are You Compliant? B2B Credit Card Processing Fact Check

Merchant compliance with various credit card processing rules maximizes profits while mitigating risk. This is especially true for business to business companies. But that task is getting harder and harder with the onslaught of new rules, and virtually impossible if not using a sophisticated cloud solution to help manage compliance.

b2b visa stored credentialIf your B2B company stores credit cards, there’s a pretty good chance you’re not compliant. For example, Visa’s 2017 Stored Credential Transaction framework (PDF download from Visa) outlines merchant responsibilities to obtain customer consent as well as storing credit cards, using stored credentials (token), and managing stored tokens. Failure to comply with Authorization rules, for example preauthorization and final settlement do not match, has far-reaching consequences including higher interchange rates (the bulk of credit card processing fees), penalty fees and new chargeback risks. With so many new rules across multiple card brands that vary based on business and transaction type how can a business quickly ascertain if they’re compliant?

Quick tips to validate compliance:

  1. Is cardholder authentication performed when a new card is stored? When the cardholder data is entered and submitted, the issuer responds with an approval or declined message. A small charge is not an acceptable practice to submit transaction for approval; instead a zero dollar authorization request for authentication is submitted. If authentication is via 3-D Secure -Verified by Visa, MasterCard Secure Code, whereby the customer self-authenticates vs merchant initiating, reduced rates may apply. Under the new rules, two transactions occur at the time a card is stored. Compliant answer is yes.
  2. Is a transaction receipt delivered to customer when you store a credit card? This will be either for an amount or a zero dollar authorization. When stored credit card credential (token) is created, a transaction receipt is generated with the approval or decline and other mandatory fields. Compliant answer is yes.
  3. Does the receipt include “RECURRING” or “REPEAT SALE” for token transactions? Compliant answer is yes.
  4. Review merchant statements, usually the last 1-2 pages with the heading “pending interchange” or “fees” section. Do you see EIRF, STANDARD (STD), or DATA RATE I? Compliant answer is no.
  5. Can you produce documentation of customer consent to store their card (including with 3rd party service) and how it will be used?

If you’re not in compliance, your payment gateway is the most likely culprit, followed by ERP or other software integration limitation. I can fix that.

Reference: Links for all Card brands.

Christine Speedy, CenPOS Sales 954-942-0483, 9-5 ET. Need help getting compliant? Ask me!

3dcart and CenPOS Payment Gateway Partner To Grow B2B Vertical

Miami, FL April 23, 2018. The business-to-business (B2B) e-commerce sales channel presents new opportunities and challenges, particularly with increasingly complex credit card processing requirements. 3dcart, a leading e-commerce platform, has partnered with CenPOS, an integrated technology commerce platform. The CenPOS ‘Super Payment Gateway’ maximizes profits while mitigating the higher dollar value transaction risk in the B2B vertical.

Payment gateways directly impact the cost of credit card acceptance, including interchange fees, the bulk of merchant fees. The CenPOS 3dcart integration offers all the required elements to qualify B2B transactions for the lowest rates possible, including:

  •  Level 3 data for purchasing, corporate and business cards
  • Resolve authorization and settlement amount mismatch
  • Visa unscheduled, recurring, and installment stored credential mandate compliance
  • 3-D Secure – Verified by Visa, MasterCard SecureCode, American Express Safekey and Discover ProtectBuy

“Our first mutual customer reduced fees over 30% just by changing their payment gateway,” commented Christine Speedy, CenPOS sales expert for 3dcart users. “Both our customers can expand into new markets while maximizing profits, security and compliance.”

“With the CenPOS integration, we expand the payment solutions offered by 3dcart to provide existing and prospective customers globally an additional alternative to how they process credit cards today, with any acquirer they choose,” stated Gonzalo Gil, 3dcart CEO.

The 3dcart CenPOS integration currently supports credit card, EFT/echeck with and without guarantee, Paypal and alternative payment methods. CenPOS POS and mobile and are available standalone now and will be integrated in the future to provide 3-D Cart customers a validated point to point encryption (P2PE) option. A validated P2PE solution significantly reduces merchant scope for PCI Compliance. CenPOS also includes to all 3dcart customers their electronic bill presentment and payment (EBPP) solution, supporting wire payments, text messaging, and other key B2B items of interest.

cenpos logoAbout CenPOS

CenPOS (https://www.CenPOS.com is a merchant-centric, end-to-end payments engine that drives enterprise-classsolutions for businesses, saving them time and money, while enabling merchants to create deeper lasting relationships with their customers. CenPOS’ secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.  PCI Level 1 Service provider, QIR Certified, P2PE Validated, HIPAA compliant. https://www.cenpos.com/ CenPOS 877-630-7960, Christine Speedy direct 954-942-0483.

logo 3dcartAbout 3dcart

3dcart (https://www.3dcart.com) is the most SEO-friendly eCommerce platform for retailers and internet marketers to grow their online stores’ traffic and sales. 3dcart includes 24×7 Technical Support, 100+ Mobile-Ready Themes, order management software, built-in blog, email marketing tools and more. Since 1997, the company has been a leader in the eCommerce market, building online stores for businesses of all sizes. Today, 3dcart is Visa PCI Certified and a Google Partner. Sales 800-828-6650