Archive for the ‘merchant account Q&A’ Category

What’s the difference between tokenization and encryption for payment card data?

Wednesday, May 9th, 2012

Tokenization is the process of replacing sensitive data with a meaningless number. There is no universal standard for tokenization in payments. The key principle is that no part of the token has any relation to the credit card or check data. The tokens themselves are useless outside of the system for which they are designed to be used. Tokens can be created for one-time use or stored for recurring use.

Encryption is the conversion of data into a form that cannot be easily read by others. That which is encrypted can be decrypted.

The Payment Card Industry Data Security Standard (PCI DSS) does not allow credit card numbers to be stored on a retailer’s point-of-sale (POS) terminal or in its databases after a transaction, with very rare exception. If you store card data on your servers, regardless of access limitations, you’ll have a hard time proving your company was PCI compliant in the event of a data breach. The financial liability, and potential criminal liability, is substantial.

If PAN data (the primary account number, i.e. the credit card number) is encrypted, it’s still within the merchant’s scope for PCI because it can be decrypted. The exception is if the merchant is using a third party that uses PCI compliant strong encryption, and the merchant has no ability to decrypt the data and get back PANs. *

Tokenization helps merchants reduce the scope of PCI DSS compliance whenever credit card data is stored, because the merchant cannot reverse engineer the token to access the PAN data. Encryption can be used by the third party to protect the data in the token vault; it is not required by PCI. When a merchant uses a token to process a transaction, the associated payment information in the vault is delivered to the processor. How and in what format? The logical and physical elements vary by provider and specific controls are secret for security reasons, but it’s a fair question to ask when considering a new provider.
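To make the distinction concrete, here is an added Python example (not CenPOS code, and not from the original post) contrasting a reversible encryption store with a random-token vault: the encrypted PAN comes back to anyone holding the key, while the token is a random number that fails the Luhn check, shares no digit run with the PAN, and can only be resolved by the vault. The toy HMAC-based stream cipher, the test PAN and the 16-digit token format are this example’s assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed test PAN (a standard Visa test number), not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(number: str) -> bool:
    """Mod-10 check that every real PAN passes."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def encrypt_pan(pan: str, key: bytes) -> bytes:
    """Toy CTR-style cipher (HMAC-SHA256 keystream, random nonce) used only to
    show reversibility; a real vault would use AES. Whoever holds `key` can
    reverse this, which is why encrypted PANs stay in PCI scope."""
    data = pan.encode()
    assert len(data) <= 32, "toy keystream is a single SHA-256 output"
    nonce = secrets.token_bytes(16)
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return nonce + bytes(a ^ b for a, b in zip(data, stream))


def decrypt_pan(blob: bytes, key: bytes) -> str:
    nonce, body = blob[:16], blob[16:]
    stream = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(body, stream)).decode()


def shares_digit_run(token: str, pan: str, n: int = 4) -> bool:
    """True if any run of n consecutive PAN digits also appears in the token."""
    return any(pan[i:i + n] in token for i in range(len(pan) - n + 1))


class TokenVault:
    """Maps PANs to random 16-digit tokens. Nothing in a token is derived from
    the PAN, so tokens held without vault access reveal nothing."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}

    def tokenize(self, pan: str) -> str:
        if pan in self._token_by_pan:          # same token reused for recurring billing
            return self._token_by_pan[pan]
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            # Reject candidates that could pass as a real PAN (Luhn-valid), collide
            # with an issued token, or reuse a run of the PAN's own digits.
            if (not luhn_valid(token) and token not in self._pan_by_token
                    and not shares_digit_run(token, pan)):
                break
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (the third party in the post) can do this."""
        return self._pan_by_token[token]


def demo() -> dict:
    """Run both stores over the sample PAN and report each property checked."""
    key = secrets.token_bytes(32)
    blob = encrypt_pan(SAMPLE_PAN, key)
    vault = TokenVault()
    token = vault.tokenize(SAMPLE_PAN)
    return {
        "encryption_reversible_with_key": decrypt_pan(blob, key) == SAMPLE_PAN,
        "token_fails_luhn": not luhn_valid(token),
        "token_shares_no_pan_digits": not shares_digit_run(token, SAMPLE_PAN),
        "token_reusable_for_recurring": vault.tokenize(SAMPLE_PAN) == token,
        "pan_only_via_vault": vault.detokenize(token) == SAMPLE_PAN,
    }
```

Calling `demo()` returns every property as True; the point a merchant should take from it is that the encrypted blob plus the key is equivalent to the PAN, while the token plus nothing is just a number.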

The CenPOS payment platform uses both tokenization and encryption for maximum reduction of PCI scope for merchants, and for data security throughout the payment cycle. It provides the most flexibility for merchants, because they can change processors with no disruption to their business.

*Refer to PCI guidelines for further details. Official PCI Security Standards Council Site


Do I need an SSL certificate for my law firm to accept credit cards on my web site using CenPOS?

Tuesday, April 3rd, 2012


I can’t imagine a law firm not getting one. Do you have an online contact form? As a legal practice, wouldn’t you want to go the extra step to secure any communication sent to you via that contact form? The SSL certificate has multiple uses for your web site domain including accepting payments, securing surveys and securing communications.
To accept payments on your web site with CenPOS, most, if not all, law firms prefer to embed the payment object in their own web page so the client never leaves the site. This is achieved with an iframe, a single line of HTML that you place on your web page. Although the CenPOS object is secured, if you do not have an SSL certificate, the little lock will not appear at the bottom of the web page, leaving your client to wonder about security. You could also create a pop-up box, and it would display a CenPOS URL with the secure lock.

[Image: credit card payment on web page]

See also Which SSL certificate should I choose?

What are steps to get started with CenPOS?

Tuesday, March 13th, 2012

CenPOS is easy to implement, and this overview is for ‘card not present’, or CNP, where the customer is not in the office to make a payment. Three popular CNP uses are reviewed, including getting started with the virtual terminal, the hub of all payment activity. Additionally, setting up a web pay page and EBPP are included. This overview assumes CenPOS is connecting to your current merchant account.

NEEDS REVIEW: How will you use the many tools available? Who will be the key users?

PAPERWORK:

  • Complete the application. Like a merchant account application, CenPOS requires ownership information to meet US Patriot Act requirements.
  • IRS W9 form
  • Copy of Voided check or bank letter
  • Credit card processing is standard. Ask your processor “what front-end are you using for my merchant account?”. The ‘front end’ is basically a network pipe used to communicate. The answer will be something like First Data North, First Data South, Paymentech Tampa, Tsys, etc.
  • Check processing services: Do you need remote deposit capture, check guarantee, check 21, or ACH/echeck? Advise of existing processor & services or new needs.

SET-UP: 1-5 days

  • CENPOS: Based on your ‘front-end’ we’ll provide you with a TID (terminal identification) request for your processor and a key contact for your account set up.
  • MERCHANT: Call your agent or the number on your merchant statement for the TID request. TIDs are normally free to set up, and your processor will give you a response in 1-3 business days that it’s ready. It may be as simple as an email: “TID002 is ready”.
  • MERCHANT: Inform CenPOS when the TID is ready and forward the response sheet if they send you one.
  • MERCHANT: Contact your bank to have the ACH block released for CenPOS monthly fees.
  • CENPOS: Account boarding is completed. Email generated for master administrator. Self-paced training checklist delivered (Exclusively from Christine)
  • MERCHANT: Obtain an SSL certificate* if you do not have one and will be using a web payment page.

MERCHANT FINAL STEPS BEFORE FULL LAUNCH:

  • MERCHANT: Process 1 transaction and validate through deposit to bank
  • CENPOS: Remotely review (webex or similar) risk management tools with merchant (covers current gap not in online help, but coming soon). Recommended immediately if multiple people will be processing transactions, otherwise can be deferred to a later date.
  • MERCHANT: Add additional users to the platform, assign permissions
  • MERCHANT: Confirm users have completed training checklist
[Image: CenPOS users]

OPTIONAL SERVICES:

ADDING A WEB PAY PAGE for self-service customer payments

  • Where do you want your payment page to reside? Some firms create a subdomain just for payments, some put a pay link in their navigation. Discuss with your webmaster and billing staff what’s best for you.
  • Do you want a special web page to appear after they’ve submitted payment? You’ll need to create the page and note the URL to begin. (Webmaster)
  • Install an SSL certificate. Client payment data is input within the CenPOS SSL protected fields; however, the merchant should have their own SSL for other reasons, including so that the customer will see the little lock in their browser. Contact your webmaster if you need one.
  • Create a ‘user’ for web payments, such as ‘webpay’. When you review reports, you’ll be able to easily distinguish which payments were from an employee and which were from customers self-paying.
  • Log in to the web pay page administrator to define the data elements that you want to capture, modify labels and more. Upon completion, note the HTML needed for your web page.
  • Add the HTML to your web payment page.
  • Optionally add a note on your invoices that they can now pay online.

EBPP: Electronic Bill Presentment & Payment setup

  • CenPOS: provide standard invoice requirements
  • MERCHANT: Send 10 invoices to CenPOS for analysis
  • MERCHANT: Send your SMTP info for sending emails.
  • MERCHANT: What is the ‘name’ and email address you want to send from? Example: Billing billing@mylawfirm.com.
  • MERCHANT: What is your estimated volume per month? Would you prefer to batch upload invoices, or send to a printer?
  • CenPOS will ‘learn’ and map your invoices.
  • CenPOS will send you a custom printer to install, just like installing any other printer on your computer. However, the CenPOS printer is a virtual printer that delivers your invoices to our system for distribution and management.

MERCHANT POWER CENPOS USERS:

  • Login to Dashboard on regular schedule
  • Create custom Key Metric Indicator (KEI) reports, with automated email distribution
  • Create automated real time alerts for various transaction types (risk management, customer satisfaction/dissatisfaction)

 

Salon multi merchant account solutions revisited

Monday, January 23rd, 2012


I previously addressed salon solutions with multimerchant terminals. Is that still the best choice today? Let’s explore the pros and cons of various merchant account options for the salon environment, where most workers are independent contractors renting a chair or a ‘booth’.

Under new IRS reporting requirements, credit card receipts are now reported to the IRS by the credit card processor on Form 1099-K. * This reports gross proceeds, so your tax returns will need to match accordingly or it will result in an audit. This can also result in fines from the IRS over whether the other stylists are employees of the salon or independent contractors. Separate merchant accounts may help prove there are no employee relationships.

Credit card processing options:

1. Single terminal, one merchant account:

  • PRO: Contractors can easily be commissioned on product sales since everything is tracked
  • PRO: Salon owner always gets their rent on time since disbursements are net
  • CON: Software is typically required to track sales to a contractor
  • CON: Contractors must wait to get paid
  • CON: Contractors may not have transparent reports, which leads to discontent and higher turnover.
  • CON: See IRS reporting requirements

2. Single terminal, one merchant account, with CenPOS:

  • PRO: Easily track sales by contractor; optionally assign sales to type, including service, product, tip
  • PRO: Automatically qualifies transactions for lowest cost, reducing processing fees
  • PRO: Add/remove users and contractors on demand
  • PRO: contractors can see their sales and estimated proceeds remotely any time
  • PRO: 7 years records stored
  • PRO: Ensures the operation is PCI compliant
  • CON: See IRS reporting requirements
  • CON: Contractors must wait to get paid

3. Contractors bring their own terminal:

  • PRO: Contractors get their money sooner, which may reduce churn.
  • PRO: Simplified bookkeeping
  • CON: How many phone lines will be needed?
  • CON: Potential rent collection issues
  • CON: Contractors not likely to push high profit product sales without commissions, which cannot be integrated. Customers will have 2 charges if they want to buy products.
  • CON: If a contractor has a terminal that is not PCI Compliant, or there is a data breach, can the owner be held liable?
  • CON: Space – a wall of terminals takes up space you may not have

4. Multi-merchant Terminal:

  • PRO: A multimerchant terminal eliminates the need for contractors to invest in hardware.
  • PRO: Contractors get their money sooner, which may reduce churn.
  • PRO: Simplified bookkeeping
  • PRO: Owner is in control of hardware PCI compliance
  • CON: How many phone lines will be needed?
  • CON: Potential rent collection issues
  • CON: Every time a contractor leaves or comes on board, new programming has to be downloaded
  • CON: The terminals start at $499, and new regulations may require future replacement to support NFC

5. CenPOS with multi-merchant (signature capture terminal or card reader plus a receipt printer):

  • PRO: Eliminates the need for contractors to invest in hardware.
  • PRO: It’s host based, so owners and contractors never have to download terminal updates.
  • PRO: Contractors get their money sooner, which may reduce churn.
  • PRO: Simplified bookkeeping
  • PRO: PCI DSS (data security) compliance for all contractors mitigates risks
  • PRO: Mitigates the risk of IRS issues
  • CON: Unless their next salon has CenPOS, the contractor will have to either buy equipment or sign up for a CenPOS account, an additional monthly fee to bear.
  • CON: Each contractor will have a login. Reception can log in all users at the start of the day, but to switch between accounts, the password will need to be re-entered.

BEAUTY SALON MERCHANT RECOMMENDATION:

The salon must take into account several factors, including turnover and overall sales volume, to make the best choice. My recommendation is #5, CenPOS with multi-merchant. The overall benefits for the salon owner and the contractors far outweigh any potential annoyance of the account switching.

  • Owner can remotely view via web overall sales for the entire operation, including all contractors.
  • A sales incentive program can be implemented for products by using a drop down menu to enter sales into ‘buckets’ for tracking.
  • No extra phone lines needed, just one high speed internet line.

[Image: CenPOS virtual terminal sale screen]

PIN DEBIT COMMENT:

PIN debit requires an encryption key unique to each processor. Since not all merchants are likely to use the same processor, PIN debit should not be used for multi-merchant. The main impact is that the window for customer disputes is 120 days versus 14 days. This may not be an issue in the salon environment. Under 2011 law, regulated debit fees are now the same for both PIN and swipe, so this is no longer an issue.

PRODUCT SALES COMMENT:

Regardless of how you choose to sell products, you’ll want to provide some incentive to involve contractors. The receptionist can be key, but when a stylist tells their customer to buy a product, it carries a lot more weight. A program can be as simple as a chart with each stylist’s name, adding a check or sticker each time one of their customers buys something. The person with the most stickers gets a $100 gift card.

Other articles you might like:

IRS link: Cash Intensive Businesses Audit Techniques Guide – Chapter 10, Beauty Salon Defined
Salon merchant account solutions SPECIAL DEAL (older)

How do I get a short code for text messaging and SMS payments?

Tuesday, January 3rd, 2012

In some respects, the Common Short Code Administration (CSCA) is to Common Short Codes as ICANN and Whois are to domains. Common short codes are administered by the CSCA for wireless carriers. In addition, the CSCA oversees the CSC Registry, which provides the technical and operational aspects of CSC functions and maintains a single database of available, reserved, and registered CSCs.

With mobile messaging exploding, CSCs are certain to become as valuable as URLs. Businesses cannot buy short codes; rather, they lease them for a specified period of time, and for a specific campaign type. Leases are offered at different prices from the four provider types (see below).

What is a Common Short Code (CSC)?

Common Short Codes (CSCs) are short numeric codes to which text messages can be sent from a mobile phone.

  • They’re compatible across all participating carriers.
  • CSCs are either five-digit or six-digit numbers.
  • CSCs can be leased by anyone.
  • USA CSCs are not recognized by phones issued in other countries, which are developing their own CSCs.
  • Applications route all messages addressed to a registered CSC number from any and all wireless networks initiating a message.
  • There are four (4) groups of companies that work together to bring CSCs to wireless subscribers; they include content providers, application providers, connectivity aggregators, and wireless service providers. Merchants lease short codes from a provider.

Should I lease my short code directly from the CSCA?

Not necessarily. If you’re ready to begin a campaign, research what solution you’ll be using for delivering and managing your SMS messages and payments first. They may offer a bundled package. If you’re not ready and have the funds to spare, you may want to reserve your short code to ensure availability when you need it.

501(c)(3) Non-profits must lease directly from the CSCA to be eligible for a 60% reduction in published rates.

How much does a short code lease cost? On the CSCA site 1/1/2012, registering and leasing a CSC costs $1,000 per month for each “Selected CSC” and $500 per month for each “Random CSC.” THESE FEES ARE NON-REFUNDABLE REGARDLESS OF WHETHER ANY WIRELESS CARRIER AGREES TO ACTIVATE YOUR CSC. The Registry must receive payment in full for the duration of the registration at the time your application is approved. The CSCA offers Registration Terms of 3 months, 6 months and one year. Because fees are due up front, if you register a Selected CSC for three months the cost is $3,000.00, and a Random CSC for three months is $1,500.00.

Do I need to register a CSC for each type of campaign? Yes.

Are there discounts for charities? Yes, provided that all conditions of the Mobile Giving program are complied with. That includes donations only, no recurring billing, and not product sales.

LINKS:

More information about the Mobile Giving program.

Official Common Short Code (CSC) directory (links to CSCA)

Official CTIA Guidelines for Mobile Giving (links to CTIA PDF)

Are we allowed to ask donors to provide their CVV number in a mailing?

Friday, November 18th, 2011

This is a great question. Should non-profits have a CVV field on their mail order donor response cards? Reading the 2011 Visa Card Acceptance Guidelines for Visa Merchants, it’s still open to interpretation whether to ask for CVV on mailings. Here are the official excerpts:

General Card-Absent Transaction Procedures

Pg 46 “Always ensure that, at a minimum, you collect the following details from your customer:

  • The card account number
  • The name as it appears on the card
  • The card expiration date as it appears on the card
  • The cardholder’s statement address”

Pg 46 “If you are taking an order through the mail or via a fax:

  • Obtain a signature on the order form.
  • Always retain a copy of the written order.
  • Get proof of delivery”

Pg 48 “A cardholder’s CVV2 may never be stored as a part of order information or customer data. The storage of CVV2 is strictly prohibited subsequent to authorization.”

“An initial, or set-up, recurring transaction should be processed the same as any MO/TO or Internet transaction. If set up by mail or telephone, you should submit both AVS* and CVV2** queries with the authorization.

The sales receipt for an initial recurring transaction must include the following information:

  • The phrase “recurring transaction.”
  • The frequency of the charges.
  • The period of time the cardholder has agreed to for the charges.”

[Image: CVV authorize indicator table]

* In certain markets, CVV2 is required to be present for all card-absent transactions. ** In some markets, if the transaction is approved but the CVV2 response is a no match, the merchant is protected against fraud chargebacks.

In summary, the merchant can leave the CVV off and reduce risk, but should use the correct indicator for authorizations, “You have chosen not to submit CVV2.”

If the merchant has a history of mail order fraud, then the merchant may want to collect the CVV2 using a lockbox service to reduce risk. If the merchant is retaining response cards, then the response card should be designed so that the CVV can easily be detached after the initial authorization and securely shredded. If the response card is scanned, the fields with sensitive data must not be included in the scan.

Please note PCI DSS compliance rules always take precedence over individual card network rules.
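As an added Python example (not from the post, and not a Visa or CenPOS tool), here is one way a non-profit’s order intake could apply the excerpts above: collect the listed fields, send CVV2 only inside the authorization request with the matching indicator, drop it from the retained record, and audit stored records for any CVV2 that slipped through. The indicator labels, field names, the choice to retain only the last four PAN digits, and the sample records are all constructed for this example.

```python
import re
from dataclasses import asdict, dataclass
from typing import Optional

# Indicator labels are constructed for this example; use your processor's own codes.
CVV2_SUBMITTED = "CVV2_PRESENT"
CVV2_NOT_SUBMITTED = "CVV2_NOT_SUBMITTED"    # "You have chosen not to submit CVV2"


@dataclass
class MailOrder:
    """The card-absent details the Visa excerpt says to collect, plus CVV2
    held only until the authorization request is built."""
    account_number: str
    name_on_card: str
    expiration: str            # as it appears on the card
    statement_address: str
    signed_order_form: bool    # mail/fax orders: obtain a signature
    cvv2: Optional[str] = None


def build_auth_request(order: MailOrder, amount_cents: int) -> dict:
    """Send CVV2 when the donor supplied it, otherwise flag it as not submitted."""
    req = {
        "pan": order.account_number,
        "name": order.name_on_card,
        "expiration": order.expiration,
        "avs_address": order.statement_address,
        "amount_cents": amount_cents,
        "cvv2_indicator": CVV2_SUBMITTED if order.cvv2 else CVV2_NOT_SUBMITTED,
    }
    if order.cvv2:
        req["cvv2"] = order.cvv2
    return req


def record_for_storage(order: MailOrder, auth_ref: str) -> dict:
    """What is kept after authorization: the written order and the auth reference,
    never CVV2. Keeping only the last four PAN digits is this example's choice."""
    rec = asdict(order)
    del rec["cvv2"]                       # prohibited subsequent to authorization
    rec["account_number"] = "*" * 12 + order.account_number[-4:]
    rec["auth_ref"] = auth_ref
    return rec


# Field names that typically hold a card verification value.
CVV_FIELD = re.compile(r"cv[cv]2?|security[_ ]?code|\bcid\b", re.IGNORECASE)


def find_cvv2_retention(records: list) -> list:
    """Audit helper: indexes of stored records still carrying a CVV2-like value."""
    flagged = []
    for idx, rec in enumerate(records):
        if any(CVV_FIELD.search(k) and v not in (None, "") for k, v in rec.items()):
            flagged.append(idx)
    return flagged


# Constructed sample of retained response-card records (not real data).
SAMPLE_STORED_RECORDS = [
    {"account_number": "************1111", "name_on_card": "A. Donor",
     "expiration": "12/25", "auth_ref": "AUTH-EXAMPLE-1"},
    {"account_number": "************1111", "name_on_card": "B. Donor",
     "expiration": "01/26", "cvv2": "123", "auth_ref": "AUTH-EXAMPLE-2"},
    {"account_number": "************1111", "name_on_card": "C. Donor",
     "expiration": "03/26", "card_security_code": "456", "auth_ref": "AUTH-EXAMPLE-3"},
]
```

Running `find_cvv2_retention(SAMPLE_STORED_RECORDS)` flags the second and third records, the kind of finding that would need to be remediated before a PCI assessment.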

See also, new 2011 card absent receipt requirements.

 

When should I convert from Paypal to a merchant account?

Thursday, September 22nd, 2011

At what point does it make financial sense to convert from Paypal to a regular merchant account? I frequently recommend that new small businesses start out with a Paypal account. There are factors you need to consider in making this decision, including risk of chargeback and whether you’ll be in front of your customer at the time the payment is needed. Below we examine two business scenarios and solutions. Both have customers that pay mostly by check or cash, so credit card volume is low.

  • A home improvement company meets with customers in person. Multiple salespeople are in the field, so traditional wireless devices could be expensive. Some customers make a decision later and fax over their signed contracts.
  • A boat towing service company has a fleet of part-time captains that respond to emergencies on the water. Most customers pay cash, so credit card volume is low. Traditional wireless devices are impractical due to the number needed and the inability to withstand the weather.

All companies have their service personnel call in the credit card information for an approval over the phone, or they key enter it back in the office later.

Charge slips are impractical and expose the company to risk of a data breach, whether through internal or external theft. Paypal is month to month, enabling new businesses to test the waters and build credit card volume before seeking prices from traditional merchant services companies. On the negative side, deposits to your bank account will usually take 3-5 days. A merchant account will deposit funds to your bank in 1-2 days automatically, and deduct fees once per month.

Paypal is $30 per month plus the table below:

Paypal payments received (monthly)       Fee per transaction
$0.00 USD – $3,000.00 USD                2.9% + $0.30 USD
$3,000.01 USD – $10,000.00 USD           2.5% + $0.30 USD
$10,000.01 USD – $100,000.00 USD         2.2% + $0.30 USD
> $100,000.00 USD                        1.9% + $0.30 USD

Paypal: month to month, no application fee. Deposits go to your Paypal account, then you have to manually transfer them to your bank account, which takes 3-5 days. Fees are deducted from every transaction, so you receive the net transaction deposit. Some find this inconvenient for accounting.

Merchant account: usually a 3 year agreement; a penalty for early termination and an application fee may apply. Deposits go to your bank account in 1-2 days and fees are deducted via ACH monthly.

How much will a merchant account cost? All credit card processing fees are based on interchange rates.  There are hundreds of rates. Hardly anyone charges $30/mth, so if your volume is low, be sure to include this when calculating your effective rate.

PAYPAL VS MERCHANT ACCOUNT FEE COMPARISON

The chart below shows examples of multiple scenarios of credit card processing for card not present transactions. Foreign cards can have a major impact. Paypal charges 1% for foreign bank issued cards, and most merchant accounts will pass through the extra fee, which varies from 0.4% to 0.6% depending on the card brand. The chart assumes NO foreign cards, which is a bit unrealistic.

[Image: Paypal vs merchant account fees chart]

 

Every situation will vary by number of transactions, types of transactions and actual merchant account fees. For your convenience, you can download the excel spreadsheet above and put in your own numbers. This spreadsheet is offered FREE for your convenience. It may not be used for commercial purposes, nor modified and distributed without express written permission from 3D Merchant Services.

Click to download the xls file: Paypal vs merchant account fee calculator.
If you need a Paypal merchant account, click the image below. Sign up for PayPal and start accepting credit card payments instantly.

How can a merchant perform a Zero Dollar Authorization on a credit card to validate if it’s good?

Wednesday, September 21st, 2011

Have you ever needed to check if a credit or debit card is valid, but you don’t want to authorize or charge yet? We’ve added a new feature for our CenPOS Virtual Terminal called Positive Card. CenPOS will go out to the networks with a zero authorization amount to validate the card with the issuer prior to being stored.

REVIEW OF ENCRYPTED PAYMENT STORAGE OPTIONS NOW AVAILABLE:
Positive Card: validates the card. The merchant sees whether the CVV, address and zip code pass the fraud check and decides whether the answers are acceptable before storing. Why would you accept a card if it doesn’t pass everything? Only Canada and the UK participate in the AVS check; if you know your customer, you may wish to allow the card anyway. This feature allows you to enter a card, then make an educated decision as to whether you want to store it for recurring billing.
Repeat Sale: offered for check/ACH and credit/debit. Process a transaction and it creates a new token to use for future sales transactions. CVV is not allowed, per PCI compliance. Later, check the Token Box, enter the Token ID, amount and invoice #. That’s it.
Recurring Payments Module: offered for check/ACH and credit/debit. Set up client contracts and store multiple cards, payors, and payment methods for a single account. Regardless of where a token was issued (repeat sale, recurring, positive card, etc.), the token is the same for all.
Securely store any payment type for variable amount token billing or fixed recurring billing.

FAQ:
How do I get this feature? Administrators log in to the Virtual Terminal and turn it on for each user you want to have access. (This also applies to the other options.)
Will this also validate checks? No, it resides in the credit/debit section. If you have a need, let us know.
Are there fees? Yes. As of 6/14/11, MasterCard charges $0.03 for this service, effective with their announcement to support zero auth address verification (AVS), card verification code 2 (CVC 2) validation, or both. Expect similar fees on all networks now or in the future. Standard CenPOS per transaction fees apply.
Can we use tokens for the EBPP/ E-invoice service? Not yet, but it’s in development. Currently customers will click the email and enter payment information for each invoice.

The tools are in place for you to eliminate faxed authorization forms that expose payment data and reduce PCI Compliance scope. If you need help using the features or how to deliver the token approval form for signature to your clients, please do not hesitate to call.