VISA FRAUD DISPUTE RULES CHANGES IMPACT CARD NOT PRESENT

April 5, 2017—This alert contains critical information regarding new and revised Visa card acceptance rules effective now and coming in the future for merchants. Business to business companies may be at higher risk of associated chargeback losses or declines due to the average size of order. Effective April 22, 2017, Revisions have been made to split the “Other Fraud” Dispute condition under Enhanced Dispute Resolution into separate conditions for Card-Present and Card-Absent Transactions, and to incorporate changes to the payment flow related to Disputes.

Christine’s Analysis: Merchants need to support both EMV chip for Card-Present and Verified by Visa for card not present. Verified by Visa is their brand for 3-D Secure, a global security protocol for cardholder authentication across all card brands. For example, a  cardholder might be asked to enter a PIN number or answer some other type of authentication question. Cardholder authentication for Card-Absent Transactions shifts liability for “it wasn’t me” disputes to the issuer. This card-absent cardholder authentication process requires cardholders self-initiate payments, eliminating collecting card numbers via phone or paper credit card authorization forms. Merchants are rewarded for using cardholder authentication with reduced interchange rates and increased approvals.

Christine’s TIP: Per Visa rule 5.4.2.5, a US merchant or its agent must not Request the Card Verification Value 2 data on any paper Order Form. Replace paper forms with digital, PCI Compliant forms and online payment solutions with cardholder authentication ASAP.

Online payment solutions include a hosted pay page like the one shown below.

hosted paypage online payments

A hosted pay page empowers customers to make secure payments online using a 3rd party provider (Payment Gateway also known as a Payment Facilitator.)

Other solutions include pushing out payment requests, such as via a text or email. electronic invoice presentment and payment eippWith new and revised rules impacting the entire payment ecosystem including issuer, acquirer, gateway, merchant, and potentially other software like ERP’s and ecommerce shopping carts, merchants should verify all parts their payment ecosystem supports them. Desktop terminals are not capable of supporting all the rules for card absent needs; a cloud-based payment gateway is required whether non-integrated, or integrated ecommerce shopping cart, ERP or other software.

Does your online payment solution support Verified by Visa, or do you need a solution? Contact Christine Speedy at 954-942-0483 for a fast and easy solution, compatible with your existing credit card processor.

Credit Card Authorization Form and PCI Compliance Update

A Credit Card Authorization Form enables a business to charge a credit card one-time or for recurring purchases. Is your form PCI Compliant with 2016 standards? Edited from my original contribution to Credit Today, learn the pitfalls and solutions to traditional paper authorization forms.

Do your business practices meet current PCI Compliance standards?

  1. Is it OK to store the form in a locked drawer?
  2. Is it OK to store the form in the cloud if it’s encrypted?
  3. Is it OK to receive them via email?
  4. Is it possible to qualify for the lowest processing rates using them?
  5. Is it OK to key enter each transaction for cards on file?credit card authorization form pci compliant

Credit Card Authorization Forms and PCI Compliance Rules

  • Per PCI 3.2, Neither Primary Account Number (PAN) nor Card Verification Code (CVV) can be stored on paper after authorization.
  • Per PCI 3.4, must render PAN unreadable anywhere stored (including on portable digital media, backup media, and in logs) using one of four cited approaches.
  • No. Per PCI 2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).
  • No. Most cards, except regulated debit, can qualify for multiple rates depending on how the transaction is submitted. For example, MasterCard World card rates:
Rate Name Rate Qualified Rate Reason
Standard 2.95% + $.10 Not all criteria met for another rate.
Merit I 2.05% + $.10 Key-entered or ecommerce and valid authorization + other criteria met.
Full UCAF 1.87% = $.10 Ecommerce; Cardholder authentication and other criteria met.

To qualify for UCAF, the customer must initiate payment.

Ecommerce includes online paypage and other electronic payment channels the customer initiates.

  • No. If a customer authorizes to store a card, then after the initial transaction, all subsequent transactions must be sent with the correct transaction type: recurring or repeat sale.

Alternative methods to process Card Not Present orders:

Hosted pay page. The merchant directs customers to web page to pay any invoice online. Acceptable implementation methods have changed in the last year or two for PCI Compliance. For maximum reduced PCI burden, send customers directly to the 3rd party payment gateway web URL. The gateway may or may not be the same as your processor. NOTE: If hosting on your own web site with an embedded payment (iframe) object, PCI requirements have changed; any old forms should be updated.

Electronic Bill Presentment & Payment. (EBPP or EIPP) This is basically a proactive version of the above. As a standalone solution, the merchant user logs in to a gateway web portal, and sends a payment request via text or email which the customer clicks and pays. Integrated to billing software, it sends the actual invoice, and may require customer to login to make the payment.

All the major payment gateways include a Virtual terminal, hosted pay page, and shopping cart checkout capability, tokenization to store card data for future orders. Some, including CenPOS also offer EBPP.

If you accept cards over the phone, gateways with a virtual encrypted keyboard can reduce PCI scope since card data never touches computers or networks.

Christine Speedy, CenPOS reseller, maximizes profits, efficiency, and security with payment processing solutions including EIPP, collections automation, and online payments. She can be reached at 954-942-0483 or cspeedy AT 3dmerchant.com.

 

 

Online Payment Form Security Alert

Is your online payment form out of date and a security risk? Securing online payment forms requires an annual review at a minimum. Just because a hosted paypage form still works, doesn’t mean it’s secure or PCI Compliant.

PCI Compliance requirements have steadily tightened since 2014 for pay pages and all ecommerce transactions.

Hosted paypage options:

  1. Merchant hosts the form and collects payment on their web site. Beginning with PCI 3.0, significant additional PCI burden applies. Highest risk.
  2. 3rd party payment gateway hosted pay page; Provide a link directly to customers to pay. The form is served by and submitted by the payment gateway. It significantly reduces the potential for malicious activity that could compromise cardholder data. Lowest risk.
  3. An iframe hosted paypage has the appearance of residing on the merchant web site, but the payment data is captured by the 3rd party directly on their web host. The implementation method using iframes for payments has changed over the years to meet current PCI Compliance requirements, including to combat malicious javascript and Cross-Site Scripting threats.

“If your iframe hosted paypage hasn’t been updated in the last year or so it’s likely not PCI Compliant,” Christine Speedy, Card Not Present Expert.

A payment gateway is a secure transaction engine that facilitates the transfer of sensitive information to the processor, and is required for all online payment forms. Some gateways provide online payment forms at no additional charge. Vendor selection has a significant impact on risk mitigation, payment processing fees, efficiency, and PCI Compliance burden.

A payment gateway can be proprietary to a specific processor, or agnostic and compatible with multiple processors. While one provider for both services may seem to be the best choice, there are significant reasons the opposite may also be true, including risk mitigation. Bots present a significant risk of exploitation of online payment forms and may result in profit loss if additional steps are not implemented to mitigate risk of ‘card testing’, where criminals use online forms to submit fake transactions to determine if cards are good or bad. Every attempted transaction has an associated cost with it, and adding in chargeback fees from resulting  disputes, the result could be tens of thousands in dollars in fees in a matter of hours.

If you don’t want to be the next law firm, CPA firm, hotel or distributor data breach headline, consult with a payments expert that understands the financial and risk ramifications of one payment gateway choice and implementation method over another vs ecommerce consultants or bankers that may have limited in-depth expertise to maximize your profits and mitigate risk exposure.

TIP FOR NON-TECHS: Does your online payment form look good on smart phones and other mobile devices? If not, there’s a pretty good chance your online payment page needs an update and is not PCI Compliant.

RESOURCES:

  • PCI – Payment Card Industry Data Security Standards
  • https://www.us-cert.gov/publications/securing-your-web-browser
  • http://pcisecuritystandards.org

For PCI compliant solutions to collect online payments from your customers, contact Christine Speedy today. Get paid via your preferred methods, including ACH, credit card, wire and Paypal, while increasing security and convenience.

Stopping Online Credit Card Testers

Online credit card testing by fraudsters can dramatically drive up payment gateway fees.  Historically, card not present financial fraud grows exponentially in countries after implementing EMV chip card processing, as thieves seek the weakest link for fake credit card purchases. Thieves use software to rapidly send cardholder data to payment web sites to verify if stolen cards are good, card testing, and since merchants pay a per transaction fee, regardless of approval, the financial impact can be devastating.

Companies with online pay pages are at increased risk. Since October 2015, online fraud attacks were up 11% 2015 Q4 Vs Q3, and up 215 percent from 2015 Q1. 83% of attacks involved botnets. Source: The Global Fraud Attack Index™, a PYMNTS/Forter collaboration. The preferred web pay pages have no login required, and provide detailed decline response reasons. I’m often asked by others in the industry to provide the latter, and for the same reason as for retail, it’s better than no one knows the reason for the decline. If you inform a criminal the expiration date is no good, they just need to figure out the right one.

PREVENTING ONLINE CARD TESTING

A layered approach is required to stop card testers since no single solution will stop fraudsters. Generally, the harder you make it, the more likely they will seek a path of less resistance.

  • Block known fraudulent incoming IP addresses. The bad guys also use hostile proxy servers, with dynamically changing IP addresses every authorization attempt, but this is still a first step everyone should employ.

For additional assistance, please contact us. I won’t make it easier for criminals by identifying all the tools here in the blog!

EBill payments via text or email improve PCI Compliance video

Ebill and einvoice systems send invoices vs Electronic Bill Presentment and Payment or EBPP gets you paid from that request via text or email. This critical difference has a major impact on security and PCI Compliance. This  video demo is for a standalone solution to accept online payments, including credit card. ACH and wire. Integrated solutions for Quickbooks, ERP, or other, are also available.

Video CenPOS EBPP Lite demo shows the simplicity of sending an einvoice with request for payment via email to an existing customer, that has previously made a purchase and stored their credit card. Customers can self-update their payment methods, store multiple methods. Ask for any feature, and yes, we probably support it.

A layered approach to card not present fraud protection is critical with increasing financial industry changes. In addition to the traditional address and CVV verification, cardholder authentication, IP blocking and other tools can be used to guarantee payment against fraud globally (some restrictions apply).

Eliminate credit card authorization forms with sensitive cardholder data. No one likes them, they’re time wasters for both parties, cards get expired etc. At best, they offer flimsy protection against fraud. Worse, they’re a PCI Compliance nightmare.  In the event of a data breach, it’s likely impossible to prove compliance if you use them. Regardless of how secure and loyal you think your employees are, stuff happens and when identity theft related to credit cards occurs, your business has a 50% chance of survival.

Contact Christine Speedy, 954-942-0483, 3D Merchant Services, 9-5 ET. Your merchant account, our cloud hosted payment gateway solutions.