Credit Card Authorization Form and PCI Compliance Update

A Credit Card Authorization Form enables a business to charge a credit card one-time or for recurring purchases. Is your form PCI Compliant with 2016 standards? Edited from my original contribution to Credit Today, learn the pitfalls and solutions to traditional paper authorization forms.

Do your business practices meet current PCI Compliance standards?

  1. Is it OK to store the form in a locked drawer?
  2. Is it OK to store the form in the cloud if it’s encrypted?
  3. Is it OK to receive them via email?
  4. Is it possible to qualify for the lowest processing rates using them?
  5. Is it OK to key enter each transaction for cards on file?credit card authorization form pci compliant

Credit Card Authorization Forms and PCI Compliance Rules

  • Per PCI 3.2, Neither Primary Account Number (PAN) nor Card Verification Code (CVV) can be stored on paper after authorization.
  • Per PCI 3.4, must render PAN unreadable anywhere stored (including on portable digital media, backup media, and in logs) using one of four cited approaches.
  • No. Per PCI 2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).
  • No. Most cards, except regulated debit, can qualify for multiple rates depending on how the transaction is submitted. For example, MasterCard World card rates:
Rate Name Rate Qualified Rate Reason
Standard 2.95% + $.10 Not all criteria met for another rate.
Merit I 2.05% + $.10 Key-entered or ecommerce and valid authorization + other criteria met.
Full UCAF 1.87% = $.10 Ecommerce; Cardholder authentication and other criteria met.

To qualify for UCAF, the customer must initiate payment.

Ecommerce includes online paypage and other electronic payment channels the customer initiates.

  • No. If a customer authorizes to store a card, then after the initial transaction, all subsequent transactions must be sent with the correct transaction type: recurring or repeat sale.

Alternative methods to process Card Not Present orders:

Hosted pay page. The merchant directs customers to web page to pay any invoice online. Acceptable implementation methods have changed in the last year or two for PCI Compliance. For maximum reduced PCI burden, send customers directly to the 3rd party payment gateway web URL. The gateway may or may not be the same as your processor. NOTE: If hosting on your own web site with an embedded payment (iframe) object, PCI requirements have changed; any old forms should be updated.

Electronic Bill Presentment & Payment. (EBPP or EIPP) This is basically a proactive version of the above. As a standalone solution, the merchant user logs in to a gateway web portal, and sends a payment request via text or email which the customer clicks and pays. Integrated to billing software, it sends the actual invoice, and may require customer to login to make the payment.

All the major payment gateways include a Virtual terminal, hosted pay page, and shopping cart checkout capability, tokenization to store card data for future orders. Some, including CenPOS also offer EBPP.

If you accept cards over the phone, gateways with a virtual encrypted keyboard can reduce PCI scope since card data never touches computers or networks.

Christine Speedy, CenPOS reseller, maximizes profits, efficiency, and security with payment processing solutions including EIPP, collections automation, and online payments. She can be reached at 954-942-0483 or cspeedy AT 3dmerchant.com.