Which states ban credit card surcharging?

Ten states, including California, Colorado, Connecticut, Florida, Kansas, Maine, Massachusetts, New York, Oklahoma, and Texas, plus Puerto Rico have laws that prohibit merchants from charging consumers with surcharges on credit card transactions. Minnesota prohibits a seller of goods or services that establishes and is responsible for its own customer credit card from imposing a surcharge on a purchaser who elects to use that credit card in lieu of payment by cash, check, or similar means. The language varies by state- B2B transactions may be excluded. Tread carefully, you may want to consult an attorney.  Merchants are not allowed to surcharge debit cards in any state.

The EU banned consumer surcharging effective January 2018.

Surcharge rules are complex and require special technology to automate compliance management. Contact Christine Speedy, CenPOS authorized reseller, 954-942-0483 for assistance. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

3 Things CPA’s Must Advise B2B Clients in 2018

Accountants offer professional advice regarding cash flow, accounts receivable, tax preparation and all sorts of other consulting. Credit card processing and all the compliance it encompasses introduced immense new compliance challenges in 2017, and it’s fair to say, most businesses have no idea what they are, or what the repercussions are. A big problem is people think it’s someone else’s responsibility to keep their business compliant. Every single merchant must make internal changes to comply.

Three things every B2B company needs to know about credit card processing right now:

  1. If you store credit cards, you must be compliant with Visa Stored Credential Framework. This is arguably as huge as the retail shift to EMV chip card acceptance. There are significant financial and risk consequences for non-compliance. Some solutions companies reduce the compliance burden more than others, while maximizing profits and cash flow.
  2. PCI Compliance mandate for TLS disablement will disrupt business, mostly starting right now, February 2018. Businesses need to ensure they’re servers, software (if applicable) and browsers are compliant, and also have an plan to help internal and external customers overcome issues trying to login to portals, make online payments etc.
  3. It’s a Visa rules violation to request the card security code on a paper credit card authorization form, or any digital form where the business can decrypt and view it. It can’t be stored, period. Not by the merchant nor service provider, including payment gateway.

Why these 3 things? Because 100% of B2B companies I talk to will fail on at least one, and usually two or three. That includes CPA firms also. 86% of all data breaches in 2016 were from level 4 merchants, defined as “Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.” By complying with the three items on my list, B2B companies will harden their systems and increase profits. The latter occurs because compliance with rules reduces fees. 

Example of solutions to solve these problems:

  1. An intelligent payment gateway can automate compliance with many elements of the Visa Stored Credential Framework. Simply passing data as most payment gateways do is not enough.
  2. Engage internal or external IT team to test all systems for TLS compliance, and verify at SSLlabs.com.
  3. Empower customers to self pay via push (text or email), or pull (online hosted pay page) technology so that employees never have access to cardholder data again. Whatever the old justification for using paper forms with full card data, there is a technology solution that has negated the need.

Christine Speedy, CenPOS authorized reseller, 954-942-0483. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

Validated P2PE Solution

Looking for a Validated P2PE Solution? CenPOS launched their PCI-Validated P2P Encryption 3.2 solution in 2017.

Florida-Based Payment Solutions Company, CenPOS, Strives to Make Customer Experience More Secure with Launch of PCI-Validated P2P Encryption.

Data breaches are on the rise and they are costing both consumers and merchants money.

The 2017 Identity Fraud Study, released by Javelin Strategy & Research, found that $16 billion was stolen from 15.4 million U.S. consumers in 2016.

When the consumer data that makes such fraudulent activity possible comes from the merchant’s database, then the merchant can also incur some major damages. In fact, the 2017 Cost of Data Breach Study: United States, found that the total average organizational cost of a data breach has reached a new high at $7.35 million.

CenPOS aims to reduce the vulnerability of sensitive consumer data — that could be used to drain debit card-linked bank accounts, make “clone” credit cards, or buy items on certain less-secure online sites — to hackers with the release of its Validated P2PE solution.

Officially released on July 7th of this year, CenPOS Validated P2PE encrypts cardholder data so businesses can simplify compliance with Payment Card Industry Data Security Standards (PCI DSS) and consumers can stop worrying about data being stolen between “the store” and the bank.

Surprisingly, Validated P2PE is not new technology. It’s the strongest level of data encryption in the market right now and is offered by other merchant payment services companies. However, CenPOS is the first and only company with the Qualified Integrator & Reseller (QIR) designation to offer a Validated P2PE solution.

The QIR designation is awarded by the Payment Card Industry Security Standards Council, a global open body formed to develop, enhance, disseminate and assist with the understanding of security standards for payment account security.

According to their standards, “the quality, reliability, and consistency of a QIR Company’s work” should provide confidence that the merchant’s payment application has been implemented in a manner that supports PCI DSS compliance.

Chris Justice, CEO of CenPOS, is quoted saying: “We believe that loyalty is built on trust and that trust is built by delivering great customer experience over and over again. So, when consumers can have greater peace of mind because they know that the merchant has the proper data security in place to reduce exposure to painful events, like data breaches, we believe customer experience is enhanced and that consumer will choose that merchant over others who are less diligent.”

CenPOS Validated P2PE launched on Friday, July 7, 2017. To learn more, visit https://cenpos.com/solutions/data-security
More facts and further information about CenPOS, can be discovered at https://www.cenpos.com/

About CenPOS
CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS’ secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships. | CenPOS | @CenPOS

##

Christine Speedy, CenPOS Sales 954-942-0483, 9-5 ET is based out of South Florida and NY, selling globally. When you call Christine, there is no middle man; all agreements are direct with CenPOS. As one of the very first to sell for CenPOS, I have deep experience to help merchants understand benefits and get live fast.

See also this article for important certifications.

VP2PE and Payment Card Industry Acronyms Revealed

VP2PE and Payment Card Industry Acronyms Revealed

What does it mean to be HIPAA, PCI Level 1, VP2PE, and QIR compliant in the world of credit card processing? Learn the lingo and know what certifications to verify when choosing a payment gateway or any solution that touches payments.

PCI DSS

If you accept credit cards, you must comply with Payment Card Industry Data Security Standards. There’s no exception. Anyone who advises that a solution means you don’t have any responsibility is dead wrong. The PCI Security Standards Council (PCI SSC) mission is to enhance payment account data security by fostering broad adoption of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. The council sets the standards, the card brands levy penalties and fines for non-compliance.

PCI Level 1 Service Provider

If a third party entity provides services for, or on behalf of a Merchant, and those services control or could impact the security of cardholder data or of transactions that are processed, that entity is a PCI Service Provider for the Merchant and falls within the Merchant’s scope of PCI DSS compliance. For example, if you accept payments online, the payment gateway is a PCI Service Provider. Or if you use a lockbox company, they must be certified. PCI Level 1 is the most common PCI Compliance certification for a service provider. You can verify if a service provider is compliant with Visa here https://www.visa.com/splisting/searchGrsp.do. If the company you’re doing business with is not on the list, ask questions.

PA DSS

If a software application controls or could impact the security of cardholder data or of transactions that are processed, for PCI compliance, merchants must only use Payment Application Data Security Standards that are certified. For example, a lock box company that processes transactions or a retail point of sale system. If payments are segregated from the application, then PA DSS does not apply.  In my experience, this is a weak area for merchants because not all application providers understand their requirements; some will do the standard PCI scan and say they’re PCI Compliant, but in reality, they’re using a homegrown application to process transactions which they have not certified.

HIPAA

There is no Health Insurance Portability and Accountability (HIPAA) certification for service providers and it does not fall under the purview of the PCI Council. However, a PCI Service Provider may choose to engage a third party auditor to attest compliance in order to better serve merchants in industries that require HIPAA compliance.

QIR

Organizations qualified by PCI SSC as Qualified Integrator and Reseller Companies (QIR Companies) are authorized to implement, configure, and/or support validated PA-DSS Payment Applications on behalf of merchants or service providers for purposes of performing Qualified Installations as part of the QIR Program.  Level 4 merchants were a big portion of data breaches so as of January 2017, they’re mandated to only use QIR certified individuals for their implementations and maintenance.  Level 4 are merchants with less than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually. QIR applies to individuals; a company may have multiple people certified.

P2PE

Point-to-point encryption (P2PE) is a standard established by the PCI Security Standards Council. The objective of P2PE is to provide a payment security solution that instantaneously converts confidential payment card (credit and debit card) data and information into indecipherable code at the time the card is swiped to prevent hacking and fraud. It is designed to maximize the security of payment card transactions in an increasingly complex regulatory environment.

VP2PE

VP2PE is not an official acronym of the PCI Council for Validated P2PE, but it is descriptive. The P2PE Standard defines the requirements that a “solution” must meet in order to be accepted as a PCI validated P2PE solution. A “solution” is a complete set of hardware, software, gateway, decryption, device handling, etc.  Validated solutions are listed in the PCI Council web site. They reduce PCI compliance scope and burden for merchants. For example, about 35 questions vs 359, and 4 sections instead of 12.

Today there are only 42 companies with 49 validated solutions in the entire world. Some of the solutions are only valid with a particular acquirer. For merchants seeking an agnostic VP2PE solution, the list gets very small.

CenPOS

CenPOS, a payment technology provider, has a Health Insurance Portability and Accountability (HIPAA) attestation from a third party external auditor across a broad range of payment solutions offered by the company. CenPOS is listed as a registered Level 1 Service Provider on the Visa web site; and is listed on the PCI Council web site VP2PE solutions and QIR sections. The CenPOS Validated P2PE solution is compatible with many acquirers. You can also find me, Christine Speedy, under QIR certifications when searching by name. (CenPOS is not a software application so is not listed as PA DSS.

Christine Speedy, CenPOS Sales 954-942-0483, 9-5 ET is based out of South Florida and NY. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships. When you call Christine, there is no middle man; all agreements are direct with CenPOS. As one of the very first to sell for CenPOS, I have deep experience to help merchants understand benefits and get live fast.

icverify replacement 2018

icverify first data payment systems end of lifeNeed to replace ICVerify Software? It’s still in use in 2018, even though it was end of life back in 2015.  This means any company using is not PCI Compliant and likely has a non-PCI compliance fee of $19.95 per month on their monthly merchant statements. Alternatives are abundant for card not present and retail credit card processing, but none are comparable to CenPOS for meeting business to business (B2B) companies. authorize.net and others may be suitable options for other business types; Call 954-942-0483 9-5 ET for a consultation.

What does ICVERIFY Software end of life mean?

First Data sales, product development and support have ended. Continued use of the product will invalidate a merchants PCI Compliance.

What happens if my ICVERIFY Software stops working?

You will get zero support. If you cannot open due malfunction, you’ll have no access to records. If you’re acquirer shuts down your ability to send transaction data, and this is happening frequently because it’s not PCI Compliant, they will not turn it back on. If your acquirer finds out you’re using ICVerify in 2018, you will get shut down. It’s imperative to migrate to new solution as soon as possible.

What are alternative solutions to ICVERIFY?

A cloud payment gateway is required. There’s no software to install. You can use a payment gateway via integrated or non-integrated options, which include mobile app and virtual terminal via secure web site. ICVERIFY was a buy once and use forever product. Payment gateways have per transaction fees. Many businesses make the mistake of using the one with the cheapest fee or the one that their developer or consultant is familiar with because they’ve used it for a decade or more. Are you using the same cell phone you did 10 years ago? The cheapest fee could result in the highest actual credit card processing interchange rate qualifications or inefficiency. For example, most gateways do nothing to help merchants reauthorize after an authorization expires. That matters because even though the issuer usually approves the transaction for up to 30 days, it won’t qualify for the best rate, which could be half the cost of the non-qualified rate.

What is best alternative payment gateway to ICVERIFY for a B2B company?

I’m not going to waste your time listing all the cloud payment gateways on the planet like First Data Payeezy, authorize.net, Payflow Pro, Paytrace, Cybersource, Orbital, 3Delta Systems, or 3DSI and their differences. Each has bits and pieces but none has the whole package of solutions B2B companies need. CenPOS is the only solution I know of today that will get merchants compliant with all these critical items:

  1. Comply with 2017 and 2018 Visa stored credential framework and mandate deadlines. It’s complicated. CenPOS automates compliance with things like sending the merchant initiated or customer initiated use of stored credential flag.
  2. Eliminate paper credit card authorization forms with multiple digital ways to accept payments and store cards, including text and email. Sure, some gateways offer a hosted pay page, but can they generate a PCI Compliant authorization form automatically for those that still like paper?
  3. Automate authorization management, including requirement for preauthorization and settlement match and renew expired authorizations for card not present transactions.
  4. Automate compliance to qualify transactions properly for level 3 interchange rates for corporate, purchasing and business cards. Supporting level 3 is not enough, it’s complicated.
  5. Mitigate fraud risk with a layered approach, including supporting 3-D Secure, which shifts fraud liability to issuer.
  6. Encrypted Virtual Keypad (EVK) to reduce PCI Compliance scope and burden. (No card data touches your system for phone orders; avoid key logger dangers.)
  7. Audit trail as required for PCI. Every user, every touch. Available minimum 7 years.

What else makes CenPOS the best alternative payment gateway to ICVERIFY for a B2B company?

  • Graphically pleasing, easy to use. It’s like marrying the coolness of Apple design with an Amazon buying experience. People love it. Customers are happier (proven by our clients conducting their own studies).
  • Wire transaction support with electronic bill presentment and payment services. Stop the madness associated with matching deposits to invoices and getting paid the wrong amount.
  • Reports. Dynamic search and view online or download; robust custom reports, alerts and distribution. So much faster to research anything!
  • No capital investment. We make companies more profitable virtually overnight.
  • Deposits equal receivables, not net of fees. Other services are mixed. For example, authorize.net echeck service takes it’s fees out of your deposit so then you have to do some accounting magic to reconcile.

What if ours is not a B2B company? Call for a consultation. We offer multiple payment gateway options.

Ready to get started with CenPOS? Contact Christine Speedy right now at 954-942-0483.

Christine Speedy, CenPOS authorized reseller, 954-942-0483 is based out of South Florida and NY. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.