VISA FRAUD DISPUTE RULES CHANGES IMPACT CARD NOT PRESENT

April 5, 2017—This alert contains critical information regarding new and revised Visa card acceptance rules effective now and coming in the future for merchants. Business to business companies may be at higher risk of associated chargeback losses or declines due to the average size of order. Effective April 22, 2017, Revisions have been made to split the “Other Fraud” Dispute condition under Enhanced Dispute Resolution into separate conditions for Card-Present and Card-Absent Transactions, and to incorporate changes to the payment flow related to Disputes.

Christine’s Analysis: Merchants need to support both EMV chip for Card-Present and Verified by Visa for card not present. Verified by Visa is their brand for 3-D Secure, a global security protocol for cardholder authentication across all card brands. For example, a  cardholder might be asked to enter a PIN number or answer some other type of authentication question. Cardholder authentication for Card-Absent Transactions shifts liability for “it wasn’t me” disputes to the issuer. This card-absent cardholder authentication process requires cardholders self-initiate payments, eliminating collecting card numbers via phone or paper credit card authorization forms. Merchants are rewarded for using cardholder authentication with reduced interchange rates and increased approvals.

Christine’s TIP: Per Visa rule 5.4.2.5, a US merchant or its agent must not Request the Card Verification Value 2 data on any paper Order Form. Replace paper forms with digital, PCI Compliant forms and online payment solutions with cardholder authentication ASAP.

Online payment solutions include a hosted pay page like the one shown below.

hosted paypage online payments

A hosted pay page empowers customers to make secure payments online using a 3rd party provider (Payment Gateway also known as a Payment Facilitator.)

Other solutions include pushing out payment requests, such as via a text or email. electronic invoice presentment and payment eippWith new and revised rules impacting the entire payment ecosystem including issuer, acquirer, gateway, merchant, and potentially other software like ERP’s and ecommerce shopping carts, merchants should verify all parts their payment ecosystem supports them. Desktop terminals are not capable of supporting all the rules for card absent needs; a cloud-based payment gateway is required whether non-integrated, or integrated ecommerce shopping cart, ERP or other software.

Does your online payment solution support Verified by Visa, or do you need a solution? Contact Christine Speedy at 954-942-0483 for a fast and easy solution, compatible with your existing credit card processor.

EMV handbook for merchants by Verifone

emv guide verifone merchant terminalVerifone’s EMV handbook is a comprehensive guide for both retail and card not present merchants. It’s hardware agnostic and the Question and Answer section is especially useful.

Two questions on page 17 about hardware need to be read together. To clarify the liability shift going into effect October 1, the merchant’s hardware (terminal) needs to be more than capable of processing chip card transactions.  It needs to be certified on the processor platform and EMV must be enabled on the merchant account. This is an important distinction.

There may be thousands of terminals in use technically capable of accepting chip cards, but either the terminal is not yet certified for EMV chip card transactions, or the processor has not certified the terminal to their platform.

Beware purchasing terminals that will ‘get you ready’ to be EMV compliant. Will the seller guarantee the terminal will be certified for the acquirer platform you need? For example, acquirers usually have multiple platforms but not all merchants can switch between them. With the liability shift just weeks away, merchants wanting to be EMV compliant should not wait another minute:

  • Buy only EMV certified terminals acquirer confirms can be enabled.
  • Verify firmware and or software is current before buying
  • Request an EMV TID from acquirer
  • Download file, usually required for countertop terminals
  • Install new software driver, if applicable, for virtual terminals

Christine SpeedyThanks for reading! If your business needs EMV certified terminals or Card Not Present risk mitigation solutions today, contact me at 954-942-0483 or 3Dmerchant.com/contact. I specialize in business to business and mid-market payment solutions.

PCI Compliance: Card Not Present Merchant Quick Checklist

Do you (even occasionally or temporarily) create, receive, or otherwise come to possess any paper records or receipts that contain cardholder data? The number one rule card not present merchants violate is a Merchant Must Not Request the Card Verification Value 2 data on any paper Order Form.

Do you make sure that you NEVER, EVER store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions after authorization (even if encrypted)?

Are strong cryptography and security protocols, such as SSL/TLS, IPSec, or SSH used to safeguard cardholder data during transmission over open, public networks?

For SSL/TLS implementations, does HTTPS appear as part of the browser Universal Record Locator (URL), and is cardholder data required only when HTTPS appears in the URL?

Are policies, procedures, and practices in place to make sure that you NEVER, EVER send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat)?

Do your access limitations require restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities?

Do your access limitations require assignment of privileges to be based on individual personnel’s job classification and function?

Is your security policy established, published, maintained, and disseminated to all relevant personnel (for the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s site cardholder data environment)?

Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security?

zip code, address verification and cvv code validation responses

avs code responses

Above are all the possible responses for credit card address verification, in a screenshot from the CenPOS merchant parameter manager, where administrators can set rules and automatic alerts to mitigate fraud risk. Zip code and CVV each have additional response options.

Ever wondered what the possible responses when a merchant does a credit card address check? For card not present transactions, performing fraud checks can mean the difference between lost disputes and managed risk. Payment gateways vary widely in the response data returned to a merchant. For example, PASS, FAIL, and UNCHECKED, provide little information for a merchant to make an educated decision about whether to approve a transaction.

Payment Gateway Fraud Tools To Look for:

  • What responses are possible? What depth of information is available to review?
  • Can merchant automatically decline a transaction, but allow a supervisor to override?
  • Can merchant automatically send real time alerts to management of potential risky transactions?
  • Are there other fraud tools that can be used as part of the transaction review?
  • What services cost extra, and what are standard?

Equally important is the ability to automate activating different tools for different situations. For example, if a merchant switches between card present and swiped transactions.

How to use a stored token for credit card payment: CenPOS training video

Variable payment recurring billing is easy and fast using CenPOS token billing solutions. Video shows how to retrieve a stored token to charge a credit card again. Tokens replace sensitive card data with random alpha numeric characters. Merchants can then charge the card again, with customer permission, by retrieving the token.

A Christine Speedy, CenPOS global sales, training video. This video uses ZOOM so you can watch as is, or enlarge as it was recorded in larger 1280 width. If you have trouble viewing, watch it on youtube: #33 How to use a stored token for credit card payment: CenPOS training video .

Tokens replace sensitive payment information with the last 4 digits of the card only, and the random alpha numeric token ID that replaced the full card number. CVV can never be stored, per card association rules, but merchants can perform a zero dollar authorization before creating a token.

Click on the credit and debit tab.

Select USE TOKEN. If the ‘use token’ icon is not visible, contact the merchant administrator to update user permissions, either by moving the user to a new role that has the use token permission, or by updating the existing role to add the permission to all users in the role.

If you don’t know the token ID, search for it.

token billing screenshot

Select the token by clicking on it.

Then enter the sale details. If the merchant has set up additional information fields, enter now. If the credit card type qualifies for special interchange rates that require additional information, such as a purchasing card, CenPOS will automatically prompt for it.

A receipt is automatically delivered to the customer email address put on file when the card was originally stored and the token was created. As a reminder, full credit card data is never accessible to anyone after a token is created.

The same process applies for stored checking account information via the Checks tab. By regulation, merchants cannot initiate repeat sales creating an ACH on business checks. Customers must initiate business ACH transactions. CenPOS supports that via the Electronic bill presentment and payment, or EBPP electonic invoicing solution.

About the author: Christine specializes in providing merchants with innovative technology to create efficiencies and ease the burden of PCI compliance. With a primary focus on “card not present” payment processing solutions for mid-size companies, including manufacturers and wholesale distributors, merchants improve PCI Compliance and streamline the payment experience for both their company and their customers. It’s fast, easy to use, and requires no capital investment to implement. For sales call Christine Speedy at 954-942-0483 or click here for more information.