ERP and Payments: PCI Compliance Nightmare

A PCI Compliant ERP solution doesn’t make a merchant PCI Compliant. The features of the payment integration drive a customer’s decision to use or not use an ERP payment module. When payment vendor choices are restricted artificially, by using the technology to control merchant services options, merchants often enter ERP relationships with a level of dissatisfaction right from the start.

Severely restricted payment gateway options, especially for business to business, result in either the merchant using an alternative non-integrated payment solution, thus sacrificing efficiency, or using the integrated solution and failing to meet PCI 3.0 requirements or other payment needs. How can I make this statement? B2B companies that accept credit cards typically have a portion of their sales via the telephone. To mitigate the risk of fraud, they use paper credit card authorization forms. However, the forms are inherently risky in many ways.

  • Sensitive authentication data, which includes the security code (CVV/CID), can never be stored.
  • Forms often offer an option to send via email. Unprotected data cannot be sent via messaging technologies such as e-mail, instant messaging, chat, etc. (PCI section 4.2). Even if the form doesn’t offer it, customers sometimes ignore instructions and send it via email anyway.

In the absence of a best practice, employees will revert to whatever is necessary to get their job done and reduce the risk of looking bad (fraud losses). If the ERP payment module doesn’t help merchants eliminate credit card authorization forms, the entire operation may be at risk of a potential data breach.

For retail, data breaches have become commonplace. Few ERP Point of Sale (POS) solutions are using Point to Point (P2P) encryption and other best practices to reduce data breach risk. They raced to bring mobile to market, and many now have neither EMV chip terminals nor P2P encryption, each of which increases financial risk to merchants.

Why does an ERP restrict options for merchant services? Because it’s part of their revenue stream. When competition is eliminated, there’s almost no chance of having the best solution in the marketplace. The proof is a long string of failures to meet business needs: failure to offer electronic bill presentment and payment, which would increase cash flow and efficiency; failure to offer a US EMV chip card acceptance solution prior to the liability shift; failure to offer level 3 processing for all sales channels. These failures reduce cash flow, profits, and security as companies attempt to work within the ERP limitations, or find ways to work around them.

The argument that it’s to protect merchants from data breaches is only partially true. For any modern payment gateway integration, the payment activity is usually outside the ERP to reduce PCI scope. That won’t change from one gateway to another, so the risk doesn’t change, provided the third party gateway is level 1 PCI Compliant.

Examples of ERPs that restrict payment gateway and merchant services choices are Netsuite and Sage. Additionally, consultants are often compensated for payment gateway recommendations. Consulting with an independent payment specialist, like blog author Christine Speedy, can expose the pros and cons of different options.

ERPs holding onto merchant services and gateway revenue streams are short sighted, as these business practices anger customers. Can you imagine if an ERP wouldn’t communicate with any other software, for example, Magento? ERPs focused on delivering the best business software for all facets of a business, and on enabling the merchant to follow best practices for PCI Compliance, must give users the flexibility needed to run their business with their own financial partners.

If an ERP relies so much on their revenue stream from merchant services revenue share that they won’t let you choose your own financial partners, I’d think seriously about whether it’s the best ERP for your business.

EBill payments via text or email improve PCI Compliance video

Ebill and einvoice systems send invoices, whereas Electronic Bill Presentment and Payment, or EBPP, gets you paid from that request via text or email. This critical difference has a major impact on security and PCI Compliance. This video demo is for a standalone solution to accept online payments, including credit card, ACH and wire. Integrated solutions for Quickbooks, ERP, or other systems are also available.

The CenPOS EBPP Lite demo video shows the simplicity of sending an einvoice with a request for payment via email to an existing customer who has previously made a purchase and stored their credit card. Customers can self-update their payment methods and store multiple methods. Ask for any feature, and yes, we probably support it.

A layered approach to card not present fraud protection is critical with increasing financial industry changes. In addition to the traditional address and CVV verification, cardholder authentication, IP blocking and other tools can be used to guarantee payment against fraud globally (some restrictions apply).

Eliminate credit card authorization forms with sensitive cardholder data. No one likes them: they’re time wasters for both parties, cards expire, etc. At best, they offer flimsy protection against fraud. Worse, they’re a PCI Compliance nightmare. In the event of a data breach, it’s likely impossible to prove compliance if you use them. Regardless of how secure and loyal you think your employees are, stuff happens, and when identity theft related to credit cards occurs, your business has a 50% chance of survival.

Contact Christine Speedy, 954-942-0483, 3D Merchant Services, 9-5 ET. Your merchant account, our cloud hosted payment gateway solutions.

PCI Compliance email

PCI Compliance, credit card authorization form, and CenPOS bulletin were all in the February 2016 enewsletter. Did you miss it? Subscribe here for payment news.

PCI Compliance Fail

80% of companies FAIL an interim Payment Card Industry Data Security Standards (PCI-DSS) audit. It’s time to admit it: your company is one of the many struggling to keep up with new rules.

Have you noticed a $19.95 fee sneaking back into your merchant statements?

Check your quarterly scans. You may discover a scan failed with a reason related to SSL. Fight back to stop these monthly fees. Not only is the fee premature, but the Payment Card Industry Security Standards Council (PCI SSC) changed the migration date, by which TLS 1.1 encryption or higher is required, from June 2016 to June 2018.


Credit card authorization forms – a weak link for compliance

“We keep all cardholder data in a locked file drawer and I’m the only one with a key” does not comply with PCI 3.0 standards.
For new best practices, think like a forensic auditor. In the event of a suspected breach, how will you identify who, what, when, how, and maybe even where card data was touched? Without a system to automate logging, the time and cost of an audit will explode.

TIPS.

  • Unprotected data cannot be sent via messaging technologies such as e-mail, instant messaging, chat, etc. (PCI section 4.2)
  • PAN data (card number) cannot be stored unencrypted. (PCI section 3.x)
  • Sensitive authentication data, which includes the security code (CVV/CID), can never be stored. (PCI section 3.2)

Every moment a paper form exists, there’s an opportunity for misuse and identity theft. If your company extends credit, then Red Flags Rules also apply. The FTC can seek both monetary civil penalties and injunctive relief for violations. All told, the expense of a breach could run over a million dollars, uncovered by insurance, plus ongoing lost business due to damaged reputation.


Is your service provider PCI Compliant?

If a third party touches card data, they’re required to register with the card brands and have an annual on-site audit. That includes your payment gateway, caging service, and other software if their payments are not segregated from the applications. You can search the Visa service provider database to verify a provider’s status.


Software Updates
Reminder: PCI section 6.1 mandates that software security updates be applied within 30 days. With all the activity lately, that means every month. Windows XP users are automatically non-compliant. See the Internet Explorer and other Microsoft CRITICAL updates issued this year.


CenPOS Question of the Month

How can we collect cardholder data for B2B card not present customers without our credit card authorization form?

  1. Hosted online pay page
  2. Electronic request for payment (push to email or text)
  3. Electronic bill presentment & payment
  4. All of the above and a PCI Compliant authorization form

PCI Compliant credit card authorization form example: Video

Training & educational videos https://www.youtube.com/user/3Dmerchant/videos

Christine Speedy


WHAT DOES CHRISTINE SPEEDY DO ANYWAY?
Omnichannel payment solutions targeting the middle market ($10M to $1B per year), primarily technology companies and distributors. With one call, I can provide any gateway, acquirer, or integrated solution. Best of all, I’m agnostic: you can keep your merchant services or check processors. Call today for a free consultation and for answers to any burning question about business to business payments.

CenPOS is a processor agnostic end to end payment engine that increases EBITDA virtually instantly. From compliance to automating collections, we solve everyday business problems. It protects the front door with US EMV certified multi-lane terminals for all processors, and the back door with 3-D Secure certified solutions for customer initiated sales. Now in over 140 countries.

Feb 01, 2016 1:04 pm | Christine Speedy

Replacing ICVerify or other legacy software for batch credit card processing? Whether you’re in the cloud, or headed there, methods of payment processing have changed to meet current and future requirements for PCI Compliance and fraud prevention. For service providers, … Continue reading

Jan 25, 2016 11:14 am | Christine Speedy

Winter Storm Jonas is a reminder of the importance for business to business companies to accept payments online. What if you have a desktop terminal, but staff is working from home? How can accounts receivable be reached for call in … Continue reading

Jan 13, 2016 8:36 am | Christine Speedy

Getting a VeriFone EMV Vx520, FD55, Vx510, Vx570 CAPK expired error message? Visa has extended the EMV key’s expiration date from 12/31/2015 to 2022, and the terminal must be updated. OPTION 1: UPDATE CAPK FILE ONLY via partial download For … Continue reading

Jan 12, 2016 2:04 pm | Christine Speedy

Ready to improve PCI Compliance with token billing? Step by step instructions for CenPOS card not present token billing including creating, modifying, and using tokens follows. In the virtual terminal admin, Create a new Role* or Modify an existing role … Continue reading

Jan 11, 2016 12:26 pm | Christine Speedy

Need a 3rd party credit card authorization form template? Don’t count on wikiform.org and other internet resources that scrape the internet for free content and then redistribute it. There’s no guarantee that anything published is accurate, legal, or virus free. … Continue reading

Calendar Notes
February 5 – out of office, CenPOS training
February 12 – 15 Tampa/ Orlando
February 18 – 24 Atlanta
Contact me for FREE consultation
Monthly: Log in to Paymentech Resource Online; use it or lose it

About Christine Speedy

Global payment solutions; focused on card not present and omnichannel merchants. Is your integrated solution failing to keep up with technology? Send me an integration referral and I’ll send you a cool gift!

3rd PARTY CREDIT CARD AUTHORIZATION FORM

Need a 3rd party credit card authorization form template? Don’t count on wikiform.org and other internet resources that scrape the internet for free content and then redistribute it. There’s no guarantee that anything published is accurate, legal, or virus free.


January 2016 3rd party credit card authorization form from Wikiform.org

What’s wrong with this form? For starters, according to PCI DSS 3.1 standards, section 4.2, it’s never OK to email cardholder data. That problem alone is so egregious that I won’t go into all the other problems, since the 3D Merchant blog has other articles addressing them. Best practice is to abolish paper credit card authorization forms altogether and replace them with alternatives such as online payments or electronic bill presentment and payment. If a signature is desired, get it on the receipt, which contains the critical data needed to defend a dispute; combining that with a signature on the sales order, containing the product description and a checkbox confirming acceptance of the return policy, will make a chargeback much harder.

Can you recommend a PCI Compliant policy for storing credit cards?

Distributors and manufacturers can overcome PCI Compliance issues with better awareness of the rules and cost efficient solutions to ease the PCI burden. A review of key problems and solutions will help companies with internal credit card authorization and storage policies. For credit card processing, a virtual terminal or integrated gateway is the only cost efficient and secure option for these business types.

It’s never OK to store credit card forms that have the CVV2, or security code, on them. It’s also never OK to store the CVV2 electronically in any format, encrypted or not. This is both a card acceptance problem and a PCI Compliance 3.0 problem (section 3, Protect Cardholder Data). For any recurring charges, including variable ones, merchants only need to validate the CVV one time for a fraud check, and then never again. This is easily accomplished with a zero dollar authorization; however, not all gateways support this feature.

The best paper credit card authorization form is one that doesn’t have full card data, or better yet, doesn’t exist at all. If sales reps in the field are getting card numbers to be charged later, consider a mobile payment app that lets them swipe and create a token using a P2P encrypted reader. That way card data is never exposed at any point in time. Instead of getting card numbers over the phone, empower customers to self pay or store card data using online payment solutions, including either a hosted online pay page or electronic bill presentment and payment (EBPP). Use this to also eliminate credit card data in emails, which is another PCI Compliance problem.

Need to keep a card stored on file that you initiate charges on? It’s indefensible with today’s technology to have credit card data on paper, and it’s risky to use your own encrypted media. Tokenization, a payment gateway service for merchants to remove sensitive data from their environments, is the best practice for security and PCI Compliance.

Some businesses want a signature on file. A sales receipt is generated with almost any online payment solution and merchants can require a customer to print and sign it, or to simply forward the email receipt from company email address with typed name approving it. For recurring billing, choose a payment gateway that generates a PCI Compliant recurring billing authorization form. They’re useless if stolen, and contain all the right language for credit card authorization. It should be supplemented by a signed document with your own custom business terms and conditions, and limitations for duration and maximum charge amounts allowed. Merchants might also get a signed sales order with all terms and conditions, plus the token ID the customer has agreed you’ll charge to.

Third-party credit card authorization doesn’t exist as far as card issuers are concerned. It’s specifically written in the cardholder terms that they cannot allow any third party to use their card. Any form a merchant creates authorizing other parties is at risk for future disputes. The merchant can eliminate the risk by having the company issue purchasing cards for each buyer, or mitigate risk by sending the sales receipt automatically to the cardholder and asking the buyer to confirm receipt per T’s & C’s.

A huge problem is managing old stored data created prior to new PCI Compliance rules. The reality is, the merchant is not PCI Compliant as long as the old stuff exists. That likely means someone will need to be assigned to identify all the past ways that credit card numbers were captured. For electronic, IT will need to get involved to securely remove old data. There are tools to search emails and servers for card data as well.
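The paragraph above mentions tools that search emails and servers for card data. The following is an added example, not code from the page or from CenPOS, of the core of such a discovery check: it finds digit runs that pass the Luhn check, reports them masked so the report is not itself a new copy of cardholder data, and flags CVV-looking values separately. The function names and the sample e-mail text are assumptions made for the example.

```python
"""Scan exported e-mail or OCR'd form text for stored card data (constructed
example, not a tool from the page or from CenPOS). Luhn-valid PANs are
reported masked; a CVV-looking value is flagged separately because storing
it is never allowed under PCI DSS section 3.2."""
import re

PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
CVV_RE = re.compile(r"\b(?:CVV2?|CID|CVC|security code)\s*[:#]?\s*\d{3,4}\b", re.I)

def luhn_ok(digits):
    """Luhn mod-10 check; weeds out most non-card digit runs (order, phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits):
    """Show first six and last four only (the PCI DSS 3.3 display rule)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_text(text):
    """One finding per line holding a Luhn-valid PAN and/or a CVV value."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        candidates = (re.sub(r"[ -]", "", m.group(0)) for m in PAN_RE.finditer(line))
        pans = [mask_pan(d) for d in candidates if luhn_ok(d)]
        cvv = CVV_RE.search(line) is not None
        if pans or cvv:
            findings.append({"line": lineno, "pans": pans, "cvv": cvv})
    return findings

# Constructed sample e-mail: 4111111111111111 is a public test number; the
# order number fails Luhn and the phone number is too short, so both are ignored.
SAMPLE = """\
Subject: card auth form for order 2016020112345
Card: 4111 1111 1111 1111 Exp 12/18
CVV: 123
Call 954-555-0100 if there is a problem"""

if __name__ == "__main__":
    for finding in scan_text(SAMPLE):
        print(finding)
```

Run it over a mailbox export or a directory of OCR output to build the "who, what, where" inventory the next paragraph calls for; the masked findings can go straight into the master PCI file.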

PCI 3.0, in effect now, requires merchants not only are PCI compliant at a point in time, but that there’s a plan in place for monitoring and inspecting. Whoever is cleaning up the old problems should document who, what, where, how and when activities were identified and or completed, and continually add this to the master PCI file.

References:

Payment Card Industry (PCI) Data Security Standard, v3.1, p. 36 (CVV).
Visa Core Rules, October 2014, p. 266: Merchant Must Not Request the Card Verification Value 2 data on any paper Order Form.