VISA FRAUD DISPUTE RULES CHANGES IMPACT CARD NOT PRESENT

April 5, 2017—This alert contains critical information regarding new and revised Visa card acceptance rules, effective now and coming in the future, for merchants. Business-to-business companies may be at higher risk of associated chargeback losses or declines because of their larger average order size. Effective April 22, 2017, revisions split the “Other Fraud” dispute condition under Enhanced Dispute Resolution into separate conditions for Card-Present and Card-Absent Transactions, and incorporate changes to the payment flow related to disputes.

Christine’s Analysis: Merchants need to support both EMV chip for Card-Present and Verified by Visa for card-not-present transactions. Verified by Visa is Visa’s brand for 3-D Secure, a cardholder authentication protocol that the other major card brands also implement under their own names. For example, a cardholder might be asked to enter a PIN or answer some other type of authentication question. Cardholder authentication for Card-Absent Transactions shifts liability for “it wasn’t me” fraud disputes from the merchant to the issuer. This card-absent cardholder authentication process requires that cardholders self-initiate payments, which eliminates collecting card numbers via phone or paper credit card authorization forms. Merchants are rewarded for using cardholder authentication with reduced interchange rates and increased approvals.

Christine’s TIP: Per Visa rule 5.4.2.5, a US merchant or its agent must not request the Card Verification Value 2 (CVV2) on any paper order form. Replace paper forms with digital, PCI Compliant forms and online payment solutions with cardholder authentication as soon as possible.

Online payment solutions include a hosted pay page like the one shown below.

(Image: hosted pay page for online payments)

A hosted pay page lets customers make secure payments online through a third-party provider (a payment gateway; a payment facilitator is a separate role, although some gateways also offer it), so card data is entered on the provider’s page rather than on the merchant’s systems.

Other solutions include pushing out payment requests, such as via text or email (electronic invoice presentment and payment, EIPP). With new and revised rules impacting the entire payment ecosystem, including issuer, acquirer, gateway, merchant, and potentially other software such as ERPs and ecommerce shopping carts, merchants should verify that every part of their payment ecosystem supports them. Desktop terminals cannot support all the rules for card-absent needs; a cloud-based payment gateway is required, whether non-integrated or integrated with an ecommerce shopping cart, ERP or other software.

Does your online payment solution support Verified by Visa, or do you need a solution? Contact Christine Speedy at 954-942-0483 for a fast and easy solution, compatible with your existing credit card processor.

New Card Acceptance Process for Magnetic-Stripe Failures at the Point of Sale

Currently, when the magnetic stripe fails during a face-to-face transaction, the merchant key-enters the account number and must manually imprint the card to prove the card was present during the transaction, for protection against fraud chargebacks. Effective for new transactions processed on or after October 15, 2011, merchants may include Card Verification Value 2 (CVV2) in the authorization request for Visa U.S. domestic key-entered face-to-face transactions when the magnetic stripe cannot be read by the terminal.
To qualify for chargeback protection against reason code 81, “Fraud-Card Present”, the transaction must meet all of the following criteria:

  • Authorization Approval
  • U.S. Domestic Transaction
  • Card Present with magnetic stripe failure only
  • Transaction was key-entered
  • CVV2 was included in the authorization request
  • Signature obtained on the sales draft and retrieval request properly fulfilled

The following transaction types are excluded from the chargeback protection:

  • Quasi Cash
  • Cash Back
  • Manual Cash Disbursement
  • Betting, including lottery tickets
  • Casino Gaming Chips
  • Off-Track Betting and Wagers at a Race Track
  • Visa International transactions

These merchants must continue to obtain an imprint of the card when the magnetic stripe cannot be read by the terminal for the protection against fraud chargebacks.

Shocking lack of payment processing security in healthcare industry

There’s room for improvement in medical billing for card-not-present transactions. The lack of security in the healthcare industry with respect to payment processing is evident in nearly every business I’ve interviewed in the last two years. With all the effort put into HIPAA, you’d think they’d be more likely to be PCI Compliant than other industries, but in my experience talking to and interacting with healthcare companies, I think 50% PCI DSS (Payment Card Industry Data Security Standard) compliance would be extremely optimistic.

So what’s got my dander up today? A widespread lack of security by healthcare suppliers with my HSA debit card data. Before giving out my credit card information, I always ask what they are going to do with it. As a cardholder, I have a right to know. Like many Americans, I have an HSA, and its funds are accessible only via a debit card. That means any misuse could wipe out the account. Under Visa’s Zero Liability policy, consumers are not held responsible for fraudulent charges made with the card or account information, but identity theft is another matter that the consumer is left to deal with.

I talked to three different personnel for the story that follows. The last one said the first two didn’t entirely follow normal protocol, which does nothing to spare them from the liabilities associated with identity theft.

This article is about a medical industry merchant storing credit card data in a database and its misunderstanding of the resulting liability exposure. Storing card data even for 24 hours poses a huge risk, both financially and criminally. In this article we’ll review their processes and solutions to mitigate risk.

First, let’s review the payments process.  Consumers receive invoices in the mail. They can mail a check or pay by Visa or MasterCard by returning a form, or call on the phone. The merchant then uses a multi-step process to collect the information and process it.

PAY INVOICE BY MAIL

(Image: credit card payment form from the mailed invoice)

This invoice format is quite common for medical billing.

RISK: The merchant collects the CVV code (listed as “signature code” on the form), and bills are sent to their corporate office. Collecting and storing CVV codes is always a bad idea: Visa prohibits requesting CVV2 on paper forms, and PCI DSS prohibits storing it after authorization, even encrypted. The mail could be stolen by internal employees familiar with the billing process, and someone could copy or quickly photograph each billing form. It’s doubtful they could prove PCI Compliance, and they would likely have no safe harbor in the event of a data breach.

SOLUTION: Remove the security code from the form. Have all bills sent to a lockbox. Reduce mail payments by enabling customers to pay their bills online.

PAY INVOICE BY PHONE

The first person to take my payment was covering for someone who was on vacation or otherwise out of the office.

  • She took down my invoice number and credit card information on a piece of paper. She entered something into their billing system so there was  a record of my call and payment.
  • The paper went into an “in box”. It was Friday.
  • The person emptying the “in box” and posting payments would be in Monday to complete the transaction.
  • Monday the posting person key entered the transaction into a desktop terminal.
  • Tuesday, presumably, the paper was shredded. The paper is held for a day to ensure the payment went through properly so the customer does not need to be called.

RISK: The paper with full card data was exposed for up to five days. Was the “in box” emptied and locked in a drawer when not being worked on, including breaks? Do cleaning personnel have access to the facility on evenings and weekends?

SOLUTION: Enter the card information directly into our smart virtual terminal. Some flexible options include:

  • Entering the card and customer data and instantly charging the account. In this case, you can enter the CVV for extra fraud protection.
  • Creating a customer and entering the card information for later billing. Using a process called tokenization, the card data is stored encrypted on PCI Compliant servers, never at the merchant location, and the merchant keeps only a token that references it. CVV is NEVER stored, not even encrypted, since retaining it after authorization is against card association rules.
  • Entering the card and customer information and obtaining an authorization only, for other personnel to charge later.
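To make the storage rule concrete, here is an added example (not the page’s or any vendor’s code) of a toy token vault: the merchant side gets an opaque token and the last four digits, the vault keeps the PAN encrypted at rest, and the CVV2 is used on the first authorization only and has no field to land in. Assumptions of this example: the processor call is simulated, and the at-rest encryption is an HMAC-SHA256 keystream used only so the code runs with the standard library; a production vault would use an authenticated cipher such as AES-GCM with a hardware- or HSM-backed key.

```python
"""Toy token vault modelling the storage rules described above (added example)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


@dataclass(frozen=True)
class VaultRecord:
    """What the vault persists per token. Note there is no CVV2 field at all."""
    nonce: bytes
    enc_pan: bytes
    last4: str
    expiry: str  # MMYY


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stdlib-only stand-in (assumption of this
    example) for a real AEAD cipher such as AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _simulated_processor_auth(pan: str, expiry: str, cvv2: Optional[str],
                              amount_cents: int) -> bool:
    """Constructed stand-in for the processor: approves anything under $5,000."""
    return amount_cents < 500_000


class TokenVault:
    def __init__(self, key: bytes):
        self._key = key
        self._store: Dict[str, VaultRecord] = {}

    def tokenize(self, pan: str, expiry: str, cvv2: Optional[str],
                 first_charge_cents: int = 0) -> Tuple[str, str, bool]:
        """Store the card once; return (token, last4, first_auth_approved).

        CVV2 is sent on the first authorization only. It is never placed in
        VaultRecord and goes out of scope when this method returns."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19):
            raise ValueError("PAN must be 13-19 digits")
        if cvv2 is not None and not (cvv2.isdigit() and len(cvv2) in (3, 4)):
            raise ValueError("CVV2 must be 3 or 4 digits")
        approved = _simulated_processor_auth(pan, expiry, cvv2, first_charge_cents)
        nonce = secrets.token_bytes(16)
        enc = _xor(pan.encode(), _keystream(self._key, nonce, len(pan)))
        token = "tok_" + secrets.token_urlsafe(16)
        self._store[token] = VaultRecord(nonce, enc, pan[-4:], expiry)
        return token, pan[-4:], approved

    def _decrypt_pan(self, rec: VaultRecord) -> str:
        return _xor(rec.enc_pan, _keystream(self._key, rec.nonce, len(rec.enc_pan))).decode()

    def charge(self, token: str, amount_cents: int) -> dict:
        """Recurring or token charge. The PAN is reconstructed only inside the
        vault and passed to the processor; the caller gets a masked reference."""
        rec = self._store[token]
        pan = self._decrypt_pan(rec)
        approved = _simulated_processor_auth(pan, rec.expiry, None, amount_cents)
        return {"token": token, "masked": "*" * (len(pan) - 4) + rec.last4,
                "approved": approved}

    def stored_fields(self) -> Set[str]:
        """Field names persisted per token; a self-check that CVV2 is never kept."""
        return set(VaultRecord.__dataclass_fields__)

    def contains_plaintext(self, digits: str) -> bool:
        """True if the digit string is readable anywhere in the persisted store."""
        for rec in self._store.values():
            if digits.encode() in rec.enc_pan or any(digits in s for s in (rec.last4, rec.expiry)):
                return True
        return False


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    token, last4, ok = vault.tokenize("4111111111111111", "1225", "123", 15_000)
    print(token, last4, ok, vault.charge(token, 12_500))
```

The two self-check methods are the part worth carrying into a real design review: `stored_fields` makes the schema explicit so a CVV2 column cannot slip in unnoticed, and `contains_plaintext` is the kind of probe to run against an actual database dump after a vault is deployed.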

The second person to take my payment on a future date was the actual representative for my account.

  • She entered information in the billing system so there was  a record of my call and payment.
  • My card data, including CVV, was entered into a ‘notes’ section of the billing database.
  • The customer service representative has no access to see the card data after it is entered.
  • An accounting person retrieves the card data for payment in bulk with others within 1 business day.
  • The posting person key enters the transaction into a dial-up desktop terminal.
  • The next business day, presumably, the computer notes are deleted.

RISK: Full card data is exposed on a computer network. It doesn’t matter that access is restricted to certain personnel: the data sits in a free-text field that database backups, administrators, and any attacker with database access can read. Storing the CVV after authorization is a clear violation of PCI DSS, and the retained card data likely creates exposure under FACTA and HIPAA as well. The merchant is open to both criminal and financial penalties in the event of a data breach. Additionally, the merchant would need to securely wipe or destroy every associated hard drive and backup removed from service in the future to eliminate data theft potential.
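The risk above is easier to make concrete with a scan. The following is an added example, not code from the page or from any vendor, that searches free-text rows such as a billing system’s ‘notes’ column for digit runs that pass the Luhn check and for security codes next to labels such as “cvv” or “sec code”. The label list and the sample rows are constructed for this example, and findings are reported masked to the last four digits so the report itself does not become another copy of the card data.

```python
"""Cardholder-data discovery over free-text fields (added example)."""
import re
from typing import Dict, Iterable, List, Tuple

# A run of 13-19 digits, allowing single spaces or dashes between groups,
# not preceded or followed by another digit.
_PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A security-code label followed by a 3- or 4-digit value. The label list is
# an assumption for this example; extend it to match your own staff's habits.
_CVV_NEARBY = re.compile(
    r"\b(?:cvv2?|cvc|cid|sec(?:urity)? code)\D{0,5}(\d{3,4})\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit validation; filters out phone numbers, dates, invoice IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four, matching what merchant staff should ever see."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> Dict[str, object]:
    """Return masked PANs and the number of labelled security codes in one string."""
    pans: List[str] = []
    for m in _PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(mask(digits))
    return {"pans": pans, "cvv_count": len(_CVV_NEARBY.findall(text))}


def scan_rows(rows: Iterable[Tuple[str, str, str]]) -> List[Dict[str, object]]:
    """rows: (record_id, field_name, text). Returns one finding per row with hits."""
    findings: List[Dict[str, object]] = []
    for record_id, field, text in rows:
        result = scan_text(text)
        if result["pans"] or result["cvv_count"]:
            findings.append({"record": record_id, "field": field, **result})
    return findings


# Constructed sample rows standing in for a billing system's notes column.
SAMPLE_ROWS = [
    ("inv-1001", "notes", "pt called, pay w/ visa 4111 1111 1111 1111 exp 12/25 cvv 123"),
    ("inv-1002", "notes", "left voicemail re balance; callback 954-942-0483"),
    ("inv-1003", "notes", "MC 5555-5555-5555-4444 sec code 9876, charge $250 Monday"),
    ("inv-1004", "notes", "check #10293 received 2013-04-02, posted"),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

Run it against an export of the notes table (or any free-text column) rather than the live database, and treat the output as evidence for scoping, not as proof of absence: card numbers typed with unusual separators, or stored in attachments and scanned images, will not be caught by a digit-run regex.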

SOLUTION: Enter the card information directly into our smart virtual terminal, same as above.

What are the financial risks with this data exposure?

  • Replacement cost per card compromised, $25.
  • Mandatory consumer credit report service for one year, $12/month per cardholder.
  • Reimburse all claims from card associations.
  • Fines from FACTA, HIPAA, and PCI Compliance violations
  • Your business could come to a screeching halt while a forensics team investigates.
  • Bad PR could result in loss of business.

What are the criminal risks associated with card data exposure? Felony charges.

FINAL NOTES: There is some use of an online gateway within the organization, but those details are unknown. I spoke to staff who believe that since payment processing is via a dial-up terminal that is not connected to the card data in the database, there is no risk. That is completely untrue: the risk lies in the stored card data itself, not in how the terminal connects. The company would not only save time by reducing steps, but would tremendously reduce risk by key-entering card data directly into a virtual terminal. Moreover, an intelligent VT would provide a boatload of other benefits.

Ignorance is not an excuse. The PCI DSS was established nearly a decade ago. A critical first step to compliance and mitigating risk is a solution that supports all your payment processing needs. We offer that solution.

See also related article, How to reduce time and money for outpatient procedure billing.

On a side note, based on the invoice billing form, the merchant is not accepting American Express cards, probably because they don’t want to pay the high fees associated with Amex. If managing costs to improve EBITDA is important, our hosted payment processing platform with intelligent switch is critical.

How can you improve collecting payments for large outpatient bills?

When a patient has a large medical bill, do you ever agree to multiple payments? How do you handle it? For some operations, the answer is for the customer to call back each month to phone in their payment. The most frequent reason cited is to avoid risks associated with credit card fraud and identity theft.

This scenario is bad for multiple reasons:

  1. The patient may not call back.
  2. Your staff might have to make more calls to collect later.
  3. Staff has to key enter the transaction each and every time a payment is made.
  4. Staff has access to credit card data over and over again (risk).
  5. Staff may be writing down card information to keypunch in later, each time creating a period of risk.

All of these can be avoided with a virtual terminal solution that meets all medical billing needs. Your computer becomes a virtual terminal simply by logging in to a secure web page. Some think there is more risk with this; however, there is actually less. Unlike desktop terminals, administrators control and manage access remotely, on demand. This eliminates risk associated with wrongful use of hardware by cleaning personnel, repair crews and unauthorized employees, and you can instantly remove, restrict, or expand credit card processing access.

We put the virtual terminal on steroids so you also receive these benefits:

  • Save gobs of time! When a customer agrees to multiple payments, enter the customer data one time only and then set the payment schedule. Eliminate the follow up phone calls and other activities. (Recurring Billing)
  • Reduce receivables and predict cashflow- Since payment is on ‘autopilot’, collection is more predictable. Dynamic real-time graphic report shows future receivables.
  • Instant alerts based on thresholds you set can be transmitted via email to multiple personnel to reduce risk. For example, every refund over $50 sends an email.
  • Create a one time payment for a different amount, then future fixed payments. No other virtual terminal allows you to do this! (Token billing)
  • If a customer has multiple bills from different dates, enter the card data one time. Then simply add more ‘contracts’ for billing.
  • Add multiple cards for a customer and multiple billing addresses- every possible option you need to collect payments are available.
  • Least cost routing: eliminate human error and hardware settings from impacting the cost of accepting credit cards.
  • Improve workflow. Enter payments from immediate work area.
  • Optional integration with patient check-ins- customers can make partial payment at hospital on arrival, and agree to rebill same card for balance. You get swipe rate at hospital and phone rate in the future.
  • Pay a bill online- create a payment page quickly and easily with just 3 lines of html code to put on an existing web page. Web page creation available for a fee.

FAQ

Can I keep the same credit card processor? Yes. The Virtual Terminal is compatible with all major processors.

Where is the card data stored? It is encrypted and stored on remote PCI Compliant servers with redundant back-up. Once the card data is entered, you’ll never have access to the card information, other than the last 4 digits, again.

How long will it take to learn? The basic tasks are learned in under 15 minutes. Users of advanced features will probably spend a few hours over the course of a week.

Do you provide phone support? Yes, 24/7. There are also dozens of 15-25 second videos for instant answers for every situation so your customers don’t have to wait. Phone support is included in the service.

How much does it cost? A better question is, how much will you save? Reduced credit card processing fees, reduced staff time, and improved cash flow. All agreements are per quote and may include a per transaction fee and or percentage of transaction fee. We custom quote so your business pays a fee relative to your business size, and not a penny more.

What are the computer requirements? Windows XP and above or any Mac OSX, with high speed internet.  There is no software to install. This is a host-based solution.

Can I see a demo? Yes! Call 954-942-0483.  If you want to know what your credit card processing savings will be, please send two consecutive merchant statements for analysis.

Do you offer credit card processing? They are two distinct agreements and we offer both.

How does this work if we also have a billing company handling our lockbox? The setup is very flexible. You can have one account where all users can see data such as patient payment history and contract setup, or restrict it. You’ll have total control over which users can see what data and what functions they can perform. You’ll never have to wait for a report again, because you’ll have real-time access to all transactions, on your schedule and in a format that works for you.

How can we protect against fraud if we don’t ask for the CVV; don’t we save money by getting the CVV? The security code (CVV, CVV2 or CID) is not required for mail/phone payments, and it never affects cost. There are many other fraud protections, such as address verification (AVS). Since the CVV must not be stored after authorization, we do not collect it for recurring billing or token billing.

What about risks from computers? No data is stored on your computer. Depending on the PCI DSS self-assessment questionnaire that applies to you, your individual computers or network may still need quarterly external vulnerability scanning by an Approved Scanning Vendor (ASV).