Posts Tagged ‘CVV’

New Card Acceptance Process for Magnetic-Stripe Failures at the Point of Sale

Tuesday, November 1st, 2011

Currently, when the magnetic stripe fails during a face-to-face transaction, the merchant key-enters the account number and must also take a manual imprint of the card to prove the card was present; that imprint is the merchant's protection against fraud chargebacks. Effective for transactions processed on or after October 15, 2011, merchants may instead include Card Verification Value 2 (CVV2) in the authorization request for Visa U.S. domestic key-entered face-to-face transactions when the terminal cannot read the magnetic stripe.
To qualify for chargeback protection against reason code 81 (Fraud, Card Present), the transaction must meet all of the following criteria:

  • Authorization approval
  • U.S. domestic transaction
  • Card present, with a magnetic stripe read failure only
  • Transaction was key-entered
  • CVV2 was included in the authorization request
  • Signature obtained on the sales draft, and any retrieval request properly fulfilled

The following transaction types are excluded from the chargeback protection:

  • Quasi Cash
  • Cash Back
  • Manual Cash Disbursement
  • Betting, including lottery tickets
  • Casino Gaming Chips
  • Off-Track Betting and Wagers at a Race Track
  • Visa International transactions

Merchants processing these transaction types must continue to obtain an imprint of the card when the terminal cannot read the magnetic stripe in order to keep their protection against fraud chargebacks.

Shocking lack of payment processing security in healthcare industry

Thursday, April 21st, 2011

There’s room for improvement in medical billing for card not present transactions. The lack of security in the healthcare industry with respect to payment processing is evident in nearly every business I’ve interviewed in the last two years. With all the effort put into HIPAA, you’d think they’d be more likely to be PCI Compliant than other industries, but in my experience talking to and interacting with healthcare companies, I think 50% PCI DSS (Payment Card Industry Data Security Standard) Compliance would be extremely optimistic.

So what’s got my dander up today? A widespread lack of security by healthcare suppliers with my HSA debit card data. Before giving out my credit card information, I always ask what they are going to do with it. As a cardholder, I have a right to know. Like many Americans, I have an HSA account and funds for payments are accessible only via a debit card. That means any misuse could wipe out the account. Under Visa’s Zero Liability policy consumers are not held responsible for fraudulent charges made with the card or account information, but identity theft is another matter the consumer is left to deal with.

I talked to three different personnel for the story that follows. The last one said the first two didn’t entirely follow normal protocol, which does nothing to spare them from the liabilities associated with identity theft.

This article is about a medical-industry merchant storing credit card data in a database and its misunderstanding of the liability exposure that results. Storing card data, even for 24 hours, poses a large risk both financially and criminally. Below we review their processes and the solutions that mitigate the risk.

First, let’s review the payments process. Consumers receive invoices in the mail. They can mail a check, or pay by Visa or MasterCard either by returning a form or by calling on the phone. The merchant then uses a multi-step process to collect the card information and process it.

PAY INVOICE BY MAIL

[Image: credit card payment form]

This invoice format is quite common for medical billing.

RISK: The merchant collects the CVV code (labeled “signature code” on the form), and the completed bills are mailed to its corporate office. Collecting and storing CVV codes is always a bad idea. The mail could be intercepted by employees familiar with the billing process, who could copy or quickly photograph each billing form. It is doubtful the merchant could demonstrate PCI compliance, and it would likely have no safe harbor in the event of a data breach.

SOLUTION: Remove the security code from the form. Have all bills sent to a lockbox. Reduce mail payments by enabling customers to pay their bills online.

PAY INVOICE BY PHONE

The first person to take my payment was covering for someone who was on vacation or otherwise out of the office.

  • She took down my invoice number and credit card information on a piece of paper. She entered something into their billing system so there was a record of my call and payment.
  • The paper went into an “in box”. It was Friday.
  • The person emptying the “in box” and posting payments would be in Monday to complete the transaction.
  • Monday the posting person key entered the transaction into a desktop terminal.
  • Tuesday, presumably, the paper was shredded. The paper is held for a day to ensure the payment went through properly so the customer does not need to be called.

RISK: The paper with full card data was exposed for up to five days. Was the “in box” emptied and its contents put in a locked drawer whenever it was not being worked on, including during breaks? Do cleaning personnel have access to the facility on evenings and weekends?

SOLUTION: Enter the card information directly into our smart virtual terminal. Some flexible options include:

  • Entering the card and customer data and instantly charging the account. In this case, you can enter the CVV for extra fraud protection; it is used for that one authorization and discarded.
  • Creating a customer record and entering the card information for later billing. Using a process called tokenization, the card data is stored encrypted on PCI-compliant servers and never at the merchant location; the merchant keeps only a token. The CVV is never stored, not even encrypted, because card brand rules and PCI DSS prohibit retaining it after authorization.
  • Entering the card and customer information and obtaining an authorization only, for other personnel to capture later.

The second person to take my payment on a future date was the actual representative for my account.

  • She entered information in the billing system so there was a record of my call and payment.
  • My card data, including CVV, was entered into a ‘notes’ section of the billing database.
  • The customer service representative has no access to see the card data after it is entered.
  • An accounting person retrieves the card data for payment in bulk with others within 1 business day.
  • The posting person key enters the transaction into a dial-up desktop terminal.
  • The next business day, presumably, the computer notes are deleted.

RISK: Full card data is exposed on a computer network, and it does not matter that access is restricted to certain personnel. Storing the CVV after authorization, in any form, is a clear PCI DSS violation; the records also fall under FACTA’s disposal rules, and probably HIPAA too. The merchant is open to both criminal and financial penalties in the event of a data breach. Additionally, every hard drive that has held these notes would need to be securely wiped or destroyed when removed from service to eliminate the potential for data theft.

SOLUTION: Enter the card information directly into our smart virtual terminal, same as above.

What are the financial risks with this data exposure?

  • Replacement cost per card compromised, $25.
  • Mandatory consumer credit monitoring service for one year, $12/month per cardholder.
  • Reimburse all claims from the card associations.
  • Fines for FACTA and HIPAA violations, and card-brand fines for PCI DSS non-compliance.
  • Your business could come to a screeching halt while a forensics team investigates.
  • Bad PR could result in loss of business.

What are the criminal risks associated with card data exposure? Potential felony charges.

FINAL NOTES: There is some use of an online gateway within the organization, but those details are unknown. I spoke to staff who believe that, because the payment processing runs on a dial-up terminal that is not connected to the card data in the database, there is no risk. That is completely untrue. The company would not only save time by reducing steps, but would tremendously reduce risk by key entering card data directly into a virtual terminal. Moreover, an intelligent VT would provide a boatload of other benefits.

Ignorance is not an excuse. PCI Compliance standards were established nearly a decade ago. A critical first step to compliance and mitigating risk is a solution that supports all your payment processing needs. We offer that solution.

See also related article, How to reduce time and money for outpatient procedure billing.

On a side note, based on the invoice billing form, the merchant is not accepting American Express cards, probably because it does not want to pay the higher fees associated with Amex. If managing costs to improve EBITDA is important, our hosted payment processing platform with intelligent switch is critical.

How can you improve collecting payments for large outpatient bills?

Wednesday, January 19th, 2011

When a patient has a large medical bill, do you ever agree to multiple payments? How do you handle it? For some operations, the answer is to have the customer call back each month to phone in their payment. The most frequent reason cited is to avoid the risks associated with credit card fraud and identity theft.

This scenario is bad for multiple reasons:

  1. The patient may not call back.
  2. Your staff might have to make more calls to collect later.
  3. Staff has to key-enter the transaction each and every time a payment is made.
  4. Staff has access to the credit card data over and over again (risk).
  5. Staff may be writing down card information to key in later, each time creating a window of exposure.

All of these can be avoided with a virtual terminal solution that meets all medical billing needs. Your computer becomes a virtual terminal simply by logging in to a secure web page. Some think this carries more risk; in practice it carries less. Unlike desktop terminals, administrators control and manage access remotely and on demand. This eliminates the risk of hardware being misused by cleaning personnel, repair crews and unauthorized employees, and you can instantly remove, restrict, or expand credit card processing access.

We put the virtual terminal on steroids so you also receive these benefits:

  • Save gobs of time! When a customer agrees to multiple payments, enter the customer data one time only and then set the payment schedule. Eliminate the follow-up phone calls and other activities. (Recurring Billing)
  • Reduce receivables and predict cash flow. Since payment is on ‘autopilot’, collection is more predictable. A dynamic real-time graphic report shows future receivables.
  • Instant alerts based on thresholds you set can be sent via email to multiple personnel to reduce risk. For example, every refund over $50 sends an email.
  • Create a one-time payment for a different amount, then future fixed payments. No other virtual terminal allows you to do this! (Token billing)
  • If a customer has multiple bills from different dates, enter the card data one time. Then simply add more ‘contracts’ for billing.
  • Add multiple cards for a customer and multiple billing addresses; every option you need to collect payments is available.
  • Least cost routing: eliminates human error and hardware settings from impacting the cost of accepting credit cards.
  • Improve workflow. Enter payments from the immediate work area.
  • Optional integration with patient check-ins: customers can make a partial payment at the hospital on arrival and agree to have the same card rebilled for the balance. You get the swiped (card-present) rate at the hospital and the phone (card-not-present) rate on the later rebills.
  • Pay a bill online: create a payment page quickly and easily with just 3 lines of HTML code to put on an existing web page. Web page creation available for a fee.

FAQ

Can I keep the same credit card processor? Yes. The Virtual Terminal is compatible with all major processors.

Where is the card data stored? It is encrypted and stored on remote PCI-compliant servers with redundant backup. Once the card data is entered, you will never again have access to the card information other than the last four digits.

How long will it take to learn? The basic tasks are learned in under 15 minutes. Users of advanced features will probably spend a few hours over the course of a week.

Do you provide phone support? Yes, 24/7. There are also dozens of 15-25 second videos for instant answers for every situation so your customers don’t have to wait. Phone support is included in the service.

How much does it cost? A better question is, how much will you save? Reduced credit card processing fees, reduced staff time, and improved cash flow. All agreements are per quote and may include a per transaction fee and or percentage of transaction fee. We custom quote so your business pays a fee relative to your business size, and not a penny more.

What are the computer requirements? Windows XP and above or any Mac OSX, with high speed internet.  There is no software to install. This is a host-based solution.

Can I see a demo? Yes! Call 954-942-0483.  If you want to know what your credit card processing savings will be, please send two consecutive merchant statements for analysis.

Do you offer credit card processing? Yes. The virtual terminal and merchant processing are two distinct agreements, and we offer both.

How does this work if we also have a billing company handling our lockbox? The setup is very flexible. You can have a single account in which all users see the same data (for example, patient payment history and contract setup), or you can partition it. You have total control over which users can see which data and which functions they can perform. You’ll never have to wait for a report again, because you’ll have real-time access to all transactions on your schedule and in a format that works for you.

How can we protect against fraud if we don’t ask for the CVV; don’t we save money by getting the CVV? The security code (CVV, CVV2, CID) is not required for mail or phone payments, and CVV never affects the rate you pay. There are other fraud protections, such as address verification (AVS). Since the CVV may not be stored electronically, we do not collect it for recurring billing or token billing.

What about risks from computers? No card data is stored on your computer. To meet PCI DSS, your computers or network may still need quarterly vulnerability scanning, depending on how your environment is scoped.

medical billing forms with credit card option and PCI DSS

Thursday, September 23rd, 2010

Nearly all the medical bills I see now have an option to pay with a credit card. These forms also request the security code (CVV, CVV2) on the form. Should merchants ask for it? Is it legal? Is it safe? What are they doing with these forms? I’m personally not writing down my 3 digit security code on any form and returning that through the mail.

Should medical billing companies ask for the card security code on mail response forms? No. The CVV is not needed for interchange qualification and has zero impact on your processing costs. It exists to protect against fraud, particularly the use of card numbers obtained without the physical card. If the customer has already presented the card in person for a swiped transaction, the CVV is not needed for rebilling, but the biller has no way of knowing that from the form.

According to Visa’s Ecommerce Risk Management Guide dated December 2009, for information security purposes, all merchants are prohibited from storing Card Verification Value 2 (CVV2). Per Visa’s Data Security Tips: “Do not store the three-digit number on the back of Visa payment cards (CVV2) in any format. Do not request the CVV2 number on mail-order forms or billing forms.”

Per one merchant processor’s rules on MOTO/Internet transactions: “You (the merchant) are prohibited from storing CVV2, CVC2, magnetic stripe track data, and AVS and PIN data. Each party will store all media containing Cardholder numbers in an area limited to selected personnel on a ‘need to know’ basis only and prior to either party discarding any material containing cardholder information, the party will destroy it in a manner rendering the Card account numbers unreadable.”

MERCHANT QUESTIONS:

What if my payment processing system requires a CVV to process a credit card transaction? You need an alternative way to input those transactions. CVV2 is generally required for internet transactions, but it must not be requested on mail-order forms. Call and we can set you up quickly with a virtual terminal.

Should you require CVV or AVS for phone orders?

Thursday, December 10th, 2009

Why check the address (AVS) instead of the CVV to protect mail orders against fraud? Shouldn’t the CVV or CVV2 be checked before anything else? The answer depends on how your firm processes orders and on the need to remain PCI compliant.

MO/TO or MOTO stands for Mail orders/telephone orders. The same rules apply for fax orders.

Mail orders and fax orders generally involve a pre-printed form returned with the buyer’s selection and pricing. The form is then scanned with an OCR device or the order is key-entered. Beware: if your form asks for the CVV or CID code, it presents a security risk from the moment it leaves the sender’s hands, so when the order is received the merchant must protect this data and must not store it. You can instead choose a way to process the order that does not require a CVV code but still protects the merchant from fraud; AVS (address verification) then becomes essential. If using a virtual terminal, the terminal should require an AVS check.

If you complete phone orders by key-entering the cardholder’s data while on the phone with the customer, you can ask for the CVV or CVV2 code. The assumption is that you are using a PCI-compliant solution, whether software or a virtual terminal, that does not store the CVV data. A secure method such as a virtual terminal can prompt for the CVV code and also perform an address check. There is still some risk in taking the CVV over the phone because the data is exposed to whoever handles the order. If transaction information is written down to be key-entered later, avoid writing down the CVV whenever possible; if it is written down, follow the PCI DSS handling rules to protect the paper until the transaction is complete and the paper is securely shredded.

The AVS response can be a full match, a partial match, no match, unavailable, or retry.

Full match: both the ZIP code and the street address match.

Partial match: only the ZIP code or only the address matches, not both. Decide how much risk you are willing to assume based on the order value.

No match: neither the ZIP nor the address matches. This is a sign of fraud, and further steps should be taken to verify that it is a valid transaction. If you’re on the phone, ask questions and get the CVV. If you’re not on the phone, you might want to invest time in a little research depending on the value of the order. For example, I’ve used whitepages.com to research name, phone and address. If the person moved, there could be a legitimate reason, but the person should be able to recite their old address.

Unavailable: the AVS system is unavailable or the card issuer does not support it. U.S. card issuers must support AVS, but this is not true worldwide, so merchants with many foreign cardholders may find that requiring AVS blocks legitimate orders; CVV, on the other hand, can be checked on virtually all cards. Merchants lose the chargeback protection these checks provide on card-not-present transactions when the CVV or AVS response is U (unavailable).

Retry: the card issuer’s system is unavailable; try again later.

For more details, please see the Visa Card Acceptance Guide.

If the merchant performs an address check and gets a full match, plus has a CVV match, they’ll be in a better position to win chargeback disputes. However, your customer types, order processing methods, employees and industry all are factors in assessing risk and determining what steps are best for you to mitigate risk. Whatever methods you choose, be sure to communicate policies with employees and always review PCI Data Security Standards.

CenPOS is a technology solution with numerous controls to help management set criteria globally and down to the cashier level. Settings include AVS (full and partial) and CVV plus dollar thresholds.

In conclusion, whether to require the CVV for MOTO transactions is a business decision. Weigh the risk of having the code exposed until it has been used and shredded against the risk of credit card fraud without it. For small-ticket orders you may wish to skip it to reduce exposure; for large-value orders you may not want to risk product going out the door. In that case, have a PCI compliance program in place and train employees. AVS should be required to pass without exception.
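The response handling described above, written out as a decision routine. This is an added example for this page, not CenPOS software and not code from the original post. The AVS letters (Y/X full, A/Z/W partial, N no match, U/S/G unavailable, R retry) and CVV2 result letters (M match, N no match, P not processed) are assumed to be the conventional Visa codes, and the dollar thresholds in Policy are illustrative placeholders; the SAMPLE_ORDERS are constructed, not real authorizations.

```python
"""Card-not-present order disposition from the AVS and CVV2 responses.

Added example; not CenPOS code. Response-letter mappings and the thresholds
in Policy are assumptions for illustration.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Channel(Enum):
    PHONE = "phone"  # cardholder on the line, so CVV2 can be requested
    MAIL = "mail"    # paper form, which must not ask for CVV2


class Decision(Enum):
    APPROVE = "approve"
    REVIEW = "review"    # hold the order and verify before shipping
    DECLINE = "decline"
    RETRY = "retry"      # issuer AVS system down: re-authorize later


# Assumed mapping from conventional AVS letters to the outcomes in the post.
AVS_FULL = {"Y", "X"}              # street address and ZIP both match
AVS_PARTIAL = {"A", "Z", "W"}      # only the address or only the ZIP matches
AVS_NO_MATCH = {"N"}
AVS_UNAVAILABLE = {"U", "S", "G"}  # issuer or card does not support AVS
AVS_RETRY = {"R"}


@dataclass
class Policy:
    partial_match_limit: float = 250.00  # approve a partial AVS match only up to this amount
    cvv_required_above: float = 500.00   # phone orders above this need a CVV2 match
    require_avs_pass: bool = True        # "AVS should be required to pass without exception"


def decide(avs: str, cvv: Optional[str], amount: float, channel: Channel,
           policy: Policy = Policy()) -> Decision:
    """Return the disposition for one authorization response.

    cvv is None when CVV2 was not submitted, the normal case for mail orders.
    """
    if avs in AVS_RETRY:
        return Decision.RETRY        # issuer system unavailable: try again later
    if cvv == "N":
        return Decision.DECLINE      # an explicit CVV2 mismatch is a fraud signal whatever AVS says
    if avs in AVS_UNAVAILABLE:
        # No AVS result means no AVS-based chargeback protection; hold for manual
        # verification rather than ship (foreign cards commonly land here).
        return Decision.REVIEW if policy.require_avs_pass else Decision.APPROVE
    if avs in AVS_NO_MATCH:
        # Sign of fraud: on the phone, ask questions and take CVV2; otherwise research first.
        return Decision.REVIEW
    if avs in AVS_PARTIAL:
        return Decision.APPROVE if amount <= policy.partial_match_limit else Decision.REVIEW
    if avs in AVS_FULL:
        if channel is Channel.PHONE and amount > policy.cvv_required_above and cvv != "M":
            return Decision.REVIEW   # large phone order without a CVV2 match
        return Decision.APPROVE
    return Decision.REVIEW           # unrecognized code: never approve on it


# Constructed sample authorization responses (not real transactions).
SAMPLE_ORDERS: List[Dict] = [
    {"id": "A1", "avs": "Y", "cvv": "M", "amount": 1200.00, "channel": Channel.PHONE},
    {"id": "A2", "avs": "Y", "cvv": None, "amount": 80.00, "channel": Channel.MAIL},
    {"id": "A3", "avs": "Z", "cvv": None, "amount": 600.00, "channel": Channel.MAIL},
    {"id": "A4", "avs": "N", "cvv": "M", "amount": 45.00, "channel": Channel.PHONE},
    {"id": "A5", "avs": "U", "cvv": "M", "amount": 300.00, "channel": Channel.PHONE},
    {"id": "A6", "avs": "Y", "cvv": "N", "amount": 20.00, "channel": Channel.PHONE},
    {"id": "A7", "avs": "R", "cvv": None, "amount": 150.00, "channel": Channel.MAIL},
]


def screen(orders: List[Dict], policy: Policy = Policy()) -> Dict[str, Decision]:
    """Apply the policy to a batch and return {order id: decision}."""
    return {o["id"]: decide(o["avs"], o["cvv"], o["amount"], o["channel"], policy)
            for o in orders}


if __name__ == "__main__":
    for order_id, decision in screen(SAMPLE_ORDERS).items():
        print(order_id, decision.value)
```

Running the module screens the constructed batch: A1 and A2 approve, A3 (partial match above the limit), A4 (no match) and A5 (AVS unavailable) go to review, A6 declines on the CVV2 mismatch, and A7 is retried. The one rule that is not a threshold is the CVV2 "N" check: it is evaluated before AVS because a full address match does not redeem a wrong security code.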

Storing CVV codes so you can rebill

Friday, August 21st, 2009

Merchants who persist in storing credit card data, including CVV codes, do not meet PCI DSS. It is never OK to store the CVV code. One of the most common reasons given is corporate accounts: the merchant has the customer sign a document authorizing charges to their card for services rendered or goods delivered on an ongoing basis, and the form contains an area for the customer to enter their card information, including the CVV code.

The merchant should avoid storing the CVV code simply by not having a space for it on the form. At the time the first transaction is processed, call the customer for the CVV code. If you write it down, securely shred it as soon as the transaction is complete. The purpose of the code is to protect against fraud by validating that the person placing the order has the card. Once you have run AVS and CVV checks on the first card-not-present transaction, there is no reason to keep the CVV: you already know the customer!

If you file other card data on paper, it should be in a locked cabinet with restricted access. A better alternative is a secure host-based processing solution that offers recurring billing: the host stores the card data encrypted off site, and never the CVV.
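The rebilling flow this post recommends, and the tokenization option described in the April 2011 post and its FAQ, look like this when reduced to code. This is an added example written for this page; it is not CenPOS code and not any real gateway’s API. TokenVault, seal/open_sealed and processor_authorize are hypothetical names: to stay standard-library only, the “encryption” is an HMAC-SHA256 keystream with an encrypt-then-MAC tag (illustrative; a real vault uses an HSM-backed AEAD such as AES-GCM), processor_authorize is a stub standing in for the acquirer, and 4111111111111111 is the usual Visa test number, not a real account. The point it demonstrates is structural: the CVV2 exists only as an argument to the first authorization, and nothing the vault persists can contain it.

```python
"""Host-side token vault: the merchant keeps a token and last four digits, the
PAN is stored encrypted on the host, and CVV2 is used once and never written.
Added example, not CenPOS code; the cipher is an illustrative HMAC construction."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def luhn_ok(pan: str) -> bool:
    """Mod-10 check, so a typo is caught before anything is vaulted."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (illustrative, stdlib-only)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def open_sealed(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; a modified record raises ValueError."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("vault record failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class VaultRecord:
    """Everything the host persists for one card. Deliberately no CVV field."""
    sealed_pan: bytes
    last4: str
    expiry: str  # MMYY


def processor_authorize(pan: str, expiry: str, amount: float, cvv: Optional[str]) -> dict:
    """Stub for the acquirer call; CVV2 exists only in this call's arguments."""
    return {"approved": True, "amount": amount, "last4": pan[-4:], "cvv_checked": cvv is not None}


class TokenVault:
    """Runs on the PCI-compliant host; the merchant application never holds a PAN."""

    def __init__(self, master_key: bytes):
        # Separate sub-keys for confidentiality and integrity.
        self._enc_key = hmac.new(master_key, b"pan-encrypt", hashlib.sha256).digest()
        self._mac_key = hmac.new(master_key, b"pan-mac", hashlib.sha256).digest()
        self._records: Dict[str, VaultRecord] = {}

    def tokenize(self, pan: str, expiry: str) -> str:
        """Store the PAN encrypted and return an opaque token for the merchant's files."""
        if not luhn_ok(pan):
            raise ValueError("PAN fails Luhn check")
        token = "tok_" + secrets.token_hex(16)
        self._records[token] = VaultRecord(seal(self._enc_key, self._mac_key, pan.encode()),
                                           pan[-4:], expiry)
        return token

    def display(self, token: str) -> str:
        """The only card detail the merchant can see after tokenization."""
        return "**** **** **** " + self._records[token].last4

    def authorize(self, token: str, amount: float, cvv: Optional[str] = None) -> dict:
        """Decrypt inside the vault and call the processor; pass cvv on the first charge only."""
        rec = self._records[token]
        pan = open_sealed(self._enc_key, self._mac_key, rec.sealed_pan).decode()
        return processor_authorize(pan, rec.expiry, amount, cvv)

    def persisted_bytes(self) -> bytes:
        """What would land on the host's disk, for checking that no cleartext PAN is stored."""
        return b"".join(r.sealed_pan + r.last4.encode() + r.expiry.encode()
                        for r in self._records.values())

    def tamper_detected(self, token: str) -> bool:
        """Flip one ciphertext byte of the stored record and confirm decryption refuses it."""
        blob = self._records[token].sealed_pan
        damaged = blob[:16] + bytes([blob[16] ^ 0x01]) + blob[17:]
        try:
            open_sealed(self._enc_key, self._mac_key, damaged)
        except ValueError:
            return True
        return False


def first_charge_then_rebill(vault: TokenVault, pan: str, expiry: str, cvv: str,
                             first_amount: float, rebill_amount: float):
    """The post's flow: CVV2 on the first card-not-present charge, token-only rebills after."""
    token = vault.tokenize(pan, expiry)
    first = vault.authorize(token, first_amount, cvv=cvv)   # CVV2 used once, then discarded
    later = vault.authorize(token, rebill_amount)           # rebill without CVV2
    return token, first, later
```

Usage: `first_charge_then_rebill(TokenVault(secrets.token_bytes(32)), "4111111111111111", "1225", "123", 250.0, 250.0)` returns the token plus the two authorization results; the first reports `cvv_checked` True and the rebill False, `display()` yields only the last four digits, and `persisted_bytes()` never contains the cleartext PAN. The master key is the one thing that must live in the host’s key management, never alongside the records.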
