Posts Tagged ‘PCI compliance’

Electronic bill presentment and payment improves PCI Compliance

Wednesday, April 17th, 2013

Electronic bill presentment and payment, or EBPP, improves PCI Compliance by removing employees from having access to credit card information. Instead of credit card numbers on fax forms or employees accepting payment information over the phone, simply send an e-invoice which the customer can click to pay.

The image below shows the landing page after a customer clicks the text message or email link to pay.

[Image: electronic bill presentment and payment landing page]

Better than electronic invoicing, our solution enables customers to make payments right from the email. Why is this important? By delivering the invoice and the ability to pay without logging in, you’ll dramatically reduce time from invoice to payment collection.

EBPP sales sheet (PDF)

Our EBPP is fast, easy to use, and requires no capital investment to implement. For sales call Christine at 954-942-0483 or click here for more information.

Video Training: How to replace credit card authorization forms

Wednesday, April 3rd, 2013

In this training video, I show how to securely store credit card data so that no one can ever see it again. It’s virtually impossible to prove Payment Card Industry Data Security Standard (PCI DSS) compliance if you are storing credit card authorization forms with full card data. This solution can significantly boost PCI Compliance and reduce losses due to disputes and the resulting chargebacks.

The positive card verification checkbox is used to submit a zero-dollar authorization transaction. This validates all rules configured in the merchant administration, both globally and per user. For example, if the rules require address, zip code, and CVV security code verification, those items will be validated with the card issuer. The receipt is the merchant’s record of proof that the card issuer passed the verification.

Optionally send the repeat sale credit card charge form to your customer. Have the customer sign and send it back. This replaces credit card authorization forms that have full card data.

TIP: Include a cancellation and refund policy on all invoices, as required for all card not present transactions per card acceptance guidelines.

CenPOS works with your existing processor, and is fast, easy, and requires no capital investment to implement. Call Christine Speedy in sales 954-942-0483 or click here for more information.

Online Form Creator With Secure Online Payments

Monday, April 1st, 2013

To convert a paper sales order form, with credit card authorization, from paper to electronic, including securely collecting an online payment, there are multiple options. This article addresses the business to business need for a quick solution to become PCI Compliant. PCI is short for PCI DSS or Payment Card Industry Data Security Standards, the mandatory standards for all merchants accepting credit cards.

[Image: virtual terminal and web payment page for a law firm]

The image shows an example of a custom secure payment page on a law firm web site, fully configurable for your specific needs.

How critical is the security of the data being collected? What will be done with the information afterwards? The simplest solution is to create a quick script that collects the data and sends it to an email address. After the form is submitted, the return URL (the page that appears after the form data is submitted) contains a link to a secure pay page hosted by a third party. I like having a link on the return URL instead of immediately redirecting because it provides an opportunity to assure the payer that the link is to a trusted web page. Because the form data is not in a spreadsheet that can be imported into a database, or collected automatically in a database, some manual work will be needed afterwards. However, don’t get hung up on this! If the current process is faxing credit card authorization forms back and forth, the entire process is already manual. At a minimum, staff will save the time spent key-entering credit card data, and this process is more secure for business owners and their customers. Additionally, the back office for the pay page will have an export feature, making it possible to import transaction information into accounting programs.

All of the above can be done with no HTML programming experience. There are plenty of free and low-cost options to create custom forms. I’ve personally used Wufoo, JotForm, Logiforms, SugarCRM forms, and custom-made forms over the years. Here’s a link to form reviews. It’s a bit dated; however, the table may help to identify what’s important to look for when choosing a form builder.

With a little bit of HTML work, elements of the information filled into the order form can be transferred automatically to the matching payment fields. For budgeting outsourced help, plan on an hour for the programmer to review what to do, which URLs to link to, and the API. Budget another hour to implement and test.

In summary, payments can be securely accepted online with an update to your web site navigation and a single line of HTML linked to a secure hosted pay page. This process is more secure than credit card information exposed on paper, and it provides an easily retrievable record in the event of a dispute, which can occur up to 120 days later. To convert a sales order form to electronic, an online form builder is a low-cost option that saves both merchants and customers time.
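As an added example (not the article’s own code, nor any form builder’s), here is the kind of server-side script the article describes: it screens a submitted order form so that card data typed into the wrong field is never emailed to staff, then builds the hosted pay-page link for the return URL from a short whitelist of non-sensitive fields. The field names, the pay-page URL and the sample submission are assumptions constructed for the demo.

```python
import re
from urllib.parse import urlencode

# Fields the order form may forward to the hosted pay page. Everything else,
# and anything that looks like a card number, stays out of the merchant's own
# email and database, which is what keeps the merchant out of PCI scope.
# The pay-page URL and field names are hypothetical.
PAY_PAGE_URL = "https://pay.example.com/hosted"
FORWARD_FIELDS = ("invoice", "amount", "company", "email")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(value: str) -> bool:
    """True if the value contains a 13-19 digit run (spaces/dashes allowed) that passes Luhn."""
    for run in re.findall(r"\d[\d\s-]{11,21}\d", value):
        digits = re.sub(r"[\s-]", "", run)
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False


def process_order_form(fields: dict) -> dict:
    """Screen a submitted order form before it is emailed to staff.

    Returns the fields that are safe to email plus the hosted pay-page link for
    the return URL. Raises ValueError if card data was typed into the form, so
    a card number never lands in a mailbox.
    """
    for name, value in fields.items():
        if looks_like_pan(str(value)):
            raise ValueError(f"field '{name}' appears to contain a card number; "
                             "card data must be entered only on the hosted pay page")
    forwarded = {k: fields[k] for k in FORWARD_FIELDS if k in fields}
    pay_link = PAY_PAGE_URL + "?" + urlencode(forwarded)
    return {"email_body": fields, "pay_link": pay_link}


# Constructed sample submission (not real customer data).
SAMPLE_ORDER = {"invoice": "INV-1001", "amount": "250.00",
                "company": "Acme Legal LLC", "email": "ap@acme.example",
                "notes": "Ship to main office"}
```

The pay-page link is built from whitelisted fields only, so free-text fields such as notes are emailed to staff but never appear in the URL.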

Disclaimer: The information above does not replace a merchant’s obligation to follow all rules associated with their merchant account, card acceptance guidelines and payment card industry data security standards. Many additional options

For more information about this and other solutions to streamline payment acceptance for your business to business company with card not present customer transactions, contact us.


Retailer Sues Visa Over $13 Million ‘Fine’ after Failing PCI Compliance Standards

Thursday, March 21st, 2013

Genesco, a sports apparel retailer, is fighting back against the arbitrary multi-million-dollar penalties that credit card companies impose on banks and merchants for data breaches by filing a first-of-its-kind $13 million lawsuit against Visa. While specifics are not fully public, the company maintains that it found packet-sniffing software on its network but never uncovered forensic evidence that the hackers actually stole any card data.

http://www.wired.com/threatlevel/2013/03/genesco-sues-visa/

###

CenPOS, a private cloud, hosted-payment processing network, can reduce PCI burden for retailers. Contact us for more information.


Visa Introduces Corporate Franchise Servicer as a New Third Party Agent Category

Tuesday, March 5th, 2013

Interestingly, it’s 2013 and yet a 2010 document related to cardholder data breaches affecting franchise locations is a top-5 rated download at Visa.com. The definition of Corporate Franchise Servicer (CFS), the new Visa third party servicer category, links related to the subject, and commentary are shared below.

Visa determined that data breaches spread quickly among franchises that use a system owned or operated by a corporate franchise organization. Particularly when the franchisor has no role or say in the system used to process, store or transmit payments, they cannot manage PCI DSS (Payment Card Industry Data Security Standard) compliance.

As a result, Visa created a new third party category. From Visa, “A Corporate Franchise Servicer is defined as a corporate entity or franchisor that provides or controls a centralized or hosted network environment irrespective of whether Visa cardholder data is being stored, transmitted or processed through it.” Further, “If PCI DSS-compliant segmentation exists between these assets and the franchisee cardholder data environment, the corporate franchise may be excluded from this requirement.”

Is Your Data Secure? – Published by Multi-Unit Franchise, Issue 2 2011

Visa Classifies Corporate Franchisors As Third-Party Agents - Storefront Backtalk November 11th, 2010

BLOG AUTHOR COMMENTS:

CenPOS is an intelligent payment processing network that streamlines the payment experience for businesses and consumers by using state-of-the-art technology to replace inefficient, outdated payment systems. CenPOS products include a virtual terminal, electronic bill presentment and payment, secure online pay page, and mobile payment applications. Additionally, the Dashboard provides executives insights with hierarchy based organization.

CenPOS reduces the burden of PCI DSS compliance, while also providing transparency and scalability in the franchise environment. Special markets include business to business, automotive, fitness, moving and storage, retail and medical.

Credit card authorization form template

Thursday, February 21st, 2013

Most merchants have printable authorization forms that don’t comply with the basic requirements to protect against disputes or don’t comply with Payment Card Industry Data Security Standards (PCI Compliance) guidelines.
Download this Credit card authorization form template and modify as you wish.

USE AND DISTRIBUTION

This form contains language suitable for businesses where all of these elements apply:

  • business to business
  • card not present – phone, fax, email, or other order (not ecommerce)
  • repeat customers with sales of variable amounts; need to bill customers on an occasional or regular basis for varying purchases
  • sensitive card data is stored via a PCI compliant solution that replaces card data with a ‘token’; the token is then used to charge the card

Card Acceptance Guidelines for Visa Merchants (2012) PDF download from Visa.com

You won’t find a “fax authorization form” in the guidelines, however, there is much information about receipt requirements.

Do you want to empower your customers to pay 24/7 via a secure online pay page? Would you like to reduce your scope for PCI Compliance?

Would you like to eliminate fax authorization forms that expose card data? Contact Christine Speedy at 954-942-0483.

PCI SECURITY STANDARDS COUNCIL RELEASES PCI DSS E-COMMERCE SECURITY GUIDELINES

Wednesday, February 20th, 2013

— PCI Special Interest Group offers guidance to merchants to help secure payments accepted over the Internet—

WAKEFIELD, Mass., January 31, 2013 — Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards, published the PCI DSS E-commerce Guidelines Information Supplement, a product of the E-commerce Security Special Interest Group (SIG). Businesses selling goods and services over the Internet can use this resource as a guide for choosing e-commerce technologies and third-party service providers that will help them secure customer payment data and support PCI DSS compliance efforts.
PCI Special Interest Groups (SIGs) are community-driven initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs.
In 2012, PCI Participating Organizations selected e-commerce security as a key area to address via the SIG process. More than 60 global organizations representing banks, merchants, security assessors and technology vendors collaborated to produce guidance that will help organizations better understand their responsibilities when it comes to PCI DSS; the risks they need to evaluate when considering ecommerce solutions; and how to determine their PCI DSS scope.
“Take SQL injections as an example. This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised,” said Bob Russo, general manager, PCI Security Standards Council. “This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.”
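An added illustration, not part of the press release or the PCI SSC guidance, of the “simple, prudent coding practice” the quote refers to: a product lookup built by string concatenation next to the same lookup with a bound parameter. The in-memory sqlite3 catalogue, SKUs and hidden-item flag are constructed for the demo.

```python
import sqlite3


def _demo_db() -> sqlite3.Connection:
    """In-memory product table standing in for an e-commerce catalogue (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (sku TEXT, name TEXT, price REAL, hidden INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?, ?)", [
        ("A100", "Running shoes", 89.99, 0),
        ("B200", "Internal test item", 0.01, 1),   # must never be shown to shoppers
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, sku: str) -> list:
    """Query built by string concatenation: the coding mistake the guidance warns about.

    Whatever the shopper types becomes part of the SQL, so the hidden-item
    filter can be bypassed by input that alters the WHERE clause.
    """
    sql = "SELECT sku, name FROM products WHERE hidden = 0 AND sku = '" + sku + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, sku: str) -> list:
    """Same query with a bound parameter: input is data, never SQL."""
    sql = "SELECT sku, name FROM products WHERE hidden = 0 AND sku = ?"
    return conn.execute(sql, (sku,)).fetchall()
```

With the parameterised version an odd-looking SKU simply matches nothing, which is the behaviour a merchant should expect from its shopping cart software.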

  • E-commerce Overview – provides merchants and third parties with an explanation of typical e-commerce components and common implementations and outlines high-level PCI DSS scoping guidance to be considered for each.
  • Common Vulnerabilities in E-commerce Environments – educates merchants on vulnerabilities often found in web applications (such as e-commerce shopping carts) so they can emphasize security when developing or choosing e-commerce software and services.
  • Recommendations – provides merchants with best practices to secure their e-commerce environments, as well as a list of recommended industry and PCI SSC resources to leverage in e-commerce security efforts.

The document also includes two appendices to address specific PCI DSS requirements and implementation scenarios:

  • PCI DSS Guidance for E-commerce Environments – provides high-level e-commerce guidance that corresponds to the main categories of PCI DSS requirements; includes a chart to help organizations identify and document which PCI DSS responsibilities are those of the merchant and which are the responsibility of any e-commerce payment processor.
  • Merchant and Third-Party PCI DSS Responsibilities – for outsourced or “hybrid” e-commerce environments, includes a sample checklist that merchants can use to identify which party is responsible for compliance and specify the details on the evidence of compliance.

The information supplement can be downloaded from the documents library on the PCI SSC website at https://www.pcisecuritystandards.org/security_standards/documents.php.
Merchants who use or are considering use of e-commerce technologies in their cardholder data environment, and any third-party service providers that provide e-commerce services, e-commerce products, or hosting/cloud services for merchants can benefit from this guidance. This document may also be of value for assessors reviewing e-commerce environments as part of a PCI DSS assessment.
As with all PCI Council information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.
“E-commerce continues to be a target for attacks on card data, especially with EMV technology helping drive so much of the face-to-face fraud down in Europe and other parts of the world,” said Jeremy King, European director, PCI Security Standards Council. “We are pleased with this guidance that will help merchants and others better understand how to secure this critical environment using the PCI Standards.”
Those interested in learning more about this guidance and how to use it are invited to join the PCI Council for a webinar on February 7 and 14, 2013. Visit the PCI SSC website for more information and to register: https://www.pcisecuritystandards.org/training/webinars.php.
About the PCI Security Standards Council
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has over 600 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit: pcisecuritystandards.org.
Connect with the PCI Council on LinkedIn: http://www.linkedin.com/company/pci-security-standards-council
Join the conversation on Twitter: http://twitter.com/#!/PCISSC

Global Payments Not Certified PCI-DSS Compliant – Breach Costs Reach $94M

Tuesday, January 15th, 2013

Highlights from the Global Payments quarterly report (PDF) released January 8, 2013 reveal that costs related to the 2012 data breach have reached $93.9 million and that additional material costs will be incurred in 2013. The company is still working on PCI DSS certification. It has not yet been put back on the list of PCI DSS compliant service providers; however, the impact on revenue has been “immaterial”.

“As a result of this event, certain card networks removed us from their list of PCI DSS compliant service providers. Our removal from certain networks’ lists of PCI DSS compliant service providers could mean that certain existing customers and other third parties may cease using, referring or selling our products and services. Also, prospective customers and other third parties may choose to delay or choose not to consider us for their processing needs. In addition, the card networks could refuse to allow us to process through their networks. To date, the impact on revenue that we can confirm related to our removal from the lists has been immaterial. Also the impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial. We continue to process transactions worldwide through all of the card networks. We hired a Qualified Security Assessor, or QSA, to conduct an independent review of the PCI DSS compliance of our systems. Our work to remediate our systems and processes is substantially complete. Our QSA is currently evaluating our remediation work. Once the QSA’s evaluation is complete we will work closely with the networks to return to the list of PCI DSS compliant service providers as quickly as possible. Our failure or a delay in returning to the list could have a material adverse effect on our business, financial condition, results of operations and cash flows.”

In addition to the credit card data breach, the “investigation also revealed potential unauthorized access to servers containing personal information collected from merchants who applied for processing services.” Merchant account applications contain information that is highly valuable to identity thieves, including business owner social security numbers and home addresses.

Another potential financial blow is the class action suit related to the ‘intrusion’, as Global Payments refers to the breach. “We have not recorded a loss accrual related to this matter because we have not determined that a loss is probable.”