How to get CVV2 and be PCI Compliant: request a payment

Credit card authorization form pci

Credit card authorization form example is not PCI Compliant.

According to Visa Core Rules, October 2014 page 266, Merchant Must Not Request the Card Verification Value 2 data on any paper Order Form. So how can a merchant get the CVV for card not present customers?  Online payments, request a payment and electronic bill presentment and payment all solve the problem. Below are solutions possible with CenPOS, a merchant centric payment processing platform. Other payment gateways may not have the same functionality.

Online payments, passive:

hosted paypage online payments

  • Secure hosted pay page is managed by the payment gateway so payment data never touches merchant web servers.
  • Customers can store card data for charges to be applied later. In this case, the user registers, creating an account so they can manage payment methods including ACH, credit card and wire. A zero dollar authorization is performed when a credit card is stored, and CVV can be validated. Once validated, it’s never needed again, and therefore is never stored.  A random token ID is generated, which both the cardholder and merchant can see, but neither will ever have access to sensitive data again. The cardholder can also update the expiration date, but if the CVV changes with a future card replacement, then a new token must be created.
  • Customer can make payments for any amount without logging in.

Request a Payment or Electronic Bill Presentment and Payment (EBPP or EIPP), proactive.

  • Reduces accounts receivable friction.

EBPP Electronic Bill Presentment & Payment

  • Non-Integrated – Merchants use the CenPOS EBPP portal to create the payment request, including optional invoice detail. The customer is sent a text and or email with a payment link.
  • Integrated – same as above, except the invoice is sent from accounting or financial software such as ERP.

With EBPP, customers have a portal to pay multiple invoices, view payments, download invoices, and manage payment methods.

At a minimum, merchants with card not present customers should offer online payments as a way to enable customers to securely pay a bill. If a signature is required, have the customer print and sign the receipt, and email that authorization back, which is more valuable than traditional credit card authorization forms.

Need a secure solution but don’t want to change your merchant account? No problem. Contact Christine Speedy for secure, cost effective and efficient solutions.

PCI Compliance: Card Not Present Merchant Quick Checklist

Do you (even occasionally or temporarily) create, receive, or otherwise come to possess any paper records or receipts that contain cardholder data? The number one rule card not present merchants violate is a Merchant Must Not Request the Card Verification Value 2 data on any paper Order Form.

Do you make sure that you NEVER, EVER store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions after authorization (even if encrypted)?

Are strong cryptography and security protocols, such as SSL/TLS, IPSec, or SSH used to safeguard cardholder data during transmission over open, public networks?

For SSL/TLS implementations, does HTTPS appear as part of the browser Universal Record Locator (URL), and is cardholder data required only when HTTPS appears in the URL?

Are policies, procedures, and practices in place to make sure that you NEVER, EVER send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat)?

Do your access limitations require restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities?

Do your access limitations require assignment of privileges to be based on individual personnel’s job classification and function?

Is your security policy established, published, maintained, and disseminated to all relevant personnel (for the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s site cardholder data environment)?

Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security?

Video: PCI Compliant credit card authorization forms

Token billing solves the problem of storing credit card data for recurring billing customers, but that doesn’t fix the merchant problem of replacing credit card authorization forms.

Video Transcript: Meet Mary.  She manages accounts receivable. The problem is credit card security. Customer approval is needed for accounts on file. Image credit card authorization form. But there’s no secure way to store the authorization without also storing the credit card number and security code.

Until now. Introducing 3D Merchant Services. Cloud payment solutions that work with YOUR financial partners. Here’s how it works. Create a token. Image iphone, computer with virtual terminal screen, batch upload, point of sale, and integrated solutions. Anywhere.  Or have customers create and manage their own. Electronic bill presentment and payment, ecommerce, online payments. And then, for every token created, a prefilled form is automatically created! PCI DSS compliant.

Charge cards in seconds. Rocket blasting. ACH? Ditto. Efficient, secure, processor neutral, Level III processing, YES.

Call 3D Merchant Services 954-942-0483 for a demo and free trial.

Author: Christine Speedy. “PCI compliance is virtually impossible without a technology solution.  The right payment gateway selection is critical to merchant success and reduced PCI burden.”

 

CenPOS Completes EMV Certification

emv smart card

Miami, FL (PRWEB) January 5, 2015 CenPOS announced today that it has successfully completed its EMV (Europay, MasterCard & Visa) certification with Visa, American Express, Discover and MasterCard. The Card Association announced in August 2011 its EMV migration plan for the US as well as the benefits of EMV compliance, including a liability shift for merchants. Under the current migration plan, merchants processing 75 percent or more of their transactions captured by EMV terminals will be relieved 100 percent from Account Data Compromise compliance. Merchants that do not migrate to EMV and/or are utilizing providers that are not EMV certified will assume 100 percent of the POS fraud liability and retain 100 percent of the PCI burden and related costs.
Currently, POS fraud in the US is estimated in the billions of dollars annually. CenPOS provides merchants with a unified payment platform, a single solution for businesses regardless of the industry type: Retail, Mail Order, eCommerce with VbyV, Mobility, Recurring Billing and Electronic Bill Presentment and Payment. CenPOS also offers additional services at no additional cost to merchants such as Point-to-Point encryption, tokenization, electronic signature capture and BIN management. As a single point provider the platform drives a myriad of payment types like PayPal, ACH, Remote Deposit Capture, Gift cards, Cash, and the typical debit, credit card transactions.
“We are very pleased to have completed this very important certification well ahead of schedule and ahead of most of the other providers. Our merchants now have a sigh of relief in knowing that they will be EMV ready by the current mandated date of October 1st 2015”, remarked Jorge Fernandez Co-Founder and Chairman of CenPOS. “Under the current Card Association mandates the weakest link in the payment ecosystem will bear 100 percent of the POS fraud liability, which is currently assumed by the card issuing banks. CenPOS merchants can now be early adopters of EMV and avoid the risk of being ‘late to the game’ and possibly not meeting the current deadline,” added Fernandez
About CenPOS: CenPOS’ secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships. For additional information please call 877.630.7960.
### For global sales,  integrations and more information, contact Christine Speedy, 954-942-0483, 8-6 ET. 

You completed PCI Rapid Comply, what’s next?

irst Data pci rapid comply

Screenshot of PCI Rapid Comply by First Data home page

You’ve completed the online forms at PCI Rapid comply, what’s next? By now you already know that PCI is not a quarterly or annual event.

First, If you received notice of noncompliance, print the web page shown above and send to your merchant processor relationship manager to stop recurring non-compliance fees, if applicable.

Next, go to MY DOCUMENTS and download everything. These are starter documents to help you with compliance, but you’ll need to modify and add some information.

pci-rapidcomply-docsFor example, on the incident response form, you’ll need to add the responsible names and contact information.

The security policy should be reviewed and disseminated to all employees that touch payments, and are involved in network security. I recommend HR manage the confirmed receipt as part of employee performance reviews. You may want to create a test to validate employee understanding, and record the date and time of completion to prove compliance.

  • The Risk Management Guide has a number of blanks to fill in. If you have retail transactions, you’ll need to create a monitoring and inspection program, which includes serial numbers and locations of all equipment.
  • Enter network administrator and payment administration on the access control guide. If you’re a CenPOS user, most of this requirement is managed with CenPOS Roles & user management.
  • Maintaining and monitoring your program is a critical component of PCI 3.0. If you don’t currently have a compliance officer, create accountability by assigning someone to ensure monitoring is completed on schedule.

About PCI Rapid Comply: PCI Rapid Comply is a First Data service available to all their merchants. First Data merchants can use this or a third party service of their choice.

About 3D Merchant Services author Christine Speedy: Offers payment gateway and cloud solutions to reduce scope and PCI Compliance burden. No new merchant account is required, however merchant services are available upon request. PCI Rapid Comply is available to merchant clients on select processor platforms, at no additional fee.