Visa Introduces Corporate Franchise Servicer as a New Third Party Agent Category

Interestingly, it’s 2013 and yet a 2010 document related to cardholder data breaches affecting franchise locations is a top 5 rated download at The definition of Corporate Franchise Servicer (CFS) , the new Visa third party servicer category, links related to the subject, and commentary are shared below.

Visa determined that data breaches spread quickly among franchises that use a system owned or operated by the corporate franchise organization. In particular, when the franchisor has no role or say in the system used to process, store or transmit payments, they cannot manage PCI DSS (Payment Card Industry Data Security Standard) compliance.

As a result, Visa created a new third party category. From Visa, “A Corporate Franchise Servicer is defined as a corporate entity or franchisor that provides or controls a centralized or hosted network environment irrespective of whether Visa cardholder data is being stored, transmitted or processed through it.” Further, “If PCI DSS-compliant segmentation exists between these assets and the franchisee cardholder data environment, the corporate franchise may be excluded from this requirement.”

Is Your Data Secure? – Published by Multi-Unit Franchise, Issue 2 2011

Visa Classifies Corporate Franchisors As Third-Party Agents - Storefront Backtalk November 11th, 2010


CenPOS is an intelligent payment processing network that streamlines the payment experience for businesses and consumers by using state-of-the-art technology to replace inefficient, outdated payment systems. CenPOS products include a virtual terminal, electronic bill presentment and payment, a secure online pay page, and mobile payment applications. Additionally, the Dashboard provides executives with insights organized by business hierarchy.

CenPOS reduces the burden of PCI DSS compliance, while also providing transparency and scalability in the franchise environment. Special markets include business to business, automotive, fitness, moving and storage, retail and medical.

3D Merchant Services Powered by CenPOS
2633 NE 26th Ave, Metro South Florida, FL 33064 USA • 954-942-0483

Credit card authorization form template

Most merchants have printable authorization forms that don’t comply with the basic requirements to protect against disputes or don’t comply with Payment Card Industry Data Security Standards (PCI Compliance) guidelines.
Download this Credit card authorization form template and modify as you wish.


This form contains language suitable for businesses where all of these elements apply:

  • business to business
  • card not present – phone, fax, email, or other order (not ecommerce)
  • repeat customers with sales of variable amounts; need to bill customers on an occasional or regular basis for varying purchases
  • sensitive card data is stored via a PCI compliant solution that replaces card data with a ‘token’; the token is then used to charge the card

Card Acceptance Guidelines for Visa Merchants (2012) PDF download from

You won’t find a “fax authorization form” in the guidelines, however, there is much information about receipt requirements.

Do you want to empower your customers to pay 24/7 via a secure pay online page? Would you like to reduce scope for PCI Compliance?

Would you like to eliminate fax authorization forms that expose card data? Contact Christine Speedy at 954-942-0483.


— PCI Special Interest Group offers guidance to merchants to help secure payments accepted over the Internet—

WAKEFIELD, Mass., January 31, 2013 — Today the PCI Security Standards Council (PCI SSC), an open, global forum for the development of payment card security standards published the PCI DSS E-commerce Guidelines Information Supplement, a product of the E-commerce Security Special Interest Group (SIG). Businesses selling goods and services over the Internet can use this resource as a guide for choosing e-commerce technologies and third-party service providers that will help them secure customer payment data and support PCI DSS compliance efforts.
PCI Special Interest Groups (SIGs) are community-driven initiatives that provide additional guidance and clarifications or improvements to the PCI Standards and supporting programs.
In 2012, PCI Participating Organizations selected e-commerce security as a key area to address via the SIG process. More than 60 global organizations representing banks, merchants, security assessors and technology vendors collaborated to produce guidance that will help organizations better understand their responsibilities when it comes to PCI DSS; the risks they need to evaluate when considering ecommerce solutions; and how to determine their PCI DSS scope.
“Take SQL injections as an example. This is not a new attack, and something we’ve known about in the industry for years. Yet it continues to be one of the most common methods by which e-commerce websites are compromised,” said Bob Russo, general manager, PCI Security Standards Council. “This can be addressed through simple, prudent coding practices, but merchants often don’t know where to start. These guidelines will help them better understand their responsibilities and the kinds of questions they need to ask of their service providers. In the case of SQL injections, one of the most important items to request of an e-commerce service provider is a description of the security controls and methods it has in place to protect websites against these vulnerabilities.”
The PCI DSS E-commerce Guidelines Information Supplement provides an introduction to e-commerce security and guidance around the following primary areas and objectives:

  • E-commerce Overview – provides merchants and third parties with an explanation of typical e-commerce components and common implementations, and outlines high-level PCI DSS scoping guidance to be considered for each.
  • Common Vulnerabilities in E-commerce Environments – educates merchants on vulnerabilities often found in web applications (such as e-commerce shopping carts) so they can emphasize security when developing or choosing e-commerce software and services.
  • Recommendations – provides merchants with best practices to secure their e-commerce environments, as well as a list of recommended industry and PCI SSC resources to leverage in e-commerce security efforts.

The document also includes two appendices to address specific PCI DSS requirements and implementation scenarios:

  • PCI DSS Guidance for E-commerce Environments – provides high-level e-commerce guidance that corresponds to the main categories of PCI DSS requirements; includes a chart to help organizations identify and document which PCI DSS responsibilities are those of the merchant and which are the responsibility of any e-commerce payment processor.
  • Merchant and Third-Party PCI DSS Responsibilities – for outsourced or “hybrid” e-commerce environments, includes a sample checklist that merchants can use to identify which party is responsible for compliance and specify the details on the evidence of compliance.

The information supplement can be downloaded from the documents library on the PCI SSC website at
Merchants who use or are considering use of e-commerce technologies in their cardholder data environment, and any third-party service providers that provide e-commerce services, e-commerce products, or hosting/cloud services for merchants can benefit from this guidance. This document may also be of value for assessors reviewing e-commerce environments as part of a PCI DSS assessment.
As with all PCI Council information supplements, the guidance provided in this document is supplemental and does not supersede or replace any PCI DSS requirements.
“E-commerce continues to be a target for attacks on card data, especially with EMV technology helping drive so much of the face-to-face fraud down in Europe and other parts of the world,” said Jeremy King, European director, PCI Security Standards Council. “We are pleased with this guidance that will help merchants and others better understand how to secure this critical environment using the PCI Standards.”
Those interested in learning more about this guidance and how to use it are invited to join the PCI Council for a webinar on February 7 and 14, 2013. Visit the PCI SSC website for more information and to register:
About the PCI Security Standards Council
The PCI Security Standards Council is an open global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security. Founded in 2006 by the major payment card brands American Express, Discover Financial Services, JCB International, MasterCard Worldwide and Visa Inc., the Council has over 600 Participating Organizations representing merchants, banks, processors and vendors worldwide. To learn more about playing a part in securing payment card data globally, please visit:
Connect with the PCI Council on LinkedIn and join the conversation on Twitter: @PCISSC

Global Payments Not Certified PCI-DSS Compliant – Breach Costs Reach $94M

Highlights from the Global Payments quarterly report released January 8, 2013 reveal that costs related to the 2012 data breach have reached 93.9 million, and that additional material costs will be incurred in 2013. The company is still working on PCI DSS certification. It has not yet been put back on the list of PCI DSS compliant service providers; however, the impact on revenue has been “immaterial”.

“As a result of this event, certain card networks removed us from their list of PCI DSS compliant service providers. Our removal from certain networks’ lists of PCI DSS compliant service providers could mean that certain existing customers and other third parties may cease using, referring or selling our products and services. Also, prospective customers and other third parties may choose to delay or choose not to consider us for their processing needs. In addition, the card networks could refuse to allow us to process through their networks. To date, the impact on revenue that we can confirm related to our removal from the lists has been immaterial. Also the impact on revenue of customers or other third parties who have failed to renew, terminated negotiations, or informed us they are not considering us at all, where we can confirm it is related to our removal from the lists, has been immaterial. We continue to process transactions worldwide through all of the card networks. We hired a Qualified Security Assessor, or QSA, to conduct an independent review of the PCI DSS compliance of our systems. Our work to remediate our systems and processes is substantially complete. Our QSA is currently evaluating our remediation work. Once the QSA’s evaluation is complete we will work closely with the networks to return to the list of PCI DSS compliant service providers as quickly as possible. Our failure or a delay in returning to the list could have a material adverse effect on our business, financial condition, results of operations and cash flows.”

In addition to the credit card data breach, the “investigation also revealed potential unauthorized access to servers containing personal information collected from merchants who applied for processing services.” Merchant account applications contain information that is valuable to identity thieves, including business owner social security numbers and home addresses.

Another potential financial blow is the class action suit related to the ‘intrusion’, as Global Payments has termed the breach. “We have not recorded a loss accrual related to this matter because we have not determined that a loss is probable.”

iPad Mobile payments- important security notice

With a proliferation of newcomers to the market, merchants need to be aware of potential mobile payments security problems. The PCI Security Standards Council recently released new standards for developers as well as guidelines for merchants. One important aspect to ask questions about is ‘store and forward’.

If the mobile application lets you accept credit cards when you cannot connect to the internet, the card data clearly resides on the device, which creates a potential security risk. This issue is addressed in a new Best Practice for Mobile Payments Developers released by the PCI Security Standards Council. Who can access the card information while it is pending presentment to your processor for authorization? In what format does that data reside on the device? Even if the user cannot access it, could malware on the device access the data?

Editor’s note: Our CenPOS iPad mobile app does not support store on device and forward for presentment later. Merchants must have access to an internet connection. There are multiple options should you need to store payment data with that live connection:

  1. Zero dollar auth- validate the card only, and store data for later billing.
  2. Auth- Get an authorization for a specific sale, but don’t charge yet; store data for later billing.
  3. Repeat sale- Process transaction now, and store payment information for future billing.

In each case above, the credit card information is encrypted and replaced by a random alphanumeric string, or ‘token’. The encrypted payment information can never be seen again.
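As an added illustration of the card-on-file tokenization described above (and of the token-based replacement for fax forms discussed later on this page), here is a constructed example; it is not CenPOS code or the platform's real API. The vault is an in-memory stand-in (a real vault sits at the processor and encrypts the PAN at rest), the card number is the well-known Luhn-valid test number 4111 1111 1111 1111, and the scope check shows that nothing the merchant stores contains a full card number.

```python
import re
import secrets

def luhn_ok(pan):
    """Mod-10 check used to validate a card number before tokenizing it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

class TokenVault:
    """Constructed stand-in for the processor's token vault (assumption: in a
    real deployment the PAN is encrypted at rest and the merchant never sees it)."""

    def __init__(self):
        self._store = {}  # token -> PAN; this map exists only inside the vault

    def tokenize(self, pan):
        if not luhn_ok(pan):
            raise ValueError("card number fails Luhn check")
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from PAN
        self._store[token] = pan
        return token

    def detokenize(self, token):
        return self._store[token]

def card_on_file(vault, pan, exp):
    """Zero-dollar-auth style: validate the card, keep only token + masked PAN."""
    token = vault.tokenize(pan)
    return {"token": token, "masked": "*" * (len(pan) - 4) + pan[-4:], "exp": exp}

def charge_on_file(vault, record, amount_cents):
    """Repeat sale: merchant submits the token; only the vault resolves the PAN."""
    pan = vault.detokenize(record["token"])
    return {"amount": amount_cents, "approved": luhn_ok(pan),
            "receipt_indicator": "recurring", "card": record["masked"]}

PAN_RE = re.compile(r"\d{13,19}")

def leaks_pan(record):
    """Scope check: does anything the merchant stores look like a full PAN?"""
    return any(PAN_RE.search(str(v)) for v in record.values())

SAMPLE_PAN = "4111111111111111"  # constructed: well-known test number, not a real card
```

A merchant database that holds only `token`, `masked` and `exp` is useless to a thief without the vault, which is what keeps the stored-card records out of PCI DSS scope.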
Accepting Mobile Payments with a Smartphone or Tablet (PDF download from PCI Security Standards Council)

For additional information about mobile payments solutions, please contact Christine.

What is a Visa compliant credit card authorization form?

Do you accept fax order forms from your customers? Are you a business to business company needing to store credit card data on file for recurring billing of variable amounts? The typical fax authorization form does not meet Visa requirements.

Card Acceptance Guidelines for Visa Merchants (2012) PDF download from

You won’t find a “fax authorization form” in the guidelines, however, there is much information about receipt requirements.

Transaction Receipt Requirements are referenced on page 495 and Recurring Transactions starts on page 585. The guidelines vary depending on whether your recurring billing order comes from an ecommerce or other method.

Sample of a receipt for a sale from a stored card transaction:

[Image: sample compliant recurring sale receipt]

A fax order form for a one time purchase should comply with the standard receipt requirements. The invoice detail is generally accepted on a separate page for B2B; the invoice number should be on the receipt.

A recurring billing order form should comply with the recurring rules and standard receipt requirements.

Chargeback prevention tips for business to business, card not present:

  • Deliver a receipt via email to the cardholder immediately upon charging the card. If there is going to be a dispute, resolve the issue quickly.
  • Send an invoice detail.
  • Use EBPP (electronic bill presentment and payment). If you send an electronic invoice to the cardholder and they click and pay, it’s pretty hard to dispute that someone else ordered the items.
  • Bill to and ship to addresses should match unless you have something in writing from the cardholder that they authorize shipping to another address.
  • Get a signed recurring billing authorization form if you’re storing card data.
  • Make sure your receipts have ‘recurring’ or ‘repeat sale’ for recurring billing.
Sample of a stored-card authorization-to-pay form that replaces a fax form:

[Image: sample compliant fax authorization form]

There are too many variables to address all the options for a compliant fax authorization form in this article. For PCI DSS compliance, we recommend you replace all traditional forms that expose credit card or check data with one that references tokens: alphanumeric strings that stand in for the card data and are useless outside your payment processing system, even if stolen.

CenPOS is a universal payment processing platform that provides efficiencies for merchants and their customers, reduces PCI DSS compliance burden, and many other benefits.


CenPOS is sold through direct agents and resellers. There is also a referral program. Click here to become a CenPOS agent, reseller, or referral partner. Click here to become a customer or call the hotline at the top of this web page.