Delay in Compliance Action for Visa Stored Credential Framework

From the Visa Merchant Business News Digest, October 17, 2017.

In the 1 September 2016 edition of the Visa Business News, Visa introduced new rules related to credential-on-file transactions, including merchant disclosure requirements and transaction identifier requirements went into effect for merchants and acquirers on 14 October 2017.

However, based on stakeholder feedback, and after assessing market readiness and taking into account the holiday season system freeze, Visa will extend the time to make the necessary system changes until 30 April 2018.

While the rule is still effective as of 14 October 2017, Visa will not take any compliance action or assess non-compliance assessments to non-compliant entities prior to 30 April 2018. Entities that comply with the rule by 30 April 2018 will not be required to submit a waiver request to Visa.

https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html

End Visa bulletin.

The stored credential framework applies to all merchants that store credit cards. Note, while some stakeholders were not ready as per the above statements, CenPOS was. CenPOS replaces other payment gateways, for example authorize.net, as well as solutions such as BillTrust, while enabling customers to keep their acquirers and other partners.

Christine Speedy, CenPOS authorized reseller, 954-942-0483. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

Magento Developer Alert: Visa Mandate and Payment Gateways

How can Magento developers help merchants get compliant with the Visa Stored Credential Transaction framework and mandates effective October 14, 2017?

Drive your profits while helping clients keep compliant with fast changing credit card processing rules.

Step by step guide:

How will clients manage consent record requirements? See Improving Authorization Management for Transactions with Stored Credentials https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf . Will gateway provide a checkbox for consent records and ability to retrieve records on demand? (I called authorize.net on October 2 and they advised they will not offer this service, and will leave up to merchants.) Will you develop a custom application to include opt-in date, time and other requirements, plus storage and retrieval capability? Will you advise merchants to choose a technology solution, including payment gateway, that will manage automatically?  CenPOS, a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement will provide an automated solution for clients. Contact me for the plugin.

Update terms and conditions. Ensure online order terms include sale, refund and cancellation policies. Add a checkbox for customer opt-in to terms, including online payments. CenPOS has an opt-in box and you can customize the text.

Verify if there’s a system to manage authorization validity. What the heck does that mean? Many businesses, especially B2B companies, have complex needs including pre-authorizations, incremental authorizations, delayed shipping etc. While merchants may get issuer approvals, that doesn’t mean the authorization is valid. The two most common rules businesses struggle with are “Settlement within 72 hours” for card not present sales, and “Authorization amount and settlement amount must be equal”. (I asked authorize.net support about both items on October 2 and was told they do not offer automated solution.) CenPOS automates compliance. Other payment gateways are incapable or may leave it up to developers to create a solution. How can a developer verify if merchant has an issue? Ask clients to look at their merchant statement ‘pending interchange fees. If you see EIRF or STD, that’s a red flag there’s a problem.

Create a hosted pay page. B2B Businesses almost always have more than one sales channel and use of paper credit card authorization forms is common. They need help to eliminate. You already have the SSL certificate, so it’s a natural add on to provide clients a secure web page with an iframe a solution to collect payments. With CenPOS, end customers can use the same stored credential in Magento and the pay page, both credit card and ACH. hosted online pay pagePrevent brute force attacks. System hardening is a PCI compliance requirement. See Visa best practices to prevent brute force attacks. https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html. CenPOS includes recaptcha and client managed velocity and other rules as part of a layered security approach.

Payment Gateway checklist:

  • Verify payment gateway will send correct transaction data and flags for the initial transaction and subsequent transactions.
  • Advise clients to set gateway for zero dollar authorization when storing a new card.
  • Ensure client is registered for 3-D Secure and it’s enabled.
  • Confirm if gateway will automatically flag a transaction as customer initiated stored credential or merchant initiated stored credential (automated recurring billing). Additionally, the merchant initiated transaction must be sent with the MOTO indicator, not ecommerce.
  • Does gateway support level 3 data?

CenPOS manages all compliance and other items seamlessly in the background.

Communicate with clients. Advise any upcoming changes will increase efficiency and security for everyone. Advise clients to learn more about CenPOS payment gateway – call Christine Speedy, 954-815-6040.

Why comply? With full compliance and following my recommendations, merchants can expect better qualified interchange rates, increased approvals (avoid declines based on issuer risk averse algorithms), reduced PCI Compliance burden, fraud liability shift to issuer and increased efficiency for both buyer and seller. The cost of non-compliance is hefty, including higher interchange rates, penalty fees, and risk of both issuer and cardholder chargebacks.

interchange rate qualification

The same transaction can process at different rates as shown above, depending on which rules you follow. CenPOS Smart Rate Selector automates compliance to qualify transactions at the lowest rate possible. Which rates are on your merchant statement now?

Magento developer billing: Developers also need to comply with recurring billing requirements for your sales. What’s worked before is not compliant- everyone needs to change.

Resources and documentation http://3dmerchant.com/blog/merchant-bulletins-downloads – bookmark it!.  Join Christine Speedy’s email list.

DISCLAIMER: condensed and incomplete information! Information may be quickly outdated.

With the fast pace of changing rules, developers need a technology partner to automate compliance. Did you know?

  • For those not ready to give up paper, CenPOS creates a printable PCI Compliant credit card authorization form for every stored card.
  • CenPOS has ERP, ecommerce shopping cart, accounting and other plug-in modules available for quick and easy implementation.
  • I’ve been selling for CenPOS since day 1. Though I have other payment gateways available in my arsenal, nothing else compares for meeting business to business needs.

Christine Speedy, CenPOS authorized reseller, 954-942-0483 is based out of South Florida and NY. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

Installment Prepayments Credit Card Processing Rules Change 2017

Installment prepayment credit card processing rules change effective October 2017 will impact business profits and chargeback risk. Everyone in the payment ecosystem has or will need to make changes to comply, including acquirer, issuer, payment gateway, merchant, and sometimes software solution.

payment gateway SaaS recurringInstallment prepayment credit card processing best practices:

  • When capturing card data to create a random token replacing sensitive data for the first time, perform an Account Number Verification Transaction via a Zero Dollar Authorization. There’s a payment gateway procedure, including using specific transaction indicator, for this. If the solution you’re using performs a $1 authorization, often with a void or reversal after, that’s because the payment gateway, and or the implementation, are out of date and don’t support current requirements. Ask how yours works and contact us for help now if you cannot do a zero dollar authorization!
  • Payment gateway to identify all future transactions after storing:

With an indicator that shows that the Transaction is using a Stored Credential
– With the Transaction Identifier of the initial Transaction.

  • The sales receipt must include phrase “recurring transaction”
  • A convenience fee cannot be charged on an Installment Transaction.
  • Transactions cannot be key entered into desktop terminals; a cloud based payment gateway is required

Guidelines and rules vary by card brand, business type and many other factors. Additionally, the rules are complicated. This article may oversimplify such complexities. Merchants are advised to use tools, including intelligent payment gateways, to help comply automatically to maximize profits and mitigate risk.

Reference: For example, read Visa Stored Credential Transaction Mandates and also Visa Core RulesTable 5-21: Requirements for Prepayments and Transactions Using Stored Credentials.

Before selecting a payment gateway for installments, ask these questions:

  • How will it help with new Visa Stored Credential Mandates compliance?
  • Does it support 3-D Secure cardholder authentication, for customer initiated payment?
  • What type of digital record is created at the time of customer opt-in to terms, how is it retrieved, and how long is it retained?
  • Does it support Zero Dollar Authorization?
  • Does the receipt dynamically change based on type of transaction, i.e. cash, credit card single payment, installment payment etc.
  • Does it level 3 processing for commercial cards (if applicable to business type)?
  • If I change banks or payment processors, how will it affect my customers? My business?

TIP: An easy starting point to reduce the list of options is to ask any payment gateway what type of digital record is created at the time of creating an installment agreement, and how will you access it? Need help to get compliant? Contact Christine Speedy to learn more about solutions for your business that are quick and easy to adopt, increasing efficiency and growing profits virtually overnight.

Visa Stored Credential Transaction Mandates 2017

Whether you use token billing or have been considering it, all businesses storing credit cards are impacted by Visa rules updates. Visa has published multiple updates about requirements for its Stored Credential Transaction framework, including mandates to identify initial storage and subsequent usage of payment credentials.

If your business stores credit cards, including a 3rd party payment gateway or any software, you’re impacted. Merchants should not assume that any software or technology in their payment processing ecosystem is automatically updated and compliant. To the contrary, there are specific items that merchants will need to take action to implement. Now is the time to learn more and make a plan. While some businesses were impacted in April, most have until October 14, 2017 to comply.

Visit the Visa USA web site for more information; Visa Merchant Business News Digest. PDF download: Advance Copy of Rules for Stored Credential Transaction Framework REGIONS: US, AP, Canada, CEMEA, LAC, Europe, 15 JUN 2017.

##

TIP: All card brands have their own spin but frequently have similar rules. Need help to get compliant? Contact Christine Speedy to learn more about solutions for your business that are quick and easy to adopt, increasing efficiency and growing profits virtually overnight.

What is Auth Code 14, declined?

A credit card processing response of Auth Code 14, is a decline for Processor Declined, Fraud Suspected. Why does this happens for recurring billing, including unscheduled recurring billing using a stored credential, also known as a token on file? The method used to store the first transaction, and process subsequent transactions can impact authorization approvals.

For example, a merchant has successfully processed unscheduled transactions using a token on file since 2016. However, in 2017, declined for Auth Code 14 appeared.

auth code decline 14

Why would a previously stored and working card decline now? Look at the AVS,  ZIP, and CVV response above. Compare to the example below.

token billing

For the second receipt, AVS match Y= address and 5 digit zip match, Zip match Y=Address and 5 digit zip match, CVV = match X, cannot verify CVV. Because CVV was verified a match on the initial zero dollar authorization it’s not required to be presented on subsequent transactions.

The first example is returning that information does not match, thus the reason for suspected fraud. Without looking at the very first authorization when token was created, several possibilities exist, including  cardholder issued a new chip card with same number but other changes occurred in the interim; cardholder address changed or was never validated.

Merchants are at risk of issuer initiated chargeback if authorization rules are not followed. Refer to  Visa Product and Service Rules, Table 5-21: Requirements for Prepayments and Transactions Using Stored Credentials for more information. With recent rules changes, and more coming October 2017, merchants need a cloud based solution that can automate compliance. Not all of them have that intelligence. For example, some cloud based payment gateways enable merchants to perform prohibited transaction requests that put the authorization at risk of chargeback for non-compliance.

Due to many recent and upcoming changes for card absent and recurring billing with stored credentials, merchants are advised to review processes to include empowering customers to self-manage adding cards on file, and using cardholder authentication. Visa requires Verified by Visa for cardholder authentication in a card not present environment; without it, expect increasing declines.

Disclaimer: The rules of card acceptance are very complex and change typically twice a year, sometimes with interim bulletins regarding more changes. Merchants should read the manual for complete details regarding card acceptance for your business type.

Christine Speedy, authorized CenPOS reseller, provides universal payment processing solutions, including cardholder authentication, to maximize merchant profits and mitigate risk across multiple sales channels. Contact Christine at 954-942-0483.