What is Auth Code 14, declined?

A credit card processing response of Auth Code 14, is a decline for Processor Declined, Fraud Suspected. Why does this happens for recurring billing, including unscheduled recurring billing using a stored credential, also known as a token on file? The method used to store the first transaction, and process subsequent transactions can impact authorization approvals.

For example, a merchant has successfully processed unscheduled transactions using a token on file since 2016. However, in 2017, declined for Auth Code 14 appeared.

auth code decline 14

Why would a previously stored and working card decline now? Look at the AVS,  ZIP, and CVV response above. Compare to the example below.

token billing

For the second receipt, AVS match Y= address and 5 digit zip match, Zip match Y=Address and 5 digit zip match, CVV = match X, cannot verify CVV. Because CVV was verified a match on the initial zero dollar authorization it’s not required to be presented on subsequent transactions.

The first example is returning that information does not match, thus the reason for suspected fraud. Without looking at the very first authorization when token was created, several possibilities exist, including  cardholder issued a new chip card with same number but other changes occurred in the interim; cardholder address changed or was never validated.

Merchants are at risk of issuer initiated chargeback if authorization rules are not followed. Refer to  Visa Product and Service Rules, Table 5-21: Requirements for Prepayments and Transactions Using Stored Credentials for more information. With recent rules changes, and more coming October 2017, merchants need a cloud based solution that can automate compliance. Not all of them have that intelligence. For example, some cloud based payment gateways enable merchants to perform prohibited transaction requests that put the authorization at risk of chargeback for non-compliance.

Due to many recent and upcoming changes for card absent and recurring billing with stored credentials, merchants are advised to review processes to include empowering customers to self-manage adding cards on file, and using cardholder authentication. Visa requires Verified by Visa for cardholder authentication in a card not present environment; without it, expect increasing declines.

Disclaimer: The rules of card acceptance are very complex and change typically twice a year, sometimes with interim bulletins regarding more changes. Merchants should read the manual for complete details regarding card acceptance for your business type.

Christine Speedy, authorized CenPOS reseller, provides universal payment processing solutions, including cardholder authentication, to maximize merchant profits and mitigate risk across multiple sales channels. Contact Christine at 954-942-0483. 

Card Not Present Token Billing Best Practice & CenPOS Training

Ready to improve PCI Compliance with token billing? Step by step instructions for CenPOS card not present token billing including creating, modifying, and using tokens follows.

  1. In the virtual terminal admin, Create a new Role* or Modify an existing role to include token billing permissions, only for what the user is allowed to do. For example, if you employees are allowed to create tokens, but not conduct sales, check the Manage Token and Positive Card only.

    token billing roles

    Virtual Terminal administration- Partial list of permission options; token billing related items are checked

  2. Are email receipts available now? If no, send an email request to support via link on the virtual terminal login page. In the subject put: “your CenPOS MID” email receipt request. In the body, include all your contact info, the MID, and what email address you want receipts to come from.
  3. Prepare training worksheet for distribution
  4. Distribute Self-paced training checklist (10 minutes to complete) to all users
  5. Get documentation of all training- who, what, when. It may be useful as part of an overall PCI Compliance (Payment Card Industry Data Security Standards) plan to comply with section 12, Maintain an Information Security Policy.
  6. Assign users to the new roles with return of documentation
  7. If there’s any legacy cardholder data on file, plan it’s secure destruction

References: Token Billing Training Videos

*See CenPOS Virtual Terminal Manual for details on using Role Templates.

A sample document, created by Christine Speedy,  for training and documentation is available upon request.

Can you recommend a PCI Compliant policy for storing credit cards?

Distributors and manufacturers can overcome PCI Compliance issues with better awareness of rules, and cost efficient solutions to ease PCI burden. A review of key problems and solutions will help companies with internal credit card authorization and storage policies. For credit card processing, a virtual terminal or integrated gateway, is the only cost efficient and secure option for these business types.

It’s never Ok to store credit card forms that have the CVV2, or security code, on them. It’s also never Ok to store CVV2 electronically in any format, encrypted or not. This is both a card acceptance and PCI Compliance 3.0, section 3 Protect Cardholder Data, problem. For any recurring charges, including variable, merchants only need to validate the CVV one time for a fraud check, and then never again. This is easily accomplished with a zero dollar authorization, however not all gateways support this feature.

The best paper credit card authorization form, is one that doesn’t have full card data, or better yet, doesn’t exist at all. If sales reps in the field are getting card numbers to be charged later, consider a mobile payment app that let’s them swipe and create a token, using a P2P encrypted reader. That way card data is never exposed at any point in time. Instead of getting card numbers over the phone, empower customers to self pay or store card data using online payment solutions, including either a hosted online pay page or electronic bill presentment and payment (EBPP). Use this to also eliminate credit card data in emails, which is another PCI Compliance problem.

Need to keep a card stored on file that you initiate charges on? It’s indefensible with today’s technology to have credit card data on paper, and it’s risky to use your own encrypted media. Tokenization, a payment gateway service for merchants to remove sensitive data from their environments, is the best practice for security and PCI Compliance.

Some businesses want a signature on file. A sales receipt is generated with almost any online payment solution and merchants can require a customer to print and sign it, or to simply forward the email receipt from company email address with typed name approving it. For recurring billing, choose a payment gateway that generates a PCI Compliant recurring billing authorization form. They’re useless if stolen, and contain all the right language for credit card authorization. It should be supplemented by a signed document with your own custom business terms and conditions, and limitations for duration and maximum charge amounts allowed. Merchants might also get a signed sales order with all terms and conditions, plus the token ID the customer has agreed you’ll charge to.

Third-party credit card authorization doesn’t exist as far as card issuers are concerned. It’s specifically written in the cardholder terms that they cannot allow any third party to use their card. Any form a merchant creates authorizing other parties is at risk for future disputes. The merchant can eliminate the risk by having the company issue purchasing cards for each buyer, or mitigate risk by sending the sales receipt automatically to the cardholder and asking the buyer to confirm receipt per T’s & C’s.

A huge problem is managing old stored data created prior to new PCI Compliance rules. The reality is, the merchant is not PCI Compliant as long as the old stuff exists. That likely means someone will need to be assigned to identify all the past ways that credit card numbers were captured. For electronic, IT will need to get involved to securely remove old data. There are tools to search emails and servers for card data as well.

PCI 3.0, in effect now, requires merchants not only are PCI compliant at a point in time, but that there’s a plan in place for monitoring and inspecting. Whoever is cleaning up the old problems should document who, what, where, how and when activities were identified and or completed, and continually add this to the master PCI file.

References:

Payment Card Industry (PCI) Data Security Standard, v3.1, pg 36 CVV
Visa Core Rules, October 2014 page 266, Merchant Must Not Request the Card Verification Value 2 data on any paper Order Form

 

Balancing card not present risk with customer convenience

Accepting credit cards for card not present customers can be risky, and merchants have long sought solutions to protect themselves from future disputes. The problem is most of those methods are PCI Compliance nightmares, often storing card data in the clear on paper credit card authorization forms. Enabling customers to self pay is one way to mitigate risk.

HOSTED PAY PAGE – ONLINE PAYMENTS

accept payments onlineWith a hosted pay page solution, customers are directed to a secure web page. The ‘host web server’ is the payment gateway, thus reducing merchant PCI Compliance burden. Gateways have different fraud tools for merchants, beyond the usual address and CVV security verification. Examples of hosted pay page solutions:

  1. Link to custom payment processor URL (First Data)
  2. Embedded payment object on merchant web page; the merchant should have an SSL certificate, even though the payment object itself is on a different server. This is usually achieved with an iframe. (CenPOS)
  3. Link to a custom payment gateway URL (CenPOS); this provides continuity when merchants change processors

ELECTRONIC BILL PRESENTMENT & PAYMENT (EBPP)

EBPP Electronic Bill Presentment & PaymentCustomers are sent an electronic invoice, which they can pay remotely. Both merchants and customers have a portal to manage various functions. EBPP used to be costly, upwards of $100,000, but now, there’s solutions for all price ranges based on merchant needs. Examples of EBPP solutions:

  1. Standalone– merchants login to a web based portal and generate an invoice which is delivered electronically to customers. (Paypal, CenPOS)
  2. Integrated, accounting software managed – customers receive electronic invoices with data originating from accounting, ERP, or other software, and the ERP managing the delivery of the invoice, reminders etc (Quickbooks & Intuit merchant services, ERP/CenPOS).
  3. Integrated, gateway managed – customers receive electronic invoices with data originating from accounting, ERP, or other software (Quickbooks & Intuit merchant services, Quickbooks & 3rd party gateway integration/ any merchant account), and the gateway managing the delivery of the invoice, collection reminders etc.

EBPP BENEFITS VS HOSTED PAY PAGE

  • Pushes out to customer- less friction to complete the payment and or sale
  • Reduce risk with additional evidence trail for dispute defense; records of invoice delivery and customer opted to pay strengthen defense; card brand rules include chargeback protection without a signature if bill to address matches the company address and the employee email address was used. (See Visa Merchant Rules for details)
  • Automated reminders if they don’t pay (solutions vary widely how this works)
  • Customer visibility to credit outstanding; ability to self-free up credit to buy more
  • Reduced calls to accounts receivable for questions about what invoices are outstanding

HOSTED PAY PAGE & EBBP VENDOR SELECTION

There are wide differences in payment gateways, and the related solutions. The best solution varies depending on the business type.

Critical needs for business to business:

  • Level III processing supported for all payment channels
  • Collections automation
  • Flexibility – the average merchant changes processors every three years; choose a gateway independent of the processor to avoid business disruptions
  • 3 D Secure (Vbyv and MasterCard Secure) – card not present fraud is expected to rise dramatically with US EMV adoption
  • Tokenization – empower customers to self store and manage payment methods
  • Card Updater – if applicable for recurring service

CenPOS is a merchant centric, end to end payment engine that meets all omnichannel and critical business to business needs. For sales and integrations, contact Christine Speedy 954-942-0483.