6 Ways To Increase Omnichannel Payment Security & PCI Compliance

Chip card acceptance has propelled companies to rethink how EMV compliance impacts overall PCI Compliance strategies. According to the Verizon 2015 PCI COMPLIANCE REPORT, 80% of companies fail an interim Payment Card Industry Data Security Standards (PCI-DSS) audit. CenPOS deploys multiple cloud solutions to reduce data security risk, and comply with EMV, while meeting top business priorities like improving customer engagement and the customer experience.

Point-to-Point Encryption (P2PE) – Working with Verifone and Ingenico, CenPOS Enterprise Payments Suite encrypts card data at the point of card swipe or insertion to prevent clear text information from traversing the network thereby protecting data in transit.

Electronic Bill Presentment and Payment (EBPP) – Key entering cardholder data into a computer without the use on an encrypting keypad introduces vulnerabilities that can be exploited by key logging malware.  EBPP allows you to push final invoices to consumer mobile devices via text and email so that they can complete the transaction—eliminating your staff’s need to enter data and reducing vulnerabilities.

Consumer Validation – As chip cards proliferate the United States, counterfeit card fraud rapidly migrates to online channels.  CenPOS Consumer Validation shifts risk to the consumer’s bank, reduces acceptance costs, and increases the approval rate for higher sales.

Chip Card Acceptance (EMV) – The deadline to avoid shifting liability associated with EMV acceptance was October 1, 2015.  Chip card transactions processed using legacy magnetic stripes could result in a chargeback to the merchant with no possibility of reversal.  CenPOS has certified the Verifone MX915 to all processing platforms to protect businesses from the liability shift. CenPOS has been processing chip transactions on multi-lane terminals since January 2015.

Tokenization – Sensitive cardholder data is replaced by a surrogate number, called a token, that eliminates the risk of storing customer information on internal systems.  Subsequent transactions and adjustments can be processed safely using the token to facilitate a transaction.  This service is automatically deployed.  Any attempt to store sensitive cardholder data evokes the tokenization system.

Encrypted Virtual Keypad (EVK) – In some instances, it is desirable to manually enter cardholder information into a system.  The CenPOS EVK uses advanced technology to secure data entry by clicking the numbers on an encrypted screen-based keypad.

encrypted virtual keyboard evk cenpos

The combination of these solutions reduces the risk of data loss along with the financial and brand damage associated with security breaches. Additionally, merchants also benefit from increased efficiency, cash flow and EBITDA.

Contact Christine Speedy for P2PE, EBPP, EMV and Customer Validation options, including integrated solutions,

Card Not Present Token Billing Best Practice & CenPOS Training

Ready to improve PCI Compliance with token billing? Step by step instructions for CenPOS card not present token billing including creating, modifying, and using tokens follows.

  1. In the virtual terminal admin, Create a new Role* or Modify an existing role to include token billing permissions, only for what the user is allowed to do. For example, if you employees are allowed to create tokens, but not conduct sales, check the Manage Token and Positive Card only.

    token billing roles

    Virtual Terminal administration- Partial list of permission options; token billing related items are checked

  2. Are email receipts available now? If no, send an email request to support via link on the virtual terminal login page. In the subject put: “your CenPOS MID” email receipt request. In the body, include all your contact info, the MID, and what email address you want receipts to come from.
  3. Prepare training worksheet for distribution
  4. Distribute Self-paced training checklist (10 minutes to complete) to all users
  5. Get documentation of all training- who, what, when. It may be useful as part of an overall PCI Compliance (Payment Card Industry Data Security Standards) plan to comply with section 12, Maintain an Information Security Policy.
  6. Assign users to the new roles with return of documentation
  7. If there’s any legacy cardholder data on file, plan it’s secure destruction

References: Token Billing Training Videos

*See CenPOS Virtual Terminal Manual for details on using Role Templates.

A sample document, created by Christine Speedy,  for training and documentation is available upon request.

4 Credit Card Processing Tips for Consultants & Accountants

profits Following several years of regulatory and technology credit card processing changes, 2015 has been another big year of changes. As we close out 2015, what are you advising clients to maximize profits? Every consultant to distributors, especially for building materials, including lumber and millwork, electrical, marble & stone, and plumbing supply, needs to update their merchant services knowledge. These businesses tend to have both a retail and a ‘to the trade’ component, making old solutions potentially outdated, risky, and costly.

  1. EMV liability shift October 2015, shifted liability for counterfeit card, and sometimes lost and stolen card, transaction losses from the issuer to the merchant, if the merchant does not support EMV chip card acceptance. Since businesses never saw this fraud, the financial risk is unknown, but guesses put it in the 1-2% of sales range. The first acquirer (Vantiv) announced penalties effective January 1 if a retail operation does not support EMV chip card transactions. These fees will grow throughout the payment chain in 2016, and be passed down to the merchant. If profit margins are important, EMV compliance is not optional. Between growth in credit card fraud losses and new penalties, distributors need to make the change ASAP.
  2. EMV terminal selection. Retail Distributors fall into two categories: Those who use countertop terminals, and those who use anything else, including mag swipe reader or signature capture terminal. Only the latter are even capable of supporting level 3 data, critical for qualifying for level 3 interchange rates, which makes up more than 95% of credit card processing, or merchant, fees. Yet, the vast majority of recommended EMV solutions are incapable of level 3, and or there is no certification for it. While updating, add NFC for ApplePay and newer payment methods, and P2PE, which encrypts at the terminal head, further mitigating data breach risk.  The best EMV terminal selection for distributors may reduce merchant fees an average of 32% and mitigate data breach risk. Conversely, the wrong choice will directly reduce profit margins. 
  3. PCI Compliance. Internal and external data breaches are a serious growing problem (Lowes and Home Depot both admitted), and best practices are being shared among peers that are ‘risky’ at best. Top areas of concern are paper credit card authorization forms and electronically storing card data (without certified compliant tokenization such as a payment gateway). Both should be eliminated. Online pay pages and other technology solutions have negated the need for employees to ever have access to credit card data, not even for a minute. Has your own company eliminated them?
  4. Quickbooks. For operations that used Intuit Merchant Services because there was no other integrated choice, that’s no longer an issue. Third party integrations empower businesses to use any acquirer. Look for one that supports all payment methods needed (ACH, check, wire, credit card etc). If processing more than $500k annually, fees may drop up to 50%.

CHRISTINE’S RECOMMENDATIONS FOR CLIENT ADVICE TO DISTRIBUTORS:

  • Implement EMV ASAP to avoid penalties and fraud losses.
  • Only implement an EMV solution certified for level 3 processing to maximize profit margins.
  • Get PCI 3.0 Compliant to mitigate risk of financial losses from a data breach- Replace all practices that include credit card access by any employee, even for a minute, with a technology solution.
  • Replace Intuit Merchant Services to maximize profit margins.

Note: this advice is applicable to any business that has a customer base which includes some business to business and retail, even if retail is a small part of the overall payment types accepted.

Can you recommend a PCI Compliant policy for storing credit cards?

Distributors and manufacturers can overcome PCI Compliance issues with better awareness of rules, and cost efficient solutions to ease PCI burden. A review of key problems and solutions will help companies with internal credit card authorization and storage policies. For credit card processing, a virtual terminal or integrated gateway, is the only cost efficient and secure option for these business types.

It’s never Ok to store credit card forms that have the CVV2, or security code, on them. It’s also never Ok to store CVV2 electronically in any format, encrypted or not. This is both a card acceptance and PCI Compliance 3.0, section 3 Protect Cardholder Data, problem. For any recurring charges, including variable, merchants only need to validate the CVV one time for a fraud check, and then never again. This is easily accomplished with a zero dollar authorization, however not all gateways support this feature.

The best paper credit card authorization form, is one that doesn’t have full card data, or better yet, doesn’t exist at all. If sales reps in the field are getting card numbers to be charged later, consider a mobile payment app that let’s them swipe and create a token, using a P2P encrypted reader. That way card data is never exposed at any point in time. Instead of getting card numbers over the phone, empower customers to self pay or store card data using online payment solutions, including either a hosted online pay page or electronic bill presentment and payment (EBPP). Use this to also eliminate credit card data in emails, which is another PCI Compliance problem.

Need to keep a card stored on file that you initiate charges on? It’s indefensible with today’s technology to have credit card data on paper, and it’s risky to use your own encrypted media. Tokenization, a payment gateway service for merchants to remove sensitive data from their environments, is the best practice for security and PCI Compliance.

Some businesses want a signature on file. A sales receipt is generated with almost any online payment solution and merchants can require a customer to print and sign it, or to simply forward the email receipt from company email address with typed name approving it. For recurring billing, choose a payment gateway that generates a PCI Compliant recurring billing authorization form. They’re useless if stolen, and contain all the right language for credit card authorization. It should be supplemented by a signed document with your own custom business terms and conditions, and limitations for duration and maximum charge amounts allowed. Merchants might also get a signed sales order with all terms and conditions, plus the token ID the customer has agreed you’ll charge to.

Third-party credit card authorization doesn’t exist as far as card issuers are concerned. It’s specifically written in the cardholder terms that they cannot allow any third party to use their card. Any form a merchant creates authorizing other parties is at risk for future disputes. The merchant can eliminate the risk by having the company issue purchasing cards for each buyer, or mitigate risk by sending the sales receipt automatically to the cardholder and asking the buyer to confirm receipt per T’s & C’s.

A huge problem is managing old stored data created prior to new PCI Compliance rules. The reality is, the merchant is not PCI Compliant as long as the old stuff exists. That likely means someone will need to be assigned to identify all the past ways that credit card numbers were captured. For electronic, IT will need to get involved to securely remove old data. There are tools to search emails and servers for card data as well.

PCI 3.0, in effect now, requires merchants not only are PCI compliant at a point in time, but that there’s a plan in place for monitoring and inspecting. Whoever is cleaning up the old problems should document who, what, where, how and when activities were identified and or completed, and continually add this to the master PCI file.

References:

Payment Card Industry (PCI) Data Security Standard, v3.1, pg 36 CVV
Visa Core Rules, October 2014 page 266, Merchant Must Not Request the Card Verification Value 2 data on any paper Order Form

 

Is it OK for sales reps to collect credit card data?

secure credit card salesman token biulling

If salespeople accept credit cards, instead of writing down credit card data on paper, sales should immediately process the transaction or enter sensitive payment data into a secure payment portal to encrypt and tokenize for future use.

What’s the best practice for sales reps to collect credit card data? This question primarily pertains to business to business companies, where billing may be done later by the credit or finance department. The initial sale, and possibly future sales, requires a credit card. 

Option 1: Eliminate sales from ever touching credit card data. This can be achieved by:

  • Creating an online payment page. The customer self-creates an account and manages their payment data, including whether they want to store it.
  • Using a ‘request for payment‘ service. This is a slimmed down version of electronic bill presentment and payment ( or EBPP Lite). The user enters whatever customer data management requires, including email or mobile number, invoice number, and amount due. The customer immediately receives a link to a unique secure URL to make the payment.
  • EBPP – there are multiple methods to send an electronic invoice for the customer pay, both integrated and non-integrated. This may be less desirable for new customers

Option 2: If the salesperson physically meets with the customer, use an enterprise mobile payment solution to include card reader, point to point encryption, tokenization, and data management for both card present and card not present transactions.

It’s much harder for merchants to maintain PCI compliance while mitigating risk of losses due to disputes or fraud, when sales uses alternative methods, including paper authorization forms.