Posts Tagged ‘tokenization’

Interchange Plus Pricing- in 60 seconds learn if you REALLY have wholesale or tiered pricing

Friday, April 19th, 2013

Credit card processing is complicated. It doesn’t matter how good your deal is if you don’t have the best base price plan to start with. Your merchant statement has the critical evidence of whether or not you are even in the game, including qualifying for low regulated debit interchange rates (Durbin Amendment, part of Dodd-Frank).

credit card processing pricing (image)

The image above is an example of one type of credit card processing rate structure.

This video uses ZOOM so it is not necessary to blow it up.

About the author: Christine specializes in providing merchants with innovative technology to manage the cost of accepting credit cards, without changing merchant accounts. With a primary focus on “card not present” payment processing solutions for mid-size companies, including manufacturers and wholesale distributors, merchants improve PCI Compliance and streamline the payment experience for both their company and their customers. It’s fast, easy to use, and requires no capital investment to implement. For sales, call Christine at 954-942-0483 or click here for more information.

Dealer Cloud Payment Solution- 3 features users will never give up

Friday, April 5th, 2013

Dealerships that try CenPOS payment technology stay customers for life. Here are three features CenPOS users will never give up, and that competitors can’t duplicate:

  1. Interchange optimization- CenPOS removes people and outdated terminals from impacting the cost of accepting credit cards. Other cloud solutions have the same intelligence as old dial up terminals- NONE. CenPOS dynamically makes decisions in seconds based on risk and other merchant defined rules.
  2. Token billing with online payments- CenPOS replaces fax credit card authorization forms and telephone orders. I don’t care what HQ policies are, every dealer has this going on whether upper management knows it or not; sometimes only accounting has permission to accept them, but that’s still too many people. In either case, it’s a poor business practice. Making it easier for your customers to pay, while mitigating risks, can make all the difference whether a customer chooses to do business with you or not. CenPOS offers two secure online payment solutions. No employees ever have access to payment data- no one, ever. No payment data touches your servers, ever.
  3. Reporting- whether one location or many, CenPOS creates numerous back office efficiencies; reconciliation, transaction research, electronic receipt retrieval, and audit trails are just a few.
  4. Bonus- Mobile payments- not quite a necessity for everyone yet, but there has been growing demand, especially in service departments. Why is CenPOS different? There is no additional effort needed to implement or for reconciliation. User permissions carry across all points of payment acceptance per rules merchants set up, and all the other benefits of CenPOS extend to mobile.

Dealer Brochure- CenPOS  overview

automotive dealer case study infographic (cloud payments)

CenPOS products include:

  • Virtual Terminal
  • Online payments
  • Pre-filled Request for Payment (electronic bill presentment & payment or EBPP)
  • Dashboard- executive insights
  • Recurring Billing- installment and scheduled payments
  • Token billing- charge any amount to stored payment method
  • Mobile apps – Droid, iPad, iPhone

About CenPOS: CenPOS is an innovative payment processing network that streamlines the payment experience for both merchants and customers. Its multi-channel support and SaaS model have catapulted a shift in payment technology adoption in a variety of industries. CenPOS is fast, easy to use, and requires no capital investment to implement. For CenPOS sales, call Christine at 954-942-0483 or click here for more information.

Video Training: How to replace credit card authorization forms

Wednesday, April 3rd, 2013

In this training video, I show how to securely store credit card data so that no one can ever see it again. It’s virtually impossible to prove Payment Card Industry Data Security Standards (PCI DSS) Compliance if you store credit card authorization forms with full card data. This solution can significantly boost PCI Compliance and reduce losses due to disputes and resulting chargebacks.


The positive card verification checkbox is used to submit a zero dollar authorization transaction. This validates all rules in the merchant administration and on a user basis. For example, if rules require an address, zip code, and cvv security code verification, the items will be validated with the card issuer. The receipt is the merchant record of proof that the card issuer passed the verification.

Optionally send the repeat sale credit card charge form to your customer. Have the customer sign and send it back. This replaces credit card authorization forms that have full card data.

TIP: Include a cancellation and refund policy on all invoices, as required for all card not present transactions per card acceptance guidelines.

CenPOS works with your existing processor, and is fast, easy, and requires no capital investment to implement. Call Christine Speedy in sales 954-942-0483 or click here for more information.

Credit card authorization form template

Thursday, February 21st, 2013

Most merchants have printable authorization forms that don’t comply with the basic requirements to protect against disputes or don’t comply with Payment Card Industry Data Security Standards (PCI Compliance) guidelines.
Download this Credit card authorization form template and modify as you wish.

USE AND DISTRIBUTION

This form contains language suitable for businesses where all of these elements apply:

  • business to business
  • card not present – phone, fax, email, or other order (not ecommerce)
  • repeat customers with sales of variable amounts; need to bill customers on an occasional or regular basis for varying purchases
  • sensitive card data is stored via a PCI compliant solution that replaces card data with a ‘token’; the token is then used to charge the card

Card Acceptance Guidelines for Visa Merchants (2012) PDF download from Visa.com

You won’t find a “fax authorization form” in the guidelines, however, there is much information about receipt requirements.

Do you want to empower your customers to pay 24/7 via a secure pay online page? Would you like to reduce scope for PCI Compliance?

Would you like to eliminate fax authorization forms that expose card data? Contact Christine Speedy at 954-942-0483.

My vendor accidentally charged my credit card instead of another client, now what?

Friday, June 8th, 2012

How could this business to business vendor error have been prevented? How could everyone have saved time? Let’s review what happened, the resolution, and the repercussions for all parties, both time and money.

SCENARIO:

  • Business “A”, an equipment seller for business to business only, issued a PO to a vendor, a wholesale distributor for the trade only.
  • The vendor, “merchant”, created an invoice.
  • The accounting department uses the invoice and pulls the credit card information to charge the card. Business A credit card information is on file with the merchant, sent via fax some years ago. Where is that information stored?
  • The business asked that the equipment ship in 2 days, which is also when the card will be charged.

WHAT HAPPENED NEXT:

  • Two days later, merchant called business A to report that the card declined.
  • The Business reviews their credit card account online and does not see any pending transactions or any reason for a decline and calls back the vendor to report same.
  • Vendor runs the card again, and again declines.
  • Business calls the credit card issuer, pressing voice prompt keys, finally gets ‘press 3 now’ to be connected to an operator, and then is promptly disconnected. DON’T YOU HATE IT WHEN THAT HAPPENS?
  • Business calls card company back and spends 5 minutes reviewing what they already checked online- the account is in good standing and there is a sufficient credit line.
  • After further review, it’s determined there is a large charge from the vendor that is pending, but not yet funded. It would be 5-7 days to remove the hold if the transaction is disputed.
  • Business does not want to dispute – this should be worked out with the vendor.
  • Business calls back vendor, who realizes they made an error and had charged someone else’s invoice to that account.
  • Vendor issues a refund to the business for the difference between the original charge and the amount that is really owed. (Difference between actual invoice and some other customers invoice. )

REPERCUSSIONS:

  • LOST TIME. How much time did everyone waste? At least 15 minutes for each party. Both operations were disrupted.
  • NO ACCESS TO FUNDS. The business does not have access to credit card funds availability until the refund goes through.
  • EXTRA FEES. The merchant pays multiple transaction fees.

HOW THIS TRANSACTION COULD HAVE BEEN MORE EFFICIENT:

  • ERROR FREE. The vendor could send the business an email confirmation the PO total is correct and the business self-pays via a secure online payment page.
  • ERROR FREE AND SAVE TIME. The vendor could have used electronic bill payment and the business would click and pay the invoice.
  • ERROR IDENTIFIED FASTER. The vendor could have sent a copy of the transaction receipt immediately. The business could recognize there was an issue and notify the vendor. The transaction could then be voided, or preferably a reverse authorization could have been requested, if their credit card processing vendor supports that transaction type.

HOW CENPOS PAYMENT WOULD HELP THIS MERCHANT:

EFFICIENCY

  1. AUTOMATE TO SAVE MAXIMUM TIME FOR BOTH PARTIES AND ELIMINATE ERRORS. EBPP- CenPOS automatically emails the invoice for payment. Business clicks the email link, chooses how they want to pay, and the merchant ships upon payment completion.
  2. ERROR FREE, SAVE A LITTLE TIME. Merchant sends an email with their invoice or uses another method to confirm the bill amount owed. With the free CenPOS online payment page, the business would have self-paid with their payment method of choice.
  3. ERRORS FOUND FASTER. Merchant could have key entered the transaction in the virtual terminal and emailed a receipt. The cardholder would have known instantly of the mistake.
  4. SAVE TIME. Merchant could have securely stored payment data with the business saving keystrokes to process the transaction.

HARD DOLLAR SAVINGS

  • I know that this merchant uses a desktop terminal and a virtual terminal (authorize.net). Neither of those requires the user to enter data into fields that could qualify transactions for lower interchange rates. Additionally, neither of them supports enhanced or “level III data”, required to qualify certain transactions for extra low purchasing card rates. Sending the right data could save a merchant up to almost 1%, a big deal when margins are tight.
  • The merchant will pay auth fees for one sale, two declines and a refund, 3 more than they should have.

See something relevant to your business? Contact us for more information.


What’s the difference between tokenization and encryption for payment card data?

Wednesday, May 9th, 2012

Tokenization is the process of replacing sensitive data with a meaningless number. There is no universal standard for tokenization in payments. The key principle is that no part of the token has any relation to the credit card or check data. The tokens themselves are useless outside of the system for which they are designed to be used. Tokens can be created for one time use or stored for recurring use.

Encryption is the conversion of data into a form that cannot be easily read by others. That which is encrypted can be decrypted.

Payment card industry data security standards (PCI DSS) do not allow credit card numbers to be stored on a retailer’s point-of-sale (POS) terminal or in its databases after a transaction, with very rare exception. If you store card data on your servers, regardless of access limitations, you’ll have a hard time proving your company was PCI Compliant in the event of a data breach. The financial liability, and potential criminal liability, is substantial.

If PAN data (primary account number, i.e. the credit card number) is encrypted, it’s still within the merchant scope for PCI because it can be decrypted. The exception is if the merchant is using a third party that is using PCI Compliant strong encryption, and there is no ability for the merchant to decrypt the data and get back PANs. *

Tokenization helps merchants reduce the scope for PCI DSS compliance whenever credit card data is stored, because the merchant cannot reverse engineer the token to access the PAN data. Encryption can be used by the third party to protect the data in the token vault. It is not required by PCI. When a merchant uses a token to process a transaction, the associated payment information in the vault is delivered to the processor. How and in what format? The logical and physical elements vary by provider and specific controls are secret for security reasons, but it’s a fair question to ask when considering a new provider.
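To make the tokenization side of this concrete, here is an added example (my own illustration, not CenPOS or any provider’s code) of a hypothetical token vault: the token is a random value with no mathematical relationship to the PAN, only the vault can map it back, and single-use tokens are destroyed on first use. The sample PAN is a well-known test number, not a real account.

```python
import secrets

# Constructed sample input: a standard Visa test number, not a real account.
SAMPLE_PAN = "4111111111111111"


def luhn_valid(pan: str) -> bool:
    """Basic PAN sanity check (Luhn mod-10) before anything is vaulted."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Hypothetical vault: the PAN lives only here, callers hold opaque tokens.

    A real provider would encrypt the stored PAN at rest and restrict who may
    call detokenize(); this toy keeps the mapping in memory to show the idea.
    """

    def __init__(self) -> None:
        self._store = {}  # token -> (pan, single_use)

    def tokenize(self, pan: str, single_use: bool = False) -> str:
        if not luhn_valid(pan):
            raise ValueError("refusing to vault an invalid PAN")
        # The token is drawn from a CSPRNG, so no digit of it is derived
        # from the PAN; the same PAN tokenized twice yields two different tokens.
        token = "tok_" + secrets.token_hex(16)
        self._store[token] = (pan, single_use)
        return token

    def has_token(self, token: str) -> bool:
        return token in self._store

    def detokenize(self, token: str) -> str:
        """Only the vault can resolve a token; single-use tokens are consumed."""
        entry = self._store.get(token)
        if entry is None:
            raise KeyError("unknown or already-consumed token")
        pan, single_use = entry
        if single_use:
            del self._store[token]
        return pan


def masked(pan: str) -> str:
    """Receipt-style display: only the last four digits are shown."""
    return "*" * (len(pan) - 4) + pan[-4:]
```

Outside the vault a token is just an opaque string, which is why a merchant holding only tokens has far less to protect than one holding encrypted PANs it can decrypt.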

The CenPOS payment platform uses both tokenization and encryption for maximum reduction of PCI scope for merchants, and for data security throughout the payment cycle. It provides the most flexibility for merchants, because they can change processors with no disruption to their business.

*Refer to PCI guidelines for further details. Official PCI Security Standards Council Site


Verizon 2011 PAYMENT CARD INDUSTRY COMPLIANCE REPORT

Thursday, September 29th, 2011

Is it any surprise that actual Payment Card Industry (PCI) Data Security Standard (DSS) assessments by Verizon’s team of Qualified Security Assessors (QSAs) show that growth of compliance is stagnant? Even worse, organizations that suffered data breaches were much less likely to be compliant than a normal population of PCI clients. About 20 percent of organizations passed less than half of the DSS requirements, while 60 percent scored above the 80 percent mark. For all those merchants sounding off about an annual PCI Compliance Fee, the evidence is clear that merchants still have a long way to go. 100% PCI DSS compliance is the only acceptable statistic.

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies)

The first two of these can easily be resolved with our hosted payment processing technology, CenPOS. If you’re going to store cardholder data, it needs to be encrypted. One of the major problems with this has been ready access to solutions for storing cardholder data for variable billing. Most gateways have a PCI Compliant solution to store encrypted card data for recurring billing, charging the same amount on a fixed schedule. However, CenPOS is unique in offering stored card data for billing a variable amount (token billing). Additionally, it is the only technology this writer is aware of that also includes interchange optimization, of major importance to companies trying to control credit card processing fees.

encrypt cardholder data token billing variable amount (image)

Tokens are issued for stored card data, worthless if stolen.

Requirement 10 (Tracking and Monitoring) is a major component of CenPOS. Every user has a unique login and management can micro-manage permissions. Where others create a few tiered levels of permission such as cashier, finance, and administrator, CenPOS offers a plethora of options, plus management tracking and research tools.

  • User Permissions: Control precise transaction types allowed, set maximum thresholds, set alerts based on responses, amounts and other criteria. Extensive Permissions enable maximum merchant protection from lower level employees, plus there are tools for secondary oversight at the admin level to mitigate risk of high level employee fraud.
  • Tracking and Monitoring: The requirement calls for the tracking and monitoring of all access to network resources and cardholder data; the main objective is to maintain system logs and have procedures that ensure proper utilization, protection, and retention. According to the Verizon Report, this has historically been one of the most challenging requirements, but it is critical to forensic investigations if needed. CenPOS logs everything related to the payments process including user ID, time stamps and every other element of interaction with the system. Merchants must have their own internal logging system for their network.

Requirement 11 (Regular Testing) had the least compliance in the Verizon report. “Organizations continue to have difficulty meeting the sub-requirements regarding network vulnerability scanning (11.2), penetration testing (11.3), and file integrity monitoring (11.5).” Our recommendation is that merchants hire a qualified outside vendor to assist them with this requirement. We have no direct affiliation with such companies but know several with good reputations should you need a resource.

Requirement 12 (Security Policies): While the best laid written plans may exist, there is still the human factor. Weaknesses identified include poorly written policies, including those so long that they are stuffed in a desk never to be read again, and those that are too vague. Note that the requirements are directly related to the services in scope of the organization’s PCI DSS. The more the merchant reduces their scope, the more the burden is on their service provider instead of their internal personnel. CenPOS reduces the merchant scope in several ways, including but not limited to:

  • Web payments on a hosted pay page, not the merchants web page
  • Electronic Bill Presentment and Payment- same as above.
  • Storing all card data, encrypted, on CenPOS servers, eliminating file drawer and merchant stored data

Verizon 2011 PAYMENT CARD INDUSTRY COMPLIANCE REPORT (PDF) download

Learn more about how CenPOS can help you with PCI DSS Compliance.


HostedPCI vs Smart Virtual Terminal review

Thursday, September 1st, 2011

I received a cold call from a representative of HostedPCI so I decided to review what they offer. HostedPCI’s sales pitch is to offer a quick and easy way to become PCI DSS compliant by offering an interface to your existing applications. Basically, their ‘vault’ receives the payment information, tokenizes it, and from that point, only the token is used for processing payments, regardless of the connection interface such as authorize.net.

The core services are currently call center and checkout express. The call center application changes the customer over to a secure payment call session where the consumer enters their card information. Then the operator gets a pop up on the screen with the token ID which can then be used for processing. This removes the operator from hearing the card information, improving security, and also making it easier to comply with regulations regarding recording payment information over the phone. Is this a one time use token? Is the customer told their card data is being stored? How long is it stored for? Whether they exist now or later, there are certain to be new regulations coming regarding the rules for storing, even with a secure token.

The company 2138617 Ontario Inc., dba HostedPCI appears to be Canadian, though it’s not entirely transparent since there is no address on the web site.

It is not a gateway and the salesperson said you’d still need one to accept payments online. I have to wonder, what is the real value of this application vs our Smart Virtual Terminal?

Tokenization – Yes, they both have it. HostedPCI tokenizes every transaction. Our Smart VT only tokenizes data if there is a need for a repeat sale, and the merchant can issue an approval form for signature, perfect for B2B needs. There are so many other benefits for ours vs theirs (see our token billing page), there is really no comparison. Winner: Smart Virtual Terminal.

Call center - HostedPCI wins hands down because we don’t offer any voice related services. However, you can explore 3rd party options that already exist and if it makes business sense, we’ll integrate.

Gateway- HostedPCI integrates with gateways; our Smart VT replaces them, eliminating gateway fees. Winner- open to interpretation.

Shopping cart integration- Hosted PCI Checkout Express uses an iFrame and also offers an API, same as our Smart VT. Hosted PCI has ready made APIs for Drupal and Magento; we’ve never had a customer ask for this so we haven’t made one specifically for this purpose yet. Winner: open to interpretation.

Reporting: HostedPCI doesn’t mention any and our Smart VT is more robust than anything else on the market. There is no comparison. Winner: Smart Virtual Terminal.

Flexibility: HostedPCI is developing new applications. Smart Virtual Terminal is ready today for Kiosk, EBPP, ecommerce, web payments, mobile, and retail POS and accepts loyalty, credit/debit, check, check guarantee, ACH and other payment methods. Numerous ground breaking features are in the works. Winner: Smart Virtual Terminal.

With prices that start at $.30 per transaction for HostedPCI, if you have an ecommerce PCI Compliance problem and spend less than $100 per month in gateway fees now, then HostedPCI may be a viable option for you. If you have a call center, check the legal requirements in your state on what’s allowed, including phone script requirements. Smart Virtual Terminal provides significantly more value for mid size merchants at competitive prices (non-published).