Hotel Third Party Authorization Form Alert

The best hotel third party authorization forms are fully compliant with card brand rules to mitigate chargeback risk, especially for friendly fraud. Paper and digital credit card authorization forms often have problems perpetuated by misinformation from people and internet postings. PCI compliance and card brand rules dictate allowable best practices.

Paper credit card authorization forms are dead.

Per Visa Core rule 5.4.2.5, a US merchant or its agent must not Request the Card Verification Value 2 data on any paper Order Form. I could go on with all the PCI compliance and data breach risk problems related to them, but because merchants must authenticate the cardholder with the security code or 3-D secure cardholder authentication (which requires digital interaction) for card not present transactions, paper forms are effectively dead. This also applies to secure document service companies and any solution where sensitive cardholder data can be viewed or decrypted for use in another solution.

Web-based third party authorization forms are required for card absent compliance.

More than just PCI compliance, a myriad of rule changes since 2017, and continuing into 2019, impact every hotel. Everyone must make changes to comply, and it’s not automatic. For example, you’re getting a sales deposit, and will definitely or will possibly charge more later. There’s a new set of transaction data standards which include estimate, incremental, and final authorization. While the technical piece is handled by payment gateways, not all have made the modifications required. Additionally, some elements are left to merchants to manage.

  • Comply with Visa 5.8.3.1 Authorization Amount Requirements. The Merchant must use the Estimated/Initial Authorization Request indicator for the first transaction, then the Incremental Authorization Request indicator for any interim requests, if applicable, and the Final Authorization Request indicator when closing out the transaction; the same Transaction Identifier must be included for all Authorization Requests. Don’t accept an authorization online and then swipe or dip the same card later unless your card present system can tie back to the initial authorization.
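The sequence rule above can be checked against a merchant's own authorization log. The following is an added example, not code from Visa, a payment gateway, or the author; the field names, indicator labels, channel labels, and sample records are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical indicator labels; real gateways use their own field names and codes.
ESTIMATED, INCREMENTAL, FINAL = "estimated", "incremental", "final"

@dataclass
class AuthRequest:
    indicator: str       # one of the three labels above
    transaction_id: str  # identifier that ties the requests together
    amount: float
    channel: str         # "online" or "card_present" (assumed labels)

def check_sequence(requests):
    """Return the problems found in one stay's ordered authorization requests."""
    if len(requests) < 2:
        return ["need at least an estimated and a final request"]
    problems = []
    first, last = requests[0], requests[-1]
    if first.indicator != ESTIMATED:
        problems.append(f"request 1: expected {ESTIMATED}, got {first.indicator}")
    for n, req in enumerate(requests[1:-1], start=2):
        if req.indicator != INCREMENTAL:
            problems.append(f"request {n}: expected {INCREMENTAL}, got {req.indicator}")
    if last.indicator != FINAL:
        problems.append(f"request {len(requests)}: expected {FINAL}, got {last.indicator}")
    # Every later request must carry the identifier of the initial authorization.
    for n, req in enumerate(requests[1:], start=2):
        if req.transaction_id != first.transaction_id:
            note = " (card present, not tied to initial authorization)" \
                if req.channel == "card_present" else ""
            problems.append(f"request {n}: transaction id {req.transaction_id} "
                            f"differs from {first.transaction_id}{note}")
    return problems

# Constructed sample data: deposit online, one top-up, close-out at the desk.
SAMPLE_OK = [
    AuthRequest(ESTIMATED, "T1", 200.00, "online"),
    AuthRequest(INCREMENTAL, "T1", 50.00, "online"),
    AuthRequest(FINAL, "T1", 265.00, "card_present"),
]
# Constructed sample data: wrong interim indicator, and a desk swipe with a new identifier.
SAMPLE_BAD = [
    AuthRequest(ESTIMATED, "T1", 200.00, "online"),
    AuthRequest(ESTIMATED, "T1", 50.00, "online"),
    AuthRequest(FINAL, "T9", 265.00, "card_present"),
]

if __name__ == "__main__":
    for name, seq in (("ok", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(name, check_sequence(seq) or "no problems")
```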

Here are some key elements if the initial authorization is not the final authorization.

Terminology:

  • PCI compliance: short for Payment Card Industry Data Security Standards. All businesses are mandated to comply with rules which are outlined on the PCI Security Standards Council web site.
  • 3-D secure (3D Secure) is a global XML-based protocol designed to be an additional security layer for online credit and debit card transactions. Each card brand has its own version. For example, Visa Secure, formerly Verified by Visa.
  • Link to Visa and all card brand Rules

Call 3D Merchant Service for simple solutions to complex B2B payment transaction problems, 954-942-0483, 9-5 ET. With a focus on card not present and omnichannel technology, Christine has been a sought-out payment technology resource for clients, consultants, panels/forums, and the media.