About Christine Speedy

B2B cloud payment acceptance solutions and CenPOS enterprise cloud payment solutions global sales.

PCI Security Standards Council Extension of PCI PTS POI v3 Devices

PCI Security Standards Council Bulletin: Extension of Expiration of the Approval of PCI PTS POI v3 Devices, March 10, 2020.

Due to supply-chain disruptions related to the coronavirus, the PCI Council has extended the expiration date of PIN Transaction Security Point-of-Interaction (PTS POI) v3 devices from 30 April 2020 to 30 April 2021.

For those countries and entities not impacted by the coronavirus, we strongly encourage the deployment and use of next generation solutions such as devices approved to PTS POI v4 or v5 and migrating to POI v6 devices when the standard is released later this year.

On advisement from our industry stakeholders, the Council has determined the preventive controls to stop the spread of the coronavirus will impact previously planned rollouts of POI v3 devices. While recognizing that earlier versions of POI devices may be less robust in withstanding certain of the latest generations of attacks, we do not believe that this limited one-year extension of the approval expiry date for POI v3 devices will materially impact that risk.

The PCI SSC advises merchants, financial institutions, vendors and other users of PTS POI v3 devices, specifically v3 PEDs (PIN entry devices), non-PEDs, EPPs (encrypting PIN pads), UPTs (unattended payment terminal), and SCRs (Secure Card Readers) to contact their device vendors regarding the availability of more recently approved models to use as replacements and in new deployments. Effective 30 April 2021, the affected devices will be removed from the approved POI devices list on the PCI SSC website and listed separately here

3 Things Accountants Must Advise B2B Clients in 2020

Credit card processing may be a big part of the revenue stream or a small part. It doesn’t matter. B2B companies all suffer from the same issues that impact EBITDA and risk. Compliance, cost and security. It’s fair to say, most businesses have no idea what the hot buttons or repercussions are.

Three things every B2B company needs to know about credit card processing right now:

  1. If you store credit cards, you must be compliant with Visa Stored Credential Framework. I posted this in 2017. Guess what? Most payment gateways (if you accept payments online from an invoice or any other source, a payment gateway is involved) are still not compliant! There are significant financial and risk consequences for non-compliance, including penalty fees, fines, and issuer generated chargebacks.
  2. Failure to settle transactions with a proper authorization will be even more expensive starting in April 2020. For example, many Visa credit card rates will go to 3.15%, reflecting upwards of 0.75% increase in some cases; that’s strictly interchange fees, nothing more. Instead of assuming you’re already settling properly, go to your merchant statement and look for DATA RATE I (instead of Data Rate III), STD/Standard, and EIRF. Do you have any of these? See also https://3dmerchant.com/blog/merchant-processing-services/credit-card-transaction-fees-checkup
  3. It’s a Visa rules violation to request the card security code on a paper credit card authorization form, or any digital form where the business can decrypt and view it. It can’t be stored, period. Not by the merchant nor service provider, including payment gateway. Yet even the AICPA

Why these 3 things? Because 100% of B2B companies I talk to will fail on at least one, and usually two or three. That includes CPA firms. Among the American Institute of Certified Public Accountants missions is to provide “the most relevant knowledge, resources” etc. Yet as of this writing, AICPA affinity credit card processing partners include a long list of technology solutions that are not compliant with all three of the above.

86% of all data breaches in 2016 were from level 4 merchants, defined as “Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.” By complying with the three items on my list, B2B companies will harden their systems and increase profits. The latter occurs because compliance with rules reduces fees. 

If your current acquirer could truly fix all the problems above, why haven’t they taken the initiative to help you in the past? By the way, if someone ever says they help you qualify for level 2 rates, run! All B2B companies should have the right technology to qualify for level 3 rates. Why pay more?

Christine Speedy, 954-942-0483. For a fast, free checkup on your merchant account, contact us today for a secure, cloud-based solution optimizing acceptance for all payment types across multiple channels without disrupting banking relationships.

New Visa SaaS subscription rules for trial periods

Effective April 18, 2020, merchants must comply with new Visa subscription billing terms and conditions. These are, once again, big changes that merchants must take action on to comply with. The payment gateway will be critical, and not all are ready to meet the new technology requirements for authorization and receipts.

Who do the new Visa rules apply to?

  • All merchants globally
  • Merchants that offer a free or discounted introductory offer as part of a subscription service

What are key Visa SaaS subscription changes?

  • Merchants must get express consent to enter into agreement for recurring billing. For example, if an online purchase, a checkbox agreeing to the terms is acceptable.
  • Notification via text, email, or other agreed upon method (not realistic for most businesses), of the subscription terms including start date, product/service details, billing frequency, billing start date, and link to cancel.
  • Notification at least 7 days in advance of the expiration

Revised sale transaction receipts are required.

  • Details to include length of trial period, introductory offer, or promotional period, and notice the cardholder will be charged unless the cardholder takes steps to cancel.
  • Date it starts, even if no payment is due, and date subsequent recurring transactions begin.
  • A link to cancel or other simple method.

Payment Gateway and settlement changes to support new Visa Authorization is required.

Many payment gateways are not yet compliant with the October 2017 stored credential mandate and they won’t be ready with this either as it is not a simple update.

  • A new descriptor, “trial” or similar, must be sent with Merchant Name field of the Clearing Record for the first transaction at the end of a trial period. This descriptor will then appear on cardholder statements, online banking etc.

“This is another huge change that most merchants will probably have difficulty complying with because of outdated payment gateways,” according to Christine Speedy, 3D Merchant Services payment gateway expert.

Merchants must make it easier to cancel recurring billing.

This is actually an extension of rules and recommended changes over the last few years. For example, if a customer signs up online, they should be able to cancel online, not have to call on the phone. The new rule now says regardless of where they signed up, retail store or other, they must be able to cancel online.

Visa expands cardholder dispute rights for subscription billing via existing condition “Misrepresentation”.

Basically, merchants need to be able to prove that the cardholder expressly opted in, and they notified customer before processing after the trial period.

Visa will actively monitor trial period compliance.

This is huge. While they don’t state how, the advances of Artificial Intelligence (AI) make if fairly easy. Additionally, merchants that are using recurring billing properly already notify the parties in financial ecosystem that they are doing recurring billing via the 2017 recurring billing stored credential changes.

What are merchants benefits to comply with Visa rules?

Merchants can expect increased authorization approvals, better rate qualification (higher profits), and increased customer satisfaction. Merchants avoid getting shut down, fined, assessed fees, penalty fees and also reduce customer service bandwidth.

DISCLAIMER: condensed and incomplete information. Information may be quickly outdated. Follow links from our Merchant Rules web page here or click here to download Visa’s PDF with review and quick reference card. Two page PDF, 675kb.

Call Christine Speedy for compliant payment gateway solutions to maximize profits and improve your customer experience. 954-942-0483, 9-5 ET for all your recurring billing and stored credential payment gateway and virtual terminal needs.

Verifone PCI 3 End of Life Terminals

Did you know terminals have their own Payment Card Industry or PCI certification? The standards are part of the overall merchant requirements to maintain the security of cardholder data. Those rules change over time and a bunch of Verifone equipment is expiring, including the popular Vx520 countertop terminal and Vx820 pinpad.

Last August, Verifone issued end of life notification on their PCI 3 range of payment devices in compliance with the PCI Security Standards Council PCI 3 expiration date of April 30, 2020. Often merchants will get notifications like this from their acquirer on their merchant statement.

Which Verifone terminals are impacted?

  • Vx520
  • Vx805 – M280-703-0X-XXX-X
  • Vx820 pin pad
  • Vx675, Vx680, Vx685, Optimum M5
  • Mx915 (PN 132-XX…), Mx925 (PN 132-XX…)
  • H5000
  • This list may not include all devices. Merchants should check with their providers especially if using a non-EMV device or if you were an early EMV chip adopter.

What does End of Life mean?

  • Final date for new terminal sales (fall 2019)
  • End of Development- Improvements or changes have stopped
  • End of Support Date- Verifone will not issue software updates after April 2020, except that, until April 2023 they will continue to provide error corrections for Severity 1 (Critical) software errors, including security vulnerabilities.
  • End of Service Date- April 2023. Verifone will honor any extended support contracts to their term. Subject to component availability and other factors, Verifone will also continue to provide repair.

(PCI) PIN Transaction Security (PTS) v4 expires April 30, 2023. PCI PTS v5 expires April 30, 2026.

Are merchants PCI Compliant if they continue to use PCI 3 terminals after April 2020? The PCI Council urges but does not mandate merchants use approved PTS devices in their payment environments. However, in our experience, between payment brand and acquirer requirements, merchants generally need to use only approved PTS devices or risk getting shut down. Research expiration dates of terminals on the PCI Council web site. I’d be concerned about liability and the ability to prove PCI compliance, especially in the event of a data breach. Verifone will not issue software updates or provide development support after April 2020. If security vulnerabilities or exploits are identified by the processors after April 2020, and you’re using the terminals, who’s to say when or even if a solution could be found to fix it?

How disruptive would it be for your business to have to shut down using them and get another solution? There are always people who procrastinate making changes. And when something goes wrong, phone calls to processors explode, so change is usually not as swift as you’d like.

Note, only employees and PCI QIR certified individuals can install or touch your credit card terminals. Terminals are one of the most important factors determining rates you pay and chargeback risk. Why? Call now to learn more. This is the perfect time for an external account review by a payments expert.

TIP for Christine Speedy Verifone Mx915 customers: If you have a part number that starts with this “PN 132”, replace the terminal. If you were an early adopter and had your terminals deployed prior to the EMV chip liability shift in October 2015, there’s no need to check part numbers; They need to be replaced. Please contact me directly to consult on replacement options.

Call Christine Speedy , PCI QIR certified, for new PCI 5 terminals, technology review and or merchant account review to maximize profits and improve your customer experience. 954-942-0483, 9-5 ET

D365 Customer facing invoice portal D365 F&O

Looking for D635 F&O solution for clients to access online portal to view and pay invoices? One of the key solution differentiators is the integrated payment gateway for credit card processing. Easily overlooked, it’s most impactful on profits. Other than merchant discount, the payment gateway is the single largest influence on the cost of credit card acceptance and chargeback risk.

How can a payment gateway impact costs?

  1. Authorization management. There’s a slew of rules, which are continually changing, regarding what has to happen in order to qualify transactions for the lowest cost possible. Virtually no payment gateways support all of them. For example, authorize.net doesn’t support unscheduled credential on file (stored card on file). Reference https://community.developer.authorize.net/t5/Integration-and-Testing/Visa-Stored-Credentials/td-p/60149. The average cost differential for a Mastercard business card is 1% for a transaction with valid authorization vs invalid (but approved).
  2. Customer disputes and chargebacks. A merchant can only defend disputes if they have proper authorization in #1. Instead of wasting time defending disputes, merchants can prevent them with 3-DSecure 2.0, a global cardholder authentication solution. If the payment gateway supports it, “it wasn’t me, I didn’t authorize it” goes away; liability belongs to the issuer.
  3. Rate Qualification. Items 1 and 2 above both reduce the cost of card acceptance. So does supporting level 3 data. It amazes me how many calls I get from consultants and merchant services salesmen that just want to help their customers qualify business and purchasing cards for level 2 rates. Why wouldn’t you want all clients to qualify for level 3 rates, which are substantially lower for business to business transactions?
  4. Stored credential compliance. This is not just securely tokenizing cardholder data, but complying with a new set of rules established in 2017, which all merchants and acquirers are required to comply with. Payment gateways have no such requirement. They can choose to provide the services to clients or not. The trickiest is unscheduled credential on file, which is what most business to business companies need, unless they have a SaaS billing model. Towards the end of 2019, a few more gateways were offering this, but the list is very small.

Few payment gateways support all four items above.

Call Christine Speedy for D365 F&O invoice portal with compliant payment gateway to maximize profits and improve your customer experience. 954-942-0483, 9-5 ET for all your recurring billing and stored credential payment gateway and virtual terminal needs.