PCI Compliance email

PCI Compliance, credit card authorization form, and CenPOS bulletin were all in the February 2016 e-newsletter. Did you miss it? Subscribe here for payment news.

PCI Compliance Fail

80% of companies FAIL an interim Payment Card Industry Data Security Standards (PCI-DSS) audit. It’s time to admit it: your company is one of the many struggling to keep up with new rules.

Have you noticed a $19.95 fee sneaking back into your merchant statements?

Check your quarterly scans. You may discover a scan failed with a reason related to SSL. Fight back to stop these monthly fees. Not only is the fee premature, but the Payment Card Industry Security Standards Council (PCI SSC) moved the migration deadline requiring TLS 1.1 encryption or higher from June 2016 to June 2018.


Credit card authorization forms – a weak link for compliance

“We keep all cardholder data in a locked file drawer and I’m the only one with a key” does not comply with PCI 3.0 standards.
For new best practices, think like a forensic auditor. In the event of a suspected breach, how will you identify who, what, when, how, and maybe even where card data was touched? Without a system to automate logging, the time and cost of an audit will explode.

TIPS.

  • Unprotected data cannot be sent via messaging technologies such as e-mail, instant messaging, chat, etc. (PCI section 4.2)
  • PAN data (card number) cannot be stored unencrypted. (PCI section 3.x)
  • Sensitive authentication data, which includes the security code (CVV/CID), can never be stored. (PCI section 3.2)

Every moment a paper form exists, there’s an opportunity for misuse and identity theft. If your company extends credit, then Red Flags Rules also apply. The FTC can seek both monetary civil penalties and injunctive relief for violations. All told, the expense of a breach could run over a million dollars, uncovered by insurance, plus ongoing lost business due to damaged reputation.


Is your service provider PCI Compliant?

If a third party touches card data, they’re required to register with the card brands and have an annual on-site audit. That includes your payment gateway, caging service, and other software if their payments are not segregated from the applications. Click here to search the Visa service provider database.


Software Updates
Reminder: PCI section 6.1 mandates software security updates be applied within 30 days. With all the activity lately, that means every month. Windows XP users are automatically non-compliant. Click here for Internet Explorer & other Microsoft CRITICAL updates issued this year.


CenPOS Question of the Month

How can we collect cardholder data for B2B card not present customers without our credit card authorization form?

  1. Hosted online pay page
  2. Electronic request for payment (push to email or text)
  3. Electronic bill presentment & payment
  4. All of the above and a PCI Compliant authorization form

PCI Compliant credit card authorization form example: Video

Training & educational videos https://www.youtube.com/user/3Dmerchant/videos

Christine Speedy


WHAT DOES CHRISTINE SPEEDY DO ANYWAY?
Omnichannel payment solutions targeting the middle market ($10M to $1B per year), primarily technology companies and distributors. With one call, I can provide any gateway, acquirer, or integrated solution. Best of all, I’m agnostic: you can keep your merchant services or check processors. Call today for a free consultation and for answers to any burning question about business to business payments.

CenPOS is a processor agnostic end to end payment engine that increases EBITDA virtually instantly. From compliance to automating collections, we solve everyday business problems. Protecting the front door with US EMV certified multi-lane terminals for all processors and the back door with 3-D Secure certified solutions for customer initiated sales. Now in over 140 countries.

Feb 01, 2016 1:04 pm | Christine Speedy

Replacing ICVerify or other legacy software for batch credit card processing? Whether you’re in the cloud, or headed there, methods of payment processing have changed to meet current and future requirements for PCI Compliance and fraud prevention. For service providers, … Continue reading →

Jan 25, 2016 11:14 am | Christine Speedy

Winter Storm Jonas is a reminder of the importance for business to business companies to accept payments online. What if you have a desktop terminal, but staff is working from home? How can accounts receivable be reached for call in … Continue reading →

Jan 13, 2016 8:36 am | Christine Speedy

Getting a VeriFone EMV Vx520, FD55, Vx510, Vx570 CAPK expired error message? Visa has extended the EMV key’s expiration date from 12/31/2015 to 2022, and the terminal must be updated. OPTION 1: UPDATE CAPK FILE ONLY via partial download For … Continue reading →

Jan 12, 2016 2:04 pm | Christine Speedy

Ready to improve PCI Compliance with token billing? Step by step instructions for CenPOS card not present token billing including creating, modifying, and using tokens follows. In the virtual terminal admin, Create a new Role* or Modify an existing role … Continue reading →

Jan 11, 2016 12:26 pm | Christine Speedy

Need a 3rd party credit card authorization form template? Don’t count on wikiform.org and other internet resources that scrape the internet for free content and then redistribute it. There’s no guarantee that anything published is accurate, legal, or virus free. … Continue reading →

Calendar Notes
February 5 – out of office, CenPOS training
February 12 – 15 Tampa/ Orlando
February 18 – 24 Atlanta
Contact me for FREE consultation
Monthly: Log in to Paymentech Resource Online: use it or lose it

About Christine Speedy

Global payment solutions; focused on card not present and omnichannel merchants. Is your integrated solution failing to keep up with technology? Send me an integration referral and I’ll send you a cool gift!

Batch processing accounts receivable and donations: caging services solutions

Replacing ICVerify or other legacy software for batch credit card processing? Whether you’re in the cloud, or headed there, methods of payment processing have changed to meet current and future requirements for PCI Compliance and fraud prevention. For service providers, including non-profit mail processing, payment gateway selection impacts efficiency, merchant fees, and even client PCI Compliance burden.

The first way efficiency can be increased is the batch upload process. It’s basically the same for credit card processing and check processing. Here is a comparison of payment gateway methodologies for batch upload service:

CenPOS Batch Processing File Upload

  1. Save file to configurable directory (listening folder)

CenPOS Batch Processing Response File Retrieval

  1. Retrieve one or multiple files from configurable directory (response folder)

Authorize.net, Payeezy (First Data) and similar Batch Processing File Upload

  1. Log in to your Merchant Interface at https://account.authorize.net or other
  2. Click Upload Transactions.
  3. Click Upload New Transaction File.
  4. Click Browse.
  5. Locate from your system the file that you want to upload.
  6. Click Upload File.

Authorize.net, Payeezy (First Data) and similar Batch Processing Response File Retrieval

  1. Log into the Merchant Interface at https://account.authorize.net or other
  2. Click Tools from the main toolbar.
  3. Click Upload Transactions.
  4. Click View Status of Uploaded Transaction Files.
  5. Select the desired uploaded transaction file from the Select Upload File drop-down list.
  6. Click Submit.

CenPOS increases efficiency to upload and retrieve responses, reduces friction with no login required, and also supports multi-merchant login, enabling users to toggle between accounts, creating efficiency for both the service provider and the merchant.

More BATCH UPLOAD differences              Authorize.net    CenPOS
Custom fields (share across channels)      No               Yes
Reporting                                  2 years          Indefinite
Telephone support                          No               Yes, 24/7

Merchant fees are impacted when a transaction does not qualify at the lowest interchange rate possible. For example, business to business companies must submit level III data to qualify for related rates, which are often 90 basis points (0.90%) lower than without. The payment gateway must be certified for level III to each acquirer supported. Only a few payment gateways are level III certified, and even fewer of those offer an acceptable batch upload solution.

PCI Compliance burden is reduced with tokenization, outsourced payment processing, fewer vendors, and reporting. The latter is critically important for forensic audits, as well as financial ones. The average gateway only saves data for two years, and has limited data retrieval capabilities. CenPOS audit reports cover every touch to the platform: who, what, when, and more, with records available for a minimum of 7 years to match IRS requirements, reducing the cost of on-site and remote audits.

To learn more about batch credit card processing, replacing ICVerify, and cloud payment differentiators, Contact Christine Speedy for a free consultation for all your omnichannel global payment needs.

Card Not Present Token Billing Best Practice & CenPOS Training

Ready to improve PCI Compliance with token billing? Step by step instructions for CenPOS card not present token billing including creating, modifying, and using tokens follows.

  1. In the virtual terminal admin, Create a new Role* or Modify an existing role to include token billing permissions, only for what the user is allowed to do. For example, if your employees are allowed to create tokens, but not conduct sales, check Manage Token and Positive Card only.

    Virtual Terminal administration (screenshot: token billing roles): partial list of permission options; token billing related items are checked

  2. Are email receipts available now? If no, send an email request to support via link on the virtual terminal login page. In the subject put: “your CenPOS MID” email receipt request. In the body, include all your contact info, the MID, and what email address you want receipts to come from.
  3. Prepare training worksheet for distribution
  4. Distribute Self-paced training checklist (10 minutes to complete) to all users
  5. Get documentation of all training- who, what, when. It may be useful as part of an overall PCI Compliance (Payment Card Industry Data Security Standards) plan to comply with section 12, Maintain an Information Security Policy.
  6. Assign users to the new roles with return of documentation
  7. If there’s any legacy cardholder data on file, plan its secure destruction

References: Token Billing Training Videos

*See CenPOS Virtual Terminal Manual for details on using Role Templates.

A sample document, created by Christine Speedy,  for training and documentation is available upon request.

Magento B2B Payment Gateway Developer Selection – CenPOS vs Authorize.net vs

Which is the best payment gateway for Magento developers B2B clients?

The answer lies in Magento top user concerns, which are security & PCI Compliance, cost, customer experience and flexibility with other systems including ERP and accounting.

Security and PCI Compliance: PCI should be a non-issue as any payment gateway being suggested for a B2B company should be level 1 PCI Compliant. However, developers can help merchants reduce PCI Compliance burden by partnering with a B2B payment gateway specialist who can recommend payment gateway solutions compatible with all business needs, not just Magento. For example, does the business also send invoices from an ERP? Do salesmen or credit managers get credit card numbers via fax or phone? Magento developers are not experts in payments and cannot be expected to ask the right questions to help solve unrelated compliance problems.

Internal and external fraud protection are critical. At a minimum, the payment gateway must support 3-D Secure, including Verified by Visa and MasterCard SecureCode to shift liability for certain types of fraud from merchant to card issuer.

Payment Gateway Cost: The worst mistake is recommending or selecting a payment gateway based on per transaction cost. The payment gateway plays a critical role in interchange rate qualification, which comprises over 95% of merchant fees. Gateway capabilities, and lack thereof, can literally double the cost of credit card acceptance for B2B. The most important base criterion is that it must support Level 3 processing. There are many nuances to qualifying transactions correctly that most credit card processor salesmen don’t understand, so there’s little expectation a developer would have the global financial expertise to recommend the best choice.

Treasury Management: Where are your customers? Where are your offices? What currency do you want to collect and bill in? Authorize.net has virtually nothing to help manage cross-border sales. CenPOS has a multitude of treasury solutions that can be customized.

For example, a company bills everything from the US, but also has operations in Canada and the European Union. Authorize.net will process every transaction in USD. The company pays cross-border fees on foreign issued cards, which now exceed 1% in some cases, and then pays again to repatriate revenue back to the EU or Canadian operations. CenPOS automatically identifies and processes the transaction in the local issuer currency, avoiding costly cross-border fees and more expensive US interchange rates, and deposits in the regional account. It does this seamlessly with no special developer programming.

Customer Experience: Will the gateway enhance or detract? In most cases, there’s very little difference in the checkout experience, but for B2B, there’s a bigger picture. What if the customer buys via multiple channels? Sharing tokens across multiple channels, including for emailed invoices, may be important. A holistic look at all sales channels and payment methods is essential, but it’s not a good use of a developer’s time, so deferring to a payment expert will yield a better ROI for the developer and a better result for the business.

Flexibility: Payment acceptance types, global availability, omnichannel integrations, flexibility and scalability are all factors in choosing not only the best B2B payment gateway for Magento, but also for the entire organization. For example, if there’s also a retail component, US businesses also need an EMV solution that supports level 3 processing for retail. If the distributor is global, how many countries is the gateway available in?

Back Office Efficiency: If you’ve ever done research in Authorize.net reports, and then in CenPOS, you’ll appreciate the massive difference between download and search vs dynamic drill down within CenPOS online reports. CenPOS reports were designed with input from today’s businesses, not those of over a decade ago. Too many differences to mention here.

There’s a plethora of misinformation across multiple industries ranging from consultants to developers. Defaulting to Authorize.net or Payflow Pro because they’re two of the oldest payment gateways is an injustice to the end user. Payment gateway selection plays a crucial role in business profits, security and efficiency. By partnering with a payments expert, clients are provided the best solution, and Magento developers can grow revenues with specialty implementation and add-on services the expert recommends.

“I have some knowledge of Magento, including as a developer in its early years, but I’m not a Magento expert,” says Christine Speedy, owner of 3D Merchant Services and B2B payment gateway expert. “Likewise, there are great B2B Magento developers that are not payment gateway experts. By partnering, we can offer businesses more appropriate solutions to maximize profits and security, while also mutually benefiting.”

Building Supply Industry Profits Impacted by EMV chip card terminals

EMV terminal selection directly impacts interchange rate qualification, the bulk of credit card processing fees.

November 4, 2015 – EMV, short for Europay, MasterCard, Visa, chip card terminals are in high demand, short supply, and most likely an unwelcome expense. Building material suppliers go to great lengths to negotiate with their payment processors for reduced rates, but this approach only impacts a fraction of costs. There is much bigger value in managing the entire payment process to affect the biggest component of fees – card interchange. The EMV terminal implemented will directly impact interchange rate qualification, and none of the most popular terminals recommended today meet critical lumber and building supply requirements.

Interchange rates are non-negotiable, but they can be influenced. There are hundreds of fees that can be tacked on based on each transaction type. Due to complexities, building material suppliers must have an intelligent solution to manage the payment process and ensure compliance with all the rules.

PURCHASING CARDS

To qualify for the lowest interchange rates, transactions must meet all the rules for the specific card and transaction method. For building material suppliers business to business (B2B), processing level III data for Corporate, Purchasing, and Business cards is critical. Their card use is growing and savings of 90 basis points or more for some cards is an attractive margin difference worth achieving.

Sample interchange rates for the same credit card transaction (chart: MasterCard rates, Level III); failing to follow rules results in costly extra fees.

Countertop terminals like the popular First Data FD Series, Verifone VX series, or Ingenico iCT series, with downloaded programming, cannot support level III. The US EMV ecosystem requires a web-based payment gateway with EMV terminal and level III retail certification. For example, CenPOS has certified the Verifone MX915 to First Data, Chase Paymentech and Tsys, the latter of which enables use with most processors. Merchants can use CenPOS via a web browser virtually instantly or via an integrated application.

EMV COMPLIANCE DATES

While EMV is not a mandate, effective October 1, the party that does not support EMV (short for Europay, MasterCard, Visa) chip card acceptance is liable for counterfeit card, and sometimes lost or stolen card transactions. Because card issuers previously absorbed most of these losses without any notification to the merchant, businesses can expect losses if action is not taken. Additionally, non-EMV compliance fees have already been announced by at least one provider, NPC, starting January 1, 2016.

Christine Speedy, CenPOS global sales and integrated solutions reseller, 954-942-0483. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS’ secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.