VP2PE and Payment Card Industry Acronyms Revealed

What does it mean to be HIPAA, PCI Level 1, VP2PE, and QIR compliant in the world of credit card processing? Learn the lingo and know what certifications to verify when choosing a payment gateway or any solution that touches payments.

PCI DSS

If you accept credit cards, you must comply with Payment Card Industry Data Security Standards. There’s no exception. Anyone who advises that a solution means you don’t have any responsibility is dead wrong. The mission of the PCI Security Standards Council (PCI SSC) is to enhance payment account data security by fostering broad adoption of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. The council sets the standards; the card brands levy penalties and fines for non-compliance.

PCI Level 1 Service Provider

If a third-party entity provides services for, or on behalf of, a Merchant, and those services control or could impact the security of cardholder data or of transactions that are processed, that entity is a PCI Service Provider for the Merchant and falls within the Merchant’s scope of PCI DSS compliance. For example, if you accept payments online, the payment gateway is a PCI Service Provider. Or if you use a lockbox company, they must be certified. PCI Level 1 is the most common PCI Compliance certification for a service provider. You can verify whether a service provider is compliant with Visa here: https://www.visa.com/splisting/searchGrsp.do. If the company you’re doing business with is not on the list, ask questions.

PA DSS

If a software application controls or could impact the security of cardholder data or of transactions that are processed, then for PCI compliance merchants must only use applications that are certified to the Payment Application Data Security Standards (PA DSS). Examples include a lockbox company that processes transactions or a retail point of sale system. If payments are segregated from the application, then PA DSS does not apply. In my experience, this is a weak area for merchants because not all application providers understand their requirements; some will do the standard PCI scan and say they’re PCI Compliant, but in reality, they’re using a homegrown application to process transactions which they have not certified.

HIPAA

There is no Health Insurance Portability and Accountability Act (HIPAA) certification for service providers, and it does not fall under the purview of the PCI Council. However, a PCI Service Provider may choose to engage a third-party auditor to attest compliance in order to better serve merchants in industries that require HIPAA compliance.

QIR

Organizations qualified by PCI SSC as Qualified Integrator and Reseller Companies (QIR Companies) are authorized to implement, configure, and/or support validated PA-DSS Payment Applications on behalf of merchants or service providers for purposes of performing Qualified Installations as part of the QIR Program. Level 4 merchants were a big portion of data breaches, so as of January 2017 they’re mandated to only use QIR-certified individuals for their implementations and maintenance. Level 4 merchants are those with fewer than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually. QIR applies to individuals; a company may have multiple people certified.

P2PE

Point-to-point encryption (P2PE) is a standard established by the PCI Security Standards Council. The objective of P2PE is to provide a payment security solution that instantaneously converts confidential payment card (credit and debit card) data and information into indecipherable code at the time the card is swiped to prevent hacking and fraud. It is designed to maximize the security of payment card transactions in an increasingly complex regulatory environment.

VP2PE

VP2PE is not an official acronym of the PCI Council for Validated P2PE, but it is descriptive. The P2PE Standard defines the requirements that a “solution” must meet in order to be accepted as a PCI validated P2PE solution. A “solution” is a complete set of hardware, software, gateway, decryption, device handling, etc. Validated solutions are listed on the PCI Council web site. They reduce PCI compliance scope and burden for merchants. For example, about 35 questions vs 359, and 4 sections instead of 12.

Today there are only 42 companies with 49 validated solutions in the entire world. Some of the solutions are only valid with a particular acquirer. For merchants seeking an agnostic VP2PE solution, the list gets very small.

CenPOS

CenPOS, a payment technology provider, has a Health Insurance Portability and Accountability Act (HIPAA) attestation from a third-party external auditor across a broad range of payment solutions offered by the company. CenPOS is listed as a registered Level 1 Service Provider on the Visa web site, and is listed in the VP2PE solutions and QIR sections of the PCI Council web site. The CenPOS Validated P2PE solution is compatible with many acquirers. You can also find me, Christine Speedy, under QIR certifications when searching by name. (CenPOS is not a software application, so it is not listed as PA DSS.)

Christine Speedy, CenPOS Sales 954-942-0483, 9-5 ET is based out of South Florida and NY. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships. When you call Christine, there is no middle man; all agreements are direct with CenPOS. As one of the very first to sell for CenPOS, I have deep experience to help merchants understand benefits and get live fast.

A B2B supplier’s guide to optimizing commercial card payments review

Mastercard and The Strawhecker Group released A B2B supplier’s guide to optimizing commercial card payments, by Marie Elizabeth Aloisi and Peter Michaud. Selecting the right merchant acquirer and payment gateway, and optimizing interchange, can help reduce suppliers’ collection efforts and costs associated with commercial card payments. Christine Speedy, blog author, reviews the guide. In my opinion, some elements present an incomplete picture for merchants, especially the business suppliers accepting commercial payments that are the target of the paper.

The executive summary cites research that suppliers can reduce the cost of collecting funds from customers by 31% if they accept credit cards. I googled to find that commercial credit card research data, and though this is not the referenced Mastercard and Kaiser Associates, Commercial Card Acceptance Cost-Benefit Study, of November 2016, it has similar data:

  • This study estimated card acceptance at the point-of-sale to be 37% less costly than using other payment collections methods – yielding savings of $12 on a $500 transaction
  • Card acceptance provides a similar sized net benefit regardless of the funds transfer tool it replaces – e.g. check vs. ACH vs. wire
  • The bulk of value from commercial card acceptance lies in its use as a pre-payment tool – providing revenue assurance against bad debts

I have a problem with the next line in the report, “That’s because getting paid by check—or even ACH or wire—involves many manual steps, onerous costs, and potential errors that are a burden to a supplier’s accounting, finance, and treasury functions.” Checks are still the most onerous even with a scanner, but with electronic bill presentment and payment, any other payment method can be automated for increased efficiency. Our cloud payment processing solutions, including those integrated with ERP, automate all types of payment processing, including check/ACH, wire, and credit card, and can update journals etc.

The paper goes on to explain why working with your acquirer is critical. While it mentions suppliers can benefit from advanced gateways, most acquirers offer a limited number of payment gateways to merchants. In fact, they may offer suppliers only one solution – their own – and it may not be the best for the supplier; it’s just the only one they offer. Independent payment gateways, like CenPOS that I offer, can provide significant advantages to maximize profits, efficiency and flexibility. For example, fulfilling the need to simplify wire transactions and match to invoices.

The three best practices cited to work with acquirers are to automate payments, optimize interchange and negotiate pricing. 

The devil is in the details not cited. For example, “suppliers can only take advantage of lower interchange rates if the payment gateway is set up to pass Data Rate 3 information along with the transaction.” This is true. But the bigger problem is compliance with all the other rules required to qualify the transaction for Data Rate 3. For example, suppliers often do a preauthorization, which expires before settlement (but can still settle) or is not the same as the final settlement amount. These common transaction types will nullify qualifying for the best interchange rates, including MasterCard Data Rate 3. There are many more rules that make it tough to qualify, and if the payment gateway does not automatically manage them for suppliers, passing Data Rate 3 info doesn’t matter. The reality is most payment gateways do not have a solution to help suppliers comply.

Again, if the acquirer doesn’t have the best solution, should suppliers rely on their advice? A supplier client of mine went to their acquirer (top 5 in USA) and told them what I was offering. They would keep their acquirer but switch to my payment gateway; they’d use our electronic bill presentment and payment solution to eliminate paper credit card authorization forms and employees getting cardholder data over the phone. Customers would self-manage their payment methods, including storing & tokenizing if they chose to. Their acquirer did not want them to use any solution other than their own. They offered them a substantially worse solution, the silliest I’ve ever heard. The acquirer would give them a new merchant account with a virtual terminal exclusively for one large client that they knew was using a commercial card. What about all the other clients? What about eliminating employee access to cardholder data and storing data on paper? Advising to use substandard solutions happens all the time.

In summary, Mastercard and The Strawhecker Group put out some great research data for suppliers. I’m a huge fan of the people at The Strawhecker Group and their work. Suppliers should look to cloud payment processing solution providers like myself at CenPOS for advice. Suppliers need the best payment gateway because without it, the rest doesn’t matter. Combining a robust payment gateway, business solutions, and the flexibility to change acquirers without business disruption can provide significant advantages.

All comments and statements herein are strictly my personal opinion and do not represent that of any company.

Christine Speedy, CenPOS sales 954-942-0483. CenPOS is a cloud business solutions provider with end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement.

CenPOS Hosted Pay Page vs EBPP

I’m advising my CenPOS clients with card-not-present transactions to use either the hosted pay page or Electronic Bill Presentment and Payment (EBPP), also known as electronic invoice presentment and payment (EIPP), due to increasingly complex rules. Plus, cardholders are wary about giving out card data over the phone, and paper or digital credit card authorization forms should be abolished. Reducing friction to collect payments, while putting cardholders in control of their data, is proven to increase sales, profits and cash flow, so updating procedures is a win-win for you and your customers.

What is a hosted pay page?

A hosted pay page enables customers to passively pay bills online via a secure web page hosted on a CenPOS server. The form can be embedded on your web site secured with an SSL certificate, or you can direct customers to your custom CenPOS URL. The most common payment types CenPOS users enable are credit cards, PayPal, and ACH (echeck).

  • The burden for completing data fields to make a payment is on your customer.
  • Customers can optionally create an account and store and manage all payment methods.
  • Depending on your customer agreement, either you or the customer can use a stored token on file to initiate future transactions.
  • Customers can view prior payment history, but not actual invoices.

What is EBPP?

With EBPP, the payment request is delivered to the customer via email or text. The message includes a custom link to pay a specific bill or invoice, and some of the fields are pre-filled. Customers prefer EBPP over the hosted pay page. The most common payment types CenPOS users enable are credit cards, PayPal, ACH (echeck) and wire transfer. The last is very important for international businesses to streamline bank reconciliation and match deposits to invoices.

  • Data fields, including invoice number and amount, are pre-filled to save your customer time.
  • Customers can optionally create an account to store card data, pay multiple invoices, and review payment and invoice history in the CenPOS hosted portal.
  • Depending on your agreement with your customer, either you or the customer can use a stored token on file to initiate future transactions.
  • With a CenPOS ERP or accounting software integration, your records are automatically updated with payments, and reminders are automatically delivered.
  • Optional 2-way texting service has many benefits, including communicating with customers via their preferred methods, whether phone, text or email.

What are the benefits of customer initiated payments with hosted pay page or EBPP?

  • Increased efficiency to comply with new stored credential rules.
  • Reduced merchant fees for some cards (3-D Secure cardholder authentication must be enabled.)
  • Increased approvals with cardholder authentication.
  • Mitigate chargeback risk – with cardholder authentication, fraud liability shifts to the issuer.

In summary, either method of online payments increases security and enables customers to pay 24/7 to increase cash flow. EBPP solutions have significant additional benefits and the cost to implement is virtually nil, with many businesses experiencing an instant ROI.

Christine Speedy, CenPOS authorized reseller, 954-942-0483. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

QuickBooks Payment Link on Statements

Is it possible to have the payment link on statements as it is on invoices emailed to customer?

Yes, businesses using a desktop or self-hosted version of QuickBooks Enterprise and other versions can use the custom text field in the template setup to create a link. Customers click from the statement to a self-service portal to pay all invoices. This is not available with Intuit Merchant Services, but is supported with our third-party module. The link from the invoice is to pay the specific invoice, no login required.

Are you tired of following up on late or past due receivables? Does it take weeks and months to get paid? Do your customers ‘lose invoices’? Do you want to qualify for low level III interchange rates for purchasing cards? Boost cash flow, efficiency and profits virtually overnight with the best alternative to Intuit merchant services for QuickBooks. Compatible with QuickBooks 2015 and 2016 Pro, Plus, Enterprise versions. (Not QuickBooks Online.)

Adding a Pay Now Button Link To QuickBooks Statements

  1. Non-Intuit merchant account required to accept credit cards. Christine Speedy will help you with a wholesale account if you don’t already have one.
  2. Sign up for a CenPOS account with Christine Speedy.
  3. Install the supplied module.

Benefits

  • Send invoices the way your customers want: text or email
  • Automated reminder collections built-in
  • QuickBooks updated automatically when customers pay
  • ACH, wire, and PayPal also supported
  • 3-D Secure supported to shift card-not-present fraud liability to the issuer
  • For retail, full cashiering supported for 100% financial transparency.
  • EMV chip and pin, chip and signature supported
  • Smart rate selector reduces merchant fees

It’s quick and easy to get started with our QuickBooks credit card processing module so employees can get right to work without disruption.

Note: This article was accurate at the time written. Solutions are continually updated. Contact us for the latest facts.

ICVERIFY Alternatives 2017

ICVerify Software is still in use in 2017, even though it was end of life back in 2015. Alternatives are abundant, but none are comparable to CenPOS for meeting the needs of business to business (B2B) companies.

What does ICVERIFY Software end of life mean?

First Data sales, product development and support have ended. Continued use of the product will invalidate a merchant’s PCI Compliance.

What happens if my ICVERIFY Software stops working?

You will get zero support. If you cannot open it due to a malfunction, you’ll have no access to records. If your acquirer shuts down your ability to send transaction data, and this is happening frequently because it’s not PCI Compliant, they will not turn it back on. If your acquirer finds out you’re using ICVerify in 2017, you will get shut down. It’s imperative to migrate to a new solution as soon as possible.

What are alternative solutions to ICVERIFY?

A cloud payment gateway is required. There’s no software to install. You can use a payment gateway via integrated or non-integrated options, which include mobile app and virtual terminal via secure web site. ICVERIFY was a buy once and use forever product. Payment gateways have transaction fees. Many businesses make the mistake of using the one with the cheapest fee or the one that their developer or consultant is familiar with because they’ve used it for a decade or more. Are you using the same cell phone you did 10 years ago? The cheapest fee could result in the highest actual cost or inefficiency. For example, most gateways do nothing to help merchants reauthorize after an authorization expires. That matters because even though the issuer may approve the transaction, it won’t qualify for the best rate, which could be half the cost of the non-qualified rate.

What is the best alternative payment gateway to ICVERIFY for a B2B company?

I’m not going to waste your time listing all the cloud payment gateways on the planet like First Data Payeezy, authorize.net, Payflow Pro, Paytrace, Cybersource, Orbital, 3Delta Systems, or 3DSI and their differences. Each has bits and pieces but none has the whole package of solutions B2B companies need. CenPOS is the only solution I know of today that will get merchants compliant with all these critical items:

  1. Comply with the 2017 Visa stored credential framework and mandates. It’s complicated. CenPOS automates compliance with things like sending the flag for merchant-initiated or customer-initiated use of a stored credential.
  2. Eliminate paper credit card authorization forms with multiple digital ways to accept payments and store cards, including text and email. Sure, some gateways offer a hosted pay page, but can they generate a PCI Compliant authorization form automatically for those that still like paper?
  3. Automate authorization management, including the requirement that preauthorization and settlement match, and renew expired authorizations for card-not-present transactions.
  4. Automate compliance to qualify transactions properly for level 3 interchange rates for corporate, purchasing and business cards. Supporting level 3 is not enough; it’s complicated.
  5. Mitigate fraud risk with a layered approach, including supporting 3-D Secure, which shifts fraud liability to the issuer.
  6. Encrypted Virtual Keypad (EVK) to reduce PCI Compliance scope and burden. (No card data touches your system for phone orders; avoid key logger dangers.)
  7. Audit trail as required for PCI. Every user, every touch. Available minimum 7 years.

What else makes CenPOS the best alternative payment gateway to ICVERIFY for a B2B company?

  • Graphically pleasing, easy to use. It’s like marrying the coolness of Apple design with an Amazon buying experience. People love it. Customers are happier (proven by our clients conducting their own studies).
  • Wire transaction support with electronic bill presentment and payment services. Stop the madness associated with matching deposits to invoices and getting paid the wrong amount.
  • Reports. Dynamic search and view online or download; robust custom reports, alerts and distribution. So much faster to research anything!
  • No capital investment. We make companies more profitable virtually overnight.
  • Deposits equal receivables, not net of fees. Other services are mixed. For example, authorize.net echeck service takes its fees out of your deposit, so then you have to do some accounting magic to reconcile.

Will I be able to port over my existing data?

Yes. Per PCI Compliance rules, merchants need to securely remove sensitive cardholder data from all systems. Qualified Security Assessor (QSA) companies are independent security organizations that have been qualified by the PCI Security Standards Council to validate an entity’s adherence to PCI DSS. You can find one here: https://www.pcisecuritystandards.org/assessors_and_solutions/qualified_security_assessors.

Ready to get started with CenPOS? Contact Christine Speedy right now at 954-942-0483.
