Magento Developer Alert: Visa Mandate and Payment Gateways

Posted on October 11, 2017 by Christine Speedy

How can Magento developers help merchants get compliant with the Visa Stored Credential Transaction framework and mandates effective October 14, 2017?

Drive your profits while helping clients keep compliant with fast changing credit card processing rules.

Step by step guide:

How will clients manage consent record requirements? See Improving Authorization Management for Transactions with Stored Credentials https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf . Will gateway provide a checkbox for consent records and ability to retrieve records on demand? (I called authorize.net on October 2 and they advised they will not offer this service, and will leave up to merchants.) Will you develop a custom application to include opt-in date, time and other requirements, plus storage and retrieval capability? Will you advise merchants to choose a technology solution, including payment gateway, that will manage automatically? CenPOS, a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement will provide an automated solution for clients. Contact me for the plugin.

Update terms and conditions. Ensure online order terms include sale, refund and cancellation policies. Add a checkbox for customer opt-in to terms, including online payments. CenPOS has an opt-in box and you can customize the text.

Verify if there’s a system to manage authorization validity. What the heck does that mean? Many businesses, especially B2B companies, have complex needs including pre-authorizations, incremental authorizations, delayed shipping etc. While merchants may get issuer approvals, that doesn’t mean the authorization is valid. The two most common rules businesses struggle with are “Settlement within 72 hours” for card not present sales, and “Authorization amount and settlement amount must be equal”. (I asked authorize.net support about both items on October 2 and was told they do not offer automated solution.) CenPOS automates compliance. Other payment gateways are incapable or may leave it up to developers to create a solution. How can a developer verify if merchant has an issue? Ask clients to look at their merchant statement ‘pending interchange fees. If you see EIRF or STD, that’s a red flag there’s a problem.

Create a hosted pay page. B2B Businesses almost always have more than one sales channel and use of paper credit card authorization forms is common. They need help to eliminate. You already have the SSL certificate, so it’s a natural add on to provide clients a secure web page with an iframe a solution to collect payments. With CenPOS, end customers can use the same stored credential in Magento and the pay page, both credit card and ACH. Prevent brute force attacks. System hardening is a PCI compliance requirement. See Visa best practices to prevent brute force attacks. https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html. CenPOS includes recaptcha and client managed velocity and other rules as part of a layered security approach.

Payment Gateway checklist:

Verify payment gateway will send correct transaction data and flags for the initial transaction and subsequent transactions.
Advise clients to set gateway for zero dollar authorization when storing a new card.
Ensure client is registered for 3-D Secure and it’s enabled.
Confirm if gateway will automatically flag a transaction as customer initiated stored credential or merchant initiated stored credential (automated recurring billing). Additionally, the merchant initiated transaction must be sent with the MOTO indicator, not ecommerce.
Does gateway support level 3 data?

CenPOS manages all compliance and other items seamlessly in the background.

Communicate with clients. Advise any upcoming changes will increase efficiency and security for everyone. Advise clients to learn more about CenPOS payment gateway – call Christine Speedy, 954-815-6040.

Why comply? With full compliance and following my recommendations, merchants can expect better qualified interchange rates, increased approvals (avoid declines based on issuer risk averse algorithms), reduced PCI Compliance burden, fraud liability shift to issuer and increased efficiency for both buyer and seller. The cost of non-compliance is hefty, including higher interchange rates, penalty fees, and risk of both issuer and cardholder chargebacks.

The same transaction can process at different rates as shown above, depending on which rules you follow. CenPOS Smart Rate Selector automates compliance to qualify transactions at the lowest rate possible. Which rates are on your merchant statement now?

Magento developer billing: Developers also need to comply with recurring billing requirements for your sales. What’s worked before is not compliant- everyone needs to change.

Resources and documentation /blog/merchant-bulletins-downloads – bookmark it!. Join Christine Speedy’s email list.

DISCLAIMER: condensed and incomplete information! Information may be quickly outdated.

With the fast pace of changing rules, developers need a technology partner to automate compliance. Did you know?

For those not ready to give up paper, CenPOS creates a printable PCI Compliant credit card authorization form for every stored card.
CenPOS has ERP, ecommerce shopping cart, accounting and other plug-in modules available for quick and easy implementation.
I’ve been selling for CenPOS since day 1. Though I have other payment gateways available in my arsenal, nothing else compares for meeting business to business needs.

Christine Speedy, CenPOS authorized reseller, 954-942-0483 is based out of South Florida and NY. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

American Express SafeKey Video and B2B tips

Posted on June 6, 2017 by Christine Speedy

American Express SafeKey® leverages the global industry standard, 3-D Secure®*, to detect and reduce online fraud by adding an extra layer of security when Card Members shop online. Merchant and customer experience answers in this article.

American Express SafeKey

How does Amex SafeKey impact the customer shopping experience? The cardholder may have some or no difference in the checkout experience, based on many factors, including prior online shopping history. The cardholder may be asked authentication question(s) to confirm it’s really the cardholder.

How does Amex SafeKey impact merchants?

Fraud liability for “It wasn’t me, I didn’t authorize it” goes away as liability shifts back to the issuer.
For business to business, where cardholder billing and shipping address frequently vary, cardholder authentication plays an important role not available with four digit CID security code validation only.
At this writing, American Express merchants do not receive a specific interchange discount as may be available with other card brands.

How can merchants adopt the Amex SafeKey service?

Enroll your company on the American Express web site. https://network.americanexpress.com/globalnetwork/safekey/us/en/merchants-acquirers
Receive e-mail from SafeKey Certification Team with your SafeKey ID and next steps.
SafeKey Certification Team gets approval from Acquirer.
Acquirer and SafeKey Certification Team complete required setup.
Activate 3-D Secure on the application. (Ecommerce shopping cart, payment gateway, or ERP.) Both payment gateway and application must support the service.

* 3-D Secure is a registered trademark of Visa International Service Association in the United States and other countries.

Have a question about how to add to your business? Contact CenPOS global sales and integrations reseller, Christine Speedy, 954-942-0483 for more information.

MAGENTO VULNERABILITIES IMPACT PCI COMPLIANCE

Posted on September 26, 2016 by Christine Speedy

Magento, a popular e-commerce platform, released multiple security patches this year, several addressing critical and high credit card data breach vulnerabilities. Merchants that haven’t deployed security patches, as required by PCI standards, are vulnerable to remote exploits that can compromise customer account and credit card data.

One cross-site scripting (XSS) flaw potentially allows an attacker to add malicious JavaScript code to a comment via the PayFlow Pro payment module. The JavaScript code is executed server-side when the targeted site’s administrator views the attacker’s order.

PCI Compliance Requirement 6: Develop and maintain secure systems and applications. All critical systems must have the most recently released software patches to prevent exploitation. The average merchant relies upon third party developers for web site maintenance, but unless specifically contracted to update the e-commerce software and add-on modules, don’t count on it.

Only 16.4% of organizations that had suffered a data breach were compliant with Requirement 6, compared to an average of 64% of organizations assessed by our QSAs in 2014- Verizon 2015 PCI Compliance Report.

Payment gateway implementation requirements have changed over time as a result of cross-site scripting and cross-site request forgery (CSRF) to meet current PCI Compliance standards. Merchants should verify all components of their ecommerce ecosystem are current, and have a system for ongoing monitoring and updating.

RESOURCES

Magento Security Center
VISA MAGENTO SECURITY ALERT, July 2016
Christine Speedy, 3D Merchant Services, offers Magento payment gateway module for merchants to improve their omnichannel customer experience and mitigate risk. B2B customer benefits include friction-less payments across all sales channels; text and email Express Checkout, customer invoice portal for 24/7 ACH, credit card, wire and more payment types, and US EMV with level 3 processing. Magento and ERP modules combine to provide a powerful array of solutions to improve cash flow and profits while maximizing security. 954-942-0483.

Visa revises Merchant Location rules effective October 15, 2016

Posted on September 26, 2016 by Christine Speedy

Visa rules for how merchants must identify their name, type of business, and location are changing to keep up with the growing number of ways merchants interact and conduct transactions with their customers. Visa cites these rules are necessary to help prevent unnecessary cardholder disputes and reduce additional risk to the Visa system. Conversely, failure to comply with the rules could increase merchant risk to lose customer disputes.

“If you are an eCommerce merchant, your website must contain the merchant location on either the checkout screen used to present the final transaction amount or within the sequence of web pages that the cardholder accesses during the checkout process. It must not be a link to a separate page.” Visa Bulletin VBS 02.AUG.16

What is the proper location? It must be the country of your principal place of
business, where your executive officers direct, control, and coordinate your activities — generally, your company’s headquarters. I’d venture that 99% of ecommerce site are not compliant with this rule today, including Amazon.

For complete details, download PDF Official Bulletin by Visa Providing the Proper Location
of Your Merchant Business

Payment Account Reference (PAR) Impact On Recurring Billing

Posted on July 28, 2016 by Christine Speedy

Payment Account Reference (PAR) will become a major force in changing in how recurring billing transactions are processed, and risks that merchants will bear. Swiped, key-entered, and e-commerce transactions are all impacted because merchants will need to tie subsequent token transactions to the original transaction that customer authorized. This raises questions as to what technology will be able to support it, and how quickly will companies be able to adopt it?

EMVco updated their EMV Payment Tokenization Specification Technical Framework earlier this year to include a new field for PAR. This field must transcend throughout the payment ecosystem to acquirers, issuers, and merchants by updating all those systems to support it. That means changes to payment terminals, gateways, processing systems, and potentially ERP and other integrated solutions. With the framework in place, the rest of the ecosystem can begin updating systems to take advantage of the benefits.

PAR enables the payment acceptance community to link a cardholder’s payment token with their PAN transactions without needing to use their underlying card account number.

Merchant Liability

Official announcement is not yet available, however, following the logic of similar security updates, the merchant would risk chargeback on any transaction that does not include the PAR value. The issuer or the acquirer could potentially initiate on the premise there’s no proof customer approved, and therefore there’s fraud liability risk. To reduce their risk, the merchant could be held liable. That means 3 months into a service, all prior transactions could be ACH’d right out of merchant bank account, plus there’d be chargeback fees for each transaction. Additionally, with multiple chargebacks with a single cardholder it’s foreseeable merchants could end up in oversight pool for excessive chargebacks.

Timeline for Compliance

Official announcement is not yet available, however, technical framework specifications for developers were released about 6 months ago. Changes impacting processing fees etc. are typically effective October and April of each year.

Why PAR now?

PAR enables the industry to move away from dependence on the PAN as the primary linkage between various payment processing and value-added services, for example, loyalty programs. As EMV grows increasing card present security, fraud tends to move online; PAR is intended to reduce card not present fraud, increase security, and create a consistent global framework for all participants.

Current Recurring Billing Compliance

Today, when a merchant processes a transaction for a card the customer has authorized to keep on file, the ‘recurring‘ transaction type indicator is required to be sent with each authorization request. A payment gateway is a required, since physical terminals are unable to meet requirements. For example, a retail store sends a SALE transaction type, while a company offering SaaS sends Recurring Payment indicator in authorization messages. Business to business merchants run into compliance, and risk of chargeback losses, when a customer agrees authorizes keep card on file, and they key enter the card number. As far as the issuer and acquirer are concerned, it’s a retail sale, and all the rules of acceptance, risk, and interchange rate qualification apply.

Some companies use paper credit card authorization forms, and they key enter into a retail terminal or virtual terminal each and every time; those transactions are NOT sent correctly with RECURRING indicator.

Future Recurring Billing Compliance

Tokens replace sensitive card data and are then used to perform future variable, fixed, or installment recurring billing. PAR cannot be used to initiate payment transactions nor reverse engineered to obtain PAN data. When a token is created, a PAR value will also be created. The PAR must be supplied with all future authorization requests.

Merchants using ‘dumb terminals’, i.e. terminals that are not payment gateway driven, are incapable of supporting such a service. For omnichannel merchants, partnering with a progressive technology company that meets all current and future payment needs is going to be essential to comply with PAR and more payment changes likely to come.

“If your current provider was late to market with EMV, if they don’t support 3D Secure, if they can’t provide one payment gateway for all sales channels, it’s probably time to start looking for another payment technology partner,” Christine Speedy, Global Reseller for CenPOS, a merchant-centric, enterprise payment solutions company.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Card Not Present, CenPOS, credit card processing

B2B Cloud payment processing technology blog about increasing profits, efficiency and security.

Category Archives: ecommerce