SaaS Startups: Credit Card Customer Onboarding 2017

Critical rule changes for credit card processing, especially recurring billing, will impact business profits and chargeback risk effective October 2017. Simply copying what other big SaaS businesses are doing successfully is not good enough. Everyone needs to make opt-in updates to comply, and EMV chip card acceptance is a good example of how even big companies can take months or years to change.


Critical SaaS recurring billing credit card processing rules past, present and future:

    • To validate a card and create a token for future purchases, perform a Zero Dollar Authorization. There’s a procedure, including using the recurring indicator, and a transaction fee for this. If the solution you’re looking at suggests a $1 authorization, that’s because the payment gateway and/or the implementation are out of date and don’t support current requirements. Run!
    • The sales receipt must include the phrase “recurring transaction”, the frequency of the charges, and the period of time agreed to.
    • Cardholder opt-in record. Rules may vary by each card brand; following Visa requirements is a good practice. For example, read Visa Stored Credential Transaction Mandates and also Visa Core Rules. One of the new requirements is specifying how the Cardholder will be notified of any changes to the agreement. The significance of new mandates is huge, and non-compliance will result in higher fees, penalties, reduced sale approvals and chargebacks.

Payment gateway selection directly impacts profits, risk, and your customer buying experience. Lots of developers integrate one or two of the oldest payment gateways because they’re “reliable” and familiar. True, but this could cost your company its path to profitability and even its existence. Any WordPress developer knows that technology, and the implementation of technology, changes. It’s constant. Before selecting a payment gateway for a SaaS startup, ask these questions:

  • How will it help with new Visa Stored Credential Mandates?
  • Does it support 3-D Secure cardholder authentication?
  • How will it help with account updating for expiration and replacement cards?
  • What type of digital record is created at the time of customer opt-in to agreement, how is it retrieved, and how long is it retained?
  • Does it support authorization reversals?
  • Does it support level 3 processing for commercial cards (if applicable to business type)?
  • If I change banks or payment processors, how will it affect my customers? My business?

TIP: Most payment gateways are reliable; level 3 processing and 3-D Secure support are starting points to reduce the list of options. Need help to get compliant? Contact Christine Speedy to learn more about solutions for your business that are quick and easy to adopt, increasing efficiency and growing profits virtually overnight.

Hotel credit card authorization form 2017 change

The hotel and lodging industry must update best practices due to 2016 and 2017 changes in Visa and MasterCard rules. Cardholder authentication and multiple authorization indicators are two key components of change. Hotels that comply will maximize profits and security. Noncompliance will result in higher credit card acceptance fees due to penalties, increased declines, reduced profits, and new chargeback risk.

For those still using paper credit card authorization forms, few are in compliance with Visa Core Rules 5.4.2.5 Prohibition against Requiring Cardholder or Account Data – US Region.

“A US Merchant or its agent must not: Request the Card Verification Value 2 data on any paper Order Form.”

Authorization validity is front and center to the 2017 rules changes. Merchants used to get an authorization, and settle it later at checkout. Now merchants must send the correct transaction types and link them all together with a unique identifier:

  1. The ESTIMATE (Visa) or UNDEFINED (MasterCard) indicator is sent when the final settlement amount is unknown. The customer must be informed that it is an estimate as well.
  2. INCREMENTAL authorization is obtained when the original authorization expires or to increase the amount on hold.
  3. Final Authorization says this is the final transaction.

TIP: Merchants need 3-D Secure (Verified by Visa, MasterCard SecureCode), a global cardholder authentication standard for card absent transactions, to maximize profits and compliance for card not present transactions, which is only available with customer initiated transactions: hosted pay page, digital payment request, online booking. Paper forms don’t create a digital record tied to the credit card, and cardholder authentication is not possible, as defined by the card brands. It’s also not possible to comply with the rule by key entering data into any desktop terminal.

The unique transaction identifier can be a point of breakdown in the process. For example, the events manager obtains a paper credit card authorization form. The first charge is a deposit; the second charge is at the end of the event; a third charge occurs after assessing damages to a room. In each case, the amount is key entered into the payment processing terminal. Since there is no transaction identifier tying them all together, the authorizations are invalid and the ISSUER is within their rights to chargeback for invalid authorization, for example Visa reason code 72.
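The breakdown described above can be caught before settlement by auditing the authorization records. The following is an added example, not code from any gateway or card brand; the record fields (`indicator`, `link_id`, `amount`) and the sample data are constructed, and the "no follow-up after FINAL" check is an assumption drawn from the list above.

```python
# Indicator names come from the list above; record fields are hypothetical.
INITIAL = {"ESTIMATE", "UNDEFINED"}      # Visa / MasterCard initial indicator
FOLLOW_UP = {"INCREMENTAL", "FINAL"}


def unlinked_authorizations(auths):
    """Return (index, reason) for every authorization that cannot be tied to
    an initial estimate through a shared transaction identifier."""
    problems = []
    open_chains, closed_chains = set(), set()
    for i, auth in enumerate(auths):
        link, kind = auth.get("link_id"), auth.get("indicator")
        if not link:
            # Key-entered charges from a paper form end up here.
            problems.append((i, "no transaction identifier"))
        elif kind in INITIAL:
            open_chains.add(link)
        elif kind in FOLLOW_UP:
            if link in closed_chains:
                problems.append((i, "chain already finalized"))
            elif link not in open_chains:
                problems.append((i, "identifier matches no initial authorization"))
            elif kind == "FINAL":
                open_chains.discard(link)
                closed_chains.add(link)
        else:
            problems.append((i, "unknown indicator"))
    return problems


# Constructed sample: the event from the text, key entered three times.
KEYED_EVENT = [
    {"indicator": None, "link_id": None, "amount": 500},   # deposit
    {"indicator": None, "link_id": None, "amount": 2200},  # end of event
    {"indicator": None, "link_id": None, "amount": 150},   # room damages
]
# Constructed sample: a stay processed with linked indicators.
LINKED_STAY = [
    {"indicator": "ESTIMATE", "link_id": "stay-1001", "amount": 400},
    {"indicator": "INCREMENTAL", "link_id": "stay-1001", "amount": 120},
    {"indicator": "FINAL", "link_id": "stay-1001", "amount": 520},
]

if __name__ == "__main__":
    print(unlinked_authorizations(KEYED_EVENT))
    print(unlinked_authorizations(LINKED_STAY))
```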

There are so many nuances to the rules, and changes needed in the payments ecosystem, that hotels should not assume existing partners have completed the required updates to comply. Technology that can automatically manage the authorization and settlement process (not the old way, but with all the new rules changes) requires a sophisticated payment gateway. Like EMV, there will be vendors that struggle to adapt.

For compliant solutions that can be used standalone or integrated, improving your customer experience, contact Christine Speedy, 954-942-0483.

Reference materials:

  • MasterCard® Pre & Final Authorization Mandate by CyberSource, December 2016.
  • Visa Core Rules October 2016.
  • MasterCard Revises Standards for Processing Authorizations and Preauthorizations by Vantiv December 2016.
  • MasterCard Transaction Processing Rules, November 2016.

See merchant bulletins – downloads for links to many resources.

What is Auth Code 51, declined?

A credit card processing response of Auth Code 51 is a decline for insufficient funds: the credit limit has been exceeded. What happens when the customer says, “there’s nothing wrong with my Visa card, put it through again”? If put through again without a voice authorization, the merchant is at risk for chargeback of funds for invalid authorization.

Visa Product and Service Rules, 8.4.1.3 Original Credit Transactions – Prohibition against Clearing a Declined Transaction

An Originating Member must not send an Original Credit Clearing Transaction if it received a Decline Response to the corresponding Authorization Request.

Further information at page PSR-564, 11.1.16 Chargeback Reason Code 71 – Declined Authorization. NEW. Effective for Transactions completed on or after 15 April 2016:

A Transaction for which Authorization was obtained after a Decline Response was received for the same purchase. This does not include an Authorization Request that received a Pickup Response 04, 07, 41, or 43 or was submitted more than 12 hours after the submission of the first Authorization Request.

This period is known as the black hole or dark period. For the first 12 hours after a decline, merchants should not attempt to process the same retail transaction. The reality is a consumer could simply walk away and go back to another cashier and try again. Some cloud based payment gateways will enable merchants to choose to prohibit multiple attempts in the black hole period.
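One way a gateway or point-of-sale layer could enforce the 12-hour period is sketched below. This is an added example, not any gateway's actual logic: the purchase key (card token plus order id), the approval code "00" and the sample attempts are constructed, any non-approval is treated as a decline, and the Pickup Response carve-out quoted above is not modelled.

```python
from datetime import datetime, timedelta

RETRY_BLOCK = timedelta(hours=12)  # window quoted in the rule text above
APPROVED = "00"                    # constructed approval code for this example


class DeclineRetryGuard:
    """Blocks re-attempts of a declined purchase until more than 12 hours
    have passed since the first authorization request for that purchase."""

    def __init__(self):
        # purchase key -> (time of first auth request, decline seen?)
        self._first = {}

    def may_submit(self, purchase_key, now):
        entry = self._first.get(purchase_key)
        if entry is None:
            return True
        first_time, declined = entry
        return (not declined) or (now - first_time > RETRY_BLOCK)

    def record_response(self, purchase_key, submitted_at, response_code):
        first_time, declined = self._first.get(purchase_key, (submitted_at, False))
        if submitted_at - first_time > RETRY_BLOCK:
            # Outside the window: this request starts a new one.
            first_time, declined = submitted_at, False
        if response_code != APPROVED:
            declined = True
        self._first[purchase_key] = (first_time, declined)


def replay(attempts, purchase_key=("tok_demo", "order-17")):
    """Run (time, issuer response) attempts through the guard and report
    whether each one was sent to the processor or blocked locally."""
    guard, outcome = DeclineRetryGuard(), []
    for when, response in attempts:
        if guard.may_submit(purchase_key, when):
            guard.record_response(purchase_key, when, response)
            outcome.append("sent")
        else:
            outcome.append("blocked")
    return outcome


# Constructed sample: a code 51 decline, then "put it through again" retries.
T0 = datetime(2016, 5, 1, 9, 0)
SAMPLE = [
    (T0, "51"),
    (T0 + timedelta(minutes=5), "00"),
    (T0 + timedelta(hours=11, minutes=59), "00"),
    (T0 + timedelta(hours=12, minutes=1), "00"),
]

if __name__ == "__main__":
    print(replay(SAMPLE))
```

Keying on the card token and order means a second cashier retrying the same purchase is blocked as well, which is the walk-away case the text describes.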

Disclaimer: The rules of card acceptance are very complex. Merchants should read the manual for complete details regarding card acceptance for your business type.

Distributor EMV Credit Card Terminals – Profit busters, profit boosters

Distributors have special needs for retail credit card processing to maximize profits and mitigate risk. Here we identify credit card terminals that are certain to fall short on delivering in an EMV environment. The two most critical retail needs are requiring customers to comply with the highest security supported, and supporting level III processing. Additionally, P2PE, encrypting at the terminal head, is important for security and compliance.

Only cloud payment solutions have the potential to meet the primary distributor retail processing needs.  This precludes all First Data terminals, one of the most popular brands distributed, and similar devices. DISCLAIMER: comments are specifically regarding business to business needs, not all retail industry needs, and are not in any way intended to imply anything negative about the terminals.

The terminals below DO NOT meet the two most critical distributor needs to maximize profits.

  • Verifone vx520
  • Clover Mini by First Data
  • First Data FD35 EMV PinPad, attaches to a variety of FD terminals.
  • Ingenico iCT250 EMV capable countertop terminal.
  • Magtek mini card swiper.

The terminals below have the POTENTIAL to meet the two most critical distributor needs to maximize profits. Special certifications and payment gateway logic are required.

  • Ingenico isc250 EMV signature capture terminal
  • Verifone MX915 EMV chip terminal

Fraud liability review for MasterCard, American Express, and Discover (credit and debit)

  • If the card is chip & sign, and the terminal is EMV only, the card issuer is liable
  • If the card is chip & pin, and the terminal is EMV without pin, or pin debit without EMV, the merchant is liable
  • If the card is chip & pin, and the terminal is EMV with pin, the issuer is liable
  • If the terminal supports EMV & pin, but the customer uses chip & sign, the merchant is liable. Acquirers generally support chip and pin bypass to chip and signature.

Merchants should only use solutions that require the highest security on every transaction, including prohibiting customer bypass.

If you want to enhance your customer experience, make a change that also maximizes profits.

Christine Speedy, CenPOS global sales and integrated solutions reseller, 954-942-0483. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS’ secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting merchant banking relationships. Keep your processor, upgrade your technology! Quick and easy to implement with no long term contract.

Updated Card Absent Chargeback Rule – 540 days

Business to business merchants, and automotive and parts dealers in particular, are especially stung by chargebacks for disputes relating to the quality of merchandise or services received. Effective for transactions processed on or after April 18, 2015, a new clause can increase the chargeback period from 120 days to 540 days for US and Canada.

Both Visa and MasterCard have implemented the new rule. I didn’t find a similar rule in a quick research of Discover and American Express, but my research was not exhaustive.  The rules are not identical and readers are advised to read the rules thoroughly, as this article does not include the full context for when the rule applies.

Visa Core Rules and MasterCard Chargeback Guide October 30, 2014:

  • Visa Chargeback Reason Code 53 – Not as Described or Defective Merchandise
  • MasterCard Reason Code 4853—Cardholder Dispute—Defective/Not as Described

One goal of the MasterCard rule appears to be providing customer recourse for ongoing interrupted services. The customer paid for something, they complained and worked it out within 120 days, but then there were recurring quality issues.

They both make it clear that a customer does not have to return goods and services in order to dispute at a later date. This is a change from the old rule.

How can merchants protect themselves in a dispute for these reasons?

  • Written return policy and proof of acknowledgement
  • All guarantees in writing acknowledged
  • Signed sales orders; include specific deliverables and policies at the time of agreement
  • All written communications, including emails, prior to and after the sale as part of the dispute process.
  • Save a log of phone calls with who, what, when, to submit as evidence.
  • For online payments, require a check box for acceptance of your terms of sale

Note: the 540 day rule has been in existence; however, the rules have been updated with more specificity, certainly for Visa.