American Express SafeKey for hotels

Direct from American Express hospitality industry webinar, hotels number one protection from card not present fraud is American Express SafeKey®. SafeKey leverages the global industry standard, 3-D Secure®*, to detect and reduce online fraud by adding an extra layer of security when Card Members pay online.

How to mitigate 3rd party authorization chargeback risk? Merchant best practices:

  • Ensure the cardholder participated in the initial transactions. Safekey is the best method to prove that, making signatures irrelevant.
  • Get written authorization of what expenses the cardholder will allow.
  • Put cardholder name on the folio.
  • Show where cardholder opted in to all policies, including damages, cancellation etc.
  • Authorization must be CARD NOT PRESENT.
  • Use solution that includes cardholder name in the authorization response; retrievable record.

American Express SafeKey

How does Amex SafeKey impact the customer shopping experience? The cardholder may have some or no difference in the checkout experience, based on many factors, including prior online shopping history. The cardholder may be asked authentication question(s) to confirm it’s really the cardholder.

How does Amex SafeKey impact merchants?

  • Fraud liability for “It wasn’t me, I didn’t authorize it” goes away as liability shifts back to the issuer.
  • For business to business, where cardholder billing and shipping address frequently vary, cardholder authentication plays an important role not available with four digit CID security code validation only.
  • At this writing, American Express merchants do not receive a specific interchange discount as may be available with other card brands.

How can merchants adopt the Amex SafeKey service?

  1. Enroll your company on the American Express web site.
  2. Receive e-mail from SafeKey Certification Team with your SafeKey ID and next steps.
  3. SafeKey Certification Team gets approval from Acquirer.
  4. Acquirer and SafeKey Certification Team complete required setup.
  5. Activate 3-D Secure on the application. (Ecommerce shopping cart, payment gateway, or ERP.) Both payment gateway and application must support the service.

* 3-D Secure is a registered trademark of Visa International Service Association in the United States and other countries.

Want to add American Express SafeKey to your business and get a great third party authorization form solution all included? Contact CenPOS global sales and integrations reseller, Christine Speedy, 954-942-0483 for more information.

Magento Security Alert requires action to maintain PCI Compliance

Magento 2.3.1, 2.2.8 and 2.1.17 Security Update

A SQL injection vulnerability has been identified in pre-2.3.1 Magento code. To quickly protect your store from this vulnerability only, install patch PRODSECBUG-2198. However, to protect against this vulnerability and others, you must upgrade to Magento Commerce or Open Source 2.3.1 or 2.2.8. We strongly suggest that you install these full patches as soon as you can.

PCI Compliance Requirement 6: Develop and maintain secure systems and applications. All critical systems must have the most recently released software patches to prevent exploitation. The average merchant relies upon third party developers for web site maintenance, but unless specifically contracted to update the e-commerce software and add-on modules, don’t count on it.

Only 16.4% of organizations that had suffered a data breach were compliant with Requirement 6, compared to an average of 64% of organizations assessed by our QSAs in 2014- Verizon 2015 PCI Compliance Report.

Payment gateway implementation requirements have changed over time as a result of cross-site scripting and cross-site request forgery (CSRF) to meet current PCI Compliance standards. Merchants should verify all components of their ecommerce ecosystem are current, and have a system for ongoing monitoring and updating.


  • Magento Security Center
  • MAGENTO SECURITY ALERT, March 26, 2019
  • Christine Speedy, 3D Merchant Services, offers a Magento payment gateway module for merchants to improve their omnichannel customer experience and mitigate fraud and vulnerability risk. Special B2B customer benefits include friction-less payments across all sales channels; text and email Express Checkout, customer invoice portal for 24/7 ACH, credit card, wire and more payment types, and US EMV with level 3 processing. Magento and ERP modules combine to provide a powerful array of solutions to improve cash flow and profits while maximizing security. 954-942-0483.

Event sales credit card authorization form template 2019

Accepting credit card deposits for events requires compliance with both card not present and stored card rules. Not PCI Compliance rules for data security, but rather authorization rules set by Visa, MasterCard etc. Comply with the rules and get rewarded with more authorization approvals, qualify for lower rates and mitigate risk of chargebacks.

Professionalism starts on the phone and continues throughout the buying experience. By replacing traditional credit card authorization forms with technology that puts buyers in control of their cardholder data, merchants create a better buying experience. Traditional credit card authorization forms were created to establish a record to use in the event of a future dispute. They’re useless today.

Merchants must replace credit card authorization forms with technology compliant with new rules for storing and using stored cards.

  • The initial authorization authenticates the cardholder.
  • The initial authorization informs that the cardholder has agreed to merchant storing card.
  • The transaction type will indicate it’s an estimate.
  • Future authorizations will reference any required above items and be submitted as Incremental or Final.

Compliance with the above is not possible with desktop terminals and even most virtual terminals and payment gateways. Merchants need a virtual terminal and or payment gateway that supports Unscheduled Credential On File, Incremental and Final Authorization rules. This is new terminology and new fields in the transaction process.

“Don’t be surprised if vendors don’t know about or support these rules. Just like EMV chip rollout, it’s a huge change and few providers are keeping up. We’re an exception. I had solutions for my clients prior to the EMV shift in October 2015 and again for the 2017 stored card mandate.”

Christine Speedy

Our solutions reduce buyer friction to pay and enables event sales and back office staff to collect deposits and capture cardholder data via text or email. These include push out payment requests via text or email, capture cardholder data for later use, and upload an invoice to collect payment.

text payment
Click here to see one of multiple options available.

Benefits of compliant solution:

  • Reduced merchant fees even with the same merchant account.
  • Increased approvals with cardholder authentication.
  • Mitigate chargeback risk including fraud liability shifting to issuer.
  • More convenient for buyers- 24/7 payments on their schedule, not yours.
  • Buyers are in control of choosing to store payment methods

Call Christine Speedy, PCI Council QIR certified, for simple solutions to card not present payment transaction problems, 954-942-0483, 9-5 ET. The cloud technology you need today to accept all payment types, with optional merchant, check processing and other services. 

#hotel #creditcardauthorization

Hotel Third Party Credit Card Authorization Form Alert

Is your hotel third party authorization form compliant with both Payment Card Industry Data Security Standards (PCI) compliance and card network acceptance rules? Beware solutions that are neither, risking an expensive data breach, lost reputation, and reduced profits. Due to significant rules changes in 2017, hotel management and hospitality advisors must adopt new technology solutions to comply.

Shifting from a paper credit card authorization form to a digitally signed cloud form often fails to meet intended goals to prevent fraud and increase security. For example, some digitally signed third party credit card authorization form solutions authenticate the cardholder with address and security code verification. Authorized merchant employees access and decrypt the signed document, then key-enter the cardholder data into another system for subsequent authorizations. The document containing PAN and security code remains on file for some period of time.

“This method is rife with compliance problems, leaving hotels unprotected from friendly fraud, ‘it wasn’t me, I didn’t authorize’ and data breach risk”, per Christine Speedy, PCI Council QIR certified.

For instance, per PCI Compliance 3.2, the security code, must not be stored after authorization, even if encrypted. Whether the security code can be stored prior to authorization, PCI leaves up to card brands and acquirers. Per Visa Core rules, section, merchants cannot even ask for the Card Verification Value 2 (CVV2) from the Cardholder on any written form.

A series of card not present acceptance rules changes are driving an urgent need for hotels to update. These significant changes include the process to store cards, use stored cards, and obtain authorizations. All this means, whatever worked in the past is no longer valid today. In the digitally signed form example, there’s no relation between the initial cardholder authentication transaction and any future authorizations. However, if done properly, the issuer would have returned a response acknowledging the merchant notification that they’d gotten permission to store the card; future authorizations would include that response.

Hackers continue to target the hospitality industry and they’ve been quite successful. With 338 breaches in the 2018 Verizon Data Breach report, the accommodation sector ranks in the top three of most incidents and breaches. InterContinental Hotels Group, Marriott International, Radisson Hotel Group, Hilton, and Hyatt have all had breaches as have suppliers to the industry like Sabre Hospitality. If you know you’re going to be attacked, why not eliminate employee access to cardholder data completely?

How can hotels better protect against card not present credit card fraud? 3-D secure is a global protocol designed to be an additional security layer for online credit and debit card transactions. By combining a web-based authorization form with 3-D Secure cardholder authentication, including Verified by Visa, fraud liability shifts to the issuer, much like EMV chip shifts liability to the issuer. By using a payment gateway to manage initial and subsequent authorizations, with the capability to invoke 3-D secure, merchants mitigate chargeback risk and avoid the time consuming process of fighting to get their money back after they occur. As a bonus, some issuers support reduced interchange rates, the bulk of credit card processing fees, when 3-D Secure is invoked. No cardholder data is ever visible to employees.

With every part of the payment ecosystem needing to make changes- card issuer, acquirer (merchant account processor), payment gateway- it’s inevitable that there will be gaps in compliance. Non-compliance with rules can result in fines, penalty fees, and removal from card acceptance. 

Key questions to ask when evaluating hotel third party credit card authorization solutions:

·      Is the security code ever stored?

·      Is 3-D secure supported?

·      Is it compliant with the Visa stored credential mandate, including unscheduled credential on file?

·      After the initial authorization, are subsequent authorizations submitted with retail, MOTO (telephone order), or e-commerce transaction type?

·      Correct Answers: no, yes, yes, MOTO

Keywords: #creditcardfraud #databreach #lodging #hotels #pcicompliance #creditcardauthorizationform

Call Christine Speedy, PCI Council QIR certified, for PCI compliant web-based third party authorization forms and other hotel payment technology to make your business more profitable and secure. 954-942-0483, 9-5 ET.

Credit card authorization form template alert

Searching for a credit card authorization form template? Maybe PCI compliant form or Microsoft Word compatible template? Stop! If your web browser is not up to date, just landing on the web site that has the form might introduce malicious code into a company’s systems and network, leading to a future data breach.

Businesses should be replacing traditional credit card authorization forms with other payment methods where the customer self-pays:

  • Hosted pay page
  • Push out a payment request via text or email

Per Visa, merchants are never allowed to ask for the security code on paper.  Merchants also cannot store the form with full card numbers. They increase risk of fraud and identity theft and nobody likes them!

What are the benefits of customer initiated payments?

  • Reduced merchant fees for some cards (3-D Secure cardholder authentication such as Verified by Visa must be enabled.)
  • Increased approvals with cardholder authentication.
  • Mitigate chargeback risk – with 3-D Secure cardholder authentication, fraud liability shifts to issuer.
  • More convenient for buyers- 24/7 payments on their schedule, not yours
  • Buyers are in control of choosing to store payment methods

How do you choose the best solution? Here’s some of our product differentiators:

  • PCI Compliant credit card authorization form generated automatically, should you have a need to get a signature to terms for storing and using stored cards.
  • 3-D Secure cardholder authentication supported.
  • Choose any acquirer.
  • Automated interchange management, including level 3 processing for business to business (B2B) and business to government (B2G), to reduce fees and maximize profits.
  • If preauthorizations are needed, ongoing authorization management is critical and we do that automatically.

Call Christine Speedy, PCI Council QIR certified, for simple solutions to complex payment transaction problems, 954-942-0483, 9-5 ET. CenPOS authorized reseller based out of South Florida and NY. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.