Balancing card not present risk with customer convenience

Posted on July 21, 2015 by Christine Speedy

Accepting credit cards for card not present customers can be risky, and merchants have long sought solutions to protect themselves from future disputes. The problem is most of those methods are PCI Compliance nightmares, often storing card data in the clear on paper credit card authorization forms. Enabling customers to self pay is one way to mitigate risk.

HOSTED PAY PAGE – ONLINE PAYMENTS

With a hosted pay page solution, customers are directed to a secure web page. The ‘host web server’ is the payment gateway, thus reducing merchant PCI Compliance burden. Gateways have different fraud tools for merchants, beyond the usual address and CVV security verification. Examples of hosted pay page solutions:

Link to custom payment processor URL (First Data)
Embedded payment object on merchant web page; the merchant should have an SSL certificate, even though the payment object itself is on a different server. This is usually achieved with an iframe. (CenPOS)
Link to a custom payment gateway URL (CenPOS); this provides continuity when merchants change processors

ELECTRONIC BILL PRESENTMENT & PAYMENT (EBPP)

Customers are sent an electronic invoice, which they can pay remotely. Both merchants and customers have a portal to manage various functions. EBPP used to be costly, upwards of $100,000, but now, there’s solutions for all price ranges based on merchant needs. Examples of EBPP solutions:

Standalone– merchants login to a web based portal and generate an invoice which is delivered electronically to customers. (Paypal, CenPOS)
Integrated, accounting software managed – customers receive electronic invoices with data originating from accounting, ERP, or other software, and the ERP managing the delivery of the invoice, reminders etc (Quickbooks & Intuit merchant services, ERP/CenPOS).
Integrated, gateway managed – customers receive electronic invoices with data originating from accounting, ERP, or other software (Quickbooks & Intuit merchant services, Quickbooks & 3rd party gateway integration/ any merchant account), and the gateway managing the delivery of the invoice, collection reminders etc.

EBPP BENEFITS VS HOSTED PAY PAGE

Pushes out to customer- less friction to complete the payment and or sale
Reduce risk with additional evidence trail for dispute defense; records of invoice delivery and customer opted to pay strengthen defense; card brand rules include chargeback protection without a signature if bill to address matches the company address and the employee email address was used. (See Visa Merchant Rules for details)
Automated reminders if they don’t pay (solutions vary widely how this works)
Customer visibility to credit outstanding; ability to self-free up credit to buy more
Reduced calls to accounts receivable for questions about what invoices are outstanding

HOSTED PAY PAGE & EBBP VENDOR SELECTION

There are wide differences in payment gateways, and the related solutions. The best solution varies depending on the business type.

Critical needs for business to business:

Level III processing supported for all payment channels
Collections automation
Flexibility – the average merchant changes processors every three years; choose a gateway independent of the processor to avoid business disruptions
3 D Secure (Vbyv and MasterCard Secure) – card not present fraud is expected to rise dramatically with US EMV adoption
Tokenization – empower customers to self store and manage payment methods
Card Updater – if applicable for recurring service

CenPOS is a merchant centric, end to end payment engine that meets all omnichannel and critical business to business needs. For sales and integrations, contact Christine Speedy 954-942-0483.

How to get CVV2 and be PCI Compliant: request a payment

Posted on March 31, 2015 by Christine Speedy

Credit card authorization form example is not PCI Compliant.

According to Visa Core Rules, October 2014 page 266, Merchant Must Not Request the Card Verification Value 2 data on any paper Order Form. So how can a merchant get the CVV for card not present customers? Online payments, request a payment and electronic bill presentment and payment all solve the problem. Below are solutions possible with CenPOS, a merchant centric payment processing platform. Other payment gateways may not have the same functionality.

Online payments, passive:

Secure hosted pay page is managed by the payment gateway so payment data never touches merchant web servers.
Customers can store card data for charges to be applied later. In this case, the user registers, creating an account so they can manage payment methods including ACH, credit card and wire. A zero dollar authorization is performed when a credit card is stored, and CVV can be validated. Once validated, it’s never needed again, and therefore is never stored. A random token ID is generated, which both the cardholder and merchant can see, but neither will ever have access to sensitive data again. The cardholder can also update the expiration date, but if the CVV changes with a future card replacement, then a new token must be created.
Customer can make payments for any amount without logging in.

Request a Payment or Electronic Bill Presentment and Payment (EBPP or EIPP), proactive.

Reduces accounts receivable friction.

Non-Integrated – Merchants use the CenPOS EBPP portal to create the payment request, including optional invoice detail. The customer is sent a text and or email with a payment link.
Integrated – same as above, except the invoice is sent from accounting or financial software such as ERP.

With EBPP, customers have a portal to pay multiple invoices, view payments, download invoices, and manage payment methods.

At a minimum, merchants with card not present customers should offer online payments as a way to enable customers to securely pay a bill. If a signature is required, have the customer print and sign the receipt, and email that authorization back, which is more valuable than traditional credit card authorization forms.

Need a secure solution but don’t want to change your merchant account? No problem. Contact Christine Speedy for secure, cost effective and efficient solutions.

PCI Compliance: Card Not Present Merchant Quick Checklist

Posted on March 31, 2015 by Christine Speedy

Do you (even occasionally or temporarily) create, receive, or otherwise come to possess any paper records or receipts that contain cardholder data? The number one rule card not present merchants violate is a Merchant Must Not Request the Card Verification Value 2 data on any paper Order Form.

Do you make sure that you NEVER, EVER store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions after authorization (even if encrypted)?

Are strong cryptography and security protocols, such as SSL/TLS, IPSec, or SSH used to safeguard cardholder data during transmission over open, public networks?

For SSL/TLS implementations, does HTTPS appear as part of the browser Universal Record Locator (URL), and is cardholder data required only when HTTPS appears in the URL?

Are policies, procedures, and practices in place to make sure that you NEVER, EVER send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat)?

Do your access limitations require restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities?

Do your access limitations require assignment of privileges to be based on individual personnel’s job classification and function?

Is your security policy established, published, maintained, and disseminated to all relevant personnel (for the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s site cardholder data environment)?

Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security?

Stone, Marble, automotive Dealer Design of the Future: Impact of Mobile Apps

Posted on January 9, 2015 by Christine Speedy

Design tips for commercial architects and interior planning designers. Mobile applications and other technology applications can impact floor planning. We’ve seen an explosion of automotive dealership renovation or outright new builds. Whether now or later, where and how customers pay their bill is changing. The same applies to large scale facilities like stone, marble, lumber, and other stores that cater to designers.

Trends and Planning Implications for Service Advisors Accepting Payments.

There is an explosion of service advisors accepting payments, in part due to cloud payment options. Some of the designs I’ve seen are not conducive to best practices for payment card industry data security standards (PCI Compliance), or are just not customer friendly. The main types of payment acceptance are:

Credit card magnetic stripe reader wedge that attaches to computer screen. Spotted at a newly renovated dealership in Fredericksburg MD- a high top counter that obscures the desk and computers of service advisors. While creating If the computer screen sits below a high top counter, the card will be out of site of the consumer. This presents significant risk to the merchant as the cashier or advisor could quickly photograph the card with a smart device, or swipe it on a secondary device.

Signature Capture Terminal. Consider that the consumer must see the terminal screen in order to see messages and sign their name. Unlike grocery stores, most dealers do not mount the terminal onto a permanent bracket which includes a swivel to change the angle of view. Given that the terminal will be placed on the desktop, 36 inches to 42 inches from floor is a comfortable range to accommodate viewing. Those hightop 50 inch circular customer service desks are too high for customers to see the and sign on the terminal.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Card Not Present, CenPOS, credit card processing

B2B Cloud payment processing technology blog about increasing profits, efficiency and security.

Category Archives: security