Hotel credit card authorization form 2017 change

Posted on March 31, 2017 by Christine Speedy

Hotel and lodging industry must update best practices due to 2016 and 2017 changes in Visa and MasterCard rules. Cardholder authentication and multiple authorization indicators are two key components of change. Hotels that comply will maximize profits and security. Noncompliance will result in higher credit card acceptance fees due to penalties, increased declines, reduced profits, and new chargeback risk.For those still using paper credit card authorization forms, few are in compliance with Visa Core Rules 5.4.2.5 Prohibition against Requiring Cardholder or Account Data – US Region.

“A US Merchant or its agent must not: Request the Card Verification Value 2 data on any paper Order Form.”

Authorization validity is front and center to the 2017 rules changes. Merchants used to get and authorization, and settle it later at checkout. Now merchants must send the correct transaction types and link them all together with a unique identifier:

The ESTIMATE (Visa) or UNDEFINED (MasterCard) indicator is sent when the final settlement amount is unknown. The customer must be informed that it is an estimate as well.
INCREMENTAL authorization is obtained when the original authorization expires or to increase the amount on hold.
Final Authorization says this is the final transaction.

TIP: Merchants need 3-D Secure (Verified by Visa, MasterCard SecureCode), a global cardholder authentication standard for card absent transactions, to maximize profits and compliance for card not present transactions, which is only available with customer initiated transactions: hosted pay page, digital payment request, online booking. Paper forms don’t create a digital record tied to the credit card, and cardholder authentication is not possible, as defined by the card brands. It’s also not possible to comply with the rule by key entering data into any desktop terminal.

The unique transaction transaction identifier can be a point of breakdown in the process. For example, the events manager obtains a paper credit card authorization form. The first charge is a deposit; the second charge is at the end of the event; a third charge occurs after assessing damages to a room. In each case, the amount is key entered into the payment processing terminal. Since there is no transaction identifier tying them all together, the authorizations are invalid and the ISSUER is within their rights to chargeback for invalid authorization, example Visa reason code 72.

There are so many nuances to the rules, and changes needed in the payments ecosystem, hotels should not assume existing partners have completed the required updates to comply. Technology that can automatically manage the authorization and settlement process- not the old way, but with all the new rules changes- requires a sophisticated payment gateway. Like EMV, there will be vendors that struggle to adapt.

For compliant solutions that can be used standalone or integrated, improving your customer experience, contact Christine Speedy, 954-942-0483.

Reference materials:

MasterCard® Pre & Final Authorization Mandate by CyberSource, December 2016.
Visa Core Rules October 2016.
MasterCard Revises Standards for Processing Authorizations and Preauthorizations by Vantiv December 2016.
MasterCard Transaction Processing Rules, November 2016.

See merchant bulletins – downloads for links to many resources.

Verifone Investigating Data Breach

Posted on March 29, 2017 by Christine Speedy

Reported by Krebs on Security, Verifone is investigating a breach of its internal computer networks that appears to have impacted a number of companies running its point-of-sale solutions. Verifone says the extent of the breach was limited to its corporate network and that its payment services network was not impacted.

“According to the forensic information to-date, the cyber attempt was limited to controllers at approximately two dozen gas stations, and occurred over a short time frame. We believe that no other merchants were targeted and the integrity of our networks and merchants’ payment terminals remain secure and fully operational.”

Read the full article here https://krebsonsecurity.com/2017/03/payments-giant-verifone-investigating-breach/

PCI SECURITY STANDARDS COUNCIL PUBLISHES SUPPLEMENTAL PCI DSS SCOPING GUIDANCE

Posted on December 16, 2016 by Christine Speedy

Guidance Clarifies Scoping Principles Outlined in the PCI Data Security Standard —
WAKEFIELD, Mass., 9 December 2016 — Incorrectly identifying where and how payment data is at risk in an organization’s systems continues to lead to data breaches. Today, the PCI Security Standards Council (PCI SSC) published Guidance for PCI DSS Scoping and Network Segmentation to help businesses address this challenge.

PCI Data Security Standard (PCI DSS) Requirement 1.1 states that organizations need to maintain a cardholder data flow diagram to help identify which systems are in scope and need protection. Yet data breach investigation reports continue to find that companies suffering compromises were unaware that cardholder data was present on their compromised systems. This guidance provides a method to help organizations identify systems that, at a minimum, need to be included in scope for PCI DSS. It includes guidance on how segmentation can be used to help reduce the number of systems that require PCI DSS controls and illustrative examples of some common segmentation approaches.

“For years, we have preached the need to simplify and minimize the footprint of cardholder data,” said PCI SSC Chief Technology Officer Troy Leach. “One way to accomplish this is through good segmentation. It allows an organization to focus their attention on a limited number of assets and more readily address security issues as they arise. As a result, it should also reduce the level of effort to comply with PCI DSS.”

While segmentation is not a PCI DSS requirement, it is a strongly recommended practice. Segmentation of networks included in or connected to the cardholder data environment is important for organizations as it can limit the exposure of payment data in a system, simplify PCI DSS compliance efforts and reduce the chance of being targeted by a criminal. However, as improper segmentation can put cardholder data at risk, it’s critical that organizations understand and implement segmentation properly.

The guidance was developed with industry input and collaboration in order to address common questions from PCI SSC stakeholders on scoping and segmentation. Christian Janoff, PCI SSC Board of Advisor member and Security Solutions Architect for Cisco, works regularly with merchants using scoping and segmentation products and was a leading contributor to the guidance. “Knowing the scope of your cardholder data environment and properly segmenting to protect it has been a challenge for many organizations. By providing guidance, we hope this will help to simplify the process, making it easier to secure payment card data,” he said. “We at Cisco are proud to partner with the Council and industry peers to bring additional scoping and segmentation guidance to the industry.”

Guidance for PCI DSS Scoping and Network Segmentation is intended for organizations looking to understand scoping and segmentation principles when applying PCI DSS to their environments. It also provides a method for facilitating effective scoping discussions between entities and is useful for:

• Merchants, acquirers, issuers, service providers (issuer processors, token service providers, and others) responsible for meeting PCI DSS requirements for their enterprises;
• Assessors responsible for performing PCI DSS assessments;
• Acquirers evaluating merchants’ or service providers’ PCI DSS compliance documentation;
• PCI Forensic Investigators (PFI) responsible for determining PCI DSS scope as part of an investigation.

It is important to note each organization is responsible for making its own scoping decisions and that following this guidance does not guarantee that effective segmentation has been implemented, nor does it guarantee compliance with PCI DSS. The guidance is available on the PCI SSC website. Chief Technology Officer Troy Leach provides additional insights on the topic on the PCI Perspectives blog.

About the PCI Security Standards Council
The PCI Security Standards Council is a global forum that is responsible for the development, management, education, and awareness of the PCI Data Security Standard (PCI DSS) and other standards that increase payment data security.

Credit Card Authorization Form and PCI Compliance Update

Posted on November 21, 2016 by Christine Speedy

A Credit Card Authorization Form enables a business to charge a credit card one-time or for recurring purchases. Is your form PCI Compliant with 2016 standards? Edited from my original contribution to Credit Today, learn the pitfalls and solutions to traditional paper authorization forms.

Do your business practices meet current PCI Compliance standards?

Is it OK to store the form in a locked drawer?
Is it OK to store the form in the cloud if it’s encrypted?
Is it OK to receive them via email?
Is it possible to qualify for the lowest processing rates using them?
Is it OK to key enter each transaction for cards on file?

Credit Card Authorization Forms and PCI Compliance Rules

Per PCI 3.2, Neither Primary Account Number (PAN) nor Card Verification Code (CVV) can be stored on paper after authorization.
Per PCI 3.4, must render PAN unreadable anywhere stored (including on portable digital media, backup media, and in logs) using one of four cited approaches.
No. Per PCI 2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).
No. Most cards, except regulated debit, can qualify for multiple rates depending on how the transaction is submitted. For example, MasterCard World card rates:

Rate Name	Rate	Qualified Rate Reason
Standard	2.95% + $.10	Not all criteria met for another rate.
Merit I	2.05% + $.10	Key-entered or ecommerce and valid authorization + other criteria met.
Full UCAF	1.87% = $.10	Ecommerce; Cardholder authentication and other criteria met.

To qualify for UCAF, the customer must initiate payment.

Ecommerce includes online paypage and other electronic payment channels the customer initiates.

No. If a customer authorizes to store a card, then after the initial transaction, all subsequent transactions must be sent with the correct transaction type: recurring or repeat sale.

Alternative methods to process Card Not Present orders:

Hosted pay page. The merchant directs customers to web page to pay any invoice online. Acceptable implementation methods have changed in the last year or two for PCI Compliance. For maximum reduced PCI burden, send customers directly to the 3rd party payment gateway web URL. The gateway may or may not be the same as your processor. NOTE: If hosting on your own web site with an embedded payment (iframe) object, PCI requirements have changed; any old forms should be updated.

Electronic Bill Presentment & Payment. (EBPP or EIPP) This is basically a proactive version of the above. As a standalone solution, the merchant user logs in to a gateway web portal, and sends a payment request via text or email which the customer clicks and pays. Integrated to billing software, it sends the actual invoice, and may require customer to login to make the payment.

All the major payment gateways include a Virtual terminal, hosted pay page, and shopping cart checkout capability, tokenization to store card data for future orders. Some, including CenPOS also offer EBPP.

If you accept cards over the phone, gateways with a virtual encrypted keyboard can reduce PCI scope since card data never touches computers or networks.

Christine Speedy, CenPOS reseller, maximizes profits, efficiency, and security with payment processing solutions including EIPP, collections automation, and online payments. She can be reached at 954-942-0483 or cspeedy AT 3dmerchant.com.

What is CAVV Authentication Verification Value?

Posted on November 8, 2016 by Christine Speedy

Cardholder Authentication Verification Value, or CAVV, are potential responses for customer initiated Visa debit and credit card transactions where the Verified by Visa, or Vbyv, authentication method is used. E-commerce, online payments, and Electronic Invoice Presentment & Payment (EIPP or EBPP) are all solutions in which a customer can participate in self-authentication.

How does CAVV impact interchange rates, the bulk of credit card processing fees?

To qualify for CAVV interchange rates, merchants must register for Verified by Visa through their merchant services provider, and must use a payment gateway that supports the service as part of the transaction process. In addition, other rules apply such as settlement time and more; the latter part can be managed automatically with an intelligent payment gateway.

The best Visa Card Not Present Key entered transaction credit rate is 1.80%.
The same Visa transaction as above, but with a valid CAVV response is 1.70%.

How does CAVV impact fraud risk?

If a passed validation response is returned, then fraud risk shifts to the card issuer. Responses other than ‘fail’ may warrant additional scrutiny as part of a layered approach to mitigate fraud risk.

CAVV Transaction Response Code Values:

“ ” – Blank CAVV or AEVV Not Present
0 – CAVV or AEVV Not Validated due to erroneous data submitted
1 – CAVV or AEVV Failed Validation – Authentication Transaction. This is an indication of potential bad or fraudulent data submitted as the CAVV/AEVV.
2 – CAVV or AEVV Passed Validation – Authentication Transaction
3 – CAVV or AEVV Passed Validation – Attempted Authentication Transaction. (Determined that the Issuer ACS generated this value from the use of the Issuer’s CAVV/AEVV key[s]).
4 – CAVV or AEVV Failed Validation – Attempted Authentication Transaction. This is an indication of potential bad or fraudulent data submitted as the CAVV/AEVV. (Determined that Visa generated this value from the use of CAVV/AEVV key[s]).
5 – Reserved for future use – NOT USED
6 – CAVV or AEVV Not Validated – Issuer not participating in CAVV/AEVV validation. This value is generated when an Issuer requests the “do not verify” flag to be established for its BINs. This parameter enables an Issuer to temporarily stop CAVV/AEVV verification while resolving CAVV/AEVV key issues. VisaNet processes this value as a valid CAVV/AEVV.
7 – CAVV or AEVV Failed Validation – Attempted Authentication Transaction. This is an indication of potential bad or fraudulent data submitted as the CAVV/AEVV. (CAVV/AEVV generated with Visa Key)
8 – CAVV or AEVV Passed Validation – Attempted Authentication Transaction. (CAVV/AEVV generated with Visa Key)
9 – CAVV or AEVV Failed Validation – Attempted Authentication Transaction. This is an indication of potential bad or fraudulent data submitted as the CAVV/AEVV (CAVV/AEVV generated with Visa Key – Issuer ACS unavailable)
A – CAVV or AEVV Passed Validation – Attempted Authentication Transaction. (CAVV/AEVV generated with Visa Key – Issuer ACS unavailable)
B – CAVV or AEVV Failed Validation – Attempted Authentication Transaction. This is an indication of potential bad or fraudulent data submitted as the CAVV/AEVV. (CAVV/AEVV generated with Visa Key)
C – CAVV or AEVV Not Validated – Attempted Authentication Transaction. Issuer did not return a CAVV/AEVV results code in the authorization response. VisaNet will treat this as valid CAVV/AEVV if the Issuer approves the authorization.
D – CAVV or AEVV Not Validated – Authentication – Issuer did not return a CAVV/AEVV results code in the authorization response. VisaNet will treat this as valid CAVV/AEVV if the Issuer approves the authorization.
I – Invalid Security Data
U – Issuer does not participate or 3-D Secure data not utilized.
Default space filled

Note, other card brand authentication terms are AEVV, American Express Verification Value and MasterCard Universal Cardholder Authentication Field (UCAF^™). All of these, including VbyV, use the global standardized 3-D Secure XML security protocol. Payment gateways can implement 3-D Secure in different ways, which can potentially impact profits and risk.

For CenPOS solutions to enable customer cardholder authentication, including payment gateway, contact Christine Speedy today. Not all solutions work alike, contact an expert.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Card Not Present, CenPOS, credit card processing

B2B Cloud payment processing technology blog about increasing profits, efficiency and security.

Category Archives: security