Hotel Third Party Authorization Form Alert

The best hotel third party authorization forms are fully compliant with card brand rules to mitigate chargeback risk, especially for friendly fraud, where cardholder claims they did not authorize the transaction. Fraud liability can be shifted nearly one hundred percent with best practices, plus risk of data breach from employee and other access to card data can be mitigated. Avoid the paper and digital credit card authorization form problems perpetuated by misinformation from people and incorrect internet postings.

Paper credit card authorization forms are dead.

Per Visa Core rule 5.4.2.5, a US merchant or its agent must not Request the Card Verification Value 2 data on any paper Order Form. I could go on with all the PCI compliance and data breach risk problems related to them, but because merchants must authenticate the cardholder with the security code or 3-D secure cardholder authentication (which requires digital interaction) for card not present transactions, paper forms are effectively dead. This also applies to secure document service companies and any solution where sensitive cardholder data can be viewed or decrypted for use in another solution.

Web-based third party authorization forms are best for card absent compliance.

More than just PCI compliance, a myriad of rules changes since 2017, and continuing into 2019, impact every hotel. Everyone must change to comply and it’s not automatic. For example, you’re getting a sales deposit, and will definitely or will possibly charge more later. There’s a new set of transaction data standards which include estimate, incremental, and final authorization. While the technical piece is handled by payment gateways, not all have made the modifications required. Additionally, some elements are left to merchants to manage.

  • Comply with Visa 5.8.3.1 Authorization Amount Requirements.  The Merchant must use the Estimated/Initial Authorization Request indicator for the first transaction,
    then the Incremental Authorization Request indicator for interim if applicable, and Final Authorization Request indicator when closing out the transaction; the same Transaction Identifier must be included for all Authorization Requests. Don’t accept an authorization online and then swipe or dip the same card later unless your card present system can tie back to the initial authorization.
  • Stored cards. Are you storing cards for ongoing charges? Comply with Visa Rules Table 5-20: Requirements for Prepayments and Transactions Using Stored Credentials. There are too many variables to list here so I recommend downloading the rules and getting familiar. Two keys when capturing card data for the first time:
    • Obtain express consent per specifications for your refund and cancellation policies, how you’ll use the stored card, when your agreement expires and how the Cardholder will be notified of any changes to the agreement.
    • Perform a cardholder verification either via transaction or zero dollar authorization with the proper indicator.
    • This is a change! Two transactions occur when capturing cardholder data for the first time. Again, technical part can be handled by a payment gateway that supports it, but other elements are left to you.

Hotel third party authorization form solutions.

Contact me for solution that works standalone or integrated with SynXis. Shift friendly fraud liability and potentially qualify transactions for better rates with your existing merchant account. That’s because non-compliance with various rules can result in higher fees.

Here’s some key elements if the initial authorization is not the final authorization. Terminology:

  • PCI compliance- short for Payment Card Industry Data Security Standards. All businesses are mandated to comply with rules which are outlined on the PCI Security Standards Council web site.
  • 3-D secure (3D Secure) is a global XML-based protocol designed to be an additional security layer for online credit and debit card transactions. Each card brand has their own version. For example, Verified by Visa. Merchants register for 3-D Secure with their acquirer; always consult with the payment gateway first for instructions and to confirm they’re registered to offer service. 3-D Secure is invoked automatically by the payment gateway which then based on issuer response may or may not prompt for additional information to authenticate the cardholder.  Friendly fraud liability, “it wasn’t me, I didn’t authorize it”, shifts to the issuer. Because there are many parts to any transaction, including acquirer and issuer communications, plus continually changing rules, it’s possible that it will not be invoked.
  • Link to Visa and all card brand Rules.

Call Christine Speedy, PCI Council QIR certified, for global sales. 954-942-0483, 9-5 ET, CenPOS authorized reseller based out of South Florida and NY. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

Christine Speedy on Ask the Expert Panel in Boca Raton

Christine Speedy will be on the BocaJS experts panel in Boca Raton, Florida. Christine’s background in ecommerce stems from when the internet first started. With skilled coding labor shortages, Christine learned html to help get stuff done for clients which included the Miami Dolphins, Blockbuster, the Florida Marlins and many others. While leaving serious work up to the coders and integrators today, her payment checkout insights are unparalleled for PCI Compliance and card network rules compliance. Get to know the industries best experts on everything from Development, Design, IT, DevOps, Recruiting, and Learning in Boca Raton, Florida.

Cendyn Spaces, in the Atrium

980 North Federal Highway · Boca Raton, FL

About The BocaJS group

The BocaJS group is here to represent the best that South Florida can bring to the world’s best Language (Javascript). And any else web related as well! In addition to vanilla java script, we’ll be looking at frameworks such as Node, AngularJS (1, 1.5 AND 2,4,5,6,…. 7 beta? ), Ember.js, jQuery, ReactJS and Ionic. Founded in September 2014 by Adam & Hector, and Run currently by Damian Montero and Jermbo Lawson this group continues to grow and thrive. Website: BocaJS.org (https://bocajs.org/)

About Christine Speedy

Christine Speedy is a Qualified Integrator and Reseller payments professional, certified by the Payment Card Industry Security Standards Council, and authorized CenPOS Reseller. Christine is a subject matter expert on PCI compliance and card network rules compliance, offering secure cloud payment technology to businesses, transforming the commerce and customer experience. South Florida Technology Alliance member.

Christine Speedy is PCI Council QIR Certified

Christine Speedy is Qualified Integrator and Reseller certified by the Payment Card Industry Security Standards Council. QIRs are integrators and resellers specially trained by PCI Security Standards Council to address critical security controls while installing merchant payment systems. QIRs reduce merchant risk and mitigate the most common causes of payment data breaches by focusing on critical security controls.pci qir certified logo

The council changed the QIR certification requirements after my certification in an effort to reduce barriers to certification, both financially and with the depth of training. While QIR certification always was for individuals, they were tied to companies. The tie to companies has been removed so as they change jobs the certification is not disrupted. Due to this change, the PCI council recently updated the web site search navigation. My company used to be the first listing when you clicked on the QIR link. Now, the only way to find me or any other QIR certified person is to do a search.

qir certified speedy

Before PCI QIR certification requirements change.

 

PCI QIR certified christine speedy

After PCI QIR certification requirements change.

While the Visa QIR mandate is for Level 4 merchants with card present transactions, I recommend that all merchants use QIR individuals for all transaction types. There’s a false sense of security that consultants and developers are guarding merchant security, but literally every day I find problems with companies of all sizes.

The Christine Speedy difference. PCI compliance is important to mitigate data breach risk, but equally important is compliance with complicated card network rules. Have you read any of the 1,000+ pages of Visa Rules? Or 300+ Mastercard transaction processing rules? Have any of the people you rely on? I’ve spent countless hours educating myself on them and learning about the nuances that impact your profit and risk. Technology directly impacts compliance. It doesn’t matter how big or how old a company is; the reality is most players in the payments industry fall behind with every new rule that comes out, even though these rules are usually announced years in advance so that they can prepare.

Resources:

Christine Speedy, QIR certified payments professional can be reached at 954-942-0483, 9-5 ET.

Data breach prevention: update every device due to Intel vulnerability

News of the Intel chip flaw creating vulnerability in virtually everything with a computer chip in it was announced last week. Microsoft, Google and tech companies now have a fix so it’s time to update all your devices. These emergency updates are to address the bugs called Meltdown and Spectre.

“These hardware bugs allow programs to steal data which is currently processed on the computer. While programs are typically not permitted to read data from other programs, a malicious program can exploit Meltdown and Spectre to get hold of secrets stored in the memory of other running programs. This might include your passwords stored in a password manager or browser, your personal photos, emails, instant messages and even business-critical documents.”

“Meltdown and Spectre work on personal computers, mobile devices, and in the cloud. Depending on the cloud provider’s infrastructure, it might be possible to steal data from other customers.”

For PCI compliance, merchants must update software within 30 days, however, I wouldn’t wait. Prioritize updates now.

For more information on the bugs, see https://krebsonsecurity.com/2018/01/scary-chip-flaws-raise-spectre-of-meltdown/

Christine Speedy, CenPOS authorized reseller, 954-942-0483. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

Test and fix TLS 1.0 to TLS v1.2 for merchant non-compliance notice

To keep your data safe, the Payment Card Industry Security Standards Council (PCI SSC) has mandated a security upgrade impacting all merchants where web browsers can be used in the payment process. Acquirers and payment gateways have set various deadlines in advance of the required PCI TLS v1.2 Security Protocol Upgrade by  2018. Either hardware may need to be replaced or software updated.

Recently, multiple vulnerabilities have been uncovered. Criminals are using the vulnerabilities at massive levels over prior years. Security company Zscaler blocked an average of 8.4 million SSL/TLS-based malicious activities per day in the first half of 2017 for its customers on its Zscaler cloud platform. That’s why all merchants need to upgrade to the most current version of TLS (Version 1.2) and should do so as soon as possible. Because this is an absolute necessity, merchants are getting emails about hard stop dates; if not fixed, merchants will not be able to process transactions after the deadline.

TLS Deadlines vary by acquirer and payment gateway. Dates have been changing due to non-compliance so check with your partners.

  • Chase Paymentech, September 30, 2017.
  • Authorize.Net, February 28, 2018.
  • First Data varies by solution. Datawire will remove SSL v3, TLS v1.0, and TLS v1.1 on February 15th 2018.

TLS 1.0 and TLS 1.1 need to be disabled from browsers, servers and related applications. SSL 3.0 should have been disabled years ago.

Do not rely on server host companies or consultants to do this for you. It’s up to merchants to maintain PCI Compliance. If you get a notice of non-compliance from your acquirer and use a virtual terminal, test your browser below.

FREE Test SSL/TLS for Browser and Servers and updating TLS for card not present transactions:

Free SSL and TLS test from Qualys. https://www.ssllabs.com/ssltest/index.html.  If you get a YES next to TLS 1.0, SSL 3, or SSL 2, then hardening is needed.

Try updating your browser and then run the test again. If the browser is current, go to your web browser settings or preferences and disable SSL and TLS 1.0. Run the same test on your web site. If you get a yes, go to your host administration and disable in security settings.

What is TLS Security Protocol?

Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL) are both frequently referred to as “SSL”. When you go to a web page and the URL is “https”, the S stands for secure, and the domain host has a security certificate installed and enabled on the web host. Websites use TLS to secure all communications between their servers and web browsers. For example, when a merchant logs into a virtual terminal using a web browser, or a customer makes a payment online via a hosted pay page or ecommerce shopping cart.

 

Christine Speedy, CenPOS authorized reseller, 954-942-0483. B2B cloud payments solutions and CenPOS enterprise cloud payment solutions expert. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.