Credit Card Authorization Form and PCI Compliance Update

A Credit Card Authorization Form enables a business to charge a credit card one-time or for recurring purchases. Is your form PCI Compliant with 2016 standards? Edited from my original contribution to Credit Today, learn the pitfalls and solutions to traditional paper authorization forms.

Do your business practices meet current PCI Compliance standards?

  1. Is it OK to store the form in a locked drawer?
  2. Is it OK to store the form in the cloud if it’s encrypted?
  3. Is it OK to receive them via email?
  4. Is it possible to qualify for the lowest processing rates using them?
  5. Is it OK to key enter each transaction for cards on file?credit card authorization form pci compliant

Credit Card Authorization Forms and PCI Compliance Rules

  • Per PCI 3.2, Neither Primary Account Number (PAN) nor Card Verification Code (CVV) can be stored on paper after authorization.
  • Per PCI 3.4, must render PAN unreadable anywhere stored (including on portable digital media, backup media, and in logs) using one of four cited approaches.
  • No. Per PCI 2 Never send unprotected PANs by end-user messaging technologies (for example, e-mail, instant messaging, SMS, chat, etc.).
  • No. Most cards, except regulated debit, can qualify for multiple rates depending on how the transaction is submitted. For example, MasterCard World card rates:
Rate Name Rate Qualified Rate Reason
Standard 2.95% + $.10 Not all criteria met for another rate.
Merit I 2.05% + $.10 Key-entered or ecommerce and valid authorization + other criteria met.
Full UCAF 1.87% = $.10 Ecommerce; Cardholder authentication and other criteria met.

To qualify for UCAF, the customer must initiate payment.

Ecommerce includes online paypage and other electronic payment channels the customer initiates.

  • No. If a customer authorizes to store a card, then after the initial transaction, all subsequent transactions must be sent with the correct transaction type: recurring or repeat sale.

Alternative methods to process Card Not Present orders:

Hosted pay page. The merchant directs customers to web page to pay any invoice online. Acceptable implementation methods have changed in the last year or two for PCI Compliance. For maximum reduced PCI burden, send customers directly to the 3rd party payment gateway web URL. The gateway may or may not be the same as your processor. NOTE: If hosting on your own web site with an embedded payment (iframe) object, PCI requirements have changed; any old forms should be updated.

Electronic Bill Presentment & Payment. (EBPP or EIPP) This is basically a proactive version of the above. As a standalone solution, the merchant user logs in to a gateway web portal, and sends a payment request via text or email which the customer clicks and pays. Integrated to billing software, it sends the actual invoice, and may require customer to login to make the payment.

All the major payment gateways include a Virtual terminal, hosted pay page, and shopping cart checkout capability, tokenization to store card data for future orders. Some, including CenPOS also offer EBPP.

If you accept cards over the phone, gateways with a virtual encrypted keyboard can reduce PCI scope since card data never touches computers or networks.

Christine Speedy, CenPOS reseller, maximizes profits, efficiency, and security with payment processing solutions including EIPP, collections automation, and online payments. She can be reached at 954-942-0483 or cspeedy AT 3dmerchant.com.

 

 

MAGENTO VULNERABILITIES IMPACT PCI COMPLIANCE

Magento, a popular e-commerce platform, released multiple security patches this year, several addressing critical and high credit card data breach vulnerabilities. Merchants that haven’t deployed security patches, as required by PCI standards, are vulnerable to remote exploits that can compromise customer account and credit card data.

One cross-site scripting (XSS) flaw potentially allows an attacker to add malicious JavaScript code to a comment via the PayFlow Pro payment module. The JavaScript code is executed server-side when the targeted site’s administrator views the attacker’s order.

PCI Compliance Requirement 6: Develop and maintain secure systems and applications. All critical systems must have the most recently released software patches to prevent exploitation. The average merchant relies upon third party developers for web site maintenance, but unless specifically contracted to update the e-commerce software and add-on modules, don’t count on it.

Only 16.4% of organizations that had suffered a data breach were compliant with Requirement 6, compared to an average of 64% of organizations assessed by our QSAs in 2014- Verizon 2015 PCI Compliance Report.

Payment gateway implementation requirements have changed over time as a result of cross-site scripting and cross-site request forgery (CSRF) to meet current PCI Compliance standards. Merchants should verify all components of their ecommerce ecosystem are current, and have a system for ongoing monitoring and updating.

RESOURCES

  • Magento Security Center
  • VISA MAGENTO SECURITY ALERT, July 2016
  • Christine Speedy, 3D Merchant Services, offers Magento payment gateway module for merchants to improve their omnichannel customer experience and mitigate risk. B2B customer benefits include friction-less payments across all sales channels; text and email Express Checkout, customer invoice portal for 24/7 ACH, credit card, wire and more payment types, and US EMV with level 3 processing. Magento and ERP modules combine to provide a powerful array of solutions to improve cash flow and profits while maximizing security. 954-942-0483.

 

 

Retailers Ask FTC to Investigate Credit Card Industry’s PCI Security Group for Antitrust Concerns

WASHINGTON – The National Retail Federation today announced that it has asked the Federal Trade Commission to conduct an investigation into an organization founded by the credit card industry that sets data security standards, saying the group’s controversial practices raise antitrust concerns.

“We urge the FTC not to rely on PCI DSS for any purpose, particularly not as an example of industry best practices nor as a benchmark in determining what may constitute responsible data security standards in the payment system or any other sector,” NRF Senior Vice President and General Counsel Mallory Duncan said in a letter to FTC Chairwoman Edith Ramirez and other commission members.

The Payment Card Industry Security Standards Council is “a proprietary organization formed and controlled by a single industry sector – the major credit card networks” and “fails to meet any of the principles adopted by the federal government for voluntary standard-setting organizations,” Duncan said. “We believe you will conclude PCI itself is an inappropriate exercise of market power by the dominant U.S. payment card networks and PCI should not continue setting data security standards through its current processes.”

NRF’s request comes as the FTC is conducting an inquiry into how third-party companies perform assessments of PCI compliance by retailers and other businesses that accept credit cards. NRF understands that the FTC is also considering PCI requirements as an example of industry best practices.

The PCI council was formed in 2006 by the major credit card companies – Visa, MasterCard, American Express, Discover and JCB. It imposes its rules on millions of U.S. businesses but continues to be governed by an executive committee made up of representatives of only those five companies.

In a 19-page white paper submitted to the FTC, NRF said the card companies use their market power to “unfairly leverage their brands and proprietary technology through webs of closely controlled interdependent bodies and compliance regimes” including the council. While portrayed as voluntary, the Payment Card Industry Data Security Standard requirements set by the council are “forced upon businesses that cannot refuse to accept credit and debit cards.”

The council’s practices “raise antitrust concerns” for a number of reasons, including “general antitrust dangers when competitors collaborate on setting market standards” and “more targeted concerns insofar as they allow the networks to leverage their proprietary technology,” the paper said.

Among other concerns, PCI requirements act as “as an anticompetitive barrier to innovation” because they “exhaust” funds and other resources retailers have available for data security, the paper said.

NRF asked that the FTC investigate the council’s practices in general and particularly their impact on competition. The FTC should also reject government use of PCI standards as any benchmark for data security, and instead work with “legitimate U.S. standard setting bodies” such as the American National Standards Institute, NRF said.

NRF is the world’s largest retail trade association, representing discount and department stores, home goods and specialty stores, Main Street merchants, grocers, wholesalers, chain restaurants and Internet retailers from the United States and more than 45 countries. Retail is the nation’s largest private sector employer, supporting one in four U.S. jobs – 42 million working Americans. Contributing $2.6 trillion to annual GDP, retail is a daily barometer for the nation’s economy. NRF’s This is Retail campaign highlights the industry’s opportunities for life-long careers, how retailers strengthen communities, and the critical role that retail plays in driving innovation. NRF.com

PCI Compliance email

PCI Compliance, credit card authorization form, and CenPOS bulletin were all in the February 2016 enewsletter. Did you miss it? Subscribe here for payment news.

PCI Compliance Fail

80% of companies FAIL an interim Payment Card Industry Data Security Standards (PCI-DSS) audit. It’s time to admit it- you’re company is one of the many struggling to keep up with new rules.

Have you noticed $19.95 fee sneak back into your merchant statements?

Check your quarterly scans. You may discover a scan failed with a reason related to SSL.  Fight back to stop these monthly fees. Not only is it premature, but the Payment Card Industry Security Standards Council (PCI SSC) changed the migration to date requiring TLS 1.1 encryption or higher from June 2016 to June 2018.


 Credit card authorization forms – a weak link for compliance

“We keep all cardholder data in a locked file drawer and I’m the only one with a key” does not comply with PCI 3.0 standards.
For new best practices, think like a forensic auditor. In the event of a suspected breach, how will you identify who, what, when, how, and maybe even where card data was touched? Without a system to automate logging, the time and cost of an audit will explode.

TIPS.

  • Unprotected data cannot be sent via messaging technologies such as e-mail, instant messaging, chat, etc. (PCI section 4.2)
  • PAN data (card number) cannot be stored unencrypted. (PCI section 3.x)
  • Sensitive authentication data, which includes the security code (CVV/CID), can never be stored. (PCI section 3.2)

Every moment a paper form exists, there’s an opportunity for misuse and identity theft. If your company extends credit, then Red Flags Rules also apply. The FTC can seek both monetary civil penalties and injunctive relief for violations. All told, the expense of a breach could run over a million dollars, uncovered by insurance, plus ongoing lost business due to damaged reputation.


Is your service provider PCI Compliant?

If a third party touches card data, they’re required to register with the card brands and have an annual on-site audit. That includes your payment gateway, caging service, and other software if their payments are not segregated from the applications. Click here to search the Visa service provider database 


Software Updates
Reminder: PCI section 6.1 mandates software security updates be applied within 30 days.  With all the activity lately, that means every month. Windows XP users are automatically non-compliant. Click here for Internet Explorer & other Microsoft CRITICAL updates issued this year


CenPOS Question of the Month

How can we collect cardholder data for B2B card not present customers without our credit card authorization form?

  1. Hosted online pay page
  2. Electronic request for payment (push to email or text)
  3. Electronic bill presentment & payment
  4. All of the above and a PCI Compliant authorization form

PCI Compliant credit card authorization form example: Video

Training & educational videos https://www.youtube.com/user/3Dmerchant/videos

Christine Speedy


WHAT DOES CHRISTINE SPEEDY DO ANYWAY?
Omnichannel payment solutions targeting  middle market ($10M to $1B per year), primarily to technology companies and distributors. With one call, I can provide any gateway, acquirer, or integrated solution.  Best of all, I’m agnostic- you can keep your merchant services or check processors. Call today for a free consultation and for answers about any burning question for business to business.

CenPOS is a processor agnostic end to end payment engine that increases EBITDA virtually instantly. From compliance to automating collections, we solve everyday business problems. Protecting the front door with US EMV certified multi-lane terminals for all processors and the back door with 3-D Secure certified solutions for customer initiated sales. Now in over 140 countries.

Feb 01, 2016 1:04 pm | Christine Speedy

Replacing ICVerify or other legacy software for batch credit card processing? Whether you’re in the cloud, or headed there, methods of payment processing have changed to meet current and future requirements for PCI Compliance and fraud prevention. For service providers, … Continue reading ?

Jan 25, 2016 11:14 am | Christine Speedy

Winter Storm Jonas is a reminder of the importance for business to business companies to accept payments online. What if you have a desktop terminal, but staff is working from home? How can accounts receivable be reached for call in … Continue reading ?

Jan 13, 2016 8:36 am | Christine Speedy

Getting a VeriFone EMV Vx520, FD55, Vx510, Vx570 CAPK expired error message? Visa has extended the EMV key’s expiration date from 12/31/2015 to 2022, and the terminal must be updated. OPTION 1: UPDATE CAPK FILE ONLY via partial download For … Continue reading ?

Jan 12, 2016 2:04 pm | Christine Speedy

Ready to improve PCI Compliance with token billing? Step by step instructions for CenPOS card not present token billing including creating, modifying, and using tokens follows. In the virtual terminal admin, Create a new Role* or Modify an existing role … Continue reading ?

Jan 11, 2016 12:26 pm | Christine Speedy

Need a 3rd party credit card authorization form template? Don’t count on wikiform.org and other internet resources that scrape the internet for free content and then redistribute it. There’s no guarantee that anything published is accurate, legal, or virus free. … Continue reading ?

Calendar Notes
February 5 – out of office, CenPOS training
February 12 – 15 Tampa/ Orlando
February 18 – 24 Atlanta
Contact me for FREE consultation
Monthly: Login to Paymentech Resource online- use it or lose it

About Christine Speedy

Global payment solutions; focused on card not present and omnichannel merchants. Is your integrated solution failing to keep up with technology? Send me an integration referral and I’ll send you a cool gift!

What credit card data can a merchant store? PCI Compliance revisited.

There’s a lot of misinformation about collecting and storing credit card data, especially in business to business (B2B) environments for card not present transactions. Best card not present practices and how Payment Card Industry Data Security Standards (PCI DSS) requirement 3, protect stored cardholder data, applies are reviewed in this article.

Getting paid for one time it’s not OK to store cardholder data after authorization. The only cardholder data that may be stored after authorization is the primary account number or PAN (rendered unreadable), expiration date, cardholder name, and service code.

Merchants are not permitted to store full track data, which includes the cardholder number (primary account number or PAN) and expiration date or other sensitive authentication data after authorization.

Per Payment Card Industry Data Security Standards (PCI DSS) Requirement 3, protect stored cardholder data, The only cardholder data that may be stored after authorization is the primary account number or PAN (rendered unreadable), expiration date, cardholder name, and service code.

This applies even if the data is protected by:

Encryption
Password protection
Data scrambling/obfuscation
Masking
Proprietary data formats
Other mechanisms

What’s the exception?
Businesses may have a need to store track data (temporarily) for troubleshooting purposes. Why? Track misreads, network errors, encryption issues, etc. This is not a daily business practice, but a temporary solution. PCI requires documentation Ensure documented procedures include:

Collecting sensitive authentication data only when needed to solve a specific problem
Collecting the minimum amount of data needed to solve the specific problem
Storing any such data in a specific, secure location with limited access
Do not retain more data than needed
Encrypt data when stored/transmitted
Securely delete data immediately when troubleshooting is complete
Include a destruction practice
Verify data cannot be retrieved once troubleshooting is complete

Typical location of card verification value or codes include:

Paper
Databases
Flat files
Log files
Debug files

Systems that commonly store card verification value or code data:

Authorization servers
Web servers
Kiosk

Card verification value or codes are NOT required for recurring card-not-present transactions.? If your system requires you to key enter the CVV each time, this is a red flag. Ensure your systems is sending transactions with the proper flag for unscheduled credential on file. Reasons why you would have to enter every time:
Using a desktop terminal and key entering each time. The transactions are not being sent with correct indicator.
It’s also a PCI DSS requirement that unprotected PANs must not be sent or received via any end-user messaging technologies (such as e-mail, instant messaging, and chat). However, users may not be aware of this, and may be e-mailing PANs internally or even externally without the organization’s knowledge