3 Things Accountants Must Advise B2B Clients in 2020

Credit card processing may be a big part of the revenue stream or a small part. It doesn’t matter. B2B companies all suffer from the same issues that impact EBITDA and risk. Compliance, cost and security. It’s fair to say, most businesses have no idea what the hot buttons or repercussions are.

Three things every B2B company needs to know about credit card processing right now:

  1. If you store credit cards, you must be compliant with Visa Stored Credential Framework. I posted this in 2017. Guess what? Most payment gateways (if you accept payments online from an invoice or any other source, a payment gateway is involved) are still not compliant! There are significant financial and risk consequences for non-compliance, including penalty fees, fines, and issuer generated chargebacks.
  2. Failure to settle transactions with a proper authorization will be even more expensive starting in April 2020. For example, many Visa credit card rates will go to 3.15%, reflecting upwards of 0.75% increase in some cases; that’s strictly interchange fees, nothing more. Instead of assuming you’re already settling properly, go to your merchant statement and look for DATA RATE I (instead of Data Rate III), STD/Standard, and EIRF. Do you have any of these? See also https://3dmerchant.com/blog/merchant-processing-services/credit-card-transaction-fees-checkup
  3. It’s a Visa rules violation to request the card security code on a paper credit card authorization form, or any digital form where the business can decrypt and view it. It can’t be stored, period. Not by the merchant nor service provider, including payment gateway. Yet even the AICPA

Why these 3 things? Because 100% of B2B companies I talk to will fail on at least one, and usually two or three. That includes CPA firms. Among the American Institute of Certified Public Accountants missions is to provide “the most relevant knowledge, resources” etc. Yet as of this writing, AICPA affinity credit card processing partners include a long list of technology solutions that are not compliant with all three of the above.

86% of all data breaches in 2016 were from level 4 merchants, defined as “Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.” By complying with the three items on my list, B2B companies will harden their systems and increase profits. The latter occurs because compliance with rules reduces fees. 

If your current acquirer could truly fix all the problems above, why haven’t they taken the initiative to help you in the past? By the way, if someone ever says they help you qualify for level 2 rates, run! All B2B companies should have the right technology to qualify for level 3 rates. Why pay more?

Christine Speedy, 954-942-0483. For a fast, free checkup on your merchant account, contact us today for a secure, cloud-based solution optimizing acceptance for all payment types across multiple channels without disrupting banking relationships.

New Visa SaaS subscription rules for trial periods

Effective April 18, 2020, merchants must comply with new Visa subscription billing terms and conditions. These are, once again, big changes that merchants must take action on to comply with. The payment gateway will be critical, and not all are ready to meet the new technology requirements for authorization and receipts.

Who do the new Visa rules apply to?

  • All merchants globally
  • Merchants that offer a free or discounted introductory offer as part of a subscription service

What are key Visa SaaS subscription changes?

  • Merchants must get express consent to enter into agreement for recurring billing. For example, if an online purchase, a checkbox agreeing to the terms is acceptable.
  • Notification via text, email, or other agreed upon method (not realistic for most businesses), of the subscription terms including start date, product/service details, billing frequency, billing start date, and link to cancel.
  • Notification at least 7 days in advance of the expiration

Revised sale transaction receipts are required.

  • Details to include length of trial period, introductory offer, or promotional period, and notice the cardholder will be charged unless the cardholder takes steps to cancel.
  • Date it starts, even if no payment is due, and date subsequent recurring transactions begin.
  • A link to cancel or other simple method.

Payment Gateway and settlement changes to support new Visa Authorization is required.

Many payment gateways are not yet compliant with the October 2017 stored credential mandate and they won’t be ready with this either as it is not a simple update.

  • A new descriptor, “trial” or similar, must be sent with Merchant Name field of the Clearing Record for the first transaction at the end of a trial period. This descriptor will then appear on cardholder statements, online banking etc.

“This is another huge change that most merchants will probably have difficulty complying with because of outdated payment gateways,” according to Christine Speedy, 3D Merchant Services payment gateway expert.

Merchants must make it easier to cancel recurring billing.

This is actually an extension of rules and recommended changes over the last few years. For example, if a customer signs up online, they should be able to cancel online, not have to call on the phone. The new rule now says regardless of where they signed up, retail store or other, they must be able to cancel online.

Visa expands cardholder dispute rights for subscription billing via existing condition “Misrepresentation”.

Basically, merchants need to be able to prove that the cardholder expressly opted in, and they notified customer before processing after the trial period.

Visa will actively monitor trial period compliance.

This is huge. While they don’t state how, the advances of Artificial Intelligence (AI) make if fairly easy. Additionally, merchants that are using recurring billing properly already notify the parties in financial ecosystem that they are doing recurring billing via the 2017 recurring billing stored credential changes.

What are merchants benefits to comply with Visa rules?

Merchants can expect increased authorization approvals, better rate qualification (higher profits), and increased customer satisfaction. Merchants avoid getting shut down, fined, assessed fees, penalty fees and also reduce customer service bandwidth.

DISCLAIMER: condensed and incomplete information. Information may be quickly outdated. Follow links from our Merchant Rules web page here or click here to download Visa’s PDF with review and quick reference card. Two page PDF, 675kb.

Call Christine Speedy for compliant payment gateway solutions to maximize profits and improve your customer experience. 954-942-0483, 9-5 ET for all your recurring billing and stored credential payment gateway and virtual terminal needs.

D365 Customer facing invoice portal D365 F&O

Looking for D635 F&O solution for clients to access online portal to view and pay invoices? One of the key solution differentiators is the integrated payment gateway for credit card processing. Easily overlooked, it’s most impactful on profits. Other than merchant discount, the payment gateway is the single largest influence on the cost of credit card acceptance and chargeback risk.

How can a payment gateway impact costs?

  1. Authorization management. There’s a slew of rules, which are continually changing, regarding what has to happen in order to qualify transactions for the lowest cost possible. Virtually no payment gateways support all of them. For example, authorize.net doesn’t support unscheduled credential on file (stored card on file). Reference https://community.developer.authorize.net/t5/Integration-and-Testing/Visa-Stored-Credentials/td-p/60149. The average cost differential for a Mastercard business card is 1% for a transaction with valid authorization vs invalid (but approved).
  2. Customer disputes and chargebacks. A merchant can only defend disputes if they have proper authorization in #1. Instead of wasting time defending disputes, merchants can prevent them with 3-DSecure 2.0, a global cardholder authentication solution. If the payment gateway supports it, “it wasn’t me, I didn’t authorize it” goes away; liability belongs to the issuer.
  3. Rate Qualification. Items 1 and 2 above both reduce the cost of card acceptance. So does supporting level 3 data. It amazes me how many calls I get from consultants and merchant services salesmen that just want to help their customers qualify business and purchasing cards for level 2 rates. Why wouldn’t you want all clients to qualify for level 3 rates, which are substantially lower for business to business transactions?
  4. Stored credential compliance. This is not just securely tokenizing cardholder data, but complying with a new set of rules established in 2017, which all merchants and acquirers are required to comply with. Payment gateways have no such requirement. They can choose to provide the services to clients or not. The trickiest is unscheduled credential on file, which is what most business to business companies need, unless they have a SaaS billing model. Towards the end of 2019, a few more gateways were offering this, but the list is very small.

Few payment gateways support all four items above.

Call Christine Speedy for D365 F&O invoice portal with compliant payment gateway to maximize profits and improve your customer experience. 954-942-0483, 9-5 ET for all your recurring billing and stored credential payment gateway and virtual terminal needs.

PSD2 compliant payment gateway

Need a payment gateway that supports Strong Customer Authentication (SCA) requirements for the EU Payment Services Directive (PSD2)? The EU requirements went into effect September 14, 2019 and like many new regulatory and card acceptance rules changes, some payment gateways are ready, some are not, and some may never get updated. This article addresses online payments and ecommerce transactions only.

Do US companies with a US merchant accounts need to comply with PSD2?

Yes. This is hard to decipher when researching, but the key is, yes must comply if a transaction even ‘passes through’ the EU.

  • One leg out (OLO) transactions in any currency (where one of the Payment Service Providers (PSPs) is located inside the EEA and the other PSP is located outside the EEA). For example, a transaction involving US merchant account and an EU card issuer.

How does PSD2 Strong Cardholder Authentication impact US merchants?

  • It’s not required for Ecommerce transactions from EU cardholders to US merchants with US merchant accounts.
  • US merchants may experience increased issuer declines if not using SCA.
  • US merchants will likely experience increased fraud as the pool of web sites shrinks where criminals can commit fraud and get away with it.
  • GDPR regulations for ecommerce transactions from EU cardholders to US merchants with US merchant accounts does apply; choose payment gateways that support both GDPR and 3DS v2.2.0.

Which online payments are exempt from PSD2?

  • Commercial cards where there is no cardholder name, and thus no way to authenticate an individual.
  • Recurring transactions for the same amount- PSD 2 applies for the initial transaction. If the amount changes, PSD 2 applies. PSD 2 applies for Unscheduled Credential On File for each transaction unless cardholder whitelists as per next item.
  • White-lists of trusted beneficiaries- cardholders can notify their issuer to allow payments to go through without SCA after initial transaction.

How can merchants get compliant with PSD2?

Merchants should use a payment gateway that supports 3DS v2.2.0, which supports Strong Customer Authentication or SCA. Visa specifically states in their rules (Table 5-17: Acquirer Support of Visa Secure by Region/Country – Requirements) that acquirers in the EU must process transactions using Visa Secure, which is their version of 3D Secure, a global protocol for securing card not present transactions. Only 3D Secure 2.x, not 1.0, meets the PSD2 requirements, with v2.2.0 being the most current as of this writing. This will get merchants compliant with PSD2.

Which payment gateways support 3DS v2.2.0?

Because the payment gateway may one of multiple components in the checkout process it may not be on a certification list. One popular payment gateway apparently is not being updated- Authorize.net; users are advised to upgrade to Cybersource per the Cybersource web site.

Want a GDPR and 3DS v2.2.0 compliant payment gateway for your business? Contact us for solutions.

Resources:

DISCLAIMER: condensed and incomplete information! Information may be quickly outdated.

Want a GDPR and 3DS v2.2.0 compliant payment gateway for your business? Call Christine Speedy, 954-942-0483, 9-5 ET.

D365 ERP F&O credit card processing

Need a credit card processing solution for D365? What you used in Microsoft Dynamics AX is probably not what you want for Microsoft D365 F&O. That’s because most payment gateways are horribly outdated with current payment processing requirements. Aside from PCI compliance, equally critical is compliance with the card network rules.

Three things you need to ask before selecting a payment gateway for D365:

  • Does the payment gateway support Unscheduled Credential On File?
  • How will you identify expired authorizations and update them?
  • If the initial authorization and final settlement are different, how does the payment gateway manage the authorization so that you can meet requirements for level 3 processing?

D365, ERP, and ecommerce consultants are generally not great resources for the last mile- getting paid, because it’s not their core expertise. If anyone tells you here are two or three options, you choose whichever you want, RUN! Each payment gateway has unique attributes. You need a consultant that not only knows payment processing, but also knows differences between payment gateways and how each will help or hurt your goals.

How can you find a good D365 payment gateway consultant?

While there is not a specific certification that is critical, it helps to have some type of certification vs just experience. The PCI Council offers a few different options, all of which are expensive which is why most people won’t bother getting them. However, because level 4 merchants are required to use only PCI QIR certified individuals, the PCI Council has lowered the cost (as well as the complexity, but that’s another story) to increase the number certified.

Since you’re reading this article, you’re looking for expert help. You’ve found it. I’ve been blogging about payment processing for years. I have used, sold and implemented solutions for authorize.net, PayPal, Payflow Pro, CenPOS, First Data, Chase Paymentech and many, many others. I’ve analyzed merchant statements, ecommerce shopping carts, ERP’s, merchant processors / acquirers, and a host of solutions that interact to impact merchant security, fraud risk, processing fees, and efficiency. Because I’ve seen what happens after the sale, including non-qualified transactions, chargebacks, risky security practices that often go against company policy but employees do it anyway, and more, I’m in a better position than most to give you the best advice for business to business, business to government, large transactions, card not present sales and specialty retail. If I don’t know it, I research everything and ask lots of questions that consultants and merchants don’t know to ask.

The Christine Speedy difference. PCI compliance is important to mitigate data breach risk, but equally important is compliance with complicated card network rules. Have you read any of the 1,000+ pages of Visa Rules? Or 300+ Mastercard transaction processing rules? Have any of the people you rely on? I’ve spent countless hours educating myself on them and learning about the nuances that impact your profit and risk. Technology directly impacts compliance. It doesn’t matter how big or how old a company is; the reality is most players in the payments industry fall behind with every new rule that comes out, even though these rules are usually announced years in advance so that they can prepare. Call 954-942-0483, 9-5 ET for expert advice about all things payments.