Credit Card Expiration Updater & Recurring Billing

Posted on January 11, 2017 by Christine Speedy

Are automated recurring billing transactions declining due to expired credit cards? This article identifies methods to automate credit card expiration updating for installment, fixed recurring, and variable recurring token billing transactions.

All credit cards on file are managed at the payment gateway level for PCI Compliance. The ‘token’ is the alpha numeric character set that replaces sensitive card data. Businesses have access to the token, but not the sensitive cardholder data, after it’s stored. With token management, users can update the credit card expiration date manually. No other fields can be modified. If the CVV – CID security code or card number changes, a new token is created for the new card.

Per rules of card acceptance, the actual expiration date must be used. There have been recurring billing software solutions on the market that simply change the expiration date for recurring transactions with expired cards, for example by changing the date by one year. This enabled transactions to go through with an authorization in some cases because the expiration date was not validated by the issuer. However, for chargeback rights, the expiration date must be provided by the Cardholder and must be correct.

Credit Card Expiration Date Updater Methods

Self credit card updating. An email is generated by the recurring billing platform and or payment gateway alerting the cardholder of an upcoming expiration. The cardholder then self-updates their payment method via a web portal. While effective at reducing phone calls for updating, it still requires action by the busy cardholder, thus, many still go unattended until the point that a transaction fails. This impacts profits with attempted transaction fees, the time to manually reach out to customers, and cancellations; We all know that sometimes a customer pays for a service they do not use effectively, but don’t bother to cancel. Once they have to update their card… the revenue stream can be lost.
Automated credit card updating via the card brands. Merchants must register for the service with their merchant services provider, and must have a payment gateway that supports the updater service. Visa and MasterCard charge a one time fee for registration. There’s also a fee per card updated, which varies by merchant services provider; typically, the provider will mark up for profit.

Credit Card Expiration Date Updater Costs

One-time Visa Account Updater (VAU) Setup fee $250, MasterCard Automatic Billing Updater Setup fee $350 per merchant account. The fee per update varies. For example, we charge $.09 as of this writing and clients have been quoted $.30 by other companies.

Recurring Billing Compliance Alert

Significant changes are coming to recurring billing. After the first authorization, all subsequent recurring billing transactions are to include a unique reference to the initial authorization. This must be managed seamlessly in the background at the payment gateway level. Adding a new field to the transaction process is significant and the challenges are likely on par with the launch of US EMV. Expect problems in the next 12-24 months as gateways struggle to comply with these requirements.

Refer to Visa Public Rules, and search for “recurring”, including section 5.9.9 Prepayments, Repeated Payments, and Deferred Payments, for more details.

CenPOS and Credit Card Expiration Date Updater

CenPOS, an enterprise payment gateway and merchant centric processing platform, supports the account updater services. As your CenPOS representative, I can activate the service on CenPOS for you, however, if your merchant services resides with a third party, you’ll still need to register through them. Before proceeding, contact Christine Speedy at 954-942-0483 for more information.

Visa Partial Authorization Service

Posted on December 29, 2016 by Christine Speedy

Visa merchant library update on December 13, 2016. Visa provides a Partial Authorization service that provides an alternative to declining a transaction when the card’s available balance is not sufficient to approve a transaction in full. This flyer provides information about the benefits realized, how to use the service, and answers to frequently asked questions.

PDF 326 KB Visa Partial Authorization Service – Improve the Customer Experience and Increase Sales

“Partial authorization improves the customer experience by preventing embarrassment from a decline at the point of sale and enabling a seamless checkout with split tender transaction using multiple payment methods.” Christine Speedy

To accept partial authorizations for your business, a few items are needed:

Technology that supports it. Payment gateways certify partial authorization for each acquirer. Not all gateways certify. The receipt must also show each payment amount.
The merchant must enable it. For example, this could be a checkbox in the ERP or shopping cart software payments module, or it might be turned on at the gateway administration level. It’s possible a gateway is certified, but the related software using the gateway does not support it.

If partial authorization is not supported, and there’s a decline due to insufficient funds, there’s still an open authorization for the funds that were in the account. An authorization reversal should be completed to remove hold on any cardholder funds. If you don’t want screaming customers, this is a must! Intelligent technology can automate this process.

Compliance with credit card processing rules can be extremely complicated. Relying upon employee training is futile. To improve your customer experience and automate rules compliance, contact Christine today at 954-942-0483.

What is CAVV Authentication Verification Value?

Posted on November 8, 2016 by Christine Speedy

Cardholder Authentication Verification Value, or CAVV, are potential responses for customer initiated Visa debit and credit card transactions where the Verified by Visa, or Vbyv, authentication method is used. E-commerce, online payments, and Electronic Invoice Presentment & Payment (EIPP or EBPP) are all solutions in which a customer can participate in self-authentication.

How does CAVV impact interchange rates, the bulk of credit card processing fees?

To qualify for CAVV interchange rates, merchants must register for Verified by Visa through their merchant services provider, and must use a payment gateway that supports the service as part of the transaction process. In addition, other rules apply such as settlement time and more; the latter part can be managed automatically with an intelligent payment gateway.

The best Visa Card Not Present Key entered transaction credit rate is 1.80%.
The same Visa transaction as above, but with a valid CAVV response is 1.70%.

How does CAVV impact fraud risk?

If a passed validation response is returned, then fraud risk shifts to the card issuer. Responses other than ‘fail’ may warrant additional scrutiny as part of a layered approach to mitigate fraud risk.

CAVV Transaction Response Code Values:

“ ” – Blank CAVV or AEVV Not Present
0 – CAVV or AEVV Not Validated due to erroneous data submitted
1 – CAVV or AEVV Failed Validation – Authentication Transaction. This is an indication of potential bad or fraudulent data submitted as the CAVV/AEVV.
2 – CAVV or AEVV Passed Validation – Authentication Transaction
3 – CAVV or AEVV Passed Validation – Attempted Authentication Transaction. (Determined that the Issuer ACS generated this value from the use of the Issuer’s CAVV/AEVV key[s]).
4 – CAVV or AEVV Failed Validation – Attempted Authentication Transaction. This is an indication of potential bad or fraudulent data submitted as the CAVV/AEVV. (Determined that Visa generated this value from the use of CAVV/AEVV key[s]).
5 – Reserved for future use – NOT USED
6 – CAVV or AEVV Not Validated – Issuer not participating in CAVV/AEVV validation. This value is generated when an Issuer requests the “do not verify” flag to be established for its BINs. This parameter enables an Issuer to temporarily stop CAVV/AEVV verification while resolving CAVV/AEVV key issues. VisaNet processes this value as a valid CAVV/AEVV.
7 – CAVV or AEVV Failed Validation – Attempted Authentication Transaction. This is an indication of potential bad or fraudulent data submitted as the CAVV/AEVV. (CAVV/AEVV generated with Visa Key)
8 – CAVV or AEVV Passed Validation – Attempted Authentication Transaction. (CAVV/AEVV generated with Visa Key)
9 – CAVV or AEVV Failed Validation – Attempted Authentication Transaction. This is an indication of potential bad or fraudulent data submitted as the CAVV/AEVV (CAVV/AEVV generated with Visa Key – Issuer ACS unavailable)
A – CAVV or AEVV Passed Validation – Attempted Authentication Transaction. (CAVV/AEVV generated with Visa Key – Issuer ACS unavailable)
B – CAVV or AEVV Failed Validation – Attempted Authentication Transaction. This is an indication of potential bad or fraudulent data submitted as the CAVV/AEVV. (CAVV/AEVV generated with Visa Key)
C – CAVV or AEVV Not Validated – Attempted Authentication Transaction. Issuer did not return a CAVV/AEVV results code in the authorization response. VisaNet will treat this as valid CAVV/AEVV if the Issuer approves the authorization.
D – CAVV or AEVV Not Validated – Authentication – Issuer did not return a CAVV/AEVV results code in the authorization response. VisaNet will treat this as valid CAVV/AEVV if the Issuer approves the authorization.
I – Invalid Security Data
U – Issuer does not participate or 3-D Secure data not utilized.
Default space filled

Note, other card brand authentication terms are AEVV, American Express Verification Value and MasterCard Universal Cardholder Authentication Field (UCAF^™). All of these, including VbyV, use the global standardized 3-D Secure XML security protocol. Payment gateways can implement 3-D Secure in different ways, which can potentially impact profits and risk.

For CenPOS solutions to enable customer cardholder authentication, including payment gateway, contact Christine Speedy today. Not all solutions work alike, contact an expert.

Online Payment Form Security Alert

Posted on October 25, 2016 by Christine Speedy

Is your online payment form out of date and a security risk? Securing online payment forms requires an annual review at a minimum. Just because a hosted paypage form still works, doesn’t mean it’s secure or PCI Compliant.

PCI Compliance requirements have steadily tightened since 2014 for pay pages and all ecommerce transactions.

Hosted paypage options:

Merchant hosts the form and collects payment on their web site. Beginning with PCI 3.0, significant additional PCI burden applies. Highest risk.
3rd party payment gateway hosted pay page; Provide a link directly to customers to pay. The form is served by and submitted by the payment gateway. It significantly reduces the potential for malicious activity that could compromise cardholder data. Lowest risk.
An iframe hosted paypage has the appearance of residing on the merchant web site, but the payment data is captured by the 3rd party directly on their web host. The implementation method using iframes for payments has changed over the years to meet current PCI Compliance requirements, including to combat malicious javascript and Cross-Site Scripting threats.

“If your iframe hosted paypage hasn’t been updated in the last year or so it’s likely not PCI Compliant,” Christine Speedy, Card Not Present Expert.

A payment gateway is a secure transaction engine that facilitates the transfer of sensitive information to the processor, and is required for all online payment forms. Some gateways provide online payment forms at no additional charge. Vendor selection has a significant impact on risk mitigation, payment processing fees, efficiency, and PCI Compliance burden.

A payment gateway can be proprietary to a specific processor, or agnostic and compatible with multiple processors. While one provider for both services may seem to be the best choice, there are significant reasons the opposite may also be true, including risk mitigation. Bots present a significant risk of exploitation of online payment forms and may result in profit loss if additional steps are not implemented to mitigate risk of ‘card testing’, where criminals use online forms to submit fake transactions to determine if cards are good or bad. Every attempted transaction has an associated cost with it, and adding in chargeback fees from resulting disputes, the result could be tens of thousands in dollars in fees in a matter of hours.

If you don’t want to be the next law firm, CPA firm, hotel or distributor data breach headline, consult with a payments expert that understands the financial and risk ramifications of one payment gateway choice and implementation method over another vs ecommerce consultants or bankers that may have limited in-depth expertise to maximize your profits and mitigate risk exposure.

TIP FOR NON-TECHS: Does your online payment form look good on smart phones and other mobile devices? If not, there’s a pretty good chance your online payment page needs an update and is not PCI Compliant.

RESOURCES:

PCI – Payment Card Industry Data Security Standards
https://www.us-cert.gov/publications/securing-your-web-browser
http://pcisecuritystandards.org

For PCI compliant solutions to collect online payments from your customers, contact Christine Speedy today. Get paid via your preferred methods, including ACH, credit card, wire and Paypal, while increasing security and convenience.

Authorize.net Duplicate Transaction Settlement Error

Posted on October 20, 2016 by Christine Speedy

Authorize.Net experienced an issue during a system update on October 17th that caused a subset of previously settled transactions from September to be sent for settlement again between October 17th and 18th. This issue is no longer occurring.

Authorize.Net is currently working to address any duplicate transactions in order to resolve the duplicate funding to merchants and potential duplicate transactions to their customers. We have already contacted your affected merchants and will continue to do so as we have updates.

If your merchants contact you about this issue, please advise them to NOT take any action on these transactions while we work to address them.

We will follow up with you with any further information, including information on potential reimbursements, as it becomes available.

To locate these transactions, please have your merchants follow these steps:
Log into the Merchant Interface at https://account.authorize.net/.
Click Search from the main toolbar.
Click Search by Batch from the menu on the left.
Select October 18 and October 17 in the From and To drop-down boxes in the Settlement Date section.
Click Search.
Any impacted transactions will have a Submit Date from September 20-25.

We apologize for this error and any inconvenience it may have caused. If you have any questions regarding this email, please contact support.

Sincerely,
Authorize.Net

###

Blogger Note: While uncommon, duplicate transaction and duplicate settlement issues do happen. They can emanate from anywhere in the transaction chain, though the payment gateway, or payment processor are likely more common causes. Because of that, merchants are advised to do nothing and the party that caused the problem usually reverses all the errors on behalf of merchants, typically within a day or two.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Card Not Present, CenPOS, credit card processing

B2B Cloud payment processing technology blog about increasing profits, efficiency and security.

Category Archives: Merchant Services