ERP and Payments: PCI Compliance Nightmare

A PCI Compliant ERP solution doesn’t make a merchant PCI Compliant. The features of the payment integration drive customer decisions to use or not use an ERP payment module. When payment vendor choices are restricted artificially by using technology to control merchant services options, merchants often enter ERP relationships with a level of dissatisfaction right from the start.

Severely restricted payment gateway options, especially for business to business, result in either the merchant using an alternative non-integrated payment solution, thus sacrificing efficiency, or using the integrated solution and failing to meet PCI 3.0 requirements or other payment needs. How can I make this statement? B2B companies that accept credit cards typically have a portion of their sales via the telephone. To mitigate the risk of fraud, they use paper credit card authorization forms. However, the forms are inherently risky in many ways.

  • Sensitive authentication data, which includes the security code (CVV/CID), can never be stored.
  • Forms offer the option to send via email. Unprotected data cannot be sent via messaging technologies such as e-mail, instant messaging, chat, etc. (PCI section 4.2). Even if the form doesn’t offer it, customers sometimes ignore instructions and send it via email.
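As an added example (not part of the original post), a small scanner a merchant's mail or help-desk team could run over inbound messages to flag exactly the two problems the bullets above describe: a card number (PAN) sent unprotected, and a security code that must never be retained. The sample messages and the CVV keyword list are constructed for the example.

```python
import re

# Constructed sample messages, not real customer data. The card number is the
# well-known Visa test PAN 4111..., which passes the Luhn check.
SAMPLE_MESSAGES = [
    "Hi, attached is the signed authorization form. Card 4111 1111 1111 1111, "
    "exp 09/27, security code 123. Please ship today.",
    "Order #48213 confirmed, invoice total $1,240.00. Reference 1234567890123.",
    "Please call me at 555-0100 to take the card over the phone.",
]

# 13-19 digits, optionally separated by spaces or hyphens, not inside a longer run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Sensitive authentication data: a 3-4 digit code introduced by a CVV-style label
# (the keyword list is an assumption; extend it to match your customers' wording).
CVV_NEAR_KEYWORD = re.compile(r"(?i)\b(?:cvv2?|cvc|cid|security code)\D{0,12}(\d{3,4})\b")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(digits: str) -> str:
    """Keep first six and last four, the most PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_message(text: str) -> dict:
    """Flag Luhn-valid PANs and CVV-style codes in one message body."""
    pans = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):          # drops invoice/reference numbers
            pans.append(mask_pan(digits))
    cvv_present = CVV_NEAR_KEYWORD.search(text) is not None
    return {"pans": pans, "cvv_present": cvv_present,
            "violation": bool(pans) or cvv_present}

def scan_mailbox(messages):
    """Return (index, findings) for every message that carries card data."""
    results = [(i, scan_message(body)) for i, body in enumerate(messages)]
    return [(i, r) for i, r in results if r["violation"]]
```

Flagged messages are the ones that need the card data handled out of band and purged from the mailbox; only the masked PAN is kept in the finding so the report itself does not become cardholder data.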

In the absence of a best practice, employees will revert to whatever is necessary to get their job done and reduce the risk of looking bad (fraud losses). If the ERP payment module doesn’t help merchants eliminate credit card authorization forms, the entire operation may be at risk of a potential data breach.

For retail, data breaches have become commonplace. Few ERP Point of Sale (POS) solutions are using Point to Point (P2P) encryption and other best practices to reduce data breach risk. They raced to bring mobile to market, and many now have neither EMV chip terminals nor P2P, both gaps increasing financial risk to merchants.

Why does an ERP restrict options for merchant services? Because it’s part of their revenue stream. When competition is eliminated, there’s almost no chance of having the best solution in the marketplace. The proof is a long string of failures to meet business needs: failure to offer electronic bill presentment and payment, which would increase cash flow and efficiency; failure to offer a US EMV chip card acceptance solution prior to the liability shift; failure to offer level 3 processing for all sales channels. Failures reduce cash flow, profits, and security as companies attempt to work with the ERP limitations, or find ways to work around them.

The argument that it’s to protect merchants from data breaches is only partially true. For any modern payment gateway integration, the payment activity is usually outside the ERP to reduce PCI scope. That won’t change from one gateway to another, so the risk doesn’t change, provided the third party gateway is level 1 PCI Compliant.

Examples of ERPs that restrict payment gateway and merchant services choices are NetSuite and Sage. Additionally, consultants are often compensated for payment gateway recommendations. Consulting with an independent payment specialist, like blog author Christine Speedy, can expose pros and cons of different options.

ERPs holding onto merchant services and gateway revenue streams are short sighted, as these are business practices that anger customers. Can you imagine if an ERP wouldn’t communicate with any other software, for example, Magento? ERPs focused on delivering the best business software for all facets of a business, and on enabling the merchant to follow best practices for PCI Compliance, must give users the flexibility needed to run their business with their own financial partners.

If an ERP relies so much on their revenue stream from merchant services revenue share that they won’t let you choose your own financial partners, I’d think seriously about whether it’s the best ERP for your business.

Microsoft Dynamics AX EMV terminals certified today

EMV chip certified solutions are now available for Microsoft Dynamics AX. As they’re still fairly new, it’s important to ask questions about functionality. EMV chip card acceptance certification is complicated, which is why many companies did not complete their certifications by the October 2015 liability shift.

Dynamics AX EMV for Retail tips to compare solutions:

  • How is PIN debit managed? Is EMV chip and PIN supported? Can customers bypass entering a PIN? This is important because whoever supports the highest level of security determines liability for fraud.
  • Is level III data supported? This is important if the customer base includes business to business. For example, building materials distributors have retail and wholesale customers, and qualifying transactions for level 3 interchange rates can significantly improve profits.
  • What are the acquirer options? Can you choose your own, or are you required to use a specific processor?
  • Is P2P supported? Point to point encryption is an extra layer of security to prevent data breaches from malware and other criminal activities.
  • What is the audit trail? Identifying who did what and when is a part of PCI Compliance.
  • Can user functions be limited by job role, as required for PCI Compliance?
  • If omnichannel, how will the solution help with all sales channel needs?
[Image: Verifone MX915 multilane signature capture terminal]

[Image: Ingenico iCMP mobile EMV terminal]

Christine Speedy, 3D Merchant Services owner, can help guide you through the complexity of choosing the best solution for your business. Which terminal is certified with which processor? From mobile to multilane, Christine’s knowledge and experience will help you implement faster, and take the pain out of consulting with multiple vendors that come up short on solutions.

Steps to Reduce Credit Card Fraud For Distribution Industry

Credit card fraud is still rampant in the US, even after the US EMV liability shift convinced many merchants to purchase terminals to support chip cards. Marine, auto, and other high value parts dealers have long had a problem mitigating fraud risk with local and international parts.

  1. For card not present orders, require self-pay with cardholder authentication. Taking cards over the phone, and/or requiring a credit card authorization form, will not protect against all forms of counterfeit card fraud. However, consumer authentication shifts liability back to the issuer; the issuer guarantees payment, and because it’s lower risk, dealers can qualify for lower interchange rates, the bulk of merchant fees. Online payment, ecommerce payment, and electronic bill presentment and payment are the 3 methods dealers can use to enable self-payment.
  2. For retail orders, EMV is mandatory. Not by regulation, but by necessity. If a chip card is presented and the merchant supports chip acceptance, the merchant is 100% protected from counterfeit card fraud, and sometimes from lost or stolen cards; if the merchant does not support chip, the merchant can be automatically charged back at the issuer’s discretion and there’s no dispute process for merchants.
  3. Check guarantee. Whether in person or via echeck, check guarantee services are only good if they don’t reject your checks later on. Surprisingly (or maybe not), some services seem to look for ways not to approve your claim, such as information missing from checks. This can be avoided with technology that forces users to collect the right data, including for remote self-payers.

If all of the above are implemented, dealers are protected from virtually any type of credit card fraud. The following tips will help prevent other types of lost disputes, or serve as supporting documentation if not all the above are implemented.

  1. Get a signed sales order. This can reduce non-fraud claims related to disputes about what was expected. The sales order should clearly state what was sold, the refund policy, and the cancellation policy, or refer to another document that specifies the information, with acceptance initialed on the sales order.
  2. Ship to the cardholder billing address. If not possible, then get cardholder approval that acknowledges the bill-to and ship-to addresses are different.
  3. Require that all communications go to the cardholder’s business email address if selling wholesale. Free email like Gmail is not OK.
  4. Require the cardholder to respond from the business email address approving the transaction receipt. This is a strong document in the case of a dispute for “I didn’t approve it”, especially when a third party is picking up the part from the dealer.
  5. The marine, automotive and other distribution companies are hit particularly hard with non-qualified transaction penalties when shifting between retail, key entered, and online payments. It’s critical that transactions are presented properly not only to qualify for lower rates, but to protect against lost disputes that require specific evidence for each type of transaction.

Not related to security, but critical for interchange rate qualification, the bulk of credit card processing fees, all services (retail, MOTO, ecommerce) should support level III processing.

In summary, dealers need US EMV and cardholder authentication to maximize risk mitigation from credit card fraud. US EMV requires terminal certification, and gateway certification* to your merchant account provider. Cardholder authentication requires a payment gateway certified for the service. There are very few companies that meet all these requirements, so if your credit card processing salesperson gives you a blank stare when you ask, it’s time to explore other options.

*A payment gateway certified for level III retail to your acquirer is required; countertop terminals are incapable of sending level III data.

3 Profit Boosters for Lumber, Building Materials, Distribution Companies

Lumber, building materials, and distribution companies increase profits and cash flow almost instantly with these credit card processing and accounts receivable tips.

  1. Use a credit card processing solution that supports level III processing for retail. Prior to the October 2015 EMV liability shift, there were more companies that offered this, but today, to my knowledge, we offer the only solution that has both US EMV and level 3 retail certification.
    [Image: Sample interchange rates for the same credit card transaction; failing to qualify for level III is costly.]

    Benefit: Potential 1% or more profit margin increase. TIP: No countertop credit card terminal supports level 3 due to the data that must be sent with transactions; no bank currently offers a level 3 retail solution with US EMV. A cloud-based payment gateway is required.

  2. Ensure key entered transactions are sent for authorization with the MOTO (mail order, telephone order) transaction type indicator. If not, the transaction will default to the highest ‘non-qualified’ interchange rate possible for the card type, and in the event of a dispute, the merchant must be able to produce a signed receipt. TIP: Never key enter on a countertop terminal since it is set up for RETAIL. The best solution manages proper presentment for processing automatically so employees don’t need to understand the nuances of the best way to process any transaction to qualify for lower rates or mitigate risk.
  3. Enable online payments, with level III credit card processing. By empowering customers to pay 24/7, they’ll pay faster to clear up credit lines to buy more. Also, with cardholder authentication, payment can sometimes be guaranteed against fraud and qualify for even lower interchange rates due to lower risk; key entered transactions carry more risk and while risk can be mitigated, payment is not guaranteed. Accepting alternative methods like ACH, wire, and PayPal will also reduce friction, increase efficiency and increase cash flow.

Batch processing accounts receivable and donations - Caging services solutions

Replacing ICVerify or other legacy software for batch credit card processing? Whether you’re in the cloud, or headed there, methods of payment processing have changed to meet current and future requirements for PCI Compliance and fraud prevention. For service providers, including non-profit mail processing, payment gateway selection impacts efficiency, merchant fees, and even client PCI Compliance burden.

The first way efficiency can be increased is the batch upload process. It’s basically the same for credit card processing and check processing. Here are comparisons of payment gateway methodology for batch upload services:

CenPOS Batch Processing File Upload

  1. Save file to configurable directory (listening folder)

CenPOS Batch Processing Response File Retrieval

  1. Retrieve one or multiple files from configurable directory (response folder)

Authorize.net, Payeezy (First Data) and similar Batch Processing File Upload

  1. Log in to your Merchant Interface at https://account.authorize.net or other
  2. Click Upload Transactions.
  3. Click Upload New Transaction File.
  4. Click Browse.
  5. Locate from your system the file that you want to upload.
  6. Click Upload File.

Authorize.net, Payeezy (First Data) and similar Batch Processing Response File Retrieval

  1. Log into the Merchant Interface at https://account.authorize.net or other
  2. Click Tools from the main toolbar.
  3. Click Upload Transactions.
  4. Click View Status of Uploaded Transaction Files.
  5. Select the desired uploaded transaction file from the Select Upload File drop-down list.
  6. Click Submit.

CenPOS increases efficiency to upload and retrieve responses, reduces friction with no login required, and also supports multi-merchant login, enabling users to toggle between accounts, creating efficiency for both the service provider and the merchant.

More BATCH UPLOAD differences           Authorize.net    CenPOS
Custom fields (shared across channels)  No               Yes
Reporting                               2 years          Indefinite
Telephone support                       No               Yes, 24/7

Merchant fees are impacted when a transaction does not qualify at the lowest interchange rate possible. For example, business to business companies must submit level III data to qualify for related rates, which are often 90 basis points (0.90%) lower than without. The payment gateway must be certified for level III to each acquirer supported. Only a few payment gateways are level III certified, and even fewer of those offer an acceptable batch upload solution.

PCI Compliance burden is reduced with tokenization, outsourced payment processing, fewer vendors and reporting. The latter is critically important for forensic audits, as well as financial audits. The average gateway only saves data for two years, and has limited data retrieval capabilities. CenPOS audit reports cover every touch to the platform (who, what, when, and more), with records available for a minimum of 7 years to match IRS requirements, reducing the cost of on-site and remote audits.

To learn more about batch credit card processing, replacing ICVerify, and cloud payment differentiators, contact Christine Speedy for a free consultation for all your omnichannel global payment needs.