Visa Stored Credential Mandate Overview

Posted on October 5, 2018 by Christine Speedy

How can merchants get compliant with the Visa Stored Credential Transaction framework and mandates effective October 14, 2017? Most companies are under the false impression that their acquirer and or payment gateway manages compliance. Not true. While some technical aspects are managed by the payment gateway, the merchant also has to make some changes for compliance.

What is a Stored Credential? A stored credential is information (including, but not limited to, an account number or payment token) that is stored to process future purchases for a cardholder.

What is the Visa Stored Credential framework and mandate? It outlines the rules related to storing and using stored credentials. Since it’s 15 pages long, I’ll only highlight a few important items here.

Merchant initiated or customer initiated transactions? Make sure your payment gateway is sending the correct code. For example, an ecommerce store checkout would be customer initiated. A recurring billing transaction is merchant initiated.
Get customer consent for terms and conditions of storing and using stored card.
Advise how the cardholder will be notified of any changes to the consent agreement.
For a transaction using a stored credential initiated by the cardholder, the merchant or its agent must validate the cardholder’s identity before processing. The only valid methods are 3-D Secure Verified by Visa and the security code.
Receipt must be provided for the initial cardholder validation ($0 dollar transaction or actual amount.)
All stored credential transactions must be submitted with a value of “10” in the POS Entry Mode Code field; this is for both newly stored cards and all prior transactions using stored credential. This is managed by the payment gateway. (Confirm your gateway is doing this.)

What about the other card brands? Mastercard rolled out their version in June 2018. If you comply with the Visa mandate, you’ll be in compliance with any others at this time.

What if I don’t comply?

You’ll be non-compliant with Visa’s rules and risk Non Compliance Assessments
No benefit from expected improved authorization rate
Increased customer complaints and poor cardholder experience
Cannot use Real Time Visa Account Updater service
Risk issuer generated chargebacks for all transactions using the stored credential within the allowable chargeback timeframe under reason code 72, invalid authorization. A valid authorization is needed to qualify for the lowest interchange rates.

What are the benefits of compliance? Increased authorizations, better customer experience, more profits.

See Improving Authorization Management for Transactions with Stored Credentials https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf . Are you going to manage documenting everything or are you going to use technology to help you manage it?

Partial CenPOS PCI Compliant stored credential authorization form.

Verify if you have a system to manage authorization validity. What the heck does that mean? Many companies have complex needs including pre-authorizations, incremental authorizations, delayed shipping etc. While you may get issuer approvals, that doesn’t mean the authorization is valid. Are you compliant now? Look at your merchant statement ‘pending interchange fees. If you see EIRF or STD or misuse of authorization fee, there’s a problem.

Replace paper credit card authorization forms, and any digital form that you can decrypt and view sensitive card data. Offer your customers a way to self-manage their own wallet with either a hosted online pay page or Electronic Bill Presentment & Payment.

New to online payments? See Visa best practices to prevent brute force attacks. https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html. CenPOS includes recaptcha and client managed velocity and other rules as part of a layered security approach.

Register for 3-D Secure, including Verified by Visa, with your acquirer. Don’t do this until you know which payment gateway will be used and get their instructions if applicable.

The same transaction can process at different rates as shown above, depending on which rules you follow. CenPOS Smart Rate Selector automates compliance to qualify transactions at the lowest rate possible. Which rates are on your merchant statement now?

Where can I buy CenPOS or learn more? You’ve already found one of the top salespeople, Christine Speedy. All agreements are direct with CenPOS, no middle man.

Resources and documentation https://3dmerchant.com/blog/merchant-bulletins-downloads – bookmark it!. Join Christine Speedy’s email list.

DISCLAIMER: condensed and incomplete information! Information may be quickly outdated.

With the fast pace of changing rules, companies need a technology partner to automate compliance. Did you know?

CenPOS has a suite of solutions for companies just like yours, solving common problems and increasing profits virtually overnight.
For those not ready to give up paper, CenPOS creates a printable PCI Compliant credit card authorization form for every stored card.
CenPOS has ERP, ecommerce shopping cart, accounting and other plug-in modules available for quick and easy implementation.
I’ve been selling for CenPOS since day 1. Though I have other payment gateways available in my arsenal, nothing else compares.

Call Christine Speedy for global sales. 954-942-0483, 9-5 ET, CenPOS authorized reseller based out of South Florida and NY. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

Storing credit card for layaway plan prepayments rules

Posted on September 28, 2018 by Christine Speedy

What are guidelines for storing and using stored credit cards for layaway plans? What is solution for auto payment layaway plan? Credit card processing rules have changed.

The process for storing and using stored cards rules are largely set by the Payment Card Industry Data Security Standards (PCI DSS) and Card network acceptance rules. Huge changes went into effect in 2017, starting with the Visa Stored Credential Mandate, and more are coming.

For a layaway plan, you need a payment gateway that supports sending the correct transaction type indicator. That would be either installment or unscheduled credential on file, depending on the agreement with buyer. This is outlined in Visa Core Rules and Visa Product and Service Rules, section 5.9.9 Prepayments, Repeated Payments, and Deferred Payments. If accepting prepayments merchants must comply with Table 5-20, Requirements for Prepayments and Transactions Using Stored Credentials.

Visa specifies that when Cardholder gives their consent to items in table 5-20, it must be displayed separately from the general purchase terms and conditions. The Merchant must provide, and the Cardholder must consent to all of the following in writing at the time of the first or only partial prepayment:

Description of promised merchandise or services
Terms of service
Timing of delivery to Cardholder
Transaction amount
Total purchase price
Terms of final payment, including the amount and currency
Cancellation and refund policies
Date and time that any cancellation privileges expire without prepayment forfeiture
Any associated charges

In addition, for Installment Transactions, both:

Total purchase price
Terms of future payments, including the dates, amounts, and currency

Plus

How the cardholder will be notified of any changes to the agreement
How the Stored Credential will be used
The expiration date of the agreement, if applicable

In summary, merchants documents for compliance:

Sales agreement
Cardholder Agreement for Prepayment
Cardholder Agreement for Storing & Using Stored Cards

Traditional old credit card authorization forms are dead. Merchants cannot get them on paper, and most digital forms are also not compliant. Requirements are specified in Visa Table 5-20.

Merchants payment technology to comply with rules:

Inform the issuer via a transaction that payment credentials are now stored on file.
Identify transactions with appropriate indicators when using stored credentials. (Recurring, installment, or unscheduled credential on file.)

Not all payment gateways are capable of meeting current compliance rules for all transaction types. How much the payment gateway solution helps automate compliance varies widely. If you need a solution for automotive layaway plan, you need an expert in rules compliance to avoid penalty fees, issuer chargebacks, and other costly problems. For help choosing the best solution for your company, contact us.

Resources and documentation /blog/merchant-bulletins-downloads – bookmark it!. Join Christine Speedy’s email list.

DISCLAIMER: condensed and incomplete information! Information may be quickly outdated. Contact a lawyer for legal advice.

Need a solution? Call Christine Speedy, 954-942-0483, 9-5 ET, CenPOS authorized global reseller. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

3 Ecommerce Checkout Payment Problems

Posted on September 24, 2018 by Christine Speedy

Use of a PCI compliant payment gateway does not make a company PCI compliant, compliant with card network acceptance rules, or compliant with best practices to maximize profits. In other words, if you follow best practices and comply with all the rules, you’ll have a more secure and profitable company. A key ingredient to compliance is the payment gateway, however, the payment gateway has no specific requirement to ensure your compliance with all the card network rules and best practices, just those that pertain to Payment Card Industry Data Security Standards.Here’s a few costly merchant problems:

Lack of brute force attack tools. These help prevent bots from testing thousands or millions of cards on your checkout form. The merchant is liable for all of the attempted transaction fees on the payment gateway and on the acquiring. A simple first line of defense is adding recaptcha. See Visa best practices to prevent brute force attacks. https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html.
Non-compliance with Visa Stored Credential Mandate, effective October 14, 2017? I’ve written extensively on this, for example here’s a B2B steps to compliance article. There are multiple elements, and many payment gateways do not yet have solutions, especially for ‘Unscheduled credential on file’. Do you have a checkbox in the sequence of checkout opting in to terms? https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf.
Invalid authorizations. This is the most costly as it can lead to consumer generated chargeback, issuer chargeback, non-qualified interchange rates and penalty fees. Here’s a story about the new .25% MasterCard integrity fee. Do you have Standard/STD, EIRF, or Data Rate I on your merchant statement under interchange fees? Then you have an authorization problem.
Cardholder authentication limitations. The security code has historically not been enough evidence to win customer disputes about unauthorized charges. With 3-D secure, fraud liability shifts to the issuer. Effective April 2019 based on region and industry, Visa mandates many merchants use Visa 3D Secure 2.0. Reference Table 5-18: Acquirer Support of Verified by Visa, Visa Public Rules.

The solution to all of the above is replacing outdated payment gateway technology with new technology that will help automate compliance with card network rules, while reducing PCI Compliance burden.

Why comply? Here’s an example of the cost difference between valid and invalid authorization.

Resources and documentation /blog/merchant-bulletins-downloads – bookmark it!. Join Christine Speedy’s email list.

DISCLAIMER: condensed and incomplete information! Information may be quickly outdated.

Need a solution? Call Christine Speedy, 954-942-0483, 9-5 ET, CenPOS authorized global reseller based out of South Florida and New York. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

Recurly Visa Stored Credential Framework blog omission

Posted on September 10, 2018 by Christine Speedy

A Recurly blog article “How Recurly is Supporting Visa’s Stored Credential Framework” has some misinformation. The cited dates are incorrect and merchant responsibilities are understated. Why is that important? Most payment gateways and technology solution providers are not keeping up with the rapid pace of rules and compliance changes, impacting merchant profits and risk. Therefore, payment technology vendor selection, including payment gateway selection, is critical.

Recurly, like others in the cloud solutions space, is partially dependent on their partners to keep their clients in compliance with a myriad of rules. When should technology partners alert their integrated solutions partners about industry changes affecting their mutual clients? Solutions providers and merchants are getting inaccurate advice, or none at all, from trusted advisors, technology providers, and consultants of all sizes and sources.

“As soon as Visa released the news in their Merchant Business News Digest in August 2017, Recurly began reaching out to our gateway partners to get ahead of the work required to fulfill the mandates.” The real dates were much earlier than cited. Visa typically announces at least one year in advance of due dates for any significant change, which this update is. Updates were in the October 2016 Visa Core Rules and Visa Product and Service Rules rules, citing changes coming in April and October 2017. On April 27, 2017 Visa published further information for merchants via the Stored Credential Framework document, which also references prior articles published on the subject dating back to 2016.

For most merchants, the mandate went into effect October 14, 2017, not April 2018, however, Visa did announce a delay in compliance action to April 2018.

From Recurly, “There is no action needed from our customers.” While technology solutions and payment gateways manage technical aspects for compliance, there’s much that’s left to merchants. Here’s an excerpt from the Stored Credential Framework document:

Merchants and their third-party agents, payment facilitators, or stored digital wallet operators that offer cardholders the opportunity to store their credentials on file must:
• Disclose to cardholders how those credentials will be used.
• Obtain cardholders’ consent to store the credentials.
• Notify cardholders when any changes are made to the terms of use.
• Inform the issuer via a transaction that payment credentials are now stored on file.
• Identify transactions with appropriate indicators when using stored credentials.

I strongly recommend reading Visa Core Rules Table 5-20: Requirements for Prepayments and Transactions Using Stored Credentials and Disclosure to Cardholder and Cardholder Consent. For example, how will you provide proof of cardholder consent (think time and date stamp) upon request? Are you providing the required receipt with proper format for zero dollars when storing a card without running a transaction?

Note: This article is not a review, endorsement or complaint about the quality of Recurly services which I have never used. It is simply identifying errors and omissions related to the stored credential mandate that may impact merchant profits, risk and decision making. I would have written in their blog comments, but it wasn’t available. When choosing a payment gateway, consider how agile they’ve been in meeting deadlines for changes, and how they’ll help reduce compliance burden, among other factors.

Christine Speedy, CenPOS Authorized Reseller, 954-942-0483 is a PCI Council QIR certified professional based out of South Florida, near Fort Lauderdale, and Rochester, NY, with extensive payment gateway experience. Christine can uniquely help merchants and technology providers navigate the complexities of PCI, acquirer, and card brand compliance rules.

MasterCard Processing Integrity Final Auth Alert

Posted on August 24, 2018 by Christine Speedy

Compliance is not just about payment security. Each card brand has a set of rules for payment processing. Follow them and get rewarded with increased authorizations, reduced fraud risk, and lower merchant fees. The cost of non-compliance is heavy and getting worse.

Look at this MasterCard PROCESSING INTEGRITY FINAL ATH Fee on a recent Chase Paymentech merchant statement.

Over $536,000 multiplied by .25% penalty fee for a total of $1,340.10 in avoidable costs. This is due to not properly authorizing and settling transactions, including reversals for unused authorizations. It’s too complicated to get into why this happens, but I’ve written multiple articles related to authorization validity, including one about the Visa Stored Credential Mandate.

The new fee of 0.25%, minimum $0.04 is assessed for each approved final authorization when*:

Authorization expired. The Final Authorization transaction is not cleared within 7 calendar days of authorization date, nor has it been fully reversed.
Authorization mismatch. The Final Authorization amount does not equal the clearing amount.
Unused Authorization. The Final Authorization transaction did not clear and full authorization reversal was not submitted. What’s really painful about this one, is if an order is cancelled, you can lose .25% of the transaction amount so you lost money not making a sale!
Final authorization currency code does not match the clearing currency code.

How can merchants avoid the MasterCard Processing Integrity fee?

Technology to manage the authorization and settlement process is the only way. Leaving it up to employees to figure out when an authorization is expiring and when a reversal is needed is a recipe for compliance fees like the above. Plus, chances are whatever system they’re using doesn’t even support the required data messages that need to go with the transaction.

The payment gateway plays a crucial role in authorization validity. A common misconception is that using a popular gateway, or even one owned by a card brand, or acquirer, will automatically get your transactions compliant. That is not the case.

I have extensive knowledge of many payment gateways. In my opinion, the CenPOS cloud commerce platform with suite of business solutions, including payment gateway, offers the best tools to automate authorization validity so you can avoid the MasterCard processing integrity final authorization fee as well as other penalty fees and assessments by multiple card brands.

Source: MasterCard Transaction Processing Rules 28 June 2018 TPR, Wells Fargo Payment Network Pass-Through Fee Schedule April 2016.

Christine Speedy, CenPOS Global Sales, 954-942-0483 is based out of South Florida, near Fort Lauderdale, and Rochester, NY. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Card Not Present, CenPOS, credit card processing

B2B Cloud payment processing technology blog about increasing profits, efficiency and security.

Category Archives: Merchant Services