Visa Authorization Rentals Rules Change

Visa announced sweeping changes to rental industry card acceptance rules in October 2016. Key changes include defining who initiated the transaction, the transaction data sent, authorization rules, stored card rules, and customer communications. Compliance will increase approvals and mitigate fraud risk; failure to comply will increase financial risk and issuer declines while reducing EBITDA.

Visa Expansion of Special Authorization Allowances

Effective 15 October 2016, 22 April 2017, and 14 October 2017
Revisions have been made to rules related to the processing of Estimated Authorization Requests, Initial Authorization Requests, and Incremental Authorization Requests, as well as Authorization Reversals, Issuer hold releases, and Chargeback rights. These changes impact issuers, merchants, customers, and acquirers; whatever merchants have in place today is not sufficient for the future.

Partial excerpt from section 5, Visa Core Rules. Applicable merchants should read the entire table and additional sections.

Truck and heavy duty equipment rental authorizations. Aircraft rental, Bicycle rental, Boat rental, Car rental, Equipment rental, Motor home rental, Motorcycle rental, Trailer park or campground rental are all impacted.

A core concept is authorization validity, which impacts merchant rights and potentially credit card processing rate qualification. An invalid authorization equates to no authorization. Card issuers will be within their rights to use reason code 72 and charge back, or ACH, funds from the merchant bank account on the next settlement day for failure to comply with authorization rules. This is a significant change for most rental companies: in the past, businesses typically responded to cardholder-initiated disputes, a completely different scenario, and won a good portion of them.

With payment processing technology updates, rental companies can increase profits by complying with the new rules, including for guaranteed reservations. EBITDA is improved with increased approvals, lower qualified interchange rates, and fewer chargebacks.

What’s a valid authorization? It’s partially described in Special Authorization Request Allowances and Requirements. Key elements:

  • Stored credential: rules for storing; what associated data is required on file and what is submitted with the transaction, including the same transaction ID required for all subsequent authorizations after initial approval.
  • Estimated authorization: an indicator that the authorization is an initial estimate and the final amount is unknown is sent with the transaction. TIP: If the amount could change because the renter did not bring the item back in time, or there are other terms in the contract where the customer agrees to pay more under certain conditions such as damages or refueling, then the initial transaction is an Estimate.
  • Incremental authorization: must use the same transaction ID as the estimate, and be submitted with the incremental authorization indicator.
  • Visa now groups transaction types into ‘customer initiated’ and ‘merchant initiated’. For card not present, a transaction is only considered customer initiated if Verified by Visa is used. Verified by Visa (VbyV) is their brand name for the global 3-D Secure cardholder authentication protocol for customer initiated card not present transactions.

Updated Checkout Flow For Online Rental Booking:

  • Opt-in to no-show policy, terms and conditions
  • Authenticate cardholder
  • Authorize with the estimate indicator
  • Deliver email confirmation with the policy
  • Incremental auths with same Trans ID only.
  • Close transaction by day 31; partial reversal same transaction ID if applicable.
  • If ticket closed, open new estimated auth.
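
The flow above can be checked mechanically before messages leave the gateway. The following is an added example, not Visa's or any gateway's code: it validates one rental ticket's message sequence against the rules listed on this page. The indicator labels, the AuthMsg fields, and counting day 31 from the initial authorization date are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

CLOSE_BY_DAYS = 31  # "Close transaction by day 31"; counted from initial auth (assumption)

@dataclass
class AuthMsg:
    indicator: str  # hypothetical labels: estimated, incremental, reversal, close
    txn_id: str     # transaction ID tied to the initial approval
    sent: date

def check_ticket(msgs, as_of):
    """Return the rule violations for one rental ticket's ordered messages."""
    if not msgs:
        return ["no authorization on file"]
    problems = []
    first, closed_on = msgs[0], None
    if first.indicator != "estimated":
        problems.append("msg 1: initial request lacks the estimate indicator")
    for n, m in enumerate(msgs[1:], start=2):
        if closed_on is not None:
            problems.append(f"msg {n}: ticket closed, open a new estimated auth")
            continue
        if m.indicator == "estimated":
            problems.append(f"msg {n}: follow-up sent as estimate, not incremental")
        if m.txn_id != first.txn_id:
            problems.append(f"msg {n}: transaction ID differs from initial approval")
        if m.indicator == "close":
            closed_on = m.sent
    # An unclosed ticket is measured against the as_of date instead.
    if ((closed_on or as_of) - first.sent).days > CLOSE_BY_DAYS:
        problems.append("ticket open past day 31")
    return problems

# Constructed sample tickets (not real transactions).
GOOD = [
    AuthMsg("estimated", "T1001", date(2017, 5, 1)),
    AuthMsg("incremental", "T1001", date(2017, 5, 4)),
    AuthMsg("reversal", "T1001", date(2017, 5, 9)),   # partial reversal, same ID
    AuthMsg("close", "T1001", date(2017, 5, 9)),
]
BAD = [
    AuthMsg("estimated", "T2001", date(2017, 5, 1)),
    AuthMsg("incremental", "T2999", date(2017, 5, 20)),  # new ID breaks the chain
    AuthMsg("close", "T2001", date(2017, 6, 15)),        # 45 days after initial auth
    AuthMsg("incremental", "T2001", date(2017, 6, 16)),  # sent after close
]

if __name__ == "__main__":
    for name, ticket in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_ticket(ticket, as_of=date(2017, 6, 20)))
```
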

KEY DATES

  • 22 April 2017 – The Merchant must use the Estimated/Initial Authorization Request indicator.
  • 22 April 2017 – The Merchant must use the Incremental Authorization Request indicator and the same Transaction Identifier for all Authorization Requests.

Without action to update rental authorizations in advance of the April dates, financial exposure for prior months may be significant.

See Visa Core Rules, Table 5-16: Special Authorization Request Allowances and Requirements, and other pages.

Christine Speedy, authorized CenPOS reseller, provides universal payment processing solutions to maximize merchant profits and mitigate risk across multiple sales channels. To get a CenPOS account and Dynamics AX, SAP, Bluebird or other compatible plugin, contact Christine at 954-942-0483. 

Credit Card Expiration Updater & Recurring Billing

Are automated recurring billing transactions declining due to expired credit cards? This article identifies methods to automate credit card expiration updating for installment, fixed recurring, and variable recurring token billing transactions.

All credit cards on file are managed at the payment gateway level for PCI Compliance. The ‘token’ is the alphanumeric character set that replaces sensitive card data. Businesses have access to the token, but not the sensitive cardholder data, after it’s stored. With token management, users can update the credit card expiration date manually. No other fields can be modified. If the CVV/CID security code or card number changes, a new token is created for the new card.

Per rules of card acceptance, the actual expiration date must be used. There have been recurring billing software solutions on the market that simply change the expiration date for recurring transactions with expired cards, for example by changing the date by one year. This enabled transactions to go through with an authorization in some cases because the expiration date was not validated by the issuer. However, for chargeback rights, the expiration date must be provided by the Cardholder and must be correct.

Credit Card Expiration Date Updater Methods

  1. Self credit card updating. An email is generated by the recurring billing platform and/or payment gateway alerting the cardholder of an upcoming expiration. The cardholder then self-updates their payment method via a web portal. While effective at reducing phone calls for updating, it still requires action by the busy cardholder; thus, many still go unattended until the point that a transaction fails. This impacts profits through attempted transaction fees, the time to manually reach out to customers, and cancellations. We all know that sometimes a customer pays for a service they do not use effectively, but doesn’t bother to cancel. Once they have to update their card… the revenue stream can be lost.
  2. Automated credit card updating via the card brands. Merchants must register for the service with their merchant services provider, and must have a payment gateway that supports the updater service. Visa and MasterCard charge a one time fee for registration. There’s also a fee per card updated, which varies by merchant services provider; typically, the provider will mark up for profit.

Credit Card Expiration Date Updater Costs

One-time Visa Account Updater (VAU) Setup fee $250, MasterCard Automatic Billing Updater Setup fee $350 per merchant account. The fee per update varies. For example, we charge $.09 as of this writing and clients have been quoted $.30 by other companies.

Recurring Billing Compliance Alert

Significant changes are coming to recurring billing. After the first authorization, all subsequent recurring billing transactions are to include a unique reference to the initial authorization. This must be managed seamlessly in the background at the payment gateway level. Adding a new field to the transaction process is significant and the challenges are likely on par with the launch of US EMV. Expect problems in the next 12-24 months as gateways struggle to comply with these requirements.

Refer to Visa Public Rules, and search for “recurring”, including section 5.9.9 Prepayments, Repeated Payments, and Deferred Payments, for more details.

CenPOS and Credit Card Expiration Date Updater

CenPOS, an enterprise payment gateway and merchant centric processing platform, supports the account updater services. As your CenPOS representative, I can activate the service on CenPOS for you; however, if your merchant services reside with a third party, you’ll still need to register through them. Before proceeding, contact Christine Speedy at 954-942-0483 for more information.

Online Payment Form Security Alert

Is your online payment form out of date and a security risk? Securing online payment forms requires an annual review at a minimum. Just because a hosted paypage form still works doesn’t mean it’s secure or PCI Compliant.

PCI Compliance requirements have steadily tightened since 2014 for pay pages and all ecommerce transactions.

Hosted paypage options:

  1. Merchant hosts the form and collects payment on their web site. Beginning with PCI 3.0, significant additional PCI burden applies. Highest risk.
  2. 3rd party payment gateway hosted pay page. Provide a link directly to customers to pay. The form is served by and submitted by the payment gateway. It significantly reduces the potential for malicious activity that could compromise cardholder data. Lowest risk.
  3. An iframe hosted paypage has the appearance of residing on the merchant web site, but the payment data is captured by the 3rd party directly on their web host. The implementation method using iframes for payments has changed over the years to meet current PCI Compliance requirements, including to combat malicious JavaScript and Cross-Site Scripting threats.

“If your iframe hosted paypage hasn’t been updated in the last year or so it’s likely not PCI Compliant,” Christine Speedy, Card Not Present Expert.

A payment gateway is a secure transaction engine that facilitates the transfer of sensitive information to the processor, and is required for all online payment forms. Some gateways provide online payment forms at no additional charge. Vendor selection has a significant impact on risk mitigation, payment processing fees, efficiency, and PCI Compliance burden.

A payment gateway can be proprietary to a specific processor, or agnostic and compatible with multiple processors. While one provider for both services may seem to be the best choice, there are significant reasons the opposite may also be true, including risk mitigation. Bots present a significant risk of exploitation of online payment forms and may result in profit loss if additional steps are not implemented to mitigate the risk of ‘card testing’, where criminals use online forms to submit fake transactions to determine if cards are good or bad. Every attempted transaction has an associated cost, and adding in chargeback fees from resulting disputes, the result could be tens of thousands of dollars in fees in a matter of hours.
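
One way to spot card testing against a payment form is a velocity check per source. This added example (not from any gateway's product) flags sources that try many distinct cards, mostly declined, inside a short window; the log format, thresholds and sample lines are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds; tune them to your own traffic.
WINDOW = timedelta(minutes=10)
MIN_CARDS = 5
MIN_DECLINE_RATIO = 0.8

def parse(line):
    """Split one constructed log line: timestamp, source IP, card token, result."""
    ts, ip, card, result = line.split()
    return datetime.fromisoformat(ts), ip, card, result

def card_testing_sources(lines):
    """Return source IPs that tried many distinct cards, mostly declined, within WINDOW."""
    recent = defaultdict(deque)  # ip -> attempts still inside the sliding window
    flagged = set()
    for ts, ip, card, result in sorted(map(parse, lines)):
        q = recent[ip]
        q.append((ts, card, result))
        while ts - q[0][0] > WINDOW:      # drop attempts older than the window
            q.popleft()
        cards = {c for _, c, _ in q}
        declines = sum(1 for _, _, r in q if r == "DECLINED")
        if len(cards) >= MIN_CARDS and declines / len(q) >= MIN_DECLINE_RATIO:
            flagged.add(ip)
    return sorted(flagged)

# Constructed sample log. Card values are tokens (fpNN), never card numbers.
SAMPLE = (
    # burst: six different cards in one minute from one source
    [f"2017-03-01T02:00:{i * 10:02d} 203.0.113.7 fp{i:02d} DECLINED" for i in range(6)]
    # five different cards, but spread over hours: outside the window
    + [f"2017-03-01T{9 + i:02d}:00:00 192.0.2.44 fp2{i} DECLINED" for i in range(5)]
    # ordinary customer: retries one card, then pays with another
    + ["2017-03-01T10:15:00 198.51.100.20 fp90 DECLINED",
       "2017-03-01T10:16:00 198.51.100.20 fp90 DECLINED",
       "2017-03-01T10:18:00 198.51.100.20 fp91 APPROVED"]
)

if __name__ == "__main__":
    print(card_testing_sources(SAMPLE))
```
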

If you don’t want to be the next law firm, CPA firm, hotel or distributor data breach headline, consult with a payments expert who understands the financial and risk ramifications of one payment gateway choice and implementation method over another, rather than ecommerce consultants or bankers who may have limited in-depth expertise in maximizing your profits and mitigating risk exposure.

TIP FOR NON-TECHS: Does your online payment form look good on smart phones and other mobile devices? If not, there’s a pretty good chance your online payment page needs an update and is not PCI Compliant.

RESOURCES:

  • PCI – Payment Card Industry Data Security Standards
  • https://www.us-cert.gov/publications/securing-your-web-browser
  • http://pcisecuritystandards.org

For PCI compliant solutions to collect online payments from your customers, contact Christine Speedy today. Get paid via your preferred methods, including ACH, credit card, wire and Paypal, while increasing security and convenience.