Authorize.net Duplicate Transaction Settlement Error

Posted on October 20, 2016 by Christine Speedy

Authorize.Net experienced an issue during a system update on October 17th that caused a subset of previously settled transactions from September to be sent for settlement again between October 17th and 18th. This issue is no longer occurring.

Authorize.Net is currently working to address any duplicate transactions in order to resolve the duplicate funding to merchants and potential duplicate transactions to their customers. We have already contacted your affected merchants and will continue to do so as we have updates.

If your merchants contact you about this issue, please advise them to NOT take any action on these transactions while we work to address them.

We will follow up with you with any further information, including information on potential reimbursements, as it becomes available.

To locate these transactions, please have your merchants follow these steps:
Log into the Merchant Interface at https://account.authorize.net/.
Click Search from the main toolbar.
Click Search by Batch from the menu on the left.
Select October 18 and October 17 in the From and To drop-down boxes in the Settlement Date section.
Click Search.
Any impacted transactions will have a Submit Date from September 20-25.

We apologize for this error and any inconvenience it may have caused. If you have any questions regarding this email, please contact support.

Sincerely,
Authorize.Net

###

Blogger Note: While uncommon, duplicate transaction and duplicate settlement issues do happen. They can emanate from anywhere in the transaction chain, though the payment gateway, or payment processor are likely more common causes. Because of that, merchants are advised to do nothing and the party that caused the problem usually reverses all the errors on behalf of merchants, typically within a day or two.

Payment Account Reference (PAR) Impact On Recurring Billing

Posted on July 28, 2016 by Christine Speedy

Payment Account Reference (PAR) will become a major force in changing in how recurring billing transactions are processed, and risks that merchants will bear. Swiped, key-entered, and e-commerce transactions are all impacted because merchants will need to tie subsequent token transactions to the original transaction that customer authorized. This raises questions as to what technology will be able to support it, and how quickly will companies be able to adopt it?

EMVco updated their EMV Payment Tokenization Specification Technical Framework earlier this year to include a new field for PAR. This field must transcend throughout the payment ecosystem to acquirers, issuers, and merchants by updating all those systems to support it. That means changes to payment terminals, gateways, processing systems, and potentially ERP and other integrated solutions. With the framework in place, the rest of the ecosystem can begin updating systems to take advantage of the benefits.

PAR enables the payment acceptance community to link a cardholder’s payment token with their PAN transactions without needing to use their underlying card account number.

Merchant Liability

Official announcement is not yet available, however, following the logic of similar security updates, the merchant would risk chargeback on any transaction that does not include the PAR value. The issuer or the acquirer could potentially initiate on the premise there’s no proof customer approved, and therefore there’s fraud liability risk. To reduce their risk, the merchant could be held liable. That means 3 months into a service, all prior transactions could be ACH’d right out of merchant bank account, plus there’d be chargeback fees for each transaction. Additionally, with multiple chargebacks with a single cardholder it’s foreseeable merchants could end up in oversight pool for excessive chargebacks.

Timeline for Compliance

Official announcement is not yet available, however, technical framework specifications for developers were released about 6 months ago. Changes impacting processing fees etc. are typically effective October and April of each year.

Why PAR now?

PAR enables the industry to move away from dependence on the PAN as the primary linkage between various payment processing and value-added services, for example, loyalty programs. As EMV grows increasing card present security, fraud tends to move online; PAR is intended to reduce card not present fraud, increase security, and create a consistent global framework for all participants.

Current Recurring Billing Compliance

Today, when a merchant processes a transaction for a card the customer has authorized to keep on file, the ‘recurring‘ transaction type indicator is required to be sent with each authorization request. A payment gateway is a required, since physical terminals are unable to meet requirements. For example, a retail store sends a SALE transaction type, while a company offering SaaS sends Recurring Payment indicator in authorization messages. Business to business merchants run into compliance, and risk of chargeback losses, when a customer agrees authorizes keep card on file, and they key enter the card number. As far as the issuer and acquirer are concerned, it’s a retail sale, and all the rules of acceptance, risk, and interchange rate qualification apply.

Some companies use paper credit card authorization forms, and they key enter into a retail terminal or virtual terminal each and every time; those transactions are NOT sent correctly with RECURRING indicator.

Future Recurring Billing Compliance

Tokens replace sensitive card data and are then used to perform future variable, fixed, or installment recurring billing. PAR cannot be used to initiate payment transactions nor reverse engineered to obtain PAN data. When a token is created, a PAR value will also be created. The PAR must be supplied with all future authorization requests.

Merchants using ‘dumb terminals’, i.e. terminals that are not payment gateway driven, are incapable of supporting such a service. For omnichannel merchants, partnering with a progressive technology company that meets all current and future payment needs is going to be essential to comply with PAR and more payment changes likely to come.

“If your current provider was late to market with EMV, if they don’t support 3D Secure, if they can’t provide one payment gateway for all sales channels, it’s probably time to start looking for another payment technology partner,” Christine Speedy, Global Reseller for CenPOS, a merchant-centric, enterprise payment solutions company.

Stopping Online Credit Card Testers

Posted on May 25, 2016 by Christine Speedy

Online credit card testing by fraudsters can dramatically drive up payment gateway fees. Historically, card not present financial fraud grows exponentially in countries after implementing EMV chip card processing, as thieves seek the weakest link for fake credit card purchases. Thieves use software to rapidly send cardholder data to payment web sites to verify if stolen cards are good, card testing, and since merchants pay a per transaction fee, regardless of approval, the financial impact can be devastating.

Companies with online pay pages are at increased risk. Since October 2015, online fraud attacks were up 11% 2015 Q4 Vs Q3, and up 215 percent from 2015 Q1. 83% of attacks involved botnets. Source: The Global Fraud Attack Index™, a PYMNTS/Forter collaboration. The preferred web pay pages have no login required, and provide detailed decline response reasons. I’m often asked by others in the industry to provide the latter, and for the same reason as for retail, it’s better than no one knows the reason for the decline. If you inform a criminal the expiration date is no good, they just need to figure out the right one.

PREVENTING ONLINE CARD TESTING

A layered approach is required to stop card testers since no single solution will stop fraudsters. Generally, the harder you make it, the more likely they will seek a path of less resistance.

Block known fraudulent incoming IP addresses. The bad guys also use hostile proxy servers, with dynamically changing IP addresses every authorization attempt, but this is still a first step everyone should employ.

For additional assistance, please contact us. I won’t make it easier for criminals by identifying all the tools here in the blog!

Replacing ICVerify with authorize.net for caging service providers

Posted on May 16, 2016 by Christine Speedy

ICVERIFY Software, a PC based payment software solution, is end of life and must be replaced with an internet, or cloud-based, payment gateway. Authorize.net is one replacement option for caging service providers, including donation processing, that doesn’t require changing credit card processing companies, also known as merchant services provider or acquirer. For business to business, I don’t recommend authorize.net, read about another ICVerify alternative here.

What’s the difference between ICVerify and Authorize.net Payment Gateway for Credit Card Processing for fundraising service providers?

There’s no software to install. Users process payments via a virtual terminal by logging in to a secure web page and processing single transactions, or via batch upload.
The merchant, or fundraising non-profit, completes a payment gateway application for each merchant account, just like any other financial account, with an authorized reseller, such as 3D Merchant Services.
Transaction fees are standard. Fees can be paid via credit card or ACH debit. Merchants may have individual merchant accounts that include free gateway services, though unlikely, and there’s two limitations. First, if the merchant (non-profit or other entity) changes their acquirer, any tokens saved for recurring billing will be invalid. Second, it may increase lockbox service provider development and maintenance time for multiple gateway file specifications.
Merchants are billed directly by Authorize.net for gateway fees, including when opened through authorized reseller 3D Merchant Services (Christine Speedy).
Merchants control user access to payment gateway account

Christine Speedy alleviates the pain of switching merchants from ICVerify to authorize.net, including providing a single point of contact for all accounts, managing the application process, providing personal customer service, and offering volume transaction rates for entire client portfolio. Her payment expertise helps minimize fundraising expenses, reduce donor management friction, and reduce PCI Compliance burden. Merchants can call Christine or authorize.net for customer support after an account is opened.

REPLACING ICVERIFY – IMPACT FOR LOCKBOX SERVICE PROVIDER BATCH UPLOAD

Create a CSV file for upload to authorize.net, per file set up specifications
Login to merchant authorize.net account
Upload file
Download results the next day

REPLACING ICVERIFY – IMPACT FOR FUNDRAISERS / MERCHANTS

Open Authorize.net account; contact us for special volume rates
Add users and assign permissions, including users for your service provider
Download transaction reports on demand by logging into online portal via web page. Note, these reports are limited and do not replace, but rather supplement, reports from your lockbox service provider. 24 month record retention and search.
Authorize.net will automatically debit account monthly

Working with a single payment specialist for all fundraising channels maximizes net dollar educes PCI Compliance burden, misinformation, and

This article makes no reference to the value of authorize.net as a vendor selection, only the implementation and maintenance of using it as ICVerify alternative. Contact Christine Speedy at 954-942-0483 for all integrated, standalone and batch upload payment gateway needs from authorize.net and other solutions.

ERP and Payments: PCI Compliance Nightmare

Posted on April 27, 2016 by Christine Speedy

A PCI Compliant ERP solution doesn’t make a merchant PCI Compliant. The features of the payment integration drive customer decisions to use or not use the an ERP payment module. When payment vendor choices are restricted artificially by using technology to control merchant services options, merchants often enter ERP relationships with a level of dissatisfaction right from the start.

Severely restricted payment gateway options, especially for business to business, results in either the merchant using an alternative non-integrated payment solution, thus sacrificing efficiency, or using the integrated solution, and failing to meet PCI 3.0 requirements or other payment needs. How can I make this statement? B2B companies that accept credit cards typically have a portion of their sales via the telephone. To mitigate risk of fraud, they use paper credit card authorization forms. However, the forms are inherently risky in many ways.

Sensitive authentication data, which includes the security code (CVV/CID), can never be stored.
Forms offer option to send via email. Unprotected data cannot be sent via messaging technologies such as e-mail, instant messaging, chat, etc. (PCI section 4.2). Even if the form doesn’t offer it, customers sometimes ignore instructions and send via email.

In the absence of a best practice, employees will revert to whatever is necessary to get their job done and reduce the risk of looking bad (fraud losses). If the ERP payment module doesn’t help merchants eliminate credit card authorization forms, the entire operation may be at risk of a potential data breach.

For retail, data breaches have become commonplace. Few ERP Point of Sale (POS) solutions are using Point to Point (P2P) encryption and other best practices to reduce data breach risk. They raced to bring mobile to market, and many now have neither EMV chip terminals nor P2P, both increasing financial risk to merchants.

Why does an ERP restrict options for merchant services? Because it’s part of their revenue stream. When competition is eliminated, there’s almost no chance of having the best solution in the marketplace. The proof is a long string of failures to meet business needs. Failure to offer electronic bill presentment and payment, which would increase cash flow and efficiency. Failure to offer US EMV chip card acceptance solution prior to liability shift. Failure to offer level 3 processing for all sales channels. Failures reduce cash flow, profits, and security as companies attempt to work with the ERP limitations, or find ways to work around them.

The argument that it’s to protect merchants from data breaches is only partially true. For any modern payment gateway integration, the payment activity is usually outside the ERP to reduce PCI scope. That won’t change from one gateway to another, so the risk doesn’t change, provided the third party gateway is level 1 PCI Compliant.

Examples of ERP’s that restrict payment gateway and merchant services choices are Netsuite and Sage. Additionally, consultants are often compensated for payment gateway recommendations. Consulting with an independent payment specialist, like blog author Christine Speedy, can expose pros and cons of different options.

ERP’s holding onto merchant services and gateway revenue streams are short sighted, as these business practices that anger customers. Can you imagine if an ERP wouldn’t communicate with any other software, for example, Magento? ERP’s focused on delivering the best business software for all facets of a business, and enabling the merchant to follow best practices for PCI Compliance must give users the flexibility needed to run their business with their own financial partners.

If an ERP relies so much on their revenue stream from merchant services revenue share that they won’t let you choose your own financial partners, I’d think seriously about whether it’s the best ERP for your business.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Card Not Present, CenPOS, credit card processing

B2B Cloud payment processing technology blog about increasing profits, efficiency and security.

Category Archives: Payment Gateway