Recurly Visa Stored Credential Framework blog omission

A Recurly blog article “How Recurly is Supporting Visa’s Stored Credential Framework” has some misinformation. The cited dates are incorrect and merchant responsibilities are understated. Why is that important? Most payment gateways and technology solution providers are not keeping up with the rapid pace of rules and compliance changes, impacting merchant profits and risk. Therefore, payment technology vendor selection, including payment gateway selection, is critical.

Recurly, like others in the cloud solutions space, is partially dependent on their partners to keep their clients in compliance with a myriad of rules. When should technology partners alert their integrated solutions partners about industry changes affecting their mutual clients? Solutions providers and merchants are getting inaccurate advice, or none at all, from trusted advisors, technology providers, and consultants of all sizes and sources.

As soon as Visa released the news in their Merchant Business News Digest in August 2017, Recurly began reaching out to our gateway partners to get ahead of the work required to fulfill the mandates.” The real dates were much earlier than cited. Visa typically announces at least one year in advance of due dates for any significant change, which this update is. Updates were in the October 2016 Visa Core Rules and Visa Product and Service Rules rules, citing changes coming in April and October 2017. On April 27, 2017 Visa published further information for merchants via the Stored Credential Framework document, which also references prior articles published on the subject dating back to 2016.

For most merchants, the mandate went into effect October 14, 2017, not April 2018, however, Visa did announce a delay in compliance action to April 2018.

From Recurly, “There is no action needed from our customers.” While technology solutions and payment gateways manage technical aspects for compliance, there’s much that’s left to merchants. Here’s an excerpt from the Stored Credential Framework document:

Merchants and their third-party agents, payment facilitators, or stored digital wallet operators that offer cardholders the opportunity to store their credentials on file must:
• Disclose to cardholders how those credentials will be used.
• Obtain cardholders’ consent to store the credentials.
• Notify cardholders when any changes are made to the terms of use.
• Inform the issuer via a transaction that payment credentials are now stored on file.
• Identify transactions with appropriate indicators when using stored credentials.

I strongly recommend reading Visa Core Rules Table 5-20: Requirements for Prepayments and Transactions Using Stored Credentials and Disclosure to Cardholder and Cardholder Consent. For example, how will you provide proof of cardholder consent (think time and date stamp) upon request? Are you providing the required receipt with proper format for zero dollars when storing a card without running a transaction?

Note: This article is not a review, endorsement or complaint about the quality of Recurly services which I have never used. It is simply identifying errors and omissions related to the stored credential mandate that may impact merchant profits, risk and decision making. I would have written in their blog comments, but it wasn’t available. When choosing a payment gateway, consider how agile they’ve been in meeting deadlines for changes, and how they’ll help reduce compliance burden, among other factors.

Christine Speedy, CenPOS Authorized Reseller, 954-942-0483 is a PCI Council QIR certified professional based out of South Florida, near Fort Lauderdale, and Rochester, NY, with extensive payment gateway experience. Christine can uniquely help merchants and technology providers navigate the complexities of PCI, acquirer, and card brand compliance rules.

Are You Compliant? B2B Credit Card Processing Fact Check

Merchant compliance with various credit card processing rules maximizes profits while mitigating risk. This is especially true for business to business companies. But that task is getting harder and harder with the onslaught of new rules, and virtually impossible if not using a sophisticated cloud solution to help manage compliance.

b2b visa stored credentialIf your B2B company stores credit cards, there’s a pretty good chance you’re not compliant. For example, Visa’s 2017 Stored Credential Transaction framework (PDF download from Visa) outlines merchant responsibilities to obtain customer consent as well as storing credit cards, using stored credentials (token), and managing stored tokens. Failure to comply with Authorization rules, for example preauthorization and final settlement do not match, has far-reaching consequences including higher interchange rates (the bulk of credit card processing fees), penalty fees and new chargeback risks. With so many new rules across multiple card brands that vary based on business and transaction type how can a business quickly ascertain if they’re compliant?

Quick tips to validate compliance:

  1. Is cardholder authentication performed when a new card is stored? When the cardholder data is entered and submitted, the issuer responds with an approval or declined message. A small charge is not an acceptable practice to submit transaction for approval; instead a zero dollar authorization request for authentication is submitted. If authentication is via 3-D Secure -Verified by Visa, MasterCard Secure Code, whereby the customer self-authenticates vs merchant initiating, reduced rates may apply. Under the new rules, two transactions occur at the time a card is stored. Compliant answer is yes.
  2. Is a transaction receipt delivered to customer when you store a credit card? This will be either for an amount or a zero dollar authorization. When stored credit card credential (token) is created, a transaction receipt is generated with the approval or decline and other mandatory fields. Compliant answer is yes.
  3. Does the receipt include “RECURRING” or “REPEAT SALE” for token transactions? Compliant answer is yes.
  4. Review merchant statements, usually the last 1-2 pages with the heading “pending interchange” or “fees” section. Do you see EIRF, STANDARD (STD), or DATA RATE I? Compliant answer is no.
  5. Can you produce documentation of customer consent to store their card (including with 3rd party service) and how it will be used?

If you’re not in compliance, your payment gateway is the most likely culprit, followed by ERP or other software integration limitation. I can fix that.

Reference: Links for all Card brands.

Christine Speedy, CenPOS Sales 954-942-0483, 9-5 ET. Need help getting compliant? Ask me!

B2B Credit Card Processing Hot Tips

Compliance with credit card processing rules maximizes profits while mitigating risk. This is especially true for business to business companies. But it’s getting harder and harder with the onslaught of new rules, and virtually impossible if not using a sophisticated cloud solution to help manage compliance.

If your B2B company stores credit cards, there’s a pretty good chance you’re not compliant. For example, Visa’s 2017 Stored Credential Transaction framework outlines merchant responsibilities to obtain customer consent as well as storing credit cards, using stored credentials (token), and managing stored tokens. Failure to comply with Authorization rules, for example preauthorization and final settlement do not match, has far-reaching consequences including higher interchange rates (the bulk of credit card processing fees), penalty fees and new chargeback risks. With so many new rules across multiple card brands that vary based on business and transaction type how can a business quickly ascertain if they’re compliant?

Most processing details occur seamlessly behind the scenes so merchants have not had a simple way of knowing whether they’re compliant. Until now.

Quick tips to validate compliance:

  • Is a transaction receipt delivered to customer when a stored credit card credential (token) is created? Compliant answer is yes.
  • Is cardholder authentication with a zero dollar authorization or a purchase transaction performed at the time token is created? (A small charge is not an acceptable practice.) Compliant answer is yes.
  • Does the receipt include “RECURRING” or “REPEAT SALE” for token transactions? Compliant answer is yes.
  • Review merchant statements, usually the last 1-2 pages with the heading “pending interchange” or “fees” section. Do you see EIRF, STANDARD (STD), or DATA RATE I? Compliant answer is no.
  • Can you produce documentation of customer consent to store their card (including with 3rd party service) and how it will be used?

If you’re not in compliance, your payment gateway is the most likely culprit, followed by ERP or other software integration limitation. For a Microsoft Dynamics AX, Dynamics 365, and other ERP integrated solutions, call 954-942-0483 9-5 ET.

Reference: Card brand links.

Christine Speedy, CenPOS Sales 954-942-0483. CenPOS is a cloud business solutions provider with end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement.

Insurance Installment Payments: Visa Credit Card Processing Rules Change 2017

Insurance companies must comply with new VISA installment credit card processing rules changes effective October 2017 to maximize business profits and mitigate chargeback risk. Everyone in the payment ecosystem has or will need to make changes to comply, including acquirer, issuer, payment gateway, merchant, and sometimes integrated billing software.

payment gateway SaaS recurringVISA DEADLINE:

  • October 14, 2017 Visa stored credentials compliance mandate.

INSTALLMENT CREDIT CARD PROCESSING BEST PRACTICES:

  • Obtain cardholders’ consent to store the credentials. Opt-in check box stored with payment gateway record is recommended.
  • Have a solution to retrieve consent records on request.
  • Disclose to cardholders how stored credentials will be used.
  • Notify cardholders when any changes are made to the terms of use.
  • When capturing card data for the first time, use a PCI compliant payment gateway to create a random token replacing sensitive data; eliminate paper credit card authorization forms or digital signature forms where payment data is collected on the form, not via a payment gateway.
  • Inform the issuer via a transaction that payment credentials are now stored. For example, perform an Account Number Verification Transaction via a Zero Dollar Authorization with 3-D Secure Verifed by Visa.This is managed by the payment gateway, and requires specific transaction indicator.  TIP: If the solution you’re using performs a $1 authorization, often with a void or reversal after, that’s because the payment gateway, and or the implementation, are out of date and don’t support current requirements. Ask how yours works- assume nothing!
  • Identify subsequent transactions with appropriate indicators when using stored credentials. Payment gateway to identify all future transactions after storing:

With an indicator that shows that the Transaction is using a Stored Credential for either Installment, Recurring or Unscheduled Credential On File.
With the Transaction Identifier of the Initial Transaction.

  • Follow all cardholder disclosure and consent requirements specified in the Visa Rules. Opt-in check box with digital record managed by the payment gateway is recommended to comply with issuer records requests.
  • If performing a preauthorization for any transactions, additional new requirements must be met, including for reversals and reauthorizations.

INSURANCE INSTALLMENT BEST PRACTICES

Increasingly complicated rules vary by card brand, business type and many other factors. This article may oversimplify such complexities. Merchants are advised to:

  • Use tools, including intelligent cloud-based payment gateways, to help comply automatically.
  • Segregate payment acceptance from applications; example, embedded payment object or i-frame.
  • Review Visa Stored Credential Transaction Framework bulletins
  • Review Visa Core Rules and Visa Product and Service Rules
  • Review workflow for the customer payment experience and confirm payment technology workflow is compliant with new rules. There is no automated update; merchants must actively participate in process to ensure compliance.

COMPLIANCE RISKS AND REWARDS:

  • Compliance will increase approvals, customer satisfaction, and profits.
  • Reduce time spent on collections, increase automation, reduce attrition.
  • Cardholder authentication can qualify some transactions for lower interchange rates plus mitigate losses related to “it wasn’t me”, more commonly seen in higher risk insured policy holders.
  • Compliance required to participate in Visa Account Updater service.
  • Non-compliant transactions are essentially invalid authorizations, and issuers will be within their rights to chargeback via Reason Code 72. This is different than a consumer generated chargeback. Issuers are getting slammed with missed payment cardholders and need to get their money back some way; JP Morgan wrote off about $1B in Q1 2017 according to one source. The Wall Street Journal has published several articles over the last year about the surge in subprime credit cardholders missing payments. Overall, we’re looking at a national rate over 4% per quarter- over 16% annually, representing over a trillion dollars. Issuers may want to offset losses from subprime cardholders by collecting monies from merchants for the same.
  • Chargeback Risk includes the initial transaction and all subsequent transactions that are not in compliance for the allowable chargeback period. For example, if non-compliant the issuer could chargeback installments on October 14, November 14, and December 14.

Reference: Visa Stored Credential Transaction Mandates and also Visa Core RulesTable 5-21: Requirements for Prepayments and Transactions Using Stored Credentials.

Before selecting a payment gateway for installments payments, ask these questions:

  • How will it help with new Visa Stored Credential Mandates compliance?
  • Does it support 3-D Secure cardholder authentication, for customer initiated payments?
  • What type of digital record is created at the time of customer opt-in to terms, how is it retrieved, and how long is it retained?
  • Does it support Zero Dollar Authorization?
  • Does the receipt dynamically change based on type of transaction, i.e. cash, credit card single payment, installment payment etc.
  • Does it support level 3 processing for commercial cards (if applicable to business type)?
  • If I change banks or payment processors, how will it affect my customers? My business?

TIP: Most payment gateways will not be compliant on October 14. An easy starting point to reduce the list of vendor choices is to ask the payment gateway what type of digital record is created at the time of creating an installment agreement, and how will it be accessed? Need help to get compliant? Contact Christine Speedy to learn more about solutions for your business that are quick and easy to adopt, increasing efficiency and growing profits virtually overnight.

Christine Speedy, CenPOS authorized reseller, 954-942-0483 is based out of South Florida and NY. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

Installment Prepayments Credit Card Processing Rules Change 2017

Installment prepayment credit card processing rules change effective October 2017 will impact business profits and chargeback risk. Everyone in the payment ecosystem has or will need to make changes to comply, including acquirer, issuer, payment gateway, merchant, and sometimes software solution.

payment gateway SaaS recurringInstallment prepayment credit card processing best practices:

  • When capturing card data to create a random token replacing sensitive data for the first time, perform an Account Number Verification Transaction via a Zero Dollar Authorization. There’s a payment gateway procedure, including using specific transaction indicator, for this. If the solution you’re using performs a $1 authorization, often with a void or reversal after, that’s because the payment gateway, and or the implementation, are out of date and don’t support current requirements. Ask how yours works and contact us for help now if you cannot do a zero dollar authorization!
  • Payment gateway to identify all future transactions after storing:

With an indicator that shows that the Transaction is using a Stored Credential
– With the Transaction Identifier of the initial Transaction.

  • The sales receipt must include phrase “recurring transaction”
  • A convenience fee cannot be charged on an Installment Transaction.
  • Transactions cannot be key entered into desktop terminals; a cloud based payment gateway is required

Guidelines and rules vary by card brand, business type and many other factors. Additionally, the rules are complicated. This article may oversimplify such complexities. Merchants are advised to use tools, including intelligent payment gateways, to help comply automatically to maximize profits and mitigate risk.

Reference: For example, read Visa Stored Credential Transaction Mandates and also Visa Core RulesTable 5-21: Requirements for Prepayments and Transactions Using Stored Credentials.

Before selecting a payment gateway for installments, ask these questions:

  • How will it help with new Visa Stored Credential Mandates compliance?
  • Does it support 3-D Secure cardholder authentication, for customer initiated payment?
  • What type of digital record is created at the time of customer opt-in to terms, how is it retrieved, and how long is it retained?
  • Does it support Zero Dollar Authorization?
  • Does the receipt dynamically change based on type of transaction, i.e. cash, credit card single payment, installment payment etc.
  • Does it level 3 processing for commercial cards (if applicable to business type)?
  • If I change banks or payment processors, how will it affect my customers? My business?

TIP: An easy starting point to reduce the list of options is to ask any payment gateway what type of digital record is created at the time of creating an installment agreement, and how will you access it? Need help to get compliant? Contact Christine Speedy to learn more about solutions for your business that are quick and easy to adopt, increasing efficiency and growing profits virtually overnight.