According to Visa Core Rules, October 2014 page 266, Merchant Must Not Request the Card Verification Value 2 data on any paper Order Form. So how can a merchant get the CVV for card not present customers? Online payments, request a payment and electronic bill presentment and payment all solve the problem. Below are solutions possible with CenPOS, a merchant centric payment processing platform. Other payment gateways may not have the same functionality.
Online payments, passive:
- Secure hosted pay page is managed by the payment gateway so payment data never touches merchant web servers.
- Customers can store card data for charges to be applied later. In this case, the user registers, creating an account so they can manage payment methods including ACH, credit card and wire. A zero dollar authorization is performed when a credit card is stored, and CVV can be validated. Once validated, it’s never needed again, and therefore is never stored. A random token ID is generated, which both the cardholder and merchant can see, but neither will ever have access to sensitive data again. The cardholder can also update the expiration date, but if the CVV changes with a future card replacement, then a new token must be created.
- Customer can make payments for any amount without logging in.
Request a Payment or Electronic Bill Presentment and Payment (EBPP or EIPP), proactive.
-
Reduces accounts receivable friction.
- Non-Integrated – Merchants use the CenPOS EBPP portal to create the payment request, including optional invoice detail. The customer is sent a text and or email with a payment link.
- Integrated – same as above, except the invoice is sent from accounting or financial software such as ERP.
With EBPP, customers have a portal to pay multiple invoices, view payments, download invoices, and manage payment methods.
At a minimum, merchants with card not present customers should offer online payments as a way to enable customers to securely pay a bill. If a signature is required, have the customer print and sign the receipt, and email that authorization back, which is more valuable than traditional credit card authorization forms.
Need a secure solution but don’t want to change your merchant account? No problem. Contact Christine Speedy for secure, cost effective and efficient solutions.
Thoughtful ideas . I Appreciate the points ! Does anyone know where my assistant could possibly acquire a sample a form form to fill in ?
The point is to not use a paper form.
The only solution that automatically generates a PCI compliant form after the customer self-enters their card data, that I’m aware of is our CenPOS enterprise payment engine.