Hotel Third Party Credit Card Authorization Form Alert

Is your hotel third party authorization form compliant with both Payment Card Industry Data Security Standards (PCI) compliance and card network acceptance rules? Beware solutions that are neither, risking an expensive data breach, lost reputation, and reduced profits. Due to significant rules changes in 2017, hotel management and hospitality advisors must adopt new technology solutions to comply.

Shifting from a paper credit card authorization form to a digitally signed cloud form often fails to meet intended goals to prevent fraud and increase security. For example, some digitally signed third party credit card authorization form solutions authenticate the cardholder with address and security code verification. Authorized merchant employees access and decrypt the signed document, then key-enter the cardholder data into another system for subsequent authorizations. The document containing PAN and security code remains on file for some period of time.

“This method is rife with compliance problems, leaving hotels unprotected from friendly fraud, ‘it wasn’t me, I didn’t authorize’ and data breach risk”, per Christine Speedy, PCI Council QIR certified.

For instance, per PCI Compliance 3.2, the security code must not be stored after authorization, even if encrypted. Whether the security code can be stored prior to authorization is left by PCI to the card brands and acquirers. Per Visa Core rules, section 5.4.3.1, merchants cannot even ask for the Card Verification Value 2 (CVV2) from the Cardholder on any written form.
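One way to audit for the condition described above, a form on file that still holds a full PAN and a security code, is a text scan over stored documents. This is an added example, not code from the original article or any vendor; the field labels matched and the sample records are constructed assumptions.

```python
import re

# Candidate PANs: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Assumed labels a form might use for the security code (not taken from the page).
CODE_RE = re.compile(
    r"\b(?:cvv2?|cvc2?|cid|security\s+code)\b\D{0,10}(\d{3,4})\b", re.I)

# Constructed sample: a signed form kept on file with PAN and security code.
NONCOMPLIANT_FORM = (
    "Cardholder: J. Sample\n"
    "Card number: 4111 1111 1111 1111\n"   # well-known test number
    "Exp: 12/27\n"
    "CVV2: 123\n"
)
# Constructed sample: a record that keeps only a masked PAN and a gateway token.
TOKENIZED_RECORD = (
    "Cardholder: J. Sample\n"
    "Card: ************1111\n"
    "Gateway token: tok_constructed_0001\n"
)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to discard digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_form(text: str) -> dict:
    """Report full PANs (masked in the output) and any stored security code."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            # Never echo the full number: keep first six and last four only.
            pans.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return {"masked_pans": pans,
            "security_code_present": CODE_RE.search(text) is not None}


if __name__ == "__main__":
    for name, doc in (("form", NONCOMPLIANT_FORM), ("token", TOKENIZED_RECORD)):
        print(name, scan_form(doc))
```

The scan works on extracted text, so scanned images or encrypted documents need to be decoded by an authorized process before they can be checked.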

A series of card not present acceptance rules changes are driving an urgent need for hotels to update. These significant changes include the process to store cards, use stored cards, and obtain authorizations. All this means that whatever worked in the past is no longer valid today. In the digitally signed form example, there’s no relation between the initial cardholder authentication transaction and any future authorizations. However, if done properly, the issuer would have returned a response acknowledging the merchant notification that they’d gotten permission to store the card; future authorizations would include that response.

Hackers continue to target the hospitality industry and they’ve been quite successful. With 338 breaches in the 2018 Verizon Data Breach report, the accommodation sector ranks in the top three of most incidents and breaches. InterContinental Hotels Group, Marriott International, Radisson Hotel Group, Hilton, and Hyatt have all had breaches as have suppliers to the industry like Sabre Hospitality. If you know you’re going to be attacked, why not eliminate employee access to cardholder data completely?

How can hotels better protect against card not present credit card fraud? 3-D Secure is a global protocol designed to be an additional security layer for online credit and debit card transactions. By combining a web-based authorization form with 3-D Secure cardholder authentication, including Verified by Visa, fraud liability shifts to the issuer, much like EMV chip shifts liability to the issuer. By using a payment gateway to manage initial and subsequent authorizations, with the capability to invoke 3-D Secure, merchants mitigate chargeback risk and avoid the time-consuming process of fighting to get their money back after they occur. As a bonus, some issuers support reduced interchange rates, the bulk of credit card processing fees, when 3-D Secure is invoked. No cardholder data is ever visible to employees.

With every part of the payment ecosystem needing to make changes, from card issuer to acquirer (merchant account processor) to payment gateway, it’s inevitable that there will be gaps in compliance. Non-compliance with rules can result in fines, penalty fees, and removal from card acceptance.

Key questions to ask when evaluating hotel third party credit card authorization solutions:

  • Is the security code ever stored?
  • Is 3-D Secure supported?
  • Is it compliant with the Visa stored credential mandate, including unscheduled credential on file?
  • After the initial authorization, are subsequent authorizations submitted with retail, MOTO (telephone order), or e-commerce transaction type?

Correct Answers: no, yes, yes, MOTO

Call Christine Speedy, PCI Council QIR certified, for PCI compliant web-based third party authorization forms and other hotel payment technology to make your business more profitable and secure. 954-942-0483, 9-5 ET.

Elavon Acquires CenPOS, Enhancing Elavon’s Digital Capabilities, Integrating Payments into CenPOS Software

MINNEAPOLIS–(BUSINESS WIRE)–Elavon, a global payments provider and subsidiary of U.S. Bancorp, has acquired CenPOS, a Miami-based company offering integrated payment software solutions to large enterprises.

CenPOS focuses on three industry verticals: automotive, travel and entertainment (T&E), and general business-to-business transactions, which aligns well with Elavon’s strengths. In addition, CenPOS’ distribution strategy and product capability complement Elavon’s assets, all of which make the two entities an excellent fit.

Increasingly, business owners expect that the software packages they use to run their businesses will come with payments acceptance and processing embedded in the software offering. Elavon is paving a way to future growth by integrating with these software packages.

“Elavon recognizes the tremendous potential we have to bring greater value to our customers by integrating with software companies like CenPOS,” said Jamie Walker, CEO of Elavon. “More and more, businesses are choosing their payment provider based on the software solutions they use to manage other parts of their operations. With this acquisition, customers of both companies will benefit from the strengths and opportunities these organizations offer in important industry segments.”

“The CenPOS team is elated to join Elavon,” said Jorge Fernandez, CEO, who cofounded CenPOS with German Gonzalez. “Elavon’s suite of payment products, coupled with the stability and array of financial offerings from U.S. Bank, gives CenPOS an unparalleled competitive edge in the market. Likewise, CenPOS’s technology brings new market expertise to Elavon’s current technology solutions.”

U.S. Bank has a long history in payments, with scale and deep experience that offer a unique value to customers. Elavon accepts and processes payments on behalf of more than a million businesses in the United States, Canada, Mexico and Europe. Adding CenPOS to the U.S. Bancorp family will provide even greater scale and payments capabilities.

The acquisition closed on January 8, 2019. Financial terms of the deal were not disclosed.

Elavon provides end-to-end payment processing solutions and services to more than 1.3 million customers in the United States, Europe, Canada, Mexico, and Puerto Rico. As the leading provider for airlines and a top five provider in hospitality, healthcare, retail, and public sector/education, Elavon’s innovative payment solutions are designed to solve pain points for businesses from small to enterprise-sized.

U.S. Bancorp, with 74,000 employees and $465 billion in assets as of September 30, 2018, is the parent company of U.S. Bank, the fifth-largest commercial bank in the United States. The Minneapolis-based bank blends its relationship teams, branches and ATM network with mobile and online tools that allow customers to bank how, when and where they prefer. U.S. Bank is committed to serving its millions of retail, business, wealth management, payment, commercial and corporate, and investment services customers across the country and around the world as a trusted financial partner, a commitment recognized by the Ethisphere Institute, which named the bank a 2018 World’s Most Ethical Company. Visit U.S. Bank at usbank.com or follow on social media to stay up to date with company news.

EMVCo Updates EMV 3-D Secure Specification

Enhanced specification further promotes frictionless authentication for e-commerce transactions, providing additional benefits for both merchants and consumers

14 December 2018 – EMVCo today announces the publication of the EMV® 3-D Secure Protocol and Core Functions Specification v2.2.0. The updated specification includes enhancements to promote an optimised consumer experience while supporting new authentication channels when making e-commerce transactions.

EMV 3DS is a messaging protocol that promotes frictionless consumer authentication and enables consumers to authenticate themselves with their card issuer when making card-not-present (CNP) e-commerce purchases. The additional security layer helps prevent unauthorised CNP transactions and protect the merchant from exposure to CNP fraud.

EMV 3DS specification version 2.2.0 builds upon the current specification version 2.1.0 which is available today on the EMV 3DS Test Platform, enabling 3DS product providers to confirm that their solutions will perform in accordance with the specification. Support of v2.1.0 is required in order to implement v2.2.0. Key updates within version 2.2.0 include:

  • Improved communication between merchants and issuers, enabling Europe’s Second Payment Services Directive (PSD2) exemptions for Strong Consumer Authentication to be applied. While the previous version of the EMV 3DS Specification enables PSD2 compliance, the latest updates provide additional features for merchants and issuers to maximise the benefit of the available exemptions.
  • Two new features to enable authentication for various payment scenarios including mail order and telephone order transactions:
      o 3DS Requestor Initiated (3RI) payments – enabling a merchant to initiate a transaction even if the cardholder is offline.
      o Decoupled authentication – allowing cardholder authentication to occur even if the cardholder is offline.
  • Expansion of existing data elements to promote communication of pre-checkout authentication events and associated data as part of the EMV 3DS transaction from systems such as those supporting the FIDO Alliance standards.

These enhancements are available if all 3DS components involved in the transaction have updated their software to support v2.2.0.

“EMV 3DS exists to promote secure, consistent consumer authentication for e-commerce transactions across all channels and connected devices, while optimising the cardholder’s experience,” comments Stephanie Ericksen, Chair of the EMVCo Executive Committee. “Our work in this area continues to evolve to ensure we respond to new marketplace requirements. EMVCo continues to encourage the payments community to get involved and provide feedback on the EMV 3DS activity.”

Earlier this year EMVCo announced the availability of the full EMV 3DS Test Platform, which enables the functional testing of EMV 3DS solutions. Letters of Approval are currently being issued for those 3DS products that have successfully tested against version 2.1.0. A list of approved products can be found on the EMVCo website. Products submitted for EMV 3DS v2.2.0 compliance testing will also be tested against EMV 3DS v2.1.0 to receive an EMV 3DS v2.2.0 Letter of Approval. Testing support for version 2.2.0 is expected to be available mid-2019. Progress updates will be posted on the EMVCo website.

To stay informed of the latest EMVCo developments and receive advanced access to EMV Specifications and related documents, join the EMVCo Associates Programme or become a Subscriber.

Credit card authorization form template alert

Searching for a credit card authorization form template? Maybe a PCI compliant form or a Microsoft Word compatible template? Stop! If your web browser is not up to date, just landing on the web site that has the form might introduce malicious code into a company’s systems and network, leading to a future data breach.

Businesses should be replacing traditional credit card authorization forms with other payment methods where the customer self-pays:

  • Hosted pay page
  • Push out a payment request via text or email

Per Visa, merchants are never allowed to ask for the security code on paper. Merchants also cannot store the form with full card numbers. Paper forms increase the risk of fraud and identity theft, and nobody likes them!

What are the benefits of customer initiated payments?

  • Reduced merchant fees for some cards (3-D Secure cardholder authentication such as Verified by Visa must be enabled.)
  • Increased approvals with cardholder authentication.
  • Mitigate chargeback risk – with 3-D Secure cardholder authentication, fraud liability shifts to issuer.
  • More convenient for buyers: 24/7 payments on their schedule, not yours.
  • Buyers are in control of choosing to store payment methods

How do you choose the best solution? Here are some of our product differentiators:

  • PCI Compliant credit card authorization form generated automatically, should you have a need to get a signature to terms for storing and using stored cards.
  • 3-D Secure cardholder authentication supported.
  • Choose any acquirer.
  • Automated interchange management, including level 3 processing for business to business (B2B) and business to government (B2G), to reduce fees and maximize profits.
  • If preauthorizations are needed, ongoing authorization management is critical and we do that automatically.

Call Christine Speedy, PCI Council QIR certified, for simple solutions to complex payment transaction problems, 954-942-0483, 9-5 ET. CenPOS authorized reseller based out of South Florida and NY. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.