Hotel credit card authorization rules compliance fact check

Identify if your hotel is compliant with authorization rules impacting profits and risk in just a few minutes. Card absent rules for card acceptance changed dramatically since April 2017, and in particular for the hotel and lodging industry. Rather than detail the complexities from over one thousand pages of official card acceptance rules, here’s some easy ways to identify if you have a problem.

Any of these fees on merchant statement indicate authorization problems needing correction:

  • Misuse of authorization
  • Standard / STD (any)
  • EIRF
  • Data rate I, (any) i.e. Corporate Data Rate I
  • Chargeback reason: FRAUD TRANS-NO CARDHOLDR AUTHORIZATION
  • Chargeback reason: Compliance

All bullet items have avoidable penalty fees due to authorization issues. Any time that happens, you pay penalty merchant fees and risk chargeback. Even if you usually win chargebacks, it’s an inefficient use of time. This quick fact check is just a tiny piece of rules changes I’ll help you get compliant with.

MasterCard began charging a 0.25% penalty fee, on top of other fees, in 2018 for non-compliance with Final Authorization.

How can merchants fix authorization problems? Transaction management technology, including for managing authorizations. Most problems are due to payment gateway limitations, but could also be outdated or improper payment gateway integration, or some specific piece of software limiting payment gateway functionality. Payment gateways often struggle just like merchants to keep up with the fast pace of changes in payment processing, so while the solution still works, it’s just not helping merchants to maximize profits and minimize risk.

Our suite of cloud commerce solutions solves authorization and data breach risk from credit card authorization form problems:

1.       Sales invoices, deposit needed. Sales can push out deposit request via text or email; customer self-pays, authenticates identity, and stores card (if needed). This is a much more professional interaction. Nobody likes paper credit card authorization forms due to risk of identity theft.

2.      Direct bill accounts. With our quick invoicing, accounting can upload an invoice and we take over the delivery, payment collection, security, authentication etc.

3.     Third party authorization form. Forget the paper. Our online form checks all the boxes you need to get compliant with card acceptance rules, protect against fraud, reduce PCI Compliance scope, and mitigate data breach risk.

Available as SynXis integrated solution or standalone. Keep your current Point of Sale service provider. Our solutions fix problems that haven’t been addressed for a decade- getting cardholder data out of the hands of employees and systems while shifting fraud liability risk to issuers. Plus, our optional 2-Way texting is a game changer for Guest Services, concierge, and sales.

Still not sure?

  • Quick and easy to get started.
  • No capital investment.
  • Proven to boost customer satisfaction via follow up surveys and increased sales.
  • Differentiate your brand with higher security.
  • Highest PCI compliance security certifications
  • GDPR compliant
  • Since the issuer is guarantees payment with cardholder authentication, it’s actually cheaper to process some credit cards!

What are you waiting for?

Call Christine Speedy, PCI Council QIR certified, for hotel Online Credit Card Authorization Form solutions at 954-942-0483, 9-5 ET. CenPOS authorized reseller based out of South Florida and NY. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

Online credit card authorization form

An online credit card authorization form enables a business to charge a credit card one-time or for recurring purchases. Looking for a PCI Compliant authorization form meeting 2018 and 2019 standards? Read on.

Online credit card authorization form options:

Hosted pay page. The merchant directs customers to web page to pay any invoice or store card for future payment online. For maximum reduced PCI burden, send customers directly to the 3rd party payment gateway web URL. The gateway may or may not be the same as your processor. NOTE: If hosting on your own web site with an embedded payment (iframe) object, acceptable implementation methods for PCI requirements have changed;  any old forms should be updated.

Electronic Bill Presentment & Payment. (EBPP or EIPP) This is basically a proactive version of the above. Log in to a gateway web portal, and send a payment request via text or email which the customer clicks and pays. Whether integrated or standalone, we have options to include the invoice as an attachment. No login required to make a payment, but a customer portal is also included.

All the major payment gateways include a Virtual terminal, hosted pay page, and shopping cart checkout capability, tokenization to store card data for future orders. Some, including CenPOS also offer EBPP. So how do you differentiate your choices?

Critical elements online credit card authorization form:

  1. Must not be able to decrypt and view the security code and or sensitive cardholder data.
  2. If only authorizing and not capturing (settling) final amount immediately, must comply with Visa 5.8.3.1 Authorization Amount Requirements. The Merchant must use the Estimated/Initial Authorization Request indicator for the first transaction,
    then the Incremental Authorization Request indicator for interim if applicable, and Final Authorization Request indicator when closing out the transaction; the same Transaction Identifier must be included for all Authorization Requests. A reversal of extra funds must be completed within 24 hours of final settlement. These are tough questions the average salesperson probably can’t answer. Work with a professional that knows the rules.
  3. Stored cards. Are you storing cards for any type of ongoing charges?
    PCI Compliant credit card authorization form

    Partial PCI Compliant stored credential authorization form.

    Comply with Visa Rules Table 5-20: Requirements for Prepayments and Transactions Using Stored Credentials. There are too many variables to list here so I recommend downloading the rules and getting familiar or call us to save time. When capturing card data for the first time:

    • Obtain express consent per specifications for your refund and cancellation policies, how you’ll use the stored card, when your agreement expires and how the Cardholder will be notified of any changes to the agreement.
    • Perform a cardholder verification either via transaction or zero dollar authorization with the proper indicator.
    • This is a change! Two transactions occur when capturing cardholder data for the first time. Technical part can be handled by a payment gateway that supports it, but other elements are left to you.
    • Provide a stored card receipt to customer.
  4. 3-D Secure cardholder authentication. For example, Verified by Visa. Merchants register for 3-D Secure with their acquirer; always consult with the payment gateway first for instructions and to confirm they’re registered to offer service. Friendly fraud liability, “it wasn’t me, I didn’t authorize it”, shifts to the issuer and some cards with qualify for even lower rates because there is lower risk to the issuer. Because there are many parts to any transaction, including acquirer and issuer communications, plus continually changing rules, it’s possible that it will not be invoked.

Online Credit Card Authorization Forms and Qualified Rates

Most cards, except regulated debit, can qualify for multiple rates depending on how the transaction is submitted. For example, MasterCard World card rates:

Rate Name Rate Qualified Rate Reason
Standard 2.95% + $.10 Not all criteria met for another rate.
Merit I 2.05% + $.10 Key-entered or ecommerce and valid authorization + other criteria met.
Full UCAF 1.87% = $.10 Ecommerce; Cardholder authentication and other criteria met.

To qualify for UCAF, the customer must initiate payment and all the other rules must be met, which is not always easy, especially for B2B. Note, ‘ecommerce’ includes online paypage and other electronic payment channels the customer initiates.

Call Christine Speedy, PCI Council QIR certified, for Online Credit Card Authorization Forms at 954-942-0483, 9-5 ET. CenPOS authorized reseller based out of South Florida and NY. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

Christine offers more than one solution so that you have the best for your business type and needs.

Hotel Third Party Authorization Form Alert

The best hotel third party authorization forms are fully compliant with card brand rules to mitigate chargeback risk, especially for friendly fraud, where cardholder claims they did not authorize the transaction. Fraud liability can be shifted nearly one hundred percent with best practices, plus risk of data breach from employee and other access to card data can be mitigated. Avoid the paper and digital credit card authorization form problems perpetuated by misinformation from people and incorrect internet postings.

Paper credit card authorization forms are dead.

Per Visa Core rule 5.4.2.5, October 2017, a US merchant or its agent must not Request the Card Verification Value 2 data on any paper Order Form. Update, in October 2018, the rule is now in section 5.4.3.1, Merchant Use of Account Number, Cardholder Signature, Card Verification Value 2 (CVV2), or Stored Credential.  I could go on about all the PCI compliance and data breach risk problems related to credit card authorization forms, but because only 3-D secure cardholder authentication, which requires cardholder initiate payment, shifts friendly fraud liability for card not present transactions, there’s no valid reason not to change procedures. Get the cardholder data out of the hands of employees and networks. Secure document services where sensitive cardholder data can be viewed, or decrypted and viewed, for use in another solution are not PCI Compliant.

Web-based third party authorization forms are best for card absent compliance.

More than just PCI compliance, a myriad of rules changes since 2017, and continuing into 2019, impact every hotel. Everyone must change to comply and it’s not automatic. For example, you’re getting a sales deposit, and will definitely or will possibly charge more later. There’s a new set of transaction data standards which include estimate, incremental, and final authorization. While the technical piece is handled by payment gateways, not all have made the modifications required. Additionally, some elements are left to merchants to manage.

  • Comply with Visa 5.8.3.1 Authorization Amount Requirements.  The Merchant must use the Estimated/Initial Authorization Request indicator for the first transaction,
    then the Incremental Authorization Request indicator for interim if applicable, and Final Authorization Request indicator when closing out the transaction; the same Transaction Identifier must be included for all Authorization Requests. Don’t accept an authorization online and then swipe or dip the same card later unless your card present system can tie back to the initial authorization.
  • Stored cards. Are you storing cards for ongoing charges? Comply with Visa Rules Table 5-20: Requirements for Prepayments and Transactions Using Stored Credentials. There are too many variables to list here so I recommend downloading the rules and getting familiar. Two keys when capturing card data for the first time:
    • Obtain express consent per specifications for your refund and cancellation policies, how you’ll use the stored card, when your agreement expires and how the Cardholder will be notified of any changes to the agreement.
    • Perform a cardholder verification either via transaction or zero dollar authorization with the proper indicator.
    • This is a change! Two transactions occur when capturing cardholder data for the first time. Again, technical part can be handled by a payment gateway that supports it, but other elements are left to you.

Hotel third party authorization form solutions.

Contact me for solution that works standalone or integrated with SynXis. Shift friendly fraud liability and potentially qualify transactions for better rates with your existing merchant account. That’s because non-compliance with various rules can result in higher fees.

Here’s some key elements if the initial authorization is not the final authorization. Terminology:

  • PCI compliance- short for Payment Card Industry Data Security Standards. All businesses are mandated to comply with rules which are outlined on the PCI Security Standards Council web site.
  • 3-D secure (3D Secure) is a global XML-based protocol designed to be an additional security layer for online credit and debit card transactions. Each card brand has their own version. For example, Verified by Visa. Merchants register for 3-D Secure with their acquirer; always consult with the payment gateway first for instructions and to confirm they’re registered to offer service. 3-D Secure is invoked automatically by the payment gateway which then based on issuer response may or may not prompt for additional information to authenticate the cardholder.  Friendly fraud liability, “it wasn’t me, I didn’t authorize it”, shifts to the issuer. Because there are many parts to any transaction, including acquirer and issuer communications, plus continually changing rules, it’s possible that it will not be invoked.
  • Link to Visa and all card brand Rules.

Call Christine Speedy, PCI Council QIR certified, for global sales. 954-942-0483, 9-5 ET, CenPOS authorized reseller based out of South Florida and NY. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

Visa Stored Credential Mandate Overview

How can merchants get compliant with the Visa Stored Credential Transaction framework and mandates effective October 14, 2017? Most companies are under the false impression that their acquirer and or payment gateway manages compliance. Not true. While some technical aspects are managed by the payment gateway, the merchant also has to make some changes for compliance.

What is a Stored Credential? A stored credential is information (including, but not limited to, an account number or payment token) that is stored to process future purchases for a cardholder.

What is the Visa Stored Credential framework and mandate? It outlines the rules related to storing and using stored credentials. Since it’s 15 pages long, I’ll only highlight a few important items here.

  • Merchant initiated or customer initiated transactions? Make sure your payment gateway is sending the correct code. For example, an ecommerce store checkout would be customer initiated. A recurring billing transaction is merchant initiated.
  • Get customer consent for terms and conditions of storing and using stored card.
  • Advise how the cardholder will be notified of any changes to the consent agreement.
  • For a transaction using a stored credential initiated by the cardholder, the merchant or its agent must validate the cardholder’s identity before processing. The only valid methods are 3-D Secure Verified by Visa and the security code.
  • Receipt must be provided for the initial cardholder validation ($0 dollar transaction or actual amount.)
  • All stored credential transactions must be submitted with a value of “10” in the POS Entry Mode Code field; this is for both newly stored cards and all prior transactions using stored credential. This is managed by the payment gateway. (Confirm your gateway is doing this.)

What about the other card brands? Mastercard rolled out their version in June 2018. If you comply with the Visa mandate, you’ll be in compliance with any others at this time.

What if I don’t comply?

  • You’ll be non-compliant with Visa’s rules and risk Non Compliance Assessments
  • No benefit from expected improved authorization rate
  • Increased customer complaints and poor cardholder experience
  • Cannot use Real Time Visa Account Updater service
  • Risk issuer generated chargebacks for all transactions using the stored credential within the allowable chargeback timeframe under reason code 72, invalid authorization. A valid authorization is needed to qualify for the lowest interchange rates.

What are the benefits of compliance? Increased authorizations, better customer experience, more profits.

See Improving Authorization Management for Transactions with Stored Credentials https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf . Are you going to manage documenting everything or are you going to use technology to help you manage it?

partial stored credit card authorizationform

Partial CenPOS PCI Compliant stored credential authorization form.

Verify if you have a system to manage authorization validity. What the heck does that mean? Many companies have complex needs including pre-authorizations, incremental authorizations, delayed shipping etc. While you may get issuer approvals, that doesn’t mean the authorization is valid. Are you compliant now? Look at your merchant statement ‘pending interchange fees. If you see  EIRF or STD or misuse of authorization fee, there’s a problem.

Replace paper credit card authorization forms, and any digital form that you can decrypt and view sensitive card data. Offer your customers a way to self-manage their own wallet with either a hosted online pay page or Electronic Bill Presentment & Payment.

New to online payments? See Visa best practices to prevent brute force attacks. https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html. CenPOS includes recaptcha and client managed velocity and other rules as part of a layered security approach.

Register for 3-D Secure, including Verified by Visa, with your acquirer. Don’t do this until you know which payment gateway will be used and get their instructions if applicable.

interchange rate qualification

The same transaction can process at different rates as shown above, depending on which rules you follow. CenPOS Smart Rate Selector automates compliance to qualify transactions at the lowest rate possible. Which rates are on your merchant statement now?

Where can I buy CenPOS or learn more? You’ve already found one of the top salespeople, Christine Speedy. All agreements are direct with CenPOS, no middle man.

Resources and documentation https://3dmerchant.com/blog/merchant-bulletins-downloads – bookmark it!.  Join Christine Speedy’s email list.

DISCLAIMER: condensed and incomplete information! Information may be quickly outdated.

With the fast pace of changing rules, companies need a technology partner to automate compliance. Did you know?

  • CenPOS has a suite of solutions for companies just like yours, solving common problems and increasing profits virtually overnight.
  • For those not ready to give up paper, CenPOS creates a printable PCI Compliant credit card authorization form for every stored card.
  • CenPOS has ERP, ecommerce shopping cart, accounting and other plug-in modules available for quick and easy implementation.
  • I’ve been selling for CenPOS since day 1. Though I have other payment gateways available in my arsenal, nothing else compares.

Call Christine Speedy for global sales. 954-942-0483, 9-5 ET, CenPOS authorized reseller based out of South Florida and NY. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

Insiders Cause More than 50% of Data Breaches, Reveals Netwrix IT Risks Report

In terms of main threat actors, expectation rarely matches reality, because most incidents were caused by insider mistakes rather than hacker attacks, as assumed by most respondents.

IRVINE, Calif., Oct. 2, 2018 /PRNewswire/ — Netwrix Corporation, provider of a visibility platform for data security and risk mitigation in hybrid environments, today announced the release of its global 2018 IT Risks Report. This year, Netwrix conducted an in-depth study of the major IT risks that are significant for most organizations and assessed respondents’ readiness to withstand cyber threats.

The report is based on the feedback of 1,558 organizations of various sizes from many different regions and industries. It summarizes the experiences and plans the organizations have in regard to addressing six IT risks: physical damage, intellectual property theft, data loss, data breach, system disruption and compliance penalties.

The report reveals the following key findings:

  • Most companies consider hacker attacks to be the most dangerous threat, but in fact, insiders cause the majority of security incidents by either malicious or accidental actions.
  • Not all critical security controls are reviewed regularly as required by best practices. The most neglected controls include getting rid of stale and unnecessary data and conducting data classification. These controls are exercised rarely or never by 20% and 14% of organizations, respectively.
  • Although 70% of companies have done IT risk assessment at least once, only 33% re-evaluate their IT risks regularly.
  • 44% of respondents either do not know or are unsure of what their employees are doing with sensitive data.
  • Nonetheless, over 60% of respondents think that their level of visibility is high enough, which lulls them into a false sense of security.
  • Only 17% of organizations have an actionable incident response plan; 42% have only a draft or have no plan at all.

“Our report illustrates that the foremost reason why the organizations fail to address major IT risks lies in a lax approach to security basics. They are giving priority to some controls and are leaving the most important ones out of scope. Haphazard approach to security basics and poor visibility into sensitive data gives IT pros a false sense of security. However, paying more attention to all security basics can help organizations manage IT risks with more success,” said Steve Dickson, CEO of Netwrix.

To learn more about the IT risks organizations face today, please visit: www.netwrix.com/go/it_risks_in_2018.

About Netwrix Corporation

Netwrix Corporation is a software company focused exclusively on providing IT security and operations teams with pervasive visibility into user behavior, system configurations and data sensitivity across hybrid IT infrastructures to protect data regardless of its location. Over 9,000 organizations worldwide rely on Netwrix to detect and proactively mitigate data security threats, pass compliance audits with less effort and expense, and increase the productivity of their IT teams.

Founded in 2006, Netwrix has earned more than 140 industry awards and been named to both the Inc. 5000 and Deloitte Technology Fast 500 lists of the fastest growing companies in the U.S.

For more information, visit www.netwrix.com.