Small Business Merchant Security Mandate

Posted on April 3, 2018 by Christine Speedy

Small businesses are at high risk of a credit card data breach. To stem the tide of breaches, effective January 31, 2017, all level 4 merchants were mandated to only use Qualified Integrator & Reseller (QIR) for Point of Sale (POS) applications or terminal installation, integration or maintenance.The Payment Card Industry Data Security Council provides certification and maintains the official list of certified QIR people. Any entity that installs Point of Sale in conjunction with a payment application must put at least one representative through the QIR training/qualification process.

What’s a level 4 merchant? Visa’s Level 4 merchant category encompasses businesses that process fewer than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions, regardless of channel, per year. Visa has estimated this covers approximately 5 million merchants.

What is QIR Qualification? From the PCI Council:

QIR qualification is a set of requirements put in place by Visa for acquirers in an effort to ensure that small merchants are able to implement and maintain a secure Point of Sale environment. QIR qualification provides an opportunity for POS Providers (both VARs and ISVs) to receive training and subsequent qualification on the secure installation of PA-DSS validated payment applications into merchant environments so that said merchants can maintain ongoing PCI compliance. Many data breaches from past years could have been avoided if not for incorrect installation/maintenance of payment application and on-site merchant networks, so QIR qualification was implemented to ensure that only skilled/trained installers are installing payments products.

Who must be QIR certified? Anyone who touches something impacting the cardholder data environment, excluding internal employees. That could be the a Value Added Reselller (VAR) to a POS application. Or it could someone installing something from one of thousands of independent software vendors (ISVs) who provide payment applications that fall under the auspices of the PCI Security Standards Council’s Payment Application Data Security Standard (PA-DSS). People, not companies, are QIR certified, but all individuals are listed under company names.

The exam is tough. If you fail, there’s no feedback. Applicants must go back and study more, pay more, and retake the test. Annual continuing education is required to maintain certification. When I completed my exam, there were 452 certified in the world. Today, it’s 450, as two expired and did not complete renewal process.

Not enough companies are in compliance. It was $395 to take the exam and $150 to retake the exam until March 2018, plus ongoing annual recertification fees after year two. The PCI Council recently announced a change so it’s $100 for 3 attempts, plus $100 annually, in an attempt to get more people certified.

In my experience, most people involved in the payments process do not have the knowledge to complete an installation, or provide maintenance, unless they’ve been QIR certified. In my opinion, the longer they’ve been doing it, the more likely they are to use outdated techniques that put merchants at risk of a data breach. The same is true for application developers. There’s a ton of ‘trusted’ companies out there that integrate payments into web sites and other applications. They have a lot of experience. But payment processing is a moving target of complex security changes. Without specific training, including going through process of PA-DSS application certification, too many businesses are at risk.

Why should card not present merchants use QIR certified individuals? The QIR training encompasses all aspects of payments, including servers, networks etc. The QIR trained person is more likely to probe and identify potential weaknesses in any cardholder environment.

Why should level 1, 2, 3 merchants use QIR certified individuals? In my experience, there are weaknesses in businesses of every size. I can find a compliance problem in virtually any business. The key is to minimize risk and have a plan for continuous improvement.

Call Christine Speedy, QIR certified payments professional, right now at 954-942-0483, 9-5 ET.

Credit card surcharge rules and laws 2020

Posted on March 21, 2018 by Christine Speedy

Credit card surcharging is very complex, as the rules cross multiple card brands and terms of acceptance. Here’s an updated review of who can surcharge, what card types, and checklist of how to roll out credit card surcharge at your company. The answers are targeted for business to business merchants, my area of expertise.

What is a credit card surcharge?

Surcharge is any fee charged by a merchant for the use of a card.

Card brands agree on this for surcharging:

Brand level – Surcharge must be the same fixed or variable for all Brands (example, Visa, MasterCard) credit card transactions;
Product level – Surcharge must be the same for all specific Product, for example, signature rewards cards or commercial cards, regardless of issuer or card brand.
Merchant Discount Rate is the fee, expressed as a percentage of the total transaction amount that a Merchant pays to its Acquirer or Service Provider for transacting on a Credit Card brand. In short, it’s typically all the fees on your merchant statement EXCEPT PCI compliance, terminal rental fees or any other special fee that is not paid via the mechanism of the per-transaction merchant
discount fee.
The Surcharge amount must be submitted separately (in the defined surcharge field) from the Transaction amount in the authorization and clearing message.
The receipt must list the surcharge amount separately.
If the original transaction has a partial or full refund, the surcharge amount must all be refunded proportionally.
Surcharge on debit or prepaid cards is prohibited for all merchants.To ensure compliance use a payment gateway that can identify the card brand and type of card to allow surcharges only on eligible cards.
The fee must be relative to their average cost of card acceptance.

How much can a merchant surcharge?

In short, surcharging is allowed to cover costs, not to make a profit. Let’s face it, based on the rules above, to simplify implementation, merchants will surcharge at the brand level because they lack the technology to discern between product types on a per transaction basis. Taking all that into account what can you surcharge?

By rule, must calculate average discount rate for the preceding one month or 12 months. Unless the last month was unusual for your business, you’re better off using the one month method because of rising and or new fees that occur during any rolling 12 month period. Calculate https://3dmerchant.com/blog/credit-card-processing-rates/effective-rate-calculator
Cannot exceed Maximum Surcharge Cap, which is currently 4%. (My B2B readers would unlikely ever be able to charge 4%. If your effective rate is over 3%, pick up the phone and call 954-942-0483 now.)

Just because somebody offers it doesn’t make it right. Some companies are offering “free merchant accounts” by offsetting fees with 3.5% surcharge. The average B2B company has much lower than 3.5% effective rate so that is a violation of card acceptance rules, subject to penalty. See this article with free tool for calculating your average merchant discount or effective rate.

Surcharge checklist:

Notify card brands (Visa etc) in writing at least 30 calendar days before assessing a US Credit Card Surcharge; must state whether will surcharge at the brand level or product level.
1. https://www.visa.com/merchantsurcharging
2. http://www.mastercard.us/merchants/support/surcharge-disclosure.html
3. https://www.discoversurcharge.com
4. Amex- none required
For card not present orders, disclose verbally if telephone; for online orders minimum 10-point Arial font, but in any case no smaller or less prominent than surrounding text.
Receipt must be delivered with the surcharge as a separate line item.

Where are merchants prohibited from surcharging?

Ten states—California, Colorado, Connecticut, Florida, Kansas, Maine, Massachusetts, New York, Oklahoma and Texas—and Puerto Rico have laws on the books that prohibit merchants from charging consumers with surcharges on credit card transactions. However, due to federal and other court rulings, multiple states have backed away from the bans. New York agreed to allow them in January 2019, as long as certain requirements are met, which already exist in the card network rules. Only Kansas, Colorado, Connecticut, and Massachusetts have bans. The legislative intent in many of these states was to protect consumers, and not to restrict B2B surcharging.

In 2015, the 11^th U.S. Circuit Court of Appeals, a federal court, overturned Florida state law as being unconstitutional, allowing surcharges to legally continue in Florida and nine other states that had enacted bans against them. The case was a highly contentious 2-1 decision in which the court’s chief judge said the state surcharge bans (like Florida’s) were “being struck down by a federal court for no good reason.”
In December 2019, Oklahoma attorney general official opinion declaring the state’s no-surcharging law unconstitutionally restricts free speech.

Surcharge Laws Stories:

Texas Updated 2020 – https://faq.sll.texas.gov/questions/9631Senate Bill 560, which went into effect on September 1st, 2017, changed the laws relating to credit card surcharges. Previously, the Office of Consumer Credit Commissioner (OCCC) enforced the law on credit card surcharges, but that is no longer the case.
Florida update https://www.epgdlaw.com/are-credit-card-surcharges-legal-in-florida/
California update
https://oag.ca.gov/consumers/general/credit-card-surcharges
January 10, 2019 NY Update
https://www.natlawreview.com/article/parties-case-challenging-constitutionality-ny-no-credit-card-surcharge-law-jointly
NY Court of Appeals issues interpretation of no surcharge law https://www.consumerfinancemonitor.com/2018/10/26/ny-court-of-appeals-issues-interpretation-of-ny-no-credit-card-surcharge-law/
2018 Florida https://www.nbc-2.com/story/40273084/you-can-legally-be-charged-extra-for-using-a-credit-card
2018 case in California http://delfinomadden.com/credit-card-surcharge-ban/
2017 US Supreme Court & NY https://www.usatoday.com/story/news/politics/2017/01/10/supreme-court-new-york-credit-card-surcharge-price-speech/96391718/
http://fortune.com/2017/03/29/credit-card-charges-supreme-court-freedom-speech/
http://www.orlandosentinel.com/business/consumer/os-nsf-florida-credit-card-surcharges-20160706-story.html
https://www.ncsl.org/research/financial-services-and-commerce/credit-or-debit-card-surcharges-statutes.aspx

State statutes on surcharge laws

https://portal.ct.gov/DCP/Legal/Credit-Card-Surcharge
https://malegislature.gov/Laws/GeneralLaws/PartI/TitleXX/Chapter140d/Section28a

For more information, see Surcharge law resources under Merchant Alerts & Rules Links or contact your acquirer for accurate and current information specific to your situation. Neither Christine Speedy nor this web site provide legal advice. Consult an attorney for all your legal questions.

Does your company want to surcharge? Call Christine Speedy right now at 954-942-0483, 9-5 ET for a compliant solution. Please share your surcharge insights for others and ask any questions below. The information herein is based upon public information available at the time written and may change.

ICverify replacement

Posted on March 19, 2018 by Christine Speedy

The best ICVerify replacement for business to business, including manufacturers and distributors, is CenPOS. If yours just stopped working, you need to replace it now to comply with mandatory Payment Card Industry Data Security Standards (PCI compliance). This article outlines the steps to get started with a new web-based solution.

Don’t be afraid of changing credit card technology. It’s going to be easy. Both you and your customers will benefit.

Merchant fees will be lower. ICVerify is incapable of sending the data needed to qualify for the best rates.
If fraud is a concern, you’ll have greater protection with newer cardholder authentication tools.
Process transactions from all platforms, including laptops, PCs, smartphones and tablets with an internet connection.
Communicate the way your customers want – text or email. Text messages are sent from a regular landline, never individual mobile devices.

To get started:

Contact for consultation on the best way capture the cardholder data from your customers. Because we deal with this over and over again, in less than 5 minutes we can assess the situation and make the best recommendation.
Keep your merchant account or change? If you’re using ICVerify, you’ve probably had your merchant account for a long time. The credit card processing world has gotten more competitive over the years so expect lower merchant discount rates. If you’d like a review to see if alternative might be better and or cheaper, provide three consecutive merchant statements. Three are needed for underwriting, so it saves time later if you decide to change.

Once the initial decision above has been made, you’ll be provided the appropriate month to month payment gateway agreement. Depending on the recommended solution, you’ll be ready to go within 1 to 5 business days. Whatever you need, we can probably do it in the time required.

Do not wait. Acquirers are actively identifying the systems merchants are using to submit transactions, and when they find out you’re still using ICVerify, it will be shut down immediately and you will not be able to process transactions. It’s not PCI Compliant and they will not risk their compliance for you.

Ready to get started with CenPOS? Call Christine Speedy right now at 954-942-0483, 9-5 ET for a consultation. Sometimes available other hours and Saturdays so if you’re west coast, no worries, call any time!

CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

Which states ban credit card surcharging?

Posted on March 5, 2018 by Christine Speedy

Ten states, including California, Colorado, Connecticut, Florida, Kansas, Maine, Massachusetts, New York, Oklahoma, and Texas, plus Puerto Rico have laws that prohibit merchants from charging consumers with surcharges on credit card transactions. Minnesota prohibits a seller of goods or services that establishes and is responsible for its own customer credit card from imposing a surcharge on a purchaser who elects to use that credit card in lieu of payment by cash, check, or similar means. The language varies by state- B2B transactions may be excluded. Tread carefully, you may want to consult an attorney. Merchants are not allowed to surcharge debit cards in any state.

The EU banned consumer surcharging effective January 2018.

NOTE: Always check the latest post about surcharging for the most accurate information.

Surcharge rules are complex and require special technology to automate compliance management. Contact Christine Speedy, CenPOS authorized reseller, 954-942-0483 for assistance. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

3 Things CPA’s Must Advise B2B Clients in 2018

Posted on February 21, 2018 by Christine Speedy

Accountants offer professional advice regarding cash flow, accounts receivable, tax preparation and all sorts of other consulting. Credit card processing and all the compliance it encompasses introduced immense new compliance challenges in 2017, and it’s fair to say, most businesses have no idea what they are, or what the repercussions are. A big problem is people think it’s someone else’s responsibility to keep their business compliant. Every single merchant must make internal changes to comply.

Three things every B2B company needs to know about credit card processing right now:

If you store credit cards, you must be compliant with Visa Stored Credential Framework. This is arguably as huge as the retail shift to EMV chip card acceptance. There are significant financial and risk consequences for non-compliance. Some solutions companies reduce the compliance burden more than others, while maximizing profits and cash flow.
PCI Compliance mandate for TLS disablement will disrupt business, mostly starting right now, February 2018. Businesses need to ensure they’re servers, software (if applicable) and browsers are compliant, and also have an plan to help internal and external customers overcome issues trying to login to portals, make online payments etc.
It’s a Visa rules violation to request the card security code on a paper credit card authorization form, or any digital form where the business can decrypt and view it. It can’t be stored, period. Not by the merchant nor service provider, including payment gateway.

Why these 3 things? Because 100% of B2B companies I talk to will fail on at least one, and usually two or three. That includes CPA firms also. 86% of all data breaches in 2016 were from level 4 merchants, defined as “Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.” By complying with the three items on my list, B2B companies will harden their systems and increase profits. The latter occurs because compliance with rules reduces fees.

Example of solutions to solve these problems:

An intelligent payment gateway can automate compliance with many elements of the Visa Stored Credential Framework. Simply passing data as most payment gateways do is not enough.
Engage internal or external IT team to test all systems for TLS compliance, and verify at SSLlabs.com.
Empower customers to self pay via push (text or email), or pull (online hosted pay page) technology so that employees never have access to cardholder data again. Whatever the old justification for using paper forms with full card data, there is a technology solution that has negated the need.

Christine Speedy, CenPOS authorized reseller, 954-942-0483. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Card Not Present, CenPOS, credit card processing

B2B Cloud payment processing technology blog about increasing profits, efficiency and security.