VP2PE and Payment Card Industry Acronyms Revealed

What does it mean to be HIPAA, PCI Level 1, VP2PE, and QIR compliant in the world of credit card processing? Learn the lingo and know what certifications to verify when choosing a payment gateway or any solution that touches payments.

PCI DSS

If you accept credit cards, you must comply with Payment Card Industry Data Security Standards. There’s no exception. Anyone who advises that a solution means you don’t have any responsibility is dead wrong. The mission of the PCI Security Standards Council (PCI SSC) is to enhance payment account data security by fostering broad adoption of the PCI Security Standards. The organization was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. The council sets the standards; the card brands levy penalties and fines for non-compliance.

PCI Level 1 Service Provider

If a third party entity provides services for, or on behalf of a Merchant, and those services control or could impact the security of cardholder data or of transactions that are processed, that entity is a PCI Service Provider for the Merchant and falls within the Merchant’s scope of PCI DSS compliance. For example, if you accept payments online, the payment gateway is a PCI Service Provider. Or if you use a lockbox company, they must be certified. PCI Level 1 is the most common PCI Compliance certification for a service provider. You can verify if a service provider is compliant with Visa here https://www.visa.com/splisting/searchGrsp.do. If the company you’re doing business with is not on the list, ask questions.

PA DSS

If a software application controls or could impact the security of cardholder data or of transactions that are processed, then for PCI compliance merchants must only use payment applications that are certified to the Payment Application Data Security Standard (PA DSS). Examples are a lockbox company that processes transactions or a retail point of sale system. If payments are segregated from the application, then PA DSS does not apply. In my experience, this is a weak area for merchants because not all application providers understand their requirements; some will do the standard PCI scan and say they’re PCI Compliant, but in reality, they’re using a homegrown application to process transactions which they have not certified.

HIPAA

There is no Health Insurance Portability and Accountability Act (HIPAA) certification for service providers, and it does not fall under the purview of the PCI Council. However, a PCI Service Provider may choose to engage a third party auditor to attest compliance in order to better serve merchants in industries that require HIPAA compliance.

QIR

Organizations qualified by PCI SSC as Qualified Integrator and Reseller Companies (QIR Companies) are authorized to implement, configure, and/or support validated PA-DSS Payment Applications on behalf of merchants or service providers for purposes of performing Qualified Installations as part of the QIR Program. Level 4 merchants were a big portion of data breaches, so as of January 2017 they’re mandated to only use QIR certified individuals for their implementations and maintenance. Level 4 merchants are those with fewer than 20,000 Visa or MasterCard e-commerce transactions annually, and all other merchants processing up to 1 million Visa or MasterCard transactions annually. QIR applies to individuals; a company may have multiple people certified.

P2PE

Point-to-point encryption (P2PE) is a standard established by the PCI Security Standards Council. The objective of P2PE is to provide a payment security solution that instantaneously converts confidential payment card (credit and debit card) data and information into indecipherable code at the time the card is swiped to prevent hacking and fraud. It is designed to maximize the security of payment card transactions in an increasingly complex regulatory environment.

VP2PE

VP2PE is not an official acronym of the PCI Council for Validated P2PE, but it is descriptive. The P2PE Standard defines the requirements that a “solution” must meet in order to be accepted as a PCI validated P2PE solution. A “solution” is a complete set of hardware, software, gateway, decryption, device handling, etc. Validated solutions are listed on the PCI Council web site. They reduce PCI compliance scope and burden for merchants. For example, about 35 questions vs 359, and 4 sections instead of 12.

Today there are only 42 companies with 49 validated solutions in the entire world. Some of the solutions are only valid with a particular acquirer. For merchants seeking an agnostic VP2PE solution, the list gets very small.

CenPOS

CenPOS, a payment technology provider, has a Health Insurance Portability and Accountability Act (HIPAA) attestation from a third party external auditor across a broad range of payment solutions offered by the company. CenPOS is listed as a registered Level 1 Service Provider on the Visa web site, and is listed in the VP2PE solutions and QIR sections of the PCI Council web site. The CenPOS Validated P2PE solution is compatible with many acquirers. You can also find me, Christine Speedy, under QIR certifications when searching by name. (CenPOS is not a software application so is not listed as PA DSS.)

Christine Speedy, CenPOS Sales 954-942-0483, 9-5 ET is based out of South Florida and NY. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships. When you call Christine, there is no middle man; all agreements are direct with CenPOS. As one of the very first to sell for CenPOS, I have deep experience to help merchants understand benefits and get live fast.

ICVerify Replacement 2018

Need to replace ICVerify Software? It’s still in use in 2018, even though it was end of life back in 2015. This means any company using it is not PCI Compliant and likely has a non-PCI compliance fee of $19.95 per month on their monthly merchant statements. Alternatives are abundant for card not present and retail credit card processing, but none are comparable to CenPOS for meeting the needs of business to business (B2B) companies. authorize.net and others may be suitable options for other business types; call 954-942-0483 9-5 ET for a consultation.

What does ICVERIFY Software end of life mean?

First Data sales, product development and support have ended. Continued use of the product will invalidate a merchant’s PCI Compliance.

What happens if my ICVERIFY Software stops working?

You will get zero support. If you cannot open it due to a malfunction, you’ll have no access to records. If your acquirer shuts down your ability to send transaction data, and this is happening frequently because it’s not PCI Compliant, they will not turn it back on. If your acquirer finds out you’re using ICVerify in 2018, you will get shut down. It’s imperative to migrate to a new solution as soon as possible.

What are alternative solutions to ICVERIFY?

A cloud payment gateway is required. There’s no software to install. You can use a payment gateway via integrated or non-integrated options, which include mobile app and virtual terminal via secure web site. ICVERIFY was a buy once and use forever product. Payment gateways have per transaction fees. Many businesses make the mistake of using the one with the cheapest fee or the one that their developer or consultant is familiar with because they’ve used it for a decade or more. Are you using the same cell phone you did 10 years ago? The cheapest fee could result in the highest actual credit card processing interchange rate qualifications or inefficiency. For example, most gateways do nothing to help merchants reauthorize after an authorization expires. That matters because even though the issuer usually approves the transaction for up to 30 days, it won’t qualify for the best rate, which could be half the cost of the non-qualified rate.

What is the best alternative payment gateway to ICVERIFY for a B2B company?

I’m not going to waste your time listing all the cloud payment gateways on the planet like First Data Payeezy, authorize.net, Payflow Pro, Paytrace, Cybersource, Orbital, 3Delta Systems, or 3DSI and their differences. Each has bits and pieces but none has the whole package of solutions B2B companies need. CenPOS is the only solution I know of today that will get merchants compliant with all these critical items:

  1. Comply with 2017 and 2018 Visa stored credential framework and mandate deadlines. It’s complicated. CenPOS automates compliance with things like sending the merchant initiated or customer initiated use of stored credential flag.
  2. Eliminate paper credit card authorization forms with multiple digital ways to accept payments and store cards, including text and email. Sure, some gateways offer a hosted pay page, but can they generate a PCI Compliant authorization form automatically for those that still like paper?
  3. Automate authorization management, including the requirement that preauthorization and settlement match, and renew expired authorizations for card not present transactions.
  4. Automate compliance to qualify transactions properly for level 3 interchange rates for corporate, purchasing and business cards. Supporting level 3 is not enough; it’s complicated.
  5. Mitigate fraud risk with a layered approach, including supporting 3-D Secure, which shifts fraud liability to the issuer.
  6. Encrypted Virtual Keypad (EVK) to reduce PCI Compliance scope and burden. (No card data touches your system for phone orders; avoid key logger dangers.)
  7. Audit trail as required for PCI. Every user, every touch. Available minimum 7 years.

What else makes CenPOS the best alternative payment gateway to ICVERIFY for a B2B company?

  • Graphically pleasing, easy to use. It’s like marrying the coolness of Apple design with an Amazon buying experience. People love it. Customers are happier (proven by our clients conducting their own studies).
  • Wire transaction support with electronic bill presentment and payment services. Stop the madness associated with matching deposits to invoices and getting paid the wrong amount.
  • Reports. Dynamic search and view online or download; robust custom reports, alerts and distribution. So much faster to research anything!
  • No capital investment. We make companies more profitable virtually overnight.
  • Deposits equal receivables, not net of fees. Other services are mixed. For example, authorize.net echeck service takes its fees out of your deposit so then you have to do some accounting magic to reconcile.

What if ours is not a B2B company? Call for a consultation. We offer multiple payment gateway options.

Ready to get started with CenPOS? Contact Christine Speedy right now at 954-942-0483.


A B2B supplier’s guide to optimizing commercial card payments review

Mastercard and The Strawhecker Group released A B2B supplier’s guide to optimizing commercial card payments. Selecting the right merchant acquirer and payment gateway, and optimizing interchange, can help reduce suppliers’ collection efforts and costs associated with commercial card payments. By Marie Elizabeth Aloisi and Peter Michaud. Christine Speedy, blog author, reviews the guide. In my opinion, some elements present an incomplete picture for merchants, especially the business suppliers accepting commercial payments who are the target of the paper.

The executive summary cites research that suppliers can reduce the cost of collecting funds from customers by 31% if they accept credit cards. I googled to find that commercial credit card research data, and though this is not the referenced Mastercard and Kaiser Associates, Commercial Card Acceptance Cost-Benefit Study, of November 2016, it has similar data:

  • This study estimated card acceptance at the point-of-sale to be 37% less costly than using other payment collections methods – yielding savings of $12 on a $500 transaction
  • Card acceptance provides a similar sized net benefit regardless of the funds transfer tool it replaces – e.g. check vs. ACH vs. wire
  • The bulk of value from commercial card acceptance lies in its use as a pre-payment tool – providing revenue assurance against bad debts

 

I have a problem with the next line in the report, “That’s because getting paid by check—or even ACH or wire—involves many manual steps, onerous costs, and potential errors that are a burden to a supplier’s accounting, finance, and treasury functions.”  Checks are still the most onerous even with a scanner, but with electronic bill presentment and payment, any other payment method can be automated for increased efficiency. Our cloud payment processing solutions, including integrated with ERP, automate all types of payment processing, including check/ACH, wire, credit card, and can update journals etc.

The paper goes on to explain why working with your acquirer is critical. While it mentions suppliers can benefit from advanced gateways, most acquirers offer a limited number of payment gateways to merchants. In fact, they may offer suppliers only one solution, their own, and it may not be the best for the supplier; it’s just the only one they offer. Independent payment gateways, like CenPOS that I offer, can provide significant advantages to maximize profits, efficiency and flexibility. For example, fulfilling the need to simplify wire transactions and match to invoices.

The three best practices cited to work with acquirers are to automate payments, optimize interchange and negotiate pricing. 

The devil is in the details not cited. For example, “suppliers can only take advantage of lower interchange rates if the payment gateway is set up to pass Data Rate 3 information along with the transaction.” This is true. But the bigger problem is compliance with all the other rules required to qualify the transaction for Data Rate 3. For example, suppliers often do a preauthorization, which expires before settlement (but can still settle) or is not the same as the final settlement amount. These common transaction types will nullify qualifying for the best interchange rates, including MasterCard Data Rate 3. There are many more rules that make it tough to qualify and if the payment gateway does not automatically manage for suppliers, passing Data Rate 3 info doesn’t matter. The reality is most payment gateways do not have a solution to help suppliers comply.

Again, if the acquirer doesn’t have the best solution, should suppliers rely on their advice? A supplier client of mine went to their acquirer (top 5 in USA) and told them what I was offering. They would keep their acquirer but switch to my payment gateway; they’d use our electronic bill presentment and payment solution to eliminate paper credit card authorization forms and employees getting cardholder data over the phone. Customers would self-manage their payment methods, including storing & tokenizing if they chose to. Their acquirer did not want them to use any solution other than their own.  They offered them a substantially worse solution- the silliest I’ve ever heard. The acquirer would give them a new merchant account with virtual terminal exclusively for one large client that they knew was using a commercial card. What about all the other clients? What about eliminating employee access to cardholder data and storing data on paper? Advising to use substandard solutions happens all the time.

In summary, Mastercard and The Strawhecker Group put out some great research data for suppliers. I’m a huge fan of the people at The Strawhecker Group and their work. Suppliers should look to cloud payment processing solution providers like myself at CenPOS for advice. Suppliers need the best payment gateway because without it, the rest doesn’t matter. Combining a robust payment gateway, business solutions, and the flexibility to change acquirers without business disruption can provide significant advantages.

All comments and statements herein are strictly my personal opinion and do not represent that of any company.

Christine Speedy, CenPOS sales 954-942-0483. CenPOS is a cloud business solutions provider with end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement.

B2B Credit Card Processing Hot Tips

Compliance with credit card processing rules maximizes profits while mitigating risk. This is especially true for business to business companies. But it’s getting harder and harder with the onslaught of new rules, and virtually impossible if not using a sophisticated cloud solution to help manage compliance.

If your B2B company stores credit cards, there’s a pretty good chance you’re not compliant. For example, Visa’s 2017 Stored Credential Transaction framework outlines merchant responsibilities to obtain customer consent as well as storing credit cards, using stored credentials (token), and managing stored tokens. Failure to comply with Authorization rules, for example when preauthorization and final settlement do not match, has far-reaching consequences including higher interchange rates (the bulk of credit card processing fees), penalty fees and new chargeback risks. With so many new rules across multiple card brands that vary based on business and transaction type, how can a business quickly ascertain if they’re compliant?

Most processing details occur seamlessly behind the scenes so merchants have not had a simple way of knowing whether they’re compliant. Until now.

Quick tips to validate compliance:

  • Is a transaction receipt delivered to customer when a stored credit card credential (token) is created? Compliant answer is yes.
  • Is cardholder authentication with a zero dollar authorization or a purchase transaction performed at the time the token is created? (A small charge is not an acceptable practice.) Compliant answer is yes.
  • Does the receipt include “RECURRING” or “REPEAT SALE” for token transactions? Compliant answer is yes.
  • Review merchant statements, usually the last 1-2 pages with the heading “pending interchange” or “fees” section. Do you see EIRF, STANDARD (STD), or DATA RATE I? Compliant answer is no.
  • Can you produce documentation of customer consent to store their card (including with 3rd party service) and how it will be used?

If you’re not in compliance, your payment gateway is the most likely culprit, followed by ERP or other software integration limitation. For a Microsoft Dynamics AX, Dynamics 365, and other ERP integrated solutions, call 954-942-0483 9-5 ET.



Can I send a customer with multiple unpaid invoices one email with a payment link for Quickbooks?

Yes, your customers can pay one invoice sent from an email without logging in to the invoice portal, or they can log in and select multiple invoices to pay. Our integrated payments module reduces customer friction to pay bills for Quickbooks Pro and Enterprise users and supports a variety of payment types and methods.

Note: you must have your own desktop or hosted version of Quickbooks. Quickbooks online does not support the ability to add 3rd party modules.

Quickbooks Merchant Services Vs CenPOS Payment Gateway & Platform:

  • Quickbooks Intuit Merchant Services nets fees from every transaction; CenPOS fees are charged once per month.
  • Intuit Merchant Services must use their acquirer. With CenPOS, choose any acquirer.
  • Quickbooks ACH nets their fees from every transaction. CenPOS fees are charged once per month.
  • Quickbooks sends monthly statements; CenPOS sends invoice reminders on your schedule with simple click to pay.
  • CenPOS supports level 3 processing and cardholder authentication to help you manage the cost of accepting credit cards and mitigate risk of chargebacks.

Christine Speedy, CenPOS business development 954-942-0483. CenPOS is a cloud based business solutions provider. Our cross-generational platform enables clients to expand their payment acceptance strategies, improve customer engagement, and increase business productivity.