Hosted Pay Page vs EBPP – EIPP

How can a hosted pay page or electronic bill presentment and payment (EBPP), also known as electronic invoice presentment and payment (EIPP), improve your customer experience? Cardholders are increasingly wary about giving out card data over the phone, or worse, via fax, which also has PCI Compliance implications. Reducing friction to collect payments, while putting cardholders in control of their data, is proven to increase sales and cashflow.

A hosted pay page enables customers to passively pay bills online via a secure web page. Payment types may include credit cards, PayPal, ACH (echeck), and other methods. The burden for entering all fields is on the customer. Many payment gateways offer this service free.


A hosted pay page empowers customers to make secure payments online.

With EBPP, the payment request is delivered to the customer via email or text. Instead of asking customers to find the pay page, the customer is given a link to pay a specific bill or invoice, or multiple invoices, and some of the data may be prefilled. Empowering customers to review and pay multiple invoices on demand by logging into a secure portal is also a significant benefit. With our recommended solution, repeat customers with stored payment methods can pay an invoice in 2 clicks, no login required. Customers prefer EBPP vs hosted pay page. Payment types may include credit cards, PayPal, ACH (echeck), wire, and other methods.


Body of email containing pre-filled payment info, and link to securely pay online.

Merchants can reduce risk of lost credit card disputes and resulting chargebacks with a multifaceted approach:

  • Ecommerce merchant account is required
  • Verify address & zip code
  • Verify CVV / CID security code; if using token billing, prior validation is OK. You do not need to verify after the first transaction.
  • 3-D Secure: Verified by Visa (Vbyv) and MasterCard SecureCode – cardholder authentication shifts fraud liability back to issuer. Not all issuers support it, and implementation varies by payment gateway and other factors. Check the rules to see how it fits in your fraud prevention program.
  • How can a merchant enable customers to remotely pay an invoice, while maximizing security to prevent chargebacks from disputes? A critical step is managing the transaction representment to the issuer. It must be sent with the correct indicator and comply with all rules, including authorization validity.
  • Require all B2B customers to confirm a copy of the emailed receipt via a company email address. This is overkill for most, but effective as part of an exception plan.
  • Optional custom procedures may be added based on risk tolerance.

In summary, either method of online payments increases security and enables customers to pay 24/7 to increase cash flow. EBPP or EIPP solutions have significant additional benefits and the cost to implement has dropped significantly, with many businesses experiencing an instant ROI.

UPDATE:  To comply with Visa disclosure and consent rules, only use solutions with a checkbox to opt-in to terms.

Christine Speedy, CenPOS global sales and integrated solutions reseller, 954-942-0483. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

Wholesale Distribution Industry Profits Impacted by Payment Processing Partners

Popular Industry Association Business Service Partners Fail To Keep Up With Changing Payment Needs

December 7, 2015 – Wholesale distributors may rely on association negotiated payment processing for reduced rates, but associations are admittedly not payment experts. In fact, other than comparing rates on paper, that lack of expertise and/or lack of desire to make a change could result in compressed profits as we head into 2016 and beyond. EMV chip card acceptance affects both retail and card present businesses.

“The EMV chip card terminal directly impacts interchange rate qualification, and none of the most popular terminals recommended today meet critical wholesale distributor requirements,” says Christine Speedy, B2B payments expert.

Why? Managing the entire payment process is crucial to impact the biggest component of fees – card interchange.  Interchange rates are non-negotiable, but they can be influenced. There are hundreds of fees that can be tacked on based on each transaction type. Due to complexities, distributors must have an intelligent solution to manage the payment process and ensure compliance with all the rules.

PURCHASING CARDS

To qualify for the lowest interchange rates, transactions must meet all the rules for the specific card and transaction method. For distributors, processing level III data for Corporate, Purchasing, and Business cards is critical. Their card use is growing and savings of 90 basis points or more for some cards is an attractive margin difference worth achieving.


Sample interchange rates for the same credit card transaction; Failing to follow rules results in costly extra fees.

Countertop terminals like the popular First Data FD Series, Verifone VX series, or Ingenico iCT series, with downloaded programming, cannot support level III. The US EMV ecosystem requires a web-based payment gateway with EMV terminal and level III retail certification. For example, CenPOS has certified the Verifone MX915 to First Data, Chase Paymentech and Tsys, the latter of which enables use with most processors. Merchants can use CenPOS via a web browser virtually instantly or via an integrated application.

EMV COMPLIANCE DATES

While EMV is not a mandate, effective October 1, the party that does not support EMV (short for Europay, MasterCard, Visa) chip card acceptance is liable for counterfeit card, and sometimes lost or stolen card transactions. Because card issuers previously absorbed most of these losses without any notification to the merchant, businesses can expect losses if action is not taken. Additionally, non-EMV compliance fees have already been announced with at least one provider, NPC, implementing them starting January 1, 2016.

CARD NOT PRESENT

Many distributors primarily accept payments via other methods, including card not present (CNP) credit card. With CNP fraud already climbing for wholesalers, it’s only going to get worse. Implementing 3-D Secure (Vbyv / Verified by Visa and others) shifts some fraud liability from the merchant to the issuer. This service is available only via certain gateways and can only be used when the customer pays online via a shopping cart, einvoice, or paypage. Distributors may need to change their payment methods to maximize protection against fraud.

RECOMMENDATION

Wholesale distributors need to partner with a payments expert to mitigate risk as well as manage interchange rate qualification. Selecting vendors based on new criteria can increase profits virtually overnight.


Magento B2B Payment Gateway Developer Selection – CenPOS vs Authorize.net vs

Which is the best payment gateway for Magento developers’ B2B clients?

The answer lies in Magento users’ top concerns, which are security & PCI Compliance, cost, customer experience and flexibility with other systems including ERP and accounting.

Security and PCI Compliance: PCI should be a non-issue as any payment gateway being suggested for a B2B company should be level 1 PCI Compliant. However, developers can help merchants reduce PCI Compliance burden by partnering with a B2B payment gateway specialist who can recommend payment gateway solutions compatible with all business needs, not just Magento. For example, does the business also send invoices from an ERP? Do salesmen or credit managers get credit card numbers via fax or phone? Magento developers are not experts in payments and cannot be expected to ask the right questions to help solve unrelated compliance problems.

Internal and external fraud protection are critical. At a minimum, the payment gateway must support 3-D Secure, including Verified by Visa and MasterCard SecureCode to shift liability for certain types of fraud from merchant to card issuer.

Payment Gateway Cost: The worst mistake is recommending or selecting a payment gateway based on per transaction cost. The payment gateway plays a critical role in interchange rate qualification, which comprises over 95% of merchant fees. Gateway capabilities, and lack thereof, can literally double the cost of credit card acceptance for B2B. The most important base criterion is that it must support Level 3 processing. There are many nuances to qualifying transactions correctly that most credit card processor salesmen don’t understand, so there’s little expectation a developer would have the global financial expertise to recommend the best choice.

Treasury Management: Where are your customers? Where are your offices? What currency do you want to collect and bill in? Authorize.net has virtually nothing to help manage cross-border sales. CenPOS has a multitude of treasury solutions that can be customized.

For example, a company bills everything from the US, but also has operations in Canada and the European Union. Authorize.net will process every transaction in USD. The company pays cross-border fees on foreign issued cards, which now exceed 1% in some cases, and then pays again to repatriate revenue back to the EU or Canadian operations. CenPOS automatically identifies and processes the transaction in the local issuer currency, avoiding costly cross-border fees and more expensive US interchange rates, and deposits in the regional account. It does this seamlessly with no special developer programming.

Customer Experience: Will the gateway enhance or detract? In most cases, there’s very little difference in the checkout experience, but for B2B, there’s a bigger picture. What if the customer buys via multiple channels? Sharing tokens across multiple channels, including for emailed invoices, may be important. A holistic look at all sales channels and payment methods is essential, but it’s not a good use of a developer’s time, thus deferring to a payment expert will yield a better ROI for the developer and a better result for the business.

Flexibility: Payment acceptance types, global availability, omnichannel integrations, flexibility and scalability are all factors in choosing not only the best B2B payment gateway for Magento, but also for the entire organization. For example, if there’s also a retail component, US businesses also need an EMV solution that supports level 3 processing for retail. If the distributor is global, how many countries is the gateway available in?

Back Office Efficiency: If you’ve ever done research in Authorize.net reports, and then in CenPOS, you’ll appreciate the massive difference between download and search vs dynamic drill down within CenPOS online reports. CenPOS reports were designed with input from today’s businesses, not those of over a decade ago. Too many differences to mention here.

There’s a plethora of misinformation across multiple industries ranging from consultants to developers. Defaulting to Authorize.net or Payflow Pro because they’re two of the oldest payment gateways, is an injustice to the end user. Payment gateway selection plays a crucial role in business profits, security and efficiency. By partnering with a payments expert, clients are provided the best solution, and Magento developers can grow revenues with specialty implementation and add-on services the expert recommends.  

“I have some knowledge of Magento, including as a developer in its early years, but I’m not a Magento expert,” says Christine Speedy, owner of 3D Merchant Services and B2B payment gateway expert. “Likewise, there are great B2B Magento developers that are not payment gateway experts. By partnering, we can offer businesses more appropriate solutions to maximize profits and security, while also mutually benefiting.”

What credit card data can a merchant store? PCI Compliance revisited.

There’s a lot of misinformation about collecting and storing credit card data, especially in business to business (B2B) environments for card not present transactions. This article reviews best card not present practices and how Payment Card Industry Data Security Standards (PCI DSS) Requirement 3, protect stored cardholder data, applies.

For a one-time payment, it’s not OK to store cardholder data after authorization.

Merchants are not permitted to store full track data, which includes the cardholder number (primary account number or PAN) and expiration date or other sensitive authentication data after authorization.

Per Payment Card Industry Data Security Standards (PCI DSS) Requirement 3, protect stored cardholder data, the only cardholder data that may be stored after authorization is the primary account number or PAN (rendered unreadable), expiration date, cardholder name, and service code.

This applies even if the data is protected by:

  • Encryption
  • Password protection
  • Data scrambling/obfuscation
  • Masking
  • Proprietary data formats
  • Other mechanisms

What’s the exception?
Businesses may have a need to store track data (temporarily) for troubleshooting purposes. Why? Track misreads, network errors, encryption issues, etc. This is not a daily business practice, but a temporary solution. PCI requires documentation. Ensure documented procedures include:

  • Collecting sensitive authentication data only when needed to solve a specific problem
  • Collecting the minimum amount of data needed to solve the specific problem
  • Storing any such data in a specific, secure location with limited access
  • Do not retain more data than needed
  • Encrypt data when stored/transmitted
  • Securely delete data immediately when troubleshooting is complete
  • Include a destruction practice
  • Verify data cannot be retrieved once troubleshooting is complete

Typical locations of card verification values or codes include:

  • Paper
  • Databases
  • Flat files
  • Log files
  • Debug files

Systems that commonly store card verification value or code data:

  • Authorization servers
  • Web servers
  • Kiosk

Card verification value or codes are NOT required for recurring card-not-present transactions. If your system requires you to key enter the CVV each time, this is a red flag. Ensure your system is sending transactions with the proper flag for unscheduled credential on file. Reasons why you would have to enter every time:

  • Using a desktop terminal and key entering each time. The transactions are not being sent with the correct indicator.

It’s also a PCI DSS requirement that unprotected PANs must not be sent or received via any end-user messaging technologies (such as e-mail, instant messaging, and chat). However, users may not be aware of this, and may be e-mailing PANs internally or even externally without the organization’s knowledge.
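
An added example (not part of the original article): a small Python scrubber for the log and debug files listed above as typical places where card data ends up. It finds Luhn-valid card numbers and CVV/CVC/CID fields, truncates the former and removes the latter; the field names, log format and sample lines are constructed assumptions.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces/hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Fields that look like a card verification code (assumed key names).
CVV_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid)\b(\W{1,3})(\d{3,4})\b")

def luhn_ok(digits):
    """Luhn checksum; rejects most non-card digit runs such as order ids."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scrub_line(line):
    """Return (scrubbed_line, findings) for one log line."""
    findings = []

    def mask_pan(m):
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)  # not a card number, leave untouched
        findings.append("PAN")
        # Policy assumed here: keep first six / last four digits only.
        return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

    def drop_cvv(m):
        findings.append("CVV")
        # Verification codes may not be kept in any form: drop the value.
        return m.group(1) + m.group(2) + "[REMOVED]"

    line = PAN_RE.sub(mask_pan, line)
    line = CVV_RE.sub(drop_cvv, line)
    return line, findings

# Constructed sample lines; 4111111111111111 is a well-known test number.
SAMPLE_LOG = [
    "2015-12-07 10:02:11 DEBUG auth request pan=4111111111111111 exp=1218 cvv=123",
    "2015-12-07 10:02:12 INFO order 1234567890123456 accepted",
    "2015-12-07 10:05:40 DEBUG keyed entry card 4111-1111-1111-1111 CID: 4321",
]

def scan(lines):
    """Scrub every line; return (clean_lines, {line_number: findings})."""
    clean, report = [], {}
    for n, line in enumerate(lines, 1):
        out, found = scrub_line(line)
        clean.append(out)
        if found:
            report[n] = found
    return clean, report

if __name__ == "__main__":
    print("\n".join(scan(SAMPLE_LOG)[0]))
```

The same `scrub_line` function can be pointed at exported e-mail or chat text to find unprotected PANs sent through messaging tools.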

What Dealers Need To Know About EMV Chip Card Acceptance

The shift to US EMV chip card acceptance in 2015 changed everything. All the improvements made to reduce credit card processing fees, mitigate risk and more, went right out the window due to varying certifications. Things you take for granted are likely no longer true, but nobody will tell you about them.

  1. Level III processing. This enables dealers to qualify for lower interchange rates on applicable cards, with significant savings. Desktop terminals can’t support it, so dealers moved to payment gateway based solutions, typically paired with a basic swiper. Payment gateways with completed certification of US EMV terminals to various acquirers typically have not certified level III processing for retail.
  2. Chip and Pin. Whoever supports the highest level of security wins in the case of a fraudulent chip transaction; if the merchant supports chip, but not pin, and the issuer supports both, the merchant loses. Payment gateways with completed certification of US EMV terminals to various acquirers often have not certified chip and pin.
  3. Omnichannel payment acceptance. There are three types of merchant accounts: retail, MOTO (mail order, telephone order) and ecommerce, and there are multiple types of transactions including retail sale, recurring etc. Every transaction must send the correct information, which impacts interchange rate qualification, depending on the card type, and applicable rules for dispute resolution (risk mitigation). Typically a dealer has had a retail and a MOTO merchant account for each location, and possibly a third for ecommerce.