Magento B2B Payment Gateway Developer Selection – CenPOS vs Authorize.net vs

Which is the best payment gateway for Magento developers’ B2B clients?

The answer lies in Magento users’ top concerns, which are security & PCI Compliance, cost, customer experience and flexibility with other systems including ERP and accounting.

Security and PCI Compliance: PCI should be a non-issue as any payment gateway being suggested for a B2B company should be level 1 PCI Compliant. However, developers can help merchants reduce PCI Compliance burden by partnering with a B2B payment gateway specialist who can recommend payment gateway solutions compatible with all business needs, not just Magento. For example, does the business also send invoices from an ERP? Do salesmen or credit managers get credit card numbers via fax or phone? Magento developers are not experts in payments and cannot be expected to ask the right questions to help solve unrelated compliance problems.

Internal and external fraud protection are critical. At a minimum, the payment gateway must support 3-D Secure, including Verified by Visa and MasterCard SecureCode, to shift liability for certain types of fraud from merchant to card issuer.

Payment Gateway Cost: The worst mistake is recommending or selecting a payment gateway based on per transaction cost. The payment gateway plays a critical role in interchange rate qualification, which comprises over 95% of merchant fees. Gateway capabilities, and lack thereof, can literally double the cost of credit card acceptance for B2B. The most important base criterion is that it must support Level 3 processing. There are many nuances to qualifying transactions correctly that most credit card processor salesmen don’t understand, so there’s little expectation a developer would have the global financial expertise to recommend the best choice.

Treasury Management: Where are your customers? Where are your offices? What currency do you want to collect and bill in? Authorize.net has virtually nothing to help manage cross-border sales. CenPOS has a multitude of treasury solutions that can be customized.

For example, a company bills everything from the US, but also has operations in Canada and the European Union. Authorize.net will process every transaction in USD. The company pays cross-border fees on foreign issued cards, which now exceed 1% in some cases, and then pays again to repatriate revenue back to the EU or Canadian operations. CenPOS automatically identifies and processes the transaction in the local issuer currency, avoiding costly cross-border fees and more expensive US interchange rates, and deposits in the regional account. It does this seamlessly with no special developer programming.

Customer Experience: Will the gateway enhance or detract? In most cases, there’s very little difference in the checkout experience, but for B2B, there’s a bigger picture. What if the customer buys via multiple channels? Sharing tokens across multiple channels, including for emailed invoices, may be important. A holistic look at all sales channels and payment methods is essential, but it’s not a good use of a developer’s time, thus deferring to a payment expert will yield a better ROI for the developer and a better result for the business.

Flexibility: Payment acceptance types, global availability, omnichannel integrations, flexibility and scalability are all factors in choosing not only the best B2B payment gateway for Magento, but also for the entire organization. For example, if there’s also a retail component, US businesses also need an EMV solution that supports level 3 processing for retail. If the distributor is global, how many countries is the gateway available in?

Back Office Efficiency: If you’ve ever done research in Authorize.net reports, and then in CenPOS, you’ll appreciate the massive difference between download and search vs dynamic drill down within CenPOS online reports. CenPOS reports were designed with input from today’s businesses, not those of over a decade ago. Too many differences to mention here.

There’s a plethora of misinformation across multiple industries ranging from consultants to developers. Defaulting to Authorize.net or Payflow Pro because they’re two of the oldest payment gateways, is an injustice to the end user. Payment gateway selection plays a crucial role in business profits, security and efficiency. By partnering with a payments expert, clients are provided the best solution, and Magento developers can grow revenues with specialty implementation and add-on services the expert recommends.  

“I have some knowledge of Magento, including as a developer in its early years, but I’m not a Magento expert,” says Christine Speedy, owner of 3D Merchant Services and B2B payment gateway expert. “Likewise, there are great B2B Magento developers, that are not payment gateway experts. By partnering, we can offer businesses more appropriate solutions to maximize profits and security, while also mutually benefiting.”

What credit card data can a merchant store? PCI Compliance revisited.

There’s a lot of misinformation about collecting and storing credit card data, especially in business to business (B2B) environments for card not present transactions. This article reviews best card not present practices and how Payment Card Industry Data Security Standard (PCI DSS) Requirement 3, protect stored cardholder data, applies.

For a one-time payment, it’s not OK to store cardholder data after authorization. The only cardholder data that may be stored after authorization is the primary account number or PAN (rendered unreadable), expiration date, cardholder name, and service code.

Merchants are not permitted to store full track data, which includes the cardholder number (primary account number or PAN) and expiration date or other sensitive authentication data after authorization.

Per Payment Card Industry Data Security Standard (PCI DSS) Requirement 3, protect stored cardholder data, the only cardholder data that may be stored after authorization is the primary account number or PAN (rendered unreadable), expiration date, cardholder name, and service code.

This applies even if the data is protected by:

  • Encryption
  • Password protection
  • Data scrambling/obfuscation
  • Masking
  • Proprietary data formats
  • Other mechanisms

What’s the exception?
Businesses may have a need to store track data (temporarily) for troubleshooting purposes. Why? Track misreads, network errors, encryption issues, etc. This is not a daily business practice, but a temporary solution. PCI requires documentation. Ensure documented procedures include:

  • Collecting sensitive authentication data only when needed to solve a specific problem
  • Collecting the minimum amount of data needed to solve the specific problem
  • Storing any such data in a specific, secure location with limited access
  • Not retaining more data than needed
  • Encrypting data when stored/transmitted
  • Securely deleting data immediately when troubleshooting is complete
  • Including a destruction practice
  • Verifying data cannot be retrieved once troubleshooting is complete

Typical locations of card verification values or codes include:

  • Paper
  • Databases
  • Flat files
  • Log files
  • Debug files

Systems that commonly store card verification value or code data:

  • Authorization servers
  • Web servers
  • Kiosks

Card verification values or codes are NOT required for recurring card-not-present transactions. If your system requires you to key enter the CVV each time, this is a red flag. Ensure your system is sending transactions with the proper flag for unscheduled credential on file. Reasons why you would have to enter it every time:

  • Using a desktop terminal and key entering each time. The transactions are not being sent with the correct indicator.

It’s also a PCI DSS requirement that unprotected PANs must not be sent or received via any end-user messaging technologies (such as e-mail, instant messaging, and chat). However, users may not be aware of this, and may be e-mailing PANs internally or even externally without the organization’s knowledge.
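One way to check log files, debug files and exported messages for data that should not be stored, as an added example that is not part of the original article. The function names, patterns and sample lines are assumptions constructed for illustration, and the card numbers are public test numbers.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Track 2 layout: ;PAN=YYMM + 3-digit service code + discretionary data + ?
TRACK2_RE = re.compile(r";\d{13,19}=\d{7,}\?")
# Verification code written next to a label, as debug output tends to do.
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\b\W{0,3}\d{3,4}\b", re.I)

def luhn_ok(digits):
    """Luhn checksum, used to drop order numbers and other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan(lines):
    """Return (line_no, kind, evidence); evidence never holds a full PAN or CVV."""
    findings = []
    for no, line in enumerate(lines, 1):
        if TRACK2_RE.search(line):
            findings.append((no, "track2", "track data present"))
        if CVV_RE.search(line):
            findings.append((no, "cvv", "labelled verification code present"))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if luhn_ok(digits):
                findings.append((no, "pan", mask(digits)))
    return findings

# Constructed sample lines; card numbers are public test numbers, not real accounts.
SAMPLE = [
    "2015-11-02 10:14:07 DEBUG auth request pan=4111111111111111 cvv=123 amt=50.00",
    "2015-11-02 10:14:09 INFO order 1234567890123456 shipped",
    "2015-11-02 10:15:30 DEBUG swipe ;5555555555554444=251210100000?",
    "From: sales@example.com  Please charge 3782 822463 10005 for invoice 8841",
    "2015-11-02 10:16:00 INFO token=tok_9f2c last4=1111 approved",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The Luhn check keeps the 16-digit order number on the second sample line out of the results, and the tokenized line with only the last four digits produces no finding.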

What Dealers Need To Know About EMV Chip Card Acceptance

The shift to US EMV chip card acceptance in 2015 changed everything. All the improvements made to reduce credit card processing fees, mitigate risk and more, went right out the window due to varying certifications. Things you take for granted are likely no longer true, but nobody will tell you about them.

  1. Level III processing. This enables dealers to qualify for lower interchange rates on applicable cards, with significant savings. Desktop terminals can’t support it, so dealers moved to payment gateway based solutions, typically paired with a basic swiper. Payment gateways with completed certification of US EMV terminals to various acquirers typically have not certified level III processing for retail.
  2. Chip and PIN. Whoever supports the highest level of security wins in the case of a fraudulent chip transaction; if the merchant supports chip, but not PIN, and the issuer supports both, the merchant loses. Payment gateways with completed certification of US EMV terminals to various acquirers often have not certified chip and PIN.
  3. Omnichannel payment acceptance. There are three types of merchant accounts: retail, MOTO (mail order, telephone order) and ecommerce, and there are multiple types of transactions including retail sale, recurring etc. Every transaction must send the correct information, which impacts interchange rate qualification, depending on the card type, and applicable rules for dispute resolution (risk mitigation). Typically a dealer has had a retail and a MOTO merchant account for each location, and possibly a third for ecommerce.

 

What is credit card authorization decline reason code 05?

The decline code 000005 is a generic bank decline that simply means Do Not Honor. The issuing bank is declining to authorize the card. The cause can sometimes be insufficient funds, although that is usually a decline 000051. Please have your customer contact their bank for a more detailed explanation of the decline. We recommend not attempting this transaction again for twenty-four hours after the initial decline.

4 Credit Card Processing Tips for Consultants & Accountants

Following several years of regulatory and technology credit card processing changes, 2015 has been another big year of changes. As we close out 2015, what are you advising clients to maximize profits? Every consultant to distributors, especially for building materials, including lumber and millwork, electrical, marble & stone, and plumbing supply, needs to update their merchant services knowledge. These businesses tend to have both a retail and a ‘to the trade’ component, making old solutions potentially outdated, risky, and costly.

  1. EMV liability shift. October 2015 shifted liability for counterfeit card, and sometimes lost and stolen card, transaction losses from the issuer to the merchant, if the merchant does not support EMV chip card acceptance. Since businesses never saw this fraud, the financial risk is unknown, but guesses put it in the 1-2% of sales range. The first acquirer (Vantiv) announced penalties effective January 1 if a retail operation does not support EMV chip card transactions. These fees will grow throughout the payment chain in 2016, and be passed down to the merchant. If profit margins are important, EMV compliance is not optional. Between growth in credit card fraud losses and new penalties, distributors need to make the change ASAP.
  2. EMV terminal selection. Retail distributors fall into two categories: those who use countertop terminals, and those who use anything else, including a mag swipe reader or signature capture terminal. Only the latter are even capable of supporting level 3 data, critical for qualifying for level 3 interchange rates, which make up more than 95% of credit card processing, or merchant, fees. Yet, the vast majority of recommended EMV solutions are incapable of level 3, and/or there is no certification for it. While updating, add NFC for ApplePay and newer payment methods, and P2PE, which encrypts at the terminal head, further mitigating data breach risk. The best EMV terminal selection for distributors may reduce merchant fees an average of 32% and mitigate data breach risk. Conversely, the wrong choice will directly reduce profit margins.
  3. PCI Compliance. Internal and external data breaches are a serious growing problem (Lowe’s and Home Depot both admitted), and best practices are being shared among peers that are ‘risky’ at best. Top areas of concern are paper credit card authorization forms and electronically storing card data (without certified compliant tokenization such as a payment gateway). Both should be eliminated. Online pay pages and other technology solutions have negated the need for employees to ever have access to credit card data, not even for a minute. Has your own company eliminated them?
  4. QuickBooks. For operations that used Intuit Merchant Services because there was no other integrated choice, that’s no longer an issue. Third party integrations empower businesses to use any acquirer. Look for one that supports all payment methods needed (ACH, check, wire, credit card etc). If processing more than $500k annually, fees may drop up to 50%.

CHRISTINE’S RECOMMENDATIONS FOR CLIENT ADVICE TO DISTRIBUTORS:

  • Implement EMV ASAP to avoid penalties and fraud losses.
  • Only implement an EMV solution certified for level 3 processing to maximize profit margins.
  • Get PCI 3.0 Compliant to mitigate risk of financial losses from a data breach. Replace all practices that include credit card access by any employee, even for a minute, with a technology solution.
  • Replace Intuit Merchant Services to maximize profit margins.

Note: this advice is applicable to any business that has a customer base which includes some business to business and retail, even if retail is a small part of the overall payment types accepted.