Updated Card Absent Chargeback Rule – 540 days

Business-to-business merchants, and automotive and parts dealers, are especially stung by chargebacks for disputes relating to the quality of merchandise or services received. A new clause, effective for transactions processed on or after April 18, 2015, can increase the chargeback period from 120 days to 540 days for the US and Canada.

Both Visa and MasterCard have implemented the new rule. I didn’t find a similar rule in quick research of Discover and American Express, but my research was not exhaustive. The rules are not identical and readers are advised to read the rules thoroughly, as this article does not include the full context for when the rule applies.

Visa Core Rules and MasterCard Chargeback Guide October 30, 2014:

  • Visa Chargeback Reason Code 53 – Not as Described or Defective Merchandise
  • MasterCard Reason Code 4853—Cardholder Dispute—Defective/Not as Described

One goal of the MasterCard rule appears to be providing customer recourse for ongoing interrupted services. The customer paid for something, they complained and worked it out within 120 days, but then there were recurring quality issues.

Both rules make it clear that a customer does not have to return goods and services in order to dispute at a later date. This is a change from the old rule.

How can merchants protect themselves in a dispute for these reasons?

  • Written return policy and proof of acknowledgement
  • All guarantees in writing acknowledged
  • Signed sales orders; include specific deliverables and policies at the time of agreement
  • All written communications, including emails, prior to and after the sale, as part of the dispute process
  • Save a log of phone calls with who, what, when, to submit as evidence
  • For online payments, require a check box for acceptance of your terms of sale

Note: the 540-day rule has been in existence; however, the rules have been updated with more specificity, certainly for Visa.

Marble and Stone omnichannel payment solutions

Marble and stone manufacturers and distributors that use traditional payment technology will suffer from higher credit card processing fees, PCI Compliance problems, and increased fraud risk. This article identifies the main problems and how to fix them.

PCI Compliance Problems

It’s a fact there will be card not present transactions. Credit card authorization forms have been a primary tool to mitigate fraud risk, but they’re a PCI compliance nightmare:

  • Merchants cannot request CVV2 on any paper form, even if it will be destroyed later (Visa Core Rules, October 2014). Without CVV2, the merchant will lose any future fraudulent card dispute.
  • Forms contain sensitive data. It’s virtually impossible to keep the signature on file and be PCI Compliant.
  • Employees have access to credit card numbers
  • The receiving fax needs to be secured, and if digital, any memory securely wiped when the machine is replaced.

PCI Compliance Solutions

  • PCI compliant credit card authorization form for variable recurring billing
  • Tokenization to store card data outside ERP and other software to reduce scope and burden
  • Customer self-payment solutions so employees have no access to card data. Options include online hosted pay page and electronic bill presentment & payment (See also How to get CVV2 and be PCI Compliant)

Mixed Retail and Card Not Present Transaction Interchange Rate Problems

When a merchant has a retail merchant account, magnetic stripe data is expected with the transaction. When it’s not included, the merchant pays higher non-qualified interchange fees. There are no desktop terminals, and few cloud-based solutions, that support level III processing for retail transactions. This is significant because most cards that qualify are MasterCard and the average savings is .75%.

When a merchant has a MOTO (mail and phone order) merchant account, and then swipes a card, they get the benefit of a signed receipt, but not the benefit of lower swiped merchant fees.

Mixed Retail and Card Not Present Transaction Interchange Rate Solutions

Marble and Stone merchants MUST have a solution with interchange rate optimization that solves the above and numerous other issues related to omnichannel credit card processing.

Multiple Locations, Centralized Billing Problems

With centralized billing, when there’s a dispute, the merchant needs to present the signed receipt. It’s time consuming and inefficient to store and locate paper receipts.

Multiple Locations, Centralized Billing Solutions

Signature capture terminals are essential. Mobile is not an acceptable substitute for signature capture, because marble and stone merchants benefit from pin debit and other optimization capabilities that are only possible with multi-lane terminals. EMV, NFC and P2PE are recommended.

CenPOS is the only payment gateway and payment engine that solves every problem listed above. CenPOS has solved these problems for years, while Authorize.net, PayPal, Payflow Pro, and even newer alternative gateways have not caught up. Contact Christine Speedy 954-942-0483 for sales and ERP or other software integrations.

How to get CVV2 and be PCI Compliant: request a payment


Credit card authorization form example is not PCI Compliant.

According to Visa Core Rules, October 2014, page 266, “Merchant Must Not Request the Card Verification Value 2 data on any paper Order Form.” So how can a merchant get the CVV for card not present customers? Online payments, request a payment, and electronic bill presentment and payment all solve the problem. Below are solutions possible with CenPOS, a merchant-centric payment processing platform. Other payment gateways may not have the same functionality.

Online payments, passive:


  • Secure hosted pay page is managed by the payment gateway so payment data never touches merchant web servers.
  • Customers can store card data for charges to be applied later. In this case, the user registers, creating an account so they can manage payment methods including ACH, credit card and wire. A zero dollar authorization is performed when a credit card is stored, and CVV can be validated. Once validated, it’s never needed again, and therefore is never stored. A random token ID is generated, which both the cardholder and merchant can see, but neither will ever have access to sensitive data again. The cardholder can also update the expiration date, but if the CVV changes with a future card replacement, then a new token must be created.
  • Customer can make payments for any amount without logging in.
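The store-and-tokenize flow described in the list above, sketched as an added example (not CenPOS code or any gateway's API). `TokenVault`, `fake_issuer` and the card numbers are constructed for illustration.

```python
import secrets

def fake_issuer(pan, expiry, cvv, amount):
    """Constructed stand-in for the issuer: approves only the sample cards below.
    cvv=None models a later charge against an already stored token."""
    known_cvv = {"4111111111111111": "123", "5555555555554444": "456"}  # constructed
    if pan not in known_cvv:
        return False
    return cvv is None or cvv == known_cvv[pan]

class TokenVault:
    """Hypothetical gateway-side vault (illustrative only)."""

    def __init__(self, authorize):
        self._authorize = authorize
        self._cards = {}  # token -> PAN and expiry; a real vault encrypts the PAN

    def store_card(self, pan, expiry, cvv):
        # Zero-dollar authorization validates the card and CVV at storage time.
        if not self._authorize(pan, expiry, cvv, 0):
            raise ValueError("zero-dollar authorization declined")
        token = secrets.token_urlsafe(16)  # random, not derived from the PAN
        self._cards[token] = {"pan": pan, "expiry": expiry}  # CVV is discarded here
        return token

    def view(self, token):
        # What cardholder and merchant can see. Showing the last four digits
        # is an assumption of this sketch.
        card = self._cards[token]
        return {"token": token, "last4": card["pan"][-4:], "expiry": card["expiry"]}

    def update_expiry(self, token, expiry):
        self._cards[token]["expiry"] = expiry  # same token, no CVV needed

    def replace_card(self, old_token, pan, expiry, cvv):
        # A replacement card with a new CVV gets a new token after a fresh
        # zero-dollar authorization; the old token is retired.
        new_token = self.store_card(pan, expiry, cvv)
        del self._cards[old_token]
        return new_token

    def charge(self, token, amount):
        # Later charges use the stored card without a CVV.
        card = self._cards[token]
        return self._authorize(card["pan"], card["expiry"], None, amount)
```
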

Request a Payment or Electronic Bill Presentment and Payment (EBPP or EIPP), proactive.

  • Reduces accounts receivable friction.


  • Non-Integrated – Merchants use the CenPOS EBPP portal to create the payment request, including optional invoice detail. The customer is sent a text and/or email with a payment link.
  • Integrated – same as above, except the invoice is sent from accounting or financial software such as ERP.

With EBPP, customers have a portal to pay multiple invoices, view payments, download invoices, and manage payment methods.

At a minimum, merchants with card not present customers should offer online payments as a way to enable customers to securely pay a bill. If a signature is required, have the customer print and sign the receipt, and email that authorization back, which is more valuable than traditional credit card authorization forms.

Need a secure solution but don’t want to change your merchant account? No problem. Contact Christine Speedy for secure, cost effective and efficient solutions.

PCI Compliance: Card Not Present Merchant Quick Checklist

Do you (even occasionally or temporarily) create, receive, or otherwise come to possess any paper records or receipts that contain cardholder data? The number one rule card not present merchants violate is “Merchant Must Not Request the Card Verification Value 2 data on any paper Order Form.”

Do you make sure that you NEVER, EVER store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions after authorization (even if encrypted)?

Are strong cryptography and security protocols, such as SSL/TLS, IPSec, or SSH used to safeguard cardholder data during transmission over open, public networks?

For SSL/TLS implementations, does HTTPS appear as part of the browser Uniform Resource Locator (URL), and is cardholder data required only when HTTPS appears in the URL?

Are policies, procedures, and practices in place to make sure that you NEVER, EVER send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat)?

Do your access limitations require restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities?

Do your access limitations require assignment of privileges to be based on individual personnel’s job classification and function?

Is your security policy established, published, maintained, and disseminated to all relevant personnel (for the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s site cardholder data environment)?

Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security?

Verifone MX915 multilane signature capture terminal EMV POS solution


Verifone MX915 signature capture terminal.

CenPOS now supports the Verifone MX915 signature capture terminal with a variety of point of sale solutions. While most new terminals in the market are EMV ready, CenPOS is EMV live with this Verifone multilane terminal.

To boost EMV adoption, MasterCard offers incentives beyond the EMV liability shift. To participate, merchants must deploy hybrid EMV terminals (support of both contact and contactless interfaces), and 75% of card present transactions must be on them (reference: MasterCard white paper, http://www.mastercardadvisors.com/_assets/pdf/emv_us_aquirers.pdf).

The Verifone can be used standalone with a computer, high speed internet and the CenPOS virtual terminal, or integrated with POS systems, including open source ERP retail POS solutions like OpenBravo. Merchants desiring integrated connectors should contact 3D Merchant services; the connectors are generally not available in POS add-on marketplaces.

Why CenPOS?

  • Processor neutral
  • Least cost routing and interchange optimization reduces merchant fees
  • Reduce PCI Compliance burden
  • One gateway for all sales channels
  • Tokenization supported across all sales channels, even retail and mobile
  • Level III processing in retail – if you have commercial account customers, this will save a bundle in fees
  • Scalable: Enterprise user and role management
  • Cloud based reporting for centralized accounting
  • Merchant defined risk & fraud management tools