B2B Credit Card Processing Hot Tips

Compliance with credit card processing rules maximizes profits while mitigating risk. This is especially true for business to business companies. But it’s getting harder and harder with the onslaught of new rules, and virtually impossible if not using a sophisticated cloud solution to help manage compliance.

If your B2B company stores credit cards, there’s a pretty good chance you’re not compliant. For example, Visa’s 2017 Stored Credential Transaction framework outlines merchant responsibilities for obtaining customer consent, storing credit cards, using stored credentials (tokens), and managing stored tokens. Failure to comply with authorization rules, for example when the preauthorization and final settlement do not match, has far-reaching consequences, including higher interchange rates (the bulk of credit card processing fees), penalty fees and new chargeback risks. With so many new rules across multiple card brands, varying by business and transaction type, how can a business quickly ascertain whether it is compliant?

Most processing details occur seamlessly behind the scenes so merchants have not had a simple way of knowing whether they’re compliant. Until now.

Quick tips to validate compliance:

  • Is a transaction receipt delivered to the customer when a stored credit card credential (token) is created? Compliant answer is yes.
  • Is cardholder authentication with a zero dollar authorization or a purchase transaction performed at the time the token is created? (A small charge is not an acceptable practice.) Compliant answer is yes.
  • Does the receipt include “RECURRING” or “REPEAT SALE” for token transactions? Compliant answer is yes.
  • Review merchant statements, usually the last 1-2 pages with the heading “pending interchange” or “fees” section. Do you see EIRF, STANDARD (STD), or DATA RATE I? Compliant answer is no.
  • Can you produce documentation of customer consent to store their card (including with a 3rd party service) and how it will be used?

If you’re not in compliance, your payment gateway is the most likely culprit, followed by an ERP or other software integration limitation. For Microsoft Dynamics AX, Dynamics 365, and other ERP integrated solutions, call 954-942-0483 9-5 ET.

Reference: Card brand links.

Christine Speedy, CenPOS Sales 954-942-0483. CenPOS is a cloud business solutions provider with end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement.

Mastercard Simplifies Managing Your Digital Footprint with Launch of Consumer Control

New solution will help the 60 percent of people who say they don’t know where their card credentials are stored

PURCHASE, N.Y. – October 23, 2017 – Do you know all the places you’ve stored your payment card details? From shopping sites to billers, keeping track of where your card credentials are held can be a daunting task. Today, Mastercard Consumer Control was introduced to address just this. The solution provides consumers a central view of where their cards are stored across all digital channels, as well as the ability to control how, when and where those cards are used.

This solution enables consumers to look no further than their own trusted bank or credit union to take control of their digital payment footprint – across devices and channels. Through this solution, issuers can help their cardholders more easily add their cards to their preferred shopping sites and payment devices, and optimize spend across the digital ecosystem.

“As digital payments continue to evolve, cardholders have more and more options to enable new types of devices for payment, and to pay in new ways online and in-app,” said Jessica Turner, executive vice president Digital Payments & Labs, Mastercard. “In our ongoing commitment to deliver consumer-centric solutions, Mastercard is introducing a series of APIs that will give the consumer direct control to view where their card is stored and manage spend across all digital channels – all from right within their mobile banking app or website.”

Your Bank Your Control

According to the findings of a recent Mastercard study, about three-quarters (73%) of Americans are interested in digital management of their credit/debit card information, and they want it from their bank or credit union. Mastercard Consumer Control uniquely empowers issuing partners to deliver a bank-branded, all-digital payment solution to provide consumers full oversight of their digital payment footprint. The solution helps issuers differentiate their mobile banking offering by adding powerful new functionalities. First Tech Federal Credit Union will be among the first issuers to support Mastercard Consumer Control.

The Simplest, Most Secure Path Forward

Mastercard is also partnering with token service providers, merchants and device manufacturers like Fitbit (NYSE: FIT), Fitpay and Garmin to enhance the overall consumer experience while delivering a streamlined solution across card on file and IoT devices. Layering services including tokenization with bank identification and verification of cardholders, Mastercard Consumer Control also leverages the most advanced security methods today. And with more than three quarters (78%) of survey respondents hesitant to store their financial information online, this added peace of mind is critical.

Consumer Control is one of the more than 35 APIs available through our Mastercard Developers portal. Mastercard envisions a future powered by an API for everything – one that inspires innovators to bring their ideas to life by plugging our technology into their solutions without having to start from scratch. Through our Payments, Data Services and Security APIs, we enable customers and partners to easily integrate Mastercard proprietary technology, products and services into their digital solutions. In the last year alone, the Mastercard API Platform has seen a 400% increase in usage.

About Mastercard

Mastercard (NYSE: MA), www.mastercard.com, is a technology company in the global payments industry. We operate the world’s fastest payments processing network, connecting consumers, financial institutions, merchants, governments and businesses in more than 210 countries and territories. Mastercard products and solutions make everyday commerce activities – such as shopping, traveling, running a business and managing finances – easier, more secure and more efficient for everyone. Follow us on Twitter @MastercardNews, join the discussion on the Beyond the Transaction Blog and subscribe for the latest news.

VISA FRAUD DISPUTE RULES CHANGES IMPACT CARD NOT PRESENT

April 5, 2017 – This alert contains critical information regarding new and revised Visa card acceptance rules effective now and coming in the future for merchants. Business to business companies may be at higher risk of associated chargeback losses or declines due to the average size of order. Effective April 22, 2017, revisions have been made to split the “Other Fraud” Dispute condition under Enhanced Dispute Resolution into separate conditions for Card-Present and Card-Absent Transactions, and to incorporate changes to the payment flow related to Disputes.

Christine’s Analysis: Merchants need to support both EMV chip for Card-Present and Verified by Visa for card not present. Verified by Visa is their brand for 3-D Secure, a global security protocol for cardholder authentication across all card brands. For example, a cardholder might be asked to enter a PIN number or answer some other type of authentication question. Cardholder authentication for Card-Absent Transactions shifts liability for “it wasn’t me” disputes to the issuer. This card-absent cardholder authentication process requires that cardholders self-initiate payments, eliminating the collection of card numbers via phone or paper credit card authorization forms. Merchants are rewarded for using cardholder authentication with reduced interchange rates and increased approvals.

Christine’s TIP: Per Visa rule 5.4.2.5, a US merchant or its agent must not Request the Card Verification Value 2 data on any paper Order Form. Replace paper forms with digital, PCI Compliant forms and online payment solutions with cardholder authentication ASAP.

Online payment solutions include a hosted pay page like the one shown below.

[Image: hosted pay page for online payments]

A hosted pay page empowers customers to make secure payments online using a 3rd party provider (Payment Gateway also known as a Payment Facilitator.)

Other solutions include pushing out payment requests, such as via a text or email.

[Image: electronic invoice presentment and payment (EIPP)]

With new and revised rules impacting the entire payment ecosystem including issuer, acquirer, gateway, merchant, and potentially other software like ERPs and ecommerce shopping carts, merchants should verify that all parts of their payment ecosystem support them. Desktop terminals are not capable of supporting all the rules for card absent needs; a cloud-based payment gateway is required, whether non-integrated or integrated with an ecommerce shopping cart, ERP or other software.

Does your online payment solution support Verified by Visa, or do you need a solution? Contact Christine Speedy at 954-942-0483 for a fast and easy solution, compatible with your existing credit card processor.

EMV handbook for merchants by Verifone

[Image: Verifone EMV guide for merchant terminals]

Verifone’s EMV handbook is a comprehensive guide for both retail and card not present merchants. It’s hardware agnostic and the Question and Answer section is especially useful.

Two questions on page 17 about hardware need to be read together. To clarify the liability shift going into effect October 1, the merchant’s hardware (terminal) needs to be more than capable of processing chip card transactions. It needs to be certified on the processor platform and EMV must be enabled on the merchant account. This is an important distinction.

There may be thousands of terminals in use technically capable of accepting chip cards, but either the terminal is not yet certified for EMV chip card transactions, or the processor has not certified the terminal to their platform.

Beware purchasing terminals that will ‘get you ready’ to be EMV compliant. Will the seller guarantee the terminal will be certified for the acquirer platform you need? For example, acquirers usually have multiple platforms but not all merchants can switch between them. With the liability shift just weeks away, merchants wanting to be EMV compliant should not wait another minute:

  • Buy only EMV certified terminals that the acquirer confirms can be enabled.
  • Verify firmware and/or software is current before buying
  • Request an EMV TID from acquirer
  • Download file, usually required for countertop terminals
  • Install new software driver, if applicable, for virtual terminals

Thanks for reading! If your business needs EMV certified terminals or Card Not Present risk mitigation solutions today, contact me at 954-942-0483 or 3Dmerchant.com/contact. I specialize in business to business and mid-market payment solutions.

PCI Compliance: Card Not Present Merchant Quick Checklist

Do you (even occasionally or temporarily) create, receive, or otherwise come to possess any paper records or receipts that contain cardholder data? The number one rule card not present merchants violate is that a merchant must not request the Card Verification Value 2 data on any paper order form.

Do you make sure that you NEVER, EVER store the card-validation code or value (three-digit or four-digit number printed on the front or back of a payment card) used to verify card-not-present transactions after authorization (even if encrypted)?

Are strong cryptography and security protocols, such as SSL/TLS, IPSec, or SSH used to safeguard cardholder data during transmission over open, public networks?

For SSL/TLS implementations, does HTTPS appear as part of the browser Uniform Resource Locator (URL), and is cardholder data required only when HTTPS appears in the URL?

Are policies, procedures, and practices in place to make sure that you NEVER, EVER send unencrypted PANs by end-user messaging technologies (for example, e-mail, instant messaging, chat)?
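One way to back the questions above on stored card-validation codes and unencrypted PANs in messaging with an automated check, as an added example that is not from the original post: a Python filter that scans outbound message text for Luhn-valid card numbers and labelled card-validation values, then masks them. The function names, the patterns and the sample message are assumptions constructed for illustration.

```python
import re

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes.
PAN_RE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")
# Labelled card-validation value (CVV2/CVC2/CID) followed by 3 or 4 digits.
CVV_RE = re.compile(r"\b(?:CVV2?|CVC2?|CID|security code)\b\D{0,10}(\d{3,4})\b", re.I)

def luhn_ok(digits):
    """Return True when the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def mask(digits):
    """Keep the first six and last four digits, mask the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def scan_message(text):
    """Return (findings, redacted_text) for one outbound message body."""
    findings = []

    def redact_pan(m):
        digits = re.sub(r"\D", "", m.group())
        if not luhn_ok(digits):  # order numbers, phone numbers and similar
            return m.group()
        findings.append(("PAN", mask(digits)))
        return mask(digits)

    def redact_cvv(m):
        findings.append(("CVV", "***"))
        return m.group()[: m.start(1) - m.start()] + "***"

    redacted = PAN_RE.sub(redact_pan, text)
    redacted = CVV_RE.sub(redact_cvv, redacted)
    return findings, redacted

# Constructed sample: a well-known test card number and a non-card order reference.
SAMPLE = ("Please charge card 4111 1111 1111 1111 exp 12/27, CVV 123. "
          "Order ref 1234567890123456.")

if __name__ == "__main__":
    hits, safe = scan_message(SAMPLE)
    print(hits)
    print(safe)
```

The Luhn check keeps 16-digit order references from being flagged, so the filter can block or quarantine a message on any finding without drowning staff in false positives.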

Do your access limitations require restriction of access rights to privileged user IDs to least privileges necessary to perform job responsibilities?

Do your access limitations require assignment of privileges to be based on individual personnel’s job classification and function?

Is your security policy established, published, maintained, and disseminated to all relevant personnel (for the purposes of Requirement 12, “personnel” refers to full-time and part-time employees, temporary employees and personnel, and contractors and consultants who are “resident” on the entity’s site or otherwise have access to the company’s site cardholder data environment)?

Is a formal security awareness program in place to make all personnel aware of the importance of cardholder data security?