Recurly Visa Stored Credential Framework blog omission

A Recurly blog article “How Recurly is Supporting Visa’s Stored Credential Framework” has some misinformation. The cited dates are incorrect and merchant responsibilities are understated. Why is that important? Most payment gateways and technology solution providers are not keeping up with the rapid pace of rules and compliance changes, impacting merchant profits and risk. Therefore, payment technology vendor selection, including payment gateway selection, is critical.

Recurly, like others in the cloud solutions space, is partially dependent on their partners to keep their clients in compliance with a myriad of rules. When should technology partners alert their integrated solutions partners about industry changes affecting their mutual clients? Solutions providers and merchants are getting inaccurate advice, or none at all, from trusted advisors, technology providers, and consultants of all sizes and sources.

As soon as Visa released the news in their Merchant Business News Digest in August 2017, Recurly began reaching out to our gateway partners to get ahead of the work required to fulfill the mandates.” The real dates were much earlier than cited. Visa typically announces at least one year in advance of due dates for any significant change, which this update is. Updates were in the October 2016 Visa Core Rules and Visa Product and Service Rules rules, citing changes coming in April and October 2017. On April 27, 2017 Visa published further information for merchants via the Stored Credential Framework document, which also references prior articles published on the subject dating back to 2016.

For most merchants, the mandate went into effect October 14, 2017, not April 2018, however, Visa did announce a delay in compliance action to April 2018.

From Recurly, “There is no action needed from our customers.” While technology solutions and payment gateways manage technical aspects for compliance, there’s much that’s left to merchants. Here’s an excerpt from the Stored Credential Framework document:

Merchants and their third-party agents, payment facilitators, or stored digital wallet operators that offer cardholders the opportunity to store their credentials on file must:
• Disclose to cardholders how those credentials will be used.
• Obtain cardholders’ consent to store the credentials.
• Notify cardholders when any changes are made to the terms of use.
• Inform the issuer via a transaction that payment credentials are now stored on file.
• Identify transactions with appropriate indicators when using stored credentials.

I strongly recommend reading Visa Core Rules Table 5-20: Requirements for Prepayments and Transactions Using Stored Credentials and Disclosure to Cardholder and Cardholder Consent. For example, how will you provide proof of cardholder consent (think time and date stamp) upon request? Are you providing the required receipt with proper format for zero dollars when storing a card without running a transaction?

Note: This article is not a review, endorsement or complaint about the quality of Recurly services which I have never used. It is simply identifying errors and omissions related to the stored credential mandate that may impact merchant profits, risk and decision making. I would have written in their blog comments, but it wasn’t available. When choosing a payment gateway, consider how agile they’ve been in meeting deadlines for changes, and how they’ll help reduce compliance burden, among other factors.

Christine Speedy, CenPOS Authorized Reseller, 954-942-0483 is a PCI Council QIR certified professional based out of South Florida, near Fort Lauderdale, and Rochester, NY, with extensive payment gateway experience. Christine can uniquely help merchants and technology providers navigate the complexities of PCI, acquirer, and card brand compliance rules.

Equipment Rental Credit Card Processing Rules Change

Bobcat, Caterpillar, and other companies that offer rental equipment, all are impacted by new credit card processing rules for rentals. equipment rentals credit card processing

While businesses expect their software, including ERP, Point of Sale, and ecommerce shopping carts to help them manage compliance with credit card acceptance rules, the reality is that many don’t. Compliance increases profits; non-compliance increases new chargeback risks, interchange fees, penalty fees and authorization declines.

Traditional desktop terminals don’t support the new transaction data requirements. If merchant is not using EMV chip device, now is the time to upgrade to a cloud-based solution and fix two problems at once. Rental merchants cannot meet both card acceptance and Payment Card Industry Data Security Standards compliance requirements using traditional paper credit card authorization forms. Cloud technology and a compliant payment gateway are needed. For example, pair the Verifone MX 915 with the CenPOS validated Point to Point Encryption (P2PE) solution and use either a standalone or integrated to ERP such as Microsoft Dynamics AX.

Key elements for compliance:

  • Initial authorization transaction must send new transaction indicator that it’s an estimate; the final amount could change for example because the renter kept it longer or damaged the equipment. This is technically managed by the payment gateway.
  • If applicable, send incremental authorizations with related indicator.
  • If storing the card, the Visa Stored Credential mandate outlines the specific requirements for agreement with customer, cardholder authentication, and procedures to use a stored card on file. For example, perform cardholder authentication with either security code or 3-D Secure. 3-D Secure can only be invoked if the customer self-pays; it shifts friendly fraud liability to the issuer and merchants can also qualify some cards for even lower interchange rates.
  • Update language in agreements for opt-in to terms and conditions as required by Visa.

Card issuers and acquirers were mandated to be compliant in 2017, and merchants by October 2017, however, there’s no mandate for payment gateways. Even if an existing payment gateway supports the new requirements, merchants must make changes. Visa is the most complex, however other brands have similar rules.

From tokenization to Express Checkout, CenPOS creates a seamless commerce experience throughout the enterprise. Innovations, including Express Checkout via text or email, help businesses maximize profit in all departments. CenPOS takes the heavy lifting out of payment acceptance offering a range of solutions that simplify every aspect of implementing, operating and maintaining a payment system enabling merchants to focus on their business. CenPOS Express Checkout via text or email includes 3-D Secure capability as part of a layered security approach.

CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships. Powered by its enterprise-class, end-to-end transaction engine, CenPOS’ secure, cloud-based solutions seamlessly integrate with a merchants existing infrastructure minimizing disruption and saving time and money. Committed to a merchant-centric approach CenPOS provides a one-to-one level of service and support, enabling merchants to focus on their core business.

Headquartered in Miami, Florida, CenPOS is reshaping the future of commerce through technology innovation and the secure, flexible and simple solutions this enables. Christine Speedy, CenPOS Global Sales, 954-942-0483.

Reference:

https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf

See also core rules, especially section 5 https://usa.visa.com/dam/VCOM/download/about-visa/visa-rules-public.pdf