Hotel Third Party Credit Card Authorization Form Alert

Does your hotel third party authorization form comply with both the Payment Card Industry Data Security Standards (PCI) and card network acceptance rules? Beware solutions that do neither, risking an expensive data breach, lost reputation, and reduced profits. Due to significant rules changes in 2017, hotel management and hospitality advisors must adopt new technology solutions to comply.

Shifting from a paper credit card authorization form to a digitally signed cloud form often fails to meet intended goals to prevent fraud and increase security. For example, some digitally signed third party credit card authorization form solutions authenticate the cardholder with address and security code verification. Authorized merchant employees access and decrypt the signed document, then key-enter the cardholder data into another system for subsequent authorizations. The document containing PAN and security code remains on file for some period of time.

“This method is rife with compliance problems, leaving hotels unprotected from friendly fraud, ‘it wasn’t me, I didn’t authorize’ and data breach risk”, per Christine Speedy, PCI Council QIR certified.

For instance, per PCI Compliance 3.2, the security code must not be stored after authorization, even if encrypted. Whether the security code can be stored prior to authorization is left by PCI to the card brands and acquirers. Per Visa Core rules, section 5.4.3.1, merchants cannot even ask for the Card Verification Value 2 (CVV2) from the Cardholder on any written form.
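One way to check stored form records for this problem, as an added example that is not part of the original article: the audit below flags a security code kept after authorization (even if encrypted) and any full card number left in a text field. The record layout, field names and sample records are assumptions constructed for illustration.

```python
import re

# Hypothetical field names that could carry a card security code.
SECURITY_CODE_KEYS = {"cvv", "cvv2", "cvc", "cid", "security_code"}
# 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return masked forms of Luhn-valid card-number candidates in text."""
    hits = []
    for match in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            # Mask all but first six and last four so the report is safe to share.
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def audit_record(record: dict) -> list[str]:
    """List storage problems in one stored authorization-form record."""
    findings = []
    authorized = record.get("authorized_at") is not None
    for key, value in record.items():
        base = key.lower().removesuffix("_encrypted")
        if base in SECURITY_CODE_KEYS and value not in (None, ""):
            if authorized:
                # Encryption does not make post-authorization storage acceptable.
                findings.append(f"{key}: security code retained after authorization")
            else:
                findings.append(f"{key}: security code held pre-authorization, confirm brand/acquirer rules")
        elif isinstance(value, str):
            for masked in find_pans(value):
                findings.append(f"{key}: full PAN stored ({masked})")
    return findings


# Constructed sample records; 4111 1111 1111 1111 is a well-known test number.
SAMPLE_RECORDS = [
    {"id": "form-001", "authorized_at": "2019-01-05T10:00:00Z",
     "cvv2_encrypted": "b64:AAAA", "notes": "card 4111 1111 1111 1111 per guest"},
    {"id": "form-002", "authorized_at": "2019-01-06T09:30:00Z",
     "token": "tok_constructed_123", "last4": "1111",
     "notes": "booking ref 1234567890123"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec["id"], audit_record(rec) or "clean")
```

The second record stays clean because it holds only a token and the last four digits, and its 13-digit booking reference fails the Luhn check.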

A series of card not present acceptance rules changes are driving an urgent need for hotels to update. These significant changes include the process to store cards, use stored cards, and obtain authorizations. All this means, whatever worked in the past is no longer valid today. In the digitally signed form example, there’s no relation between the initial cardholder authentication transaction and any future authorizations. However, if done properly, the issuer would have returned a response acknowledging the merchant notification that they’d gotten permission to store the card; future authorizations would include that response.

Hackers continue to target the hospitality industry and they’ve been quite successful. With 338 breaches in the 2018 Verizon Data Breach report, the accommodation sector ranks in the top three of most incidents and breaches. InterContinental Hotels Group, Marriott International, Radisson Hotel Group, Hilton, and Hyatt have all had breaches as have suppliers to the industry like Sabre Hospitality. If you know you’re going to be attacked, why not eliminate employee access to cardholder data completely?

How can hotels better protect against card not present credit card fraud? 3-D secure is a global protocol designed to be an additional security layer for online credit and debit card transactions. By combining a web-based authorization form with 3-D Secure cardholder authentication, including Verified by Visa, fraud liability shifts to the issuer, much like EMV chip shifts liability to the issuer. By using a payment gateway to manage initial and subsequent authorizations, with the capability to invoke 3-D secure, merchants mitigate chargeback risk and avoid the time consuming process of fighting to get their money back after they occur. As a bonus, some issuers support reduced interchange rates, the bulk of credit card processing fees, when 3-D Secure is invoked. No cardholder data is ever visible to employees.

With every part of the payment ecosystem needing to make changes (card issuer, acquirer or merchant account processor, and payment gateway), it’s inevitable that there will be gaps in compliance. Non-compliance with rules can result in fines, penalty fees, and removal from card acceptance.

Key questions to ask when evaluating hotel third party credit card authorization solutions:

  • Is the security code ever stored?
  • Is 3-D secure supported?
  • Is it compliant with the Visa stored credential mandate, including unscheduled credential on file?
  • After the initial authorization, are subsequent authorizations submitted with retail, MOTO (telephone order), or e-commerce transaction type?
  • Correct Answers: no, yes, yes, MOTO

Call Christine Speedy, PCI Council QIR certified, for PCI compliant web-based third party authorization forms and other hotel payment technology to make your business more profitable and secure. 954-942-0483, 9-5 ET.

Credit card authorization form template alert

Searching for a credit card authorization form template? Maybe a PCI compliant form or a Microsoft Word compatible template? Stop! If your web browser is not up to date, just landing on the web site that has the form might introduce malicious code into a company’s systems and network, leading to a future data breach.

Businesses should be replacing traditional credit card authorization forms with other payment methods where the customer self-pays:

  • Hosted pay page
  • Push out a payment request via text or email

Per Visa, merchants are never allowed to ask for the security code on paper.  Merchants also cannot store the form with full card numbers. They increase risk of fraud and identity theft and nobody likes them!

What are the benefits of customer initiated payments?

  • Reduced merchant fees for some cards (3-D Secure cardholder authentication such as Verified by Visa must be enabled.)
  • Increased approvals with cardholder authentication.
  • Mitigate chargeback risk – with 3-D Secure cardholder authentication, fraud liability shifts to issuer.
  • More convenient for buyers- 24/7 payments on their schedule, not yours
  • Buyers are in control of choosing to store payment methods

How do you choose the best solution? Here’s some of our product differentiators:

  • PCI Compliant credit card authorization form generated automatically, should you have a need to get a signature to terms for storing and using stored cards.
  • 3-D Secure cardholder authentication supported.
  • Choose any acquirer.
  • Automated interchange management, including level 3 processing for business to business (B2B) and business to government (B2G), to reduce fees and maximize profits.
  • If preauthorizations are needed, ongoing authorization management is critical and we do that automatically.

Call Christine Speedy, PCI Council QIR certified, for simple solutions to complex payment transaction problems, 954-942-0483, 9-5 ET. CenPOS authorized reseller based out of South Florida and NY. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

Hotel credit card authorization rules compliance fact check

Identify if your hotel is compliant with authorization rules impacting profits and risk in just a few minutes. Card absent rules for card acceptance changed dramatically since April 2017, and in particular for the hotel and lodging industry. Rather than detail the complexities from over one thousand pages of official card acceptance rules, here’s some easy ways to identify if you have a problem.

Any of these fees on merchant statement indicate authorization problems needing correction:

  • Misuse of authorization
  • Standard / STD (any)
  • EIRF
  • Data rate I, (any) i.e. Corporate Data Rate I
  • Chargeback reason: FRAUD TRANS-NO CARDHOLDR AUTHORIZATION
  • Chargeback reason: Compliance

All bullet items have avoidable penalty fees due to authorization issues. Any time that happens, you pay penalty merchant fees and risk chargeback. Even if you usually win chargebacks, it’s an inefficient use of time. This quick fact check is just a tiny piece of rules changes I’ll help you get compliant with.

MasterCard began charging a 0.25% penalty fee, on top of other fees, in 2018 for non-compliance with Final Authorization.

How can merchants fix authorization problems? Transaction management technology, including for managing authorizations. Most problems are due to payment gateway limitations, but could also be outdated or improper payment gateway integration, or some specific piece of software limiting payment gateway functionality. Payment gateways often struggle just like merchants to keep up with the fast pace of changes in payment processing, so while the solution still works, it’s just not helping merchants to maximize profits and minimize risk.

Our suite of cloud commerce solutions solves authorization and data breach risk from credit card authorization form problems:

  1. Sales invoices, deposit needed. Sales can push out deposit request via text or email; customer self-pays, authenticates identity, and stores card (if needed). This is a much more professional interaction. Nobody likes paper credit card authorization forms due to risk of identity theft.
  2. Direct bill accounts. With our quick invoicing, accounting can upload an invoice and we take over the delivery, payment collection, security, authentication etc.
  3. Third party authorization form. Forget the paper. Our online form checks all the boxes you need to get compliant with card acceptance rules, protect against fraud, reduce PCI Compliance scope, and mitigate data breach risk.

Available as SynXis integrated solution or standalone. Keep your current Point of Sale service provider. Our solutions fix problems that haven’t been addressed for a decade- getting cardholder data out of the hands of employees and systems while shifting fraud liability risk to issuers. Plus, our optional 2-Way texting is a game changer for Guest Services, concierge, and sales.

Still not sure?

  • Quick and easy to get started.
  • No capital investment.
  • Proven to boost customer satisfaction via follow up surveys and increased sales.
  • Differentiate your brand with higher security.
  • Highest PCI compliance security certifications
  • GDPR compliant
  • Since the issuer guarantees payment with cardholder authentication, it’s actually cheaper to process some credit cards!

What are you waiting for?

Call Christine Speedy, PCI Council QIR certified, for hotel Online Credit Card Authorization Form solutions at 954-942-0483, 9-5 ET. CenPOS authorized reseller based out of South Florida and NY.

Online credit card authorization form

An online credit card authorization form enables a business to charge a credit card one-time or for recurring purchases. Looking for a PCI Compliant authorization form meeting 2018 and 2019 standards? Read on.

Online credit card authorization form options:

Hosted pay page. The merchant directs customers to a web page to pay any invoice or store a card for future payment online. For maximum reduced PCI burden, send customers directly to the third party payment gateway web URL. The gateway may or may not be the same as your processor. NOTE: If hosting on your own web site with an embedded payment (iframe) object, acceptable implementation methods for PCI requirements have changed; any old forms should be updated.

Electronic Bill Presentment & Payment. (EBPP or EIPP) This is basically a proactive version of the above. Log in to a gateway web portal, and send a payment request via text or email which the customer clicks and pays. Whether integrated or standalone, we have options to include the invoice as an attachment. No login required to make a payment, but a customer portal is also included.

All the major payment gateways include a virtual terminal, hosted pay page, shopping cart checkout capability, and tokenization to store card data for future orders. Some, including CenPOS, also offer EBPP. So how do you differentiate your choices?

Critical elements of an online credit card authorization form:

  1. Must not be able to decrypt and view the security code and/or sensitive cardholder data.
  2. If only authorizing and not capturing (settling) final amount immediately, must comply with Visa 5.8.3.1 Authorization Amount Requirements. The Merchant must use the Estimated/Initial Authorization Request indicator for the first transaction, then the Incremental Authorization Request indicator for interim if applicable, and Final Authorization Request indicator when closing out the transaction; the same Transaction Identifier must be included for all Authorization Requests. A reversal of extra funds must be completed within 24 hours of final settlement. These are tough questions the average salesperson probably can’t answer. Work with a professional that knows the rules.
  3. Stored cards. Are you storing cards for any type of ongoing charges?

    Partial PCI Compliant stored credential authorization form.

    Comply with Visa Rules Table 5-20: Requirements for Prepayments and Transactions Using Stored Credentials. There are too many variables to list here so I recommend downloading the rules and getting familiar or call us to save time. When capturing card data for the first time:

    • Obtain express consent per specifications for your refund and cancellation policies, how you’ll use the stored card, when your agreement expires and how the Cardholder will be notified of any changes to the agreement.
    • Perform a cardholder verification either via transaction or zero dollar authorization with the proper indicator.
    • This is a change! Two transactions occur when capturing cardholder data for the first time. Technical part can be handled by a payment gateway that supports it, but other elements are left to you.
    • Provide a stored card receipt to customer.
  4. 3-D Secure cardholder authentication. For example, Verified by Visa. Merchants register for 3-D Secure with their acquirer; always consult with the payment gateway first for instructions and to confirm they’re registered to offer service. Friendly fraud liability, “it wasn’t me, I didn’t authorize it”, shifts to the issuer and some cards will qualify for even lower rates because there is lower risk to the issuer. Because there are many parts to any transaction, including acquirer and issuer communications, plus continually changing rules, it’s possible that it will not be invoked.

Online Credit Card Authorization Forms and Qualified Rates

Most cards, except regulated debit, can qualify for multiple rates depending on how the transaction is submitted. For example, MasterCard World card rates:

| Rate Name | Rate | Qualified Rate Reason |
|---|---|---|
| Standard | 2.95% + $.10 | Not all criteria met for another rate. |
| Merit I | 2.05% + $.10 | Key-entered or ecommerce and valid authorization + other criteria met. |
| Full UCAF | 1.87% + $.10 | Ecommerce; Cardholder authentication and other criteria met. |

To qualify for UCAF, the customer must initiate payment and all the other rules must be met, which is not always easy, especially for B2B. Note, ‘ecommerce’ includes online paypage and other electronic payment channels the customer initiates.

Call Christine Speedy, PCI Council QIR certified, for Online Credit Card Authorization Forms at 954-942-0483, 9-5 ET. CenPOS authorized reseller based out of South Florida and NY.

Christine offers more than one solution so that you have the best for your business type and needs.

Hotel Third Party Authorization Form Alert

The best hotel third party authorization forms are fully compliant with card brand rules to mitigate chargeback risk, especially for friendly fraud, where cardholder claims they did not authorize the transaction. Fraud liability can be shifted nearly one hundred percent with best practices, plus risk of data breach from employee and other access to card data can be mitigated. Avoid the paper and digital credit card authorization form problems perpetuated by misinformation from people and incorrect internet postings.

Paper credit card authorization forms are dead.

Per Visa Core rule 5.4.2.5, October 2017, a US merchant or its agent must not Request the Card Verification Value 2 data on any paper Order Form. Update: in October 2018, the rule is now in section 5.4.3.1, Merchant Use of Account Number, Cardholder Signature, Card Verification Value 2 (CVV2), or Stored Credential. I could go on about all the PCI compliance and data breach risk problems related to credit card authorization forms, but because only 3-D Secure cardholder authentication, which requires that the cardholder initiate payment, shifts friendly fraud liability for card not present transactions, there’s no valid reason not to change procedures. Get the cardholder data out of the hands of employees and networks. Secure document services where sensitive cardholder data can be viewed, or decrypted and viewed, for use in another solution are not PCI Compliant.

Web-based third party authorization forms are best for card absent compliance.

More than just PCI compliance, a myriad of rules changes since 2017, and continuing into 2019, impact every hotel. Everyone must change to comply and it’s not automatic. For example, you’re getting a sales deposit, and will definitely or will possibly charge more later. There’s a new set of transaction data standards which include estimate, incremental, and final authorization. While the technical piece is handled by payment gateways, not all have made the modifications required. Additionally, some elements are left to merchants to manage.

  • Comply with Visa 5.8.3.1 Authorization Amount Requirements. The Merchant must use the Estimated/Initial Authorization Request indicator for the first transaction, then the Incremental Authorization Request indicator for interim if applicable, and Final Authorization Request indicator when closing out the transaction; the same Transaction Identifier must be included for all Authorization Requests. Don’t accept an authorization online and then swipe or dip the same card later unless your card present system can tie back to the initial authorization.
  • Stored cards. Are you storing cards for ongoing charges? Comply with Visa Rules Table 5-20: Requirements for Prepayments and Transactions Using Stored Credentials. There are too many variables to list here so I recommend downloading the rules and getting familiar. Two keys when capturing card data for the first time:
    • Obtain express consent per specifications for your refund and cancellation policies, how you’ll use the stored card, when your agreement expires and how the Cardholder will be notified of any changes to the agreement.
    • Perform a cardholder verification either via transaction or zero dollar authorization with the proper indicator.
    • This is a change! Two transactions occur when capturing cardholder data for the first time. Again, technical part can be handled by a payment gateway that supports it, but other elements are left to you.
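The estimated, incremental and final sequence described above (and in the earlier list of critical elements) can be checked against a gateway's transaction export. This is an added example, not part of the original article or any gateway's API; the dictionary keys, indicator strings and the assumption that the held amount is the sum of estimated and incremental requests are all hypothetical. Amounts are integer cents.

```python
from datetime import datetime, timedelta

REVERSAL_WINDOW = timedelta(hours=24)  # "within 24 hours of final settlement"


def check_chain(requests, settled_amount=None, settled_at=None, reversed_at=None):
    """Return problems in one stay's authorization requests, oldest first.

    Scope: stays where the initial authorization is not the final one.
    Each request is a dict with hypothetical keys: indicator
    ("estimated", "incremental" or "final"), transaction_id, amount.
    """
    if not requests:
        return ["no authorization requests"]
    problems = []
    first = requests[0]
    if first["indicator"] != "estimated":
        problems.append("request 1: not marked estimated/initial")
    final_seen = False
    for n, req in enumerate(requests[1:], start=2):
        if req["transaction_id"] != first["transaction_id"]:
            problems.append(f"request {n}: transaction identifier differs from the initial one")
        if final_seen:
            problems.append(f"request {n}: sent after the final authorization")
        if req["indicator"] == "final":
            final_seen = True
        elif req["indicator"] != "incremental":
            problems.append(f"request {n}: expected incremental or final, got {req['indicator']}")
    if settled_amount is not None:
        if not final_seen:
            problems.append("settled without a final authorization request")
        # Assumption: funds on hold are the estimated plus incremental amounts.
        held = sum(r["amount"] for r in requests
                   if r["indicator"] in ("estimated", "incremental"))
        if held > settled_amount:
            if reversed_at is None:
                problems.append("excess hold was never reversed")
            elif reversed_at - settled_at > REVERSAL_WINDOW:
                problems.append("excess hold reversed more than 24 hours after settlement")
    return problems


# Constructed sample data for two stays.
SETTLED = datetime(2019, 3, 1, 11, 0)
GOOD_STAY = [
    {"indicator": "estimated", "transaction_id": "TX-A", "amount": 20000},
    {"indicator": "incremental", "transaction_id": "TX-A", "amount": 5000},
    {"indicator": "final", "transaction_id": "TX-A", "amount": 22000},
]
BAD_STAY = [
    {"indicator": "estimated", "transaction_id": "TX-A", "amount": 20000},
    {"indicator": "incremental", "transaction_id": "TX-B", "amount": 5000},
    {"indicator": "final", "transaction_id": "TX-A", "amount": 22000},
]

if __name__ == "__main__":
    print(check_chain(GOOD_STAY, 22000, SETTLED, SETTLED + timedelta(hours=3)))
    print(check_chain(BAD_STAY, 22000, SETTLED, SETTLED + timedelta(hours=30)))
```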

Hotel third party authorization form solutions.

Contact me for a solution that works standalone or integrated with SynXis. Shift friendly fraud liability and potentially qualify transactions for better rates with your existing merchant account. That’s because non-compliance with various rules can result in higher fees.

Here’s some key elements if the initial authorization is not the final authorization. Terminology:

  • PCI compliance- short for Payment Card Industry Data Security Standards. All businesses are mandated to comply with rules which are outlined on the PCI Security Standards Council web site.
  • 3-D secure (3D Secure) is a global XML-based protocol designed to be an additional security layer for online credit and debit card transactions. Each card brand has their own version. For example, Verified by Visa. Merchants register for 3-D Secure with their acquirer; always consult with the payment gateway first for instructions and to confirm they’re registered to offer service. 3-D Secure is invoked automatically by the payment gateway which then based on issuer response may or may not prompt for additional information to authenticate the cardholder.  Friendly fraud liability, “it wasn’t me, I didn’t authorize it”, shifts to the issuer. Because there are many parts to any transaction, including acquirer and issuer communications, plus continually changing rules, it’s possible that it will not be invoked.
  • Link to Visa and all card brand Rules.

Call Christine Speedy, PCI Council QIR certified, for global sales. 954-942-0483, 9-5 ET, CenPOS authorized reseller based out of South Florida and NY.