Can you recommend a PCI Compliant policy for storing credit cards?

Distributors and manufacturers can overcome PCI compliance issues with better awareness of the rules and cost-efficient solutions that ease the PCI burden. A review of the key problems and solutions will help companies set internal credit card authorization and storage policies. For credit card processing, a virtual terminal or an integrated gateway is the only cost-efficient and secure option for these business types.

It is never OK to keep credit card forms that have the CVV2 (the card security code) on them, and it is never OK to store the CVV2 electronically after authorization in any format, encrypted or not. This is both a card acceptance rule and a PCI DSS 3.0 Requirement 3 (Protect Stored Cardholder Data, 3.2.2) problem. For recurring charges, including variable-amount ones, the merchant only needs to validate the CVV2 once, as a fraud check at enrollment, and never again. This is easily done with a zero-dollar authorization (account verification), although not every gateway supports that feature.

The best paper credit card authorization form is one that doesn't have full card data on it, or better yet, one that doesn't exist at all. If sales reps in the field are collecting card numbers to be charged later, consider a mobile payment app that lets them swipe the card and create a token using a P2PE (point-to-point encrypted) reader, so that card data is never exposed in your environment at any point. Instead of taking card numbers over the phone, let customers pay or store card data themselves through online payment solutions, either a hosted online pay page or electronic bill presentment and payment (EBPP). Use the same approach to eliminate credit card data in email, which is another PCI compliance problem.

Need to keep a card on file that you initiate charges against? With today's technology it is indefensible to have credit card data on paper, and risky to keep it on your own encrypted media. Tokenization, a payment gateway service that removes sensitive card data from the merchant's environment and replaces it with a reference token, is the best practice for both security and PCI compliance.

Some businesses want a signature on file. Almost any online payment solution generates a sales receipt, and merchants can require the customer to print and sign it, or simply to forward the email receipt from a company email address with a typed name approving it. For recurring billing, choose a payment gateway that generates a PCI compliant recurring billing authorization form. Such a form contains no full card data, so it is useless if stolen, and it contains all the right credit card authorization language. Supplement it with a signed document carrying your own business terms and conditions, including limits on duration and on the maximum charge amount allowed. Merchants might also get a signed sales order with all terms and conditions, plus the token ID the customer has agreed you will charge.

Third-party credit card authorization doesn't exist as far as card issuers are concerned: the cardholder terms specifically say the cardholder may not allow any third party to use the card. Any form a merchant creates that authorizes someone other than the cardholder is at risk of a future dispute. The merchant can eliminate the risk by having the customer's company issue purchasing cards to each buyer, or mitigate it by automatically sending the sales receipt to the cardholder and asking the buyer to confirm receipt per the terms and conditions.

A huge problem is managing old stored data created before the current PCI compliance rules. The reality is that the merchant is not PCI compliant as long as the old data exists. That likely means someone must be assigned to identify every way credit card numbers were captured in the past: paper forms, faxes, email, and ERP or other software. For electronic data, IT will need to get involved to locate it and securely delete it; there are tools that search mailboxes and servers for card numbers.
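As an added example (not from the original post or any vendor's tool), here is the kind of card-data discovery check IT can run over exported mailboxes, file shares or database dumps to find the old data. The regex, the simplified brand table and the sample export lines are my own constructions; the card numbers are the public Visa, Mastercard and Amex test numbers, not real cards.

```python
import re
from dataclasses import dataclass

# Candidate PAN: 13 to 19 digits, optionally separated by single spaces or
# dashes, not embedded in a longer digit run. A regex alone over-matches, so
# every hit is then checked with the Luhn algorithm and a brand/length table.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# A 3-4 digit value labelled as a security code. A PAN line that also carries
# this is the worst case: CVV2 may never be kept after authorization.
CVV_RE = re.compile(
    r"\b(?:cvv2?|cvc2?|cid|security code)\b\s*[:=]?\s*\d{3,4}\b", re.IGNORECASE
)


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test; every live card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def card_brand(digits: str):
    """Simplified issuer-prefix table (assumption: major brands only)."""
    n = len(digits)
    if digits[0] == "4" and n in (13, 16, 19):
        return "Visa"
    if digits[:2] in ("34", "37") and n == 15:
        return "Amex"
    if n == 16 and (51 <= int(digits[:2]) <= 55 or 2221 <= int(digits[:4]) <= 2720):
        return "Mastercard"
    if n == 16 and (digits.startswith("6011") or digits.startswith("65")):
        return "Discover"
    return None


def mask_pan(digits: str) -> str:
    """First six and last four only, the most PCI DSS permits to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


@dataclass
class Finding:
    line_no: int
    masked_pan: str
    brand: str
    cvv_on_line: bool


def scan_lines(lines):
    """Return one Finding per validated card number; the full PAN is never kept."""
    findings = []
    for line_no, line in enumerate(lines, start=1):
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if not luhn_valid(digits):
                continue
            brand = card_brand(digits)
            if brand is None:
                continue
            findings.append(
                Finding(line_no, mask_pan(digits), brand, bool(CVV_RE.search(line)))
            )
    return findings


# Constructed sample of a legacy order export (not real data): public test
# card numbers, one tracking number that fails Luhn, and a phone number.
SAMPLE_LINES = [
    "Order 1042  card 4111 1111 1111 1111  exp 09/26  CVV2: 123",
    "Order 1043  card 5500000000000004  exp 01/27  signature on file",
    "Shipment tracking 4000 0000 0000 0001 left the warehouse",
    "Amex 378282246310005 cvv 1234 (customer called it in)",
    "Call the office at 555-0100 about invoice 7700123",
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_LINES):
        flag = "  <-- CVV2 kept with the card number" if f.cvv_on_line else ""
        print(f"line {f.line_no}: {f.brand} {f.masked_pan}{flag}")
```

Feed real exports through `scan_lines` a file at a time and record only what it returns (line numbers and masked numbers) in the master PCI file; the scanner deliberately never emits a full PAN, because the discovery report would otherwise become cardholder data itself. Expect some false positives on long order or tracking numbers that happen to pass Luhn and start with a plausible prefix; a lookup against a fuller BIN list tightens that.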

PCI DSS 3.0, in effect now, requires not only that merchants be compliant at a point in time, but that a plan for ongoing monitoring and inspection is in place. Whoever is cleaning up the old problems should document who, what, where, how and when each item was identified and completed, and continually add this to the master PCI file.

References:

Payment Card Industry (PCI) Data Security Standard, v3.1, p. 36 (card verification code / CVV).
Visa Core Rules, October 2014, p. 266: "Merchant Must Not Request the Card Verification Value 2 data on any paper Order Form".

Marble and Stone omnichannel payment solutions

Marble and stone manufacturers and distributors that use traditional payment technology will suffer from higher credit card processing fees, PCI Compliance problems, and increased fraud risk. This article identifies the main problems and how to fix them.

PCI Compliance Problems

Card-not-present transactions are a fact of life for these businesses. Credit card authorization forms have been the primary tool for mitigating fraud risk, but they are a PCI compliance nightmare:

  • Merchants cannot request CVV2 on any paper form, even one that will be destroyed later (Visa Core Rules, October 2014). Without CVV2 validation, the merchant is at a serious disadvantage in any future dispute over a fraudulent charge.
  • The forms contain sensitive data, so it is virtually impossible to keep a signature on file and remain PCI compliant.
  • Employees have access to full credit card numbers.
  • The receiving fax machine must be secured, and if it is digital, its memory must be securely wiped when the machine is replaced.

PCI Compliance Solutions

  • A PCI compliant credit card authorization form for variable recurring billing
  • Tokenization, so card data is stored outside the ERP and other software, reducing PCI scope and burden
  • Customer self-payment solutions, so employees never have access to card data. Options include a hosted online pay page and electronic bill presentment & payment (see also How to get CVV2 and be PCI Compliant, below)

Mixed Retail and Card Not Present Transaction Interchange Rate Problems

When a merchant has a retail merchant account, magnetic stripe data is expected with each transaction. When it is not included, the merchant pays higher non-qualified interchange fees. No desktop terminals, and few cloud-based solutions, support Level III data for retail transactions. This matters because most cards that qualify for Level III rates are Mastercard, and the average savings is 0.75%.

When a merchant has a MOTO (mail order/telephone order) merchant account and then swipes a card, they get the benefit of a signed receipt, but not the benefit of the lower swiped (card-present) interchange rates.

Mixed Retail and Card Not Present Transaction Interchange Rate Solutions

Marble and stone merchants must have a solution with interchange rate optimization that addresses the issues above and the numerous other issues that come with omnichannel credit card processing.

Multiple Locations, Centralized Billing Problems

With centralized billing, when there’s a dispute, the merchant needs to present the signed receipt. It’s time consuming and inefficient to store and locate paper receipts.

Multiple Locations, Centralized Billing Solutions

Signature capture terminals are essential. Mobile is not an acceptable substitute for signature capture, because marble and stone merchants benefit from PIN debit and other optimization capabilities that are only possible with multi-lane terminals. EMV, NFC and P2PE are recommended.

CenPOS is the only payment gateway and payment engine that solves every problem listed above. CenPOS has solved these problems for years, while Authorize.net, PayPal, Payflow Pro and even newer alternative gateways have not caught up. Contact Christine Speedy, 954-942-0483, for sales and for ERP or other software integrations.

How to get CVV2 and be PCI Compliant: request a payment

[Image: example credit card authorization form; a form like this is not PCI Compliant.]

According to the Visa Core Rules (October 2014, page 266), a merchant must not request the Card Verification Value 2 data on any paper order form. So how can a merchant get the CVV from card-not-present customers? Online payments, request a payment, and electronic bill presentment and payment all solve the problem. The solutions below are those available with CenPOS, a merchant-centric payment processing platform; other payment gateways may not have the same functionality.

Online payments, passive:

[Image: hosted pay page for online payments]

  • The secure hosted pay page is managed by the payment gateway, so payment data never touches the merchant's web servers.
  • Customers can store card data for charges to be applied later. The user registers, creating an account from which they manage payment methods including ACH, credit card and wire. A zero-dollar authorization is performed when a credit card is stored, and the CVV is validated at that point. Once validated it is never needed again, and therefore is never stored. A random token ID is generated, which both the cardholder and the merchant can see, but neither will ever have access to the sensitive card data again. The cardholder can update the expiration date, but if the CVV changes with a future card replacement, a new token must be created.
  • Customers can make a payment of any amount without logging in.
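To make the storage rules above concrete, this added example (my own simulation, not CenPOS's or any gateway's code) models the token vault on the gateway side and the card-on-file record on the merchant side: the CVV2 is checked once by a simulated zero-dollar authorization against a constructed issuer table and never written anywhere, the token is random, and a later charge needs nothing but the token. It also shows why the token must be random rather than derived from the card: a "token" that is merely a hash of the card number can be reversed from the masked first-six/last-four form a merchant is allowed to keep.

```python
import hashlib
import secrets
from dataclasses import dataclass, asdict

# Constructed issuer records used to simulate the zero-dollar authorization:
# PAN -> the CVV2 the issuer expects. Public test numbers only, not real cards.
ISSUER_RECORDS = {"4111111111111111": "123", "5500000000000004": "456"}


class Gateway:
    """Simulated gateway token vault (an assumption, not any vendor's design)."""

    def __init__(self):
        self._vault = {}  # token -> {"pan", "exp"}; a CVV is never written here

    def zero_dollar_auth(self, pan, exp, cvv):
        """Account verification: the issuer checks the CVV2 once, at enrollment."""
        return ISSUER_RECORDS.get(pan) == cvv

    def store_card(self, pan, exp, cvv):
        if not self.zero_dollar_auth(pan, exp, cvv):
            raise ValueError("card verification failed; nothing stored")
        token = secrets.token_urlsafe(24)  # random; carries no information about the PAN
        self._vault[token] = {"pan": pan, "exp": exp}
        # The only fields handed back to the merchant, and the only ones it keeps.
        return {"token": token, "last4": pan[-4:], "exp": exp}

    def update_expiry(self, token, exp):
        """The expiration date can change without re-enrolling the card."""
        self._vault[token]["exp"] = exp

    def charge(self, token, amount):
        """Card-on-file charge: PAN and expiry come from the vault, no CVV is sent."""
        card = self._vault[token]
        approved = card["pan"] in ISSUER_RECORDS and amount > 0
        return {"approved": approved, "amount": amount, "last4": card["pan"][-4:]}

    def stored_fields(self, token):
        """What the vault holds for a token; used to show no CVV field exists."""
        return sorted(self._vault[token])


@dataclass
class CardOnFile:
    """Everything the merchant's ERP/CRM stores about a tokenized card."""
    token: str
    last4: str
    exp: str


def enroll_card(gateway, pan, exp, cvv):
    """Merchant side: hand the card to the gateway once, keep only the profile."""
    return CardOnFile(**gateway.store_card(pan, exp, cvv))


# --- Why the token must be random and not a hash of the PAN -----------------

def hashed_pseudo_token(pan):
    """A deterministic 'token' some home-grown systems use. Do not do this."""
    return hashlib.sha256(pan.encode()).hexdigest()


def recover_pan_from_hash(digest, first6, last4):
    """With the first six and last four known (the masked form a merchant may
    display), only six middle digits are unknown: at most 10**6 hashes."""
    for middle in range(10**6):
        candidate = f"{first6}{middle:06d}{last4}"
        if hashlib.sha256(candidate.encode()).hexdigest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    gw = Gateway()
    card = enroll_card(gw, "4111111111111111", "09/26", "123")
    print("merchant record:", asdict(card))
    print("charge:", gw.charge(card.token, 250.00))
    print("vault fields:", gw.stored_fields(card.token))
    pan = recover_pan_from_hash(hashed_pseudo_token("4111111111111111"), "411111", "1111")
    print("hashed 'token' reversed to:", pan)
```

The merchant record carries the token, last four and expiry and nothing else, so a breach of the ERP yields nothing chargeable outside that one gateway relationship. The brute-force function is the check to run against any in-house "tokenization" that derives the token from the card number: if the token is a plain hash, salting per merchant only stops cross-merchant linking, not recovery, because the search space is the six hidden digits.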

Request a Payment or Electronic Bill Presentment and Payment (EBPP or EIPP), proactive:

  • Reduces accounts receivable friction.

EBPP Electronic Bill Presentment & Payment

  • Non-integrated: merchants use the CenPOS EBPP portal to create the payment request, including optional invoice detail. The customer is sent a text and/or email with a payment link.
  • Integrated: the same as above, except the invoice is sent from accounting or financial software such as an ERP.

With EBPP, customers have a portal to pay multiple invoices, view payments, download invoices, and manage payment methods.

At a minimum, merchants with card-not-present customers should offer online payments so customers can securely pay a bill. If a signature is required, have the customer print and sign the receipt and email that authorization back; it is more valuable than a traditional credit card authorization form.

Need a secure solution but don't want to change your merchant account? No problem. Contact Christine Speedy for secure, cost-effective and efficient solutions.