Installment Prepayments Credit Card Processing Rules Change 2017

Installment prepayment credit card processing rules change effective October 2017 will impact business profits and chargeback risk. Everyone in the payment ecosystem has or will need to make changes to comply, including acquirer, issuer, payment gateway, merchant, and sometimes software solution.

payment gateway SaaS recurringInstallment prepayment credit card processing best practices:

  • When capturing card data to create a random token replacing sensitive data for the first time, perform an Account Number Verification Transaction via a Zero Dollar Authorization. There’s a payment gateway procedure, including using specific transaction indicator, for this. If the solution you’re using performs a $1 authorization, often with a void or reversal after, that’s because the payment gateway, and or the implementation, are out of date and don’t support current requirements. Ask how yours works and contact us for help now if you cannot do a zero dollar authorization!
  • Payment gateway to identify all future transactions after storing:

With an indicator that shows that the Transaction is using a Stored Credential
– With the Transaction Identifier of the initial Transaction.

  • The sales receipt must include phrase “recurring transaction”
  • A convenience fee cannot be charged on an Installment Transaction.
  • Transactions cannot be key entered into desktop terminals; a cloud based payment gateway is required

Guidelines and rules vary by card brand, business type and many other factors. Additionally, the rules are complicated. This article may oversimplify such complexities. Merchants are advised to use tools, including intelligent payment gateways, to help comply automatically to maximize profits and mitigate risk.

Reference: For example, read Visa Stored Credential Transaction Mandates and also Visa Core RulesTable 5-21: Requirements for Prepayments and Transactions Using Stored Credentials.

Before selecting a payment gateway for installments, ask these questions:

  • How will it help with new Visa Stored Credential Mandates compliance?
  • Does it support 3-D Secure cardholder authentication, for customer initiated payment?
  • What type of digital record is created at the time of customer opt-in to terms, how is it retrieved, and how long is it retained?
  • Does it support Zero Dollar Authorization?
  • Does the receipt dynamically change based on type of transaction, i.e. cash, credit card single payment, installment payment etc.
  • Does it level 3 processing for commercial cards (if applicable to business type)?
  • If I change banks or payment processors, how will it affect my customers? My business?

TIP: An easy starting point to reduce the list of options is to ask any payment gateway what type of digital record is created at the time of creating an installment agreement, and how will you access it? Need help to get compliant? Contact Christine Speedy to learn more about solutions for your business that are quick and easy to adopt, increasing efficiency and growing profits virtually overnight.


Is it any surprise that actual Payment Card Industry (PCI) Data Security Standard (DSS) assessments by Verizon’s team of Qualified Security Assessors (QSAs) shows growth of compliance is stagnant? Even worse, organizations that suffered data breaches were much less likely to be compliant than a normal population of PCI clients? About 20 percent of organizations passed less than half of the DSS requirements, while 60 percent scored above the 80 percent mark. For all those merchants sounding off about an annual PCI Compliance Fee, the evidence is clear that merchants still have a long ways to go. 100% PCI DSS compliance is the only acceptable statistic.

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies)

The first two of these can easily be resolved with our hosted payment processing technology, CenPOS. If you’re going to store cardholder data, it needs to be encrypted. One of the major problems with this has been ready access to solutions for storing cardholder data for variable billing. Most gateways have a PCI Compliant solution to store encrypted card data for recurring billing,  charging the same amount on a fixed schedule. However, CenPOS is unique to offer storing card data for billing a variable amount, token billing. Additionally, it is the only technology this writer is aware of that also includes interchange optimization, of major importance to companies trying to control credit card processing fees.

encrypt cardholder data token billing variable amount

Tokens are issed for stored card data, worthless if stolen.

Requirement 10 (Tracking and Monitoring) is a major component of CenPOS. Every user has a unique login and management can micro manage permissions. Where others create a few tiered levels of permission such as cashier, finance, and administrator, CenPOS offers a plethora of options, plus management tracking and research tools.

  • User Permissions: Control precise transaction types allowed, set maximum thresholds, set alerts based on responses, amounts and other criteria. Extensive Permissions enable maximum merchant protection from lower level employees, plus there are tools for secondary oversight at the admin level to mitigate risk of high level employee fraud.
  • Tracking and Monitoring: The requirement calls for the tracking and monitoring of all access to network resources and cardholder data, the main objective is to maintain system logs and have procedures that ensure proper utilization, protection, and retention. According to the Verizon Report, this has historically been one of the most challenging, but is critical to forensic investigations if needed. CenPOS logs everything related to the payments process including user ID, time stamps and every other element of interaction with the system. Merchants must have their own internal logging system for their network.

Requirement 11 (Regular Testing) had the least compliance in the Verizon report. “Organizations continue to have difficulty meeting the sub-requirements regarding network vulnerability scanning (11.2), penetration testing (11.3), and file integrity monitoring (11.5).”  Our recommendation is that merchants hire a qualified outside vendor to assist them with this requirement. We have no direct affiliation with such companies but know several with good reputations should you need a resource.

Requirement 12 (Security Policies) While the best laid written plans may exist, there is still the human factor. Weaknesses identified include poorly written policies, including so long that they are stuffed in a desk never to be read again, and those that are too vague. Note that the requirements are directly related to the services in scope of the organization’s PCI DSS. The more the merchant reduces their scope, the more the burden is on their service provider instead of their internal personnel. CenPOS reduces the merchant scope in several ways, including but not limited to:

  • Web payments on a hosted pay page, not the merchants web page
  • Electronic Bill Presentment and Payment- same as above.
  • Storing all card data, encrypted, on CenPOS servers, eliminating file drawer and merchant stored data


Learn more about how CenPOS can help you with PCI DSS Compliance.




Security is everyone’s business: retail credit card processing

A brief security note for customers using one of our retail solutions.

Do not store passwords and login information on your desk or in any unlocked area.

What if the machine does not recognize the magnetic strip?  If the machine says “re-swipe”, then

  • Check to make sure terminal is swiping properly (test any card by swiping without charging)
  • Try swiping at a different rate of speed.
  • Check for valid card security features (hologram etc, imprinted security code etc)
  • If the card appears to be OK, and you have permission to key enter, enter the transaction information and then have the customer sign the printed receipt as usual.
  • Verify the signature and card data on the receipt match the actual card.

Note: if the 4 digits do not match- it is ALWAYS a fraudulent card.

If suspicious, hold onto the card and call your Voice Auth phone number. “I have a code 10 authorization request”. Cash rewards up to $1000 are available to merchants and employees for recovered cards, including $100 from Visa for a last 4 digit mismatch, if this procedure is followed.

Do not store card data outside the system for any reason. Use the Repeat Sale button if you need to securely store card data to re-bill at a later date. The encrypted card data is stored on PCI Compliant servers, never at the merchant location, and you can charge the account again with the token that will be issued.