Online Payment Form Security Alert

Is your online payment form out of date and a security risk? Securing online payment forms requires an annual review at a minimum. Just because a hosted paypage form still works doesn’t mean it’s secure or PCI Compliant.

PCI Compliance requirements have steadily tightened since 2014 for pay pages and all ecommerce transactions.

Hosted paypage options:

  1. Merchant hosts the form and collects payment on their own web site. Beginning with PCI DSS 3.0, significant additional PCI burden applies, because the card data passes through the merchant’s own page and servers. Highest risk.
  2. 3rd party payment gateway hosted pay page: the merchant gives customers a link to a page that is served by, and submitted to, the payment gateway, so card data never touches the merchant’s site. This significantly reduces the potential for malicious activity that could compromise cardholder data. Lowest risk.
  3. An iframe hosted paypage appears to reside on the merchant web site, but the payment fields are served by the 3rd party and the payment data is captured directly on their web host. The implementation method using iframes for payments has changed over the years to meet current PCI Compliance requirements, including to combat malicious JavaScript and Cross-Site Scripting threats.
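To tell which of the three models a checkout page actually uses, here is an added example (not code from the original page or from CenPOS) that statically audits saved checkout HTML. It classifies the page as merchant-hosted, gateway-iframe or gateway-redirect, and flags card fields that sit in the merchant’s own DOM or frames not loaded over HTTPS. The field-name tokens, the sample pages and the hostnames shop.example and pay.gateway.example are assumptions constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tokens (after dropping '-' and '_' from name/id/autocomplete) that mark an
# <input> as a card-data field. Assumed naming conventions, not a standard.
CARD_TOKENS = {"ccnumber", "cardnumber", "cardnum", "ccnum", "pan",
               "cvv", "cvc", "csc", "cccsc", "ccexp"}


class PayPageAuditor(HTMLParser):
    """Collect card-looking inputs and iframe sources from a checkout page."""

    def __init__(self):
        super().__init__()
        self.card_inputs = []
        self.iframe_srcs = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "input":
            hint = " ".join((a.get("name", ""), a.get("id", ""),
                             a.get("autocomplete", ""))).lower()
            if set(re.sub(r"[-_]", "", hint).split()) & CARD_TOKENS:
                self.card_inputs.append(a.get("name") or a.get("id"))
        elif tag == "iframe" and a.get("src"):
            self.iframe_srcs.append(a["src"])


def audit_pay_page(html, page_url):
    """Return (hosting model, warnings) for checkout HTML served at page_url."""
    page = urlparse(page_url)
    auditor = PayPageAuditor()
    auditor.feed(html)
    warnings = []
    if page.scheme != "https":
        warnings.append("pay page itself is not served over HTTPS")

    if auditor.card_inputs:
        # Card fields are in the merchant's own DOM, so any script running on
        # this page (first-party, third-party or injected) can read them.
        # Posting the form directly to the gateway does not change that.
        warnings.append("card fields %s are in the merchant page DOM" % auditor.card_inputs)
        return "merchant-hosted", warnings

    external = [s for s in auditor.iframe_srcs
                if urlparse(s).netloc.lower() not in ("", page.netloc.lower())]
    if external:
        # Fields live in a cross-origin frame that the browser isolates from
        # scripts on this page; the frame itself must still be HTTPS.
        for src in external:
            if urlparse(src).scheme != "https":
                warnings.append("iframe %s is not loaded over HTTPS" % src)
        return "gateway-iframe", warnings

    # No card inputs and no cross-origin frame: this page never touches card
    # data, so payment happens on a page the gateway serves (link/redirect).
    return "gateway-redirect", warnings


# Constructed sample pages (not captured from any real merchant site).
MERCHANT_HOSTED = """<form action="https://pay.gateway.example/post" method="post">
  <input name="cardholder"><input name="card_number" autocomplete="cc-number">
  <input name="cvv"><input name="company"></form>"""
IFRAME_HOSTED = """<h1>Pay invoice</h1>
  <iframe src="https://pay.gateway.example/form?mid=123"></iframe>"""
REDIRECT = """<a href="https://pay.gateway.example/invoice/123">Pay now</a>"""

if __name__ == "__main__":
    for name, page in (("merchant", MERCHANT_HOSTED), ("iframe", IFRAME_HOSTED),
                       ("redirect", REDIRECT)):
        print(name, audit_pay_page(page, "https://shop.example/pay"))
```

Run it against the saved source of your own pay page. It is a static check only: card fields that a gateway’s JavaScript SDK builds at runtime, and frames served from your own origin, are invisible to it, so a "gateway-redirect" or "gateway-iframe" result should be confirmed in the browser’s developer tools before you rely on it.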

“If your iframe hosted paypage hasn’t been updated in the last year or so it’s likely not PCI Compliant,” Christine Speedy, Card Not Present Expert.

A payment gateway is a secure transaction engine that facilitates the transfer of sensitive information to the processor, and is required for all online payment forms. Some gateways provide online payment forms at no additional charge. Vendor selection has a significant impact on risk mitigation, payment processing fees, efficiency, and PCI Compliance burden.

A payment gateway can be proprietary to a specific processor, or agnostic and compatible with multiple processors. While one provider for both services may seem to be the best choice, there are significant reasons the opposite may be true, including risk mitigation. Bots present a significant risk of exploitation of online payment forms and can cause real losses if additional steps are not taken to mitigate ‘card testing’, where criminals use online forms to submit transactions against stolen or guessed card numbers to determine which cards are good or bad. Every attempted authorization carries a fee, and once chargeback fees from the resulting disputes are added, the total can reach tens of thousands of dollars in a matter of hours.
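As an added example (not from the original page or from CenPOS), the following detection logic runs a sliding-window rule over constructed authorization log lines to surface a card-testing burst: many attempts from one source, many distinct cards, and mostly declines. A real customer who mistypes one card a few times trips at most one of those three conditions. The log format, IP addresses, card tokens and thresholds are assumptions and should be tuned to your own traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authorization log (not a real gateway format or real traffic):
# timestamp, client IP, card token (stand-in for the card number), result.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z 198.51.100.7 tok_a1 DECLINED
2024-03-01T10:00:04Z 198.51.100.7 tok_a2 DECLINED
2024-03-01T10:00:09Z 198.51.100.7 tok_a3 DECLINED
2024-03-01T10:00:12Z 198.51.100.7 tok_a4 APPROVED
2024-03-01T10:00:15Z 198.51.100.7 tok_a5 DECLINED
2024-03-01T10:00:20Z 198.51.100.7 tok_a6 DECLINED
2024-03-01T10:00:25Z 198.51.100.7 tok_a7 DECLINED
2024-03-01T10:00:31Z 198.51.100.7 tok_a8 DECLINED
2024-03-01T10:02:10Z 203.0.113.5 tok_b1 DECLINED
2024-03-01T10:03:02Z 203.0.113.5 tok_b1 DECLINED
2024-03-01T10:03:40Z 203.0.113.5 tok_b1 APPROVED
2024-03-01T10:05:00Z 192.0.2.44 tok_c1 APPROVED
"""


def parse_log(text):
    """Parse the constructed log into (time, ip, card_token, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, card, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, card, result))
    return sorted(events)


def find_card_testing(events, window=timedelta(minutes=5), min_attempts=6,
                      min_cards=4, min_decline_ratio=0.5):
    """Return {ip: summary} for sources that, inside any sliding window, show
    at least min_attempts authorizations across at least min_cards distinct
    cards with a decline rate of at least min_decline_ratio. Thresholds are
    assumed starting points, not calibrated values."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    flagged = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits the time bound.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            span = evs[start:end + 1]
            cards = {ev[2] for ev in span}
            declines = sum(1 for ev in span if ev[3] != "APPROVED")
            if (len(span) >= min_attempts and len(cards) >= min_cards
                    and declines / len(span) >= min_decline_ratio):
                best = flagged.get(ip)
                # Keep the largest matching window so the summary covers the burst.
                if best is None or len(span) > best["attempts"]:
                    flagged[ip] = {"attempts": len(span), "distinct_cards": len(cards),
                                   "declines": declines,
                                   "first": span[0][0], "last": span[-1][0]}
    return flagged


if __name__ == "__main__":
    for ip, summary in find_card_testing(parse_log(SAMPLE_LOG)).items():
        print(ip, summary)
```

On the sample, 198.51.100.7 is flagged (8 attempts, 8 cards, 7 declines in 30 seconds) while 203.0.113.5, a customer retrying one card, is not. Once a source is flagged, the "additional steps" the text refers to are what stop the fee bleed: block or challenge that source on the form itself rather than after the authorizations have already been billed.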

If you don’t want to be the next law firm, CPA firm, hotel or distributor data breach headline, consult a payments expert who understands the financial and risk ramifications of one payment gateway choice and implementation method over another. Ecommerce consultants and bankers may have limited in-depth expertise in how to maximize your profits and mitigate risk exposure.

TIP FOR NON-TECHS: Does your online payment form look good on smart phones and other mobile devices? If not, there’s a pretty good chance it hasn’t been updated in years, which means your online payment page needs an update and is probably not PCI Compliant.

RESOURCES:

  • PCI – Payment Card Industry Data Security Standards
  • https://www.us-cert.gov/publications/securing-your-web-browser
  • http://pcisecuritystandards.org

For PCI compliant solutions to collect online payments from your customers, contact Christine Speedy today. Get paid via your preferred methods, including ACH, credit card, wire and PayPal, while increasing security and convenience.

Steps to Reduce Credit Card Fraud For Distribution Industry

Credit card fraud is still rampant in the US, even after the US EMV liability shift convinced many merchants to purchase terminals to support chip cards. Marine, auto, and other high value parts dealers have long had a problem mitigating fraud risk on local and international parts orders.

  1. For card not present orders, require self-pay with cardholder authentication. Taking cards over the phone and/or requiring a credit card authorization form will not protect against all forms of counterfeit card fraud. Consumer authentication, however, shifts liability back to the issuer: the issuer guarantees payment, and because the transaction is lower risk, dealers can qualify for lower interchange rates, the bulk of merchant fees. Online payment, ecommerce payment, and electronic bill presentment and payment are the 3 methods dealers can use to enable self-payment.
  2. For retail orders, EMV is mandatory. Not by regulation, but by necessity. If a chip card is presented and the merchant supports EMV, the merchant is protected from counterfeit card fraud liability, and sometimes from lost or stolen card fraud as well; if the merchant does not support EMV, the transaction can be charged back automatically at the issuer’s discretion, and there is no dispute process for the merchant.
  3. Check guarantee. Whether in person or via echeck, check guarantee services are only good if they don’t reject your checks later on. Surprisingly (or maybe not), some services seem to look for ways not to approve your claim, such as asserting that information is missing from the check. This can be avoided with technology that forces users to collect the right data, including for remote self-payers.

If all of the above are implemented, dealers are protected from virtually any type of credit card fraud. The following tips will help prevent other types of lost disputes, or serve as supporting documentation if not all the above are implemented.

  1. Get a signed sales order. This can reduce non-fraud claims related to disputes about what was expected. The sales order should clearly state what was sold, the refund policy, and the cancellation policy, or refer to another document that specifies that information, with acceptance initialed on the sales order.
  2. Ship to the cardholder billing address. If that is not possible, get written cardholder approval acknowledging that the bill-to and ship-to addresses differ.
  3. Require all communications to the cardholder’s business email address if selling wholesale. Free email like Gmail is not OK.
  4. Require the cardholder to respond from their business email address approving the transaction receipt. This is strong documentation in the case of an “I didn’t approve it” dispute, especially when a third party is picking up the part from the dealer.
  5. Marine, automotive and other distribution companies are hit particularly hard with non-qualified transaction penalties when shifting between retail, key entered, and online payments. It’s critical that transactions are presented properly, not only to qualify for lower rates, but to protect against lost disputes, since each type of transaction requires its own specific evidence.

Not related to security, but critical for interchange rate qualification (the bulk of credit card processing fees): all services (retail, MOTO, ecommerce) should support level III processing.

In summary, dealers need US EMV and cardholder authentication to maximize risk mitigation from credit card fraud. US EMV requires terminal certification, and gateway certification* to your merchant account provider. Cardholder authentication requires a payment gateway certified for the service. There are very few companies that meet all these requirements, so if your credit card processing salesperson gives you a blank stare when you ask, it’s time to explore other options.

*A payment gateway certified for level III retail to your acquirer is required; countertop terminals are incapable of sending level III data.

3 Ways CenPOS Beats Skipjack For Online Payments Gateway Review

This answer about payment gateways is specifically for an auto industry parts distributor shipping nationally, though many wholesale distributors have the same needs. After outlining the situation and concerns, we’ll explore 3 key differences. The object is not to dissect every difference, nor even to compare only to Skipjack, but to give merchants information to help make educated choices about any credit card processing or check processing gateway.

SITUATION OVERVIEW

About The Company (merchant):

  • Wholesale, retail and recycled auto and truck parts
  • USA sales only
  • Retail storefront for the occasional local buyer- minimal walk-ins
  • Online parts inventory search, no ecommerce
  • Most customers buy one time only
  • Most repeat customers are on account and pay by check per terms

About The Current Payments Process:

METHOD 1: Most common

  • Customer selects a part from the live inventory online
  • Calls on the phone for a quote
  • Merchant faxes forms to complete including special ordering terms and a credit card authorization form.
  • Customer faxes back the forms
  • Merchant key enters all the bill to and ship to information etc.

METHOD 2:

  • Customer selects a part from the live inventory online
  • Emails request for a quote
  • Merchant emails response with forms to complete including special ordering terms and a credit card authorization form.
  • Customer faxes back the form
  • Merchant key enters all the bill to and ship to information etc.

METHOD 3: On account customers

  • Customer selects a part from the live inventory online
  • Emails request for a quote
  • Merchant emails response with forms to complete including special ordering terms
  • Customer faxes back the approval form
  • Merchant key enters order information on a stored customer (bill to & ship to, no payment data)
  • Merchant prints invoice and sends in the mail
  • Customer pays by check in the mail

Customers can also download the order forms on demand from the web site.

MERCHANT TOP CONCERN:

  • Time consuming: staffing costs are high, customer satisfaction declines the longer the wait, and sales may be lost due to wait time or inconvenience.

OTHER CONCERNS:

  • Security: to protect against future disputes, the forms with credit card information are stored as proof that the customer agreed to the terms. It’s virtually impossible to demonstrate PCI Compliance with these procedures, and it presents substantial financial risk to the owner, plus personal risk of felony charges, with up to one year in jail, for the business owner if identity theft occurred. Most small businesses go bankrupt after a data breach.
  • Cost of adding any new services and the impact on profit margins

THREE WAYS CENPOS OUTPERFORMS SKIPJACK

  1. Human Resources: a) CenPOS empowers customers to make online payments for any outstanding invoice without any customization required. This greatly reduces sales time on the phone. b) The E-invoice option eliminates all activities related to stuffing envelopes with invoices, mailing, tracking who’s paid so reminders can be sent, and re-faxing invoices that are lost. Collections are automated and proven to increase cash flow and reduce float. c) CenPOS reports include HR planning tools that plot transactions, by user, on a time grid to help management plan staffing.
  2. Security: CenPOS shifts all payment collection to multi-channel payments with one hub AND automated presentment. Skipjack cannot change the transaction indicator from retail to MOTO or vice versa; all payments are sent with whatever indicator the merchant account is set up for. CenPOS saves merchants money.
  3. Cost: CenPOS uniquely can lower the cost of credit card acceptance by reducing interchange fees (the bulk of credit card processing fees), chargeback fees, and losses associated with fraud and/or disputes. CenPOS is an intelligent gateway that alters actions based on a number of rules, including merchant created rules. a) CenPOS uniquely optimizes transactions for qualified interchange rates, and empowers merchants to make decisions about risk. For example, CenPOS will automatically prompt for level III data on a corporate or purchasing card. Skipjack will not. The interchange difference can be over 1%. b) CenPOS will dynamically switch transactions from retail to MOTO for presentment to the card issuing bank, qualifying transactions for the best interchange rate for both methods. Skipjack cannot. c) CenPOS creates efficiencies for marketing, sales, and accounting that have a direct impact on internal costs. Skipjack does not have the reconciliation tools, HR planning reports, EBPP (electronic bill presentment & payment) and a long list of other solutions that impact business costs.

Skipjack is a registered trademark of Skipjack Financial Services, Inc.

CenPOS works with your existing processor. CenPOS is fast, easy, and requires no capital investment to implement. Call 954-942-0483 for more information.

How to resolve Error 101 Invalid User on pay page

If the CenPOS embedded payment object, or the secure pop up page you link to, was previously working but now returns error 101 invalid user, update the webpay user’s password as follows.


Login to the Virtual Terminal.

  • Administrator>Users
  • Select User by clicking once
  • click the Change Pass button at the bottom of your screen
  • Create a new password
  • Logout
  • Test: Login to the Virtual Terminal with the new password
  • Login to the Webpay administration URL
  • Modify User Information with new password
  • Submit
  • Logout
  • Refresh the secure pay page
Image: virtual terminal and web payment page for a law firm. The image shows an example of a customizable secure payment page on a law firm web site, fully configurable for your specific needs.

About CenPOS “Creating efficiencies through payment innovation”
Founded in 2009, Miami-based CenPOS is a SaaS payment technology provider. CenPOS is an intelligent payment processing network that streamlines the payment experience for businesses and consumers by using state-of-the-art technology to replace inefficient, outdated payment systems.

About Christine Speedy, blog author. Christine is an authorized CenPOS reseller and has been helping merchants improve the customer experience since CenPOS launched. Global Sales: Christine Speedy (954) 942-0483.