Can you recommend a PCI Compliant policy for storing credit cards?

Distributors and manufacturers can overcome PCI Compliance issues with better awareness of the rules and cost-efficient solutions that ease the PCI burden. A review of key problems and solutions will help companies with internal credit card authorization and storage policies. For credit card processing, a virtual terminal or integrated gateway is the only cost-efficient and secure option for these business types.

It’s never OK to store credit card forms that have the CVV2, or security code, on them. It’s also never OK to store the CVV2 electronically in any format, encrypted or not. This is both a card acceptance problem and a PCI DSS 3.0 problem (Requirement 3, Protect Cardholder Data). For any recurring charges, including variable ones, merchants only need to validate the CVV once as a fraud check, and then never again. This is easily accomplished with a zero-dollar authorization; however, not all gateways support this feature.

The best paper credit card authorization form is one that doesn’t have full card data on it, or better yet, doesn’t exist at all. If sales reps in the field are collecting card numbers to be charged later, consider a mobile payment app that lets them swipe the card and create a token using a point-to-point (P2P) encrypted reader. That way card data is never exposed at any point in time. Instead of taking card numbers over the phone, empower customers to pay or store card data themselves using online payment solutions, either a hosted online pay page or electronic bill presentment and payment (EBPP). Use this to also eliminate credit card data in emails, which is another PCI Compliance problem.

Need to keep a card on file that you initiate charges against? With today’s technology it’s indefensible to have credit card data on paper, and it’s risky to use your own encrypted media. Tokenization, a payment gateway service that lets merchants remove sensitive data from their environments, is the best practice for security and PCI Compliance.

Some businesses want a signature on file. A sales receipt is generated by almost any online payment solution, and merchants can require a customer to print and sign it, or simply to forward the email receipt from a company email address with a typed name approving it. For recurring billing, choose a payment gateway that generates a PCI Compliant recurring billing authorization form. These forms are useless if stolen and contain all the right language for credit card authorization. They should be supplemented by a signed document with your own custom business terms and conditions, including limits on duration and on the maximum charge amounts allowed. Merchants might also get a signed sales order with all terms and conditions, plus the token ID the customer has agreed you’ll charge.

Third-party credit card authorization doesn’t exist as far as card issuers are concerned. The cardholder terms specifically state that cardholders cannot allow any third party to use their card. Any form a merchant creates authorizing other parties is at risk of future disputes. The merchant can eliminate the risk by having the customer’s company issue purchasing cards to each buyer, or mitigate the risk by sending the sales receipt automatically to the cardholder and asking the buyer to confirm receipt per the terms and conditions.

A huge problem is managing old stored data created before the current PCI Compliance rules. The reality is that the merchant is not PCI Compliant as long as the old data exists. That likely means someone will need to be assigned to identify all the past ways that credit card numbers were captured. For electronic data, IT will need to get involved to securely remove it. There are also tools to search emails and servers for card data.
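As an added example (not from the original post), here is a small discovery scanner of the kind the paragraph refers to: it runs a Luhn checksum over every 13 to 19 digit run in a set of files so that order and tracking numbers are not mistaken for card numbers, flags columns that captured a CVV2, and reports only the last four digits so the findings file itself holds no cardholder data. The file names and contents are constructed sample data.

```python
import re

# Constructed sample of legacy files an accounts-receivable team might have kept.
# The PANs are industry test numbers, not real cards; the "tracking number" in
# notes.txt has a plausible length but fails the Luhn checksum, which is what keeps
# it out of the findings (a regex alone would flag it).
SAMPLE_FILES = {
    "orders_2012.csv": "acct,card,cvv\n1001,4111 1111 1111 1111,123\n1002,5500-0000-0000-0004,\n",
    "mail/fwd_payment.eml": "Subject: card on file\nPlease charge 378282246310005 for the order.\n",
    "notes.txt": "Tracking number 1234567812345678 shipped Tuesday.\n",
}

# 13-19 digits, optionally separated by single spaces or dashes, not adjacent to other digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Column headers that indicate a CVV2/CVC2 value was captured alongside the card number.
CVV_HEADER_RE = re.compile(r"\b(cvv2?|cvc2?|cid|csc|security[ _-]?code)\b", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Show only the last four digits, so the report itself holds no cardholder data."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(name: str, text: str) -> list:
    """Return findings as (file, line number, description) for one file's contents."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if CVV_HEADER_RE.search(line):
            findings.append((name, lineno, "CVV/CVC column header present"))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((name, lineno, "PAN " + mask(digits)))
    return findings


def scan_files(files: dict) -> list:
    """Scan every (name -> contents) pair and collect findings across all of them."""
    return [f for name, text in files.items() for f in scan_text(name, text)]
```

Each finding gives the cleanup owner a file and line to record in the master PCI file without copying the card number into the log.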

PCI 3.0, in effect now, requires not only that merchants be PCI compliant at a point in time, but that there’s a plan in place for monitoring and inspecting. Whoever is cleaning up the old problems should document who, what, where, how and when activities were identified and/or completed, and continually add this to the master PCI file.

References:

Payment Card Industry (PCI) Data Security Standard, v3.1, p. 36 (CVV)
Visa Core Rules, October 2014, p. 266 (Merchant Must Not Request the Card Verification Value 2 data on any paper Order Form)


Balancing card not present risk with customer convenience

Accepting credit cards from card-not-present customers can be risky, and merchants have long sought ways to protect themselves from future disputes. The problem is that most of those methods are PCI Compliance nightmares, often storing card data in the clear on paper credit card authorization forms. Enabling customers to self pay is one way to mitigate the risk.

HOSTED PAY PAGE – ONLINE PAYMENTS

With a hosted pay page solution, customers are directed to a secure web page. The ‘host web server’ is the payment gateway’s, which reduces the merchant’s PCI Compliance burden. Gateways offer different fraud tools for merchants beyond the usual address and CVV verification. Examples of hosted pay page solutions:

  1. Link to custom payment processor URL (First Data)
  2. Embedded payment object on the merchant’s web page; the merchant should still have an SSL certificate, even though the payment object itself is served from a different server. This is usually achieved with an iframe. (CenPOS)
  3. Link to a custom payment gateway URL (CenPOS); this provides continuity when merchants change processors

ELECTRONIC BILL PRESENTMENT & PAYMENT (EBPP)

Customers are sent an electronic invoice, which they can pay remotely. Both merchants and customers have a portal to manage various functions. EBPP used to be costly, upwards of $100,000, but now there are solutions for all price ranges based on merchant needs. Examples of EBPP solutions:

  1. Standalone: merchants log in to a web-based portal and generate an invoice, which is delivered electronically to customers. (PayPal, CenPOS)
  2. Integrated, accounting software managed: customers receive electronic invoices with data originating from accounting, ERP, or other software, and the ERP manages the delivery of the invoice, reminders, etc. (QuickBooks & Intuit merchant services, ERP/CenPOS)
  3. Integrated, gateway managed: customers receive electronic invoices with data originating from accounting, ERP, or other software, and the gateway manages the delivery of the invoice, collection reminders, etc. (QuickBooks & Intuit merchant services, QuickBooks & 3rd party gateway integration/any merchant account)

EBPP BENEFITS VS HOSTED PAY PAGE

  • Pushes out to the customer: less friction to complete the payment and/or sale
  • Reduces risk with an additional evidence trail for dispute defense; records of invoice delivery and of the customer opting to pay strengthen the defense; card brand rules include chargeback protection without a signature if the bill-to address matches the company address and the employee email address was used. (See Visa Merchant Rules for details)
  • Automated reminders if they don’t pay (solutions vary widely in how this works)
  • Customer visibility into outstanding credit; ability to free up credit themselves to buy more
  • Reduced calls to accounts receivable asking which invoices are outstanding

HOSTED PAY PAGE & EBPP VENDOR SELECTION

There are wide differences in payment gateways, and the related solutions. The best solution varies depending on the business type.

Critical needs for business to business:

  • Level III processing supported for all payment channels
  • Collections automation
  • Flexibility: the average merchant changes processors every three years; choose a gateway independent of the processor to avoid business disruptions
  • 3-D Secure (Verified by Visa and MasterCard SecureCode): card-not-present fraud is expected to rise dramatically with US EMV adoption
  • Tokenization: empower customers to store and manage payment methods themselves
  • Card Updater: if applicable for recurring service

CenPOS is a merchant centric, end to end payment engine that meets all omnichannel and critical business to business needs. For sales and integrations, contact Christine Speedy 954-942-0483.