Can you recommend a PCI Compliant policy for storing credit cards?

Distributors and manufacturers can overcome PCI Compliance issues with better awareness of rules, and cost efficient solutions to ease PCI burden. A review of key problems and solutions will help companies with internal credit card authorization and storage policies. For credit card processing, a virtual terminal or integrated gateway, is the only cost efficient and secure option for these business types.

It’s never Ok to store credit card forms that have the CVV2, or security code, on them. It’s also never Ok to store CVV2 electronically in any format, encrypted or not. This is both a card acceptance and PCI Compliance 3.0, section 3 Protect Cardholder Data, problem. For any recurring charges, including variable, merchants only need to validate the CVV one time for a fraud check, and then never again. This is easily accomplished with a zero dollar authorization, however not all gateways support this feature.

The best paper credit card authorization form, is one that doesn’t have full card data, or better yet, doesn’t exist at all. If sales reps in the field are getting card numbers to be charged later, consider a mobile payment app that let’s them swipe and create a token, using a P2P encrypted reader. That way card data is never exposed at any point in time. Instead of getting card numbers over the phone, empower customers to self pay or store card data using online payment solutions, including either a hosted online pay page or electronic bill presentment and payment (EBPP). Use this to also eliminate credit card data in emails, which is another PCI Compliance problem.

Need to keep a card stored on file that you initiate charges on? It’s indefensible with today’s technology to have credit card data on paper, and it’s risky to use your own encrypted media. Tokenization, a payment gateway service for merchants to remove sensitive data from their environments, is the best practice for security and PCI Compliance.

Some businesses want a signature on file. A sales receipt is generated with almost any online payment solution and merchants can require a customer to print and sign it, or to simply forward the email receipt from company email address with typed name approving it. For recurring billing, choose a payment gateway that generates a PCI Compliant recurring billing authorization form. They’re useless if stolen, and contain all the right language for credit card authorization. It should be supplemented by a signed document with your own custom business terms and conditions, and limitations for duration and maximum charge amounts allowed. Merchants might also get a signed sales order with all terms and conditions, plus the token ID the customer has agreed you’ll charge to.

Third-party credit card authorization doesn’t exist as far as card issuers are concerned. It’s specifically written in the cardholder terms that they cannot allow any third party to use their card. Any form a merchant creates authorizing other parties is at risk for future disputes. The merchant can eliminate the risk by having the company issue purchasing cards for each buyer, or mitigate risk by sending the sales receipt automatically to the cardholder and asking the buyer to confirm receipt per T’s & C’s.

A huge problem is managing old stored data created prior to new PCI Compliance rules. The reality is, the merchant is not PCI Compliant as long as the old stuff exists. That likely means someone will need to be assigned to identify all the past ways that credit card numbers were captured. For electronic, IT will need to get involved to securely remove old data. There are tools to search emails and servers for card data as well.

PCI 3.0, in effect now, requires merchants not only are PCI compliant at a point in time, but that there’s a plan in place for monitoring and inspecting. Whoever is cleaning up the old problems should document who, what, where, how and when activities were identified and or completed, and continually add this to the master PCI file.


Payment Card Industry (PCI) Data Security Standard, v3.1, pg 36 CVV
Visa Core Rules, October 2014 page 266, Merchant Must Not Request the Card Verification Value 2 data on any paper Order Form


Balancing card not present risk with customer convenience

Accepting credit cards for card not present customers can be risky, and merchants have long sought solutions to protect themselves from future disputes. The problem is most of those methods are PCI Compliance nightmares, often storing card data in the clear on paper credit card authorization forms. Enabling customers to self pay is one way to mitigate risk.


accept payments onlineWith a hosted pay page solution, customers are directed to a secure web page. The ‘host web server’ is the payment gateway, thus reducing merchant PCI Compliance burden. Gateways have different fraud tools for merchants, beyond the usual address and CVV security verification. Examples of hosted pay page solutions:

  1. Link to custom payment processor URL (First Data)
  2. Embedded payment object on merchant web page; the merchant should have an SSL certificate, even though the payment object itself is on a different server. This is usually achieved with an iframe. (CenPOS)
  3. Link to a custom payment gateway URL (CenPOS); this provides continuity when merchants change processors


EBPP Electronic Bill Presentment & PaymentCustomers are sent an electronic invoice, which they can pay remotely. Both merchants and customers have a portal to manage various functions. EBPP used to be costly, upwards of $100,000, but now, there’s solutions for all price ranges based on merchant needs. Examples of EBPP solutions:

  1. Standalone– merchants login to a web based portal and generate an invoice which is delivered electronically to customers. (Paypal, CenPOS)
  2. Integrated, accounting software managed – customers receive electronic invoices with data originating from accounting, ERP, or other software, and the ERP managing the delivery of the invoice, reminders etc (Quickbooks & Intuit merchant services, ERP/CenPOS).
  3. Integrated, gateway managed – customers receive electronic invoices with data originating from accounting, ERP, or other software (Quickbooks & Intuit merchant services, Quickbooks & 3rd party gateway integration/ any merchant account), and the gateway managing the delivery of the invoice, collection reminders etc.


  • Pushes out to customer- less friction to complete the payment and or sale
  • Reduce risk with additional evidence trail for dispute defense; records of invoice delivery and customer opted to pay strengthen defense; card brand rules include chargeback protection without a signature if bill to address matches the company address and the employee email address was used. (See Visa Merchant Rules for details)
  • Automated reminders if they don’t pay (solutions vary widely how this works)
  • Customer visibility to credit outstanding; ability to self-free up credit to buy more
  • Reduced calls to accounts receivable for questions about what invoices are outstanding


There are wide differences in payment gateways, and the related solutions. The best solution varies depending on the business type.

Critical needs for business to business:

  • Level III processing supported for all payment channels
  • Collections automation
  • Flexibility – the average merchant changes processors every three years; choose a gateway independent of the processor to avoid business disruptions
  • 3 D Secure (Vbyv and MasterCard Secure) – card not present fraud is expected to rise dramatically with US EMV adoption
  • Tokenization – empower customers to self store and manage payment methods
  • Card Updater – if applicable for recurring service

CenPOS is a merchant centric, end to end payment engine that meets all omnichannel and critical business to business needs. For sales and integrations, contact Christine Speedy 954-942-0483.


Video: PCI Compliant credit card authorization forms

[leadplayer_vid id=”54B6A1C6BEACD”]

Token billing solves the problem of storing credit card data for recurring billing customers, but that doesn’t fix the merchant problem of replacing credit card authorization forms.

Video Transcript: Meet Mary.  She manages accounts receivable. The problem is credit card security. Customer approval is needed for accounts on file. Image credit card authorization form. But there’s no secure way to store the authorization without also storing the credit card number and security code.

Until now. Introducing 3D Merchant Services. Cloud payment solutions that work with YOUR financial partners. Here’s how it works. Create a token. Image iphone, computer with virtual terminal screen, batch upload, point of sale, and integrated solutions. Anywhere.  Or have customers create and manage their own. Electronic bill presentment and payment, ecommerce, online payments. And then, for every token created, a prefilled form is automatically created! PCI DSS compliant.

Charge cards in seconds. Rocket blasting. ACH? Ditto. Efficient, secure, processor neutral, Level III processing, YES.

Call 3D Merchant Services 954-942-0483 for a demo and free trial.

Author: Christine Speedy. “PCI compliance is virtually impossible without a technology solution.  The right payment gateway selection is critical to merchant success and reduced PCI burden.”


Identify transaction using token vs without token : CenPOS FAQ

tokenization for credit card sale cenpos

Segment of receipt that identifies whether a token was used for credit card transaction via CenPOS.

Is there a CenPOS report that I can print that shows if a token was used rather than a credit card number was keyed?  Yes, by pulling a Repeat Sale report. All transactions using a token are sent with the “Repeat Sale” process indicator, in accordance with card acceptance rules. For on demand reports, login to the virtual terminal.

  • Choose Reports> Reprint to include all attempted transactions.
  • Choose Reports> Transactions to include only settled transactions.
cenpos reports field change view

If you don’t see the “Processed” column in reports, click the show/hide columns button shown  at far right.

report fields checkboxes cenpos

To view only transactions in which a token was used, enter "repeat" in the filter field

To view only transactions in which a token was used, enter “repeat” in the filter field.

Use the icons in the upper right of report to print or export and paste into excel. Do you need this report regularly? With the executive dashboard report writer, create a report with any criteria and have it automatically delivered to any email group on any schedule.


3Delta Systems vs CenPOS for omnichannel credit card processing with level III data

How do these secure payment platforms compare for omnichannel merchants credit card and debit card processing? This is a follow up article to the last review which highlighted electronic bill presentment and payment.

Payment Gateway Features As Listed on 3 Delta Systems 8/5/2014

Payment Channels Supported 3 Delta Systems
 Online Payments checkmark yes checkmark yes
 Batch Upload checkmark yes checkmark yes
 EBPP- electronic bill presentment & payment checkmark yes checkmark yes
Retail Swipe checkmark yes
 Mobile checkmark yes

3Delta and CenPOS are both integrated into various software and ERP solutions, and both support level III processing, critical for business to business (B2B) merchants. ACH and RDC are also supported for check processing.

CenPOS notes: Tokens created on the CenPOS platform are shared across all channels and optionally across all merchant locations, per merchant defined rules. Level III processing is available via all channels except mobile, due to the limited screen space on mobile devices. Signature capture is supported for retail. Integrations available

Processors* 3Delta CenPOS
 First Data Merchant Services – North checkmark yes **
First Data Merchant Services – South checkmark yes
First Data Merchant Services – Nashville checkmark yes
Global Payments – East checkmark yes
Paymentech checkmark yes checkmark yes
TSYS* checkmark yes checkmark yes
Vantiv checkmark yes checkmark yes
WorldPay checkmark yes checkmark yes
Elavon checkmark yes
Moneris (includes Canada) checkmark yes
Valitor (Europe +) checkmark yes
Grupo Evertec Panama checkmark yes

* Using TSYS, merchants can connect to most USA processors, even if not shown, or if shown with a red ‘No’ symbol.

** Connectivity to First Data varies by merchant need

CenPOS is certified for level III processing for all processors listed; not applicable for Valitor and EPX- level III processing rates not available outside US.

About 3 Delta Systems Inc. – based in Chantilly, VA – is a payment solutions company whose innovative, Internet-based systems for processing credit cards and purchase cards deliver peace of mind to B2B and B2G customers by increasing their productivity, cutting operating costs, lowering business risk and strengthening security.

About CenPOS – “Creating efficiencies through payment innovation”
CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS’ secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships. Call (954) 942-0483 for authorized reseller Christine Speedy.