3 Ecommerce Checkout Payment Problems

Posted on September 24, 2018 by Christine Speedy

Use of a PCI compliant payment gateway does not make a company PCI compliant, compliant with card network acceptance rules, or compliant with best practices to maximize profits. In other words, if you follow best practices and comply with all the rules, you’ll have a more secure and profitable company. A key ingredient to compliance is the payment gateway, however, the payment gateway has no specific requirement to ensure your compliance with all the card network rules and best practices, just those that pertain to Payment Card Industry Data Security Standards.Here’s a few costly merchant problems:

Lack of brute force attack tools. These help prevent bots from testing thousands or millions of cards on your checkout form. The merchant is liable for all of the attempted transaction fees on the payment gateway and on the acquiring. A simple first line of defense is adding recaptcha. See Visa best practices to prevent brute force attacks. https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html.
Non-compliance with Visa Stored Credential Mandate, effective October 14, 2017? I’ve written extensively on this, for example here’s a B2B steps to compliance article. There are multiple elements, and many payment gateways do not yet have solutions, especially for ‘Unscheduled credential on file’. Do you have a checkbox in the sequence of checkout opting in to terms? https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf.
Invalid authorizations. This is the most costly as it can lead to consumer generated chargeback, issuer chargeback, non-qualified interchange rates and penalty fees. Here’s a story about the new .25% MasterCard integrity fee. Do you have Standard/STD, EIRF, or Data Rate I on your merchant statement under interchange fees? Then you have an authorization problem.
Cardholder authentication limitations. The security code has historically not been enough evidence to win customer disputes about unauthorized charges. With 3-D secure, fraud liability shifts to the issuer. Effective April 2019 based on region and industry, Visa mandates many merchants use Visa 3D Secure 2.0. Reference Table 5-18: Acquirer Support of Verified by Visa, Visa Public Rules.

The solution to all of the above is replacing outdated payment gateway technology with new technology that will help automate compliance with card network rules, while reducing PCI Compliance burden.

Why comply? Here’s an example of the cost difference between valid and invalid authorization.

Resources and documentation /blog/merchant-bulletins-downloads – bookmark it!. Join Christine Speedy’s email list.

DISCLAIMER: condensed and incomplete information! Information may be quickly outdated.

Need a solution? Call Christine Speedy, 954-942-0483, 9-5 ET, CenPOS authorized global reseller based out of South Florida and New York. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

Visa, Mastercard reach $6.2B settlement in class-action lawsuit

Posted on September 18, 2018 by Christine Speedy

The largest-ever class action settlement of an antitrust case appears to be nearing an end. Visa Inc, MasterCard Inc, and banks including Bank of America, J.P. Morgan Chase and Citigroup, have agreed to pay $6.2 billion as part of the settlement.

The class-action lawsuit was filed in 2005 by merchants who alleged card companies set credit-card fees and card-acceptance rules that benefit the banks, which owned Visa and MasterCard at the time. Both are now public companies. It was previously settled in US District Court but thrown out on appeals. After throwing out the the settlement, the court divided the merchants’ claims into two separate classes, one for monetary damages and the other for Visa and Mastercard’s business practices. This settlement is for the class focused on monetary damages.

What do merchants need to do? Nothing. The settlement must still be approved by a court. Further information will be released at a later date.

Recurly Visa Stored Credential Framework blog omission

Posted on September 10, 2018 by Christine Speedy

A Recurly blog article “How Recurly is Supporting Visa’s Stored Credential Framework” has some misinformation. The cited dates are incorrect and merchant responsibilities are understated. Why is that important? Most payment gateways and technology solution providers are not keeping up with the rapid pace of rules and compliance changes, impacting merchant profits and risk. Therefore, payment technology vendor selection, including payment gateway selection, is critical.

Recurly, like others in the cloud solutions space, is partially dependent on their partners to keep their clients in compliance with a myriad of rules. When should technology partners alert their integrated solutions partners about industry changes affecting their mutual clients? Solutions providers and merchants are getting inaccurate advice, or none at all, from trusted advisors, technology providers, and consultants of all sizes and sources.

“As soon as Visa released the news in their Merchant Business News Digest in August 2017, Recurly began reaching out to our gateway partners to get ahead of the work required to fulfill the mandates.” The real dates were much earlier than cited. Visa typically announces at least one year in advance of due dates for any significant change, which this update is. Updates were in the October 2016 Visa Core Rules and Visa Product and Service Rules rules, citing changes coming in April and October 2017. On April 27, 2017 Visa published further information for merchants via the Stored Credential Framework document, which also references prior articles published on the subject dating back to 2016.

For most merchants, the mandate went into effect October 14, 2017, not April 2018, however, Visa did announce a delay in compliance action to April 2018.

From Recurly, “There is no action needed from our customers.” While technology solutions and payment gateways manage technical aspects for compliance, there’s much that’s left to merchants. Here’s an excerpt from the Stored Credential Framework document:

Merchants and their third-party agents, payment facilitators, or stored digital wallet operators that offer cardholders the opportunity to store their credentials on file must:
• Disclose to cardholders how those credentials will be used.
• Obtain cardholders’ consent to store the credentials.
• Notify cardholders when any changes are made to the terms of use.
• Inform the issuer via a transaction that payment credentials are now stored on file.
• Identify transactions with appropriate indicators when using stored credentials.

I strongly recommend reading Visa Core Rules Table 5-20: Requirements for Prepayments and Transactions Using Stored Credentials and Disclosure to Cardholder and Cardholder Consent. For example, how will you provide proof of cardholder consent (think time and date stamp) upon request? Are you providing the required receipt with proper format for zero dollars when storing a card without running a transaction?

Note: This article is not a review, endorsement or complaint about the quality of Recurly services which I have never used. It is simply identifying errors and omissions related to the stored credential mandate that may impact merchant profits, risk and decision making. I would have written in their blog comments, but it wasn’t available. When choosing a payment gateway, consider how agile they’ve been in meeting deadlines for changes, and how they’ll help reduce compliance burden, among other factors.

Christine Speedy, CenPOS Authorized Reseller, 954-942-0483 is a PCI Council QIR certified professional based out of South Florida, near Fort Lauderdale, and Rochester, NY, with extensive payment gateway experience. Christine can uniquely help merchants and technology providers navigate the complexities of PCI, acquirer, and card brand compliance rules.

FRAUDSTERS TARGETING CALL CENTER CHAT AND NON-VOICE CHANNELS

Posted on August 15, 2018 by Christine Speedy

Visa Security Alert to the risk of online chat solutions and non-voice channel services within call centers and merchant online environments, which are expected to increase along with artificial intelligence. There are known instances where threat actors compromised online chat service providers and were able to distribute malware to merchant clients designed to intercept payment card data during checkout.

Read the story here in the Visa library for merchants. https://usa.visa.com/support/merchant/library.html

The Visa alert also points out the importance of verifying your technology partners are secure and compliant. This is especially interesting in the context of this article.

The Visa Global Registry of Service Providers is Visa’s designated source for information on registered and PCI DSS-validated agents that provide payment-related services to Visa clients and merchants. Service providers that store, process or transmit Visa payment data must be registered with Visa and demonstrate PCI DSS compliance. All of the links in this article can be found on the merchant rules and PCI compliance links

Christine Speedy, CenPOS Global Sales, 954-942-0483 is a PCI Council QIR certified professional based out of South Florida, near Fort Lauderdale, and Rochester, NY.

Equipment Rental Credit Card Processing Rules Change

Posted on June 7, 2018 by Christine Speedy

Bobcat, Caterpillar, and other companies that offer rental equipment, all are impacted by new credit card processing rules for rentals.

While businesses expect their software, including ERP, Point of Sale, and ecommerce shopping carts to help them manage compliance with credit card acceptance rules, the reality is that many don’t. Compliance increases profits; non-compliance increases new chargeback risks, interchange fees, penalty fees and authorization declines.

Traditional desktop terminals don’t support the new transaction data requirements. If merchant is not using EMV chip device, now is the time to upgrade to a cloud-based solution and fix two problems at once. Rental merchants cannot meet both card acceptance and Payment Card Industry Data Security Standards compliance requirements using traditional paper credit card authorization forms. Cloud technology and a compliant payment gateway are needed. For example, pair the Verifone MX 915 with the CenPOS validated Point to Point Encryption (P2PE) solution and use either a standalone or integrated to ERP such as Microsoft Dynamics AX.

Key elements for compliance:

Initial authorization transaction must send new transaction indicator that it’s an estimate; the final amount could change for example because the renter kept it longer or damaged the equipment. This is technically managed by the payment gateway.
If applicable, send incremental authorizations with related indicator.
If storing the card, the Visa Stored Credential mandate outlines the specific requirements for agreement with customer, cardholder authentication, and procedures to use a stored card on file. For example, perform cardholder authentication with either security code or 3-D Secure. 3-D Secure can only be invoked if the customer self-pays; it shifts friendly fraud liability to the issuer and merchants can also qualify some cards for even lower interchange rates.
Update language in agreements for opt-in to terms and conditions as required by Visa.

Card issuers and acquirers were mandated to be compliant in 2017, and merchants by October 2017, however, there’s no mandate for payment gateways. Even if an existing payment gateway supports the new requirements, merchants must make changes. Visa is the most complex, however other brands have similar rules.

From tokenization to Express Checkout, CenPOS creates a seamless commerce experience throughout the enterprise. Innovations, including Express Checkout via text or email, help businesses maximize profit in all departments. CenPOS takes the heavy lifting out of payment acceptance offering a range of solutions that simplify every aspect of implementing, operating and maintaining a payment system enabling merchants to focus on their business. CenPOS Express Checkout via text or email includes 3-D Secure capability as part of a layered security approach.

CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships. Powered by its enterprise-class, end-to-end transaction engine, CenPOS’ secure, cloud-based solutions seamlessly integrate with a merchants existing infrastructure minimizing disruption and saving time and money. Committed to a merchant-centric approach CenPOS provides a one-to-one level of service and support, enabling merchants to focus on their core business.

Headquartered in Miami, Florida, CenPOS is reshaping the future of commerce through technology innovation and the secure, flexible and simple solutions this enables. Christine Speedy, CenPOS Global Sales, 954-942-0483.

Reference:

https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf

See also core rules, especially section 5 https://usa.visa.com/dam/VCOM/download/about-visa/visa-rules-public.pdf

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Card Not Present, CenPOS, credit card processing

B2B Cloud payment processing technology blog about increasing profits, efficiency and security.

Tag Archives: visa