Are You Compliant? B2B Credit Card Processing Fact Check

Merchant compliance with various credit card processing rules maximizes profits while mitigating risk. This is especially true for business to business companies. But that task is getting harder and harder with the onslaught of new rules, and virtually impossible if not using a sophisticated cloud solution to help manage compliance.

If your B2B company stores credit cards, there’s a pretty good chance you’re not compliant. For example, Visa’s 2017 Stored Credential Transaction framework (PDF download from Visa) outlines merchant responsibilities for obtaining customer consent, storing credit cards, using stored credentials (tokens), and managing stored tokens. Failure to comply with authorization rules, for example when the preauthorization and final settlement do not match, has far-reaching consequences including higher interchange rates (the bulk of credit card processing fees), penalty fees and new chargeback risks. With so many new rules across multiple card brands that vary based on business and transaction type, how can a business quickly ascertain if they’re compliant?

Quick tips to validate compliance:

  1. Is cardholder authentication performed when a new card is stored? When the cardholder data is entered and submitted, the issuer responds with an approval or decline message. Submitting a small charge for approval is not an acceptable practice; instead, a zero dollar authorization request is submitted for authentication. If authentication is via 3-D Secure (Verified by Visa, MasterCard SecureCode), whereby the customer self-authenticates rather than the merchant initiating, reduced rates may apply. Under the new rules, two transactions occur at the time a card is stored. Compliant answer is yes.
  2. Is a transaction receipt delivered to the customer when you store a credit card? This will be either for an amount or a zero dollar authorization. When a stored credit card credential (token) is created, a transaction receipt is generated with the approval or decline and other mandatory fields. Compliant answer is yes.
  3. Does the receipt include “RECURRING” or “REPEAT SALE” for token transactions? Compliant answer is yes.
  4. Review merchant statements, usually the last 1-2 pages with the heading “pending interchange” or “fees” section. Do you see EIRF, STANDARD (STD), or DATA RATE I? Compliant answer is no.
  5. Can you produce documentation of customer consent to store their card (including with 3rd party service) and how it will be used?

If you’re not in compliance, your payment gateway is the most likely culprit, followed by an ERP or other software integration limitation. I can fix that.

Reference: Links for all Card brands.

Need help getting compliant?

Call Christine Speedy for simple solutions to complex payment transaction problems, 954-942-0483, 9-5 ET. CenPOS authorized reseller based out of South Florida and NY. CenPOS is an integrated commerce technology platform driving innovative, omnichannel solutions tailored to meet a merchant’s market needs. Providing a single point of integration, the CenPOS platform combines payment, commerce and value-added functionality enabling merchants to transform their commerce experience, eliminate the need to manage complex integrations, reduce the burden of accepting payments and create deeper customer relationships.

3 Things CPAs Must Advise B2B Clients in 2018

Accountants offer professional advice regarding cash flow, accounts receivable, tax preparation and all sorts of other consulting. Credit card processing introduced immense new compliance challenges in 2017, and it’s fair to say most businesses have no idea what they are, or what the repercussions are. A big problem is that people think it’s someone else’s responsibility to keep their business compliant. Every single merchant must make internal changes to comply.

Three things every B2B company needs to know about credit card processing right now:

  1. If you store credit cards, you must be compliant with Visa Stored Credential Framework. This is arguably as huge as the retail shift to EMV chip card acceptance. There are significant financial and risk consequences for non-compliance. Some solutions companies reduce the compliance burden more than others, while maximizing profits and cash flow.
  2. The PCI Compliance mandate for TLS disablement will disrupt business, mostly starting right now, February 2018. Businesses need to ensure their servers, software (if applicable) and browsers are compliant, and also have a plan to help internal and external customers overcome issues when trying to log in to portals, make online payments, etc.
  3. It’s a Visa rules violation to request the card security code on a paper credit card authorization form, or any digital form where the business can decrypt and view it. It can’t be stored, period. Not by the merchant nor service provider, including payment gateway.

Why these 3 things? Because 100% of B2B companies I talk to will fail on at least one, and usually two or three. That includes CPA firms also. 86% of all data breaches in 2016 were from level 4 merchants, defined as “Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants — regardless of acceptance channel — processing up to 1M Visa transactions per year.” By complying with the three items on my list, B2B companies will harden their systems and increase profits. The latter occurs because compliance with rules reduces fees. 

Examples of solutions to these problems:

  1. An intelligent payment gateway can automate compliance with many elements of the Visa Stored Credential Framework. Simply passing data as most payment gateways do is not enough.
  2. Engage internal or external IT team to test all systems for TLS compliance, and verify at SSLlabs.com.
  3. Empower customers to self pay via push (text or email), or pull (online hosted pay page) technology so that employees never have access to cardholder data again. Whatever the old justification for using paper forms with full card data, there is a technology solution that has negated the need.

Christine Speedy, CenPOS authorized reseller, 954-942-0483. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

Delay in Compliance Action for Visa Stored Credential Framework

From the Visa Merchant Business News Digest, October 17, 2017.

In the 1 September 2016 edition of the Visa Business News, Visa introduced new rules related to credential-on-file transactions, including merchant disclosure requirements and transaction identifier requirements, which went into effect for merchants and acquirers on 14 October 2017.

However, based on stakeholder feedback, and after assessing market readiness and taking into account the holiday season system freeze, Visa will extend the time to make the necessary system changes until 30 April 2018.

While the rule is still effective as of 14 October 2017, Visa will not take any compliance action or assess non-compliance assessments to non-compliant entities prior to 30 April 2018. Entities that comply with the rule by 30 April 2018 will not be required to submit a waiver request to Visa.

https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html

End Visa bulletin.

The stored credential framework applies to all merchants that store credit cards. Note, while some stakeholders were not ready as per the above statements, CenPOS was. CenPOS replaces other payment gateways, for example authorize.net, as well as solutions such as BillTrust, while enabling customers to keep their acquirers and other partners.

See more info here https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf


Visa ID Intelligence Moves Payment Security Beyond Passwords

Biometrics and other authentication technologies help the payment industry create seamless and secure commerce experiences

SAN FRANCISCO–(BUSINESS WIRE)–Oct. 19, 2017– Visa (NYSE:V) today announced Visa ID Intelligence, a platform that allows issuers, acquirers and merchants to quickly adopt emerging authentication technologies and create more secure and convenient ways for consumers to shop, pay and bank on their connected devices. Available through Visa Developer Platform, Visa ID Intelligence offers a curated selection of leading third-party authentication technologies with simple integration using Visa APIs and SDKs—allowing clients to create, test and adopt new authentication solutions.

The Internet of Things is expected to grow to 20 billion connected devices by 2020, exponentially expanding the devices and environments in which commerce can take place—from wearables, such as rings and watches, to home personal assistants and connected cars. Many of these devices are voice activated and not designed for typical passwords—requiring a new approach to authentication, such as face, fingerprint or voice recognition, document verification, or device and user identification. A 2017 Visa survey showed that 69 percent of US consumers believe that biometric authentication will make payments easier than using passwords.

“A consumer encounters many authentication moments during the course of a day, whether making a payment, checking a balance, or sending money to family and friends,” said Mark Nelsen, senior vice president of risk and authentication products, Visa. “But traditional methods for authenticating a customer can create frustration or are simply not designed for the new ways people are shopping and paying. We built Visa ID Intelligence to help accelerate smarter and easy-to-use authentication solutions for any commerce environment—to better protect against fraud and to move closer to a world without passwords.”

Recent Aite Group research found that, as the speed and complexity of fraud and cyberattacks increases, institutions and companies must look to nimble technology solutions that provide consumers with security as well as convenience. While many competitors offer solutions, not all of them are ideal for the payments industry and the high level of privacy, security and regulatory oversight that are required for financial transactions. Financial institutions and merchants can adopt effective and secure solutions and accelerate time-to-market with streamlined onboarding and implementation through Visa as a single trusted source. Visa has vetted technology providers to ensure they meet industry expectations for security and consumer privacy, including onsite Visa security assessments, penetration testing, and ongoing compliance audits. The platform also enables simplified contracting, saving clients potentially months of negotiations.

“Financial institutions and merchants are working hard to create streamlined and delightful digital experiences,” said Julie Conroy, research director, retail banking practice, Aite Group. “At the same time effective consumer authentication is critically important, given the escalating cyber threat landscape. The good news is that a variety of technologies can help businesses find the win-win, providing superior security while at the same time removing unnecessary friction.”

Authentication Capabilities

Today, Visa ID Intelligence features include:

  • Identity Documents – evaluates identification documents and matches selfies to photo IDs (e.g., driver’s license, passport, military ID), while extracting and converting document information into digital form. This authentication process can help financial institutions or merchants make smarter decisions and instantly provision banking services. Uses include creating new accounts, and as an alternative to customer service calls to perform password reset and lost or stolen card replacement. Au10tix provides identity document services through the Visa ID Intelligence platform.
  • Biometrics – allows clients to use biometrics such as face, fingerprint and voice to create simpler authentication experiences that meet consumer needs for convenience, security and speed. Applications include app login, payments, step-up authentication, and more. Daon, a global authentication and identity assurance solutions provider, will offer Visa ID Intelligence biometric authentication services.

Visa ID Intelligence offerings will expand in 2018 to user data and device data to improve digital identity decisioning, working with Neustar and ThreatMetrix. More information about Visa ID Intelligence can be found at www.visaidintelligence.com.

About Visa Inc.

Visa Inc. (NYSE: V) is the world’s leader in digital payments. Our mission is to connect the world through the most innovative, reliable and secure payment network—enabling individuals, businesses and economies to thrive. Our advanced global processing network, VisaNet, provides secure and reliable payments around the world, and is capable of handling more than 65,000 transaction messages a second. The company’s relentless focus on innovation is a catalyst for the rapid growth of connected commerce on any device, and a driving force behind the dream of a cashless future for everyone, everywhere. As the world moves from analog to digital, Visa is applying our brand, products, people, network and scale to reshape the future of commerce. For more information, visit usa.visa.com/aboutvisa, visacorporate.tumblr.com and @VisaNews.

Source: Visa Inc.

Magento Developer Alert: Visa Mandate and Payment Gateways

How can Magento developers help merchants get compliant with the Visa Stored Credential Transaction framework and mandates effective October 14, 2017?

Drive your profits while helping clients keep compliant with fast changing credit card processing rules.

Step by step guide:

How will clients manage consent record requirements? See Improving Authorization Management for Transactions with Stored Credentials https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf . Will the gateway provide a checkbox for consent records and the ability to retrieve records on demand? (I called authorize.net on October 2 and they advised they will not offer this service, and will leave it up to merchants.) Will you develop a custom application to include opt-in date, time and other requirements, plus storage and retrieval capability? Will you advise merchants to choose a technology solution, including a payment gateway, that will manage this automatically? CenPOS, a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money while improving their customer engagement, will provide an automated solution for clients. Contact me for the plugin.

Update terms and conditions. Ensure online order terms include sale, refund and cancellation policies. Add a checkbox for customer opt-in to terms, including online payments. CenPOS has an opt-in box and you can customize the text.

Verify if there’s a system to manage authorization validity. What the heck does that mean? Many businesses, especially B2B companies, have complex needs including pre-authorizations, incremental authorizations, delayed shipping, etc. While merchants may get issuer approvals, that doesn’t mean the authorization is valid. The two most common rules businesses struggle with are “Settlement within 72 hours” for card not present sales, and “Authorization amount and settlement amount must be equal”. (I asked authorize.net support about both items on October 2 and was told they do not offer an automated solution.) CenPOS automates compliance. Other payment gateways are incapable or may leave it up to developers to create a solution. How can a developer verify if a merchant has an issue? Ask clients to look at the ‘pending interchange fees’ section of their merchant statement. If you see EIRF or STD, that’s a red flag that there’s a problem.
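One way to audit exported transactions against the two rules quoted above (an added example, not code from CenPOS, authorize.net or Visa). The record fields, finding names and sample rows are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from decimal import Decimal
from typing import Optional

# Rule as quoted in the text: "Settlement within 72 hours" for card not present sales.
SETTLEMENT_WINDOW = timedelta(hours=72)

@dataclass(frozen=True)
class Txn:
    # Hypothetical record layout; map these to your gateway's export columns.
    ref: str
    card_present: bool
    authorized_at: datetime
    auth_amount: Decimal
    settled_at: Optional[datetime] = None
    settle_amount: Optional[Decimal] = None

def check_authorization_validity(txn, now):
    """Return the rule findings for one transaction; an empty list means none."""
    findings = []
    if txn.settled_at is None:
        # Open authorization: a finding as soon as the window has lapsed.
        if not txn.card_present and now - txn.authorized_at > SETTLEMENT_WINDOW:
            findings.append("unsettled_past_72h")
        return findings
    # The text states the 72-hour rule for card not present sales only.
    if not txn.card_present and txn.settled_at - txn.authorized_at > SETTLEMENT_WINDOW:
        findings.append("settled_after_72h")
    # "Authorization amount and settlement amount must be equal".
    # Decimal keeps currency comparison free of float rounding noise.
    if txn.settle_amount != txn.auth_amount:
        findings.append("amount_mismatch")
    return findings

def audit(txns, now):
    """Map transaction ref -> findings, keeping only transactions with findings."""
    report = {}
    for txn in txns:
        findings = check_authorization_validity(txn, now)
        if findings:
            report[txn.ref] = findings
    return report

def ts(day, hour):
    """Constructed timestamp helper: a UTC time in October 2017."""
    return datetime(2017, 10, day, hour, tzinfo=timezone.utc)

NOW = ts(20, 12)
SAMPLE = [  # constructed rows, not real merchant data
    Txn("INV-1001", False, ts(16, 9), Decimal("250.00"), ts(17, 9), Decimal("250.00")),
    Txn("INV-1002", False, ts(10, 9), Decimal("1200.00"), ts(15, 9), Decimal("1200.00")),  # delayed shipping
    Txn("INV-1003", False, ts(18, 9), Decimal("500.00"), ts(19, 9), Decimal("462.18")),    # pre-auth, short ship
    Txn("INV-1004", False, ts(12, 9), Decimal("300.00")),                                  # never captured
    Txn("INV-1005", False, ts(19, 9), Decimal("80.00")),                                   # still inside window
    Txn("INV-1006", True, ts(10, 9), Decimal("45.00"), ts(16, 9), Decimal("45.00")),       # card present
]

if __name__ == "__main__":
    for ref, findings in audit(SAMPLE, NOW).items():
        print(ref, ", ".join(findings))
```

Transactions flagged here are the ones to compare against the EIRF or STD lines on the merchant statement.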

Create a hosted pay page. B2B businesses almost always have more than one sales channel, and use of paper credit card authorization forms is common. They need help to eliminate them. You already have the SSL certificate, so it’s a natural add-on to provide clients a secure web page with an iframe solution to collect payments. With CenPOS, end customers can use the same stored credential in Magento and the pay page, for both credit card and ACH.

Prevent brute force attacks. System hardening is a PCI compliance requirement. See Visa best practices to prevent brute force attacks: https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html. CenPOS includes reCAPTCHA, client-managed velocity rules and other rules as part of a layered security approach.

Payment Gateway checklist:

  • Verify payment gateway will send correct transaction data and flags for the initial transaction and subsequent transactions.
  • Advise clients to set gateway for zero dollar authorization when storing a new card.
  • Ensure client is registered for 3-D Secure and it’s enabled.
  • Confirm if gateway will automatically flag a transaction as customer initiated stored credential or merchant initiated stored credential (automated recurring billing). Additionally, the merchant initiated transaction must be sent with the MOTO indicator, not ecommerce.
  • Does gateway support level 3 data?

CenPOS manages all compliance and other items seamlessly in the background.

Communicate with clients. Advise that any upcoming changes will increase efficiency and security for everyone. Advise clients to learn more about CenPOS payment gateway – call Christine Speedy, 954-815-6040.

Why comply? With full compliance and following my recommendations, merchants can expect better qualified interchange rates, increased approvals (avoid declines based on issuer risk averse algorithms), reduced PCI Compliance burden, fraud liability shift to issuer and increased efficiency for both buyer and seller. The cost of non-compliance is hefty, including higher interchange rates, penalty fees, and risk of both issuer and cardholder chargebacks.

[Image: interchange rate qualification]

The same transaction can process at different rates as shown above, depending on which rules you follow. CenPOS Smart Rate Selector automates compliance to qualify transactions at the lowest rate possible. Which rates are on your merchant statement now?

Magento developer billing: Developers also need to comply with recurring billing requirements for your sales. What’s worked before is not compliant; everyone needs to change.

Resources and documentation: /blog/merchant-bulletins-downloads – bookmark it! Join Christine Speedy’s email list.

DISCLAIMER: condensed and incomplete information! Information may be quickly outdated.

With the fast pace of changing rules, developers need a technology partner to automate compliance. Did you know?

  • For those not ready to give up paper, CenPOS creates a printable PCI Compliant credit card authorization form for every stored card.
  • CenPOS has ERP, ecommerce shopping cart, accounting and other plug-in modules available for quick and easy implementation.
  • I’ve been selling for CenPOS since day 1. Though I have other payment gateways available in my arsenal, nothing else compares for meeting business to business needs.

Christine Speedy, CenPOS authorized reseller, 954-942-0483 is based out of South Florida and NY. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.