B2B Steps to Visa Stored Credential Mandate Compliance

How can merchants get compliant with the Visa Stored Credential Transaction framework and mandates effective October 14, 2017?

Step by step getting started guide for B2B merchants:

Plan how you’ll comply with consent record requirements. See Improving Authorization Management for Transactions with Stored Credentials: https://usa.visa.com/dam/VCOM/global/support-legal/documents/stored-credential-transaction-framework-vbs-10-may-17.pdf. Are you going to manage documenting everything or are you going to use technology to help you manage it? Ask your gateway if they’re going to provide a checkbox for consent and if you’ll be able to pull the opt-in records on demand. CenPOS, a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money while improving their customer engagement, automates multiple elements for clients.


Partial CenPOS PCI Compliant stored credential authorization form.

Update workflow and documents. Ensure your sales order or associated credit documents include sale, refund and cancellation policies. Add a checkbox for customer opt-in to terms, including online payments. CenPOS has an opt-in box and you can customize the text.

Verify if you have a system to manage authorization validity. What the heck does that mean? Many B2B companies have complex needs including pre-authorizations, incremental authorizations, delayed shipping etc. While you may get issuer approvals, that doesn’t mean the authorization is valid. The two most common rules B2B businesses struggle with are Settlement within timeframe for card not present sales, and Authorization amount and settlement amount must be equal. Per Visa Core Rules October 2017, for typical distributor and manufacturer card not present transactions, the authorization must settle no later than 7 calendar days from the date of the initial Approval Response. CenPOS automates compliance. Other payment gateways are incapable or may leave it up to developers to create a solution. Are you compliant now? Look at your merchant statement ‘pending interchange fees’. If you see EIRF or STD, that’s a red flag there’s a problem.

Replace paper credit card authorization forms, and any digital form that you can decrypt and view sensitive card data. Offer your customers a way to self-manage their own wallet with either a hosted online pay page or Electronic Bill Presentment & Payment. CenPOS offers both options, including a lite ‘request a payment’ option, and lets your customers choose both text and email. For those not ready to give up paper, CenPOS creates a printable PCI Compliant credit card authorization form for every stored card.

New to online payments? See Visa best practices to prevent brute force attacks: https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html. CenPOS includes reCAPTCHA and client managed velocity and other rules as part of a layered security approach.

Verify your gateway is ready or will be ready to send correct transaction data for the initial transaction and subsequent transactions for both customer initiated and merchant initiated use of the stored credential.  You’ll want the payment gateway to perform a zero dollar authorization and authenticate the cardholder with 3-D Secure. Ask your gateway if it will automatically flag a transaction as customer initiated stored credential or merchant initiated stored credential, or if they’ll require you to have multiple gateway accounts, one for each type. CenPOS does all this for you now in a single account.

Get an ecommerce merchant account. This is needed for online payments. Don’t run mail order telephone order (MOTO) transactions on the ecommerce account unless you know your payment gateway can alter the flag sent with transaction to change the transaction type. Many cannot. CenPOS manages all compliance seamlessly in the background; whether you need multiple merchant accounts varies by acquirer/processor.

Register for 3-D Secure, including Verified by Visa, with your acquirer. Don’t do this until you know which payment gateway will be used and get their instructions if applicable.

Communicate with customers. Advise any upcoming changes will increase efficiency and security for everyone.
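
An added example, not CenPOS or Visa code: a check of the two authorization-validity rules named in the step above (settlement no later than 7 calendar days from the initial approval, and equal authorization and settlement amounts), run over constructed records. The record layout, finding codes and one-day warning margin are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal
from typing import Optional

# Window quoted on this page for typical card-not-present distributor and
# manufacturer sales; other merchant types may have different limits.
SETTLEMENT_WINDOW = timedelta(days=7)
WARN_MARGIN = timedelta(days=1)          # assumed early-warning margin


@dataclass
class Authorization:                     # hypothetical record layout
    order_id: str
    approved_on: date                    # date of the initial Approval Response
    authorized: Decimal
    settled_on: Optional[date] = None    # None = still open
    settled: Optional[Decimal] = None


def check(auth: Authorization, today: date) -> list:
    """Return finding codes for one authorization; an empty list is clean."""
    deadline = auth.approved_on + SETTLEMENT_WINDOW
    findings = []
    if auth.settled_on is None:
        # Open authorization: is it past, or about to pass, the window?
        if today > deadline:
            findings.append("EXPIRED_UNSETTLED")
        elif deadline - today <= WARN_MARGIN:
            findings.append("EXPIRING_SOON")
        return findings
    if auth.settled_on > deadline:
        findings.append("LATE_SETTLEMENT")
    if auth.settled != auth.authorized:
        findings.append("AMOUNT_MISMATCH")
    return findings


def audit(auths, today: date) -> dict:
    """Map order_id -> findings for every authorization with a problem."""
    report = {a.order_id: check(a, today) for a in auths}
    return {k: v for k, v in report.items() if v}


# Constructed sample data, not real transactions.
D, A = Decimal, Authorization
TODAY = date(2017, 10, 20)
SAMPLE = [
    A("SO-1001", date(2017, 10, 10), D("100.00"), date(2017, 10, 12), D("100.00")),
    A("SO-1002", date(2017, 10, 10), D("500.00"), date(2017, 10, 19), D("500.00")),
    A("SO-1003", date(2017, 10, 15), D("250.00"), date(2017, 10, 16), D("240.00")),
    A("SO-1004", date(2017, 10, 10), D("75.00")),
    A("SO-1005", date(2017, 10, 14), D("75.00")),
    A("SO-1006", date(2017, 10, 18), D("75.00")),
]

if __name__ == "__main__":
    for order_id, findings in audit(SAMPLE, TODAY).items():
        print(order_id, ", ".join(findings))
```
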

Why comply? With full compliance, merchants can expect better qualified interchange rates, increased approvals (avoid declines based on issuer risk averse algorithms), reduced PCI Compliance burden, and increased efficiency for both buyer and seller. The cost of non-compliance is hefty, including higher interchange rates, penalty fees, and risk of both issuer and cardholder chargebacks.  

[Image: interchange rate qualification]

The same transaction can process at different rates as shown above, depending on which rules you follow. CenPOS Smart Rate Selector automates compliance to qualify transactions at the lowest rate possible. Which rates are on your merchant statement now?

Why should developers choose CenPOS for their integrated payment gateway? CenPOS has native modules for ERP, shopping cart, accounting and other software.

  • Increase profits faster
  • More efficient, quicker reconciliation
  • More secure- from Encrypted Virtual Keypad to elimination of credit card auth forms
  • More robust- Wire, ACH, check, Paypal, credit card and more; text and email payments supported. No 3rd party Electronic Invoice solution needed such as BillTrust; CenPOS invoice portal and automated collections included.

Where can I buy CenPOS or learn more? You’ve already found one of the top salespeople, Christine Speedy. All agreements are direct with CenPOS, no middle man.

Resources and documentation: https://3dmerchant.com/blog/merchant-bulletins-downloads (bookmark it!). Join Christine Speedy’s email list.

DISCLAIMER: condensed and incomplete information! Information may be quickly outdated.

With the fast pace of changing rules, companies need a technology partner to automate compliance. Did you know?

  • CenPOS has a suite of solutions for companies just like yours, solving common problems and increasing profits virtually overnight.
  • For those not ready to give up paper, CenPOS creates a printable PCI Compliant credit card authorization form for every stored card.
  • CenPOS has ERP, ecommerce shopping cart, accounting and other plug-in modules available for quick and easy implementation.
  • I’ve been selling for CenPOS since day 1. Though I have other payment gateways available in my arsenal, nothing else compares for meeting business to business needs.

Christine Speedy, CenPOS authorized reseller, 954-942-0483 is based out of South Florida and NY. CenPOS is a merchant-centric, end-to-end payments engine that drives enterprise-class solutions for businesses, saving them time and money, while improving their customer engagement. CenPOS secure, cloud-based solution optimizes acceptance for all payment types across multiple channels without disrupting the merchant’s banking relationships.

Point of Sale for Heavy Equipment Rentals – Credit Card Processing Rules Changes 2017

Heavy equipment rental companies and dealers must make changes to comply with new Visa credit card acceptance rules. The sweeping changes to rental industry card acceptance rules were announced in October 2016, with April and October 2017 mandates for compliance.  The changes are complex and require cloud technology to automate compliance. Countertop terminals are not capable of compliance, and must be replaced.


Countertop terminals such as the FD130 and the Verifone VX520 are not capable of compliance for heavy equipment rentals, and must be replaced.

Visa rules changes include:

  • Defining who initiated the transaction (customer self-pay or merchant)
  • Transaction data sent
  • Authorization rules
  • Stored card rules
  • Customer communications.

Compliance will increase approvals and mitigate fraud risk; failure to comply will increase risk of financial losses and issuer declines while reducing EBITDA. These changes are significant, impacting chargeback risk and financial penalties for heavy duty equipment rental.

Visa compliant solutions:

The complexity of compliance with both card present and card not present rules requires a solution that can dynamically manage it, removing employees from making decisions that could impact profits. Everyone must change in the ecosystem- card issuer, acquirer (credit card processor),  payment gateway and merchant. Whatever you had in 2016 was not compliant since all the other players were not ready yet.

Merchants should update to a payment gateway that supports at a minimum:

  • Estimated, initial, incremental, and final authorization requests (traditional terminals cannot comply)
  • Authorization Reversals for unused authorization (amount changed)
  • Authorization validity periods
  • Stored credential rules
  • Creation and retrieval of customer opt-in records
  • Automated authorization and settlement amount matching (otherwise transaction downgrades to worst rate possible and other repercussions)
  • Verified by Visa, which uses the 3-D Secure protocol to shift fraud liability to the issuer, much like EMV does for retail.

The Verifone MX915 EMV chip terminal is an option to use in a compliant rental solution.

If you have a payment gateway, or need one, ask these questions:

  • How will you help us comply with the new Disclosure to Cardholder and Cardholder Consent rules?
  • What does the consent record look like?
  • How will we retrieve records?
  • How long are the records retained?

Contact Christine Speedy to get a compliant solution for your rental services needs. 954-942-0483. The ROI for most businesses is virtually overnight! Month to month risk free solutions.

Another change of note is revisions have been made to split the “Other Fraud” Dispute condition under Enhanced Dispute Resolution into separate conditions for Card-Present and Card-Absent Transactions, and to incorporate changes to the payment flow related to Disputes. For merchants that comply, it’s all good. For merchants that do not comply, there will be more risk of financial penalties and risk of issuer initiated chargeback. A key component to mitigate chargeback risk is support for Verified by Visa.

There are many nuances to the rules, and a potential chargeback reason code 72 risk, which were non-existent in the past. Rather than the consumer initiating a chargeback, the issuer will be within their rights to initiate a chargeback if the merchant fails to comply with the rules, for example, by failing to submit the correct authorization flag for an estimate.

Reference: Visa Core Rules and Visa Product and Service Rules, 15 October 2016. See especially Table 5-14, 5-21, 5-22. https://3dmerchant.com/blog/merchant-bulletins-downloads

Resources:

• https://usa.visa.com/support/merchant/library/visa-merchant-business-news-digest.html see articles on Visa Stored Credentials mandate and updated revisions on Visa Stored Credentials framework

• Some acquirers put out statement alerts on their April, June and/or July merchant statements.

See also, Visa Stored Credential Mandate.

Contact Christine Speedy to get a compliant solution for your rental services needs. 954-942-0483. You’ll be more profitable, efficient, and

SaaS Startups: Credit Card Customer Onboarding 2017

Critical rules changes for credit card processing, especially recurring billing, will impact business profits and chargeback risk effective October 2017. Simply copying what other big SaaS businesses are doing successfully is not good enough. Everyone needs to make opt-in updates to comply, and EMV chip card acceptance is a good example of how even big companies can take months or years to change.


Critical SaaS recurring billing credit card processing rules past, present and future:

    • To validate a card and create a token for future purchases, perform a Zero Dollar Authorization. There’s a procedure, including using the recurring indicator, and a transaction fee for this. If the solution you’re looking at suggests a $1 authorization, that’s because the payment gateway and/or the implementation are out of date and don’t support current requirements. Run!
    • The sales receipt must include phrase “recurring transaction”, frequency of the charges, and the period of time agreed to.
    • Cardholder opt-in record. Rules may vary by each card brand; following Visa requirements is a good practice. For example, read Visa Stored Credential Transaction Mandates and also Visa Core Rules. One of the new requirements is specifying how the Cardholder will be notified of any changes to the agreement. The significance of new mandates is huge, and non-compliance will result in higher fees, penalties, reduced sale approvals and chargebacks.

Payment gateway selection directly impacts profits, risk, and your customer buying experience. Lots of developers integrate one or two of the oldest payment gateways because they’re “reliable” and familiar. True, but this could cost your company its path to profitability and even its existence. Any WordPress developer knows technology and implementation of technology changes. It’s constant. Before selecting a payment gateway for a SaaS startup, ask these questions:

  • How will it help with new Visa Stored Credential Mandates?
  • Does it support 3-D Secure cardholder authentication?
  • How will it help with account updating for expiration and replacement cards?
  • What type of digital record is created at the time of customer opt-in to agreement, how is it retrieved, and how long is it retained?
  • Does it support authorization reversals?
  • Does it support level 3 processing for commercial cards (if applicable to business type)?
  • If I change banks or payment processors, how will it affect my customers? My business?

TIP: Most payment gateways are reliable; level 3 processing, and 3-D Secure support are starting points to reduce the list of options. Need help to get compliant? Contact Christine Speedy to learn more about solutions for your business that are quick and easy to adopt, increasing efficiency and growing profits virtually overnight.

Credit Card Testing Explosion Hurts Merchants’ Profits

If you accept payments online, have you hardened security to protect from card testing? Card testing is a big criminal business. The criminals are sophisticated and use hardware and software that can send data from thousands of stolen credit cards to your payment portal or ecommerce shopping cart in less than an hour, before you even know you’ve been hit.

Brute-force authorization attacks can be very expensive for merchants. For every attempted authorization, merchants pay a payment gateway fee, plus a fee to the merchant services processor (acquirer).

Example:

  • $.30 per transaction gateway
  • $.10 per transaction processor
  • 20,000 cards tested @$.40= $8,000

There’s no getting back the $8,000. The gateway and processor passed the data you gave them. In the event orders are approved, there’s the additional cost of lost product shipped and the associated chargeback fee. Then there’s the cost of damaged brand reputation from cardholders who voice on social media, where it lives on forever, how their card was used unauthorized.

How can merchants protect online payments from card testers? Google reCAPTCHA is a free service that protects your website from spam and abuse. reCAPTCHA can prevent bots from submitting a transaction that you’ll pay for. For most shopping carts, it’s the payment gateway that must support reCAPTCHA. If the integration does not include reCAPTCHA or a similar service, merchants might want to review whether their gateway is compliant with current card acceptance rules in general.
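
A velocity rule is a second layer behind reCAPTCHA. The sketch below is an added example, not CenPOS or gateway code: it scans constructed authorization-attempt log lines, flags a source that tries many distinct card tokens with a high decline ratio inside a short window, and prices the attempts at the per-transaction fees from the example above. The log format, thresholds and keying on source IP are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from decimal import Decimal

GATEWAY_FEE = Decimal("0.30")      # per attempt, from the example above
PROCESSOR_FEE = Decimal("0.10")    # per attempt, from the example above

WINDOW = timedelta(seconds=60)     # assumed sliding window
MAX_DISTINCT_CARDS = 5             # assumed: more than this per window is suspect
MIN_DECLINE_RATIO = 0.8            # assumed: testers are mostly declined
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse '<timestamp> ip=.. card=.. result=..' (hypothetical format)."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, TS_FORMAT)
    return rec


def detect_card_testing(lines):
    """Return {source_ip: time the velocity rule first fired}."""
    recent = defaultdict(deque)    # per-source attempts inside the window
    flagged = {}
    for rec in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        q = recent[rec["ip"]]
        q.append(rec)
        while rec["ts"] - q[0]["ts"] > WINDOW:
            q.popleft()            # drop attempts older than the window
        cards = {r["card"] for r in q}
        declines = sum(r["result"] == "declined" for r in q)
        if (len(cards) > MAX_DISTINCT_CARDS
                and declines / len(q) >= MIN_DECLINE_RATIO):
            flagged.setdefault(rec["ip"], rec["ts"])
    return flagged


def fee_exposure(lines, sources):
    """Fees paid for every attempt from the given sources."""
    attempts = sum(parse_line(l)["ip"] in sources for l in lines)
    return attempts * (GATEWAY_FEE + PROCESSOR_FEE)


def sample_log():
    """Constructed log: one scripted source plus two ordinary shoppers."""
    base = datetime(2017, 8, 1, 10, 0, 0)
    lines = []
    for i in range(12):            # new card token every 2 s, one approval
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FORMAT)
        result = "approved" if i == 9 else "declined"
        lines.append(f"{ts} ip=203.0.113.7 card=tok_{i:04d} result={result}")
    lines += [
        "2017-08-01T10:00:05Z ip=198.51.100.20 card=tok_9001 result=declined",
        "2017-08-01T10:00:40Z ip=198.51.100.20 card=tok_9001 result=approved",
        "2017-08-01T10:00:12Z ip=198.51.100.33 card=tok_9002 result=approved",
    ]
    return lines


if __name__ == "__main__":
    log = sample_log()
    hits = detect_card_testing(log)
    print(hits, fee_exposure(log, hits))
```

The rule fires on the sixth distinct token, so blocking at that point caps the fees at a handful of attempts instead of the full run.
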

Protecting against both bots and fraudulent transactions is tricky.

Fifteen percent of all cardholders have had at least one transaction unnecessarily declined in the previous 12 months, according to a 2015 study by Javelin.

Unnecessary declines are also called False Positives. Cardholder authentication is a layer of security to protect against fraudulent purchasing, increasing approvals and reducing False Positives. 3-D Secure is a global XML protocol for Cardholder Authentication; the card brands each have their own name: Verified by Visa, Amex Safekey, MasterCard SecureCode. Benefits of 3-D Secure include automation, shifting liability to card issuers without manual review of orders, increased approvals, and sometimes reduced Visa and MasterCard interchange fees.

Which payment gateways support recaptcha and Cardholder authentication?

reCAPTCHA is easy to implement, just check with your payment gateway provider or web developer. 3-D Secure is quick, easy and requires a few steps:

  • Confirm your payment gateway is 3-D Secure certified for your credit card processor (merchant services provider or acquirer). Ask which are certified: Verified by Visa, Amex Safekey, MasterCard SecureCode. Some have certifications, some don’t.
  • If there’s an application such as a shopping cart or e-invoicing, confirm the payment gateway integration will support 3-D Secure.
  • Contact your acquirer and ask them to register your merchant account for 3-D Secure. Some can, some can’t. It’s usually done in a day.
  • Turn on 3-D Secure in the payment gateway.

FAQ

Is there a cost for reCAPTCHA? No, it’s free from Google. If your payment gateway supports reCAPTCHA, it may just need to be activated on your account, no programming needed. Contact your payment gateway support or check their FAQ to find out.

Is there a cost to register for 3-D Secure? That’s up to the individual company doing the registration. Costs start at $0.

Is there an ongoing cost to use 3-D Secure? Yes, and it’s up to the individual company offering the service. Costs typically range from $.075 to $.30 per attempted authorization.

If hit by a card tester, can I negotiate to reduce fees? It’s unlikely because services were delivered as per your agreements.

Christine Speedy, authorized CenPOS reseller, provides universal payment processing solutions, including reCAPTCHA and 3-D Secure cardholder authentication, to maximize merchant profits and mitigate risk across multiple sales channels. Contact Christine at 954-942-0483. 

Visa Stored Credential Transaction Mandates 2017

Whether you use token billing or have been considering it, all businesses storing credit cards are impacted by Visa rules updates. Visa has published multiple updates about requirements for its Stored Credential Transaction framework, including mandates to identify initial storage and subsequent usage of payment credentials.

If your business stores credit cards, including a 3rd party payment gateway or any software, you’re impacted. Merchants should not assume that any software or technology in their payment processing ecosystem is automatically updated and compliant. To the contrary, there are specific items that merchants will need to take action to implement. Now is the time to learn more and make a plan. While some businesses were impacted in April, most have until October 14, 2017 to comply.

Visit the Visa USA web site for more information; Visa Merchant Business News Digest. PDF download: Advance Copy of Rules for Stored Credential Transaction Framework REGIONS: US, AP, Canada, CEMEA, LAC, Europe, 15 JUN 2017.


TIP: All card brands have their own spin but frequently have similar rules. Need help to get compliant? Contact Christine Speedy to learn more about solutions for your business that are quick and easy to adopt, increasing efficiency and growing profits virtually overnight.