© Copyright 2014 Vantiv, LLC. All rights reserved. Vantiv, the Vantiv logo, and all other Vantiv product or service names and logos are registered trademarks or trademarks of Vantiv, LLC in the USA and other countries. ® indicates USA registration.
Practical Payments: 10 Approaches to Consider in Card-Not-Present Commerce
card-not-pre•sent [kahrd not prez-uhnt] - noun
1. (CNP) is a card purchase transacted via the telephone, internet, mail, or mobile whereby the physical card is not swiped through a card reader.
Practical Payment Approaches
Table of Contents
1. General Best Practices
2. Avoiding Chargebacks
3. Interchange, Assessments, and Fee Structures
4. Address Verification Service
5. Card Security Checks
6. Recurring Payments, Installment Billing, and Soft Billing Descriptors
7. PCI Data Security Standard
8. Advanced Authorization Services
9. Tokenization
10. Negative Option Marketing
Practical Payments Approach #1
General Best Practices
In payment processing, best practices are built on the following principles:
• Presenting information
• Gathering and protecting cardholder data
• Minimizing chargebacks and interchange fees
These general best practice approaches outline how you can use Card-Not-Present (CNP) fundamentals to save money, reduce risk, and improve operational efficiency when processing digital and direct payments.
PRESENTING INFORMATION
Contact Information: Clearly display contact information on every page of a catalog or web store, on shipping materials, and on all correspondence. If customers can’t reach you about a dispute, they will call their card issuer instead, which might lead to a chargeback. Contact information should always include a toll-free phone number (digits, no letters) and an email address.
Billing Descriptor: This identifies you on the customer’s credit card statement. For example:
LNC*EXECUTIVEGADGETS 800-5551212 MA
Use a company name or brand the customer will recognize and include a toll-free telephone number. If your customer doesn’t remember the purchase, they will generally call the number in the descriptor before contacting the card issuer. Billing descriptors can be truncated by processing systems, causing incomplete phone numbers. Avoid this by confirming your descriptors monthly, making test purchases with various credit cards, and reviewing the descriptions online and on your statement. For detailed information on billing descriptors, see Practical Payments Approach #6.
Email Confirmations: Send an immediate email confirmation whenever an order or refund is processed. Always indicate that the card issuer may take a full billing cycle to apply a refund, and that the refund may not appear immediately on an online statement.
Policies: Post clear policies for billing, returns, shipping, back orders, and privacy. This will provide your processor with additional evidence to fight chargebacks and win representments. Order confirmation emails should include this information in the content or via a web page link.
GATHERING CARDHOLDER DATA
Customer Information: Gather evening and daytime phone numbers, as well as an email address, if the shipping and billing addresses are different. This is particularly important with high value orders.
Card Information: Ask for the name as it appears on the card, the account number, the card type, and the expiration date (make sure it is a future date). Also ask for the “CID” digits on the credit card to establish the customer’s physical possession of the card. See Practical Payments Approach #5.
Added Protection: Online merchants should consider using “Verified by Visa®” or MasterCard®’s “SecureCode.” Ask your processor if these enhanced anti-fraud programs are right for you.
PROTECTING CARDHOLDER DATA
The following best practices are drawn from the Payment Card Industry Data Security Standard, also known as “PCI”. Please see Practical Payments Approach #7 for detailed information on PCI.
• Make sure your company has validated its PCI DSS compliance at the merchant level that applies to you.
• Make sure your payment processor is PCI DSS compliant as a service provider.
• Protect stored data. All merchants must use strong encryption to protect cardholder information stored internally or eliminate storage of actual card data through services such as tokenization (see Practical Payments Approach #9). Never store the card security code (CVV2, CVC2, CID) after authorization, even in encrypted form. Web merchants must not store cardholder information on web servers or computers outside of a firewall.
• Encrypt data sent across public networks. Cardholder data sent across public networks must be encrypted. This includes email, FTP, data streams, and phone lines. The most common violation of this practice is cardholder information sent via email. Use TLS for web and API traffic and SFTP or another encrypted transfer in place of plain FTP; there are hundreds of encryption products available, many of them free.
• Restrict access to data by “need to know.” Your call center and chargeback departments will likely need to see cardholder data. Other departments do not. Merchants should work with processors that have online hierarchical role-based access to payments data. Store hard-copy cardholder information (e.g. paper reports from your processor, chargeback mail, and faxes) in a locked room with limited access.
• Partners handling your data must protect your data. If your business partners have access to your customers’ credit card information, it is your responsibility to make sure that they employ adequate protection methods. Partners that typically handle credit card information include fulfillment houses, call centers, and marketing affiliates.
PROCESSING ORDERS
Observing these rules can reduce your exposure to chargebacks and can result in lower interchange fees:
• Always conduct an Address Verification Service (AVS) check and contact customers for order confirmation on AVS failures. See Practical Payments Approach #4.
• To test card validity prior to deposit, use a “Zero Dollar Verification” (ZDF), also known as an “AVS-only” authorization. Avoid “$1.00 Authorizations”, as these may appear in online statements and confuse customers.
• Each deposit should reference one and only one valid authorization. Do not submit deposits without valid authorizations (“forced deposits”).
• Ship within seven (7) days of the authorization or obtain a new authorization.
• Submit your deposits to your processor within two (2) days of shipment.
• If supported by your processor, submit your authorization Transaction ID with all deposits and refunds. This prevents forced deposits and can reduce fraud.
• Use voice authorizations as a last resort. These bypass processors’ systems and cannot be used to refute chargebacks.
Practical Payments Approach #2
Avoiding Chargebacks
Chargebacks occur when a customer disputes a charge on a card. The customer contacts his/her card issuer and initiates the process through your payment processor. Your processor will charge you a fee for each chargeback you receive. You have the right to fight the dispute in a process called representment, where you must substantiate the charge by providing verification of the sale. If you cannot substantiate the sale, you will have to reimburse the customer.
Chargebacks can be costly, time consuming, and can threaten your merchant account. Depending on the card type, chargeback rates exceeding 0.5% or 1.0% (by sale count) can result in substantial fines, and excessive rates can cause your merchant account to be terminated, with the possibility of card brand banishment. Even a small number of chargebacks demonstrates that you have some unhappy customers.
THREE MOST COMMON REASONS FOR CHARGEBACKS
The three most common chargeback reasons for CNP merchants are:
“Unauthorized Use” chargebacks occur when consumers claim their cards were used without their knowledge or permission. In some cases, this will reflect actual fraud and may require the issuing bank to close the account. Asking the consumer for additional card information (e.g. CVV2 and CVC2 - see Practical Payments Approach #5) at the time of purchase can greatly reduce this form of chargeback.
“Authorization Not Obtained” chargebacks occur when the card issuer believes that a valid authorization was not obtained for a deposit. The merchant may have attempted a forced deposit, used an invalid authorization, or obtained a voice authorization. This type of chargeback often occurs when multiple partial deposits are made against single authorizations. A combination of sound procedures and proper exception handling by your processor can eliminate these chargebacks.
“Recurring Transactions” chargebacks occur when a consumer believes they have been billed after cancelling a subscription, membership, or multi-payment billing series (e.g. continuity program or installment payments). Using clear and explicit billing descriptors will help you avoid these types of chargebacks (see Practical Payments Approach #6). Be certain to quickly acknowledge and record any correspondences with customers regarding changes or cancellations. This should include keeping records of all phone calls.
Following are detailed guidelines to help avoid chargebacks and increase your odds of reversing chargebacks through representment.
ACTIONS TO AVOID THESE COMMON CHARGEBACK REASONS:
• Always conduct an AVS check. Only process orders with a valid AVS response.
• Obtain evidence of receipt of goods (i.e. a signed shipping receipt).
• Web Sales: Consider using “Verified By Visa” or MasterCard’s “SecureCode.” This proves card ownership and enhances the merchant’s position on chargeback representment.
• Require card identification numbers like CVV2 (Visa), CVC2 (MasterCard), and CID (American Express). See Practical Payments Approach #5.
• Process refunds as quickly as possible!
• Notify consumers in writing by email and/or mail when a refund has been issued or a membership cancelled. Provide them with the date the transaction was submitted and a reference number.
• Always provide a clear billing descriptor with a phone number so the consumer can contact you directly rather than calling their bank to discuss any dispute.
• Always provide a contact phone number and an email address on your website so consumers can contact you directly.
• State the terms and conditions of the sale or service clearly and in plain view. All correspondence should include this information in the message or via a link to a web page.
• Use email to notify consumers of the details of sales and to indicate that their cards will be charged.
• Obtain written or electronic signatures from cardholders giving you permission to charge their cards on a regular basis for monthly fees or recurring payments. See Practical Payments Approach #6.
• Make it very easy for members or subscribers to cancel; have a “no-questions-asked” policy.
• Obtain an authorization for every deposit.
• Deposits must not exceed the amount you have authorized.
• Authorizations must be “positive” (an approval response).
• Avoid using voice authorizations.
• If you are settling a transaction with an authorization more than 7 days old, reauthorize the transaction. Even if the original authorization is still valid, the fresh authorization will likely earn a better interchange rate. See Practical Payments Approach #3.
[The original page presents the actions above as a matrix marking which of four chargeback reasons each action addresses: Unauthorized Use (Products), Unauthorized Use (Services), Authorization Not Obtained, and Cancelled Recurring Transaction. Only the column headings survived extraction.]
Practical Payments Approach #3
Interchange, Assessments, and Fee Structures
INTERCHANGE
Interchange is a fee — mandated by Visa & MasterCard — that the merchant’s acquiring bank (often represented by a payment processor) pays to the card issuing bank on each sales transaction. “Acquirers” or their processors pass this fee along in some form to the merchant. Interchange was developed as an income incentive for banks to issue MasterCard and Visa cards. Today, there are hundreds of distinct rates based on transaction and industry type. Interchange also typically represents the largest portion of a merchant’s total fees.
ASSESSMENTS
While interchange is paid to the card issuers, assessments are paid directly to Visa and MasterCard and typically offset the brands’ costs to operate and regulate the networks. These fees are also passed along in some form to the merchant and generally represent the smallest portion of a merchant’s total fees.
A PROCESSING FEE EXAMPLE
The following chart depicts the typical fees a merchant might incur for a given CNP credit card sale. It introduces another fee, which is the fee your payment processor charges for sponsoring you into the Visa and MasterCard networks. This example is based on a $100 purchase from an online merchant and uses the Visa “CPS/Card-Not-Present” interchange rate.
Fee              Interchange (I)   Assessments (A)   Processor Fee (P)   Total (D)
Published        1.80% + $0.10     0.110%            $0.25               1.91% + $0.35
Expressed as $   $1.90             $0.11             $0.25               $2.26
Expressed as %   1.9%              0.110%            0.25%               2.26%
Generally, interchange rates are charged as a percentage of the sale plus a fixed fee. This structure allows the card brands to protect themselves with respect to very large and very small transaction values. Assessments are mostly expressed as a small percentage only. Payment processors may structure their fees at their discretion and can vary widely. In this example, we use a fixed per-transaction charge.
FEE STRUCTURES
Many payment processors use a bundled “discount” rate. That is, they present the merchant with a flat percentage rate that blends all of the fees described above. This idea can be expressed in a formula using the abbreviations in the chart: D = I + A + P. In this case, the payment processor would charge the merchant 2.26% for each qualifying transaction.
While simple to understand, this type of pricing can hide the true cost of doing business from the merchant. The processor will normally present the merchant with a tiered discount structure consisting of “qualified,” “mid-qualified,” and “non-qualified” discounts. The latter two rates are typically higher than the quoted rate and represent downgrades. Bundled rates can become even more complicated as many processors will add a fixed, per transaction fee on top of the flat percentage rate.
Some processors offer a “pass-through” model. Also known as the “Cost Plus” model, the processor reports on all of the constituent components, “I,” “A,” and “P” as separate fee areas. While more complex, this style of billing is transparent and can help reduce downgrades and optimize interchange.
DOWNGRADES AND INTERCHANGE OPTIMIZATION
To obtain the best interchange rate, a sale transaction must conform to certain rules established by the card brands. The following example depicts three Visa rates applicable to CNP transactions:
CPS/Card-Not-Present                                1.80% + $0.10
Electronic Interchange Reimbursement Fee (EIRF)     2.30% + $0.10
Standard Interchange Reimbursement Fee              2.30% + $0.10
The second and third rates are undesirable downgrades. You can get the best interchange rate (1.80% + $0.10) for CNP transactions by:
• Conducting an Address Verification Service (AVS) check.
• Shipping product within 7 days of the authorization.
• Including the original authorization ID from your authorization in your settlement transaction.
• Providing an order number in the settlement transaction.
• Settling the transaction no longer than 7 days after the authorization date.
• Settling the transaction no longer than 3 days after the completion of the sale.
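The Processing Orders rules in Approach #1, the authorization rules in Approach #2 and the qualification list above all reduce to a handful of checks a settlement job can run before it submits a deposit. The Python below is an added example written for this page, not Vantiv code: the record layouts, the calendar-day reading of the 7-day and 3-day windows, and the split into blocking errors (the conditions the text ties to “Authorization Not Obtained” chargebacks) versus interchange warnings (the conditions that cost the CPS rate) are all assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Windows from the rules on this page, interpreted as calendar days (assumption).
MAX_AUTH_AGE_DAYS = 7          # ship and settle within 7 days of the authorization
MAX_SHIP_TO_DEPOSIT_DAYS = 3   # settle no later than 3 days after the sale is completed


@dataclass(frozen=True)
class Authorization:
    transaction_id: str
    amount: float
    auth_date: date
    approved: bool            # a "positive" authorization response
    avs_performed: bool
    voice_auth: bool = False
    consumed: bool = False    # already referenced by an earlier deposit


@dataclass(frozen=True)
class Deposit:
    amount: float
    ship_date: date
    deposit_date: date
    auth_transaction_id: Optional[str]
    order_number: Optional[str]


def check_deposit(dep: Deposit, auths: dict[str, Authorization]) -> tuple[list[str], list[str]]:
    """Return (blocking_errors, downgrade_warnings) for one deposit.

    Errors are conditions the page ties to "Authorization Not Obtained"
    chargebacks; warnings are conditions that lose the CPS/Card-Not-Present rate.
    """
    errors: list[str] = []
    warnings: list[str] = []
    auth = auths.get(dep.auth_transaction_id or "")
    if auth is None:
        errors.append("no matching authorization transaction ID (forced deposit)")
        return errors, warnings
    if not auth.approved:
        errors.append("authorization was not positive")
    if auth.voice_auth:
        errors.append("voice authorization cannot be used to refute a chargeback")
    if auth.consumed:
        errors.append("authorization already used: one deposit per authorization")
    if dep.amount > auth.amount + 1e-9:
        errors.append(f"deposit {dep.amount:.2f} exceeds authorized {auth.amount:.2f}")
    ship_age = (dep.ship_date - auth.auth_date).days
    settle_age = (dep.deposit_date - auth.auth_date).days
    if ship_age > MAX_AUTH_AGE_DAYS or settle_age > MAX_AUTH_AGE_DAYS:
        warnings.append("authorization older than 7 days: reauthorize before settling")
    if (dep.deposit_date - dep.ship_date).days > MAX_SHIP_TO_DEPOSIT_DAYS:
        warnings.append("deposit submitted more than 3 days after shipment")
    if not auth.avs_performed:
        warnings.append("no AVS check on the authorization")
    if not dep.order_number:
        warnings.append("no order number in the settlement record")
    return errors, warnings


def demo() -> dict[str, tuple[list[str], list[str]]]:
    """Constructed sample data: one CPS-qualified deposit and three problem cases."""
    auths = {"A1": Authorization("A1", 100.00, date(2014, 3, 1), approved=True, avs_performed=True)}
    cases = {
        "clean": Deposit(99.50, date(2014, 3, 3), date(2014, 3, 4), "A1", "ORD-1001"),
        "stale": Deposit(100.00, date(2014, 3, 10), date(2014, 3, 12), "A1", "ORD-1002"),
        "forced": Deposit(100.00, date(2014, 3, 3), date(2014, 3, 4), None, "ORD-1003"),
        "over": Deposit(120.00, date(2014, 3, 3), date(2014, 3, 4), "A1", None),
    }
    return {name: check_deposit(d, auths) for name, d in cases.items()}


if __name__ == "__main__":
    for name, (errors, warnings) in demo().items():
        print(f"{name}: errors={errors} warnings={warnings}")
```

A deposit with any blocking error should be held back and fixed (reauthorize, correct the amount, or recover the transaction ID); one with only warnings will settle, but at the EIRF or Standard rate rather than CPS.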
In today’s interchange landscape, some downgrades are unavoidable. Merchants have been particularly hard hit, for example, by higher rates associated with rewards cards. These higher rates help pay for the cardholders’ points and perks. Interchange rates are usually updated twice a year, so it is important to work closely with your processor to avoid downgrades and optimize your overall interchange exposure. You should also select a processing platform with reporting capabilities that let you review interchange qualification regularly. Rate reviews and optimization strategies should occur at least quarterly. For more information, please refer to the published rates on Visa and MasterCard’s websites.
AVOIDING THE REFUND TRAP
What happens to interchange when you process a refund? According to Visa and MasterCard regulations, the card issuer should return the interchange to the merchant. In practice, the issuer returns the interchange back to the payment processor, and in some cases the payment processor keeps the returned interchange. If your refunds average more than 5% of sales, the missing rebates can add up. If your processor charges a 2.3% discount rate and is not rebating interchange on returns, that 2.3% can become an effective rate of 3% or higher. Of course, average ticket price must be considered in the calculation, but you can see the potential for this hidden cost.
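As an added example (not from the original page), the Python below reproduces the $100 chart and then extends it to the refund trap just described: it computes total fees as a percentage of net (post-refund) sales for a given average ticket and refund count, with a processor that either passes the issuer’s interchange rebate through or keeps it. The fee schedule is the chart’s; modelling P as a fixed per-transaction charge and charging no separate fee on the refund transaction itself are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class FeeSchedule:
    """Rates in the chart's 'percent of sale plus fixed amount per item' form."""
    interchange_pct: float     # I: e.g. 1.80 for Visa CPS/Card-Not-Present
    interchange_fixed: float   # I: e.g. $0.10 per item
    assessment_pct: float      # A: e.g. 0.110, percentage only
    processor_fixed: float     # P: fixed per-transaction processor charge (assumed form)


CNP_EXAMPLE = FeeSchedule(1.80, 0.10, 0.110, 0.25)


def fee_components(amount: float, s: FeeSchedule) -> tuple[float, float, float]:
    """Unrounded I, A and P for one sale."""
    i = amount * s.interchange_pct / 100 + s.interchange_fixed
    a = amount * s.assessment_pct / 100
    return i, a, s.processor_fixed


def fee_breakdown(amount: float, s: FeeSchedule) -> dict:
    """The chart, expressed in dollars: D = I + A + P."""
    i, a, p = fee_components(amount, s)
    return {"I": round(i, 2), "A": round(a, 2), "P": round(p, 2), "D": round(i + a + p, 2)}


def effective_rate(ticket: float, sales: int, refunds: int, s: FeeSchedule,
                   interchange_rebated: bool) -> float:
    """Total fees paid as a percent of net (post-refund) sales.

    Every sale is charged D. If the processor passes the issuer's interchange
    rebate through, each refund returns I; otherwise the processor keeps it.
    No separate fee on the refund transaction is modelled (assumption).
    """
    if not 0 <= refunds < sales:
        raise ValueError("refunds must be between 0 and sales - 1")
    i, a, p = fee_components(ticket, s)
    paid = sales * (i + a + p)
    if interchange_rebated:
        paid -= refunds * i
    net_sales = (sales - refunds) * ticket
    return 100 * paid / net_sales


if __name__ == "__main__":
    print(fee_breakdown(100.00, CNP_EXAMPLE))
    # Same 5% refund rate, two average tickets: the fixed fees bite harder on small tickets.
    for ticket in (100.00, 20.00):
        for rebated in (True, False):
            rate = effective_rate(ticket, sales=100, refunds=5, s=CNP_EXAMPLE, interchange_rebated=rebated)
            print(f"ticket ${ticket:.2f}, 5% refunds, rebate={rebated}: {rate:.2f}%")
```

Run on the chart’s schedule, a $100 ticket with 5% refunds costs about 2.28% of net sales when interchange is rebated and 2.38% when it is not; at a $20 ticket the same refund rate gives roughly 3.73% versus 3.85%, which is the “average ticket price must be considered” point above.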
HOW CAN YOU AVOID HIDDEN FEES?
• Negotiate a pass-through fee arrangement with your processor.
• Establish benchmarks and work with your processor to develop interchange reduction programs.
• Understand published interchange rates and how they apply to you.
• Develop the mathematical foundation for analysis, auditing, and oversight of your payment processing costs.
Practical Payments Approach #4
Address Verification Service
Address verification service (AVS) is an automated fraud prevention service designed to reduce the risk associated with CNP transactions.
AVS helps minimize fraudulent transactions by verifying the cardholder’s billing address with the card issuer. The merchant must initiate the AVS check by providing the proper data in each transaction. Verification results help the merchant decide whether to accept a particular order or take follow-up action.
AVS uses two pieces of extra information in the authorization request you send to your payment processor: the numeric portion of the cardholder’s street address and the ZIP code. Your payment processor passes this information, along with the card number, expiration date, and other authorization data, to the cardholder’s issuing bank, which compares it against the billing address on file and returns an AVS Response Code with the authorization.
HOW TO USE AVS
Address Verification Service is transparent to your customer and applies to payments using Visa, MasterCard, American Express®, and Discover® cards. To use AVS, a merchant should:
• Ask the customer for the billing address as it appears on their monthly statement.
• Submit the required alpha/numeric portions of the address with the authorization request.
• Research all AVS partial matches. A “partial match” indicates that the billing address being compared has the same ZIP code or the same numeric values in the street address, but not both. A “no match” response indicates that neither part of the billing address matches your data.
• Evaluate AVS “no match” responses carefully: they are typically a strong indicator of fraud, but not every “no match” is fraudulent, so treat it as a signal that you must take further steps to authenticate the order.
• A “no match” response does not automatically result in the authorization being declined; the issuer may still approve the transaction, and the decision to ship is yours.
EXAMPLES OF AVS RESPONSE CODES*
AVS Result Code   Description
00                5-digit ZIP and address match
01                9-digit ZIP and address match
10                5-digit ZIP matches, address does not match
11                9-digit ZIP matches, address does not match
12                ZIP does not match, address matches
20                Neither ZIP nor address match
30                AVS service not supported by issuer
31                AVS system not available
32                Address unavailable
33                General error
34                AVS not performed
* The AVS codes listed above are numeric; processors may use alpha or numeric characters.
HOW TO HANDLE MOST COMMON RESULTS
“ZIP does not match, address matches” or “ZIP code (5 or 9 digit) matches, address does not match”
Establish a dollar threshold that puts these orders in an AVS Hold report for special processing. Look for these suspicious attributes:
• Larger than normal orders
• Several units of the same item
• Overnight shipping
• Orders shipped to an address other than the billing address
“Neither ZIP nor address match”
This is a strong indicator of fraud, but an AVS failure may be legitimate. Example: a customer has recently moved but has not notified their bank. Follow up by:
• Calling the customer to verify the telephone number, billing address, and home address.
• Contacting the cardholder’s issuer to determine whether the name, address, and telephone number match those in the issuer’s file.
• Using directory assistance or internet search tools to contact the individual at the billing address and confirm that he or she initiated the transaction.
“AVS service not supported by issuer”
This is a typical response to an international order, which AVS does not support. One solution is to fax a credit card slip to the consumer, requesting a faxed signature to verify the order. This may not be the most cost-effective means for all international orders, so a dollar threshold should be established to determine which orders must be validated.
WHY IS AVS IMPORTANT?
• A positive AVS response is one way to remedy many “Unauthorized Use” and “Non-Receipt of Merchandise” chargebacks. Without a positive AVS response, CNP merchants have no dispute rights.
• Visa transactions using AVS are given a better interchange rate than those that do not, even if the AVS fails.
AVS is not foolproof and should be combined with your internal and external fraud detection tools such as CVV2, CVC2, CID (see Practical Payments Approach #5), “Verified by Visa”, and MasterCard “SecureCode.”
Practical Payments Approach #5
Card Security Checks
To help reduce fraud for “Card Not Present” (CNP) transactions, the major credit card companies implemented authentication systems to ascertain if the credit card used in a transaction is actually in the possession of the owner. Knowledge of the card security value, known as CVV2, CVC2 (Card Verification Value/Code), CMID (Card Member ID), and CID (Card Identification Number) by Visa, MasterCard, Discover, and American Express respectively, proves that the purchaser has seen the card, or has seen a record made by somebody who saw the card. In many countries it is now mandatory to provide this code when the cardholder is not present during the transaction.
WHAT ARE CVV2, CVC2, CMID, AND CID?
Visa, MasterCard, and Discover use a three-digit code printed in the signature strip on the back of the card, while American Express uses a four-digit code printed on the front of the card. When collected, submitted, and substantiated during the authorization process, the security value significantly increases the probability that the person placing the order is in possession of the credit card. In combination with an AVS check (see Practical Payments Approach #4), the card security value is a useful tool to minimize fraud from stolen card numbers and counterfeit cards.
HOW CVV2, CVC2, CMID, AND CID WORK
• A merchant asks the customer for the card security code and sends it to its processor as part of the authorization request.
• The merchant’s processor, working through the card brands, checks the code against the card issuer’s database to determine its validity and then sends a Response Code back to the merchant along with the authorization.
• The merchant evaluates the Response Code, taking into account the authorization decision and any other relevant or questionable data, like the AVS response.
COMMON RESPONSE CODES
M – Match
  What it means: The code the cardholder submitted matches the code stored at the issuing bank.
  Suggested action: Complete the transaction (using other anti-fraud tools such as AVS to supplement the decision to approve).
N – No Match
  What it means: The code the cardholder submitted did not match the code at the issuing bank.
  Suggested action: View the “No Match” as a sign of potential fraud. Examine the authorization response.
P – Request not Processed
  What it means: Processor is unavailable.
  Suggested action: Resubmit the authorization request.
U – Issuer does not support feature
  What it means: The issuing bank is not registered with the card brand to use this security feature.
  Suggested action: Use other anti-fraud tools to determine whether to process the transaction or investigate further.
THINGS TO KNOW
• Merchants should always obtain and include the card security value in the authorization. Some card issuers do not support the code and, by regulation, automatically lose chargeback rights for CNP sales.
• Merchants must not store CVV2, CVC2, CMID, or CID codes in their customer databases, or in any other record, once an authorization transaction has been completed. The code must be requested for each unique transaction. Unless the customer is contacted each time, the codes cannot be used for recurring transactions. Storing codes improperly could result in fines to the merchant.
• Merchants must register with American Express to use CID. American Express will automatically decline authorization requests when the CID check fails (no letter result code is returned).
• Card security values can only be found on the card. They are not contained in the magnetic stripe data, nor do they appear on sales receipts or statements.
• Although widely implemented, not all payment processors support these codes. You must check with your processor to see if this service is available.
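The AVS handling rules in Approach #4 and the response-code actions above can be combined into one triage routine that runs after the authorization response comes back. The Python below is an added example written for this page, not processor code: the dollar thresholds, the “several units” cutoff and the decision names are assumptions, and the numeric AVS codes follow the table in Approach #4. It also shows the record that may be kept once the authorization is complete, which carries the M/N/P/U result letter and the last four digits but never the security code or the full account number.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional

# AVS response codes, numeric form of the table in Approach #4.
AVS_FULL = {"00", "01"}
AVS_PARTIAL = {"10", "11", "12"}
AVS_NO_MATCH = {"20"}
AVS_UNSUPPORTED = {"30"}
AVS_NOT_PERFORMED = {"31", "32", "33", "34"}

# Policy settings a merchant would tune; the values here are assumptions.
AVS_HOLD_THRESHOLD = 250.00              # partial matches at or above this go to the AVS Hold report
INTERNATIONAL_VERIFY_THRESHOLD = 500.00  # unsupported-AVS orders at or above this need a signed slip
SEVERAL_UNITS = 3                        # "several units of the same item"


@dataclass(frozen=True)
class Order:
    amount: float
    units_per_item: tuple[int, ...]
    overnight_shipping: bool
    ship_to_differs: bool


@dataclass(frozen=True)
class AuthResponse:
    approved: bool
    avs_code: str
    cvv_result: Optional[str]   # "M", "N", "P", "U", or None if no code was sent


def suspicious_attributes(order: Order) -> list[str]:
    """The attributes Approach #4 says to look for on an AVS partial match."""
    flags = []
    if order.amount >= AVS_HOLD_THRESHOLD:
        flags.append("larger than normal order")
    if any(n >= SEVERAL_UNITS for n in order.units_per_item):
        flags.append("several units of the same item")
    if order.overnight_shipping:
        flags.append("overnight shipping")
    if order.ship_to_differs:
        flags.append("shipped to an address other than the billing address")
    return flags


def triage(order: Order, resp: AuthResponse) -> tuple[str, list[str]]:
    """Return (decision, notes); decision is accept, hold, retry or decline."""
    if not resp.approved:
        return "decline", ["issuer declined the authorization"]
    if resp.cvv_result == "P":
        return "retry", ["card security check not processed: resubmit the authorization"]
    hold, notes = False, []
    if resp.cvv_result == "N":
        hold = True
        notes.append("card security code did not match: treat as potential fraud")
    elif resp.cvv_result in (None, "U"):
        notes.append("card security code not verified: rely on AVS and other tools")
    code = resp.avs_code
    if code in AVS_FULL:
        pass
    elif code in AVS_PARTIAL:
        flags = suspicious_attributes(order)
        if flags:
            hold = True
            notes.append("AVS partial match: route to the AVS Hold report")
            notes.extend(flags)
    elif code in AVS_NO_MATCH:
        hold = True
        notes.append("AVS no match: call the customer and confirm with the issuer before shipping")
    elif code in AVS_UNSUPPORTED:
        if order.amount >= INTERNATIONAL_VERIFY_THRESHOLD:
            hold = True
            notes.append("AVS not supported by issuer: obtain a signed credit card slip")
        else:
            notes.append("AVS not supported by issuer (typical for international orders)")
    elif code in AVS_NOT_PERFORMED:
        hold = True
        notes.append(f"AVS not performed (code {code}): no positive AVS to support a dispute")
    else:
        hold = True
        notes.append(f"unrecognised AVS code {code}")
    return ("hold" if hold else "accept"), notes


def record_for_storage(auth_request: dict, resp: AuthResponse) -> dict:
    """What may be kept once the authorization is complete: the result letters
    and the last four digits, never the security code and never the full PAN."""
    return {
        "pan_last4": auth_request["pan"][-4:],
        "expiry": auth_request["expiry"],
        "avs_code": resp.avs_code,
        "cvv_result": resp.cvv_result,
    }


if __name__ == "__main__":
    # Constructed sample order and card data, not real records.
    order = Order(amount=300.00, units_per_item=(1, 4), overnight_shipping=True, ship_to_differs=False)
    print(triage(order, AuthResponse(True, "12", "M")))
    request = {"pan": "4111111111111111", "expiry": "1216", "cvv2": "123"}
    print(record_for_storage(request, AuthResponse(True, "00", "M")))
```

Note that a CVV2 “N” holds the order even when AVS is a full match, and that an approved authorization never by itself produces “accept”: the issuer can approve while AVS or the security check fails, and the decision to ship stays with the merchant.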
WHY ARE CVV2, CVC2, CMID, AND CID IMPORTANT?
Better Fraud Protection
CVV2, CVC2, CMID, and CID can help merchants differentiate between good customers and criminals. For example, these security codes can prevent fraud from card numbers obtained via “trash diving” (receipts and statements do not show the code) or “skimming” (the magnetic stripe does not contain it). CVV2, CVC2, CMID, and CID enable the merchant to make a more informed decision before completing a CNP transaction.
Reduced Chargebacks
Using card security values potentially reduces fraud-related chargeback volume. While it does not eliminate the risk of fraud, this additional security feature is designed to protect merchants by establishing that the purchaser has the physical card in hand. Reduced fraud chargebacks translate into retained revenue.
Practical Payments Approach #6
Recurring Payments, Installment Billing, and Soft Billing Descriptors
Annual consumer spending through recurring payments is consistently growing. Merchants too have embraced recurring payment models because they make products more affordable and can generate larger, more predictable cash flows.
RECURRING PAYMENTS AND INSTALLMENT BILLING
Recurring Payments
Recurring payments are used when a consumer agrees to pay for a product or a service at specific intervals over a certain period of time. For example, health club memberships, insurance premiums, utility bills, and subscription fees occur predictably over time. The recurrence may be fixed with pre-determined renewal periods (e.g. magazine subscription) or perpetual (e.g. telephone bills) and might occur monthly, quarterly, or annually. The periodic payments may be equal or may vary based on the characteristics of the sale. Recurring payments can increase payment timeliness, reduce processing costs, and lower the risk of error due to manual entry.
Installment Billing
Payments made on installment billing plans are popular recurring payments. On these plans, the period is fixed and the payments are typically identical. Payments are generally made monthly, with between 3 and 10 installments. The direct response television (DRTV) industry is a good example of where installment billing is used routinely — think “three easy payments.” Because the payments are smaller, merchants can sell more product with fewer chargebacks.
IMPORTANT TIPS FOR USING AND PROCESSING RECURRING PAYMENTS
• On the first billing transaction, ask the cardholder for his/her billing address as it appears on their statement. Obtain the “ship to” address if it is different from the billing address.
• Provide cardholders with a toll-free phone number to cancel services. Disclose all terms, conditions, and fees at the time of sale and on all correspondence.
• Process credits promptly. State clearly that credit posting dates depend on the card issuer.
• For internet transactions, require cardholders to click an “Accept” button on the disclosure statement to confirm that they have read your terms and conditions. Consider asking for an electronic signature acceptable under the E-SIGN Act.
• On the first transaction, use fraud protection tools including AVS, CVC2, CVV2, and CID. Never store the card security code after obtaining the initial authorization.
• Use soft billing descriptors to help cardholders identify charges on their statements. A full treatment of soft billing descriptors is provided below.
BILLING DESCRIPTORS
Static Billing Descriptors
Billing descriptors are line items that appear on cardholder statements describing their purchases. Billing descriptors are typically static by default. They remain the same for different products sold by the same entity.
26
To obtain better interchange rates, most card companies require that CNP transactions use billing descriptors with a company’s name and customer service phone number. Static billing descriptors, such as the one below, are generally sufficient for companies offering a limited number of products:
Acme Industries 888-555-1234 . . . . . . . . . . . . . . . . . . . $14.95
Soft Billing Descriptors
Soft billing descriptors allow the merchant descriptor information to be modified on a per-transaction basis (sometimes referred to as a “Dynamic Billing Descriptor”). Certain direct marketing merchants (MCCs 5966, 5968, 5967, 5969, and 5962) are required to represent their company name with a three-letter prefix followed by a more detailed description of the product or service. Note that this field is typically limited to 25 characters (excluding the phone number). Not all processors support this feature, so be sure to choose a processor with this capability in case you need it in the future.
ACM*GreatTVHits 1of9 800-555-1234 . . . . . . . . . . . . $14.95
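An added example, not from the original page: a Python routine that builds a soft descriptor of the form shown above, shortening only the product description so that the prefix, the installment counter and the 25-character limit are respected, plus the check from Approach #1 that a statement line as it finally appears still carries the full phone number. The 25-character field size and the shape of the installment counter are taken from the text; treating the limit as excluding the phone number and any trailing state code, and dropping spaces from the description, are assumptions.

```python
import re
from typing import Optional

DESCRIPTOR_LIMIT = 25   # characters available for the descriptor text, excluding the phone number


def soft_descriptor(prefix: str, description: str, phone: str,
                    installment: Optional[int] = None, total: Optional[int] = None) -> str:
    """Build a statement line like 'ACM*GreatTVHits 1of9 800-555-1234'.

    The three-letter prefix, the '*' and the installment counter are never cut;
    only the description is shortened so the 25-character field is not exceeded.
    """
    if len(prefix) != 3 or not prefix.isalpha():
        raise ValueError("prefix must be exactly three letters")
    if (installment is None) != (total is None):
        raise ValueError("installment and total must be given together")
    counter = ""
    if installment is not None:
        if not 1 <= installment <= total:
            raise ValueError("installment must be between 1 and total")
        counter = f" {installment}of{total}"
    head = prefix.upper() + "*"
    budget = DESCRIPTOR_LIMIT - len(head) - len(counter)
    if budget < 1:
        raise ValueError("no room left for a description")
    # Spaces are dropped so the whole field reads as one token on the statement.
    body = re.sub(r"\s+", "", description)[:budget]
    return f"{head}{body}{counter} {phone}"


def descriptor_field(line: str) -> str:
    """The 25-character part of a line built by soft_descriptor (everything before the phone)."""
    return line.rsplit(" ", 1)[0]


def phone_intact(statement_line: str, phone: str) -> bool:
    """The monthly test-purchase check from Approach #1: does the line as it
    appears on the statement still contain every digit of the phone number?
    Digit-only comparison, so dashes, spaces or a trailing state code do not matter."""
    wanted = re.sub(r"\D", "", phone)
    return wanted in re.sub(r"\D", "", statement_line)


if __name__ == "__main__":
    line = soft_descriptor("ACM", "GreatTVHits", "800-555-1234", installment=1, total=9)
    print(line, len(descriptor_field(line)))
    # A line that a downstream system cut short: the phone number is no longer dialable.
    print(phone_intact("ACM*GreatTVHits 1of9 800-555-12", "800-555-1234"))
```

Run the phone check against the descriptor text you see on the test-purchase statements, not against what you submitted; truncation happens downstream of the merchant, which is why the text above recommends confirming descriptors monthly with real purchases.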
WHY USE SOFT BILLING DESCRIPTORS?
Soft billing descriptors are powerful tools. They enable merchants to more clearly identify transactions on cardholder statements. They are especially useful for installment billing, where a cardholder’s payment progress can be noted on each statement, and for merchants who sell multiple products or services through multiple companies or affiliates. Soft billing descriptors have been shown to help customers keep more accurate buying records, reduce chargebacks, and improve customer satisfaction.
For additional information on Visa recurring transactions, please refer to:
Recurring Payments Best Practices Guide: www.visacemea.com/ac/selling/pdf/recurring_payments_bpg.pdf
Visa Bill Pay for Merchants: http://usa.visa.com/download/merchants/bill_pay_for_merchants.pdf
Merchant Marketing Resource Guide: http://usa.visa.com/download/merchants/merchant-marketing-resource-guide.pdf
For additional information on MasterCard recurring transactions, please refer to:
Revealing Attitudes on Recurring Payments: www.mastercard.com/us/merchant/pdf/Revealing_Attitudes.pdf
Bill Payment for Service Industries: www.mastercard.com/us/merchant/pdf/Bill_Payment_Brochure.pdf
Selling Recurring Payments to Your Customers: www.mastercard.com/us/merchant/pdf/Selling_Recurring_Payments_to_Your_Customers_Brochure.pdf
MasterCard Recurring Payment Cancellation Service: www.mastercard.com/us/merchant/pdf/RP_Cancellation_Service.pdf
Practical Payments Approach #7
PCI Data Security Standard
The Payment Card Industry Data Security Standard, commonly known as “PCI DSS” or “PCI” for short, is a standard across the major global card brands Visa, MasterCard, American Express, Discover, and JCB to address cardholder account security. PCI was developed to safeguard the personal information of cardholders while in the possession or use of merchants, payment processors, and other entities that store, process, or transmit payment card information.
Understanding the basics of PCI, defining your merchant level, and understanding your validation requirements are critical. Failure to adhere to these requirements may result in significant fines for merchants and potential cancellation of their merchant accounts by the payment brands.
THE BASICS OF PCI
PCI is a series of security requirements for all companies that handle cardholder information. The following is a high-level list of the current PCI “Control Objectives.”
• Installandmaintainafirewallconfigurationtoprotect cardholder data.
• Donotusevendor-supplieddefaultsforsystempasswords and other security parameters.
• Protectstoredcardholderdata.
• Encrypttransmissionofcardholderdataandsensitive information across public networks.
Practical Payments Approach #7
PCI Data Security Standard
29
• Useandregularlyupdateanti-virusandsoftwareonsystemssubject to attack.
• Developandmaintainsecuresystemsandapplications.
• Restrictaccesstodataonaneed-to-knowbasis.
• AssignauniqueIDtoeachpersonwithcomputeraccess.
• Restrictphysicalaccesstocardholderdata.
• Trackandmonitorallaccesstonetworkresourcesand cardholder data.
• Regularlytestsecuritysystemsandprocesses.
• Maintainapolicythataddressesinformationsecurity.
FINES FOR NON-COMPLIANCE
Merchants may be fined by the card brands, up to $500,000 per incident, if they are compromised and were not PCI compliant at the time of the breach. The merchant may also be held responsible for other costs and losses arising from the compromise, such as:
• Fraudulent use of the compromised account numbers from the date of compromise forward.
• The cost of any additional fraud prevention or detection activities required by the card brand associations (e.g., a forensic audit).
• The costs incurred by card issuers as a result of the compromise (e.g., additional monitoring of the affected accounts for fraudulent activity).
• Reimbursing all card-issuing banks for the cost of reissuing compromised cards.
For more information, please visit: http://usa.visa.com/merchants/risk_management/cisp_merchants.html
MERCHANT LEVEL DEFINITIONS FOR PCI VALIDATION
Some aspects of PCI, including merchant classification, differ between card brands. The following chart shows how Visa, MasterCard, Discover, and American Express classify their merchants. Transaction counts are per brand, per year. MasterCard and Discover also treat a merchant that qualifies for a level under another brand as that level, so determine your level under every brand you accept and validate at the highest one that applies.

Merchant Level 1
Visa: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region. Compromised entities may be escalated to Level 1 at regional discretion.
MasterCard and Discover: More than 6 million MasterCard and Maestro (or Discover) transactions annually; any merchant suffering an attack that results in an account data compromise; any merchant meeting the Level 1 criteria of another payment brand; or any merchant that MasterCard, in its sole discretion, determines should meet the Level 1 requirements to minimize risk to the system.
American Express: 2.5 million transactions or more per year, or any merchant American Express otherwise deems a Level 1 merchant.

Merchant Level 2
Visa: Merchants processing 1 million to 6 million Visa transactions annually (all channels).
MasterCard and Discover: More than 1 million but fewer than 6 million MasterCard and Maestro (or Discover) transactions annually, or any merchant meeting the Level 2 criteria of Visa.
American Express: 50,000 to 2.5 million transactions per year.

Merchant Level 3
Visa: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.
MasterCard and Discover: More than 20,000 but fewer than 1 million MasterCard and Maestro (or Discover) e-commerce transactions annually, or any merchant meeting the Level 3 criteria of another payment brand.
American Express: Fewer than 50,000 transactions per year.

Merchant Level 4
Visa: Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.
MasterCard and Discover: All other merchants.
American Express: N/A (no Level 4 is defined).
PCI VALIDATION REQUIREMENTS BY MERCHANT LEVEL
Each merchant level carries three possible validation activities: an annual on-site review, an annual self-assessment, and quarterly security scans.

Merchant Level 1
Annual on-site review: Required, conducted by a Qualified Security Assessor (QSA).
Annual self-assessment: N/A.
Quarterly security scans: Required, using an Approved Scanning Vendor (ASV) against external IP addresses*.

Merchant Level 2
Annual on-site review: N/A (MasterCard: at the merchant's discretion).
Annual self-assessment: Required annually**.
Quarterly security scans: Required, using an ASV against external IP addresses*.

Merchant Level 3
Annual on-site review: N/A.
Annual self-assessment: Required annually.
Quarterly security scans: Required, using an ASV against external IP addresses*.

Merchant Level 4
Annual on-site review: N/A.
Annual self-assessment: Required annually (compliance validation at acquirer discretion).
Quarterly security scans: Required, using an ASV against external IP addresses* (compliance validation at acquirer discretion).

* Internet-accessible. Note that an ASV scan covers only the Internet-facing perimeter; PCI DSS Requirement 11 also calls for internal vulnerability scans and penetration testing, which a passing ASV scan does not satisfy.
** Effective June 30, 2012, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered merchant training programs (currently Internal Security Assessor [ISA] training) and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternatively, Level 2 merchants may, at their own discretion, complete an annual on-site assessment conducted by a PCI SSC-approved QSA rather than complete an annual self-assessment questionnaire.
Practical Payments Approach #8
Advanced Authorization Services

Over the last decade, the major card brands have introduced many new products targeting specific demographics. Well-known examples include rewards cards, prepaid cards, gift cards, and electronic benefit transfer (EBT) cards. These product lines have introduced significantly more data elements into the payment stream.

The flood of new data creates challenges and opportunities in managing authorizations for sustained and growing profitability. Now is an important time to have a payment processor with the technology to capitalize on the opportunities and mitigate the challenges.

NEW DATA AND ITS ROLE IN MODERN PAYMENTS
To support these new cardholder data streams, the major card brands developed richer, more descriptive data sets that better describe cards, cardholders, and purchases. Card brands pass some of this information along to payment processors in the authorization response, although not all processing platforms are able to capture and report it. As payments intelligence becomes an important differentiator in how businesses sustain and build customer relationships, smart businesses see payments data as key to their success.

Processing platforms that can pass this data through in the authorization response enable their merchants to implement better merchandising strategies, prevent customer churn, and increase revenue. Three specific data sets can have an immediate impact on merchants:
• Affluence indicators
• Prepaid indicators
• Account updater services
AFFLUENCE INDICATORS AND THEIR ROLE IN MERCHANDISING
Credit card companies target affluent households with premium card programs such as Visa "Signature" cards and MasterCard "World" cards. When these cards are used, both Visa and MasterCard provide payment processors with an "affluence indicator" in the authorization response. The indicator denotes two levels of affluence:
• "Mass Affluent": cardholders with an income greater than $100K.
• "Affluent": cardholders with an income greater than $100K who also spend more than $40K per year on the card.
Merchants who have this information at the time of authorization can adjust their sales approach to the needs and spending patterns of the consumer, potentially generating additional sales. By storing and analyzing this data, merchants can plan targeted marketing campaigns for this valuable cardholder demographic, which typically buys more often and tends to purchase more expensive items. These cardholders are also more likely to have high or no preset spending limits, which translates into higher authorization rates.
INCREASING AUTHORIZATION RATES USING PREPAID INDICATORS
Card-branded prepaid cards represent one of the fastest-growing card segments. They include non-reloadable cards such as gift cards, rebate cards, and employee incentive cards, as well as reloadable cards such as payroll cards, government EBT cards, and teen cards. Authorization responses on prepaid cards also carry valuable data:
• Visa, MasterCard, Discover, and American Express all return an indicator that identifies the card as prepaid.
• Non-reloadable Visa and MasterCard prepaid cards also return the available balance.
• Some Visa and MasterCard issuers provide balance information for reloadable cards.
Many CNP merchants process prepaid card payments the same way they process credit and debit card payments. For merchants who use recurring payments or installment billing this presents an obvious problem: a prepaid card is far more likely to run out of balance at some point during the billing series. Since prepaid cards can represent anywhere from 10% to 40% of authorization volume for many CNP merchants, a predefined strategy for managing prepaid cards is advised.
By contrast, if a merchant knows at authorization time that a card is prepaid, and can determine the remaining balance, it gains opportunities to accept payment or adjust the offer. For example:
• Instead of offering recurring or installment billing, the merchant can offer the product or service on a fixed-term basis with an attractive one-time payment.
• Merchants processing prepaid card sales originating from affiliates can adjust the way they pay commissions based on the authorization response.
INCREASING REVENUE WITH ACCOUNT UPDATING ADVANCES
Businesses that bill on a recurring or installment basis know that card changes, whether caused by data breaches, issuing bank portfolio swaps, card upgrades, expiration date changes, or other reasons, can interrupt the billing series and potentially sever the customer relationship for good.
Over the past decade, the major card brands have introduced "Account Updater" services that allow merchants, via their processors, to submit card data on file to the networks so that stale information can be updated and corrected.
These services have been well received by all parties: merchants retain more customers, customers enjoy uninterrupted service, the networks maintain sales volume, and card issuers see increased account balances. Traditional updater systems, however, have some shortcomings:
• Merchants must build and maintain an IT infrastructure to support the system.
• The added processes intrinsically introduce inefficiencies into the merchant's operations.
• Transmitting card data in update files exposes the merchant to additional risk it may wish to avoid.
A second generation of Account Updater has emerged that removes these burdens from the merchant. Payment platforms supporting this option effectively offer account updating as an automated, managed service. Benefits of this approach include:
• No need to invest in IT infrastructure, coding, or data transmission.
• Elimination of the file-based update process, resulting in faster, more secure, and more efficient processing.
• Refreshed card information is stored at the processor (in the cloud) for future use.
Some merchants may still want to keep the updated card information in their own systems. If so, they should make sure their processor can return updates in the authorization response, and they should remember that any card data held locally remains in PCI scope. As merchants weigh the security benefits of an automatic Account Updater service, they should also ensure that the solution they select is fully integrated with available data security solutions such as tokenization (see Practical Payments Approach #9), so that updated card data stays in the vault rather than flowing back into the merchant's systems.
Practical Payments Approach #9
Tokenization

Data breaches occur more frequently than ever. Data thieves don't discriminate: merchants and processors of every size are victims. Many breaches are particularly insidious because they go undetected for months, or longer, after the initial intrusion. Many victims had validated as PCI compliant, which shows that compliance validation is a point-in-time snapshot, not a guarantee. New technologies are emerging that, combined with the PCI approaches and standards, significantly bolster data security while lowering costs.

THE COST OF PROTECTING YOURSELF
Protecting yourself against a data breach is an expensive endeavor. Merchants face direct expenses for both compliance and liability. According to Gartner Research, Level 2 merchants (those processing between 1 million and 6 million Visa or MasterCard transactions per year) can expect to pay $1.1MM to become PCI compliant, and maintaining compliance can cost up to $135K per year. Liability insurance for these same merchants can run between $150K and $900K annually. Insurance can offset the financial costs of a breach, but it does nothing to protect the company's reputation and valuable customer base. Emerging technologies that reduce the likelihood of a breach, and shrink the amount of card data a merchant holds, can lower the costs of compliance, liability, and brand damage.
PCI, E2EE, AND TOKENIZATION

PCI
PCI (see Practical Payments Approach #7) has been promoted by the card brands and the industry as the leading defense against card data breaches. Compliance, however, is costly and time consuming, and it does not limit the merchant's liability. Given the number of breaches at PCI-compliant businesses, firms are looking to augment their protection. Two technologies have emerged to combat the problem: end-to-end encryption and tokenization. They are often thought of as competing, but there are situations where they are complementary: encryption protects the card number on its way to the vault, and tokenization removes the card number from everything downstream.

END-TO-END ENCRYPTION (E2EE)
E2EE addresses the card data while it is in transit or at rest. PCI-compliant companies already use some level of encryption, because the standard requires them to encrypt the data during transmission and to "protect" it when stored, which most often means encrypting it. In this model the data has to be decrypted for processing and re-encrypted before it is stored or transmitted onward. E2EE therefore provides point-to-point security, but it leaves a window of exposure every time the data is decrypted for use, and wherever the merchant decrypts, it holds both the key and the card number, so those systems stay in PCI scope. (The PCI SSC's validated form of this model is called point-to-point encryption, P2PE.)

Tokenization
Tokenization addresses security while the card data is in transit, at rest, and in use. It replaces the card account number with a "token" generated by a third-party service provider, so the merchant is not required to store any card data at all. The tokens are designed to be used in place of card numbers by all of the merchant's systems. Because only the token circulates during use, tokenization is usually the more secure solution for merchants, and it removes the cost of encrypting, decrypting, and re-encrypting data every time card information is needed. For this to hold, the token must be generated so that the card number cannot be derived from it by anyone without access to the vault; a token that is merely a hash or reversible encryption of the card number does not meet that bar and is still treated as cardholder data.
Tokenization is increasingly popular and is now available from more payment processors and other third parties. Every implementation is different, so it is important to choose a vendor whose features provide the most security with the least IT investment. Features and points to consider:
• Tokens should take on the general format of card numbers so they can flow through the merchant's systems like ordinary card numbers without significant programming changes. They should still be distinguishable from live card numbers (for example, by failing the Luhn check) so that staff and tools cannot mistake a token for a real account number.
• Tokens should be valid only for the merchant to whom they are registered. This renders them useless to anyone else, including a thief who copies the merchant's database.
• Tokens should be usable by any authorized individual in your organization.
• It should be possible to use tokens in place of card numbers for all subsequent payment transactions, including authorizations, deposits, refunds, and chargebacks.
• Select a vendor that lets you retain absolute ownership of the tokenized data, in case you wish to move to a different solution or processing platform later.

A CLOSER LOOK AT TOKENIZATION
In a tokenized environment, cardholder data is transmitted a single time and is stored in a third-party data vault, not locally by the merchant. Upon registering a card account number, a token is returned and is used in all subsequent transactions. The merchant may store the token locally, but its card-number equivalent lives only in the third-party vault.

[Figure: tokenization data flow. The account number travels from the cardholder/consumer through the merchant to the processor/acquirer, the card associations, and the issuer; the merchant's own database holds only the token, while the account number is kept in the processor's vault.]
ANOTHER CONSIDERATION
With basic tokenization there remains a small window of exposure: the moment the customer first enters his or her card data on the merchant's site and that data passes through the merchant's systems on its way to the processor for tokenization. Robust tokenization solutions close this window with a web service that provides point-to-point security during this stage. The vendor supplies embeddable "payment page" code that interacts with the processor directly from the customer's browser, so the clear-text card number never touches the merchant's servers. What the merchant receives in its place is a registration key. When checkout completes, the merchant exchanges this key, server to server, for a token representing the card data already stored at the processor. Treat the registration key as a short-lived, single-use secret bound to that checkout session: anyone who holds it can attach that customer's stored card to an order.
While tokenization will not completely eliminate the need for PCI compliance and liability insurance, it can significantly reduce their cost and better protect your brand.
Complete documentation on tokenization can be obtained from the PCI Security Standards Council via this URL: www.pcisecuritystandards.org/documents/Tokenization_Guidelines_Info_Supplement.pdf
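The vault behaviour described in this section (a merchant-scoped, card-format token that is not derivable from the card number, plus the payment-page registration key that is later exchanged for the token) can be shown in a few dozen lines. The following is an added example written for this page; it is not Vantiv's code and does not describe any particular vendor's product. The class and method names, the key lifetime, and the choice to make tokens fail the Luhn check are assumptions of the example. The sample card numbers are the well-known industry test numbers, not real accounts.

```python
"""Toy tokenization vault (added example for this page, not Vantiv's code).

Models the behaviour the text describes: the merchant sends a PAN once, gets
back a merchant-scoped token of the same length, and uses that token for every
later transaction. Also models the payment-page flow, where browser-side
registration yields a short-lived key that the merchant's server later
exchanges for the token. Names, key lifetime and the Luhn rule are assumptions.
"""
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed sample input: standard industry test PANs, not real accounts.
TEST_VISA = "4111111111111111"
TEST_MASTERCARD = "5555555555554444"


def luhn_valid(number: str) -> bool:
    """True if the digit string passes the Luhn check (every real PAN does)."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        digit = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


class TokenVault:
    """Stands in for the processor's vault. The merchant never runs this code,
    it only calls it, so the PAN-to-token map never lives on merchant systems."""

    REG_KEY_TTL = 600.0  # seconds a registration key stays redeemable (assumed)

    def __init__(self) -> None:
        self._pan_by_token: Dict[Tuple[str, str], str] = {}  # (merchant, token) -> PAN
        self._token_by_pan: Dict[Tuple[str, str], str] = {}  # (merchant, PAN) -> token
        self._reg_keys: Dict[str, Tuple[str, str, float]] = {}  # key -> (merchant, token, expiry)

    def _mint_token(self, merchant_id: str, pan: str) -> str:
        """Random token of the same length that keeps the last four digits (for
        receipts) and deliberately fails Luhn, so it can never be a valid PAN.
        It is drawn from a CSPRNG, not computed from the PAN, so nothing can
        be derived from it without the vault."""
        while True:
            body = "".join(secrets.choice("0123456789") for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if not luhn_valid(token) and (merchant_id, token) not in self._pan_by_token:
                return token

    def tokenize(self, merchant_id: str, pan: str) -> str:
        """Register a PAN for a merchant. The same card always maps to the same
        token for that merchant, and to a different token for another merchant."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
            raise ValueError("not a well-formed PAN")
        key = (merchant_id, pan)
        if key not in self._token_by_pan:
            token = self._mint_token(merchant_id, pan)
            self._token_by_pan[key] = token
            self._pan_by_token[(merchant_id, token)] = pan
        return self._token_by_pan[key]

    def detokenize(self, merchant_id: str, token: str) -> str:
        """Only the registering merchant (via the processor) can resolve a token."""
        try:
            return self._pan_by_token[(merchant_id, token)]
        except KeyError:
            raise PermissionError("token is not registered to this merchant") from None

    # Payment-page flow: browser -> vault first, then merchant server -> vault.

    def register_from_payment_page(self, merchant_id: str, pan: str,
                                   now: Optional[float] = None) -> str:
        """Called by the embedded payment-page code from the customer's browser.
        Stores the card and returns an opaque, single-use registration key;
        the merchant's own servers never see the PAN."""
        token = self.tokenize(merchant_id, pan)
        reg_key = secrets.token_urlsafe(24)
        expires = (time.time() if now is None else now) + self.REG_KEY_TTL
        self._reg_keys[reg_key] = (merchant_id, token, expires)
        return reg_key

    def redeem_registration_key(self, merchant_id: str, reg_key: str,
                                now: Optional[float] = None) -> str:
        """Called server-to-server by the merchant when checkout completes.
        The key is consumed on first use and refused after expiry."""
        entry = self._reg_keys.pop(reg_key, None)
        if entry is None:
            raise PermissionError("unknown or already-used registration key")
        owner, token, expires = entry
        if owner != merchant_id or (time.time() if now is None else now) > expires:
            raise PermissionError("registration key expired or belongs to another merchant")
        return token


if __name__ == "__main__":
    vault = TokenVault()
    tok = vault.tokenize("merchant-A", TEST_VISA)
    print("token:", tok, "luhn:", luhn_valid(tok), "pan:", vault.detokenize("merchant-A", tok))
    key = vault.register_from_payment_page("merchant-A", TEST_MASTERCARD)
    print("registration key redeemed to:", vault.redeem_registration_key("merchant-A", key))
```

The two properties worth checking in any real vendor are the ones this toy makes explicit: detokenizing under a different merchant identity must fail, and a token must come from a random source rather than from a hash or cipher of the card number. The Luhn-failing token is a design choice of this example; some vendors instead reserve a distinctive prefix, but the goal is the same, a token that no downstream system can mistake for a live card number.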
Practical Payments Approach #10
Negative Option Marketing

Do your customers consent in advance to recurring purchases of products or services that continue until they cancel? If you use this type of marketing, known as negative option or continuity marketing, especially via e-commerce, you are continually on the radar of lawmakers and government regulators at both the state and federal level.
We've developed the following practical approaches for negative option marketing, which cover regulatory considerations as well as the rules of the major card brands.

ADVERTISING
• Merchants should be able to substantiate any performance claims shown on their websites. Performance claims include, but are not limited to, guaranteed results, false cures, and weight-loss promises.
• Media logos (MSN, CNN, etc.) are prohibited without written consent from the media outlets.
• Images and endorsements of celebrities are prohibited without their express written consent.
• Merchants should be able to substantiate testimonials shown on the website.
• Websites cannot create a false sense of urgency to purchase (e.g., countdown clocks, "limited time only," "offer expires today," "check availability," etc.).
• If clinical trial information is displayed, the entity that conducted the trial should be identifiable and unrelated to the organization selling the product or service.
• Use of "Free Trial" or "Risk Free Trial" is prohibited if, at the conclusion of the trial, the consumer is charged full price for the initial trial product.
If there are qualifications for the trial, they should follow preset logic. Consumers who do not meet the qualifications should be disqualified and not allowed to receive the trial. Qualifications include, but are not limited to, age, sex, race, weight, height, etc.
TERMS AND CONDITIONS SHOULD:
• Be in at least 12-point font (or the same size as all other text on the payment page) with no confusing color contrast.
• Be clearly disclosed on the payment page, either adjacent to or directly above the submit button.
• Include details of the trial period, the renewal period, the trial start and end dates, and the cost of the trial and of renewals.
• Bill each cardholder no more than once a month (every 30 days).
• Include an "I agree to the terms" checkbox on the payment page.
• Never use pre-checked boxes.
• Disclose the cancellation policy directly on the payment page.
CUSTOMER SERVICE
• There should be a "Contact Us" link on the website.
• "Contact Us" should include a toll-free phone number, an email address, and hours of operation.
• Average hold time should not exceed 2 minutes.
• Customer service hours should be reasonable for the region in which the product is sold. Example: for a target market of the USA, customer service hours of 8:00 am ET to midnight ET should be the minimum.
• A purchase confirmation email should be sent to the consumer. The email should restate the terms, including the length of the trial period, renewal terms, how to cancel, and customer service contact information.
• Ensure billing descriptors are consistent with the website name, marketing materials, and confirmations sent to the consumer.
BILLING PRACTICES
• CVV (the card security code) should be implemented: the merchant should collect it and decline all transactions where the CVV result is "No Match". PCI DSS prohibits storing the security code after authorization, even encrypted, so use it for the authorization and then discard it.
• AVS should be implemented: the merchant should perform an AVS check and decline all transactions where the AVS response is "ZIP Code Does Not Match".
• If shipping insurance is offered, it should not be pre-checked; the consumer must opt in to any additional insurance.
• Shipping and handling charges cannot be billed separately from the monthly recurring charges.
• Shipping and handling charges associated with the trial should be charged as one transaction.
• When a customer is issued a refund, the merchant should cancel all future billing events.
• Full refunds, including shipping and handling, should be given on all merchandise for consumer satisfaction.
• Mandatory up-sells are prohibited; the consumer must opt in to every up-sell.
• Up-sell products should be owned by the company that owns the website. The consumer's card data cannot be shared with or passed to a third party. All up-sells must be a single charge; recurring up-sells are prohibited even with the consumer's acceptance.
• The terms and conditions of the up-sell should be clearly displayed, either adjacent to or above the "I Enroll", "Upgrade My Order", or similar button.
DISTRIBUTION
• The merchant cannot capture the deposit transaction until the product has actually shipped.
• Shipping should occur within 48 hours of purchase, or the longer timeframe should be clearly stated.
• Tracking information should be sent to the consumer via email.