Worldpay Editorial Team
July 10, 2019
A card not present (CNP) transaction is one that is conducted via the telephone, internet, mail, or mobile device, whereby the physical card is not presented to the merchant. The following is a robust overview of 10 useful practices for card not present transactions:
In payment processing, most practices are built on the following three principles:
These three general approaches apply to both card present and card not present transactions, to help merchants save money, reduce risk, and improve operational efficiency when processing digital and direct payments.
Contact information: Clearly display your business’ contact information on every page of a catalog, website, on shipping materials, and on all correspondences. If customers can’t reach you about a dispute, they will call their card issuer, which might lead to a chargeback (see #2). Contact information should include a toll-free phone number (digits, no letters) and an email address.
Billing descriptor: This identifies you on the customer’s credit card statement. For example: LNC*EXECUTIVEGADGETS 800-5551212 MA
Use a company name or brand the customer will recognize and include a toll-free telephone number. If your customer doesn’t remember the purchase, they will generally call the number in the descriptor before contacting the card issuer.
Billing descriptors can be truncated by processing systems, causing incomplete phone numbers. Avoid this by confirming your descriptors monthly, making test purchases with various credit cards, and reviewing the descriptions online and on your statement. For detailed information on billing descriptors, see #6.
Email confirmations: Send an immediate email confirmation whenever an order or refund is processed. Always indicate that the card issuer may require a full billing cycle to apply a refund, so the refund may not appear immediately on an online statement.
Policies: Post clear policies for billing, returns, shipping, back orders, and privacy. This will provide your credit card processor with additional evidence to fight chargebacks and win representments. Order confirmation emails should include this information in the content or via a web page link.
Customer information: Obtain the customer’s evening and daytime phone numbers, and email address. This is particularly important if the shipping and billing addresses are different and with high value orders.
Card information: Ask for the name as it appears on the card, the account number, the card type, and the expiration date (make sure it is a future date). Also ask for the CVV/CVC/CID numbers on the back of the credit card to establish the customer’s physical possession of the card. See #5.
Added protection: Online merchants should consider using Verified by Visa or Mastercard’s SecureCode. Ask your processor if these enhanced anti-fraud programs are right for you.
Credit card fraud remains a major problem that costs merchants, consumers, and financial institutions billions of dollars every year. Many factors are involved in protecting cardholder data, and the risks are different for card present and card not present transactions.
While chip-enabled EMV cards have largely delivered on their security promises for card present fraud, chip cards don’t have the same effect on fraud that occurs on card not present transactions. So it’s important to implement other security measures, outlined in the following sections of this article.
The Payment Card Industry Data Security Standard, more commonly known as PCI, provides a good overview for protecting cardholder data (see #7 for detailed information on PCI). PCI suggestions include:
Observing these guidelines can reduce your exposure to chargebacks and can result in lower interchange fees:
Chargebacks occur when a customer disputes a charge on a card. The customer contacts his/her card issuer and initiates the process through your payment processor. Your processor will likely charge you a fee for each chargeback you receive. You often have the right to fight the dispute in a process called representment, where you must substantiate the charge by providing verification of the sale. Generally, if you cannot substantiate the sale, you will have to reimburse the customer.
Chargebacks can be costly, time consuming, and can threaten your merchant account. Depending on the card type, chargeback rates exceeding 0.5% or 1.0% (by sale count) can result in substantial fines and excessive rates can cause your merchant account to be terminated with the possibility of card brand banishment. Even a small number of chargebacks demonstrates that you have some unhappy customers.
Three common chargeback reasons for merchants that accept card not present transactions are:
"Unauthorized Use" chargebacks occur when consumers claim their cards were used without their knowledge or permission. In some cases, this will reflect actual fraud and may require the issuing bank to close the account. Asking the consumer for additional card information like the CVV/CVC/CID code (see #5) at the time of purchase can greatly reduce this form of chargeback.
"Authorization Not Obtained" chargebacks occur when the card issuer believes that a valid authorization was not obtained for a deposit. The merchant may have attempted a forced deposit, used an invalid authorization, or obtained a voice authorization. This type of chargeback often occurs when multiple partial deposits are made against single authorizations. A combination of sound procedures and proper exception handling by your processor can eliminate these chargebacks.
"Recurring Transactions" chargebacks occur when a consumer believes they have been billed after cancelling a subscription, membership, or multi-payment billing series (e.g. continuity program or installment payments). Using clear and explicit billing descriptors will help you avoid these types of chargebacks for card not present transactions (see #6). Be certain to quickly acknowledge and record any correspondences with customers regarding changes or cancellations. This should include keeping records of all phone calls.
|Suggested Actions to avoid these common chargeback reasons||Unauthorized Use (Products)||Unauthorized Use (Services)||Authorization Not Obtained||Cancelled Recurring Transaction|
|Always conduct an AVS check. Only process orders with a valid AVS response||●●||●●|
|Obtain evidence of receipt of goods (i.e., signed shipping receipt).||●●●|
|Web sales: Consider using Verified By Visa or Mastercard's SecureCode. This provides card ownership and enhances the merchant's position on chargeback representment.||●●||●●|
|Require card identification numbers like CVV (Visa), CVC (MC), and CID (AX). See approach #5.||●●||●●|
|Process refunds as quickly as possible.||●●||●●||●●||●●|
|Notify consumers in writing by email and/ or mail when a refund has been issued or a membership cancelled. Provide them with the date the transaction was submitted and a reference number.||●●||●●||●●|
|Always provide a clear billing descriptor with a phone number so the consumer can contact you directly rather than calling their bank to discuss any dispute.||●●||●●||●●|
|Always provide a contact phone number and an email address on your website so consumers can contact you directly.||●●||●●||●●|
|State the terms and conditions of the sale or service clearly and in plain view. All correspondences should include this information in the message or via a link to a web page.||●●||●●||●●|
|Use email to notify consumers of the details of sales and to indicate that their cards will be charged.||●●||●●|
|Obtain written or electronic signatures from cardholders giving you permission to charge their cards on a regular basis for monthly fees or recurring payments. See approach #6.||●●||●●|
|Make it very easy for members or subscribers to cancel - have a "no-questions-asked" policy.||●●||●●|
|Authorizations must always be done for every deposit.||●●||●●|
|Deposits must not exceed the amount you have authorized.||●●||●●|
|Authorizations must be "positive."||●●||●●|
|Avoid using voice authorizations.||●●||●●||●●|
|If you are settling a transaction with an authorization more than 7 days old, you must reauthorize the transaction. While the authorization might still be valid, you will likely receive a better interchange rate. See approach #3.||●●||●●|
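The last five rows of the table are the rules that keep a deposit from triggering an "Authorization Not Obtained" chargeback or an interchange downgrade. The following added example (written for this page, not Worldpay's code) turns them into a pre-settlement check: every deposit must reference a positive, electronically obtained authorization that is unused, large enough, and no more than 7 days old. The Authorization class, the field names and the sample authorizations are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Re-authorize before settling against an authorization older than this
# (the 7-day figure is the one given in the table above).
MAX_AUTH_AGE = timedelta(days=7)


@dataclass
class Authorization:
    """One authorization response held by the merchant (constructed record layout)."""
    auth_code: str
    amount: float            # amount the issuer approved
    approved: bool           # True only for a "positive" (approved) response
    obtained_at: datetime
    voice: bool = False      # obtained by phone rather than electronically
    deposited: float = 0.0   # amount already settled against this authorization


def check_deposit(auth, deposit_amount, now):
    """Return the list of rule violations for settling deposit_amount against auth.

    An empty list means the deposit follows every rule in the table; each string
    names one problem so it can be logged or routed to an exception queue.
    """
    if auth is None:
        # Settling with no authorization at all is a forced deposit.
        return ["no authorization on file (forced deposit)"]
    problems = []
    if not auth.approved:
        problems.append("authorization is not positive (declined/referral response)")
    if auth.voice:
        problems.append("voice authorization; obtain an electronic authorization")
    if auth.deposited > 0:
        problems.append("a deposit was already made against this authorization")
    if auth.deposited + deposit_amount > auth.amount + 1e-9:
        problems.append("deposit would exceed the authorized amount")
    if now - auth.obtained_at > MAX_AUTH_AGE:
        problems.append("authorization is more than 7 days old; reauthorize")
    return problems


def settle(auth, deposit_amount, now):
    """Settle only when check_deposit finds nothing; returns (ok, problems)."""
    problems = check_deposit(auth, deposit_amount, now)
    if problems:
        return False, problems
    auth.deposited += deposit_amount
    return True, []


def sample_results():
    """Run the rules over constructed sample authorizations; returns the outcomes."""
    now = datetime(2019, 7, 10, 12, 0)
    fresh = Authorization("A1B2C3", 59.99, True, now - timedelta(days=1))
    stale = Authorization("D4E5F6", 120.00, True, now - timedelta(days=9))
    voice = Authorization("G7H8I9", 10.00, False, now, voice=True)
    return {
        "fresh_first": settle(fresh, 59.99, now),
        "fresh_second": settle(fresh, 1.00, now),   # second deposit on the same auth
        "stale_over": check_deposit(stale, 150.00, now),
        "voice_declined": check_deposit(voice, 10.00, now),
        "forced": check_deposit(None, 10.00, now),
    }


if __name__ == "__main__":
    for name, outcome in sample_results().items():
        print(f"{name}: {outcome}")
```

Run it before each settlement batch rather than after: a deposit that fails the check is cheaper to re-authorize than to defend in representment.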
Interchange is a fee mandated by Visa and Mastercard that the merchant’s acquiring bank (often represented by a payment processor) pays to the card issuing bank on each sales transaction. Acquirers or their processors pass this fee along in some form to the merchant. Interchange was developed as an income incentive for banks to issue Mastercard and Visa cards. Today, there are hundreds of distinct rates based on transaction and industry type. Interchange also typically represents the largest portion of a merchant’s total fees.
While interchange is paid to the card issuers, assessments are paid directly to Visa and Mastercard and typically offset the brands’ costs to operate and regulate the networks. These fees are also passed along in some form to the merchant and generally represent the smallest portion of a merchant’s total fees.
The following chart depicts the typical fees a merchant might incur for a given card not present transaction. It introduces another fee, which is the fee your payment processor charges for sponsoring you into the Visa and Mastercard networks. This example is based on a $100 purchase from an online merchant and uses the Visa "CPS/Card-Not-Present" interchange rate.
| Fee | Interchange (I) | Assessments (A) | Processor (P) | Total (D) |
|---|---|---|---|---|
| Published | 1.80% + $0.10 | 0.11% | $0.25 | 1.91% + $0.35 |
| Expressed as $ | $1.90 | $0.11 | $0.25 | $2.26 |
| Expressed as % | 1.90% | 0.11% | 0.25% | 2.26% |
Generally, interchange rates are charged as a percentage of the sale plus a fixed fee. This structure allows the card brands to protect themselves with respect to very large and very small transaction values. Assessments are mostly expressed as a small percentage only. Payment processors may structure their fees at their discretion and can vary widely. In this example, we use a fixed per-transaction charge.
Many payment processors use a bundled "discount" rate. That is, they present the merchant with a flat percentage rate that blends all of the fees described above. This idea can be expressed in a formula using the abbreviations in the chart: D = I + A + P. In this case, the payment processor would charge the merchant 2.26% for each qualifying transaction.
While simple to understand, this type of pricing can hide the true cost of doing business from the merchant. The processor will normally present the merchant with a tiered discount structure consisting of "qualified," "mid-qualified," and "non-qualified" discounts. The latter two rates are typically higher than the quoted rate and represent downgrades. Bundled rates can become even more complicated as many processors will add a fixed, per transaction fee on top of the flat percentage rate.
Some processors offer a "pass-through" model. Also known as the "Cost Plus" model, the processor reports on all of the constituent components, "I," "A," and "P" as separate fee areas. While more complex, this style of billing is transparent and can help reduce downgrades and optimize interchange.
To obtain the best interchange rate, a sale transaction must conform to certain rules established by the card brands. The following example depicts three Visa rates applicable to card not present transactions:
| Visa interchange category | Rate |
|---|---|
| CPS/Card-Not-Present | 1.80% + $0.10 |
| Electronic Interchange Reimbursement Fee (EIRF) | 2.30% + $0.10 |
| Standard Interchange Reimbursement Fee | 2.30% + $0.10 |
The second and third rates are undesirable downgrades. You can likely get the best interchange rate (1.8% + $0.10) for card not present transactions by:
In today’s interchange landscape, some downgrades are unavoidable. Merchants have been particularly hard hit, for example, by higher rates associated with rewards cards. These higher rates help pay for the cardholders’ points and perks.
Interchange rates are usually updated twice a year, so it’s important to work closely with your processor to avoid downgrades and optimize your overall interchange exposure. You should also select a processing platform with reporting capabilities that let you review interchange qualification regularly. Rate reviews and optimization strategies should occur at least quarterly.
For more information, please refer to the published rates on Visa and Mastercard’s websites.
What happens to interchange when you process a refund? According to Visa and Mastercard regulations, the card issuer should return the interchange to the merchant. In practice, the issuer returns the interchange back to the payment processor, and in some cases the payment processor keeps the returned interchange.
If your refunds average more than 5% of sales, the missing rebates can add up. If your processor charges a 2.3% discount rate and is not rebating interchange on returns, that 2.3% can become an effective rate of 3% or higher. Of course, average ticket price must be considered in the calculation, but you can see the potential for this hidden cost.
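The fee chart in this section, the bundled-versus-pass-through discussion, and the refund point just above all come down to one cost model. The added example below (constructed for this page, not Worldpay's pricing code) implements it: each component is a percentage plus a fixed amount, the pass-through view reports I, A and P separately with D = I + A + P, and a bundled rate blends them. It also shows two things the chart alone does not: how the fixed $0.10 and $0.25 items swing the effective rate on small and large tickets, and what happens to the effective rate on net sales when refunds are not rebated. The refund model (discount rate charged on every sale, interchange percentage returned only if the processor rebates it, fixed items ignored) is an assumption made for illustration, not a formula from the article.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FeeComponent:
    """A card-processing fee quoted as a percentage of the sale plus a fixed amount."""
    name: str
    percent: float   # 1.80 means 1.80 % of the sale amount
    fixed: float     # fixed charge per transaction, in dollars

    def cost(self, amount):
        return amount * self.percent / 100 + self.fixed


# The three components from the article's $100 card-not-present example:
# Visa CPS/Card-Not-Present interchange, the network assessment, and the
# processor's fixed per-transaction charge.
INTERCHANGE = FeeComponent("I", 1.80, 0.10)
ASSESSMENT = FeeComponent("A", 0.11, 0.00)
PROCESSOR = FeeComponent("P", 0.00, 0.25)


def pass_through_fees(amount):
    """Cost-plus view: I, A and P reported separately, plus D = I + A + P."""
    fees = {c.name: round(c.cost(amount), 4)
            for c in (INTERCHANGE, ASSESSMENT, PROCESSOR)}
    fees["D"] = round(sum(fees.values()), 4)
    fees["effective_percent"] = round(fees["D"] / amount * 100, 4)
    return fees


def bundled_fee(amount, discount_percent, per_transaction=0.0):
    """Bundled view: one blended 'discount' rate, optionally plus a fixed per-item fee."""
    return round(amount * discount_percent / 100 + per_transaction, 4)


def effective_rate_with_refunds(discount_percent, refund_ratio,
                                rebate_interchange, interchange_percent=1.80):
    """Effective fee rate on net sales when refund_ratio of gross sales is refunded.

    Assumed model: the discount rate is charged on every sale; on a refund the
    issuer returns the interchange percentage, which reaches the merchant only
    if the processor rebates it. Fixed per-item fees are ignored here.
    """
    fees_per_gross_dollar = discount_percent / 100
    if rebate_interchange:
        fees_per_gross_dollar -= interchange_percent / 100 * refund_ratio
    net_sales_per_gross_dollar = 1 - refund_ratio
    return round(fees_per_gross_dollar / net_sales_per_gross_dollar * 100, 4)


if __name__ == "__main__":
    for ticket in (10, 100, 1000):
        print(f"${ticket}: {pass_through_fees(ticket)}")
    print("bundled 2.26% on $100:", bundled_fee(100, 2.26))
    print("2.3% rate, 5% refunds, no rebate:",
          effective_rate_with_refunds(2.3, 0.05, rebate_interchange=False))
    print("2.3% rate, 5% refunds, rebated:",
          effective_rate_with_refunds(2.3, 0.05, rebate_interchange=True))
```

The $10 ticket comes out at over 5% effective while the $1,000 ticket is under 2%, which is the "very large and very small transaction values" point made above; the refund comparison shows why asking a processor whether it rebates interchange on returns is worth the conversation.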
Address Verification Service (AVS) is an automated fraud prevention service designed to reduce the risk associated with card not present transactions.
AVS helps minimize fraudulent transactions by verifying the cardholder’s billing address with the card issuer. The merchant must initiate the AVS check by providing the proper data in each transaction. Verification results help the merchant decide whether to accept a particular order or take follow-up action.
AVS uses two pieces of extra information in the authorization request you send to your payment processor: the numeric portion of the cardholder’s address and the ZIP code. Your payment processor compares this information against information at the cardholder’s issuing bank, along with other factors (card number, expiration date, etc.) and issues an AVS Response Code.
Address Verification Service is transparent to your customer and applies to payments using Visa, Mastercard, American Express, and Discover cards.
To use AVS for card not present transactions, a merchant should:
| AVS result code | Meaning |
|---|---|
| 00 | 5-digit ZIP and address match |
| 01 | 9-digit ZIP and address match |
| 10 | 5-digit ZIP matches, address does not match |
| 11 | 9-digit ZIP matches, address does not match |
| 12 | ZIP does not match, address matches |
| 20 | Neither ZIP nor address match |
| 30 | AVS service not supported by issuer |
| 31 | AVS system not available |
| 34 | AVS not performed |
* The AVS codes listed above are numeric; processors may use alpha or numeric characters.
"ZIP does not match, address matches" or "ZIP code (5 or 9 digit) matches, address does not match"
Establish a dollar threshold that puts these orders in an AVS Hold report for special processing. Look for these suspicious attributes:
"Neither ZIP nor address match"
This is a strong indicator of fraud, but an AVS failure may be legitimate. Example: a customer has recently moved but has not notified their bank. Follow up by:
"AVS service not supported by issuer"
This is a typical response to an international order, which AVS does not support. One solution is to fax a credit card slip to the customer, requesting a faxed signature to verify the order. This may not be the most cost-effective means for all international orders, so a dollar threshold should be established to determine which orders must be validated.
To help reduce fraud for card not present transactions, the major credit card companies implemented authentication systems to ascertain if the credit card used in a transaction is actually in the possession of the owner. Knowledge of the card security value, known as CVV/CVC (Card Verification Value/Code), CMID (Card Member ID), and CID (Card Identification Number) by Visa, Mastercard, Discover, and American Express respectively, proves that the purchaser has seen the card, or has seen a record made by somebody who saw the card. In many countries it is now mandatory to provide this code when the cardholder is not present during the transaction.
The diagram below shows the location and number of digits used by each major card brand. Visa, Mastercard, and Discover use a three digit code in the signature strip, while American Express uses a four digit code on the front of the card. When collected, submitted, and substantiated during the authorization process, the security value significantly increases the probability that the person placing the order is in possession of the credit card. In combination with an AVS check (see #4), the card security value is a useful tool to minimize fraud from stolen card numbers and counterfeit cards.
| Result | What it means | Suggested action |
|---|---|---|
| M - Match | The cardholder's number matches the number stored at the issuing bank. | Complete the transaction (using anti-fraud tools such as AVS to supplement the decision to approve). |
| N - No Match | The number the cardholder submitted did not match the number at the issuing bank. | View the "No Match" as a sign of potential fraud. Examine the authorization response. |
| P - Request Not Processed | Processor is unavailable. | Resubmit the authorization request. |
| U - Issuer Does Not Support Feature | The issuing bank is not registered with the credit card company to use this secured feature. | Use other anti-fraud tools to determine whether to process the transaction or investigate further. |
CVV, CVC, CMID, and CID can help merchants differentiate between good customers and criminals. For example, these security codes can prevent fraud from cards obtained via "trash diving" or "skimming" techniques. CVV, CVC, CMID, and CID enable the merchant to make a more informed decision before completing a CNP transaction.
Using card security values potentially reduces fraud-related chargeback volume, particularly for card not present transactions. While it does not eliminate the risk of fraud, this additional security feature is designed to protect merchants by verifying that the card is present during the purchase. Reduced fraud chargebacks translate into retained revenue.
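Sections #4 and #5 each give a result table and a suggested action per result, and both say the two checks should be used together. The added example below (written for this page; not Worldpay's screening logic) combines them into one order-screening decision: the card security value result is consulted first, because "No Match" and "Request Not Processed" decide the outcome on their own, and the AVS result then refines the rest, with partial matches and issuer-not-supported responses going to the AVS Hold report only above a dollar threshold, as #4 advises. The numeric AVS codes are the ones from the table (your processor may use alphabetic codes that you would map onto these); the 250-dollar default threshold, the Decision names and the treatment of code 34 ("AVS not performed") as an unavailable result are assumptions made for illustration.

```python
from dataclasses import dataclass

# AVS result codes as listed in the table in #4 (numeric form).
AVS_MEANING = {
    "00": "5-digit ZIP and address match",
    "01": "9-digit ZIP and address match",
    "10": "5-digit ZIP matches, address does not match",
    "11": "9-digit ZIP matches, address does not match",
    "12": "ZIP does not match, address matches",
    "20": "neither ZIP nor address match",
    "30": "AVS service not supported by issuer",
    "31": "AVS system not available",
    "34": "AVS not performed",
}
AVS_FULL_MATCH = {"00", "01"}
AVS_PARTIAL_OR_UNAVAILABLE = {"10", "11", "12", "30", "34"}  # 34 grouped here by assumption

# Card security value results, from the table in #5.
CVV_MEANING = {
    "M": "match",
    "N": "no match",
    "P": "request not processed",
    "U": "issuer does not support feature",
}


@dataclass(frozen=True)
class Decision:
    action: str    # ACCEPT, HOLD, RETRY, FOLLOW_UP or REVIEW
    reason: str


def screen_order(avs_code, cvv_result, amount, hold_threshold=250.0):
    """Combine the AVS and card-security-value results into one suggested action.

    hold_threshold is the dollar amount at or above which orders with a partial
    or unavailable AVS result go to the AVS Hold report (constructed default).
    """
    if cvv_result not in CVV_MEANING or avs_code not in AVS_MEANING:
        raise ValueError("unknown AVS or CVV result code")

    # Results that decide the outcome regardless of AVS.
    if cvv_result == "N":
        return Decision("REVIEW", "card security value did not match: potential "
                        "fraud; examine the authorization response")
    if cvv_result == "P":
        return Decision("RETRY", "card security value not processed: resubmit "
                        "the authorization request")

    # For M and U the AVS result supplements (or stands in for) the CVV check.
    avs_text = f"AVS {avs_code}: {AVS_MEANING[avs_code]}"
    if avs_code in AVS_FULL_MATCH:
        return Decision("ACCEPT", f"{avs_text}; CVV {CVV_MEANING[cvv_result]}")
    if avs_code == "20":
        return Decision("FOLLOW_UP", f"{avs_text}: strong fraud indicator, but may "
                        "be a recent move; confirm with the customer before shipping")
    if avs_code == "31":
        return Decision("RETRY", f"{avs_text}: resubmit the authorization request")

    # Partial matches and issuer-not-supported (typical for international
    # cards) are only worth manual validation above the dollar threshold.
    if amount >= hold_threshold:
        return Decision("HOLD", f"{avs_text}; ${amount:.2f} is at or above the "
                        f"${hold_threshold:.2f} threshold: place on AVS Hold report")
    return Decision("ACCEPT", f"{avs_text}; below threshold, CVV "
                    f"{CVV_MEANING[cvv_result]}")


if __name__ == "__main__":
    # Constructed sample orders: (AVS code, CVV result, amount)
    for order in [("00", "M", 500.0), ("12", "M", 300.0), ("12", "M", 40.0),
                  ("20", "M", 40.0), ("30", "U", 900.0), ("00", "N", 20.0)]:
        print(order, screen_order(*order))
```

The reason string is meant to land in the order record and the AVS Hold report, so whoever works the hold queue sees why the rule fired rather than just that it did.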
Annual consumer spending through recurring payments is consistently growing. Merchants too have embraced recurring payment models because they make products more affordable and can generate larger, more predictable cash flows.
Recurring payments are used when a consumer agrees to pay for a product or a service at specific intervals over a certain period of time. For example, health club memberships, insurance premiums, utility bills, and subscription fees occur predictably over time. The recurrence may be fixed with pre-determined renewal periods (e.g. magazine subscription) or perpetual (e.g. telephone bills) and can occur monthly, quarterly, or annually. The periodic payments may be equal or may vary based on the characteristics of the sale. Recurring payments can increase payment timeliness, reduce processing costs, and lower the risk of error due to manual entry.
Payments made on installment billing plans are popular. On these plans, the period is fixed and the payments are typically identical. Payments are generally made monthly, with between 3 and 10 installments. The direct response television (DRTV) industry is a good example of where installment billing is used routinely, e.g. "three easy payments." Because the payments are smaller, merchants can sell more product with fewer chargebacks.
Billing descriptors are line items that appear on cardholder statements describing their purchases. Billing descriptors are typically static by default. They remain the same for different products sold by the same entity.
To obtain better interchange rates, most card companies require that card not present transactions use billing descriptors with a company’s name and customer service phone number. Static billing descriptors, such as the one below, are generally sufficient for companies offering a limited number of products:
Acme Industries 888-555-1234 . . . . . . . . . . . . . . . . . . . $14.95
Soft billing descriptors allow the merchant descriptor information to be modified on a per transaction basis (sometimes referred to as a "dynamic billing descriptor"). Certain direct marketing merchants (MCCs 5966, 5968, 5967, 5969, and 5962) are required to represent their company name with a three-letter prefix followed by a more detailed description of the product or service. Note that this field is typically limited to 25 characters (excluding the phone number). Not all processors support this feature, so be sure to choose a processor with this capability in case you need it in the future.
ACM* Great TV Hits 1 of 9 800-555-1234 . . . . . . . . . . $14.95
Soft billing descriptors are powerful tools. They enable merchants to more clearly identify transactions on cardholder statements. They are especially useful for installment billing where a cardholder’s payment progress can be noted in each statement. Dynamic billing descriptors are especially beneficial to merchants who sell multiple products or services through multiple companies or affiliates. Soft billing descriptors have been proven to enable customers to keep more accurate buying records, reduce chargebacks, and improve customer satisfaction.
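Two descriptor rules come out of #1 and #6: the descriptor field is limited to about 25 characters excluding the phone number, and processing systems can truncate the line so that the phone number is cut off. The added example below (constructed for this page, not Worldpay's code) builds a soft descriptor in the "ACM* Great TV Hits 1 of 9" form, trims the product text rather than the installment progress when the limit is hit, and then simulates a statement line of a given width to confirm the phone number survives. The 25-character limit and the three-letter prefix come from the text above; the statement width is a made-up parameter standing in for whatever a particular processor or issuer actually does.

```python
import re

DESCRIPTOR_MAX = 25   # character limit given in #6, excluding the phone number
PREFIX_RE = re.compile(r"^[A-Z]{3}$")


def build_soft_descriptor(prefix, product, installment=None, total=None):
    """Build a dynamic (soft) billing descriptor: 'ABC* <product> [n of m]'.

    The product text is trimmed so the whole descriptor stays within
    DESCRIPTOR_MAX characters; the installment suffix is never cut because it
    is the part that tells the cardholder where they are in the series.
    """
    if not PREFIX_RE.match(prefix):
        raise ValueError("prefix must be three uppercase letters")
    head = f"{prefix}* "
    tail = f" {installment} of {total}" if installment is not None else ""
    room = DESCRIPTOR_MAX - len(head) - len(tail)
    if room < 1:
        raise ValueError("no room left for the product description")
    descriptor = head + product[:room].rstrip() + tail
    if len(descriptor) > DESCRIPTOR_MAX:
        raise ValueError("descriptor exceeds the field limit")
    return descriptor


def statement_line(descriptor, phone, width):
    """Simulate a statement that cuts 'descriptor phone' at `width` characters.

    Returns (line, phone_intact). Use it as the automated half of the monthly
    descriptor check recommended in #1: if phone_intact is False at the width
    you observe on real statements, shorten the descriptor text.
    """
    line = f"{descriptor} {phone}"[:width]
    return line, line.endswith(phone)


if __name__ == "__main__":
    d = build_soft_descriptor("ACM", "Great TV Hits Collection Deluxe", 1, 9)
    print(d)                                   # ACM* Great TV Hits 1 of 9
    print(statement_line(d, "800-555-1234", 38))
    print(statement_line(d, "800-555-1234", 32))
```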
The Payment Card Industry Data Security Standard, commonly known as "PCI-DSS" or "PCI" for short, is a standard across the major global card brands Visa, Mastercard, American Express, Discover, and JCB to address cardholder account security. PCI was developed to safeguard the personal information of cardholders while in the possession or use of merchants, payment processors, and other entities that store, process, or transmit payment card information.
Understanding the basics of PCI, defining your merchant level, and understanding your validation requirements are critical. Failure to adhere to these requirements may result in significant fines for merchants and potential cancellation of their merchant accounts by the payment brands.
PCI is a series of security requirements for all companies that handle cardholder information. The following is a high-level list of the current PCI "Control Objectives."
Merchants may be subject to potential fines from the card brands of up to $500,000 per incident if the merchant is compromised and not PCI compliant at the time of the breach. Additionally, the merchant may also be responsible for other systemic costs or losses such as:
Some aspects of PCI, including merchant classification, differ between card brands. The following chart illustrates how Visa, Mastercard, Discover, and American Express classify their merchants.
| | Visa | Mastercard and Discover | American Express |
|---|---|---|---|
| Merchant Level 1 | Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region; compromised entities may be escalated at regional discretion | Greater than 6 million Mastercard and Maestro OR Discover transactions annually; any merchant suffering an attack resulting in an account data compromise; any merchant meeting the Level 1 criteria of another payment brand; any merchant Mastercard, in its sole discretion, determines should meet the Level 1 Merchant requirements to minimize risk to the system | 2.5 million transactions or more per year, or any merchant American Express otherwise deems a Level 1 Merchant |
| Merchant Level 2 | Merchants processing 1 million to 6 million Visa transactions annually (all channels) | Merchants processing 1 million but less than 6 million Mastercard and Maestro OR Discover transactions annually; any merchant meeting the Level 3 criteria of Visa | 50,000 - 2.5 million transactions per year |
| Merchant Level 3 | Merchants processing 20,000 to 1 million Visa e-commerce transactions annually | Merchants processing 20,000 but less than 1 million Mastercard and Maestro OR Discover e-commerce transactions annually; any merchant meeting the Level 3 criteria of another payment brand | Less than 50,000 transactions per year |
| Merchant Level 4 | Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually | All other merchants | N/A |
PCI validation requirements by merchant level
| | Annual On-Site Review | Annual Self-Assessment | Quarterly Security Scans |
|---|---|---|---|
| Merchant Level 1 | Required by Qualified Security Assessor | N/A | Required use of Approved Scanning Vendor for external IP addresses* |
| Merchant Level 2 | N/A (MasterCard - at merchant's discretion) | Required annually ** | Required use of Approved Scanning Vendor for external IP addresses* |
| Merchant Level 3 | N/A | Required annually | Required use of Approved Scanning Vendor for external IP addresses* |
| Merchant Level 4 | N/A | Required annually (compliance validation at acquirer discretion) | Required use of Approved Scanning Vendor for external IP addresses* (compliance validation at acquirer discretion) |
Over the last decade, the major card brands have introduced many new products targeting specific population demographics. Well-known examples include rewards cards, prepaid cards, gift cards, and electronic benefit transfer (EBT) cards. These product lines have introduced significantly more data elements into the payment stream.
The flood of new data creates challenges and opportunities in managing authorizations for sustained and growing profitability. Now is an important time to have a payment processor with the technology to capitalize on the opportunities and mitigate the challenges.
To support these new cardholder data streams, the major card brands developed robust and descriptive data sets that better describe cards, cardholders, and purchases. The card brands pass some of this information along to payment processors in the purchase authorization response, although not all processing platforms are able to capture and report the data. As data (payments intelligence, specifically) becomes an important differentiator in how some businesses sustain and build customer relationships, smart businesses see payments data as key to their success.
Payment processing platforms that are capable of passing the data in the authorization response often enable their merchants to implement better merchandising strategies, prevent customer churn, and increase revenue. There are three specific data sets that can have an immediate impact on merchants:
Credit card companies target affluent households with premier card programs such as Visa Signature cards and Mastercard World cards. When these types of cards are used, both Visa and Mastercard provide payment processors with an "Affluence Indicator" in authorization responses. The indicators denote two levels of affluence:
Merchants who have this information at the time of authorization can adjust their sales approach to the needs and spending patterns of the consumer, potentially generating additional sales. By storing and analyzing this data, merchants can plan future targeted marketing campaigns to this valuable cardholder demographic, which typically spends more often and tends to purchase more expensive items. These cardholders are also more likely to have higher or unlimited spending limits, providing higher authorization rates.
Card-branded prepaid cards represent one of the fastest growing card segments. These include non-reloadable cards like gift cards, rebate cards, and employee incentive cards, as well as reloadable cards like payroll cards, government EBT cards, and teen cards. Authorization responses on prepaid cards can also provide valuable data including:
Many merchants process card not present transactions with prepaid cards the same way they process credit and debit card payments. For merchants who use recurring payments or installment billing this presents obvious problems, as prepaid cards are more likely to become balance-depleted at some time during the billing series. Since prepaid cards can represent anywhere from 10-40% of authorization volume for many CNP merchants, a predefined strategy as to how to manage prepaid cards is advised.
In contrast, if a merchant knows that a card is prepaid and can determine the remaining balance, it creates opportunities to accept payments or make other adjustments. For example:
Businesses that bill on a recurring or installment basis know that card changes (the result of data breaches, issuing bank portfolio swaps, card upgrades, or expiration date changes, among other reasons) can interrupt the billing series and potentially sever the customer relationship forever.
Over the past decade, the major card brands have introduced account updater services that allow merchants, via their processors, to submit card data on file to the networks for updating and correcting stale information.
These services have been well received by all parties involved: merchants retain more customers; customers enjoy uninterrupted service; the networks maintain sales volume; and card issuers see increased account balances. However, traditional updater systems can have some shortcomings:
A second generation of account updater has emerged that removes these burdens from the merchant. Payment platforms supporting this option effectively offer account updating as an automated, managed service. Benefits of this approach may include:
Some merchants may still want to maintain the updated credit card information in their systems. If so, they should make sure their processor offers the option to return updates in the authorization response. Additionally, as merchants consider the significant security benefits offered by an automatic account updater service, they should ensure that the solution they select is fully integrated with available data security solutions such as tokenization (see #9).
Data breaches are occurring more frequently than ever. Data thieves don’t discriminate — both merchants and processors, regardless of size, are victims. Many breaches are particularly insidious because they go undetected for months, or longer, after an initial incursion. Some victims are PCI compliant, proving that such compliance doesn’t provide guarantees. New technologies are emerging that, when combined with other PCI approaches and standards, significantly bolster data security while lowering costs.
Protecting yourself against a data breach can be an expensive endeavor. Merchants encounter direct expenses for both compliance and liability. Insurance can mitigate any financial costs associated with a breach, but it often does nothing to protect the company’s reputation and valuable customer base. Using emerging technologies that lessen the likelihood of a data breach can lower the costs associated with compliance, liability, and brand damage.
PCI (see #7) has been promoted by the card brands and industry as the leading defense against card data breaches. Compliance is mandated for any merchant that accepts payment cards. In addition to complying with PCI, merchants are advised to augment their protection. Two technologies have emerged to combat the problem: end-to-end encryption and tokenization.
End-to-end encryption is a methodology that addresses security when the card data is in transit or at rest. PCI compliant companies employ some level of encryption as they are required to encrypt the data during transmission and protect it when it is stored. Most often this protection is in the form of encryption. In this scenario, the data has to be decrypted for processing and encrypted before being stored or transmitted. End-to-end encryption provides point-to-point security, but has some vulnerability when the data is decrypted for processing.
Tokenization is a methodology that addresses security when the card data is in transit, at rest, and while in use. Tokenization replaces card account information with "tokens" generated by a third-party service provider. In this manner, the merchant is not required to store any card data. These tokens are designed so they can be used in place of card numbers by all of the merchant’s systems. The additional security afforded during token usage usually means that tokenization is a more secure solution for merchants. Tokenization reduces the costs associated with having to encrypt, decrypt, and re-encrypt data each time access to credit card information is required.
In a tokenized environment, cardholder data is transmitted a single time and is stored by a third party data vault, not locally by the merchant. Upon registering a card-based account number, a token is returned and used in all subsequent transactions. A merchant may store a token locally, but its card equivalent is stored by the third-party vault provider.
Tokenization is increasingly popular and is now available through more payment processors and other third parties. Every implementation is different, so it is important to choose a vendor with features that provide the most security and require the least amount of IT investment. Some features and things to consider:
With basic tokenization, there is a small window of vulnerability. That window is when the customer first enters his or her card data at the merchant’s site and the data is transmitted through the merchant’s systems to the processor for tokenization. Robust tokenization solutions offer a web service that allows point-to-point security during this stage. The vendor provides embeddable "payment page" code that interacts with the processor for tokenization. When the consumer enters payment card information, it is replaced with a registration key. Upon completion of check-out, the merchant uses this key to obtain a token representing card data already stored at the processor.
While tokenization itself will not completely eliminate the need for PCI compliance and liability insurance, it can significantly reduce costs, better protecting your brand.
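The tokenization flow described above has three parties: a vault that holds the card number once, a merchant that keeps only a token, and a hosted payment page that hands the merchant a registration key instead of card data. The added example below (a simulation written for this page, not any vendor's product) models that flow so the security property is visible: the token is random and carries no information about the card number, the same card re-registered yields the same token so recurring billing keeps working, the registration key is single-use, and a search of the merchant's stored records for the card number finds nothing. The class and method names, the Luhn-valid test number 4111111111111111 and the in-memory dictionaries are constructed for illustration; a real vault would key its lookups by a keyed hash of the card number rather than the number itself, and would sit behind the processor's access controls.

```python
import secrets
from dataclasses import dataclass


def luhn_ok(pan):
    """Standard Luhn check-digit test on a numeric card number string."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Stand-in for the third-party data vault: the only system that ever holds a PAN."""

    def __init__(self):
        self._pan_by_token = {}
        self._token_by_pan = {}   # illustration only; a real vault keys this by a keyed hash
        self._pending = {}        # one-time registration keys from the hosted payment page

    def register(self, pan):
        """Store the PAN once and hand back a token that is random, not derived from it."""
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed card number")
        if pan in self._token_by_pan:
            return self._token_by_pan[pan]       # same card, same token
        token = "tok_" + secrets.token_hex(16)   # 128 random bits, no relation to the PAN
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def hosted_page_capture(self, pan):
        """Hosted payment page path: the browser posts the PAN straight to the vault,
        which returns a single-use registration key; the merchant never sees the PAN."""
        key = "reg_" + secrets.token_urlsafe(16)
        self._pending[key] = self.register(pan)
        return key

    def redeem(self, registration_key):
        """Exchange a registration key for the token, invalidating the key."""
        return self._pending.pop(registration_key)

    def detokenize(self, token):
        """Only the processor calls this, when it needs the PAN to authorize a payment."""
        return self._pan_by_token[token]


@dataclass
class CardOnFile:
    token: str
    last4: str    # display hint only
    expiry: str


class MerchantCardStore:
    """Merchant side: keeps tokens plus display hints, never the card number itself."""

    def __init__(self):
        self._cards = {}

    def save(self, customer_id, token, last4, expiry):
        self._cards[customer_id] = CardOnFile(token, last4, expiry)

    def token_for(self, customer_id):
        return self._cards[customer_id].token

    def contains(self, needle):
        """What a thief with a copy of the merchant database could find."""
        return any(needle in repr(card) for card in self._cards.values())


def sample_flow():
    """Constructed walk-through: first purchase via hosted page, then a repeat charge."""
    vault, merchant = TokenVault(), MerchantCardStore()
    pan = "4111111111111111"                       # constructed test number, not a real account
    key = vault.hosted_page_capture(pan)           # browser -> vault
    token = vault.redeem(key)                      # merchant -> vault, exactly once
    merchant.save("cust-42", token, pan[-4:], "12/24")
    repeat_token = merchant.token_for("cust-42")   # later recurring charge uses the token
    return {
        "token": token,
        "same_card_same_token": vault.register(pan) == token,
        "processor_can_authorize": vault.detokenize(repeat_token) == pan,
        "merchant_holds_pan": merchant.contains(pan),
        "key_still_valid": key in vault._pending,
    }


if __name__ == "__main__":
    for name, value in sample_flow().items():
        print(f"{name}: {value}")
```

The point of `contains()` is the audit you would run on your own side: if a grep of the merchant's databases, logs and backups for a test card number ever returns a hit, card data is leaking around the vault and PCI scope is wider than you think.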
Complete documentation on tokenization can be obtained from the PCI Security Standards Council via this URL:
Do your customers consent in advance to purchase recurring products and/or services until they cancel? If you use this type of marketing, known as negative option or continuity marketing, especially via eCommerce, you are continually on the radar of lawmakers and government regulators, both at the state and federal level.
We’ve developed the following practical approaches for using negative option marketing, which include regulatory considerations as well as those by the major card brands.
Merchants should be able to substantiate any performance claims shown on their websites. Performance claims include, but are not limited to: guaranteed results, false cures, weight loss promises, etc.
If there are qualifications for trial they should follow preset logic. Consumers who don’t meet qualifications should be disqualified and not allowed to receive trial. Qualifications include, but are not limited to age, sex, race, weight, height, etc.
Have questions about card not present transactions? We can help. Contact Worldpay today for information on card not present transactions.
**Effective June 30, 2012, Level 2 merchants that choose to complete an annual self-assessment questionnaire must ensure that staff engaged in the self-assessment attend PCI SSC-offered training programs (currently Internal Security Assessor [ISA] training) and pass any associated PCI SSC accreditation program annually in order to continue the option of self-assessment for compliance validation. Alternately, Level 2 merchants may, at their own discretion, complete an annual onsite assessment conducted by a PCI SSC approved QSA rather than complete an annual self-assessment questionnaire.