Credit Card Processing
EMV and the Changes it Brings to Credit Card Processing The way you accept credit card payments changed in October 2015, thanks to EMV (Europay, MasterCard, Visa) card security improvements. Liability for card-present fraudulent transactions shifted to businesses that are not using processing terminals that accept chip-embedded (EMV) credit cards. This October deadline was set by the major card issuers to decrease counterfeit card transactions in the U.S. Chip-embedded cards are more secure than magnetic stripe cards because the chip provides dynamic authentication information that changes for each transaction. The magnetic stripe currently used in the U.S. contains static data that can be easily stolen and used for fraudulent transactions. Currently, if a customer uses a counterfeit card at your business, the card issuer is liable for the charge. Beginning October 1, 2015, if a customer uses an EMV card for a counterfeit transaction, but your business is not using an EMV-enabled terminal, your business is liable for the charge. The United States is late in adopting chip technology and the improved security it brings. EMV transactions represented 32 percent of the world’s credit card transactions from January 2014 through December 2014. During that same time period, only .12 percent of U.S. transactions were EMV. The chip-embedded cards and the EMV-enabled terminals that process them represent the biggest change in the credit card processing industry in 35 years (since we switched from the “knuckle busters” to terminals). The new technology brings changes that may take a while for you and your customers to get accustomed to: New Procedures for Accepting Credit Cards at Your Point of Sale The October deadline for EMV compliance has come and gone. Merchants have new equipment, cardholders have new cards. And with all that new hardware comes a new procedure for processing transactions at your point of sale. Accepting EMV cards isn’t difficult, but it’s different enough that it might cause some initial confusion among your staff and clients. In the interest of eliminating such confusion and ensuring smooth transactions at your point of sale, we offer the following guide. And that’s it. Review these procedures with your sales staff and you’ll be experts in no time! Digital Phone Lines Play Havoc With Credit Card Processing Many businesses are making the jump to the popular and highly advertised digital phone service. But give some thought to your credit card processing before making the leap. RCSC frequently receives calls from distressed business owners dealing with issues such as multiple authorizations, duplicate transactions and the inability to batch as a result of converting to digital phone service. Credit card processing dial-up terminals work best with traditional analog telephone lines, which transmit and receive information differently than digital lines. When you use digital phone service with an analog credit card terminal it will most likely lead to technical problems. Problems with the digital phone lines don’t always immediately present themselves. A terminal could successfully work using a digital phone line for days, weeks or even months before complications surface. RCSC Director of Member Development Nicholl Lockwood suggests you purchase an Ethernet terminal that runs through the Internet to avoid these complications. “The best and most simple way to avoid the headaches of incompatible technology is to purchase an Ethernet terminal and hook it up to your Internet with a cat-5 cable,” said Ms. Lockwood. “Another option is to re-establish a dedicated analog phone line for your dial-up terminal, though many phone companies are offering digital phone lines exclusively.” If you have questions about digital phone lines and processing terminals, call RCSC for assistance. You can reach Michele, Nicholl and Carly at (800) 442-3589 or info@rcnys.com. Auto Settling vs. Manual Settling Businesses are accustomed to settling (also called batching out) their credit card processing terminal at the end of each business day or first thing in the morning. Settling is the process of moving the transaction information from your business to the cardholder’s (your customer’s) financial institution. Your terminals can be programmed to settle automatically or manually. There are pros and cons for both methods and you should examine your individual business to decide which method is right for you. Auto settling Terminals are programmed to automatically settle the transactions at a specific time each day so you don’t have to remember to batch out. Manual settling Busy businesses with a large staff and many people inputting transactions into the terminals may want to choose manual settling since there is a higher probability of mistakes. Manual settling allows the business owner to catch any inconsistencies with transactions and make changes to the batch before the final settlement with the processing bank is made (e.g., any business that adds tips to their transactions at the end of the business day should use manual settling). One con with manual settling is the business owner must remember to settle the credit card terminal at the end of each day. If transactions are not settled within 48 hours the credit card companies will charge the highest possible rates, which is usually twice the normal rates a business owner pays. Direct your questions about auto and manual settling and all other processing questions to the Retail Council’s credit card processing experts, Michele, Nicholl and Carly at (800) 442-3589. Always Verify Address When Key-Entering Credit Card Transactions It’s generally bad practice to manually enter credit card transactions – it costs you more to process these sales and, especially in cases where the card isn’t present, opens your business up to the possibility of fraud. Still, there are times when you won’t have a choice but to manually enter a customer’s credit card number (and if you have a mail order component to your business, manually entered transactions are the norm). When performing manually entered transactions there is a way to limit the likelihood of foul play by ensuring that the mailing address supplied to you by the customer matches what is on file with the credit card company. Verifying the billing address is simple and helps to protect your business from a chargeback, which is a dispute over the transaction with the customer. Your processing terminal will prompt you to enter the card holder’s address. Depending on the type of terminal you utilize, you may be prompted for the full address, the street address or just the zip code. To determine whether the address supplied to you by the customer matches the address on file with the credit card company, you need to examine the printed receipt. While the terminal will approve the dollar amount of the transaction, it does not verify the address. It is your responsibility to do this by taking a look at the receipt. When examining a receipt to determine whether the addresses match, look at the AVS (Address Verification System) slot (see accompanying diagram). For manually entered transactions you will find a “Y” or “N” printed in this slot. A “Y” indicates that the address supplied by the customer matches that on file with the card company. An “N” tells you that the address doesn’t match the card company’s address and you need to verify it a second time. The customer may have supplied you with a work address or the address to a second home. Or they may have given you their physical address, but the billing address is a PO Box number. If the customer is unable to supply you with the correct address, you have the right to void the transaction and retain your merchandise. You will need to explain to the customer why you are unable to sell them the goods and the importance of verifying the correct address information. While you may always be diligent about verifying addresses for manually entered transactions, you need to ensure that your employees are also following the correct protocol. While the credit card terminal will prompt the user to enter the customer’s billing address, it is easy to bypass this request and simply complete the sale. Failing to verify the customer’s address for manually entered transactions can have costly consequences. If the address wasn’t verified on the receipt (an “N” was present) and a chargeback occurs, the card company will hold you fully liable for the dispute because you did not follow correct card acceptance procedures. Verifying that the addresses match with a “Y” printed on the receipt shows the card company that you followed procedure; this gives you a stronger leg to stand on in defense of chargeback accusations. If your terminal is not prompting for address information during a manually entered transaction, call your credit card processing experts immediately to rectify the problem. Be Wary of Magnetic Strips That Don't Work Victims of credit card theft have been scratching their heads trying to figure out how someone has used their card when they still have it in their wallet. That’s because the newest credit card scam involves the luck and patience of perpetrators without the presence of a valid card. The scammers painstakingly go through various combinations of 16 digits, testing them at online stores or calling into verification centers just as businesses do, until they happen upon 16 numbers that work. Unfortunately for the victim, this 16 digit combination happens to be their credit card number. They have no idea their card is being used because they never lost the card, had any mail stolen or experienced any other type of burglary. Once the perpetrators find a successful combination, they shave off the appropriate numbers from old credit cards and glue them onto gift cards that resemble credit cards. They often only alter a portion of the numbers, since the first few are the same on most cards because it is the bank identification code. Their final trick is to scratch up the magnetic strip so that the clerk is forced to enter the numbers into the keypad to complete the transaction. Given this new insidious way to steal from unwitting consumers and businesses, it is more important than ever to follow the prompts your terminal will give you for address verification and the CVV or CVV2 code. If your terminal is not prompting for address verification call your processor immediately to resolve this issue. You should also call your processor for a Code 10 authorization if you are ever suspicious of the card or the client. This is an important safety precaution to protect your business. “Businesses and their employees should always be on the lookout for altered cards and trust their gut when anything looks suspicious,” warned Michele Coons, member services manager of the Retail Council. “Unfortunately, not everyone can be trusted when they claim their card just went through the wash.” Direct all your questions about credit card processing to the Council’s processing experts, Michele, Nicholl and Carly at (800) 442-3589. Beware of Credit Card Processing Scams Businesses that accept credit cards should be aware of scams currently affecting merchants and their customers. Con artists claiming to be employees of a processor or Visa are attempting to gain access to credit card processing terminals to change merchants’ processors or install tampering devices. The Retail Council recently received a report that an individual entered a member’s business falsely claiming to be a representative from their current processor with the promise of further lowering processing rates. If this happens to you, please alert your processor immediately. If you allow your terminal to be reprogrammed, you could be charged excessive rates and fees you never agreed to. Visa also reports that scammers are calling merchants claiming to be from the “Wholesale Division of Visa” and requesting an appointment to come and adjust their interchange rates on their POS terminals. Once the individual has access to the POS terminals, they install a tampering device that allows them to obtain sensitive customer card data. Visa would like all merchants to know: You should also be aware of “social engineers” who claim to be from Visa or other companies and attempt to gain access to privileged areas of your business. These people rely on the trusting and helpful nature of people. They may use publicly available information to seem credible and to make you more comfortable sharing information with them. Tell them you will contact someone at their company’s main phone number to discuss the matter further until you can verify their identity. If you have any questions about your credit card processing, please call the Retail Council at (800) 442-3589. Completing Mail and Telephone Orders Note: You cannot accept Card Not Present transactions unless your credit card processor has agreed to process these for you and such provision is contained in your merchant agreement. It is often convenient for both you and your customers to complete a credit card order by phone or mail rather than at your business’ physical location. However, there are precautions you should take to guard against data compromise when handling these “card not present” transactions. Since a visual identification cannot be made for cardholders requesting mail or phone transactions, some personal information must be obtained to receive authorization from your credit card processor. Two security tools are available to assist you in the detection and prevention of fraudulent activity – verification of cardholder billing address (AVS) and authentication that the customer has the card in their possession (CVV2/CVC2/CID). Address Verification Service (AVS) is an automated program that allows a merchant to check a cardholder’s billing address, as part of the electronic authorization process. Fraudsters often do not know the correct billing address for the cards they are using, thereby yielding a clue that the transaction may not be valid. Card authentication is a three-digit code number imprinted on the signature panel of cards to help authenticate that the customer has a genuine card in their possession. Follow the instructions below when completing mail and telephone orders: An authorization for a phone order, mail order, fax, or Internet transaction does not guarantee against chargebacks. Please ship only to the address verified as the cardholder’s. Shipment to a different address jeopardizes your protection from chargebacks. You may verify the billing address of the cardholder with the Authorization Center or the cardholder’s bank. If you have any questions about completing mail and telephone orders, please call the Council’s card processing experts Michele, Nicholl or Carly at (800) 442-3589. What You Should Know About Your Credit Card Processing Agreement To accept credit and debit cards at your business, you must sign a contract with a processor. That contract, often called a merchant agreement, details the practices and policies you (and every other business that accepts credit and debit cards) must abide by to accept cards. The following are prohibited according to merchant agreements: Each processor provides a manual to new customers describing all its policies. Pick up this manual regularly for a refresher – you’ll be glad you did! If you have questions about this article or any other concern with regard to credit card processing, call our credit card processing experts Michele, Nicholl or Carly at (800) 442-3589. Notes From NYSIF - Workers' Comp Insurance Tips Retail Council members should be aware of these workers’ compensation insurance regulations (among many others), which apply to all carriers including the New York State Insurance Fund (NYSIF): Unpaid relatives must be covered All unpaid relatives working for your business are covered under workers’ compensation law. Relatives cannot waive their rights to be covered. NYSIF will assign payroll and bill based on comparable wages and classifications of non-relatives working in the business. Responsibility for uninsured contractors Avoid liability and higher premiums. Be sure to obtain original certificates of workers’ compensation insurance coverage from subcontractors before work is started. If you don’t have proof of a subcontractor’s insurance, you are responsible for their coverage. Do you have questions about these topics or any other workers’ compensation issue? Contact the Council’s Insurance Services Coordinator Virginia Hitchcock for assistance at (800) 442-3589. Why Are Workers' Comp Payroll Audits Necessary? It seems like just one more paperwork headache: completing your workers’ comp payroll audit. Insurance carriers, such as NYSIF, are required to audit the payroll records of employers to determine premiums for workers’ compensation policies. In reality, the payroll audit actually helps you get the lowest possible rates on workers’ comp insurance for your business. The purpose of the audit is: By examining each of these areas as part of the payroll audit, you are setting up accurate records that will help you pay the lowest possible premium on this insurance. “When employees aren’t classified correctly, it can lead to a significant increase in premiums that the employer really shouldn’t need to pay,” said Retail Council Insurance Services Manager Virginia Hitchcock. “The audit is designed to catch errors so employers aren’t paying more than they should for workers’ comp or less than they should, which will eventually lead to a sizeable back payment of premium due.” The audit is time sensitive as the information on payroll is one component used to calculate experience modifications on applicable policies and to estimate the next renewal premium. When an audit is completed early, additional premium due can also be paid in an installment schedule. Retail Council Safety Group participants need to remember, too, that a payroll audit(s) must be complete to be eligible to receive your part of the Safety Group’s dividend! In November 2010, more than $4.1 million was returned to qualified group members. Don’t let an incomplete payroll audit stand in the way of the hundreds, thousands, and in some cases, tens of thousands, of dollars you may be eligible to receive. When it comes to conducting the audit, insurance carriers may want to examine your books and records to determine payroll; this is called a physical audit. In other cases, a policyholder may be permitted to complete an underwriting payroll report (DP517) or a premium audit payroll statement in lieu of a physical audit. If NYSIF, underwriter of the Retail Council’s Safety Group 493, would like to perform a physical audit of your records you will receive advance notice either in writing or by telephone from NYSIF within two weeks of a scheduled audit date. If you have questions about your payroll audit(s) or any other aspect of your workers’ comp insurance, please call Virginia or Ken in the Retail Council’s Insurance Services Department at (800) 442-3589. Business Disaster Preparedness As soon as possible before severe weather is expected, review your Business Continuity Plan to ensure it is current and updated. Inspect the store for the following items: 1. Sump pumps are properly functional. 2. Roof is clear of debris. 3. Gutters and downspouts are clear of obstructions, debris. 4. Storm drains are clear in parking lots and receiving areas. 5. Emergency generator is functional and tested recently. 6. Alarm systems are functional. 7. Store exterior is clear of extra pallets, bales. 8. Items outside the store such as garbage cans, benches, etc. are secured. 9. Emergency lighting is operational. As the severe weather approaches, do the following: 1. Maintain communications with your stores or head office. 2. Establish communications with local first responders. Follow any instructions you are given. 3. Provide key customers with emergency contact information for service and support. 4. Tape windows with duct tape. 5. Chain all shopping carts or move them inside the store. Remove or secure any temporary exterior store signage. 6. Back up all computer files and secure your computer and server equipment. Identify and secure key paper documents critical to business continuity. 7. Review emergency evacuation plans. 8. Secure all cash and other media assets. Make sure to have emergency funds in your bank accounts in case of closure for several days. 9. If necessary, or as directed, shut down power and gas feeds. 10. Keep informed as to weather conditions and other related emergency information via a battery-operated radio. 11. Make sure all in-store communications equipment is fully charged and operational. 12. Keep a supply of batteries and flashlights ready for use by associates. If the weather causes damage, make a detailed report of damages and product loss for insurance purposes. Be sure to take pictures as supporting documentation. INFORMATION RESOURCES FOR SEVERE WEATHER 1. New York State Aware Prepare http://www.nyprepare.gov/aware-prepare 2. National Oceanic and Atmospheric Administration Website http://www.noaa.gov/index.html 3. FEMA’s Ready.gov website on Hurricanes http://www.ready.gov/hurricanes 4. National Hurricane Center Website
Auto settling is a good method for businesses with a small, trustworthy staff who don’t make many mistakes when inputting transactions.
PCI DSS Articles by our Partner, Security Metrics
Workers’ Compensation Insurance
Other
How to prepare your business if severe weather is headed your way