Article Library

Credit Card Processing

EMV and the Changes it Brings to Credit Card Processing

The way you accept credit card payments changed in October 2015, thanks to EMV (Europay, MasterCard, Visa) card security improvements. Liability for card-present fraudulent transactions shifted to businesses that are not using processing terminals that accept chip-embedded (EMV) credit cards. This October deadline was set by the major card issuers to decrease counterfeit card transactions in the U.S.

Chip-embedded cards are more secure than magnetic stripe cards because the chip provides dynamic authentication information that changes for each transaction. The magnetic stripe currently used in the U.S. contains static data that can be easily stolen and used for fraudulent transactions.

Currently, if a customer uses a counterfeit card at your business, the card issuer is liable for the charge. Beginning October 1, 2015, if a customer uses an EMV card for a counterfeit transaction, but your business is not using an EMV-enabled terminal, your business is liable for the charge.

The United States is late in adopting chip technology and the improved security it brings. EMV transactions represented 32 percent of the world’s credit card transactions from January 2014 through December 2014. During that same time period, only .12 percent of U.S. transactions were EMV.

The chip-embedded cards and the EMV-enabled terminals that process them represent the biggest change in the credit card processing industry in 35 years (since we switched from the “knuckle busters” to terminals). The new technology brings changes that may take a while for you and your customers to get accustomed to:

  • The EMV card should be in the cardholder’s possession for the entire transaction.
  • The cardholder must insert the card into the terminal, rather than swipe it, and leave it there until the terminal indicates they can remove it.
  • The card issuer determines if a PIN will be required for the card, or just a signature, and the cardholder should be aware of what is required.
  • More time will be added to each transaction because it takes several seconds for the EMV card to process.
  • Make sure your terminal is activated to accept EMV cards. Your terminal may have a card slot, but it may still need to be programmed to accept chip cards.
  • Magnetic stripe cards can still be swiped with your EMV-enabled terminal, if that is what the cardholder has.

New Procedures for Accepting Credit Cards at Your Point of Sale

The October deadline for EMV compliance has come and gone. Merchants have new equipment, cardholders have new cards. And with all that new hardware comes a new procedure for processing transactions at your point of sale.

Accepting EMV cards isn’t difficult, but it’s different enough that it might cause some initial confusion among your staff and clients. In the interest of eliminating such confusion and ensuring smooth transactions at your point of sale, we offer the following guide.

  1. Select your transaction and card type, then enter the amount of the transaction. Even if your client presents an older magnetic stripe card, you cannot skip this step; simply swiping the card to initiate a sale no longer works.
  2. If the client is using an EMV card, they need to “dip the chip,” or insert their card into the terminal. Hand your terminal to the client or turn it to face them, then instruct them to insert their card into the smart card slot chip side first and face up until they feel it click. Tell them to leave the card in the slot. Clients using magnetic stripe cards do not need to do this.
  3. The terminal may prompt the cardholder for a card PIN.
  4. Make sure they press Enter after they’ve entered their PIN.
  5. Your terminal will now process the transaction.
  6. The client should remove their card from the smart card slot when the terminal indicates.
  7. If you have swiped an EMV card, you may need to hit the red “X” key and start the transaction over then insert the card.
  8. If the client was using a magnetic stripe card or their smart card does not require a PIN, have them sign the printed receipt. Be sure to check the back of the card to verify the signature and hand the card back to the client.

And that’s it. Review these procedures with your sales staff and you’ll be experts in no time!

Digital Phone Lines Play Havoc With Credit Card Processing

Many businesses are making the jump to the popular and highly advertised digital phone service. But give some thought to your credit card processing before making the leap. RCSC frequently receives calls from distressed business owners dealing with issues such as multiple authorizations, duplicate transactions and the inability to batch as a result of converting to digital phone service.

Credit card processing dial-up terminals work best with traditional analog telephone lines, which transmit and receive information differently than digital lines. When you use digital phone service with an analog credit card terminal it will most likely lead to technical problems.

Problems with the digital phone lines don’t always immediately present themselves. A terminal could successfully work using a digital phone line for days, weeks or even months before complications surface. RCSC Director of Member Development Nicholl Bautochka suggests you purchase an Ethernet terminal that runs through the Internet to avoid these complications.

“The best and most simple way to avoid the headaches of incompatible technology is to purchase an Ethernet terminal and hook it up to your Internet with a cat-5 cable,” said Ms. Bautochka. “Another option is to re-establish a dedicated analog phone line for your dial-up terminal, though many phone companies are offering digital phone lines exclusively.”

If you have questions about digital phone lines and processing terminals, call RCSC for assistance. You can reach Michele, Nicholl and Carly at (800) 442-3589 or RCSC@retailcouncilnys.com.

Auto Settling vs. Manual Settling

Businesses are accustomed to settling (also called batching out) their credit card processing terminal at the end of each business day or first thing in the morning. Settling is the process of moving the transaction information from your business to the cardholder’s (your customer’s) financial institution. Your terminals can be programmed to settle automatically or manually.

There are pros and cons for both methods and you should examine your individual business to decide which method is right for you.

Auto settling

Terminals are programmed to automatically settle the transactions at a specific time each day so you don’t have to remember to batch out.
Auto settling is a good method for businesses with a small, trustworthy staff who don’t make many mistakes when inputting transactions.

Manual settling

Busy businesses with a large staff and many people inputting transactions into the terminals may want to choose manual settling since there is a higher probability of mistakes.

Manual settling allows the business owner to catch any inconsistencies with transactions and make changes to the batch before the final settlement with the processing bank is made (e.g., any business that adds tips to their transactions at the end of the business day should use manual settling).

One con with manual settling is the business owner must remember to settle the credit card terminal at the end of each day. If transactions are not settled within 48 hours the credit card companies will charge the highest possible rates, which is usually twice the normal rates a business owner pays.

Direct your questions about auto and manual settling and all other processing questions to the Retail Council’s credit card processing experts, Michele, Nicholl and Carly at (800) 442-3589.

Always Verify Address When Key-Entering Credit Card Transactions

It’s generally bad practice to manually enter credit card transactions – it costs you more to process these sales and, especially in cases where the card isn’t present, opens your business up to the possibility of fraud. Still, there are times when you won’t have a choice but to manually enter a customer’s credit card number (and if you have a mail order component to your business, manually entered transactions are the norm).

When performing manually entered transactions there is a way to limit the likelihood of foul play by ensuring that the mailing address supplied to you by the customer matches what is on file with the credit card company. Verifying the billing address is simple and helps to protect your business from a chargeback, which is a dispute over the transaction with the customer. Your processing terminal will prompt you to enter the card holder’s address. Depending on the type of terminal you utilize, you may be prompted for the full address, the street address or just the zip code.

To determine whether the address supplied to you by the customer matches the address on file with the credit card company, you need to examine the printed receipt. While the terminal will approve the dollar amount of the transaction, it does not verify the address. It is your responsibility to do this by taking a look at the receipt.

When examining a receipt to determine whether the addresses match, look at the AVS (Address Verification System) slot (see accompanying diagram). For manually entered transactions you will find a “Y” or “N” printed in this slot. A “Y” indicates that the address supplied by the customer matches that on file with the card company. An “N” tells you that the address doesn’t match the card company’s address and you need to verify it a second time. The customer may have supplied you with a work address or the address to a second home. Or they may have given you their physical address, but the billing address is a PO Box number.

If the customer is unable to supply you with the correct address, you have the right to void the transaction and retain your merchandise. You will need to explain to the customer why you are unable to sell them the goods and the importance of verifying the correct address information.

While you may always be diligent about verifying addresses for manually entered transactions, you need to ensure that your employees are also following the correct protocol. While the credit card terminal will prompt the user to enter the customer’s billing address, it is easy to bypass this request and simply complete the sale.

Failing to verify the customer’s address for manually entered transactions can have costly consequences. If the address wasn’t verified on the receipt (an “N” was present) and a chargeback occurs, the card company will hold you fully liable for the dispute because you did not follow correct card acceptance procedures. Verifying that the addresses match with a “Y” printed on the receipt shows the card company that you followed procedure; this gives you a stronger leg to stand on in defense of chargeback accusations.

If your terminal is not prompting for address information during a manually entered transaction, call your credit card processing experts immediately to rectify the problem.

Be Wary of Magnetic Strips That Don't Work

Victims of credit card theft have been scratching their heads trying to figure out how someone has used their card when they still have it in their wallet. That’s because the newest credit card scam involves the luck and patience of perpetrators without the presence of a valid card.

The scammers painstakingly go through various combinations of 16 digits, testing them at online stores or calling into verification centers just as businesses do, until they happen upon 16 numbers that work.

Unfortunately for the victim, this 16 digit combination happens to be their credit card number. They have no idea their card is being used because they never lost the card, had any mail stolen or experienced any other type of burglary.

Once the perpetrators find a successful combination, they shave off the appropriate numbers from old credit cards and glue them onto gift cards that resemble credit cards. They often only alter a portion of the numbers, since the first few are the same on most cards because it is the bank identification code.

Their final trick is to scratch up the magnetic strip so that the clerk is forced to enter the numbers into the keypad to complete the transaction. Given this new insidious way to steal from unwitting consumers and businesses, it is more important than ever to follow the prompts your terminal will give you for address verification and the CVV or CVV2 code. If your terminal is not prompting for address verification call your processor immediately to resolve this issue. You should also call your processor for a Code 10 authorization if you are ever suspicious of the card or the client. This is an important safety precaution to protect your business.

“Businesses and their employees should always be on the lookout for altered cards and trust their gut when anything looks suspicious,” warned Michele Coons, member services manager of the Retail Council. “Unfortunately, not everyone can be trusted when they claim their card just went through the wash.”

Direct all your questions about credit card processing to the Council’s processing experts, Michele, Nicholl and Carly at (800) 442-3589.

Beware of Credit Card Processing Scams

Businesses that accept credit cards should be aware of scams currently affecting merchants and their customers. Con artists claiming to be employees of a processor or Visa are attempting to gain access to credit card processing terminals to change merchants’ processors or install tampering devices.

The Retail Council recently received a report that an individual entered a member’s business falsely claiming to be a representative from their current processor with the promise of further lowering processing rates. If this happens to you, please alert your processor immediately. If you allow your terminal to be reprogrammed, you could be charged excessive rates and fees you never agreed to.

Visa also reports that scammers are calling merchants claiming to be from the “Wholesale Division of Visa” and requesting an appointment to come and adjust their interchange rates on their POS terminals. Once the individual has access to the POS terminals, they install a tampering device that allows them to obtain sensitive customer card data. Visa would like all merchants to know:

  • There is no Wholesale Division of Visa;
  • Visa would never contact merchants directly to negotiate interchange rates;
  • You are advised to immediately contact your merchant bank and Visa if you receive suspicious communications from someone claiming to be a representative of Visa.

You should also be aware of “social engineers” who claim to be from Visa or other companies and attempt to gain access to privileged areas of your business. These people rely on the trusting and helpful nature of people. They may use publicly available information to seem credible and to make you more comfortable sharing information with them. Tell them you will contact someone at their company’s main phone number to discuss the matter further until you can verify their identity.

If you have any questions about your credit card processing, please call the Retail Council at (800) 442-3589.

Completing Mail and Telephone Orders

Note: You cannot accept Card Not Present transactions unless your credit card processor has agreed to process these for you and such provision is contained in your merchant agreement.

It is often convenient for both you and your customers to complete a credit card order by phone or mail rather than at your business’ physical location. However, there are precautions you should take to guard against data compromise when handling these “card not present” transactions. Since a visual identification cannot be made for cardholders requesting mail or phone transactions, some personal information must be obtained to receive authorization from your credit card processor.

Two security tools are available to assist you in the detection and prevention of fraudulent activity – verification of cardholder billing address (AVS) and authentication that the customer has the card in their possession (CVV2/CVC2/CID).

Address Verification Service (AVS) is an automated program that allows a merchant to check a cardholder’s billing address, as part of the electronic authorization process. Fraudsters often do not know the correct billing address for the cards they are using, thereby yielding a clue that the transaction may not be valid.

Card authentication is a three-digit code number imprinted on the signature panel of cards to help authenticate that the customer has a genuine card in their possession.

Follow the instructions below when completing mail and telephone orders:

  1. Obtain the cardholder’s name, card account number and expiration date and record these on your sales draft. You must also obtain the cardholder’s billing address and zip code. (You may need to provide this information when you request authorization.)
  2. Request the three-digit card authentication number (CVV2/CVC2/CID) from the signature panel (or the four-digit number if approved for American Express CID participation) Note: Merchant retention of this authentication number is strictly prohibited. However, you may record and retain the one-character result code.
  3. Fill in a brief description of the goods sold and show the amount of the sale in the space marked “Total.”
  4. Write TO (telephone order) or MO (mail order) on the signature line of the sales draft.
  5. Enter transaction information into terminal or PC. Refer to your processor’s reference guide for instructions on manually entering sales transactions.
  6. Provide a copy of the sales draft to the cardholder, either with the cardholder order (if being shipped to the cardholder) or separately (i.e., if purchase is a gift). The transaction date is the date goods were shipped to the cardholder. Electronically printed sales receipts provided to the cardholder should truncate or mask the account number and the expiration date.

An authorization for a phone order, mail order, fax, or Internet transaction does not guarantee against chargebacks. Please ship only to the address verified as the cardholder’s. Shipment to a different address jeopardizes your protection from chargebacks. You may verify the billing address of the cardholder with the Authorization Center or the cardholder’s bank.

If you have any questions about completing mail and telephone orders, please call the Council’s card processing experts Michele, Nicholl or Carly at (800) 442-3589.

What You Should Know About Your Credit Card Processing Agreement

To accept credit and debit cards at your business, you must sign a contract with a processor. That contract, often called a merchant agreement, details the practices and policies you (and every other business that accepts credit and debit cards) must abide by to accept cards. The following are prohibited according to merchant agreements:

  • Personal information – A business cannot require customers to give their phone numbers, addresses, driver’s license numbers or any other personal information as a condition of making a purchase with a credit card. You may request this information from a customer, however, he/she has the right to decline your request and cannot be prevented from paying with his/her card because of that refusal.
  • Fees for credit card purchases – Your business cannot charge fees to customers using credit cards. However, the credit card companies would allow you to offer discounts to customers paying with cash or check.
  • Cash refunds – Your business must credit returns through the credit card that was originally used to purchase the item being returned. It is prohibited to offer cash or check refunds to customers who paid with a credit or debit card.

Each processor provides a manual to new customers describing all its policies. Pick up this manual regularly for a refresher – you’ll be glad you did! If you have questions about this article or any other concern with regard to credit card processing, call our credit card processing experts Michele, Nicholl or Carly at (800) 442-3589.

 

PCI DSS Articles by our Partner, Security Metrics

 

Workers’ Compensation Insurance

Notes From NYSIF - Workers' Comp Insurance Tips

Retail Council members should be aware of these workers’ compensation insurance regulations (among many others), which apply to all carriers including the New York State Insurance Fund (NYSIF):

Unpaid relatives must be covered

All unpaid relatives working for your business are covered under workers’ compensation law. Relatives cannot waive their rights to be covered. NYSIF will assign payroll and bill based on comparable wages and classifications of non-relatives working in the business.

Responsibility for uninsured contractors

Avoid liability and higher premiums. Be sure to obtain original certificates of workers’ compensation insurance coverage from subcontractors before work is started. If you don’t have proof of a subcontractor’s insurance, you are responsible for their coverage.

  • Certificate validation protects you and fights fraud by denying dishonest contractors an unfair competitive advantage.
  • Retain a certificate in your files for each subcontractor for review by NYSIF auditors.
  • Log onto nysif.com and locate Validate a Certificate to verify the certificate of any NYSIF-insuredsubcontractor is in effect.

Do you have questions about these topics or any other workers’ compensation issue? Contact the Council’s Insurance Services Manager Virginia Hitchcock for assistance at (800) 442-3589.

Why Are Workers' Comp Payroll Audits Necessary?

It seems like just one more paperwork headache: completing your workers’ comp payroll audit. Insurance carriers, such as NYSIF, are required to audit the payroll records of employers to determine premiums for workers’ compensation policies. In reality, the payroll audit actually helps you get the lowest possible rates on workers’ comp insurance for your business. The purpose of the audit is:

  • To determine the total amount of payroll subject to a premium charge.
  • To determine the nature of your business and ensure your employees are classified correctly.
  • To verify the division of payroll for each employee’s job classification.

By examining each of these areas as part of the payroll audit, you are setting up accurate records that will help you pay the lowest possible premium on this insurance.

“When employees aren’t classified correctly, it can lead to a significant increase in premiums that the employer really shouldn’t need to pay,” said Retail Council Insurance Services Manager Virginia Hitchcock. “The audit is designed to catch errors so employers aren’t paying more than they should for workers’ comp or less than they should, which will eventually lead to a sizeable back payment of premium due.”

The audit is time sensitive as the information on payroll is one component used to calculate experience modifications on applicable policies and to estimate the next renewal premium. When an audit is completed early, additional premium due can also be paid in an installment schedule.

Retail Council Safety Group participants need to remember, too, that a payroll audit(s) must be complete to be eligible to receive your part of the Safety Group’s dividend! In November 2010, more than $4.1 million was returned to qualified group members. Don’t let an incomplete payroll audit stand in the way of the hundreds, thousands, and in some cases, tens of thousands, of dollars you may be eligible to receive.

When it comes to conducting the audit, insurance carriers may want to examine your books and records to determine payroll; this is called a physical audit. In other cases, a policyholder may be permitted to complete an underwriting payroll report (DP517) or a premium audit payroll statement in lieu of a physical audit.

If NYSIF, underwriter of the Retail Council’s Safety Group 493, would like to perform a physical audit of your records you will receive advance notice either in writing or by telephone from NYSIF within two weeks of a scheduled audit date.

If you have questions about your payroll audit(s) or any other aspect of your workers’ comp insurance, please call Virginia or Ken in the Retail Council’s Insurance Services Department at (800) 442-3589.

 

Other

Business Disaster Preparedness

How to prepare your business if severe weather is headed your way

As soon as possible before severe weather is expected, review your Business Continuity Plan to ensure it is current and updated.

Inspect the store for the following items:

1.   Sump pumps are properly functional.

2.   Roof is clear of debris.

3.   Gutters and downspouts are clear of obstructions, debris.

4.   Storm drains are clear in parking lots and receiving areas.

5.   Emergency generator is functional and tested recently.

6.   Alarm systems are functional.

7.   Store exterior is clear of extra pallets, bales.

8.   Items outside the store such as garbage cans, benches, etc. are secured.

9.   Emergency lighting is operational.

As the severe weather approaches, do the following:

1.   Maintain communications with your stores or head office.

2.   Establish communications with local first responders. Follow any instructions you are given.

3.   Provide key customers with emergency contact information for service and support.

4.   Tape windows with duct tape.

5.   Chain all shopping carts or move them inside the store. Remove or secure any temporary exterior store signage.

6.   Back up all computer files and secure your computer and server equipment. Identify and secure key paper documents critical to business continuity.

7.   Review emergency evacuation plans.

8.   Secure all cash and other media assets. Make sure to have emergency funds in your bank accounts in case of closure for several days.

9.   If necessary, or as directed, shut down power and gas feeds.

10.  Keep informed as to weather conditions and other related emergency information via a battery-operated radio.

11.  Make sure all in-store communications equipment is fully charged and operational.

12.  Keep a supply of batteries and flashlights ready for use by associates.

If the weather causes damage, make a detailed report of damages and product loss for insurance purposes. Be sure to take pictures as supporting documentation.

INFORMATION RESOURCES FOR SEVERE WEATHER

1.   New York State Aware Prepare

http://www.nyprepare.gov/aware-prepare

2.   National Oceanic and Atmospheric Administration Website

http://www.noaa.gov/index.html

3.   FEMA’s Ready.gov website on Hurricanes

http://www.ready.gov/hurricanes

4.   National Hurricane Center Website

http://www.nhc.noaa.gov/index.shtml