The Payment Card Industry Data Security Standard (PCI DSS) is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. This comprehensive standard is intended to help organizations that process credit card transactions proactively protect customer account data. As a merchant, you should only process with a company that makes cardholder data security a top priority.
The PCI DSS is administered and managed by the PCI Security Standards Council, an independent body that was created by the Council’s five founding global payment brands — American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. The individual card brands require that merchant banks and processors implement their own PCI DSS compliance programs to educate merchants on compliance and ensure they meet the requirements.
All merchants that accept, transmit or store cardholder information must comply with the requirements of the PCI DSS, regardless of the number of transactions processed or the size of the business. Compliance is also required regardless of how you receive credit card transactions – via mail, over the phone, online, or even terminal swiped.
Merchants who do not comply with the requirements may be subject to fines, audits, and card replacement costs, to name a few. It’s important to note that while validation of the security standard is not yet required, compliance is mandatory. To learn more about the PCI DSS security standard, visit the PCI Security Standards Council website.
Prior to beginning the PCI compliance assessment process, it is important to understand your merchant level categorization and the corresponding compliance validation and reporting requirements. A Merchant Level is determined by two primary factors: annual transaction volume and the percentage of non-face-to-face transactions.
Level | Criteria |
---|---|
1 | All merchants processing more than 6 million card transactions annually on the Discover network. Any merchant that Discover, in its sole discretion, determines should meet the Level 1 compliance validation and reporting requirements. All merchants required by another payment brand or acquirer to validate and report their compliance as a Level 1 merchant. |
2 | All merchants processing between 1 million and 6 million card transactions annually on the Discover network. |
3 | All merchants processing between 20,000 and 1 million card-not-present only transactions annually on the Discover network. |
4 | All other merchants. |
Once an organization has determined its Merchant Level, the table below details the corresponding validation and reporting requirements.
Level | Validation | Reporting |
---|---|---|
1 | Full on-site assessment using the PCI DSS Requirements and Security Assessment Procedures. Quarterly external network vulnerability scans. | Attestation of Compliance from Report on Compliance (“ROC”). Submission of scan results is not required. |
2 | Self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (“SAQ”). Quarterly external network vulnerability scans. | Attestation of Compliance from SAQ. Submission of scan results is not required. |
3 | Self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (“SAQ”). Quarterly external network vulnerability scans. | Attestation of Compliance from SAQ. Submission of scan results is not required. |
4 | Complete a self-assessment using the applicable PCI DSS Self-Assessment Questionnaire (“SAQ”). Quarterly external network vulnerability scans. Important note: If an organization does not have a direct acquiring relationship with Discover, its requirements as a Level 4 merchant may be different. These organizations should check with their acquirer for the appropriate acquirer-determined Level 4 merchant validation and reporting requirements. | Attestation of Compliance from SAQ (Discover merchants only). Submission of scan results is not required. |
Many merchants and even merchant services providers (our competitors) are confused by interchange and its impact on the fees that merchants pay to accept credit and debit card payments. In addition to interchange, the card brands – Visa, MasterCard and Discover – assess other fees to cover the costs of maintaining their payment networks and systems.
Interchange is a fee mandated by the Card Brands, which Payvant pays to the credit card issuing bank on each sales transaction. Interchange was developed as an income incentive for banks to issue credit cards and extend credit to consumers. Today, there are hundreds of distinct rates based on transaction environment, merchant type, and even card type. Interchange typically represents the largest portion of a merchant's total fees. Interchange is set by the card brands, and all merchant service providers (our competitors) are billed the same interchange fees.
Assessments are paid directly to the Card Brands and typically offset the brands' costs to operate and regulate the networks. These fees are also set by the card brands, and all merchant services providers (our competitors) are billed the same dues & assessment costs.
Interchange is determined for each transaction based on the industry of the merchant, the type of card, the way the card is accepted, the transaction size, and other factors. Here are some common examples of factors that drive interchange costs:
- Manually entered and e-commerce transactions have higher interchange costs because without the swipe data, there is a greater risk that the transaction may be fraudulent. The address verification system should be used to mitigate this risk.
- Corporate Cards and Reward Cards tend to carry higher interchange costs to fund the incentive programs offered to the cardholders.
- Debit cards have lower interchange rates than credit cards because of the lower credit risk. Debit card transactions are deducted directly from the cardholder’s bank account at the time of sale.
- Commercial Cards and even Government Cards can have higher interchange rates to fund card programs that include rewards, spending controls and detailed reporting.
Merchants can follow best practices for card acceptance to obtain the lowest possible interchange rates for their business. For example:
- Swipe the card whenever the card is present.
- When it is necessary to manually enter a transaction, verify the cardholder’s address using the Address Verification Service.
- Settle (batch out) your terminal or point-of-sale software every day to avoid downgrades and higher interchange rates.
- Make sure you obtain a valid authorization for every transaction.
A non-qualified fee is generated when a transaction does not qualify at the expected level because it does not meet Visa®, MasterCard®, and Discover® network requirements. Based on the data submitted and risk associated with particular transactions, the Card Brands assign the appropriate interchange level. Each account is set up with an interchange level according to its processing method and business type. Any transaction that does not qualify at that level may result in a non-qualified fee being charged.
Common Surcharge Reasons
- Missing or Invalid Authorization
- AVS not entered on manual or e-commerce transactions
- Rewards, Corporate, Government, or Commercial card type
- Late Batch Presentment
Interchange is important because it helps drive growth of the payment system. Interchange fees earned by card issuing banks provide financial motivation for them to promote and issue more cards to more cardholders. Interchange also helps cover the risk associated with doing so. Adding more cardholders to the system increases the benefits to merchants of accepting credit and debit cards.
Interchange also helps expand the market of accepting merchants by tailoring interchange programs to certain types of businesses. For example, smaller ticket transactions receive a lower transaction fee so that it is not too costly for merchants to accept card-based payments. The card associations attempt to maintain a delicate balance with interchange. If interchange is too high, merchants will not accept cards; if interchange is too low, then issuing banks will not issue cards.
Preventing unwanted transactions is a key component of any business that accepts payments and should be top of mind for merchants. But where do you start, and how do you know which transactions should be accepted and which should be denied? There is no black and white answer to these questions, as each business is different. There are, however, best practices that should be followed at all times; by doing so you’ll build a solid security foundation to ensure business safety.
Basic fraud prevention is all about asking questions to make sure your business is not being taken advantage of. From terminal based to e-commerce transactions, if you ask the right questions and understand the expected response you’ll be able to prevent unwanted transactions and increase the number of accepted payments. Questions are asked in the form of data requests, such as:
Face-to-Face Transactions:
- Ask to check ID
- Ask for a signature
- Compare signature with what’s on the back of the card
Non-Face-to-Face Transactions:
- Ask for the first and last name on the card being used for the transaction
- Ask for the billing and shipping address associated with the card
- Ship product only to the address verified through the AVS system
- Use a shipping method to collect the cardholder’s signature at the time of delivery
- Ask for the Card Verification Value (CVV)
A sales draft (retrieval) request is a request from the cardholder’s bank to supply a copy of a sales draft. If the transaction was a non-face-to-face transaction, substitute information must be provided such as proof of AVS & CVV match along with a copy of the customer’s signature upon delivery of the product.
How am I notified of a Sales Draft Request?
You will receive a letter of each retrieval request in the mail. The letter provides the cardholder’s account number, transaction date, and dollar amount to assist you in locating the requested sales draft. It is critical that merchants store sales drafts by cardholder number and transaction date, as the cardholder’s name will not be available to Payvant. The amount may reflect a foreign currency versus the United States dollar amount for transactions made with a foreign card.
Payvant offers an easy receipt capture service to our clients so they do not have to worry about storing paper terminal print out receipts.
How long do I have to respond to a Sales Draft Request?
As we are under strict time limitations instituted by the Card Brands, we must receive a response within ten (10) days from the date of the notification letter. If you fail to respond to a retrieval request you may receive a chargeback for the transaction in question. There is no recourse available to the merchant for chargebacks received due to failure to respond to a retrieval request.
How long should I retain copies of Sales Drafts?
According to Card Brand Regulations, and described in the Merchant Agreement, you must retain sales drafts for at least three (3) years from the date of the transaction.
- Obtain an imprint of the card (either manual or electronic) and the cardholder’s signature for every transaction processed.
- For non-face-to-face transactions, use the Address Verification Service (AVS) and transmit the 3-digit card identifier when authorizing the credit card transaction.
- Document any return / cancellation policy on the sales draft or the sales documentation to be signed by the cardholder.
- Ship product ONLY to where the AVS matches and obtain signed proof of delivery for all merchandise that is shipped to the customer.
- Obtain a valid authorization response for all transactions, remember that authorization only does not verify that the cardholder is the actual person making the transaction.
- Process all transactions for billing within fourteen (14) days from the date of the issuer’s valid authorization response.
- Check all security features on the credit card which includes matching the cardholder’s signature on the back panel of the card to the signature on the sales draft.
The first step of a credit card transaction is the authorization. This is a request for transaction approval sent from the merchant to the Card Issuer at the time of the sale. This step prevents sales on credit cards that are over limit, have unsatisfactory history or may be reported stolen. It also verifies that a card is a valid number that could have been issued by the institution.
Front-end: Authorization
- The process by which a transaction is approved by the Issuer or by the Card Brand on behalf of the Issuer
- The “front-end” processor sends a request to the Issuing Bank asking if funds (or credit) are available for the specific transaction.
- The Authorization process is different for each merchant type.
Front-end: Capture
- The collection, formatting and storage of transaction information in computer memory.
- The process in which terminals store authorization and transaction information.
- The actual posting of the transaction against the consumer’s credit line at the Issuer.
Back-end: Clearing & Settlement
The process by which Payvant and Issuing Banks exchange financial data and value resulting from sales transactions, cash advances, merchandise credits, etc. The already Authorized transactions are sent to the acquiring network and:
- Information is forwarded to move the funds from the card issuing bank to Payvant.
- Payvant initiates funding of the merchant’s bank account on file.
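The authorization, capture and settlement steps above, together with the downgrade reasons listed under Common Surcharge Reasons and the fourteen-day presentment rule, can be expressed as a pre-settlement review that a merchant might run over a day's batch. The code below is an added example, not Payvant's software or any card-brand specification; the `Transaction` fields, the card-type labels and the sample batch are constructed for illustration. It also includes a mod-10 (Luhn) check digit test, which is a local well-formedness check on the card number only; as the text says, only the issuer's authorization response confirms the account.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Constants taken from the text: bill within 14 days of a valid authorization,
# and these card types carry higher interchange.
PRESENTMENT_WINDOW_DAYS = 14
HIGHER_COST_CARD_TYPES = {"rewards", "corporate", "government", "commercial"}


def luhn_valid(pan: str) -> bool:
    """Mod-10 check digit test on a card number (spaces/dashes ignored).
    A pass only means the number is well formed; it does not mean the
    account exists or has funds. That is what the authorization request asks."""
    digits = pan.replace(" ", "").replace("-", "")
    if not digits.isdigit() or len(digits) < 12:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Report only the last four digits; full card numbers stay out of reports and logs."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Transaction:
    # Hypothetical record layout, constructed for this example.
    pan: str
    amount: float
    card_present: bool
    card_type: str                          # e.g. "consumer", "rewards", "corporate"
    auth_code: Optional[str] = None         # set when the issuer approved the request
    auth_date: Optional[date] = None
    avs_sent: bool = False                  # address data sent on a keyed/e-commerce auth
    settlement_date: Optional[date] = None  # date the batch was presented


def downgrade_reasons(tx: Transaction, today: date) -> List[str]:
    """Return the Common Surcharge Reasons from the text that this transaction triggers."""
    reasons = []
    if not tx.auth_code or not tx.auth_date:
        reasons.append("Missing or Invalid Authorization")
    if not tx.card_present and not tx.avs_sent:
        reasons.append("AVS not entered on manual or e-commerce transactions")
    if tx.card_type in HIGHER_COST_CARD_TYPES:
        reasons.append("Rewards, Corporate, Government, or Commercial card type")
    presented = tx.settlement_date or today     # unsettled items are measured against today
    if tx.auth_date and (presented - tx.auth_date).days > PRESENTMENT_WINDOW_DAYS:
        reasons.append("Late Batch Presentment")
    return reasons


def review_batch(batch: List[Transaction], today: date) -> List[Tuple[str, List[str]]]:
    """Pair each masked card number with the downgrades it would incur if settled today."""
    return [(mask_pan(tx.pan), downgrade_reasons(tx, today)) for tx in batch]


SAMPLE_TODAY = date(2024, 3, 20)


def sample_batch() -> List[Transaction]:
    """Constructed sample transactions (test card number, not real accounts)."""
    return [
        # Swiped, authorized and settled the same day: no downgrades.
        Transaction("4111111111111111", 42.50, True, "consumer",
                    auth_code="OK1234", auth_date=date(2024, 3, 20),
                    settlement_date=date(2024, 3, 20)),
        # Keyed corporate card, no AVS, settled 19 days after authorization.
        Transaction("4111111111111111", 120.00, False, "corporate",
                    auth_code="A1B2C3", auth_date=date(2024, 3, 1),
                    settlement_date=date(2024, 3, 20)),
        # Swiped but never authorized.
        Transaction("4111111111111111", 9.99, True, "consumer"),
    ]


if __name__ == "__main__":
    for masked, reasons in review_batch(sample_batch(), SAMPLE_TODAY):
        print(masked, reasons or "qualifies at expected level")
```

Running the module prints one line per transaction with the masked card number and its downgrade reasons; the second sample trips three of the four listed reasons at once, which is the usual shape of a non-qualified fee in practice.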
There are several tools developed by the Card Brands for combating credit card fraud. Address Verification and Card Verification Value/ Card Validation Code are used in situations when a credit card purchase is made via mail order, telephone or internet (MOTO). Occasionally a card is present but will not successfully swipe and must be key entered; in this situation, a manual imprint should always be obtained.
The Address Verification Service (AVS) is an automated fraud prevention tool that allows card-not-present merchants to check a cardholder’s billing address as part of the electronic authorization process. ALWAYS SHIP YOUR PRODUCT ONLY TO THE AVS SYSTEM VERIFIED BILLING ADDRESS. A customer can call their Issuing Bank at any time and add a different billing address to their card to obtain a positive AVS system response. Address Verification will ask merchants to enter the zip code, street number or both into the terminal when an authorization is requested.
The Card Verification Value Codes (3 digits on the back of the card) are comparable tools used to further prevent fraudulent transactions. As of January 1, 2001, all Credit Card Issuers were required to produce all cards with a three or four digit code following the P.A.N. in the signature strip on the back of the card. This code is derived mathematically for each individual card from the P.A.N. and expiration date, ensuring that someone who has only this information and not the physical card cannot determine it.
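The AVS and CVV checks described above, the "ship only where AVS matches" rule from the best-practice list, and the substitute evidence a retrieval request needs for a non-face-to-face sale (AVS match, CVV match, signed delivery) come together in the card-not-present fulfillment decision below. This is an added example, not Payvant's code or a card-brand specification; the `AuthResponse` fields (`avs_street_match`, `avs_zip_match`, `cvv_match`) and the sample orders are constructed, and a real processor's response codes will be encoded differently. Note the design point the text makes: a positive AVS result shows the address given matches the issuer's file, not that the buyer is the cardholder, which is why the example still holds an order whose ship-to address differs from the verified billing address.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class AuthResponse:
    # Hypothetical normalized view of an authorization response (constructed fields).
    approved: bool
    avs_street_match: Optional[bool]   # None when no street number was checked
    avs_zip_match: Optional[bool]      # None when no ZIP code was checked
    cvv_match: Optional[bool]          # None when the CVV was not transmitted


@dataclass
class CnpOrder:
    billing_address: str            # address the cardholder gave; what AVS was checked against
    shipping_address: str           # where the buyer asked the goods to go
    auth: AuthResponse
    signed_delivery: bool = False   # carrier collected a signature at delivery


def normalize(addr: str) -> str:
    """Case- and punctuation-insensitive address comparison for the ship-to check."""
    return " ".join(addr.lower().replace(",", " ").split())


def fulfillment_decision(order: CnpOrder) -> str:
    """Return 'ship', 'hold' (manual review) or 'decline' for a card-not-present order."""
    a = order.auth
    if not a.approved:
        return "decline"            # never fulfil without a valid authorization response
    if a.cvv_match is not True:
        return "hold"               # CVV absent or mismatched: the buyer may not hold the card
    if a.avs_street_match is not True or a.avs_zip_match is not True:
        return "hold"               # partial or missing AVS match is not a verified address
    if normalize(order.shipping_address) != normalize(order.billing_address):
        return "hold"               # ship only to the AVS-verified billing address
    return "ship"


def retrieval_evidence_gaps(order: CnpOrder) -> List[str]:
    """For a non-face-to-face sale, list which pieces of substitute evidence for a
    retrieval request (AVS match, CVV match, delivery signature) are missing."""
    gaps = []
    a = order.auth
    if a.avs_street_match is not True or a.avs_zip_match is not True:
        gaps.append("proof of AVS match")
    if a.cvv_match is not True:
        gaps.append("proof of CVV match")
    if not order.signed_delivery:
        gaps.append("customer signature on delivery")
    return gaps


def sample_orders() -> Dict[str, CnpOrder]:
    """Constructed sample orders, not real transactions."""
    billing = "12 Main St, Springfield 01101"
    full_match = AuthResponse(approved=True, avs_street_match=True,
                              avs_zip_match=True, cvv_match=True)
    return {
        "clean": CnpOrder(billing, "12 main st springfield 01101", full_match,
                          signed_delivery=True),
        "reshipped": CnpOrder(billing, "9 Other Rd, Elsewhere 02202", full_match),
        "zip_only": CnpOrder(billing, billing,
                             AuthResponse(True, False, True, True)),
        "declined": CnpOrder(billing, billing,
                             AuthResponse(False, None, None, None)),
    }


if __name__ == "__main__":
    for name, order in sample_orders().items():
        print(name, fulfillment_decision(order), retrieval_evidence_gaps(order))
```

The "reshipped" sample is the case the capitalised warning in the text is about: every check passed, yet the goods were requested at an address AVS never saw, so the order is held rather than shipped; it also shows up as lacking a delivery signature if a retrieval request arrives later.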