Helpful Articles


Digital phone lines play havoc with credit card processing


Many businesses are making the jump to the popular and highly advertised digital phone service. But give some thought to your credit card processing before making the leap. RCSC frequently receives calls from distressed business owners dealing with issues such as multiple authorizations, duplicate transactions and the inability to batch as a result of converting to digital phone service.

Credit card processing dial-up terminals work best with traditional analog telephone lines, which transmit and receive information differently than digital lines. Using digital phone service with an analog credit card terminal will most likely lead to technical problems.

Problems with the digital phone lines don’t always immediately present themselves. A terminal could successfully work using a digital phone line for days, weeks or even months before complications surface. RCSC Director of Member Development Nicholl Bautochka suggests you purchase an Ethernet terminal that runs through the Internet to avoid these complications.

“The best and most simple way to avoid the headaches of incompatible technology is to purchase an Ethernet terminal and hook it up to your Internet with a cat-5 cable,” said Ms. Bautochka. “Another option is to re-establish a dedicated analog phone line for your dial-up terminal, though many phone companies are offering digital phone lines exclusively.”

If you have questions about digital phone lines and processing terminals, call RCSC for assistance. You can reach Michele, Nicholl and Carly at (800) 442-3589 or RCSC@retailcouncilnys.com.

 

What you should know about your credit card agreement

To accept credit cards at your business, you signed a contract with a processor. That contract, often called a merchant agreement, details the practices and policies your business must abide by to continue accepting cards. Your contract with most credit card processors prohibits the following practices:

  • Minimum purchases – Merchants cannot establish policies setting a minimum or maximum purchase amount for credit card customers
  • Personal information – A business cannot require customers to give their phone numbers, addresses, driver’s license numbers or any other personal information as a condition of making a purchase with a credit card
    • You may request this information from the customer; however, he/she has the right to decline to give out personal information and cannot be refused a sale because of that refusal
  • Fees for credit card purchases – Businesses cannot charge fees to customers using credit cards
    • The credit card companies do allow businesses to offer discounts to customers paying with cash or check
  • Cash refunds – Businesses must credit returns through the credit card that was originally used to purchase the item being returned. The card associations prohibit businesses from offering cash or check refunds to credit card customers for returns.

Each processor provides a manual to new customers describing all its policies. Pick up this manual regularly for a refresher – you’ll be glad you did!

 

What cardholder data you can and cannot store


Security rules your business must follow

As a business owner you’re understandably concerned with the rising incidence of stolen cardholder account data. The thefts cause businesses and financial institutions fraud losses and unanticipated operational expenses, and inconvenience consumers significantly.

The major credit card companies (Visa, MasterCard, American Express, and Discover) have established stringent requirements for collecting and storing customers’ payment card data. These Payment Card Industry (PCI) Data Security Standard Requirements protect your business, your customers (cardholders) and the payment system’s integrity.

You may store the following cardholder data:

  • Account number
  • Cardholder name
  • Expiration date

Cardholder data you should never store:

  • Full magnetic stripe information
  • The card verification codes or values (three-digit code on the signature panel or code embedded within the magnetic stripe)
  • The cardholder’s PIN

You should always destroy or purge all media containing obsolete transaction data with cardholder information.

According to the PCI requirements, your business may have to comply with security audits and you may be asked for a system scan or self-assessment. If your business has a security breach and is found not in compliance with the payment card security rules, there are severe penalties, including barring your business from accepting payment cards.

When you follow the payment card security requirements, you protect your customers’ sensitive data and put your business at a competitive advantage over others that are not in compliance.

Contact the bank or company that manages your payment card processing for details or visit www.pcisecuritystandards.org for more details on the PCI Data Security Standards Requirements.

 

Earn cash reward for credit card pick up

Every once in a while a business owner swipes a card and an unusual message appears on their terminal screen telling them not to return the card to the customer. A reported stolen credit card or an extremely overdue payment may be the reason for this “pick up” message.

If the terminal displays a pick up card response, such as “PICUP” or “PIC UP,” or the Authorization Center tells you to take the card, follow their instructions. You may be eligible for a cash reward from your credit card processor for doing so.

To collect your reward, simply cut the card in half directly through the entire account number. Place the card in an envelope along with your name, merchant number, date of pick up, and your address and mail it to your credit card processor (check your card acceptance guide for the appropriate address).

 

What to do when you get a draft retrieval request

Occasionally, your customer’s credit card issuing institution may require a copy of a sales draft (sales receipt) for a billing question or because the cardholder does not recognize the transaction.

Your credit card processor will forward a retrieval request letter when someone requests a sales draft from your records. The letter will ask for a copy of the receipt with the following legible information:

  • Cardholder’s account number
  • Reference number
  • Dollar amount
  • Date of the transaction

You should forward a copy of the sales draft along with the request form to the appropriate processing center (per the request letter).

It is advisable that you respond to all retrieval requests within the number of days indicated, or a chargeback may occur. You should give requests for draft copies top priority to avoid this problem.

 

Payment Card Industry Standards Info and Materials

The payment card industry (American Express, Visa, MasterCard, Discover, JCB) developed the Payment Card Industry Data Security Standards (PCI-DSS) to protect cardholder data from being stolen and used for fraudulent purchases or identity theft. You must comply with PCI-DSS if you accept credit cards at your store or business.

Visit the PCI Security Standards PCI-DSS Web page for more information and to learn what you should do to be in compliance.

  • PCI-DSS Self Assessment Questionnaires (SAQ). Find all SAQs in the Documents Library, SAQ tab of the PCI Security Standards web page.
    • SAQ A – Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.
    • SAQ B – Imprint-only and stand-alone terminal merchants with no electronic cardholder data storage.
    • SAQ C – Merchants with POS systems connected to the Internet, no electronic cardholder data storage.
    • SAQ D – All other merchants (not included in Types 1-4 above) and all service providers defined by a payment brand as eligible to complete an SAQ.
  • PCI-DSS Prioritized Approach – Provides guidance that will help merchants identify how to reduce risk to cardholder data as early as possible in their compliance journey.

Source: PCI Security Standards Council website