Credit Card Processing Blog

From a merchant’s point of view, face-to-face and e-commerce transactions are similar in that in both environments the payment information is electronically collected by the merchant’s system. In the former instance the data processing is performed by a point-of-sale (POS) terminal, which reads the card’s information following a swipe, while in the latter the task is performed by the merchant’s payment gateway, following the customer’s manual entry of her payment information on the merchant’s website.

But how do you accept your customer’s payment, if her credit card information is verbally given to you over the phone or electronically by fax or via email? Well, that’s when you need a virtual terminal. Here is what you need to know about this payment processing service and how to use it.

Virtual Terminal Basics

Virtual terminal is the web-based equivalent of the physical POS credit card acceptance machine. It performs exactly the same function, which is to collect the transaction information, encrypt it for protection against hackers, transmit it securely to the processor and then communicate the processor’s authorization response back to the merchant. The only difference is that, rather than reading the customer’s payment information from her card’s magnetic stripe or chip, the virtual terminal does it from a payment form, which is filled out by the merchant in a browser. In that respect, the virtual terminal resembles an e-commerce transaction processing set-up, except that in the latter case the payment form is filled out directly by the customer.

So it can be said that, when making an e-commerce payment, the customer is doing it through a simplified version of a virtual terminal. The only difference between making an online payment for yourself and doing it for a customer of yours is that in the first instance you are charging your own card, while in the latter you are billing your customer.

A great thing about virtual terminals is that they can be accessed from anywhere internet connection is available, either from a computer or a smart phone. You can set up multiple user accounts for your employees and assign different levels of control.

Some virtual terminals allow you to accept ACH (e-check) payments, in addition to bank cards. However, not all of them do, so if you need e-check acceptance, be sure to ask your prospective processor if their system supports it.

Recurring Payment Support

Some merchants’ business models are based on delivering products and services on a pre-determined schedule (weekly, monthly, etc.) over time. For instance, a car insurance policy is typically paid in monthly installments of pre-defined amounts. These are known as recurring payment plans and can last until the payment plan is canceled by the customer. A similar type of a plan can be set up for the payment of, say, a TV set. In this case, however, both the number of payments and their amounts are pre-determined and the plan is automatically discontinued after the last payment is processed. These are known as installment payment plans.

The virtual terminal is the best platform for setting up and managing recurring and installment payment plans. It enables you to create customer profiles by storing their payment information securely on your processor’s server. Then you can use the managed billing service that is built into the system to manage your customers’ payment plans.

Who Are Virtual Terminals For?

Virtual terminals are designed for everyone who accepts payments in a non-face-to-face environment. That includes e-commerce businesses, which sometimes need to process a payment that a customer has called in for some reason, rather than made online. Conveniently, all major payment gateways feature a built-in virtual terminal.

Yet, the primary virtual terminal users are mail order and telephone order (MO / TO) merchants, which accept payments exclusively by phone or mail. Virtual terminals are also the preferred payment processing platform for most non-profit and membership-based organizations, either exclusively or in combination with an e-commerce set-up.

The Takeaway

If you don’t meet your customers in person or do not operate an e-commerce website, you need a virtual terminal to accept payments. Typically, the most cost-effective approach would be to have your processor provide both the merchant account and the virtual terminal. Keep in mind that all major virtual terminals out there have the same capabilities, so there is no reason to overpay for any one of them.

Image credit: Real Simple.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

E-commerce transactions are vulnerable to fraud, customer disputes and chargebacks to a much greater extent than card-present ones. There are several major reasons why this is the case and the most obvious among them are that neither the merchant can physically verify the validity of the card used for payment and the authenticity of the cardholder, nor can the customer physically inspect the product she is purchasing. Then there are the potential complications that can arise from a late delivery of a purchased product or a premature posting of the transaction to the cardholder’s account that are typically not an issue in payments accepted in a face-to-face setting.

It is unlikely that we will ever be able to bring e-commerce risk down to brick-and-mortar levels, but we can certainly take measures to make it tolerable. Listed below are eleven specific best practices that you should adhere to when accepting credit card payments on your website. Make them part of your sales process and you will see fewer chargebacks and fraudulent transactions.

11 Steps to Processing E-Commerce Transactions

1. Obtain the cardholder’s name, address and phone number. If the shipping address is different from the billing one, make a phone call to your customer or send her an email to verify the order. Do not proceed with the transaction until you get a satisfactory response from your customer.

2. Collect the card account information. Get the card number and brand. Most consumers, including criminals, do not know that a card’s brand can be determined by the card number, so a discrepancy here may indicate that the customer is not in a physical possession of the card. Also obtain the card’s expiration date and security code – the CVC 2, CVV2 or CID number, located near the signature panel on the back of the card (or on the front for American Express cards). The security code is another tool used to ensure that the customer is in possession of the card.

3. Enroll in Verified by Visa and MasterCard SecureCode. These services are used to authenticate cardholders who had previously enrolled in the programs. Participating merchants are protected from certain fraud-related chargebacks, even when customers have not enrolled.

4. Always use Address Verification Service (AVS). The AVS allows you to verify a cardholder’s billing address with the issuer. Perpetrators of fraud often do not know the account’s correct billing address.

5. Authorize every transaction. All e-commerce transactions must receive an authorization approval.

6. Avoid using voice authorizations. These cannot be used as supporting evidence in chargeback re-presentments.

7. Do not use forced authorizations. Forced is a transaction which, after an authorization request has been declined, is key-entered by the merchant. Do not do it, nor should you make repeated authorization requests in the hope of eventually receiving an approval.

8. Ship within seven days of receiving the authorization approval. If unable to do so, make a new authorization request.

9. Inform your customer of the expected delivery date. If the purchased merchandise or services are not delivered to the cardholder at the time of the transaction, inform your customer of the delivery method and (expected) date. If the delivery is running late, inform your customer immediately and provide a new delivery date.

10. Deposit transactions after the product is shipped or delivered. In card-not-present environment, the transaction date is the date on which the product is shipped, not the one on which the payment is accepted. Make the deposit within three days of the shipping (transaction) date.

11. Use the original authorization number for your deposit and refund transactions. Doing so eliminates the possibility of depositing refunds for sales transactions for which an authorization approval has not been received and which should not have been processed. This is a great fraud-prevention measure.

The Takeaway

This is a very short list and there are many other items that can be added to it. However, if you only stick to these eleven best practices, you will be in good shape and have far fewer chargebacks, customer disputes and fraudulent transactions to deal with.

As you gain experience and your business grows, it would be a good idea to start building an internal negative file, set up velocity limits and controls, implement fraud screening and other risk management best practices.

Image credit: Diariopyme.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

At UniBul Merchant Services the great majority of our clients are e-commerce and mail order or telephone order (MO / TO) merchants. We get to speak to people from many businesses and non-profits that accept payments in a non-face-to-face setting which, incidentally, is how we get many of the ideas for our blog posts.

A recent conversation with the owner of a medium-sized provider of SAT preparatory courses reminded me that I needed to write a refresher course on credit card acceptance over the phone. It has been a while since we have written anything on this topic and there are a few new things that need to be added to what we’ve already said.

How to Process MO / TO Credit Card Payments

Your primary objective when accepting payments over the phone or in the mail must be to verify the cardholder’s identity and the validity of the card. To that end, you will need to implement the following procedures into your payment processing cycle:

• At a minimum, you should always collect the following information from your customer:
  • The entire card account number.
  • The cardholder’s name, as shown on the card.
  • The card expiration date, as shown on the card.
  • The cardholder’s billing address.
  • The card security code (CVV2, CVC 2 or CID, depending on the brand).
  • Ask if the card has a start date and if so, record it.
  • Ask for a contact phone number. Ideally, you would want to obtain a land line phone number, which you can much more easily verify through directory services.
  • Ask for the name of the card issuer.
  • If you are taking an order over the phone, make a note of:
    • The date and time of the conversation.
    • The details of the discussion.

    
    These details can come in handy during a follow-up conversation, but also in case of a dispute later.

• If you are taking an order by mail or fax:
  • Always ask for a signature on the order form. Notate the field as mandatory.
  • Save a copy of the order.
  • Get proof of delivery.

  
  Your processor may also request that additional details are obtained. Contact them and ask what their requirements are. There is usually a good reason for that.

• Use the Address Verification Service (AVS) for all of your transactions. Verifying whether the billing address provided by your customer matches the one on file with the issuer is an important indicator that should be part of your fraud prevention process. It is a simple and inexpensive service and there is absolutely no reason not to use it.
• Implement a fraud screening process, which would, if certain pre-defined high-risk characteristics are discovered, suspend the processing of the transactions at issue and set them aside for a more detailed review. Whether proprietary or provided by a third-party, your fraud screening mechanism should use the following elements as trigger points for the suspension of a transaction:
  • Match with information in your internal negative file.
  • Exceeding your internal velocity limits and controls.
  • An AVS mismatch.
  • A security code mismatch.
  • International shipping address.
  • International IP address.
  • Shipping address that is different from the billing one.
  • High-risk shipping address, such as P.O. boxes, prisons, hospitals and addresses with known fraudulent activity.

When developing your own internal policies for processing credit card transactions (yes, you do need to do that!), you should adjust the above procedures to address your particular circumstances. Then you will need to provide adequate training to all of your employees.

Get a personalized credit card rate for each of your transactions!

Get the lowest possible credit card processing rate for each individual transaction! Our interchange-plus pricing model gives you:

• Processing rates calculated separately for each transaction to ensure that not a single one of them is overcharged.
• No more mid-qualified and non-qualified fees.
• No fixed monthly fees.

Merchants accepting credit cards online, over the phone or otherwise in a card-not-present environment have a much more difficult job verifying the payment information provided by customers than their counterparts operating brick-and-mortar stores. Consequently, risk exposure and processing fees are correspondingly higher in virtual payment settings.

Risk Exposure in Card-not-Present Transactions

There are two major factors that determine the level of risk exposure for card-not-present merchants: fraud and chargebacks. It is ultimately the merchant who bears the financial liability for processing fraudulent transactions and ones that are subsequently charged back. Developing a solid process for verifying the payment information provided by the customer at the checkout goes a long way toward limiting your risk exposure.

The verification of payment information consists of two separate, although interrelated processes: cardholder authentication and card validation. We have written in some detail on how to verify the authenticity of a payment card and will no doubt be doing so again in future posts, but in this article I will focus on verifying cardholder information.

Fraud Screening and Scoring

Before we dive into the verification procedures, I’d like to say a few words about screening and scoring transactions. Screening is an automated mechanism for identifying high-risk transaction characteristics and suspending the processing of such payments. Fraud scoring is the process of rating the highest-risk card-not-present transactions that need to be additionally examined.

You will need to either develop your own or implement third-party fraud screening and scoring solutions. The reason you need them is that these processes will increase the efficiency of your fraud prevention strategy by helping you concentrate your efforts on these transactions that are most likely to be fraudulent, rather than evaluating all of them.

5 Steps to Verifying Cardholder Information

Virtually all information provided by a customer at the checkout can be verified, to one degree or another. Here is how you can do this (I am assuming that you have implemented fraud screening and scoring mechanisms):

• Verify land-line and cell phone numbers. Check the land-line number’s area code and telephone prefix (the first three digits after the area code) and make sure that they are valid for the provided city and state. However, many consumers no longer use land-lines, so cell phones will often be the only option. Even though the above characteristics are much less applicable to cell phones, you should still call the provided number when there is a discrepancy.
• Check the ZIP code. There are many directory services you can use to verify that the entered ZIP code corresponds to the provided city and state. You may want to consider allowing customers to override error alerts, as information may have been recently updated.
• Validate the email address. You should be sending order confirmations to your customers’ email addresses. If the email is returned as “undeliverable,” this can be a sign of fraud. Very few customers provide wrong email addresses at the checkout, because they want to be notified of their order’s status.
• Call the issuer. If you suspect fraud or unauthorized card use, you can call the card issuer directly and:
  • Verify the name, address and phone number the issuer has on file for their cardholder.
  • Check if the cardholder has recently changed their address.
  • Call the cardholder. If you have not been able to verify the information, call the cardholder at the number on file with the issuer and ask them whether or not they have placed the order.

The above verification procedures can be very time consuming, which again is the reason you should implement fraud screening and scoring. You don’t want to be verifying information for transactions that are unlikely to be fraudulent in the first place. Additionally, you don’t want the verification process to be costlier than the potential loss.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Businesses that accept credit cards in a face-to-face environment benefit from the lower interchange rates at which Visa and MasterCard process card-present transactions. Or at least they should benefit from these rates, unless what their processors are charging them makes up for the lower interchange.

However, in order for a credit card transaction to be classified as “card-present,” one of the qualifications is that it must be swiped. So, even if both the card and the cardholder are physically present throughout the transaction, if the payment information is key-entered, rather than “read” by the point-of-sale (POS) terminal from the card’s magnetic stripe, the transaction is classified as a “card-not-present” one. You will want to keep card-not-present transactions to a minimum, because they are processed at higher rates.

Card-Present vs. Card-not-Present Interchange

To be more specific, I have listed in the table below the interchange rates for some of the most widely processed types of credit card transactions in both environments.

As you see, there is quite a bit of a difference between the interchange of card-present and card-not-present transactions. Now, if you accept payments online or over the phone, you don’t need to worry about that, as you will never qualify for the lower interchange anyway. However, this is not the case if you accept credit cards through a POS terminal.

Why You Should Avoid Key-Entered Transactions

Any time you manually key-enter transaction information into your system, you are charged card-not-present interchange. In fact, if your pricing is based on a tiered model, the rate difference will be even bigger than what you see in the table above, because key-entered transactions will be classified as “non-qualified” and processed at a substantial premium.

At times you will have no choice but to key-enter a payment. For example, if your terminal’s card reader is malfunctioning or the card’s magnetic stripe is damaged, you will probably have to manually enter the transaction information. Keep in mind, however, that if the card itself is unreadable, this reason may be that the card has been altered and is invalid or counterfeit. In other words, your customer may be committing fraud.

Processing Key-Entered Transactions

Whenever your POS terminal cannot read a card, follow these steps to complete the transaction:

1. Check the terminal. See if the terminal is working properly. If it is, check the card.
2. Check the account number. The last four digits of the account number on the front of the card must match the four digits in the signature panel on the back of the card, right before the security code.
3. Check the expiration date. A bank card is only valid when it is used before the expiration date listed on its front.
4. Manually enter the transaction information. If you have discovered no reason to suspect foul play, key-enter the information.
5. Make an imprint of the card. You need to keep a manual imprinter handy for such circumstances.
6. Obtain a signature. Your customer must sign the transaction receipt.
7. Compare the signatures. The signature on the sales receipt must match the one on the back of the card. Unsigned cards are invalid and should not be accepted.

If, however, the card looks as if it has been altered in some way or the signatures don’t match or something else leads you to suspect that a fraudulent transaction may be under way, you need to make a Code 10 call. You will be connected with the card issuer’s authorization center and given instructions on how to proceed with the transaction.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).