Credit Card Processing Blog

Swipely, a social shopping network, is the latest entrant in the increasingly crowded field of social networks who offer users the ability to share their credit card purchases with friends, we learn today from ReadWriteWeb’s Adrianne Jeffries. After several months of private beta testing, today Swipely opened its doors for everyone.

Given the track record of similar services in the recent past, Swipely has its work cut out for them. To say that its competitors have had a hard time both convincing a skeptical public and protecting users’ personal information would be a huge understatement.

You may remember, for example, what happened with Facebook’s ill-fated Beacon project. It was supposed to “help people share information with their friends about things they do on the web,” according to Facebook’s founder Mark Zuckerberg. A month after Beacon’s release, Zuckerberg was already apologizing for making “a lot of mistakes building this feature” and simply doing “a bad job with this release.” Eventually, Beacon was shut down and Facebook had to pay $9.5 million to settle a lawsuit alleging privacy violations.

Earlier this year, Blippy, another start-up that offers users a platform to share credit card purchases with others, accidentally revealed the credit card details of some of its users on Google. As announced on Blippy’s blog:

In early February, due to a technical oversight on our part, some raw transaction data appeared within the HTML code on some Blippy pages for about half a day. Raw transaction data is the messy one-line sentence that appears on a bank or credit card statement.

Half a day of course was all the time needed to cause the trouble:

Google had crawled and indexed a portion of Blippy’s pages. Even though the sensitive information was hidden in the HTML and not visible in plain view, the Google crawler observed it and recorded the information to put into its search index. Google effectively took a snapshot of Blippy during that half day period.

Undaunted, Swipely is going ahead with its own service and says it has learned from others’ mistakes. Here is how it works, as explained by Jeffries:

Swipely collects purchase information from more than 4,000 banks and credit card companies, using the Localeze database to match transaction codes to physical locations. Users can also forward email receipts to Swipely or install a Gmail plugin that pulls receipt data automatically.

You can broadcast all your purchases, all your purchases from a specific store, or pick individual purchases to show on Swipely, Twitter and Facebook.

…

The data is used to target users for ads and discounts. Users can also search for all the comments for a store or item, similar to user reviews on a site like Yelp or Amazon.

Swipely founder Angus Davis acknowledges the obvious – that convincing people to trust them with their personal information will be hugely challenging. His major selling point seems to be Swipely’s potential to save users money. Whether people will buy into it remains to be seen.

Accept card payments quickly and safely

Accept credit and debit card payments at the lowest processing costs. You will get:

• Free merchant account set-up.
• No fixed monthly fees.
• 24 / 7 customer support.

Store-front merchants have the advantage of accepting payments in a face-to-face environment, which allows them to physically inspect their customers’ signatures. Moreover, industry regulations require that merchants compare signatures on sales receipts to the ones on the back of the cards used by their customers and make sure they belong to the same person. Complying with this requirement will help you minimize fraud and chargebacks.

During the check-out process, while waiting for authorization and for the customer to sign the sales receipt, you should keep the card in your possession and examine the signature on its back. You should also inspect and compare the name and account number. Once the receipt is signed, compare the signature on it to the signature on the back of the card. It is a simple procedure and you should do the following:

• Compare the name and last four digits embossed on the card to the name and last four digits on the sales receipt. Your terminal should be set up to only print the last four digits of a card number for security purposes. The other twelve digits should be truncated.
• Compare the signature on the back of the card to the signature on the sales receipt. The first initial and spelling of the surname must match. If there is a mismatch, ask for additional identification, such as a driver’s license or contact your processing bank for instructions. The signature would not match if the signature panel were signed “John R. Smith” and the sales receipt – “Mark Smith” or “K. Smith.” The signature would be acceptable if signed “John R. Smith,” J. R. Smith” or “John Smith.” The signature would also be acceptable if a title such as Mr., Mrs., or Dr. is missing or is included.

If the two signatures do not match, the transaction should not be completed. If you accept the transaction and it turns out to be fraudulent and charged back to you, you may be liable for the chargeback and lose your re-presentment attempt, even if the transaction was properly authorized. Be advised also that the name, embossed on the front of the card does not have to match the signature.

Whenever a merchant determines that there is enough evidence to indicate that a transaction may be fraudulent or that the signatures do not match, he or she should take one of the following actions:

• Ask the customer for a second signature to be compared again to the one on the back of the card.
• Make a Code 10 call with your processor’s voice authorization center and follow the instructions the representative gives you.

Signatures are not required for card-present transactions where a Personal Identification Number (PIN) is used as a cardholder verification method. In the U.S., PIN transactions are the exclusive domain of debit cards. In Europe and elsewhere, however, chip-and-PIN credit cards have been replacing the traditional credit card system that works by swiping a card with a magnetic stripe and signing a sales receipt. It is not clear if and when these cards will make their debut on this side of the Atlantic, so in the mean time merchants will have to continue to physically inspect signatures.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Recently we reviewed the fraud prevention guidelines that airlines should follow when accepting credit cards for payment. This post will focus on how credit card payments should be processed by companies selling airline tickets and what information should be disclosed to customers, in order to minimize customer disputes and chargebacks.

• Clearly disclose the total transaction amount. Tell your customer, before the sale is completed, what the total transaction cost would be, including all applicable fees. Few things annoy customers more than ploys designed to disguise the total sales amount, in an effort to make it look smaller than it actually is. Remember that consumers don’t care how much the ticket itself is, how much the airport fees amount to, and how much an agency charges for the sale. The only price that matters from a consumer’s standpoint is the final transaction amount, so that they can compare it to rival websites and make an informed decision about the purchase. Failure to clearly communicate the final transaction amount is a sure proof way to generate customer disputes and chargebacks, as well as negative publicity.
• Tell customers how your name will appear on their credit card statements. Your customers must be able to easily recognize your company’s name on their statements. Your processor can manage this information field through the billing descriptor. Contact them and make sure that the billing descriptor is set up correctly. This is especially important if your legal name is different from your “Doing Business As” (DBA) name. In such cases, consumers can easily get confused, as they can recognize your DBA, while processors typically use the legal name in the billing descriptor.

• Clearly disclose all terms and conditions of the sale. Your customers should know all terms and conditions of the sale before making a decision to buy. Any unpleasant surprises after a sale is completed will most likely lead to a customer dispute and / or a chargeback. More specifically, your terms and conditions should provide the following details:
  • The amount of an itinerary change fee. If your customer needs to change his or her itinerary, he or she must know what the applicable fees would be before the transaction is completed.
  • How the itinerary change fee will appear on the cardholder’s card statement (in total or billed separately).
  • When the fee will be billed.
• Additional fee disclosures. Tell your customers what fees there are, if any, for the following services:
  • Baggage fees. If there would be charges for checked bags, tell customers what they would be. If there are different charges for the first and second bag, provide information about both.
  • Oversize / overweight bag fees. If different from the regular bag fees, tell your customers what they are.
  • Travel with pet fees. List applicable fees for pet travelers.
  • Unaccompanied minor fees. List fees for unaccompanied minors.
  • Preferred seat selection fees. Tell your customers whether seat selection is free and, if not, what the applicable fees are.
  • Beverage and snack fees. Be sure to let customers know what, if anything, they should expect to pay for food and drinks on board the airplane to help them avoid awkward situations.

A clear disclosure of the above information prior to the sale will ensure quality of service and help avoid unnecessary and costly customer disputes later. Require that customers accept the disclosure statement by clicking on an “Accept” or “Agree” button on your website before the sale is completed.

Accept card payments quickly and safely

Accept online payments via credit and debit cards and electronic checks at the lowest processing costs. You will get:

• Free merchant account and Authorize.Net gateway set-up.
• No monthly merchant account or gateway fees.

Content of sales receipts. Sales receipts are used by both customers and merchants to validate a transaction in which they have participated and to use them as reference points whenever a dispute needs to be resolved or a representment is requested in a case of a chargeback. Each copy of a receipt for a retail sale, credit, or cash disbursement transaction must contain the following information:

• In the case of retail sale and credit receipts, a space for the description of products or services that are sold by the merchant to the customer and their cost, in sufficient detail to identify the transaction.
• Sufficient spaces for:
  • Customer’s signature.
  • Card imprint and the merchant or bank identification plate imprint.
  • Transaction date.
  • Authorization number (except on credit slips).
  • Sales representative’s initials or department number.
  • Currency conversion field.
  • Merchant’s signature on credit receipt.
  • Description of the identification document supplied by the cardholder on cash disbursements and retail sale slips for certain unique transactions.
• A note clearly identifying the receipt as a retail sale, credit, or cash disbursement and the receiving party of each copy.
• On the customer copy of the sales receipt, the words (in English, local language, or both): “IMPORTANT – retain this copy for your records,” or words to that effect.

The merchant can include other relevant information on the receipt, provided it is not inconsistent with these rules. It is recommended that each retail receipt identifies the organization that distributed the receipt to the merchant.

Card account number truncation. Since 2005 it is also required that all sales receipts generated by newly installed, replaced or relocated point-of-sale terminals, whether attended or unattended, display only the last four digits of the account number. All preceding digits must be replaced with fill characters that are neither blank spaces nor numeric characters, such as “X,” “*,” or “#.” The last four digits provide the customer with enough information to identify the card that he or she used in the transaction.

General truncation consideration. Typically, the truncation of a greater number of digits, when compared to the total number of digits in the personal account number (PAN), increases the effectiveness of the procedure. However, it can also make it more confusing and difficult for cardholders to reconcile transaction receipts to their monthly card statements. There are several considerations to take into account when developing your own procedures for truncating account numbers:

• A truncation of the routing bank account number (BIN) alone, while helpful, may not prevent duplication of the PAN. It is possible to observe the card in use in order to obtain card issuer identification.
• Truncating the check digit and several other digits does not improve PAN security. Without the check digit, calculation of several missing digits within the PAN, especially if the routing BIN also is truncated, is substantially more complicated and time consuming.
• Truncating a small number of digits, when compared to the total number of digits in the PAN, makes the procedure less effectiveness. It is possible to reconstruct a few missing digits by trial and error.
• Truncating a greater number of digits, when compared to the total number of digits in the PAN, increases the effectiveness of the procedure.

Electronic signatures. Processing banks that are using Electronic Signature Capture Technology (ESCT) must ensure the following procedures are implemented:

• Adequate electronic data processing (EDP) controls and security measures are established, so that digitized signatures are recreated on a transaction-specific basis. Processors may recreate the signature captured for a specific transaction only in response to a retrieval request for the transaction.
• Sufficient controls exist over employees with authorized access to digitized signatures maintained in the processor’s or merchant’s computers. Employees and agents should be allowed to access the stored, electronically captured signatures only on a “need to know” basis.
• Digitized signatures are accessed and used in compliance with applicable industry regulations.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).

Authorization is the process of obtaining permission from the card issuing bank to accept the card for payment. Authorization involves assessing the card’s transaction risk and, if approved, reserving the specified amount of credit on the cardholder’s account. If a merchant does not comply with Visa or MasterCard rules regarding authorizations, payment to the merchant may be withheld or the transaction may be charged back at a later time. The authorization takes place in real time, as the transaction occurs. The exact processing activities during authorization may be different from one processor to another and vary among merchant types but the process goes through the following stages:

1. Cardholder places an order with a merchant. The authorization, and transaction, process begins when the cardholder places an order at a physical store, on an e-commerce website, or in another environment, and provides his or her card account details: name, address, card account number, card’s expiration date, card verification code (the 3- or 4-digit number on the back or front of credit and debit cards), payment amount (if not estimated by the merchant and automatically provided).
2. Payment data transmission to the acquiring bank. The payment information provided by the cardholder is transmitted to the acquiring bank (also known as acquirer, merchant bank or processing bank).
3. The acquiring bank sends the authorization request to Visa or MasterCard. The processing bank sends the received payment information on to the respective Credit Card Association, requesting transaction authorization.
4. The Credit Card Association sends the authorization request to the card issuer.
5. The card issuer approves or declines the transaction. Once the card issuer makes its authorization decision the response is sent back to the merchant through the same channels. The possible responses in card-present transactions are listed in the table below:
   
   

   Response	Explanation
   Approved	Issuer approves the transaction. This is the most common response-about 95% of all card-present authorization requests are approved.
   Declined or Card Not Accepted	Issuer does not approve the transaction. The transaction should not be completed. Return the card and instruct the cardholder to call the issuer for more information on the status of the account.
   Call, Call Center, or Referrals	Issuer needs more information before approving the sale. Most of these transactions are approved, but you should call your authorization center and follow whatever instructions you are given. In most cases, an authorization agent will ask to speak directly with the cardholder or will instruct you to check the cardholder’s identification.
   Pick Up	Issuer wants to recover the card. Do not complete the transaction. Inform the customer that you have been instructed to keep the card, and ask for an alternative form of payment. If you feel uncomfortable, simply return the card to the cardholder.
   No Match	The embossed account number on the front of the card does not match the account number encoded on the magnetic stripe. Swipe the card again and re-key the last four digits at the prompt. If a “No Match” response appears again, it means the card is counterfeit. If it can be done safely, keep the card in your possession, and make a Code 10 call.

A positive authorization response indicates that there are funds available in the account and the card has not been reported as lost or stolen. It is not, however, a proof that the card is not fraudulently used.

Real time vs. batch authorization processing. In a card-not-present environment, merchants who do not process card transactions in real time typically download their transactions from their server within 24 hours of the order request. They then group all orders together (forming a batch) and submit them for authorization. If an order is declined, the cardholder must be notified by phone or email.

Learn how to lower your card acceptance cost

Learn how to accept credit and debit cards at the lowest processing costs. The Payment Card Acceptance kit contains a video and an e-book:

• Video – Card Acceptance Best Practices for Lowest Processing Costs (18 min).
• E-Book – Payment Card Acceptance Guide (19 pages).