With ever increasing rules, regulations and policies being put in place to cover various organizations across the globe, it can sometimes be hard to know what is expected of your company. After all, understand the wording and small print doesn't always come easy!
Credit card processing is no exception. Whenever you purchase, rent or use any card processing equipment and/or application you are effectively entering into a legal contract.
This is known as the Financial Management Services (FMS) Card Processing Rules and Regulations Agreement.
Who Must Comply?
All transactions made by Visa, MasterCard, American Express, Discover and any debit cards are subject to these rules. Organizations must also adhere to the individual regulations set out by these companies as well as those of the FMS.
However, the FMS and the individual card companies do work together to avoid conflicting regulations wherever possible, bearing in mind that card processing rules are always subject to change.
How Do You Comply?
In order to gain approval, organizations are required to complete and submit an Agency Participation Agreement (APA) and an application to FMS.
Applications for transactions that happen within a company (via mail order, telephone order, delayed debit and internet purchases) must be stated on the FMS application and approval in writing must be received back from the FMS before these transactions can occur.
A new application should be submitted to the FMS for each new type of cash flow transaction.
All organizations must honor valid cards according to its transaction type and card used. There are many ways transactions can be processed including:
Over the Counter Transactions
Employees processing signature based transactions should always check:
- The card validity (on the face of the card).
- For Visa and MasterCard, that the four digits below the account number are the same as the first four digits embossed on the card.
- The 'valid from' and 'valid to' dates.
- If the card is signed and not been visibly altered.
- The transaction form is signed in front of the employee and the signature compared with that on the card.
- The same card used for purchase is used in the event of a return.
- The organization should have an appropriate POS (Point of Sale) device positioned for privacy of PIN input for cardholders.
- The PIN should not be displayed, transmitted or stored in a non-encrypted form.
- POS devices must be fully compatible with the processing unit of the organization's financial agent to be able to directly send, receive and process transactions.
Internet and Telephone Transactions
Organizations can accept credit cards over the internet by using SSL (Secure Sockets Layer) for security. The sales draft should be clearly printed with:
- TO for a telephone order transaction
- MO for mail order
- E-Commerce for electronic commerce transactions
It should also include:
- The cardholder's account number (last four digits visible and the other digits hash marks)
- Date of transaction
- Description of good or services
- The full amount of the transaction (inc shipping, charges, handling etc)
- The cardholder's name and billing address (shipping address if different)
- Authorization code
- Organization's name and address
Workstations where card numbers and details are entered are to be secured with an appropriate firewall and networking configurations and not stored on a Web server or database accessible by unauthorized employees.
Merchants or organizations must display promotional materials for all payment cards accepted and honored by them. This should be placed near the entrance of the organization, on their website and at payment points.
During the processing of all transactions the organization must obtain an authorization code for the total amount being paid.
This code will only indicate whether the cardholder's credit is available at the time of authorization. If the transaction is not authorized the transaction should not be completed.
For Internet or phone transactions the validation code should be used to authorize payments.
After transactions are completed the organization should transmit credits and debits to their relevant financial agent within one business day.
Exceptions to this are:
- If the cardholder agrees to a delayed delivery or services at the time of transaction.
- If the organization requested and received authorization for a delayed transaction.
- If, by law, the transaction is to be retained or if multiple locations of a business are used and only one central office is responsible for collecting and transmitting transactions - 3 calendar days are allowable then.
What's the Limit?
The FMS limit for individual transactions is less than or equal to $99,991.99.
If the transaction is greater than this, alternative electronic collection is to be used by means of Automated Clearing House debits or credits or Fedwire transactions.
Disclosure of cardholders' information must only be used for the sole purpose of completing the transaction, or as required by law. Any suspicious requests should be reported to the FMS.
Legible copies of sales drafts and credits should be kept for at least ninety days by the organization's accounting contact.
Records of each card transaction should be retained for at least six years from the date of the card processing.
Data that shouldn't be retained or stored is magnetic-stripe data and card validation codes (CVV2, CVC2 or CID).
Chargeback and Retrieval
Complaints or claims arising from transactions should be taken up with the cardholder immediately and any unresolved claims or complaints will eventually be debited from organization accounts.
Organizations have five days to return these sales drafts to their relevant financial agent. Failure to do so will result in a chargeback from the agent.
Financial agents will audit and review all credits and debits of the organization.
Security of Data
The Payment Card Industry (PCI) Data Security Standards works alongside the FMS to ensure security of data. They have twelve basic requirements that must be adhered to:
To Build and Maintain a Secure Network:
1. Install and maintain a firewall to protect data.
2. Use own system passwords and other security parameters (not vendor supplied defaults).
To Protect Cardholder Data:
3. Protect stored data.
4. Encrypt transmissions of sensitive information and card data.
To Maintain a Vulnerability Management Program:
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
To Implement Strong Access Control Measures:
7. Restrict access to data on a need-to-know basis.
8. Assign a unique ID computer access log-in code to each person.
9. Restrict physical access to cardholder data.
To Monitor and Test Networks Regularly:
10. Track and monitor all access to network resources and cardholder data.
11. Test security systems and processes regularly.
Information Security Policy:
12. Maintain a policy addressing information security.
Personnel should be appropriately trained to accommodate all credit and debit collection processes and chargeback transaction procedures, and to ensure responsibility of action whilst employed at the organization. Training programs are obtainable from the FMS agency.
Organizations must be compliant to Section 508 and give disabled employees and members of the public information that Is accessible to their disabilities and needs in comparison with others.
Any written enquiries from the FMS should be responded to within thirty calendar days of receipt.
Glossary of Terms
A few acronyms to assist with PCI DSS assessment and compliance:
QSA - Qualified Security Assessor - employees of an organization qualified by the Council.
PA-QSA - Payment Application Qualified Security Assessor - organizations qualified by the Council to have their employees assess compliance.
ASV - Approved Scanning Vendors - organizations which validate DSS requirements.
ISA - Internal Security Assessor - sponsor companies qualified by the Council.
QIRs - Qualified Integrators and Resellers - provide opportunity for eligible professionals of qualifying organizations to receive training and qualifications of secure installation security.
PFI - PCI Forensic Investigator - establishes, maintains rules and requirements regarding PCI eligibility.
Whilst PCI DSS can appear to be a daunting and time consuming process, it is essential to the security of both merchants and clients alike. Indeed, non-compliance to PCI DSS can lead to legal fees, fines and loss of business due to security failings.
Many products are available to help with meeting the requirements and programs are available to assist organizations with training, testing and certifying compliance.
Image Source: 1