Card Payments – Do More With Less and Reduce Security Requirements

March, 2010

Let’s be frank. The only way a card holder can be sure his or her data will never be compromised is simply to not pay by credit card. And the only way a merchant (company accepting card payments) can be certain that the business is safe from security breaches is to not accept card payments.
But how many businesses can afford such a restriction?
Implementing and maintaining processes related to card data security are complex and costly. To reduce complexity and cost, goals should be to remove staff involvement from the payment processes and staff access to card data, plus to eliminate as much as possible storing, processing and transmitting card data within the merchant’s environment.
These goals can be accomplished by leveraging advanced managed solutions and value-added services from PCI DSS-compliant service providers (www.pcisecuritystandards.org).
For a merchant, one simple step toward compliance is to ensure that all payment applications in operations (applications / systems used to create card transactions) and third party service providers are compliant. However, the scope of card security goes well beyond these compliances. A common mistake is that companies focus on the compliance of their vendors but overlook reviewing all aspects of their business to understand where, how and for which purposes card data are being stored, transmitted and accessed.
It is often believed that card data are needed to fulfill tasks related to customer support and back-office requirements. Such tasks include handling of customer inquiries, researching transactions, managing disputes, reviewing of charges, manual capture of transactions, reconciliation, and issuing of adjustments and refunds.
But one must ask if the access to card data is a true need.
Could such tasks be completed without storage and access to card data? Also, accepting card payments requires the ability to issue refunds. Do organizations have clear refund processing procedures? Do they know how refunds are being done, by who and and if employees are accessing card data to do so? If procedures are in place, are they up-to-date with card data security requirements and are they being followed?
How the solutions & services apply to the parking industry
While understanding the true picture, implementing and maintaining card security processes are significant and costly endeavors for a retail organization with multiple standardized locations., It is even more complex for parking operators with a broad range of locations and a variety of revenue control systems of all ages inherited with each location over time.
There are many ways to look at card security, but essential goals should be (1) to remove staff intervention from the payment processes and access to card data and (2) to eliminate storing and handling of card data from the merchant’s environment or at least remove them from the control of the merchant’s staff.
These goals can be accomplished while allowing customer support and back-office tasks to be fulfilled by leveraging advanced managed solutions and value-added services from compliant providers.
Advanced managed solutions and value-added services:
• Solutions managed by compliant service providers:
Merchants should standardize on processing solutions without local staff access, independent from local revenue control systems and managed by compliant service providers. Management services should include monitoring and upgrades of operating systems and software to account for ever changing PCI-DSS requirements.
• Real-time authorization and off-line processing capabilities:
One drawback of real-time authorization, which is now common in the parking industry, is that it is dependent on high-speed connectivity at the time of payment. At a parking facility, inability to accept card payments can quickly result in an operational nightmare, with traffic flow through the facility interrupted as parkers and cars are unable to leave. A common procedure in such circumstances is to raise the gates, thus resuming traffic flow but at the same time losing significant revenue.
For optimal operations, systems should have the ability to automatically and temporarily switch to an off-line mode, allowing transactions to be accepted locally. From a merchant’s perspective, this process should be outsourced and managed by a compliant PCI DSS provider. Services should include monitoring of off-line activity to identify potential starting or recurring connectivity issues and the ability to reattempt declined offline transactions without access to card data.
• Tokens for “Card-on-file” applications:
For “card-on-file” applications, such as for automated recurring payments (monthly parker fees), card data storage can be removed from merchant’s environment using token-based solutions. Tokens are dummy numbers issued by the service provider to be used by the payment application in place of card data when creating transactions. Card data are stored remotely by a compliant service provider and linked to tokens. No actual card data are stored on the merchant’s systems.
• Remotely hosted solutions:
Web-based payment solutions hosted by compliant service providers can completely remove card data from the merchant’s environment.
Virtual terminal solution
This solution is similar to a stand-alone credit card terminal but “virtual” without any hardware or software. Once logged onto a secure web portal, users have a credit card machine on their web browser. With an advanced virtual terminal solution, users can create new charges or refunds based on previously completed transactions without access to card data.
Managed recurring payment solution
Recurring payment data include a recurring period (monthly, quarterly etc. ), an amount and card data. Once a recurring payment is created, users no longer have access to card numbers. Transactions are automatically processed on the specified dates. Declined transactions can be re-attempted without access to card data.
Integrated hosted pay page solution
This solution can be used for either e-commerce “online” payment applications or integrated to point-of-sale applications. At time of payment, the browser is redirected to a pay page hosted by the service provider on which the card data are entered. No card data are actually transmitted via the merchant’s web server or application.
• Remotely hosted back-office solutions:
For optimal operations, the advanced solutions presented must be used in combination with hosted web-based solutions for customer support and back-office tasks. All necessary data are stored remotely and managed by the compliant service provider. Essential transaction details and revenue information are made available only to the accredited users.
Advanced functionalities allow users to complete reconciliation, to research transaction details and to issue refunds or partial-refunds against completed card payment without having access to card data.
Hosted back-office solutions also help streamline processes and data management, plus eliminate the possibility of illegitimate actions by unauthorized staff. Tasks can be standardized independently of the revenue control systems and performed either by staff locally at each facility (while allowing supervisors to oversee the activity in a controlled manner), or by “expert” staff with central management of all accounts independently, thus removing the requirements from the local facilities.
The reality is that access to card data is not a true business requirement.
Removing staff intervention from the payment processes and staff access to card data, plus eliminating storage and handling of card data from an organization’s environment while allowing fulfillment of all tasks related to support and back-office requirements are possible today by leveraging advanced managed solutions and value-added services from compliant service providers.
Implementing such solutions can help reduce card security scope and therefore can reduce costs associated with implementation and maintenance of card security processes. It also can result in the implementation of better managed, standardized and centralized processes, which in turn will improve overall operations. All solutions and services presented are currently being used by merchants in the parking industry.
Fabien Pesenti, Country Manager and VP of Business Development for Six Card Solutions, can be reached at fabien.pesenti@3cnorthamerica.com.