A Merchant’s Guide To In-Store Credit Card Processing
There are a huge number of network guidelines issued for accepting card payments, and merchants are expected to understand them all. Yet, few business owners ever actually read these manuals. Unfortunately, this is a pretty significant source of avoidable issues down the road.
Although the extensive fine print and technical jargon in credit card guidelines may be a big turnoff, it’s important to be able to sift through the complicated wording and find the meaning within. Be aware, though, that the information I am about to share does not include all of the credit card processing rules, rather just the ones that are referenced and used most often.
Reviewing the Rules for Visa
Each credit card brand publishes its own tome of guidelines, but for the most part they are all very similar. To keep things simple, we’ll focus on Visa’s card-present guidelines, since it is the most popular brand worldwide.
Minimum Transaction Amounts
Look, I get it. If you’re being charged a percentage fee on top of a flat rate for every transaction, those small purchases can really start eating into your margin. So you can go ahead and impose a minimum transaction fee, we understand. The only stipulation is that you can only impose them on credit card purchases and the minimum can be no greater than $10.
Refunds are just part of the business. Even if you’re selling the most stylish parkas in the entire northern hemisphere, someone is going to buy the one with the stylish blue polka dots and faux mink lining before realizing that he lives in northern Brazil and will probably never have a use for heavy winter wear. So what you need to know in this situation is this: with returns and adjustments that require a refund, you can’t refund card transactions with cash. You can’t, that is, unless the cardholder got scissor-happy on their way home from the parka store and decided to slice up all that plastic. If the customer has disposed of the card they paid with, you can refund with cash or store credit. This rule is in place because if the customer receives cash as a refund, it is ostensibly a cash advance on his or her line of credit that bypasses the fees and regulations imposed on cash advances.
Okay, I know you know this one, but just pretend you don’t because if I didn’t include it, I wouldn’t be doing my job: Please, please, please keep the cardholder’s data confidential! This means that you need to suppress the account number printed out on the receipt (your system should already do this, but you’re going to want to double check just in case). The account numbers come out of the printer looking like this: XXXX-XXXX-XXXX-1234
And remember that the card’s expiration date shouldn’t appear anywhere on the receipt. Ever.
Let’s say that, as the aforementioned Brazilian tourist is returning his parka, he notices that you also custom make hand-carved mahogany headboards. He decides he absolutely must have one, but his plane back to Brazil leaves in an hour. Of course, this is no problem since you deliver. All he needs to do is put a deposit down and the balance can be paid when his new headboard is delivered. You’ll just need to make sure you run the deposit and the balance as two separate transactions. Since the two payments are received at different times (and probably different days) they will need to be authorized and processed separately. You’ll also want to make sure that “Delayed Delivery” and the authorization codes can be found somewhere on each transaction receipt.
I know everyone loves checking credentials (it is certainly one of my favorite past times), and Visa wants to remind you to make sure your merchant servicer is registered in accordance with their rules. Basically, any third party agent who handles the storing, processing, and transmitting of account numbers on your behalf needs to be registered with Visa as a merchant servicer. (And yes, all of the companies we’ve reviewed are certified.)
Validating Cards and Fallbacks
Just to make sure everything’s on the up-and-up at the register, go ahead and take a couple seconds to check the card for alterations of any kind and make sure it’s signed. You’ll have a moment or two while the transaction is authorizing anyway. You might as well look busy.
Match the signature on the receipt to the one on the back of the card. Or if they sign on the card reader, make sure they’re in full view when they do so. An unsigned card is considered invalid and should not be accepted. If it’s unsigned, you should check the customer’s ID against the name on the card, have them sign the card, then compare the signature on the card to the one on the ID (if possible).
After you swipe a card, you could get a number of responses:
- Approved – Yay, it went through!
- Declined/Card Not Accepted – Oops. Return the card to the customer and tell them to call their issuer for more information on the status of their account.
- Call/Call Center/Referral – The issuer needs more information before approving the sale. You’re probably going to need to call your authorization center and they’ll most likely ask you to check the customer’s ID.
- Pick Up – Uh oh. You’ve got a card that the issuer wants recovered, meaning that it’s probably lost of stolen. Tell the customer that you need to keep the card and ask for another form of payment. However, if they get hostile and demand the card back, just give it to them. You should never put yourself in danger.
Sometimes a transaction won’t go through because the magstripe has been demagnetized or damaged. In these cases, you might just be dealing with someone who unintentionally damaged their card, but you could be standing in front of someone trying to make a fraudulent charge. You’re going to want to be extra careful with these transactions and be sure to follow all of the fallback procedures:
- Compare the customer’s ID with the name on the card, if this checks out, go ahead and manually key-in the account number.
- Because you can’t capture a PIN in these cases, be sure that you get a signature on the receipt and compare it with the signature on the ID (if there is one).
- You’ll also need to get a manual imprint on the receipt or a separate manual receipt form signed by the customer. Note that you can only get an imprint from embossed cards. So if the card is not embossed, you’ll want to ask for another form of payment.
To prevent the frequent need for fallback procedures, especially since keyed-in transactions are more often disputed for chargebacks, be sure to clean the stripe-reader head a couple times a year to ensure it is running properly.
As of October 1st, the transition to chip cards in the U.S. is officially in full swing. The rules have more or less remained the same for safe processing, but just to be sure you’ve got what you need, we’ll go over the new liability rules and acceptance guidelines. For more general information, follow this link to a handy article.
The issuer (the bank that issued the card to the customer) is held liable for any fraud committed with non-chip cards at any type of terminal (whether EMV-enabled or not), as long as the merchant followed the proper authentication guidelines.
The acquirer (the merchant and your bank) is held liable if the customer uses a counterfeit chip card and the merchant doesn’t have a terminal that can read it, and thus has to fallback to the less secure magnetic stripe.
Basically, whoever fails to provide the most secure means of processing a card-present transaction will be held responsible for fraudulent charges. If the issuer provides secure chip cards, but you don’t provide a way to process them, then you are responsible. If you have a terminal that can read chips, but the issuer hasn’t sent out the chip cards, then they are responsible.
In the case of damaged or non-functioning chip cards where the merchant has to fallback to swiping the magstripe, liability still lies with the issuing bank. However, you still want to be careful with chip cards that cannot be read, because counterfeiters can make cards with non-functional chips, and if you use the fallback method of swiping the card or keying in the numbers without checking ID, you’ve just given counterfeiters a way around chip technology. Like I said, liability still lies with the issuer in this case, but this is probably going to change soon (as it already has in Europe). Also, you could be fined if you have to run too many fallback transactions, because this indicates a faulty terminal as opposed to a faulty card.
Chip Card Acceptance Guidelines
Follow the on-screen directions for reading chip cards carefully. If the chip cannot be read you may use fallback procedures, although the transaction will be less secure.
If the chip transaction fails, you can follow the rules for a normal magstripe card. Check to make sure the terminal is working properly. If everything is fine on your end, ask for some kind of ID verification and compare signatures if possible (you should technically be checking the customer’s ID with every purchase, but even Visa admits that this is impractical).
If you suspect that you might be running a card with skimmed information, you can always compare the last four digits of the account number on the receipt to the numbers printed on the card. If they don’t match up, that means that some has encoded a stolen or counterfeit card with someone else’s account information.
PCI DSS Compliance
You can’t go far in the credit card processing world without hearing about the Payment Card Industry Data Security Standard (PCI DSS) and the Security Standards Council (PCI SSC) that makes the rules. I assure you, the entire rulebook is incredibly long, and I’d certainly perish before recounting the whole thing. Fortunately, the PCI SSC was nice enough to pare down the most important rules into a twelve-step list (and they even made a cute music video to go along with it):
- Install and maintain a firewall configuration to protect cardholder data.
- Do not use vendor-supplied defaults for system passwords and other security parameters.
- Protect stored cardholder data.
- Encrypt transmission of cardholder data across open, public networks.
- Use and regularly update anti-virus software or programs.
- Develop and maintain secure systems and applications.
- Restrict access to cardholder data by business need to know.
- Assign a unique ID to each person with computer access.
- Restrict physical access to cardholder data.
- Track and monitor all access to network resources and cardholder data.
- Regularly test security systems and processes.
- Maintain a policy that addresses information security for all personnel.
This list was taken from another post specifically on PCI DSS compliance so I’d recommend checking that out for more detailed information.
There are more guidelines I could go into, of course, but these basics should help you avoid most card-present processing problems. Above all, remember to keep all cardholder information confidential and be sure to follow these processing rules carefully to protect yourself and your business.
As one final plug, be sure to check out our other articles on payment gateways, merchant accounts, processing rates and fees, and a myriad of other topics for a broader look into the exciting world of payment card processing.