For those who have their own merchant accounts

Talk to http://netbilling.com

ASAP sounds like your Gateway is doing something very wrong

How can you do your own rebills without saving the CVV code?!

Netbilling is a great solution/company. They have been around for ages and are always around when you need them.

If you have a higher volume, lets say 40K+ per month, I'd be able to hook you up as well. [email protected].

You can hook people up with merchant accounts and talk about saving CVV codes?! That's concerning.

Sorry, I did not understand your reply.

CVV codes should not be saved. For this reason most acquirers offer a ?rebill? option. With this option, the acquirer takes care of the rebills.

Yes. I can get all that info from my gateway provider and start billing customers on my own. You know?

Why not?

MasterCard / Visa regulations.

Storage of Account, Cardholder, and Transaction Data

A merchant and any DSE must not store in any system or in any manner,
discretionary card-read data, CVC 2 data, PIN data, Address Verification Service (AVS) data, or any other prohibited information as set forth in the MasterCard Standards including, but not limited to, sections 2.5.5.1.1 and 2.8.2.1 of the Security Rules and Procedures manual, except during the authorization process for a transaction, that is, from the time an Authorization Request message is transmitted and up to the time the Authorization Request Response message is received. MasterCard permits storage of only the card account number, expiration date, cardholder name, and service code, in a secure environment to which access is limited, and then only to the extent that this data is required for bona fide purposes and only for the length of time that the data is required for such purposes.

Be careful about jumping into something... All these regulations, are just one reason why payment processing is such a tough business.

I have merchant account only for tangible products.

In any case. Mitch from Netbilling would be my suggestion. He is a pro.

Also, check out Paycom. Rand is a great guy always looking to help people; also a pro.


Just be sure to inform yourself about those regulations. It doesn?t matter what type of products you are processing. As far as I am aware, you are not allowed to store the CVC code yourself. Then again, I am no expert. It is just that I heave read or heard.

50% failure with rebills? That is insane! Around 9-11% here

If the bank says no there is nothing you can do.... gateway or manual. Doesn't matter.

CVC must not be stored in any case. CVC is not required to charge a card but a damn good thing to check for the initial charge as part of the fraud screening.

CVC is not required anymore to charge a card? That is something new to me. Where did you get that information from?

That is correct. CVV is quite often used for initial authorization in order to pass a gateways fraud screening, but is not mandated for all transactions, and is not used for rebills. The processing gateway is not allowed to store the CVV any more than the merchant is. It is actually up to the acquring bank as to whether or not the CVV is required for all transactions or not.

For example, when you use your card at a gas pump, or ATM, the CVV is not required. It varies from bank to bank, MCC to MCC, and transaction type to transaction type.

Oh, interesting. Ah well, I must have read the regulations wrong then. This is what it says:

An acquirer?s fraud loss control program must meet the following minimum
requirements, and preferably will include the recommended additional
parameters. The program must automatically generate daily fraud monitoring
reports or real-time alerts. Acquirer staff trained to identify potential fraud
must analyze the data in these reports within 24 hours.

To comply with the fraud loss control Standards, acquirers also must transmit
complete and unaltered data in all card-read authorization request messages,
and also CVC 2 for all Card Not Present (formerly MO/TO), voice, and
e-commerce transactions.

Additionally, acquirers with high fraud levels must:

? Install ?read and display? terminals in areas determined to be at high risk
for fraud or counterfeit activity, or
? Install EMV chip terminals

No, you aren't reading it wrongly, (and notice that it applies specifically to card-not-present/MOTO transactions), however, in different areas of the VISA regulations (which are the size of a full set uf encyclopedia) there are detailed exceptions and conditions. Also associated member banks (banks, not processors) can negotiate certain conditions with VISA to allow for exceptions. Also protocols and procedures vary in each of the six VISA regions.

Surprised

I am surprised that Versign is doing adult, as many of the big companies pulled out around when Card Services dropped all of us. We have two tangible account through Net Billing and love the service. Their fees may be even cheaper as we had a friend that used Verisign, and if I recall correctly, his setup fees were outrageous...
Jeff

Hi,

Storing CVV2 #s is strictly against card association rules and could result in huge fines leading to hundreds of thousands of dollars. If you are seeing a 50% decline rate in rebills there is certainly a problem with eith initial trasnactions or the scrubbing itself. What is the highest reason for the declines that you are seeing?

Mitch

p.s. Thank you for the kind words everyone.

mvc sounds like a good option

OK! OK! I got it! Can't store the CVV/CVC code. But here's how I'll do it:

Check for CVV/CVC code at the first upgrade and only allow the upgrade if that's correct. Then I'll store all of the information EXCEPT for the CVV/CVC code and rebill customers without using it in the future.

Is that a good plan?

You are not storing credit card #s are you?

Mitch

Not right now, but I will start to. Why?

We have used Netbilling for years. Nobody else comes close to them as far as service and support. Verisign sucks (we used them previously).

What are the good points about the Netbilling and what are the negative points about VeriSign?

I have a merchant account with humboldt bank and use netbillings secure gateway and call center, they are awsome.

50% sounds way high...talk to mitch at netbilling.com

Don't do that, your gonna get squigged by visa/MC ... you will also need to get your computer audited by security metrics ( http://www.securitymetrics.com/ ) or similar company before you do something like that.

first all, dont do anything stupid... stop what your doing, your about to get yourself seriously screwed!
get with netbilling and you will not have any problems, you wont go to jail or get any multi million dollar fines.
I read what you are thinking of doing.. dont do it..your gonna get fucked by bubba

Talk with Mitch... LOL

I do Securty Metrics scan every quater. So, I'm fine. But why would I get hassled by Visa/MC for doing my own rebills?

OK! OK! But none of you told me what's so good ( in particular ) about the NetBilling and what is so bad about VeriSign. I'm ready to be sold, but someone has to say something reasonable.

I am not sure a bout VeriSign, what I do know is that Mitch (Netbilling) has been in business for a long time. In my opinion they are specialists when it comes to high-risk payment processing and professional in how they handle business. If you ever have a question, Mitch is there to help; ask anybody here.

Payment processing is very complex with many rules and regulations. Mitch will make sure you don?t get yourself into trouble by accidentally doing something wrong (e.g.: CVC, Security?)

I am also pretty sure (97%) that VeriSign does not process high-risk merchants.

Just send Mitch an e-mail! Discussing your payment processing habits/needs on a public board isn?t really ideal.

Venus - thanks for the very kind words. We really do apprecite it and it is a pleasure serving you.


Alex - Nice conversation we had on ICQ. I look forward to having you as a merchant. Let me know if you need anything.

Mitch

Hey Venus hit me up i want to talk to you about some shit

sounds like you got with netbilling already, but doing your own rebills is not a problem, storing credit card info on your computer is.
the quarterly thing does not apply when you start storing numbers, you have to have the onsite audit, your also asking for allot of possible trouble.
the best method, and safest, is to use a good company so your rebills work correctly and your not resorting to off the wall stuff like storing cc numbers on a personal computer. If I found out someone was storing my credit card number on their personal computer I would do what ever it took to put a stop to it as I am sure most people would.

I did chat with Netbilling and my programmer is evaluating what would be better: (1) to do my own rebills with VeriSign, (2) Signup with Netbilling and have them handle it all.

Though I'm still waiting for someone to tell me what are the great or bad things about what over the other?

Did you read what I wrote? Your re-bills don?t really matter in your decision making. In any case, Netbilling is a professional company that has been around for a very long time and has always delivered the promised.

If you run high-risk transactions through VeriSign? I?d be surprised if they are happy about it.

okay that was bad english, but... I hope I made sense.

Use Netbilling whetheryou run your own rebills or not. You will make more money with them, plain and simple. Have you seen their system?

Ever bought something where your cc wasn't process in real-time? Chances are your information was stored to be process through their daily batch processing. Also a lot of third party shopping carts, well store your information too. People might argue about encryption but if AOLs database can be decrypted which has happen in the past I am sure a mere third party shopping cart could be decrypted with ease. Also if information is stored on your webserver it might as well be stored on your personal computer. Stuff gets infected, sniffed and BAM their goes the data. Kind of scary of the information I seen being passed by a lot of companies you thought were reputable.

Who does not process in real time anymore?

Z

Actually, most do a pre-authorization on a transaction/credit card and then to a capture later on. Kind of like a hotel. With the pre-authorize they check if the card is present and if the funds are available, if they are, a hold is put on those funds. After X hours they capture the pre-authorization... finalize the transaction.

Since most Banks do require the CVC code (I did learn that some don't require you to send it as well) actually doing a "batch list" could cause some problems with regs.

The gateway I use do a realtime authorization but do the captures once a day.

Visa and MC have very clear guidelines on what is allowed and what is not, and your gateway, acquiring bank or ISO should inform you as to what your responsibilities and liabilities are to be compliant within these guidelines. There is no rule that says that you cannot store your own credit card numbers as a merchant, HOWEVER, there are plenty of rules pertaining to exactly how you must store, maintain and protect this data if you choose to do it yourself.

In many cases, probably close to all of them, it's much wiser to have your gateway store the data for you, since they are (I am assuming) compliant with the regulations and with the PCI security standards required.

Whether someone settles in real time, batch settles periodically throughout the day or settles once daily (just like a POS terminal does), is of little consequence to the transfer of funds from one bank to another.

What is important is how the data is secured, what data is stored, and the circumstances around which both happen.

An IPSP, even one that doesn't do gateway processing for outside clients, will store their own data normally, since they've passed all the security and compliance requirements, while a merchant account holder may choose between the options offered by their gateway provider.

I have no idea how Verisign is set up, but it does seem odd to me that if they are doing the gateway in this instance, that they have not informed a client as to how their process works, and what options are available to the client. If Verisign is not aware that they are processing 5967 transactions for you, then it is because of either very poor due diligence on their part, or perhaps a failure to inform them of your true business model on your part. Once again, I don't have any idea which could be the case, and I'm not going to speculate. You should be aware that if you've misrepresented your business to Verisign, it's possible that you could lose the ability to process transactions entirely and you would lose your rebill database in that instance as well.

I also agree with Mitch (who runs a very nice business) that a 50% decline in rebills is a problem. I can't think of any reason why that should happen, but if you are seeing it, before you decide to run your own rebills, you should investigate the cause of the problem and correct it. Bad scrubbing on the initial transaction could be a factor, your consumer base could be another factor. Without any idea of your conversion ratio, your credits or chargebacks, it's hard to say for sure what is causing the problem.

You're not going to go to jail or pay multi-million dollar fines with a merchant account unless you are doing something illegal or you deliberately abuse the card association regulations with some very high volume. That kind of scare talk is nothing more than scare talk.

Depending on your account volume, you should have options. Talk to Mitch or shoot me an icq if you want to discuss specific things that may be occurring. I'd be happy to talk to you about it if you like.

I'd suggest getting sorted out and into compliance as quickly as you can.

Excellent posting and completely factual as always Kimmy. Looking forward to seeing you in Phoenix.

Mitch