Transcript Title

Using Credit Cards in B2B Transactions:
What Every Credit Manager Needs to Know
Presented by:
Robert L. Day
Assistant Vice President
Commercial Interchange
The information presented in this seminar is for information purposes only, and is not intended as legal or financial
advice. The information does not amend or alter your obligations under your agreement with Fifth Third Bank, or under
the Operating Regulations of any credit card or debit card association.
Confidential and Proprietary
Fifth Third Bank | All Rights Reserved
Robert Day 1-800-884-0353
Sept 2007
Can you relate?
Your Profit
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
2
Agenda
•
•
•
•
•
•
•
•
What is Interchange?
Why is everything downgrading?
What are you really paying ????
Statements: From Best to Worst
Convenience Fees
Risk & PCI
Fraud Protection
Choosing a business partner versus a processor
What is Interchange?

Interchange makes us the largest cost component for merchant
transactions.
— Does not include Dues & Assessments, Access Fees, etc.

Fee collected by Acquirer from the merchant for every Visa and
MasterCard transaction.

The Fee is then passed through Visa and MasterCard to the
issuing bank.

Depending on detail that is passed with the transaction (Level I, II
or III), the transaction may qualify for lower interchange rates.
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
4
Three key entities manage the payment system
Issuers




Issue cards
Assume buyer’s credit risk
Generate reports
Provide customer service
Networks





Provides systems/operations
Develops products
Provides risk management
Provides advertising
and promotions
Sets standards and rules
Acquirers





Sign up suppliers
Underwrite supplier risk
Provide processing
—Authorization
—Capture
—Settlement
Generate reports
Provider customer service
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
5
Breakdown of Cost
$50 Visa Credit Card Transaction
$0.001
$0.0463
$0.005
$0.0150
$0.87
Interchange (1.54% + $0.10)
Base II Fee
$0.0017
Tran Fee
Total Cost = $0.94
Access Fee
Assessment Fee
Risk Fee
Interchange represents 92% of the cost of this transaction.
*Based on Average Ticket currently qualifying for the Visa Credit Retail Rate, 1.54% + 0.10
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
6
Interchange Management
 Evaluate payment strategies within a framework
that closely considers your unique customer
demographics as well as your overall business
strategies
 Minimize the overall impact to your bottom line
by monitoring the interchange qualifications
affecting your transactions
 Understand how interchange downgrades and
surcharges increase your effective rates.
Electronic payments continue to grow rapidly and at
the same time the cost per transaction is increasing
due to payment industry evolution
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
7
Why is everything
downgrading?
Consumer Cards
Some interchange surcharges are unavoidable
•International, Rewards, World etc..
Most can be avoided.
This should be your focus!!!!
Visa Consumer Card Not Present
Consumer card
transaction where
card/ cardholder
are not present
Electronically
authorized?
Yes
No
Authorized
through Intl.
Automated
Referral
Service?
No
One
authorization Yes
per clearing
message?
Cleared
within two
days?
No
No
Yes
No
Yes
No
AVS
performed?*
Yes
Cleared
within three
days?
No
Shipped within 7 days
and transaction
includes order number
and MOTO/ECI
Indicator?
Yes
Yes
Standard
EIRF
CPS Card Not
Present
• Transactions originating from a Visa Corporate or Purchasing card do not require
AVS. Business Cards do require and AVS attempt for interchange qualification.
• Recurring payment transactions do not require AVS as long as the transaction is
not the first payment and the time between payments is less than a year.
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
9
MasterCard Consumer Card Not Present
Consumer
card
transaction
where card/
cardholder
are not
present
Authorize
d?
Cleared within
three days?
Yes
No
No
Yes
MCC in auth
and settle
match?
Yes
Merit I
No
Standard
• For MasterCard MO/TO transactions, the authorization and settlement
amounts MUST match unless the MCC is a Direct Marketing MCC.
• If the transaction is properly identified as E-Commerce, auth and
settlement do not have to match
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
10
Why is everything
downgrading?
Commercial Cards
Level II and Level III Processing
Commercial Card Trends
• Commercial payment solutions are emerging as the most efficient way to
manage corporate payments and receivables.
• With the recent increase for MasterCard Data Rate 2, merchants need to
re-evaluate the cost/benefit of transmitting Level III data!
U.S. Segment for Corporate and Purchasing Cards (billions)
$800
$700
$600
$500
Purchasing
$400
$300
$200
Corporate (T&E)
$100
$1999 2000 2001 2002 2003 2004 2005 2006 2007 2008 2009
Source: Packaged Facts – the US Market for Corporate an Purchasing Cards, January 2005
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
12
Authorization/Settlement Time Frames
Visa – CNP & E-Commerce Interchange



1
Transaction Date must be within 7 days of the
Authorization Date
Transaction Date should equal the Shipment Date
Transaction must be settled / cleared to your Processor
within 2 days of the Transaction Date
2
Auth on Day 1
3
4
5
6
7
Ship on Day 7
Tran Date = Day 7
9
8
Settle/Clear transaction
to Processor by Day 9
As Visa has the stricter requirements of the 2 networks, it is
best to follow the Visa requirements as Best Practices.
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
13
Authorization/Settlement Variance
 Depending on your Industry and MCC Code, the variance
varies from 0-25%
 MasterCard MOTO: Tran amount have a 0% Auth/Settlement
tolerance and all transactions not matching will go to
Standard if not set-up with the MCC codes below.
 Visa MOTO: Tran amount may be different than the original
auth amount. As long as the auth amount in settlement
matches the original auth amount (and all other requirements
are met), the transaction should qualify for the optimal rate.
MOTO (Mail Order Telephone Order) MMC Codes
4816,5960,5962,5964,5965,5966,5967,5968,5969,6531
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
14
MasterCard Commercial Card
Level I

Must include merchant zip code, location, description, Tax ID
Level II

Must include merchant zip code, location, description, Tax ID
AND
Level III

Must include Sales Tax and Customer Code

Sales tax must be between 0.1% and 22%

Customer Code must be sent if provided by customer

Effective April 2008: Tax Exempt transactions must be properly
identified as such or they cannot qualify for Data Rate 2 (Level II)

Must include Level I and Level II data
AND



Line Item Detail
Unlike Visa, MasterCard’s Business, Corporate and Purchasing
Cards are eligible for the Level III rate - Data Rate III
Large Ticket Requirements: Transactions > $7,272, Level II and
Level III, no registration required.
The greater the amount of data provided…
the better the interchange rate.
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
15
This is not a complete
description of all
required data elements,
but a high level
overview
NOTE:
Dial Terminal and
Host Capture
applications cannot
support Level III
data transmission.
MC Commercial Card Changes
U.S. COMMERCIAL CARDS
BUSINESS CARD
Commercial Standard
Commercial Data Rate 2
Commercial Face-To-Face
Current
2.70%
2.05%
+ $
+ $
0.10
-
2.95% + $
2.32% + $
2.05%
+ $
-
2.32% + $
CORPORATE CARD, CORPORATE WORLD, and CORPORATE WORLD ELITE
Commercial Standard
2.70% + $
0.10
Commercial Data Rate 2
2.05% + $
Commercial Face-To-Face
October 2007
2.05%
+ $
-
2.95% + $
2.05% + $
2.05% + $
0.10
0.10
0.10
0.10
0.10
0.10
-
-
2.20%+ $0.10
-
PURCHASING CARD
Commercial Standard
Commercial Data Rate 2
2.70%
2.05%
+ $
+ $
0.10
-
2.95% + $
2.33% + $
2.05%
+ $
-
2.33% + $
BUSINESS WORLD and BUSINESS WORLD ELITE
Commercial Standard
2.85%
Commercial Data Rate 1
2.80%
Commercial Data Rate 2
2.20%
+ $
+ $
+ $
0.10
0.10
-
+ $
+ $
-
Commercial Face-To-Face
Commercial Data Rate 3
Commercial Face-To-Face
1.90%
2.20%
2.95%
2.65%
2.32%
2.20%
1.75%
2.32%
+
+
+
+
+
+
$
$
$
$
$
$
0.10
0.10
0.10
0.10
0.10
0.10
0.10
-
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
16
2.70%+ $0.10
2.20%+ $0.10
2.20%+ $0.10
2.10%+ $0.10
2.00%+ $0.10
Visa Commercial Card
Level II
Level III
Additional
Info

Must include merchant zip code, location, description, Tax ID, and
Sales Tax.

Sales Tax amount must be between 0.1% and 22% of the amount of
the transaction.

Customer Code is no longer required for Level II on Purchasing
Cards at non-fuel locations. Customer Code is required for
Purchasing Cards at fuel locations

Available to Purchasing Cards ONLY

Must include merchant zip code, location, description, Tax ID, and
Message Identifier/Line Item Detail

NOTE: Level II Data (specifically Sales Tax and Customer Code) is no
longer required for Level III on Purchasing Cards at non-fuel
locations

Tax Exempt transactions can no longer qualify for Level II rates.
They may get Level III on P-Cards if Level III data is provided

GSA and Large Ticket requirements have NOT changed (Sales Tax,
Customer Code and Line Item Detail still required)

Large Ticket Requirements: Level II and Level III data required,
registration required, $1,000 set-up fee, transactions > $4,105
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
17
This is not a
complete
description of all
required data
elements, but a
high level
overview
NOTE:
Dial Terminal and
Host Capture
applications
cannot support
Level III data
transmission.
Visa Commercial Card Changes
April 2007 (Non-T&E Merchants)
• Visa Business, Corporate, and Purchasing transactions that are CPS
qualified, however do not meet Level 2 data requirements, will no longer
receive the Commercial Electronic rates.
• These transactions will be eligible for the new Commercial Card CNP,
Commercial Card Retail, or Commercial Card B2B rates.
• Fleet Purchasing card fuel transactions will now be eligible for the new
Purchasing Retail rate under certain conditions.
• These changes to the Commercial card interchange fee structure
should benefit a number of tax-exempt merchants currently receiving
the Commercial Electronic rates.
Fee
Program
Standard
Electronic
CNP
Retail
B2B
Level 2
Level 3
.25
Purchasing
Current
New
2.70% + $0.10 2.70%+ $0.10
2.20% + $0.10 2.45%+ $0.10
2.40%+ $0.10
N/A
2.20%+ $0.10
N/A
2.10%+ $0.10
N/A
2.00% + $0.10 2.00%+ $0.10
1.70% + $0.10 1.80% + $0.10
.10
.20
Business
Current
New
2.70%+ $0.10 2.70%+ $0.10
2.20%+ $0.10 2.40%+ $0.10
2.25%+ $0.10
N/A
2.20%+ $0.10
N/A
2.10%+ $0.10
N/A
2.00% + $0.10 2.00%+ $0.10
N/A
N/A
NOTE – Increases in Electronic, Level II and Level III
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
18
.10
Corporate
Current
New
2.70%+ $0.10 2.70%+ $0.10
2.20%+ $0.10 2.20%+ $0.10
2.20%+ $0.10
N/A
2.20%+ $0.10
N/A
2.10%+ $0.10
N/A
1.90% + $0.10 2.00%+ $0.10
N/A
N/A
Sample Transaction Costs:
Interchange Expense
Visa Purchasing Card: $500 transaction

Purchasing B2B Rate (Level I):
$10.60

Purchasing Level II Rate:
$10.10

Purchasing Level III Rate:
$ 9.10
14% reduction in cost by processing Level III versus Level I data
MasterCard Purchasing Card: $500 transaction

Purchasing Data Rate I (Level I):
$13.35

Purchasing Data Rate II (Level II):
$11.75

Purchasing Data Rate III (Level III):
$ 8.75
34% reduction in cost by processing Level III versus Level I data
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
19
Level III Incentive Interchange Rates
•
•
•
Case Study
Visa Commercial Card
• $10,000,000 sales
• 100,000 transactions
• $100 average ticket
MasterCard Commercial Card
• $7,500,000 sales
• 75,000 transactions
• $100 average ticket
Visa Commercial Cards
Corporate/Business Level II – 2.00% + $.10
Purchasing Level III – 1.80% + $.10
MasterCard Commercial Cards
Corporate/Business Data Rate III – 1.75%
Purchasing Data Rate III – 1.75%
Visa: 15% Purchasing, 16% Corporate, 69% Business
MasterCard: 11% Purchasing, 89% Corporate/Business
Merchant does Level I, but not Level II or III
Visa Fees
MC Purchasing
$22,688
(Data Rate I: 2.65% + $.10)
Visa Purchasing
$34,500
(Purchasing Retail: 2.20% + $.10)
Visa Corporate
$36,800
(Corporate Retail: 2.20% + $.10)
V/MC Business
$158,700
$183,563
TOTAL
$230,000
$206,250
Current Effective Interchange
2.30%
2.75%
*Optimal Effective Interchange
2.07%
1.75%
Interchange Improvement %
0.23%
1.00%
(Business Retail/Data Rate I)
(Visa: 2.20% + $.10, MC: 2.65% + $.10)
Interchange Savings = $98,000
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
20
MC Fees
Why Upgrade to Level III Support?
• Retain current customers requiring Level III detail
– Fortune 500 companies
– Government
– Universities
• Gain new customers with competitive edge
• Realize interchange savings opportunity
– For MasterCard, Data Rate III (Level III) interchange is 58 basis
points lower than Data Rate II (Level II) interchange and up to 90
basis points lower than Data Rate I (Level I) interchange!
• Significant interchange savings opportunity available on Large
Ticket commercial card transactions greater than $4,105 (Visa) &
$7,272 (MasterCard)
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
21
Purchasing Card Usage:
Buyer Benefits
Streamlines the Purchasing Power
Eliminates Paperwork
Increases Employee Productivity
Reduces Costs
Provides Automated Controls
Offers Customized Reporting
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
22
Card Acceptance:
Supplier Benefits
Increased Sales Volume
Increased Productivity
Improved Cash Flow
New Sales Channel
Less Paperwork to Process
Enhanced Competitive
Position
Fewer Credit Approvals
and Collection Activities
Customer Acquisition
and Retention
Reduced Costs
Improved Customer
Service
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
23
Common myths to dispel...
There are misperceptions and misunderstandings about Level III
enhanced line item detail information for Commercial Cards...


Level-3 is hard for a supplier to implement
It’s expensive - the supplier will have to pay more to the banks
and will just pass the cost along to buyer

Level-3 requires significant volumes to be worthwhile

The supplier has to write an interface directly to the processing
bank OR, the related...

The supplier has to purchase expensive software in order to
provide Level-3 data

The supplier only has limited need for this...
Historically, there was some truth to these generalizations.
For the last several years they have not been accurate and yet their
persistence holds back many organizations from participating with
enhanced data.
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
24
Credit Card Fees:
What are you really paying
????????????
Effective Rate Calculations
Per Item Effective Rate:
•
To convert a Per Item Fee into a %…
1) Take the total Per Item Fee and divide it by the Average Ticket
2) Multiply the result by 100
•
This will assist in determining the effective rate for a transaction or converting
from a “rate + transaction fee” model to a model “rate only”
Example 2:
Example 1:
Discount Rate:
1.95% + $0.25
Average Ticket:
$75
Effective Rate:
$0.25/$75 X 100 = .33%
1.95% + .33% = 2.28%
Effective Rate 2.28%
Discount Rate: 1.95% + $0.25
Auth Fee:
$0.20
Average Ticket: $75
Effective Rate:
$0.45/$75 X 100 = .60%
1.95% + .60% = 2.55%
Effective Rate 2.70%
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
26
What is Padding?
•
Some processors do not charge interchange fees as “pass through”, meaning
that in addition to paying the surcharge on a downgraded transaction, they
mark-up or “pad” the surcharge
•
Be on the look out for “hidden” or “padded” fees on your processing statement
Processor A
Swiped Transaction
EIRF Transaction
Total
Processor A
Swiped Transaction
Keyed Transaction
Total
1.75%
.76%
2.51%
1.75%
.31%
2.06%
Processor B (re-seller/ ISO)
Swiped Transaction
1.55%
EIRF Transaction
1.20%
Total
2.75%
.44% Pad
Processor B (re-seller/ ISO)
Swiped Transaction
1.55%
Keyed Transaction
.61%
Total
2.16%
.30% Pad
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
27
Statements
From Best to Worst
Sometimes things are not as they appear
Best
This one requires a little work. It does not show the downgrade rate, only the base rate; however, it
gives all the information needed to calculate your rate as well as manage your Interchange. While it is
not misleading, it could be improved by giving the downgrade rates as long as partial rates are not
located in several places. This one is an overall favorite for the novice (98% fall into the novice
category). We call this one a “Factual Statement” while it could give more facts, it does give all the
necessary information without becoming the dangerous “Lawyer’s Statement”.
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
29
Best
The transaction volume is $10.00 the adjustment amount .11 is the surcharge from MC and passed on
to the merchant. To calculate your percentage, divide the fee by the transaction volume 0.11 divided by
10.00 This shows the merchant the percentage they are paying for the Data Rate I downgrade .11%
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
30
Good
Like the best statement it shows the number and volume of transactions which is crucial in managing
your cost as well as your Interchange. What’s very dangerous is, at first glance, it looks like the merchant
is only paying 1.95% + a ten cent transaction fee. After further review; the merchant is also paying a
sales discount of .002200 as well as a Dues and Assessment fee of .000950 (on second page of
statement not shown). Not counting the transaction fee can be a crucial oversight. The effective rate of
2.27% versus 1.95% is very misleading. This one is nicknamed the “Lawyer’s Statement” because they
data dump to the point you can’t find the truth buried in the pile of evidence. This one is a favorite for
those highly skilled in Interchange
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
31
Bad
This one is nicknamed the “Political Statement”. It says a lot while saying nothing. It shows a ton of data
while leaving out one key element - the downgrade transaction volume. With this missing you have no
way to calculate your rate. Yes, it shows the base (contract) rate which is usually a lowball rate. Seeing
how it is the only rate disclosed they typically give you a very low rate while making up their losses (and
a whole lot more) in the non-disclosed rates on the downgrades (which usually make up the bulk of the
merchants transactions).
Transaction Volume
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
32
Worst
This statement shows your rate but does not show the Interchange category (QUAL, MID-QUAL and
NON-QUAL are not Interchange categories). In other words, you know how much you’re paying; you just
don’t know for what.This is especially dangerous because you have no knowledge of how your
transactions are qualifying (keeping in mind that Interchange makes up 92% of your cost). You can not
improve when you don’t know what’s wrong. We call this the “No Comment Statement” because it tells
you nothing.
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
33
Commercial Card Compliance



Merchants and processors have historically “enhanced”
some of the commercial card data obtain better rates
The networks have the ability to edit on certain fields
such as Customer Code, Sales Tax Indicator, Sales Tax
Amount and Line Item Data
The Networks have begun active compliance efforts to
ensure the integrity and validity of the data
Merchants must insure that data submitted is
valid and accurate.
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
34
Manage You Cost of Acceptance!
Watch for hidden or padded fees in your
processing proposals.
 Many processors will surcharge or “pad” downgraded
transactions and charge you higher fees!
Ensure you take advantage of the best
interchange
rates
by processing Level III data.
 Many processors
do not have Level III solutions!
 Keep
an eye onyour
your rates
and fees and
ensure your locations
Review
merchant
statements!
are properly configured on your processor’s system!
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
35
Convenience Fees
Rules of Engagement
Convenience Fee Definition

Charged for a bona fide convenience in the form of an alternative
payment channel outside the merchant’s customary payment
channels.
—

Disclosed to the cardholder as a charge for the alternative payment
channel convenience.
—

Example: A face-to-face merchant allows customers the convenience of
paying by phone or Internet.
The fee must not be disclosed as a processing fee or fee to cover
merchant costs associated with card acceptance.
Added only to a non face-to-face transaction.
—
Merchants who only operate exclusively in a MO/TO or Internet
environment may not assess a convenience fee, as there is not an
added convenience to pay through the current payment channel.
General Visa rules as they
tend to be the strictest
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
37
Convenience Fee Definition (cont.)

Added as a flat or fixed amount, regardless of the value of the
payment due.
—
—


There are certain exceptions to this rule for specific pilots in specific
industries (e.g. tax, government, schools)
Applicable to all forms of payment accepted in the alternative payment
channel.
—

The fee may not be assessed as a percentage of the transaction amount.
The fee may not be assessed only to customers paying by debit or credit
card through the alternative payment channel, but rather to any kind of
payment accepted through that channel.
Disclosed prior to the completion of the transaction and the cardholder
is given the opportunity to cancel.
Included as part of the total transaction amount, with the exception of
certain industries like utilities and tax pilot
General Visa rules as they
tend to be the strictest
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
38
Convenience Fee Usage

Regulated Industries
—
—

Convenience Fee often broken out separately
Un-Regulated Industries
—
—

Typically Utilities, not allowed to pass the cost of Interchange
through normal costing methodologies
Typically government, education, or other businesses who
offer a non-traditional payment channel
Typical alternative channels include IVR, Website, etc.
Taxing Authorities
—
The networks have created special “pilot” programs for tax
payments that allow percentage based convenience fees
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
39
Risk and PCI
Payment Card Industry Standards…
What Is It?
Types of Risk

Systemic Risk
— Primarily Risk associated with large scale data breaches
— Increasingly sensitive due to PR impact and potential for civil litigation
— Often associated with organized crime and sophisticated IT “break ins”
— PCI ( Payment Card Industry Data Security Standards) meant to address
major challenges

Operational Risk
—
Normal fraud risk associated with individual transactions
—
Can often be prevented by operational best practices
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
41
PCI – Merchant Levels

Merchant Level 1
— Any merchant processing 6,000,000 Visa or MasterCard transactions
per year, or identified by another card brand as Level 1, or
compromised in the last year

Merchant Level 2
—

Merchant Level 3
—

Any merchant processing 1 million to 6 million Visa or MC transactions
per year
Any merchant processing 20,000 to 1 million Visa or MC E-Commerce
transactions per year
Merchant Level 4
—
Any merchant processing less than 20,000 Visa or MC E-Commerce
transactions per year, and all other merchants processing up to 1
million Visa transactions per year.
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
42
PCI Compliance
Merchant Compliance Validation
Level
1
Validation Actions

Annual On-Site
Security Audit
Scope

Authorization
and Settlement
Systems

Internet facing
perimeter
systems
And

2 and 3

Quarterly Network
Scans
Annual SelfAssessment
Questionnaire

And

4


Quarterly Network
Scan
Annual Self –
Assessment
Questionnaire
Recommended
Network Scan
Recommended
Any systems
storing,
processing, or
transmitting
cardholder data

Internet-facing
perimeter
systems

Any systems
storing,
processing, or
transmitting
cardholder data

Validated By

Independent
Assessor or
internal auditor if
signed by officer of
company

Qualified
Independent Scan
Vendor

Merchant

Qualified
Independent Scan
Vendor

Merchant

Qualified
Independent Scan
Vendor
Internet facing
perimeter
systems
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
43
Key PCI Considerations

Do not store magnetic-stripe data after transaction authorization
— Merchants must not retain full-track magnetic-stripe data on any of their
systems once a transaction has been authorized.
— Per PCI DSS requirements, merchants can retain only cardholder names,
account numbers, and expiration dates.

Do not store PIN blocks after transaction authorization
— Merchants should examine all transaction journals and logs to verify that
their payment systems do not retain PIN block data – even if it is encrypted –
after transaction authorization.

Avoid CVV2 Storage
— When requesting cardholder CVV2 online or in mail order/telephone orders,
merchants should not document this information on paper or store it in their
databases after transaction authorization.
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
44
Key PCI Considerations

(cont.)
Guard against SQL injection attacks caused by insecure shopping carts
(primarily an E-Commerce phenomenon)
— Test SQL vulnerability using automated tools or manual techniques
— Ensure that all payment applications were developed using secure coding
practices that included independent code reviews
— Validate that all merchant payment software includes all applicable up-todate security patches

Protect against remote access vulnerabilities
— Implement a policy prohibiting group-shared passwords
— Determine from your software vendor how to securely configure your
payment application.

Never use vendor-supplied defaults
— Visa encourages merchants to change vendor-supplied defaults – remove or
disable features, set specific parameters, etc. – before installing payment
application systems in your networks.
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
45
Fraud
Best Practices for Merchant
Protection
(Card Present)
Quick Steps to Card Acceptance
1. Check the card security features.
•
•
Hologram, matching 4 digits under embossed 4 digits, CVV2 value, etc.
Make sure that the card has not been altered.
2. Swipe the stripe.
•
Swipe the card through the terminal in one direction only to obtain authorization.
3. Check the authorization response.
•
Take appropriate action for the specific response:
Approved
Ask the customer to sign the sales receipt
Declined
Return the card to customer and ask for another Visa card
Call or Call
Center
Call your voice authorization center and tell the operator that you have a “Call”
or “Call Center” response. Follow the operator instructions.
Note: In most cases, a “Call” or “Call Center” message just means the card
Issuer needs some additional information before the transaction can be
approved.
Pick Up
Keep the card if you can do so peacefully
No Match
Swipe the card and re-key the last four digits. If “no match” response appears again,
keep the card if you can do so peacefully. Request a Code 10 authorization.
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
47
Quick Steps to Card Acceptance
(cont.)
4. Match the numbers.
–
Check the embossed number on the card against the four digits of the
account number displayed on the terminal.
5. Request a signature.
–
Have the cardholder sign the transaction receipt.
6. Check the signature.
–
Be sure that the signature on the card matches the one on the
transaction receipt.
If you suspect fraud, immediately make a Code 10
call to your voice authorization center.
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
48
Fraud
Best Practices for Merchant
Protection
(Card Not-Present)
CNP Payment Acceptance
Take these steps to accept Card Not Present payments:
— Obtain an authorization
— Verify the card’s legitimacy:
– Ask the customer for the card expiration date, and include it in you
authorization request. An invalid or missing expiration date might indicate
that the customer does not have the actual card in hand.
– Use fraud prevention tools such as Address Verification Services (AVS),
Card Verification Value 2 (CW2)
— Look for general warning signs of fraud
— If you receive an authorization, but still suspect fraud:
– Ask for additional information during the transaction (e.g., request the
financial institution name on the front of the card)
– Contact the cardholder with any questions
– Confirm the order separately by sending a note via the customer’s billing
address rather than the “ship to” address.
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
50
12 Potential Signs of CNP Fraud
Keep your eyes open for the following indicators!
When more than one is true during a card-not-present transaction,
fraud might be involved.
1. First-time shopper: Criminals are always looking for new victims.
2. Larger-than-normal orders: Because stolen cards or account numbers
have a limited life span, crooks need to maximize the size of their purchase.
3. Orders that include several of the same item: Having multiples of the
same item increases a criminal’s profit
4. Orders made up a “big-ticket” items: These items have maximum resale
value and therefore maximum profit potential.
5. “Rush” or “overnight” shipping: Crooks want these fraudulently obtained
items as soon as possible for the quickest possible resale, and aren’t concerned
about extra delivery charges.
6. Shipping to an international address: A significant number of fraudulent
transactions are shipped to fraudulent cardholders outside of the U.S. Visa AVS
can’t validate non-U.S., except in Canada and the United Kingdom.
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
51
12 Potential Signs of CNP Fraud (cont.)
7. Transactions with similar account numbers: Particularly useful in the
account numbers used have been generated using software available on the
internet (e.g., CreditMaster)
8. Shipping to a single address, but transactions placed on multiple
cards: Could involve an account number generated using special software, or
even a batch of stolen cards.
9. Multiple transactions on one card over a very short period of time:
Could be an attempt to “run a card” until the account is closed.
10. Multiple transactions on one card or a similar card with a single
billing address, but multiple shipping addresses: Could represent
organized activity, rather than one individual at work.
11. In online transactions, multiple cards used from a single IP (Internet
Protocol) address: More than one or two cards could definitely indicate a fraud
scheme.
12. Orders from Internet addresses that make use of free e-mail
services: These e-mail services involve no billing relationships, and often neither
an audit trail nor verification that a legitimate cardholder has opened the account.
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
52
Handling Key-Entered Transactions
If a card cannot be swiped, you must key-enter the card account data into
your POS terminal…
When you key-enter a transaction, you run the risk of accepting a
counterfeit card because the magnetic stripe information is unavailable.
1. Check the terminal. Be sure your terminal is working properly. If the terminal is
okay and the problem appears to be with the magnetic stripe, continue to step 2.
2. Match the account number. Check to see that the embossed account number
on the front of the card matches the number indent-printed on the back.
3. Check the expiration date. Look at the “good thru” or “valid thru” date to be
sure the card hasn’t expired. If the card has a “valid from” date, be sure the card
isn’t being used before it is valid.
4. Make an imprint. Get a manual imprint of the card.
5. Get a signature. Ask the customer to sign the imprinted sales draft.
6. Check the signature. Be sure that the signature on the card matches the one on
the sales draft. Do not accept an unsigned card.
You can also do a Zip Code check
for additional protection.
For Visa, if the Zip Code matches,
it will also allow you to qualify for a
Confidential and Proprietary © Fifth Third Bank All Rights Reserved Robert Day 1-800-884--0353
lower interchange rate.
53
Choosing a Business Partner
Versus a Processor
Find a partner that will help you manage the evolving payment
landscape and “navigate the networks” for you!
 Has expertise in the Business to Business market segment
 Promotes Proactive Interchange Program
 Shares Industry Best Practices
 Supports Level II and Level III Data Transmission
?
The Evolution of Credit Cards in B2B Transactions Presented by:
Robert L. Day, AVP Commercial Interchange
1-800-884-0353