January | 2008 | Payment Consulting Inc

Hi,

This is the best single thing I’ve ever seen that shows what happens when a cardholder (justifiably or not) calls their bank to do a chargeback. Contrary to popular opinion your processor doesn’t give up without a fight and does (or should) check for validity and to see if you’ve already issued a credit.

However if they can’t automatically reject it the ball’s in your court and you must fill out an answer and include all possible documentation. It’s just a sad fact of life that a cardholder can often get their bank to roll over and issue an unfair chargeback.

If your response does not succeed and the sum is large enough I do work with a consulting firm that specializes in chargebacks and can also recommend attorneys that specialize in cc law. As you can see the card holder and card issuing bank can be pushed to arbitration and whoever loses can be liable for all arbitration fees.

—
Bill Hoidas
District Sales Manager
Larger B2B/MOTO/Internet Accounts
Product Development Manager
Matrix Payment Systems
(847) 381-3482 office
(847) 381-4289 fax
http://paymentconsulting.net
John 3:16 For God so loved the world, that he gave his only begotten
Son, that whosoever believeth in him should not perish, but have
everlasting life.

CB_RetrvlProcessFlowChart.pdf
38K View as HTML Download

Hi,

Below please find a PCI security theft update. Please note PABP for programmers & mandates for January (that would be now!), July and October.

Visa, PCI council make security move

By Michael Petitti
TrustWave

Editor’s Note: A version of this article originally appeared in the December 2007 issue of Trusted News, a TrustWave publication.

B e prepared. Two major announcements made in recent months will send merchants scrambling to their payment application vendors and merchant level salesperson (MLS) for guidance and clarity.

Visa Inc. and the Visa’s Payment Application Best Practices (PABP), it’s likely that a great number of these compromises would not have occurred.

Visa created PABP to prevent payment card compromises by guiding software vendors in developing payment applications that support a merchant’s compliance with the PCI Data Security Standard (DSS). The PCI SSC and Visa detail plans to unify a payment application security standard and begin enforcing the use of adherent applications.

Total takeover

The PCI SSC took over management of PABP in November, and renamed it the Payment Application Data Security Standard (PA DSS). New standards are expected to be released by the first quarter 2008. (For more information, see “Farewell PABP, hello PA DSS,” The Green Sheet, Nov. 26, 2007, issue 07:11:02 )

While the PA DSS is based on the PABP and remain similar, feedback received from various stakeholders may alter the PA DSS slightly. While these differences will impact software developers, merchants will not likely be affected.

Merchants will not need to look into the detailed requirements of the PA DSS or comply with it per se – applications developed for internal use only must still comply with the PCI DSS. Merchants only need to ensure that the payment applications they use are certified as PA DSS compliant. (For a list of validated, PABP-adherent payment applications, visit http://usa.visa.com/download/merchants/validated_payment_applications.pdf )

Once the transition is complete, the PCI SSC will maintain the list of validated applications. MLSs should ensure that the payment applications they offer are on this list. If not, MLSs should consider removing the offering from their portfolio of products.

As with the PCI DSS, the council will maintain its position as governing body of the PA DSS. Enforcement will continue to fall under the authority of the individual card brands.

While the transfer of the PABP standard to the PCI council will increase awareness of payment card security and increase adoption of secure payment applications, Visa’s recent announcement will probably have a more immediate effect on your merchant customers.

Calendar of events

In October, Visa set forth a plan to mandate merchants’ use of PABP-adherent (now PA DSS-adherent) applications. The plan entails a number of deadlines set by Visa to eradicate the use of vulnerable payment applications and payment applications that do not adhere to the PA DSS.

While the deadlines for the program are set for acquirers, VisaNet processors and agents because these organizations stand above merchants in the payment card acceptance process, the deadlines also apply to merchants.

Following are the specific mandates and deadlines Visa established:

* Jan. 1, 2008 – Merchants cannot use payment applications identified by Visa as vulnerable. For a list of these vulnerable payment applications, contact your acquirer.
* July 1, 2008 – VisaNet processors and agents cannot grant access to their network to new payment applications that are not PA DSS certified.
* Oct. 1, 2008 – Newly boarded level 3 or 4 merchants must prove their PCI compliance or use PA DSS-adherent payment applications.
* Oct. 1, 2009 – Payment applications identified by Visa as vulnerable will be decommissioned from the Visa network.
* July 1, 2010 – Merchants must use PA DSS-adherent applications to accept Visa transactions.

Field of queries

It’s likely that a number of current customers or potential customers will have questions about the new requirements.

Here are talking points to remember during these discussions:

* The PA DSS does not supplant the PCI DSS.
* The PA DSS supplements the PCI DSS.
* The card brands will continue to require that merchants continue to comply with the PCI DSS.
* Visa is the only card brand thus far that will require the use of PA DSS-compliant payment applications, but other card brands are likely to follow.

Payment Consulting Inc

Monthly Archives: January 2008

great flow chart showing what really happens with a chargeback

foreign payment processing including credit cards, eChecks, ACH, etc. now possible

keeping up with PCI dealines for 2008-January, July & October including PABP for programmers/software vendors