This message contains very important information. It’s important that both management and office staff read and understand the details within.
PCI Compliance & Payment Processing
As many of you know, the US has been implementing credit card standards, typically referred to as PCI Compliance. There are many factors related to being PCI compliant and different strategies for getting there.
PCI Compliant Card Storage – For most small- to medium-size software vendors, the requirements of making software PCI compliant to STORE credit cards is prohibitively expensive and complex. Vendors such as ourselves have two basic strategies that we can undertake.
- NEVER Store Credit Cards – By never storing a card or any confidential data about the card, vendors can avoid a lot of compliance issues. However, there is an obvious drawback for our customers — especially in the Equestrian business where you need to return to payment methods frequently.
- Find a 3rd party solution for storing card information securely (often referred to as a PCI Compliant Vault) – With this option we essentially transfer the complexity and cost of storing card information to a 3rd party. With this solution the confidential information is put into a secure “Vault” (this is an electronic vault…not a real one). The provider passes back a “token,” which represents the specific card. We then can use that token to process transactions.
Both solutions have their merits. To get to the point, we chose option #2, in order to maintain the greatest flexibility for our customers.
Vaults (skip this section if you are feeling sleepy)
Almost all credit card vaults have one major flaw, especially for a software vendor like ourselves. Most vaults are associated with a single payment gateway (i.e. Securenet.com, Authorize.net, Beanstream.com, etc). With a gateway-specific vault there are a number of drawbacks.
- Customer Specific – Card storage is only available for customers with gateways that have a vault.
- Development Costs – We then have to implement different logic to support each vault for each gateway we support. This becomes very costly and time consuming, and potentially fraught with ongoing support issues.
- Lack of Portability – Our (mutual) customers on ShowGroundsLive.com want card portability. They want to be able to store a card with their profile and use it to pay at different events. If each of our show company customers uses a different gateway and therefore a different vault, then we cannot provide that functionality.
Our Solution (Read this, if you’re awake again)
We are very, very excited about our solution and the many exciting options it will open up for YOU, our SGL customers, and ourselves. We have been developing our card storage solution and revamped payment system using a gateway agnostic payment processor and vault. Hmmm, what the heck does that mean? Here goes:
- We can have one vault to store cards regardless of the payment gateway.
- We can allow our ShowGroundsLive.com customers to now store credit cards securely in their account and use those cards to pay for entries at any facility. (This is the portability piece.)
- We can code once to one system and deliver for many (lower development costs).
- We can eliminate card data in our system entirely and reach our PCI compliance requirements.
The 3rd party we’re using for this is Spreedly.com.
Details (these are good so you should keep reading)
The power of our new solutions has prompted us to significantly enhance our payment tools in ShowGrounds and on ShowGroundsLive.com.
Here’s a rundown of *some* of our new features.
- Unlimited credit cards per person.
- Billing Address and other information now stored with cards.
- New cards automatically stored with RTO.
- Card storage and access for ShowGroundsLive.com users.
- Unlimited Cards per RTO – You can now store unlimited cards with an RTO. Cards can be updated, added or deleted as needed.
- Better Integration of Stored cards for Payments – We’ve completed the work to allow any number of cards to be accessed when paying for ONE or MANY entries. When making a single entry, we provide a list of cards on file in the order of Responsible Party, Owner, Rider. When making a payment on several entries at once, we present cards in the order of frequency of the person on those entries (cool, eh?).
- Ability to add a new card AND STORE IT while making a payment.
- Ability to link a new card during a payment to a specific person.
- Obtain payment method during entry process even when you don’t require a deposit – This is going to be an awesome feature. We will now be requiring that a payment method be provided to “secure” the entry even if you don’t need a deposit. This way every entry has a payment method attached. During checkout, the supplied payment method will be “highlighted.” If the entry isn’t paid on checkout day you will have a payment method in hand.
- ShowGroundsLive.com users can create unlimited payment methods – We think this will help during the entry process AND make it much easier for users to checkout online, where they can simply select an already stored credit card.
The programming work is done and we will be testing the rest of this week. We plan to install the new version on Monday August 5, 2013. During the conversion process the following steps will be taken.
- Your Gateway Created Through Spreedly – As all transactions will now move through our “meta” gateway we will be creating a gateway for your particular processor. This will be done manually and set in your database manually.
- Cards Moved to Vault – All cards currently stored in RTO records will be moved to the vault so long as they meet the following criteria.
1. Card Number is valid.
2. Expiration date is CURRENT.
3. Other data needed is stored with the card (Name on Card for instance).
This means we WILL NOT BE TRANSFERRING ANY CARDS that:
1. Have an expired expiration date, even if that date was 07/2013 – This is simply a restriction in the vault.
2. Have any missing or invalid information stored with the card.
- Once the transfer is complete ALL CREDIT CARD DATA STORED IN 4D WILL BE DELETED – This does not mean you won’t have any credit cards on file. It simply means the old storage mechanism will be gone, and card data permanently expunged from 4D. In its place will be a list of payment methods. Any valid card will be visible in that list under each RTO. There will be some data to help you identify the card, for instance the last 4 digits and name on card. Valid cards should continue to work as they have. Invalid cards will be gone.
- Security Codes Can’t Be Stored – We will be eliminating security codes completely. The reason for this is that it is strictly not PCI compliant to ever store these values. We can’t do it and no secure vaults can do it either. NOTE: If your gateway requires the CVD to be entered OR you have the gateway set to require the CVD, then you will be able to enter it during a transaction. Since it is illegal to store this in any way, shape or form, whether digitally or on paper, it implies that you must have the customer in front of you to obtain that code. To avoid this, use a gateway that does not require CVD be sent OR set your gateway to not require it.
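To make the conversion rules above concrete, here is an added example of the same migration logic in Python. It is not ShowGrounds, 4D or Spreedly code: the vault is a stand-in object that just hands back opaque tokens (the real vault API is assumed to differ), the record field names (`rto_id`, `pan`, `name_on_card`, and so on) are invented, and the card numbers are standard test patterns, not real accounts. It applies the three transfer criteria (Luhn-valid number, expiration current as of the August 5, 2013 install date so that 07/2013 is rejected, required fields present), tokenizes the survivors, and keeps only the token, last 4 digits, name on card and expiry in the merchant's own payment-method list; the security code field on a legacy record is never read.

```python
"""Constructed example: filter legacy card records against the migration
criteria, tokenize the survivors with a stand-in vault, and keep only
non-sensitive fields in the merchant's own records."""
from datetime import date
import secrets

MIGRATION_DATE = date(2013, 8, 5)  # install date named in the announcement


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: the 'card number is valid' criterion."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def expiry_current(exp_month: int, exp_year: int, today: date) -> bool:
    """A card is usable through the last day of its expiry month, so 07/2013
    is already expired on 2013-08-05, matching the vault's rule."""
    return (exp_year, exp_month) >= (today.year, today.month)


class StandInVault:
    """Toy stand-in for a hosted PCI vault (assumption: the real vault's API
    differs). It holds the card data and hands back an opaque token."""

    def __init__(self):
        self._cards = {}

    def tokenize(self, pan, exp_month, exp_year, name_on_card):
        token = "tok_" + secrets.token_hex(8)
        self._cards[token] = {"pan": pan, "exp_month": exp_month,
                              "exp_year": exp_year, "name": name_on_card}
        return token

    def charge(self, token, amount):
        # Transactions reference the token; the merchant never resupplies the PAN.
        return token in self._cards and amount > 0


REQUIRED = ("pan", "exp_month", "exp_year", "name_on_card")


def migrate_cards(records, vault, today=MIGRATION_DATE):
    """Apply the transfer criteria, tokenize the survivors, and return
    (payment_methods, rejected). Payment methods hold only the token plus
    display data; a legacy 'cvv' field is never read, let alone stored."""
    payment_methods, rejected = [], []
    for rec in records:
        missing = [f for f in REQUIRED if not rec.get(f)]
        if missing:
            rejected.append((rec["rto_id"], "missing " + ", ".join(missing)))
            continue
        if not luhn_valid(rec["pan"]):
            rejected.append((rec["rto_id"], "invalid card number"))
            continue
        if not expiry_current(rec["exp_month"], rec["exp_year"], today):
            rejected.append((rec["rto_id"], "expired"))
            continue
        token = vault.tokenize(rec["pan"], rec["exp_month"], rec["exp_year"],
                               rec["name_on_card"])
        payment_methods.append({
            "rto_id": rec["rto_id"],
            "token": token,
            "last4": rec["pan"][-4:],
            "name_on_card": rec["name_on_card"],
            "exp": f"{rec['exp_month']:02d}/{rec['exp_year']}",
        })
    return payment_methods, rejected


# Constructed legacy records (test-pattern numbers, not real accounts); the
# "cvv" field on the first one is there to show it is dropped on migration.
LEGACY_CARDS = [
    {"rto_id": 101, "pan": "4111111111111111", "exp_month": 12, "exp_year": 2015,
     "name_on_card": "Jane Rider", "cvv": "123"},
    {"rto_id": 102, "pan": "4111111111111111", "exp_month": 7, "exp_year": 2013,
     "name_on_card": "Sam Owner"},
    {"rto_id": 103, "pan": "4111111111111112", "exp_month": 1, "exp_year": 2016,
     "name_on_card": "Pat Trainer"},
    {"rto_id": 104, "pan": "5555555555554444", "exp_month": 8, "exp_year": 2013,
     "name_on_card": ""},
]


def run_migration():
    vault = StandInVault()
    methods, rejected = migrate_cards(LEGACY_CARDS, vault)
    return methods, rejected, vault


if __name__ == "__main__":
    methods, rejected, vault = run_migration()
    for m in methods:
        print("kept   ", m)
    for r in rejected:
        print("dropped", r)
```

Running it keeps only RTO 101 (as `tok_…`, last 4 `1111`, `12/2015`) and drops 102 as expired, 103 for a bad check digit and 104 for a missing name on card, which is exactly the split the criteria above describe. The point to notice is what the merchant side ends up holding: nothing in `payment_methods` can be used to reconstruct a card number, so a later breach of that list exposes tokens that only work through the vault and the configured gateway.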
I know there is a lot of information to digest and there is not a great deal of prior warning. We have done extensive testing and expect the process to go smoothly.
If you have any questions please contact us about them at firstname.lastname@example.org.