
Frequently Asked Questions

Get fast answers to most of your questions. You can also use the Search tool at the top of the page to find answers quickly.

FAQs for Merchant Services

Payment Processing

Payment Card Industry (PCI) Data Security Standards

Once I'm accepted for a merchant services account, how do I actually get set up to accept cards?

We take care of everything from leasing or selling you an authorization terminal, programming it to suit your needs, and ensuring that you have all of the training to begin accepting payments.


 

I know that as a business I can accept credit cards, but can I also accept debit or check cards?

Yes, with our Merchant Services program we can set you up to accept both types of cards as payment for your services.


 

How can I get more information about your services?

You can contact us by e-mail or phone (1.800.228.5882) or complete our online form.


 

What is interchange?

"Interchange" describes the clearing process the Visa® and MasterCard® associations provide to settle transactions between the banks that issue Visa and MasterCard cards to consumers and the banks or processors that process Visa and MasterCard transactions for merchants like you.

The interchange process makes it possible for customers with Visa and MasterCard cards from hundreds of different banks to make purchases at thousands of merchant locations.

As part of the interchange process, Visa and MasterCard associations charge banks that process transactions an "interchange fee" for each transaction. This fee goes to the cardholder's bank as compensation for expenses incurred in providing lines of credit to cardholders. Interchange fees make up a part of your merchant discount rate. The other part of your discount rate - the processing fee - compensates the bank that provides authorization, deposit, and settlement services for your transactions.


 

How do I set up an account with Bank of America Merchant Services?

To apply for a Bank of America Merchant Services account, just complete our online form. A Bank of America Merchant Services representative will get back to you right away.


 

How do I find out your prices on point of sale equipment, such as terminals, printers, stackers, etc.?

If you're an existing Bank of America merchant, just call your Account Manager to get any kind of pricing information.

If you're not a Bank of America merchant, just complete our online form. Include your pricing request in Additional Comments. A Bank of America Merchant Services representative will get back to you right away.


 

What is a chargeback and what do I do if I get one?

The name describes what it is -- a processed credit card transaction that is reversed (charged back) to you because your customer or your customer's bank finds something wrong with the transaction.

There are several reasons why a transaction can be charged back:

  • Some chargebacks are authorization-related. For example, the transaction was allowed even though the authorization was declined.
  • Some chargebacks are processing-related. For example, errors were made in addition on the sales draft; an account number was invalid; the card had expired.
  • Some chargebacks are related to customer disputes. For example, these occur when customers deny taking part in the transaction. Or they claim they didn't receive purchased merchandise or services, and tried unsuccessfully to resolve the dispute; mail order merchandise was defective or a promised credit wasn't processed.

If you get a chargeback:

  • If you're a Bank of America merchant, just follow the steps detailed in your Merchant Guide.
  • If you're not a Bank of America merchant, follow the procedures your processor gave you when you signed up. If you are not able to get procedures, think about switching to Bank of America Merchant Services. We provide detailed information on chargebacks, how to avoid them, and action required for all common Visa and MasterCard chargebacks.

If you would like a representative to contact you for more information about Bank of America Merchant Services, go to our online form and complete it as directed.


 

How can I avoid chargebacks?

To view our chargeback prevention guidelines, select your industry:

If you would like more information about Bank of America Merchant Services, complete our online form and a representative will contact you.


 

What is the difference between an online and an offline debit card?

An ATM card is an online debit card, which means your customer’s checking account is debited right at the time of the sale. To accept ATM cards, you’ll need a PIN Pad attached to your terminal so customers can swipe their cards and enter their secret PINs (personal identification numbers).

Visa® Check Card and MasterMoney® Card are offline debit cards. When these cards are used for purchase, the customer’s account is debited in one to three days after the purchase. To accept an offline debit card, you handle it just like a credit card and swipe it through your terminal.

Through Bank of America Merchant Services you can accept both online and offline debit cards.


 

Do I really need to have my business online?

According to Forrester Research, consumer Internet commerce is predicted to reach $76 billion by 2003. In less than seven years the World Wide Web has penetrated 30% of U.S. households. Intelliquest estimates 81% of Internet users plan to shop online within the next year. Because of these numbers, small- to mid-sized businesses are rushing to develop commerce-enabled web sites.


 

Why would I want to open an online store if I have an existing retail outlet? Won't I just be competing with myself?

Selling online offers the "brick and mortar" retailer a terrific opportunity to grow his or her business through an additional sales channel, at a low cost. Open 7 days a week, 24 hours a day, an online store is not constrained by time or limited by geography. Electronic commerce presents a whole new range of methods and techniques for building a broader customer base.


 

Do I have to comply with the Payment Card Industry (PCI) Data Security Standard?

Yes. This is a mandatory compliance program instituted by Visa® and MasterCard® which requires all merchants who store, process or transmit cardholder data to adhere to certain data security standards. The Cardholder Information Security Program (CISP) and Site Data Protection Program (SDP) were the basis for PCI. PCI is supported by all major card brands in the industry. Each card brand continues to maintain its own compliance program and has the right to demand additional requirements and may assess fines for non-compliance.


 

What happens if I don’t comply with these standards?

If you do not comply with the PCI standards, you could face fines ranging from $2,000 to $500,000 per incident for each affected card type. You are liable for data compromises that occur at your place of business as well as any subsequent fraud transactions that occur at any other merchants’ location(s) where the subject compromised cards are used.


 

What is the difference between Compliance and Validation?

Compliance: Merchant abides by the new security standards. This applies to all levels.
Validation: This is a process that confirms the merchant is abiding by the new security standards.


 

What is a Data Compromise?

Incidents involving electronic or physical breach of cardholder data through the communication and/or information processing of the merchant/third party:
Electronic: Data vulnerability in transit and storage, attacks via web sites or servers, private key mismanagement, access related to user ID/password and administrative network performance problems.
Physical: Physical breach may include theft of documents or equipment (e.g., receipts, files, PCs, POS terminals, etc.).


 

What do Visa and MasterCard define as "cardholder data"?

Cardholder data is any personally identifiable data associated with a cardholder. This could be an account number, expiration date, name, address, etc. The account number is the critical component that makes PCI applicable. All personally identifiable information associated with the cardholder that is stored, processed, or transmitted is also considered cardholder data; however, PCI applies even if the only data stored, processed, or transmitted is account numbers.


 

When is it acceptable to store magnetic stripe data?

It is never acceptable for Acquirers, merchants, or service providers to retain magnetic stripe data subsequent to transaction authorization. The Visa & MasterCard Operating Regulations prohibit storage of the contents of the magnetic stripe as a unit. The following individual data elements may be retained subsequent to transaction authorization:

  • Cardholder Account Number
  • Cardholder Name
  • Card Expiration Date


 

When is it acceptable to store CVV2 & CVC?

It is never acceptable for Acquirers, merchants, or service providers to retain CVV2 and CVC, which consist of the last three digits printed on the signature panel of all Visa and MasterCard cards, subsequent to transaction authorization. The Visa and MasterCard Operating Regulations prohibit such storage, whether encrypted or unencrypted.


 

Where can the Self-Assessment Questionnaire be found?

The Self-Assessment Questionnaire is available on www.visa.com/cisp. Many of the qualified security assessors offer merchants and service providers the option to complete the Compliance Questionnaire on the security assessor’s Web site.


 

What is a Network Security Scan?

A Network Security Scan involves an automated tool that checks a merchant or service provider’s systems for vulnerabilities. The tool will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan will identify vulnerabilities in operating systems, services, and devices that could be used by hackers to target the company’s private network. As provided by qualified security assessors, the tool will not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks will be performed.


 

Is the Network Security Scan only applicable to e-commerce entities?

No. The System Perimeter Scan is applicable to all merchants and service providers with external-facing IP addresses. Even if an entity does not offer Web-based transactions, there are other services that make systems Internet accessible. Basic functions such as e-mail and employee Internet access will result in the Internet-accessibility of a company’s network. These seemingly insignificant paths to and from the Internet can provide unprotected pathways into merchant and service provider systems if not properly controlled.


 

To whom do I provide compliance validation documentation (i.e. network scans, compliance assessment questionnaires, necessary progress updates, and/or other reports of compliance as applicable)?

Furnish all required information to your Acquirer/processor ("Acquirer"). The Acquirer will file your information with the applicable card brand. Acquirers' reporting requirements vary with each card brand.


 

How is the transaction volume measured that determines a merchant’s compliance level?

The number of transactions will be determined based on the gross number of Visa transactions processed by a DBA of a chain store—not of a corporation that owns several chains. For all levels, if a merchant meets the compliance validation criteria based on Visa OR MasterCard transaction volume, they must comply with the PCI DSS requirements.


 

How is "IP-based POS environment" defined?

The POS environment is the environment in which a transaction takes place at a merchant location (i.e. retail store, restaurant, hotel property, gas station, supermarket, or other point-of-sale location). An IP-based POS environment is one in which transactions are stored, processed, or transmitted on IP-based systems, or systems communicating via TCP/IP.


 

Do merchants need to include their service providers in the scope of their PCI review?

Yes, to the extent the merchants’ service provider(s) interface with, provide software, store, process, or transmit cardholder data.


 