Tuesday, June 5, 2012

Cardholder-Activated Terminals

Typically, cardholder-activated terminals (CATs) are unattended terminals that accept bankcards, debit, credit, and proprietary cards. These terminals are frequently installed at train and subway ticketing stations, gas stations, toll roads, parking garages, and other merchant locations. The cardholder is typically guided through the sales process by a series of requests posted on the terminal's screen. There are four types of cardholder-activated terminals:
  • Automated Dispensing Machines - Level 1.
  • Self-Service Terminals - Level 2.
  • Limited Amount Terminals - Level 3.
  • In-Flight Commerce (IFC) Terminals - Level 4.
Cardholder-activated terminal requirements specify the maximum dollar amount of transactions permitted as well as authorization, clearing and chargeback requirements and related transaction liability for each cardholder-activated terminal type.

Because cardholder-activated terminals are usually unattended, the traditional point-of-sale (POS) card acceptance procedures do not apply, such as the merchant's verification of the card's authenticity by examining its hologram, embossed account number, or embossed security features for signs of altering. The merchant is also prevented from verifying the authenticity of the cardholder's signature.

Requirements for Cardholder-Activated Terminals

Cardholder-activated terminals must comply with the following six general card acceptance requirements:
  1. All non–face-to-face transactions initiated by the cardholder where the card number is either captured as a result of reading the card electronically or by using an electronic device (such as a transponder, PC, or mobile phone) must include the proper cardholder-activated terminal (CAT) level indicator in both the authorization message and clearing records. Depending on the CAT level indicator, other specific data is required for authorization and clearing.
    • The Authorization Request message must include a valid merchant category code, point-of-sale (POS) country code, POS postal code, and CAT level indicator (Level 1, 2, 3, 4, 6, or 7).
    • Messages used at the CAT must communicate to the cardholder, at a minimum, the following information:
      • Invalid transaction.
      • Unable to route.
      • Invalid PIN—re-enter (Level 1 only).
      • Capture card (subject to the terminal’s ability to retain cards).
    • The merchant identification number and the CAT level indicator must be present in the First Presentment, First Chargeback, Second Presentment, and Arbitration Chargeback messages.
  2. The acquiring bank must ensure that the description of products or services on the CAT sales receipt is clearly recognizable to the cardholder.
  3. Acquiring banks are responsible for providing requested transaction information documents.
  4. No cardholder-activated terminal may accept a payment card for the purchase of scrip.
  5. Acquiring banks must ensure that sales receipts show only the last four digits of the card account number, and that all preceding digits are truncated. The truncated digits must be replaced with fill characters such as "X," "*," or "#" and not with blank spaces or numeric characters.
Requirements for Automated Dispensing Machines

The following card acceptance requirements apply to Automated Dispensing Machines (ADM)/Level 1.
  1. The Automated Dispensing Machine must accept a personal identification number (PIN) as a substitute for signature.
    • If PIN is not adopted as a standard within a country or card issuers have not provided one, this level of service is not available.
    • The PIN authorization must be made via a secured transmission.
    • ADM terminals must be able to support numeric, alpha, or alphanumeric PINs with a minimum length of four digits.
  2. The acquiring bank may decline a transaction after four attempts and four consecutive negative responses of "invalid PIN" or "invalid transaction" from the credit card network. Optionally, the acquiring bank may allow more than four consecutive PIN entry attempts that each received a negative response at an ADM.
  3. All transactions regardless of amount must be authorized on a zero floor limit basis with full, unaltered card read data transmitted.
  4. Card retention at an ADM is not required; however, if the terminal capability is available, the merchant may do so only at the card issuer's specific direction.
    • The retained card must be logged and secured under appropriate audit controls.
    • The retained card must be cut in half and then returned to the acquiring bank.
  5. For transactions processed at ADMs where a PIN and full, unaltered card data is transmitted, "No Cardholder Authorization" chargeback rights are not available to card issuers because PIN is a valid proxy for the cardholder's signature.
  6. An ADM that is also a hybrid terminal may perform fallback procedures unless it is prohibited by a region. Acquiring banks use fallback procedures when a smart card is present at a hybrid terminal and the merchant processes the transaction by using the magnetic stripe or by manually entering the account number because the merchant cannot process the transaction using smart card technology.
Requirements for Self-Service Terminals
The following card acceptance requirements apply to Self-Service Terminals (SST)/Level 2.
  1. Self-Service Terminals do not process PIN. They include (but are not limited to) automated fuel dispensers identified with MCC 5542.
  2. All Self-Service Terminals must comply with the following requirements:
    • The floor limit for authorization purposes is zero.
    • The acquiring bank must read and transmit full, unaltered card account data.
  3. The Authorization System will send all transactions identified as Self-Service Terminals in the Authorization Request message to the card issuer, regardless of Limit 1 parameters.
  4. The maximum transaction amount is $100 or its equivalent.
  5. Chargebacks processed because of no cardholder authorization for Self-Service Terminal transactions will be allowed only if the card issuer verifies that the account number used in the transaction is fraudulent, as documented in a letter written by the cardholder to the card issuer. Additionally, the card issuer must block the account number until card expiration on or before the Central Site processing date of chargebacks processed because of no cardholder authorization. The card issuer also must list the cardholder account number on the respective Credit Card Association's Account File with a "capture card" response until card expiration. Card issuers in the Europe region also must list such accounts on the European Stop List (ESL). Counterfeit transactions occurring at Self-Service Terminals for which the acquiring bank has transmitted the full magnetic stripe data in the authorization request message and for which an authorization was obtained are ineligible for chargebacks processed because of no cardholder authorization.
  6. A U.S.-based merchant acquiring automated fuel dispenser transactions at Self-Service Terminals/Level 2 may forward an Authorization Request message for $1 if properly identified by MCC 5542 (automated fuel dispenser) and CAT level indicator 2. If authorization is obtained, the acquiring bank is protected from authorization related chargebacks "requested/required authorization not obtained", or "exceeds floor limit - not authorized and fraudulent transaction" for transactions less than or equal to $75. The acquiring bank protection is limited to $75 for transactions that exceed $75, and card issuers may charge back only the difference between the transaction amount and the implied $75 limit.
  7. A Self-Service Terminal that also is a hybrid terminal may perform fallback procedures from chip to magnetic stripe unless it is prohibited by a region.
Requirements for Limited-Amount Terminals
The following card acceptance requirements apply to Limited-Amount Terminals/Level 3.
  1. A Limited Amount Terminal must check the account number against the Electronic Warning Bulletin file if the terminal has such a capacity.
  2. The maximum transaction amount is $40 or its equivalent.
  3. Re-presentment rights for chargebacks processed because of no cardholder authorization are not available to card issuers for properly identified Limited-Amount Terminals/Level 3 transactions. Re-presentment rights for chargebacks processed because the requested or required authorization was not obtained or exceeded the applicable floor limit or for not authorized and fraudulent transactions, are available if the maximum transaction amount of $40 or its equivalent has been exceeded.
  4. A Limited-Amount Terminal that also is a hybrid terminal is prohibited from performing fallback procedures from chip to magnetic stripe.
In-Flight Commerce Terminals
  1. Acquiring Bank and Merchant Services Provider Requirements and Transaction Identification Specifications.
    • Acquiring banks must ensure timely delivery and installation of the In-Flight Commerce (IFC) Blocked Gaming File to gaming service providers. IFC Blocked Gaming File access is required before every gaming transaction.
    • Acquiring banks must identify in-flight commerce services or merchandise with the most appropriate merchant category code (MCC) in the authorization message and merchant business code (MCC) in First Presentment messages. If an airline also acts as the service provider, the acquiring bank may not use an airline MCC but must assign the proper MCC for each type of IFC transaction. The following list of IFC transaction types must be identified with the designated MCC.
      • Catalog merchant - 5964.
      • Duty-free store - 5306.
      • Gaming - 7995.
      • Miscellaneous services - 7299.
      • Video game - 7994.
    • Transactions must be consolidated by MCC, per flight, for each cardholder account.
    • The acquiring bank must identify the transaction with the most appropriate transaction category code (TCC) in the authorization request message. The TCC for gaming transactions should be "U" (unique transaction) and for any other type of transactions - "R" (retail purchase).
    • The merchant name and location must include the service provider's name and flight identification. The flight identification must be a recognizable identification of the airline.
    • The city field description for mailed purchases and gaming transactions should contain the service provider's customer service telephone number. For all IFC transactions other than mailed purchases and gaming, the city field description optionally may be a customer service telephone number.
    • For all IFC transactions except IFC mailed purchase transactions, the transaction date is defined as the date that the flight departs from the originating city. The transaction date for mailed purchases is defined as the shipment date unless otherwise disclosed to the cardholder.
    • Acquiring banks must ensure that the service provider provides full disclosure to the cardholder via the video monitor screen prior to the initiation of any IFC transactions. The screen must prompt the cardholder to acknowledge these disclosure terms before initiating a transaction. Disclosures must include the following:
      • Full identification of the service provider and provision for recourse in terms of cardholder complaints or questions.
      • Notification that transactions will be billed upon the issuer's approval of the authorization request.
      • For mailed purchases only, any additional shipping or handling charges.
      • Policy on refunds or returns.
      • Provision for a paper receipt.

      For IFC gaming transactions, service providers must additionally disclose the following:

      • Maximum winnings ($3,500) and maximum losses ($350).
      • Notification that total net transaction amount (whether a net win or loss) will be applied against the cardholder's account.
      • Notification that cardholder must be at least 18 years of age to play.
      • Notification that some card issuers may not allow gaming.
    • Acquiring banks must ensure that the service provider is capable of providing an itemized receipt to the cardholder for all IFC transactions. The acquirer must ensure that, at the cardholder's option, the service provider can effect this offer in one of three ways:
      • Printing a receipt at the passenger's seat.
      • Printing a receipt from a centralized printer on the plane.
      • Mailing a receipt to the cardholder.
      The mailed receipt offer must be made available via the video monitor and must require the cardholder to input his or her name and address. For IFC gaming transactions the service provider must provide a receipt to the cardholder by one of the first two methods described above. The receipt must contain the following elements:

      • Identification of the passenger's flight, seat number, and date of departure.
      • Itemized transaction detail.
      • Gaming transaction specified as a net win or net loss.
      • The cardholder's account number truncated on the receipt. Acquiring banks must ensure that transaction receipts provided to cardholders reflect a minimum of four and a maximum of 12 digits of the cardholder account number. The remaining digits must be truncated. It is recommended that the receipt reflect only the last four digits of the primary account number, and that all preceding digits are truncated. It is also recommended that truncated digits are replaced with fill characters such as "X", "*", or "#" and not with blank spaces or numeric characters.
    • For IFC terminals, the assurance and demonstration of security of the transmission of data between the on-board client server and the acquiring bank and the physical controls over hardware and operating software. Encryption of transmitted data is advised.
  2. Transaction Requirements.
    • There are no maximum transaction amount requirements that apply to any IFC transaction, with the exception of IFC gaming transactions.
    • Merchants are not allowed to perform fallback procedures from chip to magnetic stripe on an IFC terminal that also is a hybrid terminal.
  3. Additional Requirements for IFC Gaming Transactions.
    • Net gaming losses cannot exceed $350 per flight per cardholder account. Net payouts to cardholders for gaming wins cannot exceed $3,500 per flight per cardholder account. The service provider must monitor gaming activity throughout the flight and ensure compliance with this requirement.
    • When a cardholder posts a gaming win, the transaction must result in posting of net winnings (credit) to the cardholder's account. Under no circumstance may winnings be paid in cash or other form of payment.
    • Before participating in IFC gaming activity, the acquiring bank must ensure that such IFC gaming activity will be conducted in full compliance with all applicable laws and regulations.
  4. In-flight Cardholder Account Number Verification Prior to Transaction Initiation.
    • The service provider must conduct a Mod-10 check digit routine to verify card authenticity.
    • The service provider must confirm that the card account number is within a valid BIN range that begins with:
      • American Express - 3.
      • Visa cards - 4.
      • MasterCard cards - 5.
      • Discover cards - 6.
    • For IFC gaming transactions, the acquiring bank must ensure that the cardholder's account number is checked against the IFC Blocked Gaming File. Cardholders whose account numbers are listed on the IFC Blocked Gaming File are prohibited from participating in any IFC gaming transaction.
  5. Authorization Requirements
    • The authorization request message must include the cardholder-activated terminal level 4 indicator.
    • Acquiring banks must read and transmit full, unaltered card account data. An IFC authorization request may not contain a key-entered account number or expiration date.
    • Transactions are either authorized air-to-ground during the transaction or authorized in a delayed batch. All in-flight commerce transactions have a floor limit of zero and must be authorized without exception.
    • Acquiring banks must convert all "refer to card issuer" and "capture card" messages received from issuers to "declines."
  6. Additional Authorization Requirements. All IFC gaming losses authorized post-flight must be submitted for authorization for the net amount. All gaming transactions authorized during the flight will be for the full wager amount ($350 or a lower amount pre-determined by the airline and gaming service provider). No gaming wins will be submitted for authorization.
  7. Clearing Requirements.
    • Acquiring banks are not allowed to submit declined transactions for clearing.
    • No surcharges or service fees may be assessed on any IFC transaction, including IFC gaming transactions.
  8. Additional Clearing Requirements.
    • IFC gaming transactions submitted for clearing must be for the net amount that is won or lost.
    • IFC gaming win transactions will be submitted as a credit transaction. Interchange will be paid to card issuers by acquiring banks on gaming win transactions.
    • Acquiring banks may resubmit a gaming transaction for a different amount within the specified transaction limits if it was previously rejected for exceeding the specified transaction limits which are $3,500 for wins and $350 for losses.
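
The pre-transaction account checks in item 4 and the per-flight gaming caps in item 3, as an added Python example that is not part of the original page. The function and class names, the reason strings, the 12-19 digit length bound and the choice to clamp a result at the cap are assumptions; the account numbers are widely published test numbers, not real accounts.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from decimal import Decimal

# Leading digits the page lists as valid for in-flight transactions.
BRAND_BY_FIRST_DIGIT = {
    "3": "American Express",
    "4": "Visa",
    "5": "MasterCard",
    "6": "Discover",
}
MAX_NET_LOSS = Decimal("350")   # per flight, per cardholder account
MAX_NET_WIN = Decimal("3500")   # per flight, per cardholder account


def mod10_ok(pan: str) -> bool:
    """Mod-10 (Luhn) check over an all-digit account number."""
    # Assumption: 12-19 digits; the page does not state a length range.
    if not (pan.isascii() and pan.isdigit() and 12 <= len(pan) <= 19):
        return False
    total = 0
    for position, char in enumerate(reversed(pan)):
        digit = int(char)
        if position % 2 == 1:  # every second digit, counted from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0


def verify_account(pan: str, blocked_gaming_file: set[str],
                   gaming: bool) -> tuple[bool, str]:
    """Pre-transaction checks; returns (accepted, brand or rejection reason)."""
    if not mod10_ok(pan):
        return False, "mod10_failed"
    brand = BRAND_BY_FIRST_DIGIT.get(pan[0])
    if brand is None:
        return False, "bin_not_accepted"
    # The blocked file only restricts gaming; other purchases are unaffected.
    if gaming and pan in blocked_gaming_file:
        return False, "blocked_for_gaming"
    return True, brand


@dataclass
class FlightGamingLedger:
    """Net gaming position per cardholder account for one flight."""
    net: dict[str, Decimal] = field(default_factory=dict)

    def can_wager(self, pan: str, wager: Decimal) -> bool:
        # Worst case the whole wager is lost; that must not pass the loss cap.
        return self.net.get(pan, Decimal(0)) - wager >= -MAX_NET_LOSS

    def settle(self, pan: str, result: Decimal) -> Decimal:
        """Apply a win (+) or loss (-); return the amount actually applied."""
        # Assumption: a result that would cross a cap is clamped to the cap.
        before = self.net.get(pan, Decimal(0))
        after = min(max(before + result, -MAX_NET_LOSS), MAX_NET_WIN)
        self.net[pan] = after
        return after - before

    def clearing_entry(self, pan: str) -> tuple[str, Decimal]:
        """One net entry per account: a net win clears as a credit."""
        net = self.net.get(pan, Decimal(0))
        return ("credit", net) if net > 0 else ("sale", -net)


if __name__ == "__main__":
    blocked = {"5555555555554444"}          # constructed blocked-file entry
    for number in ("4111111111111111", "5555555555554444", "4111111111111112"):
        print(number[-4:], verify_account(number, blocked, gaming=True))
    ledger = FlightGamingLedger()
    ledger.settle("4111111111111111", Decimal("-200"))
    print(ledger.can_wager("4111111111111111", Decimal("200")))   # over the cap
    print(ledger.clearing_entry("4111111111111111"))
```
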

Best Practices for Sales Receipts

Content of Sales Receipts

Each copy of a receipt for a retail sale, credit, or cash disbursement transaction must comply with minimum statutory and regulatory requirements in the jurisdiction in which the receipt originates and any applicable regulations, and must contain the following:
  • In the case of retail sale and credit receipts, a space for the description of products, services, or other things of value that are sold by the merchant to the customer and their cost, in sufficient detail to identify the transaction.
  • Sufficient spaces for:
    • Customer's signature.
    • Card imprint and the merchant or bank identification plate imprint.
    • Date of the transaction.
    • Authorization number (except on credit slips).
    • Sales representative's initials or department number.
    • Currency conversion field.
    • Merchant's signature on credit slips.
    • Description of the identification document supplied by the cardholder on cash disbursements and retail sale slips for certain unique transactions.
  • A note clearly identifying the receipt as a retail sale, credit, or cash disbursement and identifying the receiving party of each copy.
  • On the customer copy of the receipt, the words (in English, local language, or both): "IMPORTANT - retain this copy for your records," or words to similar effect.
  • Any other contents as are not inconsistent with these rules.
It is recommended that each retail sale, credit, and cash disbursement receipt provides a way of identifying the organization that distributed the receipt to the merchant.

Content of Sales Receipts at the Point of Sale

Each copy of a sales receipt produced by a physical terminal at the point of sale must be in compliance with all requirements of applicable laws and regulations. Whether a terminal or another device has been used at the point of sale, the sales receipt must not display magnetic stripe track data other than card account number, expiration date, and cardholder name. The following information must be included in the sales receipt:
  • The merchant's Doing Business As (DBA) name, city and state, country, or the point of banking location.
  • Transaction date.
  • Card account number.
  • Transaction amount in the original transaction currency.
  • Sufficient space for the customer's signature (required on merchant copy only).
  • Authorization response code (except on credit receipts). Alternatively, the acquiring bank also may print the transaction certificate, the application cryptogram, or both for EMV chip card transactions.
  • Merchant's signature on credit receipts only.
It is also required that each sales receipt must clearly identify the transaction as a retail sale, credit, or cash disbursement.

Card Account Number Truncation

The Credit Card Associations of Visa and MasterCard require acquiring banks to truncate, or make indeterminable on printed sales receipts generated by automated teller machines (ATMs), a minimum of four digits of the primary account number (PAN). The Associations also require PAN truncation for all receipts generated at Cardholder-Activated Terminals (CATs). PAN truncation is permitted for receipts generated at all other points of interaction.

Since 2005 it is also required that all sales receipts generated by newly installed, replaced or relocated point-of-sale terminals, whether attended or unattended, display only the last four digits of the account number. All preceding digits must be replaced with fill characters that are neither blank spaces nor numeric characters, such as "X," "*," or "#."

Following best practices for truncating card account numbers helps merchants fight fraud but it also promotes customer confidence in the merchant's ability to securely handle personal information. The last four digits provide the customer with enough information to identify the card that he or she used in the transaction.
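
The last-four rule above, as an added Python example that is not part of the original page: one function produces the masked account number and one audits printed receipt text against the rule. The function names, the finding codes, the "CARD"/"ACCT" line label and the sample receipts are constructed for illustration.

```python
import re

# Assumption: the receipt labels its account line "CARD" or "ACCT".
CARD_LINE = re.compile(r"^[ \t]*(?:CARD|ACCT)[^:\n]*:(.*)$", re.I | re.M)
# 12-19 digits in a row, allowing single space or dash separators.
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){11,18}")
# One or more non-blank, non-numeric fill characters, then the last four.
MASKED = re.compile(r"[^\s\d]+\d{4}")


def mask_pan(pan: str, fill: str = "X") -> str:
    """Return the receipt form of an account number: fill plus last four."""
    digits = re.sub(r"[ -]", "", pan)
    if not (digits.isascii() and digits.isdigit() and 12 <= len(digits) <= 19):
        raise ValueError("account number must be 12-19 digits")
    # Blank or numeric fill is rejected, as the rule requires.
    if len(fill) != 1 or fill.isspace() or fill.isdigit():
        raise ValueError("fill must be one non-blank, non-numeric character")
    return fill * (len(digits) - 4) + digits[-4:]


def audit_receipt(text: str) -> list[str]:
    """Return sorted finding codes for a printed receipt; empty means clean."""
    findings = set()
    # A long digit run anywhere on the receipt looks like a full account
    # number. Numeric fill is indistinguishable from one, so it lands here too.
    if DIGIT_RUN.search(text):
        findings.add("full_pan_printed")
    for match in CARD_LINE.finditer(text):
        value = match.group(1).strip()
        shown = sum(ch.isdigit() for ch in value)
        if shown > 4:
            findings.add("more_than_last_four")
        elif not MASKED.fullmatch(value):
            # Covers blank fill and missing fill: only "1111" is left.
            findings.add("bad_fill")
    return sorted(findings)


# Constructed sample receipts using a widely published test number.
SAMPLE_RECEIPTS = {
    "compliant": "ACME FUEL 12\nCARD: XXXXXXXXXXXX1111\nTOTAL: 40.00\n",
    "first_six_shown": "ACME FUEL 12\nCARD: 411111XXXXXX1111\nTOTAL: 40.00\n",
    "blank_fill": "ACME FUEL 12\nCARD:             1111\nTOTAL: 40.00\n",
    "untruncated": "ACME FUEL 12\nCARD: 4111 1111 1111 1111\nTOTAL: 40.00\n",
}

if __name__ == "__main__":
    print(mask_pan("4111 1111 1111 1111"))
    for name, receipt in SAMPLE_RECEIPTS.items():
        print(name, audit_receipt(receipt))
```
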

General Truncation Consideration

Typically, the truncation of a greater number of digits, when compared to the total number of digits in the PAN, increases the effectiveness of the procedure. However, it also increases the confusion and difficulty that cardholders may have reconciling their ATM terminal receipts to their periodic card statements. There are several considerations to take into account when developing your own procedures for truncating account numbers:
  • A truncation of the routing bank account number (BIN) alone, while helpful, may not prevent duplication of the PAN. It is possible to observe the card in use in order to obtain card issuer identification.
  • Truncating the check digit and several other digits does not improve PAN security. Without the check digit, calculation of several missing digits within the PAN, especially if the routing BIN also is truncated, is substantially more complicated and time consuming.
  • Truncating a small number of digits, when compared to the total number of digits in the PAN, reduces the effectiveness of the procedure. It is possible to reconstruct a few missing digits by using a trial-and-error approach.
  • Truncating a greater number of digits, when compared to the total number of digits in the PAN, increases the effectiveness of the procedure.
Electronic Signatures

Acquiring banks that are using Electronic Signature Capture Technology (ESCT) must ensure the following procedures are implemented:
  • Proper electronic data processing (EDP) controls and security measures are established, so that digitized signatures are recreated on a transaction-specific basis. Acquiring banks may recreate the signature captured for a specific transaction only in response to a retrieval request for the transaction.
  • Adequate controls exist over employees with authorized access to digitized signatures maintained in the acquiring bank or merchant host computers. Employees and agents should be allowed to access the stored, electronically captured signatures only on a "need to know" basis.
  • Digitized signatures are not accessed or used in a manner contrary to applicable industry regulations.

What Is Authorize.Net Payment Gateway?

There is a constant stream of inquiries coming at us about payment gateways and more particularly, about our free Authorize.Net merchant account, by far the most popular among them. More often than not, merchants with no e-commerce experience are not quite clear on what exactly payment gateways do and, just as importantly, what they don't do. There is often a tendency to conflate payment gateways with payment processing accounts, which leads to confusion and to our attempts to explain the meanings of the two terms, the interrelation between them and the larger transaction cycle.

This article will be yet another attempt to do that. I have no doubt that it will be read by hundreds of thousands of aspiring merchants, so we will no longer have to endure the same questions day after day!

What Is Authorize.Net


Authorize.Net, like all other payment gateways, is a software tool that exchanges payment data between e-commerce websites and credit card processors. This is exactly the job that in a brick-and-mortar type of business would be done by a credit card machine. The most conspicuous difference of course is that you don't get to swipe your card through the gateway. Well, the customer does something which, when you think about it, is quite similar - she manually enters the information into the merchant's website from her browser.

The Payment Process Step-by-Step


Authorize.Net integrates into the e-commerce website through the latter's shopping cart - another software tool used for organizing products selected for purchase during an e-commerce shopping session. The payment process goes through the following stages:

  1. The customer places an order at the e-commerce checkout of the website and then enters her credit card account information.

  2. The payment data is encrypted by the website's SSL certificate.

  3. Authorize.Net collects the encrypted information, encrypts it yet again, and transmits it to the credit card processing bank's server.

  4. The processor sends the transaction data on to the card issuer through Visa's or MasterCard's payment networks.

  5. The issuer evaluates the available information, compares it to what they have on file for their customer and, if everything checks out, validates the transaction.

  6. The issuer's response is transmitted back to the processor and then, through the gateway, on to the e-commerce website, which shows an approval authorization message to the customer to complete the transaction cycle.

As you see, Authorize.Net is no more than a tool for information exchange between commercial and financial institutions. It is no doubt an incredibly important function, not least because if it is not performed properly, this sensitive data can be intercepted by hackers and then used for fraudulent transactions and identity theft. Still, the gateway's role should not be exaggerated and it should be seen as a part of the merchant account infrastructure.

Credit Card Processing with Virtual Terminal

Businesses contacting us with requests for information on our services often seem to confuse virtual terminals with payment gateways. They are not quite clear on what each service does. Additionally, many of them still process payments by key-entering the card information into a point-of-sale terminal's keypad, rather than doing it through a virtual terminal. But then, that should be expected, considering that they don't know what a virtual terminal is.

So with this article I will try to provide the missing information and hopefully, make your decision making process a bit easier.

Virtual Terminal Basics


A virtual terminal is an internet-based service that enables businesses to take credit card payments by key-entering the transaction information, through a browser form, directly into the merchant account provider's payment system.

Once a payment processing account is established, the business gets direct access to the processor's back end. Multiple user accounts can be created, each with a separate log-in. Each user can then access the service from anywhere web access is available and process payments or refunds, or only request transaction authorizations without actually submitting the payment for clearing and settlement. You may want to do this if you need additional time to research the transaction.

If your business accepts payments on your own website, you will get the virtual terminal as part of your payment gateway package, at no additional charge. The most widely used gateway is Authorize.Net, which UniBul Merchant Services offers for free.

Reasons for Using Virtual Terminal


More than anything else, it is convenience. If you accept credit card and / or check payments over the phone or in the mail, there just isn't a more convenient tool to enable you to do that. You manually enter the information into a payment form within your browser and click submit. It is much easier than using a telephone keypad.

The reason some businesses still use the phone option is mainly habit. It is absolutely fine to do it this way, however a virtual terminal is much easier.

Virtual Terminal Cost Considerations


Virtual terminal fees vary by vendors and processors. Here are some guidelines to look for:
  • Set-up fee. You should not be paying any set-up fees, whatever your prospective processor tries to convince you.
  • Monthly service fees. Again, virtual terminals can come on their own or as part of a payment gateway package, which affects the pricing. It ranges anywhere from $0 to $30, but you should evaluate it as part of the whole pricing agreement.
  • Processing rate. The processing rate can vary widely, but the more confusing thing is that there are multiple pricing models. You should select an interchange-plus model, where the processor charges you no more than 0.50% + $0.10 above interchange. Alternatively, you can consider a flat rate pricing structure.

Considerations to Accept Online Payments

If you want to be able to accept online payments, you need an e-commerce website with the following features available:
  • An already functioning website with an SSL certificate set up.
  • A functioning shopping cart, which is the service that allows your visitors to collect and manage the items they are interested in purchasing.
  • Payment gateway, which is the online version of the point of sale credit card machine that facilitates the transfer of data between your website and your acquirer, swiftly and securely.
The first two items should be provided by your web designer. The e-commerce payment gateway tool may be sold and set up for you by your credit card processing company that you will elect to work with.

You must not pay anything until you actually start to accept online payments through your website. Your biggest consideration, though, as far as rates and fees are concerned, should be your bank card rates. You must carefully evaluate your pricing agreement before making your decision about which processor to choose. I would recommend that you examine pricing proposals from at least ten payment processing providers. The cost to accept online payments consists of multiple components and you need to understand precisely how much you will be charged for each one of them. Listed below is a breakdown of the most typical fees associated with an e-commerce merchant account:
  1. Discount rate - the fees a card acceptor is charged to accept online payments. It is made up of a percentage fee (for example 2.05%) and a fixed fee (e.g. $0.20).
  2. Authorization per-item fee - paid on a "per-transaction" basis, it should be no more than twelve cents for any type of service.
  3. Application processing and set up fee - both are one-time fees that should not be agreed to!
  4. Monthly service fee - as the name implies, this fee is assessed on a monthly basis and should not exceed $15.
  5. Support fee - a monthly charge assessed for customer service that you should not be paying.
  6. Payment gateway charge - specific to the online payment processing industry and charged on a monthly basis. This fee should not be in excess of $19.95.
If you notice that there are any other rates or fees on your pricing agreement, you will be very well advised to look for a processor elsewhere. Remember that there are hundreds of them, so there is no shortage. Additionally, some processors may be able to provide you with a line-by-line comparison of their pricing schedules with the competition's.