If you’re looking for a new credit card processing vendor, choosing one that already has an interface with Advantage will save you time and money. Not every vendor’s product can be integrated with Advantage, and you want to confirm that you are getting the functionality you need before you buy.
The capabilities that Advantage can use from a supported payment card application/vendor are as follows.
• Online pre-auths - Initial card verification, funds held for later debit/capture. Supported for web, uploads, and data entry.
• Voids/cancellation of pre-auths - Advantage can automatically reverse/cancel an authorization when the order amount increases or the order is cancelled.
• Captures and refunds, via online and/or batch settlement – Advantage performs captures and refunds automatically via scheduled processes.
• Card number tokenization – An opaque 3rd party “token” can be obtained from supporting payment interfaces, enabling Advantage to store tokens, rather than card numbers. Advantage can automatically tokenize for web, uploads and payment data entry, bypassing the need to store card numbers in Advantage. Saved cards (showing the last 4 digits) can still be offered, at web and/or payment entry dialogs, if desired.
• International card payments – Maestro cards, 3D Secure, multi-currency, and use of payment interfaces tailored to specific regional needs.
Web-only Payment Gateways
The last several years have seen a proliferation of web-only (web-hosted) payment gateways, which, unfortunately, are not suitable for integration with Advantage. These gateways offer a “simple integration method” for websites that want to accept credit cards, but the simplicity usually rests on assumptions that severely limit their usefulness outside the web customer’s browser session. Examples of these limitations include lack of support for:
- programmatic maintenance of a credit card transaction (voids and refunds can only be performed manually, through the gateway’s own website).
- non-customer data-entry and maintenance of card information.
- two-step auth/captures (required in practice whenever shippable product is involved, since funds should not be captured before the goods ship).
- voids or partial captures (e.g., in cases where an order amount changes for any reason).
- multiple auths/captures (e.g., in cases of mixed or split orders, where delivery/fulfillment might occur at different times).
- subsequent re-use of saved cards for future orders (where customer authorizes this).
- payment of multiple invoices with a single card payment, or partial payment on an installment or a recurring schedule.
These gateways offer just enough functionality for smaller web-based businesses to receive payments, but fall far short of what is needed for adequate servicing of credit card payments beyond the simplest case. Before committing to any 3rd party interface, it is strongly recommended that API documentation be obtained and forwarded to Advantage in order to confirm suitability for integration.
Full-Featured (API) Gateways
In contrast, full-featured payment gateways avoid these limitations by providing an API (application programming interface) which supports real-time and/or batch credit card transaction processing from any software capable of invoking it.
Advantage implements credit card processing via an internal framework that supports tokenization, pre-auths, captures, voids and refunds, in real time, in batch, or a mixture of both, with business rules that determine when each transaction request is made and credit card rules that customize how different responses are handled. This level of functionality is only possible with full-featured processors whose APIs are not tied to a customer’s web browser session.
A few questions to ask any CC payment gateway vendor:
1. Do you offer an API (e.g., a .NET library or an HTTPS interface) that can be called from Windows, outside any customer browser session?
2. Does this API support auths, captures, voids, refunds?
3. (If you are interested in tokens) Does this API support token creation and later reuse of tokens, in place of card numbers? And how long are tokens usable, before they expire?
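The following is an added example, written for this page and not code from Advantage or from any gateway vendor. It shows what the capabilities listed above look like when driven from merchant-side software rather than from a browser session: tokenize once, authorize, void and re-authorize when the order total increases, capture in parts as shipments go out, refund against captured funds, and fail cleanly once a token has expired. The Gateway class is an in-memory simulation; its method names, error messages and one-year token lifetime are assumptions, and a real gateway’s API and limits must be confirmed from its documentation, which is exactly what the questions above are for.

```python
"""Two-step card processing against a hypothetical gateway API (added example).

`Gateway` is an in-memory stand-in enforcing the rules a full-featured API
gateway exposes: auth -> partial captures or void, refunds only against
captured funds, tokens instead of card numbers, token expiry. Method names,
error messages and the one-year token lifetime are assumptions, not any
vendor's API.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from decimal import Decimal
from typing import Dict, Optional, Tuple
import uuid


class GatewayError(Exception):
    """Decline or rule violation reported by the (simulated) gateway."""


@dataclass
class Auth:
    token: str
    amount: Decimal                    # funds held by the pre-auth
    captured: Decimal = Decimal("0")
    refunded: Decimal = Decimal("0")
    voided: bool = False


class Gateway:
    TOKEN_TTL = timedelta(days=365)    # assumed lifetime; confirm with the vendor

    def __init__(self, today: date):
        self.today = today
        self._tokens: Dict[str, Tuple[str, date]] = {}   # token -> (last4, expiry)
        self._auths: Dict[str, Auth] = {}

    def tokenize(self, pan: str) -> Tuple[str, str]:
        """The only call that ever sees a PAN; the caller keeps token + last 4."""
        token = "tok_" + uuid.uuid4().hex
        self._tokens[token] = (pan[-4:], self.today + self.TOKEN_TTL)
        return token, pan[-4:]

    def authorize(self, token: str, amount) -> str:
        entry = self._tokens.get(token)
        if entry is None or entry[1] < self.today:
            raise GatewayError("token unknown or expired; re-tokenize the card")
        auth_id = "auth_" + uuid.uuid4().hex[:8]
        self._auths[auth_id] = Auth(token, Decimal(amount))
        return auth_id

    def void(self, auth_id: str) -> None:
        """Release the hold; only possible while nothing has been captured."""
        a = self._auths[auth_id]
        if a.captured:
            raise GatewayError("already captured; refund instead of void")
        a.voided = True

    def capture(self, auth_id: str, amount) -> Decimal:
        """Capture part of the hold (split shipments); returns funds still held."""
        a, amount = self._auths[auth_id], Decimal(amount)
        if a.voided or a.captured + amount > a.amount:
            raise GatewayError("auth voided or capture exceeds authorized amount")
        a.captured += amount
        return a.amount - a.captured

    def refund(self, auth_id: str, amount) -> Decimal:
        """Refund against captured funds only; returns net captured."""
        a, amount = self._auths[auth_id], Decimal(amount)
        if a.refunded + amount > a.captured:
            raise GatewayError("refund exceeds captured amount")
        a.refunded += amount
        return a.captured - a.refunded


@dataclass
class Order:
    """The merchant-side record: token and last 4 only, never the PAN."""
    token: str
    last4: str
    total: Decimal
    auth_id: Optional[str] = None


def change_order_total(gw: Gateway, order: Order, new_total) -> None:
    """Business rule: an increase needs a fresh auth, so void the old hold first;
    a decrease simply captures less than was authorized."""
    new_total = Decimal(new_total)
    if new_total > order.total:
        gw.void(order.auth_id)
        order.auth_id = gw.authorize(order.token, new_total)
    order.total = new_total


def _rejected(call, *args) -> bool:
    try:
        call(*args)
        return False
    except GatewayError:
        return True


def run_scenario() -> dict:
    """Order of 100.00 raised to 120.00, shipped in two parts, 20.00 refunded."""
    gw = Gateway(today=date(2024, 1, 15))
    token, last4 = gw.tokenize("4111111111111111")     # constructed test PAN
    order = Order(token, last4, Decimal("100.00"))
    order.auth_id = gw.authorize(token, order.total)
    change_order_total(gw, order, "120.00")             # void 100.00, auth 120.00
    r = {"last4": last4,
         "held_after_first_shipment": str(gw.capture(order.auth_id, "70.00")),
         "held_after_second_shipment": str(gw.capture(order.auth_id, "50.00")),
         "net_captured_after_refund": str(gw.refund(order.auth_id, "20.00")),
         "overcapture_rejected": _rejected(gw.capture, order.auth_id, "0.01"),
         "void_after_capture_rejected": _rejected(gw.void, order.auth_id),
         "overrefund_rejected": _rejected(gw.refund, order.auth_id, "500.00"),
         "pan_retained": "4111111111111111" in repr(vars(gw))}
    gw.today += timedelta(days=400)                     # token past its lifetime
    r["expired_token_rejected"] = _rejected(gw.authorize, token, "10.00")
    return r
```

Calling run_scenario() returns a dictionary of outcomes. The points that matter when evaluating a gateway are that a void is refused once anything has been captured (a refund is the correct operation then), that captures and refunds are bounded by the authorized and captured amounts respectively, that an expired token forces re-tokenization rather than silently failing later, and that the merchant record holds only the token and the last four digits. A web-only gateway cannot support this sequence because every step after the first happens with no customer browser present.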
- What about PCI DSS Compliance?
The Payment Card Industry Data Security Standard (PCI DSS) is an evolving set of standards, which is periodically tweaked and refined based on industry feedback. It is not necessarily the final word on the best or safest practice in every detail relating to payment cards. It is, however, a set of industry-agreed-upon standards established with a view towards reducing risk of cardholder data misuse in ways that are achievable for merchants in a wide variety of environments.
There are many myths and misconceptions regarding what constitutes PCI compliance. Following are some of the more common questions we’ve been asked:
- Do PCI DSS standards apply only when storing card data?
No, PCI standards apply to any scenario where payment card numbers (Primary Account Numbers) and related data are collected, transmitted, processed, or stored.
- Can we avoid applicability or scope of PCI DSS by tokenizing card numbers?
Tokenization can reduce PCI DSS scope, but it does not eliminate it: PCI DSS still applies at the points where card numbers are collected and transmitted, and sensitive authentication data such as the CSC/CVV must never be stored after authorization, tokenized or not. If a merchant accepts card payments only via the web, untokenized card numbers are never seen or “touched” by employees or agents acting on behalf of the merchant, and tokenization is initiated entirely within the web customer’s browser session (with the card data going straight to the payment provider), then the merchant’s validation burden may be reduced to the smallest self-assessment questionnaire (SAQ A, for fully outsourced e-commerce), but PCI DSS still applies. It is always safest to have your cardholder data environment (CDE) assessed by a PCI DSS Qualified Security Assessor (QSA; more on this below). At a minimum, a QSA can confirm your understanding of the extent of your CDE scope, which could be wider and extend further than you might think.
- Does use of Citrix or Microsoft’s remote desktop for entry of PCI data outside our LAN reduce our PCI DSS scope?
No. In fact, any use of virtual applications/desktops extends your PCI DSS scope to those endpoints. Although the card data may be physically entered offsite, it is still typed on the remote endpoint and conveyed from the remote session to your virtualization server, so the endpoint and that path become part of the CDE.
- Does use of virtual payment consoles (by our employees or agents) accessed strictly within a web browser reduce our scope?
No, this also extends the scope to those machines/end points, so firewall, antivirus, access control and other considerations still apply.
- Are there ways we can reduce our PCI DSS scope, by use of software and/or hardware?
Yes. PCI DSS guidance recommends network segmentation (subnetting), firewall access restrictions, and security policies and auditing. Segmentation does not reduce the requirements themselves, but it reduces the number of systems to which they apply, which is the point of scope reduction. On the hardware side, card entry devices that encrypt at the point of interaction (for example, a validated point-to-point encryption, P2PE, solution) keep clear-text card data out of the merchant’s own systems.
- Can use of cloud services reduce or eliminate our PCI DSS exposure/scope?
Yes, it could; however, the cloud service provider then has its own PCI DSS scope(s), which must still be secured, and you remain responsible for the parts of the CDE you still operate. This is a rather involved topic in its own right, as there are different types of clouds (e.g., private, community, public, hybrid, and cumulo-nimbus; OK, scratch that last one) and different service models, e.g., Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS). Ask the provider for its Attestation of Compliance and for a written statement of which PCI DSS requirements it covers and which remain yours. Generally speaking, the design and security of APIs and intercommunication with the cloud service may be even more sensitive than on an internal network, as the exposure is potentially much greater than it would (or should) be internally.
- What is involved in obtaining PCI DSS certification?
PCI DSS does not issue a “certificate” as such; compliance is validated and attested. Larger merchants hire a Qualified Security Assessor (QSA), a firm trained and certified by the PCI Security Standards Council, to verify the technical details, provide initial and ongoing guidance during the process, review changes, and deliver an independent judgment in the form of a Report on Compliance (ROC) and Attestation of Compliance (AOC) confirming that the standard has been met. Smaller merchants may instead complete the Self-Assessment Questionnaire (SAQ) that matches how they handle cards; which route applies is set by the card brands and your acquirer, based on transaction volume.
- How does using Advantage assist us with PCI DSS compliance?
Advantage application software has been validated, at specific releases, as PA-DSS compliant (the PA-DSS program has since been retired by the Council in favor of the PCI Software Security Framework). This does not automatically extend the same compliance to each or any site using it, but it does indicate that a client using Advantage software is capable of validating PCI DSS compliance when the software is configured and used with compliant practices. Advantage supports both encryption and tokenization (and a hybrid mixture of both), as well as certain card entry device hardware, which can reduce entry scope. A number of configuration settings, such as CVV/CSC storage options (the CSC/CVV must not be retained after authorization), card masking, and encryption key expiration/rotation, can facilitate meeting certain requirements.
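As an added example (not Advantage’s code; the log lines are constructed for it), the following shows two of the controls named above in practice: masking a PAN to at most the first six and last four digits, which is the most PCI DSS has permitted to be displayed, and finding unmasked PANs and CSC/CVV values that have leaked into application logs, which silently pulls the logging system, and everything that reads it, into CDE scope. A Luhn check separates real card numbers from order and phone numbers of similar length. The regular expressions, function names and log format are this example’s own assumptions.

```python
"""Card masking and a PAN/CSC leak scan over log lines (added example,
not Advantage's code). Regexes, names and the log format are this
example's own; SAMPLE_LOG is constructed."""
import re


def luhn_ok(digits: str) -> bool:
    """Luhn check: separates card numbers from order/phone numbers of similar length."""
    total, parity = 0, len(digits) % 2
    for i, ch in enumerate(digits):
        d = int(ch)
        if i % 2 == parity:          # every second digit, counted from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str, keep_first: int = 6, keep_last: int = 4) -> str:
    """Mask for display; never shows more than the first six and last four."""
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19 or not luhn_ok(digits):
        raise ValueError("not a valid PAN")
    keep_first, keep_last = min(keep_first, 6), min(keep_last, 4)
    hidden = "*" * (len(digits) - keep_first - keep_last)
    return digits[:keep_first] + hidden + digits[len(digits) - keep_last:]


# 13-19 contiguous digits, or 4-4-4-4 / 4-6-5 groups separated by a space or dash
PAN_RE = re.compile(r"(?<!\d)(?:\d{13,19}|\d{4}(?:[ -]\d{4}){3}|\d{4}[ -]\d{6}[ -]\d{5})(?!\d)")
# key=value style CSC/CVV fields whose value is 3 or 4 digits
CVV_RE = re.compile(r"\b((?:cvv|csc|cvc|cid)\s*[=:]\s*)\d{3,4}\b", re.IGNORECASE)


def scan_line(line: str) -> list:
    """Return [('pan', text), ('cvv', text), ...] for one log line."""
    findings = []
    for m in PAN_RE.finditer(line):
        if luhn_ok(re.sub(r"\D", "", m.group())):   # regex hit but not Luhn-valid: ignore
            findings.append(("pan", m.group()))
    findings.extend(("cvv", m.group()) for m in CVV_RE.finditer(line))
    return findings


def scan_log(lines) -> dict:
    """Map line index -> findings, for the lines that contain any."""
    result = {}
    for i, line in enumerate(lines):
        found = scan_line(line)
        if found:
            result[i] = found
    return result


def redact_line(line: str) -> str:
    """Mask PANs and drop CSC/CVV values before a line reaches the log store."""
    def _mask(m):
        digits = re.sub(r"\D", "", m.group())
        return mask_pan(digits) if luhn_ok(digits) else m.group()
    return CVV_RE.sub(r"\1[removed]", PAN_RE.sub(_mask, line))


# Constructed sample: an order number that is not a card number, a gateway debug
# line that leaked a PAN and CVV, a phone number, and a space-grouped PAN.
SAMPLE_LOG = [
    "2024-01-15T10:01:02 INFO order=100234567890123 saved card token=tok_7c1e last4=1111",
    "2024-01-15T10:01:03 DEBUG gateway request pan=4111111111111111 cvv=123 amount=120.00",
    "2024-01-15T10:01:04 INFO customer phone=5551234567 shipped items=2",
    "2024-01-15T10:02:10 WARN retry auth card=5500 0000 0000 0004 exp=12/26",
]
```

scan_log(SAMPLE_LOG) reports only the second and fourth lines: the 15-digit order number matches the pattern but fails Luhn, and the phone number is too short. redact_line is the shape of filter to put in front of the log writer, since a gateway debug line like the second one is a common way for a tokenized system to quietly retain card numbers anyway; the grouped-digit patterns cover the common 4-4-4-4 and 4-6-5 layouts, and other separators would need adding.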
- Where can we learn more about PCI DSS?
The standards-related documents and guides are available at the “official” PCI Security Standards Council website: www.pcisecuritystandards.org