It seems as if everywhere you look, you see new cyber-security practices being implemented. For example, Visa recently introduced new requirements for businesses that store cardholder payment information for use in future transactions, such as recurring payments and installments. These requirements restrict card
How it works
The first time the information is used in a “future use” transaction, Visa passes back a new Transaction ID element (Visa’s term) on authorization requests. The business must retain this ID and send it with subsequent transactions in the “future use stream” for this card/Transaction ID. But only for this specific card and Transaction ID.
That’s not all
Visa also requires that the merchant obtain and store explicit cardholder consent as to the use of the card for the “future use” scenario in question (for example, an auto-charge subscription). If the customer later uses the same card for a different “future use” transaction---even another auto-charge subscription---a separate Transaction ID is issued, and separate cardholder consent must be obtained.
Penalties for non-compliance have not yet been announced but are assumed to be forthcoming.
Supported by Advantage
NOTE: As of this writing, the functionality described below is supported only for select processors. Contact your AdvantageCS representative for more information.
AdvantageCS now supports these Visa requirements, thanks to the assistance of a client partner.
When cardholder consent is obtained, Advantage stores it on the database until consent is explicitly removed. In addition, the required Visa Transaction ID is obtained and used by Advantage Card Vault for future payments involving the card.
Both MasterCard and Discover have announced similar requirements, with some slight differences from the Visa mandate. AdvantageCS is continuing to monitor communications in the