
CISP laws


AlohaWahini

Technical User
May 27, 2005
51
US
Hey guys,

I was wondering if someone knew factual information regarding the CISP (credit card) laws. Specifically, what date compliance would be mandatory, and what the penalties are (not that I expect anyone would want to ignore this, but just in case).

I've heard a lot of dates and the amounts of fines thrown around over the last 6 months, and I know when it comes to these mandatory regulations, they are often "pushed back" to allow ample time for everyone to comply.

I have a feeling some of you who work for Aloha dealers (Bo, Adam? :) ) will probably know, since they are probably the only system to release versions in the last 2 years that weren't compliant. All in good fun, of course. ;)

Does anyone know the latest?
 
Aloha 5.3.15 and higher is CISP compliant, validated on March 24, 2005.

Apparently factual info on mandatory compliance dates is hard to come by, even on the Visa site. The amount of the fine is stated though, up to 50,000 dollars per incident, whew..

It only states that it was mandated in 2001, cannot find where there is a strict deadline for getting this done by a certain date.

I will keep digging though and see if I can find a concrete answer on specific deadline date for compliance.
 
Thanks for your post, Rad. In fact, I'll even go one better. From what I can tell, it's not even a law per se, and compliance is not mandatory (though VISA calls it a mandate). The local Aloha dealer in our area has everyone convinced that if they don't block out the numbers (and comply with the rest of CISP), a federal agent will fine them $10k. I never believed that, but nearest I can tell, the fines come into play when (and if) your system is hacked... and if VISA can trace the fraudulent charges back to a breach in security in your system. That could be difficult to prove, and what kind of authority does VISA have to slap you any kind of fine?

The kicker for me is, nowhere on the site could I see an order from any government agency that compliance was mandatory, or that a specific date was in effect... two pieces of information that I would suspect WOULD be present if the government was making this mandatory.

Again, this is just what I have gleaned from what I've read, and may not be 100% accurate. I am not even suggesting that people not comply, even if it isn't mandatory. I was just trying to get to the bottom of this bunk to see exactly what the deal is here. Let me know if you hear anything.

 
I've been away for an Aloha convention, sorry for not posting earlier. Here are a few more tidbits for you.

The following versions of Aloha are CISP compliant;
• Versions 5.2.7.263 and higher
• Versions 5.2.8.224 and higher
• Versions 5.3.15 and higher

(CISP)
Background
Over the last couple of years, the concern of identity theft and security of personal financial information has become a major issue. The Federal Trade Commission released a report in 2003 stating that 4.6% of the population had experienced some form of identity theft in the past year, and about half of that was of existing credit cards. The report estimated that the total amount stolen from US consumers in the previous year was about 14 billion dollars.

Visa, and all of the other card providers have developed security guidelines in an effort to reduce this theft. The ultimate responsibility is upon the merchant to safeguard their customers' information. If you have card information stolen from your store, and it is due to an insecure system, you may be liable for fines up to $100,000.

Overview
Among the various network and procedural security guidelines is a technical requirement for software. It states that the merchant cannot store any track information from the magnetic stripe on the back of the card. Older versions of Aloha store that track information unencrypted in certain data files. In order to comply with this, Aloha has updated its software so that the card numbers are encrypted in any new data generated. They have also released a utility that will go through historical data, and replace any unencrypted card numbers with the words “CARD PRESENT.”
There are many other regulations, such as Windows passwords, and internet firewall requirements. They are beyond the scope of this document, but require your attention. Please do some research on this, it affects the way you do business.

The following versions of Aloha are CISP compliant;
• Versions 5.2.7.263 and higher
• Versions 5.2.8.224 and higher
• Versions 5.3.15 and higher

Summary
Visa, and all other card providers are holding merchants responsible for protecting cardholder information. If they find fraud has been committed, and it is a result of an insecure system, or a bad practice, they will hold the merchant liable. Limiting access to computer systems that process credit cards is the foundation of CISP.

Resources
For more information about the cardholder security programs from each of the major Card issuers, open the following links;

Visa
Mastercard
Amex
Discover

Interesting data about identity theft can be found at the FTC’s consumer website;

FTC
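The historical-data scrub described in the post above, as an added example that is not part of the original post and is not the Aloha utility: it replaces magnetic-stripe track data and Luhn-valid card numbers in text records with the words "CARD PRESENT". The record layout and the sample lines are constructed assumptions; the track patterns follow the ISO/IEC 7813 layouts.

```python
import re
from collections import Counter

PLACEHOLDER = "CARD PRESENT"  # replacement text named in the post above

# ISO/IEC 7813 layouts. Track 1: %B<PAN>^<NAME>^<YYMM><service code>...?
TRACK1 = re.compile(r"%B\d{12,19}\^[^^\r\n]{2,26}\^\d{7}[^?\r\n]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK2 = re.compile(r";\d{12,19}=\d{7}\d*\?")
# Keyed-in PAN candidates: 13-19 digits not embedded in a longer digit run.
BARE_PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits):
    """Luhn checksum, used so order numbers and the like are left alone."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scrub_line(line):
    """Return (cleaned line, list of finding kinds) for one record."""
    found = []
    def replace(kind, check=lambda s: True):
        def sub(m):
            if not check(m.group(0)):
                return m.group(0)  # not a card number: keep as-is
            found.append(kind)
            return PLACEHOLDER
        return sub
    # Whole tracks first, so the PAN inside them is never left half-scrubbed.
    line = TRACK1.sub(replace("track1"), line)
    line = TRACK2.sub(replace("track2"), line)
    line = BARE_PAN.sub(replace("pan", luhn_ok), line)
    return line, found

def scrub_lines(lines):
    """Scrub every record and tally what was removed."""
    cleaned, counts = [], Counter()
    for line in lines:
        new, found = scrub_line(line)
        cleaned.append(new)
        counts.update(found)
    return cleaned, dict(counts)

# Constructed sample records; 4111111111111111 is a well-known test number.
SAMPLE = [
    "TXN 1001 swipe ;4111111111111111=0712101000000000000? amt 24.00",
    "TXN 1002 swipe %B4111111111111111^DOE/JOHN^07121010000000000? amt 18.50",
    "TXN 1003 keyed 4111111111111111 exp 0712 amt 9.75",
    "TXN 1004 order ref 1234567890123456 amt 12.00",
]
```

Running `scrub_lines(SAMPLE)` leaves the fourth record untouched because its 16-digit reference fails the Luhn check.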

 
Adam, thanks for that valuable information. I have another question, and I really wish these idiot banks and processors would get their act together to form a cohesive plan about what is going on here.

Now I have an Aloha customer whose bank is telling them they have to have the expiration date blanked out too! Can any version of Aloha even do this?

 
Are you talking about the CC slip that prints out? I think the bank that said this is incorrect. Aloha is 100 percent compliant with Visa's regulations. They even list Aloha as compliant. I do not know of a way to blank it out. Embarrassingly enough, I've never noticed whether the exp. date shows up or not!! Bottom line is that in my opinion nobody knows 100 percent what the final rules are, and that includes Visa. I've asked CC processors about CISP, and a majority of them didn't know about it at all. Fun stuff.

Adam
 
It's nothing short of a joke, is what it is. They start throwing numbers around about fines, using scare tactics, etc. Not only that, but there are third party companies (and some processors are doing this too) trying to profit off this confusion by offering "services" to secure your network, with routers, etc. The whole thing really ticks me off.

Not sure about your region, but 5th/3rd Bank (stupidest bank name ever--should be fined for that :) ) is saying that the expiration date needs to be omitted or blocked out. What the hell good is the expiration date going to do a thief who does not have the card number??

Anyway, heads up on that.. I am getting asked (and hearing about) these silly standards that seem to be changing by the minute.

 
The reason this is so misinterpreted is because they are keeping it vague for the sole purpose of covering their a**. This gives them the opportunity to go after a merchant if they can prove credit card fraud due to the merchant's mishandling of customers' credit cards. I believe this all goes back to a major restaurant chain in Ohio that had a dishonest manager who stole credit card numbers from the POS system a few years back. At least that is the story I got at the end of my grapevine.

Bo

Kentucky phone support-
"Mash the Kentrol key and hit scape."
 
I just got a new bit of info on this absolutely fun topic. Apparently someone is saying that restaurants can no longer authorize for a percent over the principal amount to account for the tip. I hope you all know what I'm talking about. The funny thing is that gas stations authorize for at least $50 when you slide your card in at the pump. So why isn't anyone going after them?? ARGGGG!!! I'm getting frustrated.

Adam
 
That is actually a hot topic too. I get a lot of customers who have been getting angry phone calls from patrons claiming they were overcharged. With the rise of online banking and fraud, customers check their accounts regularly. And for those of you who don't know how it works, when a customer is paying by credit card, most POS systems can be configured to automatically authorize over a certain percentage to cover the expected tip. For example, I eat a $20 meal, pay for it by charge, and leave a cash tip. I check my bank statement online the next day, and my credit card is showing a charge for $24 ($20 plus a 20% tip of $4.00). I get pissed off, call the restaurant, and give them an earful. What the customer doesn't know is that the $4.00 will disappear within 3 days.

In Aloha, I know you can change the percentage or turn it off. But herein lies the problem... when a server adjusts a tip in Aloha, it doesn't dial out to verify the funds (it only does it for the initial authorization). So when the shift is over, before the batch is settled, my server has been tipped out for their credit cards and gone home. When the batch is formally settled, this customer may or may not have enough left on the card to cover the tip. If they don't, the restaurant is SOL.

I also can see the customer's point too. A tip is a gratuity, and even though some form of it is generally expected, it is not considered mandatory in American culture. In European countries, it's a given that it will be included on the price of your bill. So I can see where customers are offended where you just assume that you're going to get a certain amount.

Here's a little bit of trivia for you :) The word TIPS is actually an acronym that stands for TO INSURE PROMPT SERVICE. In my opinion, if the server knows they are getting it either way, there goes their incentive to give said service.

So, it's a tough call. I think what needs to happen is restaurants just need to change their procedures. Rather than adding the tip after the initial bill is settled, they should just do it all at once... when they get the bill, they should fill in the tip and pay the bill all at once. I assume this practice started because people thought it was rude for them to see what they were getting... that way they could leave a crappy tip, and not be around for the dirty looks. :)

 
Thanks for explaining that to everyone. I would have done it, but I felt lazy and didn't want to type it all out!! :)

I think this whole situation would be resolved if everyone that has a credit card would actually know how the process works. But then again, that would be like expecting everyone to know how to drive correctly.

Adam
 
A few points I would like to add:

A) Hiding the expiration date is not a CISP issue as much as it is a privacy issue in many of the states (led by California, of course). The CA law is that only the last five digits of the card number OR the expiration date can be printed on a receipt, but not both. Other states enacted a four-digit limitation. When CISP was created, they chose the four-digit limitation but never addressed the expiration date issue and this may be why so many bankers are confused.

B) As for the fines, I doubt you will ever see fines being levied for non-compliance when a hack was not involved. The card associations are having a hard enough time certifying the biggest merchants and it will be years, at best, before they'll be able to audit any of the smaller merchants and systems. But you can expect immediate cancellation of your merchant account processing privileges and fines if you are ever hacked into and non-CISP (PCI-DSS) compliance is determined to be a factor.

C) As to restaurants no longer being able to add 20% to the authorization request -- hogwash. There is a lot of confusion on this topic primarily due to three reasons: 1) the 20% over authorization was already accounted for by the bank based on the SIC code or the merchant meaning that restaurant merchants were already allowed a 20% tolerance without having to add anything to the authorization amount, 2) the popularity of online banking, partly due to the BofA advertising campaign, the growing share of debit cards which have "hard" ceiling (the account balance in the checking account), and the expansion of VISA, MC and AMEX gift cards which again have "hard" ceilings, have made the consumers more nitpicky in regard to how much is authorized so adding 20% will generate consumer squawking whereas five years ago, no one noticed or cared, 3) VISA and MC recently changed the pricing structure for restaurants in regard to the tolerance allowing virtually an unlimited tip as far as "best rate" goes -- it used to be the final amount had to be within 20% of the original auth amount to qualify for the best rate, now the percentage has been lifted so a $10 auth can have a $100 tip and still receive the same discount rate -- the jury is still out on how defendable this would be in a charge back scenario so we are not promoting this change to our merchants.

Hope this helps...


Steve Sommers
Shift4 Corporation
Creators of $$$ ON THE NET(tm) payment processing services
 
Steve,

Don't know where you came from, but thank you for all that informative information (can do that? use the word "information" twice in a row?) :)

Nice to have someone who has some concrete material for us!



 
BTW, to answer AlohaWahini's question on whether Aloha can blank or suppress out the expiration date, here is your answer.

In versions 5.3.x and higher..

You can suppress the credit card expiration date on guest checks by selecting the credit card tender in Aloha Manager/Maintenance/Payments/Tenders, selecting the Type subtab, and clearing the option for Print Expiration.

You can suppress the credit card expiration date on credit card chits by opening Aloha Manager, selecting Maintenance/Store Settings/Credit Card/Voucher Printing, and selecting the option for 'Do Not Print Expiration Date'.

In versions 5.2.8.x and higher

You can suppress the credit card expiration date on credit card chits by opening Aloha Manager, selecting Maintenance/Store Settings/Credit Card/Voucher Printing, and selecting the option for 'Do Not Print Expiration Date'

 