Credit Card Processing Training Materials
Last reviewed: 01/18/2011
Article ID: R11248
The information in this article applies to:
- Tabs3 Version 15
- Tabs3 Trust Accounting Software Version 15.3
- Tabs3 Credit Card Authorization Module
Summary
Tabs3 can accept credit cards for payments, and Tabs3 Trust Accounting Software
(TAS) can accept credit cards for trust account deposits, using the Tabs3
Credit Card Processing Authorization Module. This document includes training
information as well as recommended best practices for handling credit card
transactions. The information in this article can be used as training materials
for firms, employees, resellers and consultants.
Security Standards
The Payment Card Industry Data Security Standard (PCI DSS) is a security standard that includes requirements for security management, policies, procedures, network setup, software design, and other protective measures. The
PCI DSS was developed by the PCI Security Standards Council (PCI SSC),
consisting of members from each of the card companies including American
Express®, Discover® Financial Services, MasterCard Worldwide®, and Visa® Inc. The PCI DSS provides a common standard to which the payment industry must adhere; the related standard that applies to payment applications such as Tabs3 is
the Payment Application Data Security Standard (PA-DSS).
The Tabs3 Credit Card Authorization Module has been reviewed and accepted by the
PCI SSC. As of March 10, 2009, Tabs3 is the only legal billing application
listed on the Security Standards Council’s List of Validated Payment
Applications. A list of applications accepted by the PCI SSC can be found at:
https://www.pcisecuritystandards.org/security_standards/vpa/.
Firms that accept credit card payments must meet the requirements of PCI DSS by properly safeguarding cardholder data. It is critical that your firm adheres to the security requirements to ensure the highest standard of care to help keep sensitive cardholder data safe from hackers and fraudsters.
The following highlights the 12 main standards for data security established by the PCI DSS:
Build and Maintain a Secure Network
- Requirement 1: Install and maintain a firewall configuration to protect cardholder data
- Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
- Requirement 3: Protect stored cardholder data
- Requirement 4: Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
- Requirement 5: Use and regularly update anti-virus software
- Requirement 6: Develop and maintain secure systems and applications
Implement Strong Access Control Measures
- Requirement 7: Restrict access to cardholder data by business need-to-know
- Requirement 8: Assign a unique ID to each person with computer access
- Requirement 9: Restrict physical access to cardholder data
Regularly Monitor and Test Networks
- Requirement 10: Track and monitor all access to network resources and cardholder data
- Requirement 11: Regularly test security systems and processes
Maintain an Information Security Policy
- Requirement 12: Maintain a policy that addresses information security
Additional information regarding these standards can be found at
www.firstnationalmerchants.com under the PCI & Compliance tab.
Tabs3 Credit Card Authorization Implementation Guidelines
The Tabs3 Credit Card Authorization Module was designed with the above
security measures in mind. However, it is important to keep the following in
mind:
Tabs3 does not store sensitive cardholder information.
The Tabs3 software encrypts and transmits sensitive credit card information to
PayFuse, but does not store Credit Card Numbers, Expiration Dates, Security
Codes (i.e., Card Verification Values such as CVV, CVV2, CVC2 or CID), or PIN
numbers. Only the Credit Card Type, Cardholder Name, and the last four digits of
the Credit Card Number are stored. Additionally, the following PayFuse
transaction information is stored: Authorization #, Transaction ID, and Order
ID. The limited information that Tabs3 stores is accessible only to users who
have access to the Payment Entry program in Tabs3 and the Credit Card
Authorization List in Tabs3.
In order to best meet the standards required by the PCI Security Standards
Council, we recommend that you perform the following.
Operating System and Network
Consider the following items as they apply to your network, for servers
and workstations.
- Set up unique users in your operating system.
- Assign strong passwords to each user accessing the computer. Strong
passwords consist of 8 or more characters (14 or more is ideal), with a
combination of numbers, letters and symbols. Test the strength of your
passwords at:
http://www.microsoft.com/protect/yourself/password/checker.mspx
- Grant rights to the Tabs3 Program Directory and Current Working Directory
for only those employees that require access.
- Enable operating system auditing as recommended below.
- Make sure Windows Update is configured to apply the most current Service
Packs and Security Patches.
- Make sure adequate anti-virus software has been installed and is
configured to update automatically on a regular basis.
System Configuration
Perform the following in System Configuration.
- Assign a unique User ID for each user that uses the software.
- Assign passwords to each defined User ID in the software.
- Delete the BLANKID User ID from the User file.
- Review which Access Profiles are assigned to each user.
- Restrict the number of users who have been granted manager rights.
- Set up an Access Profile that has rights to the Tabs3 Payment Entry program.
This program is used to enter a credit card transaction in Tabs3. Assign rights for
that Access Profile to only those users that need to use the Payment Entry
program. Likewise, remove access to the Payment Entry program from those
users who do not require it.
- Set up an Access Profile that has rights to the Tabs3 Payment Adjustment
program. This program is used to reverse or refund payments in Tabs3. Assign
rights for that Access Profile to only those users that need to use the
Payment Adjustment program. Likewise, remove access to the Payment
Adjustment program from those users who do not require it.
- Set up an Access Profile that has rights to the Tabs3 Credit Card
Authorization List. This program is used to display PayFuse transaction
information. Assign rights for that Access Profile to only those users that
need access to the report. Keep in mind that these users may not necessarily
be the same users as those who have rights to the Payment Entry program.
- Set up an Access Profile that has rights to the Tabs3 Customization
program. This program is used to configure and access merchant account
information. Assign rights for that Access Profile to only those users that
need access to the program.
- Set up an Access Profile that has rights to the TAS Trust Transactions Entry
program. This program is used to enter a credit card transaction in TAS. Assign
rights for that Access Profile to only those users that need to use the Trust
Transactions Entry program. Likewise, remove access to the Trust Transactions
Entry program from those users who do not require it.
- Set up an Access Profile that has rights to the TAS Credit Card
Authorization List. This program is used to display PayFuse transaction
information. Assign rights for that Access Profile to only those users that
need access to the report. Keep in mind that these users may not necessarily
be the same users as those who have rights to the Trust Transactions Entry program.
- Set up an Access Profile that has rights to the TAS Customization
program. This program is used to configure and access merchant account
information. Assign rights for that Access Profile to only those users that
need access to the program.
Tabs3
- Configure Tabs3 to create the Payment Verification List (Utilities |
Customization | Main | Create List for Payments).
- Do not include sensitive credit card information in any Tabs3 data field
(e.g., the Payment description, client notes, etc.).
TAS
- Disable editing of trust account balances (Utilities |
Customization | Main | Allow Editing of Trust Account Current Balance).
- Disable editing of bank account balances (Utilities |
Customization | Main | Allow Editing of Bank Account Current Balance).
- Do not include sensitive credit card information in any TAS data field
(e.g., the Trust Transaction description, etc.).
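The storage rules above (only the last four digits are retained, and no card data belongs in description or notes fields) can be checked periodically against an export of those free-text fields. The following script is an added example, not Tabs3 or Software Technology, Inc. code; it assumes the records have been exported to plain text and uses constructed sample records in place of a real export.

```powershell
# Added example, not Tabs3 or Software Technology, Inc. code: scan free-text fields
# (Payment description, client notes, Trust Transaction description) for full card
# numbers, which must never appear there. Only the last four digits are ever reported,
# matching what the Tabs3 software itself retains.
function Test-Luhn {
    param([string]$Digits)
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Find-CardNumbers {
    param([string]$Text)
    # 13 to 19 digits, optionally separated by spaces or dashes, as a PAN is usually typed
    $pattern = '(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)'
    $hits = @()
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $digits = $m.Value -replace '[ -]', ''
        if (Test-Luhn $digits) {
            # Mask before reporting so the scan output itself contains no cardholder data
            $hits += ('****' + $digits.Substring($digits.Length - 4))
        }
    }
    return $hits
}

# Constructed sample records standing in for an export of description/notes fields
$sampleRecords = @(
    'Retainer paid by Visa ending 1111, auth 123456',            # compliant: last four only
    'Client called: card 4111 1111 1111 1111 exp 12/14 cvv 123', # PAN and CVV in a note
    'Check #2045 deposited to trust account'                      # no card data
)
foreach ($record in $sampleRecords) {
    $found = @(Find-CardNumbers $record)
    if ($found.Count -gt 0) { "FLAG [$($found -join ', ')]: $record" }
    else { "ok: $record" }
}
```

A flagged record should be corrected in the software and the underlying note rewritten; the scan output is safe to keep because it never contains more than the last four digits.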
Office Procedures
- Establish a policy regarding acceptance of credit card payments.
- Educate all employees regarding best practices.
- Educate all employees regarding credit card security features.
- Do not write down credit card information on paper or store sensitive
credit card information on paper. If you must keep this information on paper,
store it in a secure area and limit access to it.
Credit Card Processing Best Practices
Using approved applications does not protect you from exposure to disputes,
chargebacks and fraud. The following practices are designed to help you reduce
your exposure.
Transactions where the credit card and customer are present
When the credit card is present:
- Check the credit card's security features. All credit cards have a
number of security features, including a hologram, expiration date, embossed
card number, and tamper-proof signature panels.
- Check the hologram - A hologram is a three-dimensional symbol
that helps deter counterfeiting. The image should reflect light and appear
to move when you tilt the card. It may be located on the front or back of the
card or on the signature panel.
- Check the expiration date on the card - The card is valid through
the last day of the month shown. Do not accept an expired card.
- Check the valid date - Some cards will have this feature, where
the card is not valid until the date shown. Do not accept an invalid card.
- Check the first four digits - For Visa and MasterCard cards, the
first four digits of the embossed card number must match the four digits
pre-printed above or below that number and on the back of the card. Visa
cards begin with a 4. MasterCard cards typically begin with a 5.
- Embossing - The embossing should be clear and of uniform size and
should match the indentation on the back of the card.
- Signature Panel - The word "void" will appear if the signature
panel has been tampered with.
- Check the Magnetic Stripe - It should be smooth and straight.
- Use a card reader to swipe every card. If a card cannot be read, obtain a
manual imprint of the card before entering the transaction manually.
- Wait for authorization to be sure the transaction was approved. If the
card was declined, ask for another form of payment.
- Obtain the customer's signature. Match the signature on the receipt to the
signature on the back of the card. If the card is unsigned, request another
form of identification with a photo and signature. Request that the customer
sign their card. If the customer refuses to sign their card, inform them you
are unable to accept an unsigned card for payment and request another form of
payment. The Tabs3 Receipt function
provides a method of obtaining a signature, as well as providing the customer
proof of payment.
- Hold onto the card until the transaction is complete. This enables you to
complete any necessary security checks without having to ask the client for
their card again.
- Compare the name, account number, and signature on the card to those that
print on the receipt. Additionally, the four digits shown on the receipt
should match the last four digits on the card.
Transactions where the credit card must be manually keyed
Key-entered transactions carry additional fraud risk as the contents of the
magnetic stripe are not obtained. In addition to the above guidelines, consider
these additional steps:
- Take a manual imprint of the card.
- Complete all of the fields on the Credit Card Information window,
including the client's billing address.
- Have the customer sign the receipt and compare the signature with the
signature on the card. Do not accept an
unsigned card.
Transactions where the credit card is not present
Mail, telephone, and Internet transactions represent the greatest exposure
to disputes, chargebacks and fraud because neither the card nor the customer
is present. You are responsible for any losses due
to transactions in which the card is not present. These transactions are taken
at your own risk. Follow these additional guidelines:
- Ask for both a billing and mailing address.
- Ask for the client's phone number.
- Verify the Card Verification Value. This three- or four-digit code is
called CVV2, CID, or CVC2 depending on the card type. It must be entered in the
Credit Card Information window, but it must never be recorded or stored after
authorization is received.
- Request that your customer service number appear on the customer's credit
card statement. Both Visa and MasterCard regulations permit mail and telephone
order processors to place their customer service telephone number where the
merchant city would normally appear. Contact your customer service
representative at TSYS Merchant Solutions℠ (formerly First
National Merchant Solutions®) to discuss this option.
Do not accept a card if:
- The hologram is missing or of poor quality.
- The customer's signature does not match the one on the card.
- The account number or cardholder name has been ironed out and the card is
embossed with a different number. Evidence of this alteration is noticeable on
the back of the card.
- The card is warped or has a dull finish.
- The account number is tilted or slanted, or the embossed data spacing is
off.
- The printed information is on top of the laminated surface of the card.
- The printing on the back of the card is blurry or distorted.
- Information displayed on the printed receipt does not match the account
number embossed on the front of the card.
Fraud Detection
Always be aware of the following:
- A hesitant caller. Shaky voices or delayed responses to questions may
indicate that the caller is not comfortable with the information they are
providing.
- P.O. Boxes and mail receiving services, which may indicate lack of a
permanent address.
- Toll-free numbers given as the day or evening phone number. Attempt to get
a direct line instead.
Enable Operating System Auditing
It is recommended that Microsoft Windows operating system auditing be enabled
at each workstation for the following events and objects:
- Logon Events (not Account Logon Events)
- System Events
- Policy Changes
- Account Management
On the server installation location, we also recommend that Object Access
auditing be enabled for write access of the T3CCAUTH.DLL file of the Tabs3
working directory to record any updates to this program file.
To enable auditing, follow the procedures outlined in the following Microsoft
Knowledge Base articles. Use the article that matches the Windows version being
used on each workstation. The Microsoft Knowledge Base is available on the
Internet at http://www.support.microsoft.com/.
- Microsoft Knowledge Base Article 921469 - How to use Group Policy to configure detailed security auditing settings for Windows Vista-based and Windows Server 2008-based computers
- Microsoft Knowledge Base Article 814595 - How to Audit Active Directory Objects in Windows Server 2003
- Microsoft Knowledge Base Article 310399 - How to Audit User Access of Files, Folders and Printers in Windows XP
- Microsoft Knowledge Base Article 314955 - How to Audit Active Directory Objects in Windows 2000
The presence of file auditing logs provides tracking and analysis abilities
in the event that they are needed.
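The audit settings recommended in this section can be applied from the command line on Windows Vista, Windows Server 2008 and later instead of through the Group Policy dialogs. The script below is an added example, not Tabs3 or Software Technology, Inc. code; the Tabs3 working directory path is an assumption and must be replaced with the firm's actual location.

```powershell
# Added example, not Tabs3 or Software Technology, Inc. code: apply the audit
# settings recommended above on Windows Vista / Server 2008 or later.
# Run from an elevated PowerShell prompt (changing a SACL needs the security privilege).
$Tabs3Dir = 'C:\Tabs3'   # assumed location of the Tabs3 working directory; substitute your own

# 1. Audit policy. auditpol category names differ from the article's wording:
#    "Logon Events" is the Logon/Logoff category; Account Logon is deliberately not touched.
$categories = @('Logon/Logoff', 'System', 'Policy Change', 'Account Management')
foreach ($category in $categories) {
    auditpol /set /category:"$category" /success:enable /failure:enable | Out-Null
}
# Object Access auditing must be on, or the file SACL below never produces an event
auditpol /set /category:"Object Access" /success:enable /failure:enable | Out-Null

# 2. SACL on T3CCAUTH.DLL: log every successful and failed write to the program file
$dll = Join-Path $Tabs3Dir 'T3CCAUTH.DLL'
$acl = Get-Acl -Path $dll -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    [System.Security.AccessControl.FileSystemRights]'Write',
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $dll -AclObject $acl

# 3. Show what is now in effect; writes to the DLL appear as event 4663 in the Security log
auditpol /get /category:*
(Get-Acl -Path $dll -Audit).Audit |
    Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

Review the Security event log after the next Tabs3 update to confirm that the expected write to T3CCAUTH.DLL was recorded; an unexpected write outside an update is what this audit entry is there to catch.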
Resources
Additional information regarding the Payment Card Industry requirements and
Best Practices can be found on the Internet at:
© 1999-2012 Software Technology, Inc. All rights reserved.