Business-to-business merchants who require their customers to fax back a signed authorization form often create bigger problems than the risks they’re trying to reduce. Learn how to achieve the desired goal without creating additional financial risk. The answer may not be the form, but the entire process of card acceptance.
There are two common workflows for using a Credit Card Authorization Form. In the first, the customer calls the merchant, who then faxes the form to the customer. The customer completes the form and faxes it back; the merchant then key-enters the transaction into a desktop or virtual terminal. This manual process wastes everybody’s time, especially when the merchant requires a unique authorization for every sale.
For the second method, the merchant attempts to gain some efficiency by directing customers to their web site to download the form. This helps the merchant, but they may also lose the sale when a buyer finds easier ways to purchase from someone else.
Merchants want the form to prove that a card-absent customer approved the sale in the event of a future dispute. But most forms also collect the CVV, or security code. Keeping that code on file is a Payment Card Industry Data Security Standard (PCI DSS) violation, and against card acceptance rules. To comply with the rules, the form must be cross-cut shredded, not stored. Since virtually every form puts the credit card information in the form body, merchants are in a quandary: PCI compliance or dispute protection.
The top three common problems with Credit Card Authorization Forms:
- The form collects the security code, so the merchant cannot store the signed document without also storing the CVV.
- The form offers the option to send it back via email, a non-PCI-compliant practice.
- The form does not contain the required card-not-present refund or cancellation policy.
Methods to fix Credit Card Authorization Form problems cited above:
- Create a tear-off strip on the Credit Card Authorization Form that contains the sensitive payment data. Add fields for the last 4 digits and card brand type above the tear-off. This enables merchants to have a signed record without storing payment data after the sale.
- Do not put an email address on the form. Provide a fax number or mail instructions. If using a digital fax, review PCI compliance rules.
- Review merchant card acceptance guidelines (Visa publishes them on its merchant web site) for card-absent transactions and add the appropriate language to your form or to your invoice. Add a checkbox on the authorization form by which the customer acknowledges receipt of, and agrees to, the stated terms.
Other solutions for merchants eliminate the manual processes above while mitigating lost-dispute and fraud risks. Some examples include secure pay pages and electronic bill presentment and payment (EBPP). With these methods, the fax form with its exposed card number is completely eliminated.
TIP: If concerned about risk, ask your customer to sign the receipt generated from the sale. This contains vital data often not available on the Authorization Form.
DISCLAIMER: The suggestions above are simple, immediate solutions to merchant problems. Merchants are advised to review the latest rules per card acceptance brands, merchant agreement(s), and PCI Security Standards.