How to Remain Compliant on "Card Not Present" Transactions

This year was the first time in the five years of BillingTree’s ARM survey that online portals (84 percent) moved ahead of live agents (80 percent) as the most common form of payment offered by processors when respondents were asked to list which payment methods they currently offer. The change is being driven by millennials who want to send and receive payments within twenty-four hours using smartphones or other mobile devices, and it brings with it more complex compliance challenges for payment providers. Here Barton “Chip” Bright, General Counsel & Chief Compliance Officer at BillingTree, discusses four key areas of compliance that should be top of mind for any organization looking to adopt card not present channels to meet the demand for digital payment options.

According to Dave Yohe, VP of Marketing at BillingTree, “The financial services industry is the number one target for hackers, and unsurprisingly an area where consumers expect their data to be secure. A single breach can sink a company – especially smaller organizations.” Damage to reputation aside, the average cost of a data breach is $3.6m, a much higher expense than the investment needed to remain PCI compliant – something that is often imagined to be much more complicated than it is.

Here are four key areas I think should be top of any agency’s compliance priority list.

  1. Reg E – protecting the consumer

Fear of Reg E litigation has caused some organizations to revert to paper-based payments, but that doesn’t need to be the case.

The Electronic Funds Transfer Act and its implementing regulation (Reg E) establish the rights, liabilities and responsibilities of participants in 'electronic funds transactions' involving ACH payments and debit card transactions. Rule-making is shared between the Federal Reserve and the CFPB, but with increased scrutiny from the CFPB, there has been some confusion among collectors as to what type of transactions are covered by Reg E, as well as how the regulation applies to recurring payments.

In simple terms, if funds are being collected directly from a deposit account, then Reg E applies. An 'account' in this instance is defined as any “demand deposit, savings deposit or other asset account established for personal, family or household purposes.”

With plentiful documentation and numerous specialists now working in this area, Reg E is no longer a time-consuming enigma.

  2. Sign on the digital line – E-sign is good

Another frequent point of confusion is the interplay between the Electronic Funds Transfer Act (EFTA), Regulation E and E-sign. E-sign is simply an electronic means of satisfying certain notice and signature requirements of the EFTA, meaning both service providers and consumers can eliminate paper communication. In contrast, the EFTA is a federal law enacted in 1978 to protect consumers when their funds are transferred electronically.

E-sign refers to all legally required communications with a consumer, not just payments. The basic requirements of E-sign are as follows:

  1. The consumer must consent to receiving legally required disclosures electronically;
  2. The consumer must be informed of their right to receive such disclosures in paper form and any associated costs;
  3. The business should identify whether or not the consent relates to a particular transaction, such as account opening documents, or to ongoing disclosures over the course of the parties’ relationship, for example, account statements;
  4. The consumer must be informed of their right to withdraw consent to electronic disclosures, and the process and terms for such withdrawal;
  5. The business must provide a method for updating the consumer’s contact information;
  6. The business must provide the consumer with the hardware and software requirements necessary for communicating electronically; and
  7. The consumer must confirm consent electronically in a manner that reasonably demonstrates the consumer’s ability to receive or access necessary communication electronically.

As digital communication becomes the norm, E-sign compliance will minimize risk and differentiate a business from others still only offering wet signatures and paper disclosures.

  3. Phone payments – different cards, different requirements

When collecting a payment over the phone, different payment data needs to be stored depending on the type of card being used and the type of payment being made.

One-time debit or credit payments are among the most straightforward phone payments to process. They can be authorized via an oral call recording, with the records of authorization kept for a minimum of 2 years. Recurring credit card payments, which are governed by the Truth in Lending Act and Regulation Z, follow the same process; the only difference is that the authorization can also be completed in writing, although it does not necessarily need to be signed.

Recurring debit payments are slightly more complicated; however, with the correct processes in place they don’t need to be a concern. These payments are subject to Reg E, the EFTA and the CFPB’s interpretation of both. They require written authorization which must be signed, but it is not compulsory for this to be a wet signature. Many organizations take the view that if a consumer is required to sign in ink and return a letter, a payment is less likely to be made – this is a key driver behind E-sign.

In addition to these regulatory requirements, collectors must also be aware of the PCI data security standards. To be PCI compliant when call-recording, businesses need to ensure the card number and the card verification value (CVV/CV2) are not captured together. Newer technology is able to mask card numbers, but if using legacy phone technology, organizations need to make sure the card’s CVV/CV2 is not captured at all. If there is a need to collect both, the two details need to be encrypted and stored separately.
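The PCI point above (a stored recording must not hold the card number and the CVV together, and card numbers should be masked) as an added example, not code from the article or from BillingTree: a small Python redaction pass over a constructed call-recording transcript. It masks every Luhn-valid card number down to its last four digits, strips any bare three or four digit code spoken in the lines right after a security-code prompt, and reports whether both values were captured in the same recording. The transcript lines, the regular expressions, the two-line CVV window and the assumption that audio has already been transcribed to text are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Agent prompts that precede a CVV/CV2 being spoken (assumed wording).
CVV_PROMPT_RE = re.compile(
    r"\b(cvv|cv2|cvc|security code|three.digit|3.digit|four.digit|4.digit)\b", re.I
)
# A bare 3 or 4 digit token, the shape a spoken CVV takes in a transcript.
CVV_RE = re.compile(r"\b\d{3,4}\b")

# Constructed sample transcript: the PAN is a well-known Luhn-valid test number, not a real card.
SAMPLE_TRANSCRIPT = [
    "AGENT: Can I have the card number please?",
    "CALLER: Sure, it's 4111 1111 1111 1111",
    "AGENT: And the three digit code on the back?",
    "CALLER: 123",
    "AGENT: Thank you, is this a debit or credit card?",
    "CALLER: Debit.",
]


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters phone numbers and other digit runs that are not PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan_digits: str) -> str:
    """Keep only the last four digits, which PCI DSS permits to be displayed."""
    return "*" * (len(pan_digits) - 4) + pan_digits[-4:]


@dataclass
class RedactionResult:
    lines: list
    pans_found: int = 0
    cvvs_found: int = 0

    @property
    def pan_and_cvv_together(self) -> bool:
        """True when one recording captured both values: the situation the text warns about."""
        return self.pans_found > 0 and self.cvvs_found > 0


def redact_transcript(lines, cvv_window: int = 2) -> RedactionResult:
    """Mask PANs and remove CVVs from transcript lines, counting what was captured."""
    out, pans, cvvs = [], 0, 0
    expect_cvv_until = -1  # index of the last line still inside a CVV prompt window
    for idx, line in enumerate(lines):
        new_line = line
        # Process matches right-to-left so earlier offsets stay valid after replacement.
        for m in reversed(list(PAN_RE.finditer(line))):
            digits = re.sub(r"\D", "", m.group(0))
            if luhn_valid(digits):
                pans += 1
                new_line = new_line[: m.start()] + mask_pan(digits) + new_line[m.end():]
        if CVV_PROMPT_RE.search(line):
            expect_cvv_until = idx + cvv_window
        elif idx <= expect_cvv_until and not PAN_RE.search(line):
            # A short digit token spoken right after a security-code prompt is treated as a CVV.
            hits = CVV_RE.findall(new_line)
            if hits:
                cvvs += len(hits)
                new_line = CVV_RE.sub("[CVV REDACTED]", new_line)
        out.append(new_line)
    return RedactionResult(out, pans, cvvs)


if __name__ == "__main__":
    result = redact_transcript(SAMPLE_TRANSCRIPT)
    for line in result.lines:
        print(line)
    print("PAN and CVV captured together:", result.pan_and_cvv_together)
```

Run against the sample transcript, the pass masks the card number, removes the spoken code and flags that the original recording had captured both, which is the condition to fix in the call script or recording pause logic before the recording is retained.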

Most processors have the ability to distinguish whether a card is debit or credit by its first few digits; however, some cannot, so you should include in your payment call script a question asking what type of card the consumer is using. If an organization has done its part by asking, the law provides a safe harbour if the customer then incorrectly informs them of the card type they are using and the relevant checks haven’t been carried out. In any event, calls should be recorded and a record should be kept of the consumer’s consent.

  4. Not so convenient fees – check before you charge

Convenience fees are anything but convenient, both for the processor and consumer, especially involving transactions governed by the FDCPA. It’s not just different states that have different policies, different card processing networks do too. In addition, the CFPB has expressed its distaste for such fees. The fee is used to offset the cost of payment processing by charging consumers for the privilege of using an alternative payment channel, or a payment method that is not standard for the merchant – be aware this means the fee can’t be charged across all channels.

The number of merchants charging this fee is dropping – for the second time in five years, the BillingTree ARM survey found that a majority of agencies were not collecting convenience fees, nor were they planning to do so. Paying with plastic is no longer seen as the convenient option but the norm, so it’s not surprising that many consumers are against the fee. By charging it organizations can alienate potential customers.

If an organization decides to charge a convenience fee it needs to check the laws in the state it is based in, the states in which it operates, as well as the states where its consumers reside.

Keeping up with compliance

These four key areas to be aware of will help you stay compliant, but as always, make sure to check with your compliance experts to ensure that your business is operating within the bounds of applicable laws, rules and regulations. When deciding who to trust with processing your payments, you should check that they maintain reputable payment technology, a focus on compliance and the correct certifications. Look for appropriate PCI-DSS, HIPAA and SSAE-16 certifications and audits.

There are many options organizations can choose from when embracing new technology, but at the end of the day there is no point in implementing the latest and greatest tools if your business is going to be shut down for compliance violations.


Barton "Chip" Bright is general counsel and chief compliance officer at payment technology company BillingTree.