FAQ

Merchant Card Account FAQ’s

What is a Merchant Card Account and why do I need one?
A merchant account allows businesses to accept credit card payments. A merchant account is set-up with a financial institution. Unlike other services, money collected through your merchant account is deposited into your checking account within 2-3 business days. You must have a merchant account to accept credit card payments using your company name and if you want the funds deposited into your checking account within 2-3 business days.
What is a Payment Gateway and why do I need one?
A Payment Gateway allows you to securely process transactions online. It is a third-party service that transmits eCommerce transactions to your payment processor for authorization. A Payment Gateway allows you to offer your customers a safe and secure way of buying from you online or over the phone. Authorize.Net and PayTrace are the VPS preferred payment gateways.
How long does it take to get set-up?
It typically takes 2 business days to get approved for your merchant account. The time it takes to get set-up also depends on how quickly you follow up with answering any questions from the Underwriting Department and faxing the required paperwork.
What is a qualified vs. a non-qualified transaction?
Certain conditions must be met for a transaction to Qualify for the discount rate. If a transaction doesn’t “Qualify”, it becomes a Mid-Qualified or Non-Qualified transaction and the discount rate will increase (please check your Schedule of Fees). Qualified Transactions:

  • These are swiped transactions.
  • To qualify for the qualified discount rate the credit card must be present and swiped at the time of the sale.
  • Qualified Cards are typically standard, VISA/MASTERCARD/DISCOVER, Credit/Debit Cards.

Mid-Qualified:

  • These are typically key-entered transactions.
  • Mid-Qualified transactions are typically processed using your payment gateway or mobile device.

Non-Qualified:

  • These are transactions that process at the higher discount rate.
  • Typically these are Corporate, Government, Foreign or High-End Rewards Cards.

How long does it take to receive our funds?
It typically takes 48 to 72 hours for the funds from your transactions to be deposited directly into your checking account.
What is a monthly minimum?
The monthly minimum is the minimum amount you will be charged in relation to the discount fees for your monthly Visa/MasterCard sales. You will pay the Monthly Minimum ($25.00) or your Discount Fees, whichever is greater. For example: In one month you processed $1000.00 in Visa/MC sales. $1000.00 x 2.19% = $21.90. This amount does not meet the monthly minimum of $25.00 so you will be charged an additional $3.10 to meet the monthly minimum of $25.00 ($21.90 + $3.10 = $25.00). However if in one month you process $1500.00 in Visa/MC sales then your fees = $32.85 ($1500.00 x 2.19% = $32.85). You will be charged $32.85 in Discount Fees as you have met the monthly minimum of $25.
What is a chargeback?
Customers have the right to dispute a charge to their credit card, typically when goods or services are not delivered within the specified time frame, goods received are damaged, or the purchase was not authorized by the credit card holder. A Chargeback is the return of funds to the customer, initiated by the Issuing Bank. Merchant will be granted a timeframe to reply to the chargeback request, submit proof of the sale or the receipt of goods/services sold, and receive credit for the original sales amount.
How can Chargebacks be prevented?
Depending upon the method in which a merchant accepts credit cards there are various steps a merchant can take to prevent their exposure to fraud and risk, thereby preventing a potential chargeback. It is also crucial when accepting credit card payments that the proper documentation is gathered; in the event a chargeback is initiated having the proper documentation can assist the merchant in winning the dispute.

Card Present:

  • Obtain a full magnetic strip read whenever possible; if the magnetic strip is damaged, obtain a fully legible manual imprint
  • Check that the signature on the receipt matches that on the back of the card
  • All sales policies should be conspicuously posted at the cash register
  • Card Not Present (E-commerce or MO/TO)
  • Utilize the Address Verification Service and only allow transactions that have a perfect match to be completed
  • Ship only to the billing address of the card
  • Ship with a signature required on delivery

What is Interchange?
It is a fee that a merchant’s bank (the “acquiring bank”) pays a customer’s bank (the “issuing bank”) when merchants accept cards using card networks such as Visa and MasterCard for purchases. In a credit card transaction, the acquiring bank pays the merchant the amount of the transaction minus both the interchange fee and an additional, usually smaller fee which is often referred to as a discount rate, or fee.
What is PCI Compliance?
The Payment Card Industry Data-Security Standards (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment.
The PCI DSS is administered and managed by the PCI SSC (www.pcisecuritystandards.org), an independent body that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.) To read more visit https://www.pcisecuritystandards.org/ Also, see additional FAQs about PCI here.
What is AVS?
AVS (Address Verification System) is a system that attempts to match the billing address that a customer enters in the Billing Address fields during checkout. When the credit card entered is authorized, AVS checks to see if the cardholder’s address entered during checkout matches the address information on file with the issuing bank. This system will reduce the merchant’s exposure to fraud especially in a card not present environment.
What is CVV2?
A CVV2 is a three or four-digit number printed on credit cards to help card-not-present merchants verify that the customer has a legitimate card in hand at the time of the order. The term “CVV2″ literally means card verification value 2. This is a code that is placed on the credit card for security purposes. The merchant asks the customer for the CVV2 and then sends it to the card Issuer as part of the authorization request. The card Issuer checks the CVV2 code to determine its validity, then sends a CVV2 result back to the merchant along with the authorization.
How do I update the bank account that my deposits are sent to?
Please call Customer Service at 877.674.2286 option 3, and you will be sent an account update form. The completed form may be faxed to 207.221.1512.
How do I retrieve copies of my merchant statements?
Merchant statements can be viewed online by logging on to our website at www.VisionPayments.com. Under the “Aurora” heading, click on the link “Need to register for Aurora?” to register your account. For security purposes you will be asked for your 16 digit Merchant Account Number (MID) as listed above. Please follow the steps to ensure secure logins and also make sure to keep record of your new case sensitive password. Please contact customer support with any questions at 877-674-2286 Option 3.

Personally Identifiable Information (PII)

CSR Breach Reporting Toolkit® FAQs

The questions and answers below are offered as a general reference to help you understand the CSR Breach Reporting Toolkit® services and how they relate to your handling of personally identifiable information (PII). Every information security breach is different, and each one should be carefully evaluated in light of its unique facts and circumstances. As such, if you believe that PII in your care may have been compromised, you should promptly consult an attorney who can help you understand your legal obligations.

What is CSR Breach Reporting Toolkit®?

CSR Breach Reporting Toolkit® is an information security breach defense, preparedness, and response service that helps merchants address the risks associated with handling personally identifiable information (PII) without committing all of their valuable internal resources to the cause. Forty-nine state laws as well as laws in additional jurisdictions mandate certain responsive procedures in the event that certain forms of PII in your possession are compromised. That’s where we come in.

If and when you determine that a breach of PII has occurred, or suspect a breach or loss of data, CSR Breach Reporting Toolkit® can assist you in notifying the proper authorities (including, in particular, card brands and government agencies) that data has been compromised.

What services does CSR Breach Reporting Toolkit® provide?
CSR Breach Reporting Toolkit® services are designed to help you react quickly to a data breach. When PII is lost, stolen, or otherwise compromised, merchants are often confused about what steps to take to rectify the situation. But merchants must be prepared to act quickly in order to comply with applicable laws and industry standards, and in order to preserve their customers’ trust. In the event you discover a breach of PII, CSR Breach Reporting Toolkit® can help you take action to respond.
When should a VPS Merchant call CSR Breach Reporting Toolkit®?
For the reporting of a suspected or actual breach, members should call 1-855-PII-Data (1-866-744-3282).
CSR Breach Reporting Toolkit® will report the breach to federal, state and any other governmental agencies as required.
What agencies do I have to report to when a breach occurs?
Whether and which agencies must be notified of a breach involving PII depends on the applicable law(s). Depending on the particular circumstances, you may be required to report the breach or multiple agencies or none at all. CSR Breach Reporting Toolkit® maintains a database of federal, state, and law enforcement agencies that may require reports. CSR Breach Reporting Toolkit® can also help by providing reporting to these agencies on your behalf. Reporting to federal, state, and law enforcement agencies (in addition to card brands) are included as part of our Tier I services.
What is personally identifiable information (PII)?
There are many different definitions of PII, and the applicable definition depends on which state law(s) apply to a particular situation. Most definitions, however, include some variation of a person’s name or initials IN COMBINATION WITH other pieces of information that can be used to identify the person, including Social Security numbers, driver’s license numbers, and financial account numbers. Some state laws further include date of birth, mother’s maiden name, biometric records, and certain medical, educational, or employment information.
Can I get copies of the breach reporting to these agencies?
CSR Breach Reporting Toolkit® will provide you with copies of any reporting it sends on your behalf.
How can my business be harmed if PII is lost or stolen?
Forty-six states in addition to other jurisdictions currently have laws in place that may require you to notify affected individuals (and others) in the event that PII is lost, stolen, or otherwise compromised. The ramifications of such breaches can be substantial. They can also take many forms, including costs and expenses associated with managing a breach, private lawsuits or government investigations arising from a breach, and lost consumer trust.
The financial consequences of failing to properly report a breach can also be substantial, possibly even more substantial than those associated with the breach itself. As just one example, Visa can assess fines of up to $100,000 per breach incident against merchants that fail to promptly and appropriately report the incident to Visa. You can mitigate this risk by positioning yourself to act quickly in the face of a breach. CSR Breach Reporting Toolkit® can help.
What if I don’t record or maintain any Personally Identifiable Information?
Many merchants do not realize that the cardholder’s name is included in the magnetic stripe of some cards, and is captured when the card is swiped at your POS terminal. (That is often how the cardholder name is printed on the cardholder copy of the receipt). As such, you may be collecting and storing information that constitutes PII through your POS terminal even if you are not expressly asking your customers to provide it. This means that if your POS terminal is breached, you could be required to notify individuals (and others) of the breach.
What are my responsibilities to my internal business operation (i.e. employees, contractors, etc.)?
Information security and breach preparedness are not just for customer-facing businesses. The forty-six plus security breach notification laws already in existence generally apply to any person’s PII. This means that you could be required to notify your employees, subcontractors, service providers, or others if PII about them that is in your care is compromised. (Your employees likely provided PII to you, on their employment application, before you even let them in the door for an interview.) In addition, if you act as a service provider for other companies, you may be required to notify these other companies if PII about their customers, employees, or contractors is compromised while in your care.
What is a breach of PII?
The definition of a breach or a “breach of the security of the system” varies from state to state. In many states, a “breach of the security of the system” arises from any “unauthorized acquisition of computerized data that compromises the security, confidentiality, or integrity of personal information maintained by [your] business.” In some states, however, the unauthorized disclosure or acquisition of hard copy records (in addition to computerized data) may also constitute a breach. A breach can occur in many ways, including through lost laptops or PDAs, improper disposal of paper records, or intrusion into your network or PC by hackers.
What are my PII data breach risks?

Occurrences of lost or stolen PII occur every day. The financial penalties for these data breaches can be significant. More serious breaches involving PII, especially those involving highly sensitive forms of PII, can result in criminal penalties. Also, your business reputation can be severely damaged. Consumer surveys cited by Visa USA indicate that approximately 79% of customers lose trust in a company that experiences a breach involving their PII, and approximately 74% say they will not continue to shop at a place where they feel their PII may be at risk. Other studies show that a data breach costs companies, on average, about $214 per compromised record.

It’s clear, then, that a breach can hurt your business in more than one way. CSR Breach Reporting Toolkit® can help you avoid these penalties and harm to your reputation by helping you position your business to fend off PII breaches in the first instance and to respond accordingly if and when one occurs.

I believe a hacker has compromised my system or network. What steps do I take regarding my system?
CSR Breach Reporting Toolkit® cannot provide this information. Each breach (and suspected breach) is unique and the appropriate response varies accordingly. If the breach potentially involves payment card information, you may want to visit Visa’s web site (http://j.mp/VisaCISP), which provides a guide for merchants called “What to do if compromised”. Visa’s guide offers some tips and suggestions about responding to a breach of payment card information that may be useful to you.
What are the requirements to notify my customers when their PII has been compromised?
Requirements to notify customers in the event of a breach vary from state to state. CSR Breach Reporting Toolkit® can help you identify the sources of potential legal obligations to notify customers of a breach, even though we cannot interpret these laws for you. For that, you may need an attorney. If and when you determine a breach has occurred, however, CSR Breach Reporting Toolkit®’s Tier II consulting services can help you fulfill any customer notification requirements. See our FAQ concerning CSR Breach Reporting Toolkit® Tier I and Tier II services for additional details about the services that are available to you.
Do credit-reporting agencies (CRAs) need to be informed of a breach involving PII?
Sometimes. There are provisions in most of the state security breach notification laws regarding reporting breaches to CRAs like Equifax, Experian, and TransUnion. CSR Breach Reporting Toolkit® maintains a data base of the applicable provisions in these state laws that details under what circumstances CRAs must be informed of a data breach, and we can help you notify them when necessary. Reporting to CRAs is a standard component of our Tier II services, and may be available for an additional fee if you are a Tier I customer. See our FAQ concerning CSR Breach Reporting Toolkit® Tier I and Tier II services for additional details
MasterCard and Visa have Payment Card Industry (PCI) rules. What is the difference between PCI and PII?
PCI stands for the “payment card industry” and their data security standards protect payment card data such as the debit or credit card number, expiration date and card security code. PII, or “personally identifiable information,” is a broader category of information that encompasses both payment card information and various pieces of information that uniquely identifies, or can be used to so identify, an individual. Please see our FAQ concerning the types of information that constitute “personally identifiable information” for further details about PII
What is the difference between a PCI DSS breach and a PII breach?
The differences between a PCI DSS and a PII breach chiefly stem from the different types of information compromised in each. The particular data elements involved can significantly impact the long and short-term consequences of a breach in a variety of ways. For example, a payment card information breach often results in card fraud (e.g., unauthorized transactions) and a fine to merchants from MasterCard, Visa, or American Express. But a PII breach can be more damaging in that a person’s identity could be stolen as a result of the unauthorized acquisition of personal details about affected individuals. Perpetrators can sometimes open new credit cards, apply for loans, and establish new credit accounts with the stolen information.
How can I minimize the threat of PII data breach?

Almost everyone can do more to protect PII. Our Tier II services, in particular, are designed to help you do just that. Our Tier II services offer a comprehensive suite of breach defense, preparedness, and response products for merchants who want us be very involved in the process from start to finish. In addition to the full suite of Tier I services (such as our monthly newsletter), Tier II customers can take advantage of our consulting services concerning (1) appropriate safeguards for PII, (2) forensic evaluation of particular breach incidents, and/or (3) responding to affected individuals and other necessary parties (beyond card brands and government agencies) when PII is compromised.

In addition, if you store, process or transmit payment card information, for example, you must become PCI compliant to help ensure that you are adequately protecting your systems and networks that may be involved in the processing of payment card information. Our PCI ToolKit product can help with that. The PCI ToolKit walks you through your annual PCI Self-Assessment Questionnaire as required by the PCI Security Standards Council. For more information about the PCI Toolkit, please visit the Web site at www.pcitoolkit.com.

What is the purpose of sending consumer notifications?
While the risk may be difficult, or impossible, to quantify, the unauthorized acquisition of sensitive PII by a third party potentially increases the risk that an individual will be victimized by fraud or some form of identity theft. Telling individuals that their PII has been, or may be, exposed to an unauthorized third party allows them to take proactive steps to protect themselves from identity theft and other forms of fraud. Such precautions can include canceling compromised credit or debit cards, placing a fraud alert on consumer credit reports, or simply reviewing financial account statements more carefully. Regardless whether notice recipients elect to take any additional precautions, they will be in a better position to make an informed decision about them if they receive notice of a breach. Consumer notifications can also be an opportunity for you to let the affected individuals know that you care about their privacy and are willing to help them understand what happened and how their PII was exposed.
What if the PII in my care is always encrypted?
Virtually all jurisdictions have mirrored California’s exemption from breach reporting and notification when PII is encrypted or otherwise rendered secure. So you may not have to notify affected individuals (or others) if PII in your care is encrypted. While “encryption” is not defined in some of the state security breach notification laws, it generally requires that PII be transformed into a form in which there is a low probability of assigning meaning to it without use of a confidential process or key. Some states, however, require that PII be encrypted or secured using particular technologies or processes in order for this notification exemption to apply. CSR Breach Reporting Toolkit® maintains a list of state laws that do not apply to encrypted PII.
What if I received PII from someone else and that PII is compromised?
If PII belonging to another organization is compromised while in your care, you may be required to notify that organization of the compromise. Most state laws place the ultimate responsibility for notifying consumers of a breach on the “owner” or “licensee” of PII, but others who receive or maintain this information are typically required to promptly (or immediately) notify the owner or licensee after discovering a breach of PII so that the owner or licensee can take action accordingly. In addition to the obligation to notify the owner or licensee of a breach, you may also be required to cooperate with the data owner or licensee by, among other things, providing to the owner or licensee relevant details about the breach incident and about any remedial measures being taken. Even where notice to the owner or licensee is not legally required, it may be appropriate depending on your relationship with the owner or licensee.
Who is responsible for overseeing compliance of the various security breach laws?

As a general rule, the various state attorneys general and other state regulatory bodies are responsible for enforcing and overseeing compliance with state security breach notification laws. But in some states consumers who are harmed by a violation of the state’s notification law may bring a private lawsuit to enforce the law and recover damages for a violation.

At the federal level, this responsibility is principally vested in the Federal Trade Commission, the Consumer Financial Protection Board, and the Department of Health and Human Services (for healthcare-related entities). The consequences of failing to comply with applicable breach notification obligations can be significant, and will likely only result in additional frustration in the wake of a breach. Several companies have already found this out the hard way. CSR Breach Reporting Toolkit® can help you avoid becoming another example of what not to do.

PCI Compliance

What is the PCI DSS Standard?
The Payment Card Industry Data Security Standard (PCI DSS) is a set of questions that each merchant who handles, accepts or transmits merchant service credit or debit cards must answer and attest to. PCI DSS is written and maintained by the PCI Security Standards Council.
What is the Self-Assessment Questionnaire?
The Self-Assessment Questionnaire (SAQ) is the actual set of questions that the merchant must answer. There are currently four SAQ’s available to answer. The merchant needs to choose the SAQ that best fits how the merchant processes credit cards on a per Merchant Identification Number (MID) basis. Many merchants have more than one MID for example an MID for the retail store and a separate MID for the ecommerce store.
Who needs scanning?
Any MID who answers SAQ C or D needs scanning. If you use an outside vendor and you do not receive or store credit card numbers, you qualify for SAQ A and therefore, do not have to be scanned.
What merchant levels does PCI ToolKit® cover?
PCI ToolKit can be used by any merchant of any size who does not need an on-site examination to complete PCI DSS.
What SAQ does the PCI ToolKit cover?
PCI ToolKit contains all of the material required to complete SAQ A, B, C and D.
Does the PCI ToolKit offer scanning?
PCI ToolKit offers fully integrated quarterly scanning through our partners. However there is no requirement that you must use one of our integrated scan vendors. Any currently certified PCI Security Standards Council Approved Scan Vendor (ASV) can use their scan tools in conjunction with PCI ToolKit.