Cryptopay, First Data, and PCI compliance

[cherokee235]

Just switched to First Data as my merchant provider in my laundromat and still considering Crypto at the Carwash. The PCI compliance requirement for First Data/Ignite payments was about a 30 question survey along with the required scans of my IP address. I passed, but the whole dynamic changes if I add Crypto at the carwash as that is not PCI compliant. It will increase my cost by $20 per month from Ignite to be out of compliance.

I assume none of you are compliant and just pay the money. I know card swipe is here for a long time, but I feel like I'm getting ready to spend $4000 on obsolete equipment and will run into lots of expense again soon. It really gives me pause.

I've read many posts of the benefits of cards, but I've read many complaints of chargebacks and other unexpected costs, too.

Is anyone chip card compliant in the carwash format?

 

[Jeff_L]

Call Dave at cryptopay. How I read the compliance is that his system has to be compliant, not you as you would be encrypting at the point is swipe. Thus, you have no in-encrypted data onsite or transmitted. It's all decrypted at cryptopay.

 

[loewem]

I'm not aware of any card reader for car wash that handles the chip cards (EMV). That is, the kind of reader that holds the card during the transaction. There is an alternative to EMV which is near field communication (NFC). NFC allows the user to "tap" or hold the card close to the reader and the transaction is as secure as EMV. NFC is what smart phones use (apple pay, droid pay and Samsung pay, I think there are others). Some cards also also support NFC. Visa and MasterCard advertise cards that are NFC enabled. From what I've read the number of cards with NFC is small. There are two card readers that I know support or will support NFC. Eport by USA Technologies supports NFC. From a different thread I learned that Wash Card does or will support NFC soon. Maybe one of our friends who uses Wash Card will respond with some details.

You've raised some good points. I didn't realize that cryotopay is not PCI certified. I'm not sure what this means for the end user/operator. Do you know if this is a risk of any sort other than the mag strip issue? I agree with you about the risk of having obsolete equipment in the future. I use eports and that is a concern that I have. I'm hoping that NFC becomes as common as EMV. I think there is a good chance that this will happen, but I wouldn't bet on it. I see several contactless payment each week and they seem to be increasing, but thy are a small percentage of my card transactions.

I'm fairly new to the car wash business. Credit card acceptance has been difficult for me to make decisions about. Seems like it shouldn't be so difficult.

BTW - Eport is PCI compliant.

 

[Jeff_L]

In my opinion, chip readers will come and go very quickly. NFC or some other way will pass it up.

 

[loewem]

In my opinion, chip readers will come and go very quickly. NFC or some other way will pass it up.

I think and hope that you are right.

 

[Jeff_L]

Having a chip reader in a self serve bay seems silly to me. I don't know any of my customers who would want to stick and leave their card in a meter box while they move around the bay washing their car. They'd always be watching their card to be sure someone doesn't walk by and grab it. I'm sure the chips on the cards are prone to falling off too after a bunch of use of twisting bending, etc. I know my mag strip cards start cracking after being pulled in out of my wallet a bunch.

As PCI compliance has been explained to me, it's regarding whether any cc info traverses your network in plain text before encryption. Thus a hacker could get in and intercept it. Take WashGear for example (I am a user of their gear too), they send the cc info in plain text from terminal back to the computer in the workshop where it is then encrypted and sent over the internet. Albeit, the data from terminal to computer is sent on a separate, private network, you still have to be PCI compliant because you do have a potential window open in your network for a hacker to sneak in. This is different than CryptoPay, who's swiper encrypts at the swipe before transmission to the coordinator. Thus, nothing is sent in plain text. (I know I kinda said the same thing in the earlier post, but I want to clarify a couple of things as earlier I was typing on my iPad).

 

[Earl Weiss]

HAve Crypto in SS with Cocast internet and First Data. Initially it was not compliant for whatever reason but now it passes.

 

[loewem]

HAve Crypto in SS with Cocast internet and First Data. Initially it was not compliant for whatever reason but now it passes.

I thought that World Pay was the only option for credit card processing with cryptopay. Can you use any card processing service with cryptopay now?

 

[Earl Weiss]

I thought that World Pay was the only option for credit card processing with cryptopay. Can you use any card processing service with cryptopay now?

When I got cryprtopay a few years ago they said I had a choice of First Data and one other. Perhaps World pay. Maybe it's changed.

 

[slash007]

I have First Data for both locations. They were cheaper than World Pay.

 

[Scrub Free]

I use first data and believe it was cheaper also. As far as the risk of being non compliant... I don't think it's as simple as just paying more and/or risking a $12.00 charge back. I may be wrong, but I think if your site is not compliant and someone hacks in, you are personally resposible for their shopping spree. That's how I read the fine print.

 

[soonermajic]

I'm wanting to add Cryptopay to my SS, but you guys are worrying the hel outta me. CaN I add it, or not? If not, then why & what can be done so I can add it?
In layman's terms

 

[slash007]

Simple. If you have digital timers you can add them. If you have Dixmor timers, you can use count up mode. Any other timers, you have to use count down mode. Easy to install. Nothing else to them.

 

[Earl Weiss]

I'm wanting to add Cryptopay to my SS, but you guys are worrying the hel outta me. CaN I add it, or not? If not, then why & what can be done so I can add it?
In layman's terms

You will also need internet at the wash.

 

[mjwalsh]

I use first data and believe it was cheaper also. As far as the risk of being non compliant... I don't think it's as simple as just paying more and/or risking a $12.00 charge back. I may be wrong, but I think if your site is not compliant and someone hacks in, you are personally resposible for their shopping spree. That's how I read the fine print.

Scrub Free & others,

Based on what I heard via C-Span at a hearing in Congress not that long ago from the key players I couldn't agree more with what you have stated. I think another dynamic could be the level of trial lawyers' influence happening along with some court precedents that could come up.

IMHO ... the deepest pockets' tends to be with MasterCharge & others who pushed & continue to push for the mandated weakest link in the chain liability.

I really don't think anybody has a crystal ball as to exactly how the liability thingy will play out in the future. In some people's eyes this makes us the bad guys ... so be it ... we are just sharing our current observations the best way we know how.

mike walsh http://kingkoin.com/USA_Deficit_Reduction.html

 

[Earl Weiss]

This is what my crystal ball tells me. The CC Companies will stick it to the little guy at every opportunity just as they do now even though the equipment and technology is in place to prevent it. with notable small exception lie cryptopay most CC acceptors have a PIN Pad. Simply require a PIN and not the billing zip which is likely the home and easy to find. I say this because theyu jam it to me now when they can for Pay at the pump asking for a signed receipt if the cardholder claims fraud, or in the store if I have the receipt they still deny liability and say i have to pay $250 for arbitration or they chargeback my account.

 

[BBE]

This is what my crystal ball tells me. The CC Companies will stick it to the little guy at every opportunity just as they do now even though the equipment and technology is in place to prevent it. with notable small exception lie cryptopay most CC acceptors have a PIN Pad. Simply require a PIN and not the billing zip which is likely the home and easy to find. I say this because theyu jam it to me now when they can for Pay at the pump asking for a signed receipt if the cardholder claims fraud, or in the store if I have the receipt they still deny liability and say i have to pay $250 for arbitration or they chargeback my account.

Have you ever had the same person try and do more than one chargeback? If so, did you still lose?

 

[loewem]

I'm wanting to add Cryptopay to my SS, but you guys are worrying the hel outta me. CaN I add it, or not? If not, then why & what can be done so I can add it?
In layman's terms

I'm wanting to add Cryptopay to my SS, but you guys are worrying the hel outta me. CaN I add it, or not? If not, then why & what can be done so I can add it?
In layman's terms

Soonermajic, you can add credit card readers, but adding them it isn't without some risk. The issues are not specific to any one credit card system/reader. The issues apply to most options for credit cards at car washes. At least the ones that I've looked at. The discussion that is concerning you and everybody else is about who is responsible when someone commits credit card fraud or hacks into a credit card processing system that contains card data. With the recent movement to issue chip and pin credit cards, the credit card companies and credit card processing companies are shifting the majority of responsibility for card fraud from themselves to the business that accepts the transaction (us). In addition, chip and pin will eventually cause the phase out of the magnetic strip on credit cards.

Hopefully the following scenarios help clarify some of the issues for you. I don't have any first hand experience dealing with these issues, but this is what I've come to understand as some of the issues.

Risks:
- you might be responsible for fraudulent card charges at your wash (stolen or counterfeit cards used at your wash)
- you might be responsible for theft of card information that occurs at your wash (some thieves can steal card data by putting "skimmers" on readers that allow them to steal card information)
- magnetic strips on cards will be phased out at some point. Card readers that only work with the magnetic strips will become obsolete when the magnetic strips go away. When that will happen is unknown and your guess is as good as mine. could be two years could be ten.
- you might be responsible if someone figures out how to hack/steal card data after a customer swipes their card at your wash. are you responsible or is the manufacturer of the system you use responsible? This is related to the comments that Scrub Free made about PCI compliance.

Again, this isn't meant to discourage you or cast any credit card system in a negative light. These are the issues that need to be understood and they are going to be present with most card systems available for car washes at this time.

 

[Earl Weiss]

Have you ever had the same person try and do more than one chargeback? If so, did you still lose?

No, But i don't think it's a function of it being a scam or not. Once unauthorized use is claimed they kill the card.