Daily Archives: January 13, 2013

PCI Compliance

An Overview

Some of you have expressed a little concern and are apprehensive about how the new PCI compliant method of approving credit cards will work.

Knowing how easy flowerSoft’s current credit card approval method is, I can understand the concern.

Let me explain the differences between the 2 methods of obtaining approvals.

The current method allows you to store as many credit card numbers for a customer as they are willing to give you.  flowerSoft uses ICVerify as a ‘go-between’ between itself and your bank or clearing house.  flowerSoft passes the credit card information to ICVerify, and ICVerify communicates with the clearing house and obtains an approval or decline from the clearing house.  ICVerify then passes that approval information to flowerSoft.

I have had some customers tell me that they have called First Data (the company that owns ICVerify) to ask about ICVerify’s compliance and they have been told that ICVerify is compliant.
This is true if you are running the latest version of ICVerify, which is version 4.04.  All earlier versions are not compliant.  And while it is true that ICVerify version 4.04 is compliant because they encrypt the information going to and coming from your bank, it does not mean that you are compliant.  You are still keeping credit card numbers stored in your computer system.
While these stored numbers are encrypted with flowerSoft’s own encryption algorithm, they are still stored in your system and that alone can make you and/or your shop fail the PCI compliance test and be subject to fines and penalties from your bank or clearing institution.

The new PCI compliant method also allows you to store as many credit card numbers for a customer as they are willing to give you, but the stored numbers are not kept by flowerSoft or you in your computer system and that makes you and/or your shop compliant.  If you do not store the credit card numbers or any other credit card data except for the last 4 digits of the card and the expiration date, no one can break into your system and steal the actual credit card number.

There is one disadvantage to the new PCI compliant method, and that disadvantage is that because you are not allowed to keep credit card data in your system, the first time a customer calls, after you’ve embraced the PCI compliant method, you will need to enter the credit card number, expiration date and security code as if this was the first time the customer used that card with you.

Here is what the process looks like…

A customer, either new or existing, calls you to place an order with you.  Once you get to the method of payment and select CREDIT CARD, a web page will open up to allow you to enter the credit card information.  Below is what this web page looks like:


On the web page above, you enter the credit card number, the expiration date and the security code of the card and click on the “Submit” button.

Merchant Warehouse’s program will then obtain the approval information and pass it back to flowerSoft.


Notice that in addition to the approval number there is something new called an MW Token.  In the example above that token # is 77238 and it will be used in future transactions from that customer if he or she uses the same credit card.

Let’s say the customer comes back a month later and places another order with you using the same credit card.  When you get to the method of payment field and select credit card, flowerSoft, instead of opening the web page for you to enter the credit card information, will display the following screen:


As you can see, the previously used card is now displayed by flowerSoft, even though it does not store the full credit card information in your computer.
It only stores the last 4 digits and the expiration date, which should be enough for you and your employees to be able to select it.
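
To make the difference concrete, here is an added example (not flowerSoft's or Merchant Warehouse's code) that builds the kind of record described above, holding only the token, the last 4 digits and the expiration date, and then checks stored records for any field that still holds a full card number. The field names, the record layout and the sample customer are assumptions made for illustration; the token value is the one from the example above.

```python
import re
from dataclasses import dataclass, asdict

# Candidate card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")

def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

@dataclass
class StoredCard:
    """What stays on the shop's system (hypothetical layout): token, last 4, expiration."""
    token: str
    last4: str
    expires: str

def card_on_file(pan: str, expires: str, token: str) -> StoredCard:
    """Build the record kept after an approval; the full number is not retained."""
    digits = re.sub(r"\D", "", pan)
    return StoredCard(token=token, last4=digits[-4:], expires=expires)

def find_stored_pans(record: dict) -> list:
    """Return the names of fields that still contain a Luhn-valid full card number."""
    hits = []
    for field, value in record.items():
        for match in PAN_CANDIDATE.finditer(str(value)):
            if luhn_valid(re.sub(r"\D", "", match.group())):
                hits.append(field)
                break
    return hits

# Constructed sample data: 4111 1111 1111 1111 is a well-known test number, not a real card.
FULL_NUMBER_RECORD = {"customer": "Jane Doe", "card": "4111 1111 1111 1111", "expires": "05/15"}
TOKEN_RECORD = {"customer": "Jane Doe",
                **asdict(card_on_file("4111 1111 1111 1111", "05/15", "77238"))}

if __name__ == "__main__":
    print("full-number record:", find_stored_pans(FULL_NUMBER_RECORD))
    print("token record:      ", find_stored_pans(TOKEN_RECORD))
```

A scan like this only finds numbers stored in readable form; numbers kept in encrypted form, as in the current method, would not be matched but are still stored card data.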

But what if the customer now wants to use a different credit card?

Notice that at the bottom of the screen there is a prompt that reads N-New Card.  Should you hit N, flowerSoft will bring up the web page again for you to enter the new credit card information:


Enter the new credit card and flowerSoft will try to get an approval:



The next time the customer places an order with you, both credit cards will be visible for you to pick from.
















So as you can see, the new method is not that different from the old one and should not be a problem for you or your employees to get used to.

This new method will also work when entering A/R payments on account and recurring orders.