Skip to main content
ArticlesPCI ComplianceSecurity

Frequently Asked Questions About Payment Processing

By August 18, 2022September 1st, 2022No Comments

Over 20+ years in the payment processing industry, we have seen it all. Our team has helped merchants deal with everything from the routine and mundane to the obscure and impractical. Through it all, there have been a handful of “frequent fliers” that we see all the time.

To help you answer your questions about integrated payments, we’ve put together a list of the most frequently asked questions that we hear.

Does Curbstone’s payment processing solution support tokenization?

The short answer is yes! Curbstone’s products were developed with two intentions:

  • Providing merchants with the ability to accept card payments securely
  • Providing merchants with the ability to qualify for the least complicated Payment Card Industry Self-Assessment Questionnaire (PCI-SAQ)

Given that tokenization is highly encouraged by PCI as a secure method to offload direct handling of the cardholder data, you’d better believe that it is a core component of our payment processing technologies.

What is the difference between a surcharge and a convenience fee?

There are some special considerations when it comes to surcharges – a.k.a., credit card processing fees that merchants pass on to their customers.

  • A convenience fee is a fee that is added to the base amount of a customer’s purchase and run as a single transaction. The fee amount must be itemized on the receipt.
  • A surcharge is a fee for a specific service. This MUST be processed as its own, separate transaction. The fee amount must be itemized on the receipt.

Surcharges are card brand-specific (set by Visa, Mastercard, etc.) and require the charging entity to have performed a certification prior to use.

Is it legal to charge customers surcharges or convenience fees? Generally, yes, although there are absolutely legal considerations that vary state to state. For example:

  • Merchants have to charge the same fee to all clients.
  • The fee cannot be more than the merchant actually pays.
  • The merchant must offer a way to pay without the fee.

While Curbstone cannot help with your legal specifics, we can help you get in touch with the correct person. Then, once you have determined your business’s preferred approach to payment processing surcharges and convenience fees, Curbstone can help you tailor your transactions accordingly.

How is an authorization different from a sale transaction?

In the world of credit card processing, there are two key actions: authorizations and settlements. (Ultimately, there are more, but for now let’s stick to these two.)

Authorization is the act of validating the account information provided by the cardholder. This includes verifying that the card is valid and that the account associated with the card is active. One could also verify the name, address, and CVV code provided by the cardholder against that on file with the issuing bank.

A merchant can verify all of the above without impacting the cardholder. We call this a “$0 authorization”. Alternatively, an authorization against the order total can be made, which will validate all of the above while also checking that the account has adequate funds for the transaction.

Authorizations appear as pending transactions, or holds, against the cardholder’s account until the merchant performs the other action mentioned above: the settlement.

Settlement is the process of submitting a batch of authorizations; generally, everything that has been ordered or shipped since the previous settlement. During settlement, the funds actually leave the consumer’s account and are deposited into the merchant’s account.

The primary difference between a pre-authorization transaction and a sale transaction is that a sale transaction is automatically included in settlement, without any additional action required. A pre-authorization transaction will only be submitted for settlement once that transaction has been flagged to be included in the next settlement.

How is a voided transaction different from a credit?

When a pre-authorization is made, the funds are held until the merchant settles that transaction, at which point the funds are removed from the cardholder’s account. Prior to settling, a merchant can perform a void, which will eliminate the pre-authorization. Voiding the transaction will remove the transaction from the order entry system and will release the funds back into the cardholder’s account.

If that pre-authorization was settled, but needed to be reversed, a “credit” transaction would be used. Credits work just like authorizations except the money moves in reverse. Authorizations take money from the cardholder and deposit it into the merchant’s account. Credits take money from the merchant’s account and deposits it into the cardholder’s account.

The easy rule of thumb to keep in mind: pre-settle = void or post-settle = credit.

Does Curbstone offer the ability to save/use cards on file? 

Of course we do! This pairs with our usage of tokenization. Curbstone supports the ability to store and refer to cards on file for referential transactions. Accept the card once and use it again whenever you need to – whether that’s to streamline a future purchase or to issue a refund or credit.

Are debit cards considered in scope for PCI?

This one is a tricky one. PCI is mandatory for any merchant that accepts credit cards, which has left many merchants wondering if they can only accept debit cards to avoid the burdens of PCI compliance. However, debit card transactions absolutely do fall under the scope of PCI requirements.

When PCI refers to scope, they are referring to systems, processes, or people that have access to or can impact the security of cardholder data (CHD). This extends to systems, processes, or people who have access to systems, processes, and people that have access to cardholder data. Phew – that was a mouthful. Basically, anything in your environment and in your control, that can access CHD or that can communicate with something that has access, is considered in scope for PCI reporting and audits.

Once the data contained within a payment card – be it debit or credit – is passed into your possession, that is where your scope typically begins.

However, please keep in mind: Curbstone can have competent conversations, based on our industry experience, when it comes to PCI scope. With that said, we aren’t QSAs (PCI-Qualified Security Assessors). For anything authoritative regarding your compliance obligations, you must consult with a QSA.

Other Questions? Just ask!

Whether you’re actively shopping for a new payment processing system or just looking to optimize what you already have in place, we’re here to serve as a resource. Feel free to submit any additional questions you have below and we’ll get you an answer:

A Trusted Member Of The Payments Industry