Updated 11.20.2023
Recurring Billing Malpractice
You’re likely aware already that recurrent billing (much better known as “recurring billing”) of a credit or debit card is quite popular among merchants and customers alike these days.
Just in case you’ve been hiding out in an underground room beneath a rock, recurring billing refers to a system wherein, after a customer has done a one-time setup (typically online) and given a one-time authorization, a merchant can bill that customer’s card over and over again, periodically (typically monthly), for the same service, subscription, etc., without the customer needing to do anything more. This recurring billing cycle goes on until the customer contacts the merchant and asks for it to be stopped (for example, because the customer no longer wants or needs the subscription).
Historically, recurring billing has been done by ACH or other bank-to-bank transfers. These days, it is done more and more by credit or debit card. While some customers remain skittish about letting a merchant bill them continually, more and more of them see the advantages of setting up recurring billing for something they know they will keep needing or wanting. It speeds up payment, frees up a little of the customer’s “brain space”, greatly reduces the chance of errors in order placement, and even helps the customer be a little more disciplined about spending. On the merchant side, recurring billing of a card means fewer delinquencies, fewer late payments, less time and money spent tracking down customers (which means more time and energy available for helping customers with real problems), better cash flow, and more commitment from customers.
Unfortunately, we here at E-Complish have seen many instances of, let us say, “recurring billing malpractice”. It seems to be the norm and not the exception.
You see, during the one-time setup for recurring billing of a credit or debit card, the customer must enter the card’s verification code. It goes by different names depending on the card brand (CVV2 on Visa, CVC2 on Mastercard, CID on American Express); for clarity, we’ll call it the CVV from now on. The CVV is printed on the card and is not encoded in the magnetic stripe or chip, so supplying it in a card-not-present transaction is evidence that the person entering the card details has the physical card in hand. It is meant as a layer of security against fraud with stolen card numbers. For this very reason, the PCI Data Security Standard forbids ANY merchant from storing the CVV after authorization, even in encrypted form. The other card data (card number, expiration date, cardholder name) may be stored, and has to be for recurring billing, although the card number must be protected wherever it is kept (encrypted, or better, replaced by a token from the processor). The CVV, by contrast, is entered only once, at the initial setup and authorization, purely to verify that the cardholder has possession of the card. Once that authorization has completed, the merchant must discard the CVV immediately and NEVER store or reuse it. This is where we see “recurring billing malpractice” all the time.
To be clear, under the PCI rules a merchant found to be storing CVV codes is subject to having its card processing privileges taken away, and in today’s business world that is tantamount to being put right out of business! In spite of this firm rule, we’ve encountered merchants who are either ignorant of it or are trying to circumvent it, usually in the hope of getting a discounted transaction rate from the processor by submitting every recurring charge with a CVV as if it were a fresh, customer-initiated purchase (in the name of using a “more secure” transaction system).
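To make the flow just described concrete, here is an added example, written for this article and not taken from E-Complish, Stripe or any card brand’s code. The gateway, its token format and the stored-record field names are assumptions made for the demonstration, and the card number is a public Amex test number, not a real account. The example shows the two sides of the rule side by side: a setup routine that does what the malpractice looks like (saves the whole form, CVV included) next to the compliant one (passes the CVV through to the single setup authorization and keeps only a processor token, the last four digits and the expiration), a billing-cycle charge that is authorized on the token alone with no CVV, and a small scanner that flags any persisted record still carrying a verification-code field, which is the check you would run over a merchant’s stored card records before an assessment.

```python
"""Card-on-file recurring billing: the CVV is used once, then it must disappear.

Constructed demonstration with a mock gateway; no real card data, no network calls.
"""
import json
import re
from dataclasses import dataclass, asdict


class MockGateway:
    """Stand-in for a real processor; its API is an assumption for this demo.

    The initial card-not-present authorization needs the CVV. Every later charge is
    authorized on the stored credential (token) alone, which is exactly why a
    recurring charge never needs the code and the merchant never needs to keep it.
    """

    def __init__(self):
        # token -> (pan, exp_month, exp_year): the gateway's vault, not the merchant's.
        self._vault = {}

    def setup_authorization(self, pan, exp_month, exp_year, cvv):
        if not re.fullmatch(r"\d{3,4}", cvv or ""):
            raise ValueError("initial setup authorization requires the card verification code")
        token = f"tok_{len(self._vault) + 1:06d}"
        self._vault[token] = (pan, exp_month, exp_year)
        return token

    def charge(self, token, amount_cents):
        # No cvv parameter at all: a merchant-initiated recurring charge is
        # authorized against the stored credential referenced by the token.
        if token not in self._vault:
            raise KeyError("unknown token")
        return {"status": "approved", "token": token, "amount_cents": amount_cents}


@dataclass
class StoredCard:
    """The only card data the merchant persists: a token plus display fields."""
    token: str
    last4: str
    exp_month: int
    exp_year: int

    def to_record(self):
        return asdict(self)


# Field names that mean a verification code has been written somewhere it must not be.
CVV_FIELD = re.compile(r"^(cvv2?|cvc2?|cid|csc|security[_ ]?code)$", re.IGNORECASE)


def find_stored_cvv(record):
    """Returns the keys of a persisted record that hold a verification code (empty means clean)."""
    return sorted(k for k in record if CVV_FIELD.match(str(k)))


def setup_recurring_billing_malpractice(gateway, card):
    """The pattern the article describes: the whole setup form, CVV included, is saved."""
    token = gateway.setup_authorization(card["pan"], card["exp_month"], card["exp_year"], card["cvv"])
    record = dict(card)  # pan and cvv land in the merchant's database
    record["token"] = token
    return record


def setup_recurring_billing(gateway, card):
    """Compliant: the CVV goes straight to the setup authorization and is then dropped."""
    token = gateway.setup_authorization(card["pan"], card["exp_month"], card["exp_year"], card["cvv"])
    # Only the token and display fields survive. The PAN lives in the gateway's
    # vault, and the CVV exists nowhere once this function returns.
    return StoredCard(token=token, last4=card["pan"][-4:],
                      exp_month=card["exp_month"], exp_year=card["exp_year"])


def bill_cycle(gateway, stored, amount_cents):
    """One periodic charge: token only, no CVV, no PAN."""
    return gateway.charge(stored.token, amount_cents)


# Constructed input: a public Amex test card number, not a real account.
SAMPLE_CARD = {"pan": "378282246310005", "exp_month": 12, "exp_year": 2026, "cvv": "1234"}


def demo():
    """Runs both setups against one gateway and two billing cycles on the compliant record."""
    gw = MockGateway()
    bad = setup_recurring_billing_malpractice(gw, SAMPLE_CARD)
    good = setup_recurring_billing(gw, SAMPLE_CARD)
    return {
        "malpractice_record_flags": find_stored_cvv(bad),             # ['cvv']
        "compliant_record_flags": find_stored_cvv(good.to_record()),  # []
        "compliant_record": good.to_record(),
        "cycle_1": bill_cycle(gw, good, 4999),
        "cycle_2": bill_cycle(gw, good, 4999),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The scanner matches on field names only; in a real review you would also grep stored rows, logs and support mailboxes for 3- or 4-digit values sitting next to card numbers, since the record the article describes (a CVV sent by email) never has a tidy column name.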
One recent example of this “recurring billing malpractice” happened to none other than our own CEO, Mr. Stephen Price (“Stephen” from here on)!
Stephen had used an American Express credit card to set up recurring billing with a supplier. The initial setup and authorization went through without the slightest wrinkle, and, secure in the knowledge that there was plenty of credit on the Amex, Stephen thought nothing more about the matter.
When the time for the first recurring charge came, nothing happened: no charge was posted to the card, which meant no supplies were on their way. Stephen knew this because he received a “declined credit card” notification. Dumbfounded, he double-checked the Amex expiration date and all the other card details, but everything was correct and current.
After a call to Amex, Stephen was able to tell the supplier’s billing department that the authorization request had never reached American Express, and as the CEO of a payment processing company he surmised that the billing department’s Stripe configuration wasn’t set up properly. That was something the supplier would have to straighten out, since the Amex card in question was in good standing and ready to be charged.
But then Stephen learned the truth: the supplier’s billing department “couldn’t” put the transaction through because a vital piece of card information was allegedly missing. That piece of information was, of course, the CVV.
Stephen had entered the Amex card’s CVV at setup and authorization time, and after that the CVV should not have been needed for any future recurring charge. Not only did this billing department fail to understand that, it had the audacity to ask for the code to be sent by email, another gargantuan “no-no” completely outside PCI standard protocols: PCI DSS forbids sending unprotected card data over end-user messaging such as email, and a CVV that lands in a mailbox has, by definition, been stored.
At this point, Stephen was not pleased with the supplier’s billing department. Didn’t they know the rules? Did they really want to violate PCI requirements, jeopardizing their merchant account, and drag him into it by asking him to email a CVV? And was his card information going to be safe with a merchant that was evidently trying to store the CVV?
After a time-consuming exchange of emails and then a phone call to the supplier’s customer service department, the matter was resolved and the Amex card was charged as intended. Nevertheless, this was a mistake that should never have occurred. It put the supplier and the integrity of Stephen’s card at risk while consuming time and attention that should have been focused elsewhere.
The worst part of all this is that this wasn’t an anomaly. This wasn’t some bizarrely incompetent or dishonest billing department that Stephen was dealing with. As we’ve said, we’ve seen this all too often with merchants.
The bottom line if you’re a merchant: you must not store CVV values. PCI DSS prohibits it outright, encrypted or not. The CVV is needed only for a one-time purchase or for the initial authorization that sets up recurring billing; every subsequent recurring charge is submitted against the stored card credential (or processor token) without it. That’s it. Don’t compromise a customer’s card security or the integrity of your business by failing to understand this simple PCI compliance rule.
On a side note, if you are trying to save money by processing every charge with a CVV, then the customer must enter the CVV themselves, for each payment, through a self-serve system like the E-Complish HostPay system, so that the code never passes through or sits in your own systems.