Secure Card Entry

When processing credit and bank cards securely, several measures must be taken into account:

With Release 27.1, manual entry of credit card numbers is more secure for Point to Point Encryption, also known as Transactional Security (Option 1345=Y). POS stations can now launch a secure card entry dialog that communicates directly with the Epicor Gateway to retrieve a token for use in card processing functions. This applies to bankcard entry on the POS Totals screen, stored credit card entry in Customer Maintenance (MCR’s Go To Menu A), and adding a payment transaction in Credit Authorization Detail Viewer (CARD).

To enable manual entry:

  1. Navigate to Device Configuration.

  2. Enable the Secure Card Entry Device.

  3. Press Change. 

  4. Exit and re-enter POS.

Once enabled, when a clerk attempts to manually enter a credit card, a secure connection is made to the Epicor Gateway’s Hosted Token Page website, and the website’s Secure Card Entry dialog displays for the clerk to enter the card’s information. This information is securely passed to the Epicor Hosted Token website, and a token is generated and pasted back into the POS credit card field. This eliminates the accidental entry or saving of an unencrypted card number in Eagle.

Important: If your network employs content filtering (CFS) for your computers, you must have the https://sce.toogo.io URL open for Secure Card Entry.

 

Automatic Notifications for Cardholder Information

In Release 29.1, the system also automatically provides notifications based on specific triggers to adhere to new mandates for keeping customer credit card information on file. Issuers now have more specific requirements for the storage and use of credit card data for future purchases and billing. Merchants must identify when a card is initially stored and identify subsequent authorization requests. The following triggers are applied:

Additionally, when a clerk selects a stored credit card from the Misc. Menu > Credit Card option in the POS Totals dialog box, they must use the Initiated By drop-down to select whether the transaction is merchant initiated or customer initiated. The system can then send the appropriate card-on-file indicators with the authorization request. The default is Customer Initiated.

Cardholder Disclosure and Consent

Merchants who store cardholder information on their system are now required to maintain written authorization and consent from the cardholder. This agreement must be retained for the duration that the card is stored and be provided to the Card Issuer upon request.

This signed consent must include the following:

Written Disclosure Consent Example

The following represents a traditional disclosure consent form used in these situations:

I/(we) hereby authorize (Merchant) to store my (our) credit/debit card ending in (insert last 4 digits of the card number). I further authorize (Merchant Name) to make repeated and/or unscheduled charges to my (our) credit/debit card for future purchases that I verbally or otherwise authorize from time to time and, if necessary, initiate adjustments for any transaction errors. This authorization will remain in effect until (insert Merchant's name) is notified by me to cancel this authorization.

I further understand and agree to abide by (insert merchant name) refund policy related to this or any other purchases made with my credit/debit card on file.  Any future changes made to this agreement will be sent via email at the address listed below.

Cardholder Signature:                                                                                    Date Signed:  

 

Cardholder Name:  

Cardholder email address: