The general steps for setting up Theatre Manager to accept multiple currencies are:

• Merchant Account Setup:
  • Contact your bank or service provider to get a merchant account in the second currency
  • Enter the merchant account information into Theatre Manager using Setup Setup -> System Tables -> Merchant Accounts
  • Make sure to indicate the currency properly on the Currency Tab
• Payment Setup:
  • Create additional Visa/MC/Amex/Diners and/or Discover payment methods
  • Associate them with the second merchant account
• Conversion Rate Setup:
  • Enter an exchange rate to indicate the equivalent cost/conversion rate for the other currency
  • On an ongoing basis, add new currency exchange records when you want update the exchange rate. Theatre Manager always takes the one that is in effect as of the date of the transaction, so you can retain a history of past exchange rates.

Once you have completed the above 3 steps, you should test your setup on web site.

Testing Online Sales

On your ticketing web site:

• Log in as a patron
• Purchase some tickets
• Proceed to the checkout window where you will see the currency options (see screen shot below)
  • This contains the all currencies you have set up
  • Select the currency you wish to use for this order
  • Changing currencies will cause the price to be re-displayed in the currency chosen
  • You can change currencies as often as you want to see the price change

Please note: this means everyone can select any currency when purchasing online.

Example of a conversion

In the example, the site has been set up to convert Canadian dollars to American dollars. If the patron is purchasing $100 worth of tickets and the exchange rate is $1.00CAD = $0.70 USD

• The $100 purchase defaults to CAD, and the patron will pay $100 CAD
• If a patron selects USD; Theatre Manager makes the conversion, and the price will be changed to $70 USD
• After entering the card information $70 USD will now be sent through the new Merchant Account

What if the patron selects the wrong currency?

The onus is on the patron to select a currency that matches their credit card. Theatre Manager will send the amount and the currency to the merchant provider so that you are covered. If a patron selects USD on a Canadian card (or vice versa), the bank charges the right amount on their card and you will always end up with

• A fully paid order
• Multiple merchant accounts to settle for the right amount at the end of day process
• Money in your respective USD or CAD that you can transfer as needed to take advantage of exchange rates

• Card on File (COF)
  • Customer Initiated Transaction (CIT)
  • Merchant Initiated Transactions (MIT)
• Purchase Return Authorizations (PRA)

Authorize.Net is currently in the process of implementing support for the Visa, MasterCard, and Discover Card on File (COF) for Customer Initiated Transaction (CIT) and Merchant Initiated Transaction (MIT) as well as the separate Purchase Returns Authorization (PRA) Mandates. This article will provide you with the latest, up-to-date information available as well as links to available resources for more information.

What does this mean for Auth.net users (and potentially users of other merchant providers)

Card on file (COF) means that you, the merchant, are saving customer payment data for future reuse.

The vast majority of credit card authorizations in Theatre Manager result from cards entered online by patrons or typed/swiped/tapped at the box office as part of a transaction. These transactions are not the subject of this email from Authorize.net Theatre Manager supports post dated or recurring payments for donations and other purchases which may be affected by the Visa, MasterCard, Discover rules. If data is stored in Theatre Manager, post dated payments are considered Card Not Present transactions, and treated as the above - just like they are original transactions with all card data. If data is stored at the credit card company using merchant profiles they may be subject to any of the Visa/Mastercard/Discover data storage changes described by Authorize.net as 'in-progress'. In this case, as it pertains to Theatre Manager, your merchant processor will handle any changes required.

How to influence stored credit card data in Theatre Manager

Theatre Manager enables saving card data is via settings in system preferences PCI tab:

• for self hosted - you can pick schedule D in the PCI tab (see explanations of Schedule A/B/C/D) and decide how long you want to save data, or you can pick the other two options.
• for cloud hosted - you can decide to:
  • never store data (schedule C), or
  • only store card data for only post dated payments (schedule D)
• For either self hosted or cloud hosted, you can enable Merchant Profile and Theatre Manager will send card data to your merchant provider to get them to store it. This:
  • moves all responsibility for storing card data to your merchant provider -without-
  • diminishing your ability to use this stored card data for recurring payments.

• look at their shopping cart and
• review the cart logs on the cart detail->log page

Theatre Manager only tells the patron that the card did not work - it does not tell them why their credit card was declined. Their card could have been declined for a number of reasons. The bank does pass back the messages, such as:

• Do not honor - a general message that tells you the bank wont authorize the card
• Decline - another general message that the card is not accepted
• Hold Card - may mean that the card was stolen and the merchant is being asked to keep it
• Insufficient Funds - mean what it says
• Address Verification (AVS) Error - means that zip/postal code verification was incorrect. You may have overly strict AVS settings on your merchant account - so refer to your merchant account online setup or call your merchant provider directly
• Card Verification Value (CVV) Error - means that the CVV2 number was either not entered at all or not correct - TM is not allowed display what was entered for PCI reasons.
• etc.

On the off-hand possibility that the card was being used by an unauthorized person, PCI recommendations for online sales are to simply state the card cant be used and not give away any further information to the bad guys.

How to help the Patron?

If a patron calls in and tells you their card was declined, you need to look at their shopping cart, on the web logs page. The picture below shows the typical messages you would see if a card was successfully authorized. There are 6 main messages in process.

Anybody who is declined will not see the full 6 steps. -- it wlll probably stop on step 3 or 4 and have an error that you should read indicating why the card was declined.

Instead, some time after step 1, there will be a message indicating WHY the card was declined. In such as case, you can help the patron check out their shopping cart manually (see Checkout button).

If there are many declines in a day

If you received a rash of reports that cards are being declined, you can search for them en masse in the web listener logs to see if there is a trend.

PCI DSS requirements state that all payment systems must disable TLS 1.0 by June 30, 2016. Under that directive, Authorize.net and Orbital have sent messages to many customers that they intend to require TLS 1.2 at a date to be determined. Theatre Manager conforms with the PCI compliance rule ahead of that date and will connect to TLS 1.1 and/or TLS 1.2 only servers as long as you have either: Upgraded to version 10.06 or later -OR- Have manually installed a special version 10.05.45 on all workstations and the TM server using these download links Windows 10.05.45 with TLS 1.2 support Macintosh 10.05.45 with TLS 1.2 support

PCI DSS requires that web sites should not use low or insecure TLS encryption. Our standard NGINX installers only accept TLS 1.2 connecton.

Also some items in the Sept 2015 Authorize.net newsletter and Orbital communique were some other items of interest, specifically:

• Auth.net Transaction ID changes for character length up to 20 and arriving in sequential order. None of these affect Theatre Manager as Theatre Manager already permits 50 character authorizations and all we do is store them for reference.
• SHA2 certificates on the authorization servers. We have tested Theatre Manager and all current versions of TM will connect to a server that uses SHA2 certificates without any changes.
• Orbital will accept only TLS 1.2 as of May 31, 2017 - and this works in the latest TM

Side note: commerce web sites are going to require TLS 1.1 or later in the near future which could affect usage if some browsers are like the older Internet Explorer

In Canada, Theatre Manager the following using Moneris EMV integration and Verifone P400 devices: chip & pin, tap, swipe, Interac Apple Pay and manual card entry

Historically

Visa/Mastercard in the USA is implementing an October 1, 2015 policy change introducing EMV (short for Europay, Mastercard and Visa -- credit cards with chips in them) to assist fraud management. EMV cards have been used throughout the rest of the world for long time. This will be a good thing for US consumers doing walk up purchases at supermarkets, large box retailers, restaurants, gas stations etc.. Responsibility does not change one iota for web, mail and phone order sales - which are deemed cart not present.

Our thoughts are below. Interestingly, after writing this, a credit card authorization vendor that wants you to buy EMV reader had very similar things to say - meaning you have to think what it means to your venue.

Theatre Manager and EMV

We've been asked a number of times if Theatre Manager and people who own EMV credit cards can work together. The short answer is YES.

How does an EMV credit card affect Card Not Present sales?

There is no impact.

90% (i.e. the vast majority) of ticket sales by arts and entertainment organizations happen in advance of the event. This is simply because people want to guarantee they have tickets before they show up at the door. Most ticket sales occur:

• by calling the box office and telling the credit card info to staff
• using online web sales and entering the credit card number in a web form
• mailing subscription renewal forms along with check or card info for payment

The credit card companies refer to these payments as Card-Not-Present. It simply means that the patron did not come to a venue and physically present their credit card.

Card-not-Present purchases will continue to work as they currently do since it is the only way to do web and phone sales using existing technology. Online site will require a card to be typed and phone sales need it spoken over the phone . Canadians have been using chip enabled cards for years at Theatre Manager venues in this exact manner.

What about EMV and Box Office Card Present sales?

The direct processing service providers integrated with Theatre Manager work with card not present. There are a couple service providers that accept Track II card swipe information - providing a card present option. None of the service proividers currently have an API to interface with an EMV reader that we are aware of.

Essentially this means that box office sales are treated as if the credit card was typed (card swipes are just keyboard devices) so any existing technology continues to work without modification.

What about Merchants being responsible for non EMV Authorizations?

Visa and Mastercard are somewhat disingenuous stating that all Card Not Present transactions will be exempted from existing fraud protection efforts after October 1, 2015 (generally web and phone sales already are eligible for chargebacks). Furthermore, since a very large proportion of ticketing sales are phone/mail/web card-not-present transactions, there is nothing that a chip on the card will do to help. This is a convenient way for the banks to move all financial onus to merchants for most sales.

The remaining 10% +/- walk up business could be covered for fraud protection if an EMV card reader was used and the card had an EMV chip - which not all cards will have initially. Therefore, merchants have two possible options for box office sales:

• Get enough EMV chip/pin readers for their box office stations
• Continue with current credit card swipes or typing card numbers into TM

What would using an EMV card reader mean to the box office?

If you rent one or more EMV card machines from a bank, the process to integrate them is quite simple.

Setup

• Add payment options to the payment code table.. When setting them up:
  • make the payment type other
  • use short codes for the payment methods like EMVISA, EMV-MC, etc.
  • make the descriptions like 'EMV-Visa' , 'EMV-Master Card' so that they are obvious in the payment popup menu
  • make the card number and authorization number fields optional.
• Note: DO NOT CHANGE the existing credit card payments or merchant accounts. These will still be used for any card you will accept online and by phone. The additional payment methods are used to track payments put through an EMV machine

Taking a payment

At the box office, if somebody:

• uses a chip and pin card, then put it through the EMV machine and then use the EMV payment method in TM
• uses a card without chip and pin, then you might want to use the existing CC payment methods and let TM authorize it.

The End of Day Process

The end of day process hardly changes at all

• Any Card-Not-Present processed through Theatre Manager for web, phone or mail order sales will work the same
• Any payment taken through the new EMVxxx payment options will in each employee till balance, just like cash and check.
• you will need to compare the EMV totals in the till balance with closing tape balance from the EMV machine

What about the cost - is it worth using EMV terminals with TM

This is a very good question. Financially, we don't think so for most venues. We do for some.

Cost

It has been suggested that EMV terminals will rent for between $60 and $120 per month per terminal (payable to the merchant service provider).

Benefit

There has been no indication of rate reduction. Historically credit card companies may discount a small amount (eg 1/4%) to give a better rate for less risk. It will be small because they like profit and can justify the enhanced security as a benefit to you. So suppose it is 1/4%. That means you would need to:

Take $24,000 to $48,000 in CC authorizations per terminal per month in walk up sales to break even.

Multiply the amount above by each terminal you need and adjust for rate savings. The math is simple:

number of terminals * monthly rental * (100/rate saving %) (eg 1 * $60 * 100/0.25 = $24,000).

We don't think EMV would do much on preventing chargebacks because most business is via web/phone and mail sales. It seems a case of paying for limited benefit. It also affects the ability to refund credit cards taken for walk up sales - because you can't refund them if you don't have the number.

What if I didn't use an EMV card reader?

Theatre Manager and your current card swipes would continue to work.

Credit card charges continue be sent to the bank as Card not present or Card Present with Track II (if your merchant provider supports it). There really isn't any change to your business, other than you may now be responsible for fraudulent walk up chargebacks. In my experience, people who see a show rarely dispute a charge. On the other hand, you may save enough money to cover the occasional problem if you don't rent terminals - its like self insuring.

Do EMV cards have any impact on PCI compliance?

Absolutely Not - EMV credit card readers are merely an additonal fraud prevention technique.

PCI compliance is simply risk management and focused on how credit card numbers are stored/managed within your venue. You can choose any retention period for cards, including never storing them (a choice dependant on your venues needs). You reduce risk by storing only the card information you think you need and making sure you implement network security, firewalls and Apache updates that we recommend in our installation instructions. Risk is mitigated by using the PCI Schedule 'C' settings, or entering a short retention period for Schedule 'D'

What might ArtsMan do in the future?

There are so many EMV devices out there, the least expensive of them are stand-alone and programable ones are more expensive to rent. Each bank uses a different/custom EMV device., many of them are from Ingenico or Verifone.

If the vendors and Banks can settle on a standard API to talk to the machines and cause them to charge credit cards (that doesn't have to change for each device), then we will write some code that can talk to them. We've been in discussions with some vendors, but the banks are all about proprietary and never about standards and easy.

This means we will take a cautious approach regarding what machines to build and interface for -- mindful that the economics of EMV machine rental are really marginal for our venues because of the ratio of Card Not Present sales to Card Present EMV walkup.

1. the patron uses a card with a different billing address than what they have put into their online account in TM -AND-
2. your online merchant account settings have been set to very strict

The Online Portal for your merchant account defines the AVS settings

As expected, the banks preference is to be super-tight with AVS rules, so they usually default your online account to reject any non-matching addresses. For online sales, you can't expect the patron to make the address exactly match the bank so we suggest:

• Logging on to your bank portal. For example, if you use:
  • Paymentech Orbital, log in to the Orbital Virtual Terminal that you use for managing end of day.
  • Moneris e-select plus has a gateway
  • as do all the other merchant providers.
• find the section in the authorization options and disable all address verification options - i.e. tell the bank to accept the card even with address mis-matches

When your account is set this way at the bank portal, if there is an AVS mismatch, the authorization will still go through. If the AVS does match, it just helps verify the patron.

Your merchant account support people are usually better able to help with settings and using your virtual terminal. We may be able to help find it for you, but since the banks own their software, we are not always 100% familiar with each banking interface.