Credit Card Authorization FAQs

The following links show some contact information for credit card service providers and other assorted questions.

Accepting Multiple Currencies

Accepting multiple currencies requires you to have a merchant account in each currency you wish to accept.

Contact your credit card processor to set up a second account to process funds in the other currency. When you have all the account information for the second currency, you can begin the process of creating the second Merchant Account in Theatre Manager.

The general steps for setting up Theatre Manager to accept multiple currencies are:

  • Merchant Account Setup:
    • Contact your bank or service provider to get a merchant account in the second currency
    • Enter the merchant account information into Theatre Manager using Setup -> System Tables -> Merchant Accounts
    • Make sure to indicate the currency properly on the Currency Tab
  • Payment Setup:
  • Conversion Rate Setup:
    • Enter an exchange rate to indicate the equivalent cost/conversion rate for the other currency
    • On an ongoing basis, add new currency exchange records when you want to update the exchange rate. Theatre Manager always takes the one that is in effect as of the date of the transaction, so you can retain a history of past exchange rates.

Once you have completed the above 3 steps, you should test your setup on your web site.

 

Testing Online Sales

On your ticketing web site:

  • Log in as a patron
  • Purchase some tickets
  • Proceed to the checkout window where you will see the currency options (see screen shot below)
    • This contains all the currencies you have set up
    • Select the currency you wish to use for this order
    • Changing currencies will cause the price to be re-displayed in the currency chosen
    • You can change currencies as often as you want to see the price change
Currency Selection

Please note: this means everyone can select any currency when purchasing online.

 

Example of a conversion

In the example, the site has been set up to convert Canadian dollars to American dollars. If the patron is purchasing $100 worth of tickets and the exchange rate is $1.00 CAD = $0.70 USD:

  • The $100 purchase defaults to CAD, and the patron will pay $100 CAD
  • If a patron selects USD, Theatre Manager makes the conversion, and the price will be changed to $70 USD
  • After entering the card information $70 USD will now be sent through the new Merchant Account
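
The rate-selection rule from the Conversion Rate Setup step (the record in effect as of the transaction date) applied to the $100 CAD to $70 USD conversion above, as an added example that is not Theatre Manager's own code. The RateHistory class, the effective dates, the second rate of 0.73 and the half-up rounding to cents are assumptions made for illustration.

```python
from bisect import bisect_right
from datetime import date
from decimal import Decimal, ROUND_HALF_UP


class RateHistory:
    """Effective-dated exchange rates for one currency pair (hypothetical model)."""

    def __init__(self):
        self._dates = []  # effective dates, kept sorted
        self._rates = []  # rate in force from the matching date onward

    def add(self, effective, rate):
        """Record a new rate without discarding earlier ones."""
        i = bisect_right(self._dates, effective)
        self._dates.insert(i, effective)
        self._rates.insert(i, Decimal(rate))

    def rate_on(self, when):
        """Return the latest rate whose effective date is on or before `when`."""
        i = bisect_right(self._dates, when)
        if i == 0:
            # No record covers this date: refuse rather than guess a rate.
            raise LookupError(f"no exchange rate in effect on {when}")
        return self._rates[i - 1]

    def convert(self, amount, when):
        """Convert an amount using the rate in effect on the transaction date."""
        converted = Decimal(amount) * self.rate_on(when)
        # Rounding to cents with half-up is an assumption, not a documented rule.
        return converted.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


# Constructed sample history: CAD -> USD.
CAD_TO_USD = RateHistory()
CAD_TO_USD.add(date(2024, 1, 1), "0.70")
CAD_TO_USD.add(date(2024, 6, 1), "0.73")

if __name__ == "__main__":
    # A sale dated before the June record still uses the January rate.
    print(CAD_TO_USD.convert("100.00", date(2024, 3, 15)))
    # A sale on or after June 1 picks up the newer record.
    print(CAD_TO_USD.convert("100.00", date(2024, 6, 1)))
```

Because older records are kept, a transaction re-examined later still resolves to the rate that applied on its own date.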

What if the patron selects the wrong currency?

The onus is on the patron to select a currency that matches their credit card. Theatre Manager will send the amount and the currency to the merchant provider so that you are covered. If a patron selects USD on a Canadian card (or vice versa), the bank charges the right amount on their card and you will always end up with:

  • A fully paid order
  • Multiple merchant accounts to settle for the right amount at the end of day process
  • Money in your respective USD or CAD that you can transfer as needed to take advantage of exchange rates

Card On File (COF) and Customer Initiated Transactions (CIT)

We have received some information from users of Authorize.net that discusses their approach to forthcoming mandates for using saved credit card data:

Authorize.Net is currently in the process of implementing support for the Visa, MasterCard, and Discover Card on File (COF) for Customer Initiated Transaction (CIT) and Merchant Initiated Transaction (MIT) as well as the separate Purchase Returns Authorization (PRA) Mandates. This article will provide you with the latest, up-to-date information available as well as links to available resources for more information.

 

What does this mean for Auth.net users (and potentially users of other merchant providers)?

Card on file (COF) means that you, the merchant, are saving customer payment data for future reuse.

The vast majority of credit card authorizations in Theatre Manager result from cards entered online by patrons or typed/swiped/tapped at the box office as part of a transaction. These transactions are not the subject of this email from Authorize.net.

Theatre Manager supports post dated or recurring payments for donations and other purchases which may be affected by the Visa, MasterCard, Discover rules.

  • If data is stored in Theatre Manager, post dated payments are considered Card Not Present transactions, and treated as the above - just like they are original transactions with all card data.
  • If data is stored at the credit card company using merchant profiles they may be subject to any of the Visa/Mastercard/Discover data storage changes described by Authorize.net as 'in-progress'. In this case, as it pertains to Theatre Manager, your merchant processor will handle any changes required.
This directive from Authorize.net is targeted at reusable card data stored using merchant profiles at the credit card companies. It does not affect data stored locally in Theatre Manager since those are always processed with full card data in exactly the same manner as all card transactions.

 

How to influence stored credit card data in Theatre Manager

Theatre Manager enables saving card data via settings in the System Preferences PCI tab:

  • for self hosted - you can pick schedule D in the PCI tab (see explanations of Schedule A/B/C/D) and decide how long you want to save data, or you can pick the other two options.
  • for cloud hosted - you can decide to:
    • never store data (schedule C), or
    • store card data only for post dated payments (schedule D)
  • For either self hosted or cloud hosted, you can enable Merchant Profile and Theatre Manager will send card data to your merchant provider to get them to store it. This:
    • moves all responsibility for storing card data to your merchant provider -without-
    • diminishing your ability to use this stored card data for recurring payments.

Customer Initiated Transactions (CIT) using card on file

According to the Authorize.Net web site, Customer Initiated Transactions means:
  • A Cardholder Initiated Transaction (CIT) is any transaction where the cardholder actively initiates a transaction. This can be paying online, in a store, over the phone or through a pay link/QR code, etc. In a Card on File transaction, the cardholder initiates a transaction, opting to pay using card information previously used and stored on file with the merchant.

Theatre Manager does NOT support any form of Customer Initiated Transactions using saved data. The customer cannot select 'use saved card' online or at the box office.

If the box office uses a card on file, it becomes a Merchant Initiated Transaction.

Merchant Initiated Transactions (MIT) using card on file

According to the Authorize.Net web site, Merchant Initiated Transactions means:
  • A Merchant Initiated Transaction (MIT) is a payment initiated by a merchant without the cardholder. To do this, the cardholder must have previously given the merchant permission to store their card details for use in certain types of future payments. This means that an MIT can only happen after a cardholder has previously completed a CIT with the merchant. MITs can be split into two kinds of transactions:
    • Standing Instructions:

      These are transactions that reuse the cardholder's credentials on a regular basis or after a certain event occurs. Examples of Standing Instructions are:

      • Recurring Payments - transactions processed according to a fixed interval and fixed amount agreed upon by the cardholder and merchant. Recurring Transactions don't have a specified duration and can continue to be processed until the cardholder cancels the agreement
      • Unscheduled Card on File Transactions - transactions processed for a fixed or variable amount that are not tied to a schedule or recurring transaction date, but to a pre-defined event. For example, when your car's EZ-Pass highway toll booth account falls below a certain minimum, your card automatically gets charged to reload the account balance
    • Industry Practices

      These are transactions that reuse the cardholder's credentials on an ad hoc or one-off basis, with previous consent from the cardholder. Examples of Industry Practice Transactions are:

      • Resubmissions - used when the original authorization is not successfully funded to the merchant but goods or services were provided
      • Reauthorizations - used to obtain a new authorization after the previous authorization has expired
      • Delayed Charges - processes an additional charge after the original transaction has been completed
      • No Show - used to collect penalty fees for not showing up for a reservation or cancellation in accordance with the merchant's cancellation policy
Theatre Manager supports Customer Initiated Transactions for Standing instructions only using saved data for recurring payments (eg post dated, recurring donations, and season subscription auto-renewal).

Theatre Manager does not support unscheduled card on file transactions

You can do this in one of two ways. Use one of:

  • Schedule 'D' compliance for post dated payments - in this case Theatre Manager stores the card data internally (encrypted) subject to PCI compliance
  • Merchant Profiles - in this case card data is sent to your merchant provider and they store it. From that point, the card provider is completely responsible for card storage. You can choose to store card data for longer periods of time.
Note: we do not recommend using Moneris Merchant Profiles - they charge too much money. Other merchant providers are not currently charging for this feature.
If you have Theatre Manager store card data (schedule D), it is a Merchant Initiated Transaction. However, the issue becomes moot, as Theatre Manager retrieves complete card data from the database and sends it to the merchant provider as a Card Not Present transaction. That is exactly as if the customer called you on the phone to give you the card, or paid online by typing in their card.
Theatre Manager does not actively implement any of the aforementioned Industry Practice Transactions that cause additional since all transactions are completed when the customer provides card data in full.

Purchase Return Authorization (PRA)

According to the Authorize.Net web site, Purchase Return Authorizations mean:
  • The Visa, MasterCard and Discover card brands are now requiring that refunds made to customers be authorized in real-time, to validate the payment data in real-time and provide a real-time response of the success or failure of the refund attempt.
Theatre Manager has only ever supported real-time refunds to cards. Currently, the majority of merchant providers use linked refunds, in which the original card is refunded against the original order, patron and card number, up to the original amount.

These requirements are implemented by your merchant provider. You have to contact your provider if you want to use independent refunds, which are refunds to any card for any order (not always advised).

Credit Cards not Being Authorized Online

When a patron calls and says that their credit card was not accepted on line, you will need to:

Theatre Manager only tells the patron that the card did not work - it does not tell them why their credit card was declined. Their card could have been declined for a number of reasons. The bank does pass back the messages, such as:

  • Do not honor - a general message that tells you the bank won't authorize the card
  • Decline - another general message that the card is not accepted
  • Hold Card - may mean that the card was stolen and the merchant is being asked to keep it
  • Insufficient Funds - means what it says
  • Address Verification (AVS) Error - means that zip/postal code verification was incorrect. You may have overly strict AVS settings on your merchant account - so refer to your merchant account online setup or call your merchant provider directly
  • Card Verification Value (CVV) Error - means that the CVV2 number was either not entered at all or not correct - TM is not allowed to display what was entered for PCI reasons.
  • etc.
On the off-hand possibility that the card was being used by an unauthorized person, PCI recommendations for online sales are to simply state the card can't be used and not give away any further information to the bad guys.

 

How to help the Patron?

If a patron calls in and tells you their card was declined, you need to look at their shopping cart, on the web logs page. The picture below shows the typical messages you would see if a card was successfully authorized. There are 6 main messages in the process.

Anybody who is declined will not see the full 6 steps. It will probably stop on step 3 or 4 and have an error that you should read indicating why the card was declined.

Instead, some time after step 1, there will be a message indicating WHY the card was declined. In such a case, you can help the patron check out their shopping cart manually (see Checkout button).

 

If there are many declines in a day

If you receive a rash of reports that cards are being declined, you can search for them en masse in the web listener logs to see if there is a trend.

PCI requirement for TLS1.2 by June 2016

PCI DSS requirements state that all payment systems must disable TLS 1.0 by June 30, 2016. Under that directive, Authorize.net and Orbital have sent messages to many customers that they intend to require TLS 1.2 at a date to be determined.

Theatre Manager conforms with the PCI compliance rule ahead of that date and will connect to TLS 1.1 and/or TLS 1.2 only servers as long as you have either:

PCI DSS requires that web sites should not use low or insecure TLS encryption. Our standard NGINX installers only accept TLS 1.2 connections.

Also, the Sept 2015 Authorize.net newsletter and Orbital communique contained some other items of interest, specifically:

  • Auth.net Transaction ID changes for character length up to 20 and arriving in sequential order. None of these affect Theatre Manager as Theatre Manager already permits 50 character authorizations and all we do is store them for reference.
  • SHA2 certificates on the authorization servers. We have tested Theatre Manager and all current versions of TM will connect to a server that uses SHA2 certificates without any changes.
  • Orbital will accept only TLS 1.2 as of May 31, 2017 - and this works in the latest TM

Side note: commerce web sites are going to require TLS 1.1 or later in the near future, which could affect patrons using older browsers such as older versions of Internet Explorer.
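
One way to check a web server configuration against the TLS requirement described in this section, as an added example (not ArtsMan's installer or code). It scans NGINX configuration text for ssl_protocols directives and reports anything older than TLS 1.2; the function name and both sample configurations are constructed for illustration.

```python
import re

# Values of nginx's ssl_protocols directive treated as too old here.
# PCI DSS rules out SSL and TLS 1.0; TLS 1.1 is included because the
# page's standard installers accept TLS 1.2 only.
WEAK = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def audit_ssl_protocols(conf_text):
    """Return (line_number, problem) findings for an nginx configuration."""
    findings = []
    seen_directive = False
    for lineno, raw in enumerate(conf_text.splitlines(), start=1):
        line = raw.split("#", 1)[0]  # ignore commented-out directives
        match = re.search(r"\bssl_protocols\s+([^;]+);", line)
        if not match:
            continue
        seen_directive = True
        enabled = match.group(1).split()
        weak = [p for p in enabled if p in WEAK]
        if weak:
            findings.append((lineno, "weak protocols enabled: " + " ".join(weak)))
        if "TLSv1.2" not in enabled and "TLSv1.3" not in enabled:
            findings.append((lineno, "neither TLSv1.2 nor TLSv1.3 enabled"))
    if not seen_directive:
        # Without the directive, the protocol set depends on the nginx build.
        findings.append((0, "no ssl_protocols directive: nginx build default applies"))
    return findings


# Constructed sample: a legacy server block that still offers TLS 1.0/1.1.
LEGACY_CONF = """\
server {
    listen 443 ssl;
    # ssl_protocols TLSv1.2;   (commented out, so not in effect)
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""

# Constructed sample: the TLS 1.2-only setting the page describes.
HARDENED_CONF = """\
server {
    listen 443 ssl;
    ssl_protocols TLSv1.2;
}
"""

if __name__ == "__main__":
    for name, conf in (("legacy", LEGACY_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ssl_protocols(conf) or "ok")
```

A finding on line 0 means no directive was present at all, which deserves the same attention as an explicit weak setting because the effective protocols then vary with the NGINX version.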

Theatre Manager and EMV credit cards

In Canada, Theatre Manager now supports:

 

Historically

Visa/Mastercard in the USA is implementing an October 1, 2015 policy change introducing EMV (short for Europay, Mastercard and Visa -- credit cards with chips in them) to assist fraud management. EMV cards have been used throughout the rest of the world for a long time. This will be a good thing for US consumers doing walk up purchases at supermarkets, large box retailers, restaurants, gas stations etc. Responsibility does not change one iota for web, mail and phone order sales - which are deemed card not present.

Our thoughts are below. Interestingly, after writing this, a credit card authorization vendor that wants you to buy an EMV reader had very similar things to say - meaning you have to think what it means to your venue.

 

Theatre Manager and EMV

We've been asked a number of times if Theatre Manager and people who own EMV credit cards can work together. The short answer is YES.

 

How does an EMV credit card affect Card Not Present sales?

There is no impact.

90% (i.e. the vast majority) of ticket sales by arts and entertainment organizations happen in advance of the event. This is simply because people want to guarantee they have tickets before they show up at the door. Most ticket sales occur:

  • by calling the box office and telling the credit card info to staff
  • using online web sales and entering the credit card number in a web form
  • mailing subscription renewal forms along with check or card info for payment

The credit card companies refer to these payments as Card-Not-Present. It simply means that the patron did not come to a venue and physically present their credit card.

Card-not-Present purchases will continue to work as they currently do since it is the only way to do web and phone sales using existing technology. Online sites will require a card to be typed and phone sales need it spoken over the phone. Canadians have been using chip enabled cards for years at Theatre Manager venues in this exact manner.

 

What about EMV and Box Office Card Present sales?

The direct processing service providers integrated with Theatre Manager work with card not present. There are a couple of service providers that accept Track II card swipe information - providing a card present option. None of the service providers currently have an API to interface with an EMV reader that we are aware of.

Essentially this means that box office sales are treated as if the credit card was typed (card swipes are just keyboard devices) so any existing technology continues to work without modification.

 

What about Merchants being responsible for non EMV Authorizations?

Visa and Mastercard are somewhat disingenuous stating that all Card Not Present transactions will be exempted from existing fraud protection efforts after October 1, 2015 (generally web and phone sales already are eligible for chargebacks). Furthermore, since a very large proportion of ticketing sales are phone/mail/web card-not-present transactions, there is nothing that a chip on the card will do to help. This is a convenient way for the banks to move all financial onus to merchants for most sales.

The remaining 10% +/- walk up business could be covered for fraud protection if an EMV card reader was used and the card had an EMV chip - which not all cards will have initially. Therefore, merchants have two possible options for box office sales:

  • Get enough EMV chip/pin readers for their box office stations
  • Continue with current credit card swipes or typing card numbers into TM

 

What would using an EMV card reader mean to the box office?

If you rent one or more EMV card machines from a bank, the process to integrate them is quite simple.

Setup

  • Add payment options to the payment code table. When setting them up:
    • make the payment type other
    • use short codes for the payment methods like EMVISA, EMV-MC, etc.
    • make the descriptions like 'EMV-Visa' , 'EMV-Master Card' so that they are obvious in the payment popup menu
    • make the card number and authorization number fields optional.
  • Note: DO NOT CHANGE the existing credit card payments or merchant accounts. These will still be used for any card you will accept online and by phone. The additional payment methods are used to track payments put through an EMV machine

Taking a payment

At the box office, if somebody:

  • uses a chip and pin card, then put it through the EMV machine and then use the EMV payment method in TM
  • uses a card without chip and pin, then you might want to use the existing CC payment methods and let TM authorize it.

The End of Day Process

The end of day process hardly changes at all

  • Any Card-Not-Present processed through Theatre Manager for web, phone or mail order sales will work the same
  • Any payment taken through the new EMVxxx payment options will appear in each employee's till balance, just like cash and check.
  • you will need to compare the EMV totals in the till balance with closing tape balance from the EMV machine

 

What about the cost - is it worth using EMV terminals with TM

This is a very good question. Financially, we don't think so for most venues. We do for some.

Cost

It has been suggested that EMV terminals will rent for between $60 and $120 per month per terminal (payable to the merchant service provider).

Benefit

There has been no indication of rate reduction. Historically credit card companies may discount a small amount (eg 1/4%) to give a better rate for less risk. It will be small because they like profit and can justify the enhanced security as a benefit to you. So suppose it is 1/4%. That means you would need to:

Take $24,000 to $48,000 in CC authorizations per terminal per month in walk up sales to break even.

Multiply the amount above by each terminal you need and adjust for rate savings. The math is simple:

number of terminals * monthly rental * (100/rate saving %) (eg 1 * $60 * 100/0.25 = $24,000).

We don't think EMV would do much to prevent chargebacks because most business is via web/phone and mail sales. It seems a case of paying for limited benefit. It also affects the ability to refund credit cards taken for walk up sales - because you can't refund them if you don't have the number.

 

What if I didn't use an EMV card reader?

Theatre Manager and your current card swipes would continue to work.

Credit card charges continue to be sent to the bank as Card not present or Card Present with Track II (if your merchant provider supports it). There really isn't any change to your business, other than you may now be responsible for fraudulent walk up chargebacks. In my experience, people who see a show rarely dispute a charge. On the other hand, you may save enough money to cover the occasional problem if you don't rent terminals - it's like self insuring.

 

Do EMV cards have any impact on PCI compliance?

Absolutely Not - EMV credit card readers are merely an additional fraud prevention technique.

PCI compliance is simply risk management and focused on how credit card numbers are stored/managed within your venue. You can choose any retention period for cards, including never storing them (a choice dependent on your venue's needs). You reduce risk by storing only the card information you think you need and making sure you implement network security, firewalls and Apache updates that we recommend in our installation instructions. Risk is mitigated by using the PCI Schedule 'C' settings, or entering a short retention period for Schedule 'D'.

 

What might ArtsMan do in the future?

There are so many EMV devices out there; the least expensive of them are stand-alone, and programmable ones are more expensive to rent. Each bank uses a different/custom EMV device; many of them are from Ingenico or Verifone.

If the vendors and Banks can settle on a standard API to talk to the machines and cause them to charge credit cards (that doesn't have to change for each device), then we will write some code that can talk to them. We've been in discussions with some vendors, but the banks are all about proprietary and never about standards and easy.

This means we will take a cautious approach regarding what machines to build and interface for -- mindful that the economics of EMV machine rental are really marginal for our venues because of the ratio of Card Not Present sales to Card Present EMV walkup.

Turning Off AVS

During Credit Card processing, Theatre Manager sends the patron's primary address information as part of the authorization request. The Bank has the option of using this for an additional level of fraud detection/prevention. Address Verification (AVS) may cause some online card rejection if:
  1. the patron uses a card with a different billing address than what they have put into their online account in TM -AND-
  2. your online merchant account settings have been set to very strict
The payment could be rejected due to an AVS mismatch.

 

The Online Portal for your merchant account defines the AVS settings

As expected, the bank's preference is to be super-tight with AVS rules, so they usually default your online account to reject any non-matching addresses. For online sales, you can't expect the patron to make the address exactly match the bank so we suggest:

  • Logging on to your bank portal. For example, if you use:
  • find the section in the authorization options and disable all address verification options - i.e. tell the bank to accept the card even with address mis-matches

When your account is set this way at the bank portal, if there is an AVS mismatch, the authorization will still go through. If the AVS does match, it just helps verify the patron.

Your merchant account support people are usually better able to help with settings and using your virtual terminal. We may be able to help find it for you, but since the banks own their software, we are not always 100% familiar with each banking interface.