Can someone help?

My company helps consumers with claims against banks etc, and we get paid if and when we win. We have relied on old fashioned invoicing and chasing but it has led to large numbers of debtors.

We can take payments over the phone like with mail order, and clients provide their payment details to us. The thing we need to do, want to do, is request the clients payment details up front for use at a future date/event - i.e when we win your claim and you have your money we will take our fee.....

We would already have those paper details in our safe, and use them. the client would have authorized it both in our terms and conditions and also on the actual Payment Autrhority Form.

Are there any issues with this?

I worked somewhere they stored credit card details. I think they were stored with the permission of the credit card holder, some requested that each time payment was going to be made they wanted a phone call so they knew the amount before and others said take payment and send the receipt part. I think that if they do not give their permission you are not allowed to store the credit card details.

Alison

Its probably easier and less hassle in the long run to not store their details.

Clients have agreed to us taking details( they provided them), and they have agreed to us storing them too...

calling is a good idea but practically the reason we want to have these details upfront is because sadly many don;ty act in good faith and are very hard to get hold of when it comes to settling fees.

do we need consumer credit license?

I asppreciate your thoughts on this.

Take a look at this link: http://www.google.co.uk/search?hl=en&q=pci+compliant&btnG=Search&meta=

We use Protx - when a new trade account signs up we have their card details and they are advised that we will be debiting them with £1.00 which will be credited to ther account.

When we use the card details to debit this £1.00 we are provided with an authorisation number - it is this number that we use to perform a 'repeat payment' when needed for their first and future orders. Once this has been generated, we shred the written details - Protx have all the customer information then, name, address, telephone number etc, so we don't physically keep any of it.

You must of course ensure that the card expiry date is long enough for you not to need to contact them fo new details prior to you winning their compensation!

Kate

Brad,

As long as consent has been given, then you've essentially got nothing to worry about. All large firms do this - I used to work with one large retailer with a blue logo (not saying any more than that) who have/had till tables for each of their stores - these contained the full card numbers in unencrypted form.

If your volumes are high enough, I would consider using a system that will auto bill these card details for you.

I'm happy to advise further if needed.

I've just had a merchant services leaflet with an article about Cardholder Not Present Transactions.

I'll quote it in full

"Merchants who trade in a CNP environment are reminded of the need to flow CVV2 data with every telephone order and non 3-D secure internet transaction. CVV2 si the three digit security code found on the reverse of a card, typically on or alongside the signature strip.

This MUST happen on every occasion where the cardholder is connected to or in contact with you at the time of the transactionand can therefore relay the CVV2 information for that specific transaction AND the authorisation is carried out at the same time (to alleviate the need to store CVV2 as this is in direct breach of the PCI DSS requirements)."

That says to me that storing cardholder details won't help as you can't store the CVV2 under any circumstance, and you can't process a CNP without the CVV2.

That says to me that storing cardholder details won't help as you can't store the CVV2 under any circumstance, and you can't process a CNP without the CVV2.

Exactly - without the CVV digits, the merchant can't process anything. It would be far better to use the Protx (or similar) solution or Pre-Auth the card. Although I suspect that the time limits in Pre-Auth might be less than required by the OP.

Visa take a very dim view of people who do record CVV values.

That says to me that storing cardholder details won't help as you can't store the CVV2 under any circumstance, and you can't process a CNP without the CVV2.

While this may be the policy of your merchant (and is of course good practice), Visa do not mandate that a CVV2 number be entered each time a CNP transaction is processed.

Unless you can show me a link on a reputable website that shows this has been a very recent change.

Ditto mastercard for the CVC2 number.