Credit Cards in the ‘Cloud,’ With a Splash of PCI – A Winning Recipe

December, 2011

When was the last time you actually paid cash dollars for something? Fast-food lunch? Nope. A quick gas fill-up? I don’t think so. A song off the Internet? Not a chance. Parking your car? Think again!
Using a credit card to pay your parking fee has become commonplace as an expected payment method. Just as you would pull out your credit card to pay for that purchase at the shopping mall, you as a parking patron expect to have the opportunity to pull out that same credit card at some point in the parking process – either at a payment station or in an exit cashiering lane.
To the parking operator, accepting your credit card has much evolved from the old days of using the knuckle-buster imprinter or the dial-up credit-verification modems. Remember when the cashier would use a printed “black list” booklet to see if your credit card was stolen?
With today’s technology, use of a credit card is fast, efficiently using high-speed network connections and data communications afforded through the Internet, and using payment security methods conceived and approved by the Payment Card Industry (PCI) Security Standards Council.
So what’s the recipe? How do we best combine a credit card, a big dense “cloud” (otherwise known as the Internet) and the PCI’s security standards into a gourmet meal suitable for anyone’s palate? The answer is easy – hire a good chef!
OK, the analogy was to get your attention to what might appear on the surface as a rather mundane subject. But let’s face it – the Internet is as much a part of our daily lives as eating and sleeping. So why not utilize a good thing to our advantage?
The mix starts with the basics. What actually happens when your credit card is read at a parking payment device? It reads your credit card information, including the account number and expiration date, puts those data into a credit card approval request, and communicates that message to the payment gateway.
The solutions differ considerably among vendors, but the common pathway is for the request to be received by a payment processing company.
The payment processor manages all interactions between the merchant (the parking facility), the merchant’s bank and the credit card company. The payment processor receives a fee for each transaction it receives and manages – a cost that is typically negotiated with the merchant.
Once the credit card request is approved, the response is communicated back to the payment device, the transaction is completed and the patron exits the facility. The completed transaction is communicated to the facility management system’s revenue control, to be reconciled at the end of the day with data from the payment processor.
Essentially, the operator of the facility wants to ensure that the revenue charged to a credit card as reported by the parking software has been successfully communicated, cleared and deposited into their banking account by the payment processor.
So how can the Internet help in this process? Let’s focus on three features and their respective advantages:
• Security – Protects the patron’s credit card information and limits operator liability.
• Fast Response – Produces a positive customer experience.
• Quality Reconciliation – Provides end-to-end revenue accountability for the operator.
For the merchant, PCI compliance and certification have become a crucial need in order to minimize the liability associated with the acceptance and use of credit cards and credit card information.
As the industry continues to evolve, and the level of liability that merchants are willing to accept continues to decline, the concept of a credit card transaction being fully hosted by a secure third-party service is gaining in popularity. In typical entrepreneurial spirit, a new service sector has arisen that mitigates the burden of credit card approval and transaction management, and more to the point, the liability associated with the handling of such data.
With the reality of secure Internet connections, an approach gaining in popularity is to submit the credit card request directly from the point-of-sale (POS) to the “cloud,” bypassing the merchant’s private network entirely.
This concept isn’t new; anytime you interact with the Internet through a browser, you are utilizing this type of service. And when you make a credit card purchase, you are typically making a payment using a service that is totally independent of the merchant through which you are purchasing.
Why can’t the merchant be a parking facility? The answer, of course, is that it can.
Companies providing this service are required to be PCI-Data Security Standards (DSS)-certified. That means the companies have met end-to-end data security standards not just for the payment application, but for the entire process by which they receive, manage and store your credit card revenue transactions.
Is using the cloud fast? You bet it is. With the latest network and Internet technology, data zip along quickly and efficiently. In some cases, the patron may not even see any discernable delay between the time they swipe their credit card and transaction approval.
Using the Internet has become so commonplace that the question “Can you get access to the Internet?” might be met with an expression bordering on surprise, compassion and just a bit of stupefaction for anyone to even ask that question! Also, the concept of online or off-line is following the same pathway to obsolescence. When was the last time the Internet “broke”? You get the point.
Joe Wenzl, Director of Engineering at Federal APD, can be reached at jwenzl@federalapd.com.

Sidebar:
Reconciling, According to Joe…
So if I were to use one of those “cloud” computing services and not communicate or store any credit card information on my network, just how, Mr. Smart E. Pants, do I reconcile my revenue information or manage exceptions such as charge-backs or disputed fees, huh?
The answer is quite simple and rather elegant.
The POS (point-of-sale) sends the credit card request to the service provider. Rather than sending a response with the actual credit card data, the service returns a unique serial number, or “token,” representing the crucial credit card data associated with that transaction.
All the actual credit card data are now stored within the Internet “cloud,” and the merchant is free to store the returned token in their transaction revenue data and archive it for future reference. Any charge-back or disputed fee is easily submitted using the token. If the data containing the token are hacked, they are useless to the hacker.
Whether through a parking lane interface, a hosted service provider or back office solution, the use of credit cards in the industry will continue for the foreseeable future. Up-and-coming payment methods such as pay-by-phone are starting to take hold.
But as long as a parking fee is determined by the duration that a patron parks, and steady vehicle throughput is a crucial need, the credit card will continue to be one of the primary payment methods in the parking industry. – Joe Wenzl