Accepting Credit Cards for B2B Sales
Be Mindful of Customer's Privacy Rights
By Scott Blakeley, Esq.
Credit cards are transforming the way vendors receive
payment on their commercial sales. A customer paying by credit card
for the commercial sale allows the vendor immediate payment on the
sale. The credit professional receiving payment by credit card for
the first time may be surprised to find that an individual cardholder,
say the company's CEO, offers their personal card to pay for the
corporate sale. Frequent flier miles often prompt the individual
to use the personal card for the sale.
However, with the dramatic increase in the use of credit cards
to pay for commercial sales comes legislation protecting a customer's
privacy rights to financial information. California has recently
passed legislation that creates a duty for companies to protect electronic
personal information from being disclosed, and requires companies
to notify customers when their electronic information has possibly
been misused. The privacy law identifies a customer's personal information
to include their credit card number. Violation of the privacy law
may be the basis of a lawsuit against the vendor. The dramatic rise
of the crime of identity theft prompted the privacy legislation.
What does the privacy law mean to the credit professional in managing
a customer's credit card information?
Credit Cards May Make The Sale
The credit professional may find that accepting credit cards
is a way to make a sale to a marginal account. Like CIA and COD transactions,
a customer's payment by credit card can be attractive to the vendor
as it provides for immediate payment, prior to release of the goods.
A credit card transaction acts like a credit enhancement, such as
with a letter of credit or corporate guarantee, where the credit
risk of the transaction can be managed. While a credit card transaction
does carry risk of a customer chargeback, the credit professional
can manage this risk through customer authorization which reduces
or eliminates the likelihood of a disputed transaction.
Websites have emerged to protect the vendor from chargebacks,
such as with the site www.nochargebacks.com. The vendor may also
insist that the customer sign a terms and conditions agreement for
payment by credit card that provides the customer will not report
a disputed charge until they have notified the vendor. This provides
the vendor with the opportunity to fix it.
Perhaps the biggest risk for the credit professional
is the card not present (CNP) credit card transaction,
especially where payment is accepted through the Internet. There
is a greater risk of fraudulent transactions with the CNP transaction
as the vendor is not sure of the buyer's identity, and there is no
signature and no card to imprint. The general rule is that the vendor
assumes the risk of loss for these fraudulent payments.
To limit the risk of the fraudulent credit card transaction,
the credit professional may develop a credit risk profile on each
company seeking to pay with a credit card. The credit professional
may then set a maximum limit that each company can buy based on the
profile, regardless of whether the card company will authorize the
credit card charge over the phone or Internet.
A Cardholder's Privacy Rights Under Recently Enacted Legislation
With the arrival of the electronic credit department
and storing of a customer's financial information, such as credit
card information, on a vendor's computers, there is a greater risk
of computer hackers stealing this personal financial information
for such crimes as identity theft. California's privacy law is intended
to combat this.
The privacy law requires a company that does business
in California to notify customers when there may have been unauthorized
access, or a security breach, to their electronic personal information,
including a customer's credit card information stored on the company's
computers. The law does not define what constitutes a security breach,
and the law requires notification even where the company only suspects
there has been a breach.
The privacy law also requires that safeguards are in
place to protect a customer's private information, including credit
cards. The privacy law may apply to all states. The law is intended
to protect customers from the risk of identity theft through notifying
them of misuse of their personal information so they can take steps
to protect their assets. The privacy law applies to those companies
that store personal information, such as credit card information,
on computers.
The privacy law requires a company give prompt notice
to customers after a security breach. Notice may be via e-mail or
regular mail. Should a company fail to disclose a security breach,
it may be liable even if the customer's personal information is never
used. A company is not required to notify law enforcement.
The privacy law is silent as to the mechanics for detecting
and responding to a security breach. However, a company that encrypts
the personal data may be exempt from it.
The credit professional should consider how a customer's
credit card information is stored. People's names should be kept
separate from their credit card number. The credit professional should
have its company adopt a policy as to notification of California
customers in the event of a security breach, storing credit card
information and sharing credit card information with others in the
company, such as the sales force, and third parties. To reduce the
risk of a security breach, employee access to customers' credit card
information should be restricted. The vendor should have a company
policy manual advising of its policy dealing with credit card information.
Credit Department's Privacy Policy And Credit Cards
A customer's privacy rights are at the forefront of
legislation and regulation, and these rights touch on the way the
credit department manages a customer's personal credit card information.
As the credit department goes electronic, a credit professional should
be mindful of a customer's privacy rights and how credit card
information is stored. Given this, the credit professional should
consider implementing a privacy policy as to the storing of a customer's
credit card information.
Reprinted by permission from The Trade Vendor Quarterly, Winter 03