
Accepting Credit Cards for B2B Sales
Be Mindful of Customer's Privacy Rights
By Scott Blakeley, Esq

Credit cards are transforming the way vendors receive payment on their commercial sales. A customer paying by credit card for the commercial sale allows the vendor immediate payment on the sale. The credit professional receiving payment by credit card for the first time may be surprised to find that an individual cardholder, say the company's CEO, offers their personal card to pay for the corporate sale. Frequent flier miles often prompt the individual to use the personal card for the sale.

However, with the dramatic increase in the use of credit cards to pay for commercial sales comes legislation protecting a customer's privacy rights to financial information. California has recently passed legislation that creates a duty for companies to protect electronic personal information from being disclosed, and requires companies to notify customers when their electronic information has possibly been misused. The privacy law identifies a customer's personal information to include their credit card number. Violation of the privacy law may be the basis of a lawsuit against the vendor. The dramatic rise of the crime of identity theft prompted the privacy legislation. What does the privacy law mean to the credit professional in managing a customer's credit card information?

Credit Cards May Make The Sale

The credit professional may find accepting credit cards as a way to make a sale to a marginal account. Like CIA and COD transactions, a customer's payment by credit card can be attractive to the vendor as it provides for immediate payment, prior to release of the goods. A credit card transaction acts like a credit enhancement, such as with a letter of credit or corporate guarantee, where the credit risk of the transaction can be managed. While a credit card transaction does carry risk of a customer chargeback, the credit professional can manage this risk through customer authorization which reduces or eliminates the likelihood of a disputed transaction.

Websites have emerged to protect the vendor from chargebacks, such as with the site The vendor may also insist that the customer sign a terms and conditions agreement for payment by credit card that provides the customer will not report a disputed charge until they have notified the vendor. This provides the vendor with the opportunity to fix it.

Perhaps the biggest risk for the credit professional is the card not present (CNP) transaction, especially where payment is accepted through the Internet. There is a greater risk of fraudulent transactions with the CNP transaction as the vendor is not sure of the buyer's identity, and there is no signature and no card to imprint. The general rule is that the vendor assumes the risk of loss for these fraudulent payments.

To limit the risk of the fraudulent credit card transaction, the credit professional may develop a credit risk profile on each company seeking to pay with a credit card. The credit professional may then set a maximum limit that each company can buy based on the profile, regardless of whether the card company will authorize the credit card charge over the phone or Internet.

A Cardholder's Privacy Rights Under Recently Enacted Legislation

With the arrival of the electronic credit department and storing of a customer's financial information, such as credit card information, on a vendor's computers, there is a greater risk of computer hackers stealing this personal financial information for such crimes as identity theft. California's privacy law is intended to combat this.

The privacy law requires a company that does business in California to notify customers when there may have been unauthorized access, or a security breach, to their electronic personal information, including a customer's credit card information stored on the company's computers. The law does not define what constitutes a security breach, and the law requires notification even where the company only suspects there has been a breach.

The privacy law also requires that safeguards are in place to protect a customer's private information, including credit cards. The privacy law may apply to all states. The law is intended to protect customers from the risk of identity theft through notifying them of misuse of their personal information so they can take steps to protect their assets. The privacy law applies to those companies that store personal information, such as credit card information, on computers.

The privacy law requires a company give prompt notice to customers after a security breach. Notice may be via e-mail or regular mail. Should a company fail to disclose a security breach, it may be liable even if the customer's personal information is never used. A company is not required to notify law enforcement.

The privacy law is silent as to the mechanics for detecting and responding to a security breach. However, a company that encrypts the personal data may be exempt from it.

The credit professional should consider how a customer's credit card information is stored. People's names should be kept separate from their credit card number. The credit professional should have its company adopt a policy as to notification of California customers in the event of a security breach, storing credit card information and sharing credit card information with others in the company, such as the sales force, and third parties. To reduce the risk of a security breach, employee access to customers' credit card information should be restricted. The vendor should have a company policy manual advising of its policy dealing with credit card information.

Credit Department's Privacy Policy And Credit Cards

A customer's privacy rights are at the forefront of legislation and regulation, and these rights touch on the way the credit department manages a customer's personal credit card information. As the credit department goes electronic, a credit professional should be mindful of a customer's privacy rights and how credit card information is stored. Given this, the credit professional should consider implementing a privacy policy as to the storing of a customer's credit card information.

Reprinted by permission from The Trade Vendor Quarterly, Winter 03
