About the first of 2011, a new four letter word entered our vocabulary, COMPLIANCE. OK, I know that is more than four letters but it is still a word you want to muffle around many car dealers and even here in our office. Over the last couple of years dealers all across the country have been told they need to adhere to the Gramm-Leach-Bliley Act, the Red Flag Rule Act, and the Risk-Based Pricing Policy rules, just to name a few. Soon we will watch the formation of the Consumer Financial Protection Bureau (CFPB), a government body mandated to help protect the American consumer.
It is still up in the air as to what impact the CFPB will have on your business because it is said they will not have jurisdiction over automotive transactions but even if that is true, you can bet the Federal Trade Commission (FTC), the body who does monitor our industry, will be paying attention to what this new group does and others will undoubtedly ask, “Why aren’t car dealers included in this new regulation?” These laws have mandated that all dealers adopt new forms and then throw out those forms for revised forms. It is becoming a full time job just keeping up with how to become and then remain compliant. This battle is not just fought by car dealers. Both VIADA and JTZ Enterprise have their own hoops to jump through, also.
For us, it all started when a client called and asked, “Is our website PCI DSS compliant?” My first answer to that was a question, “What is PCI DSS?” I will not bore you with the details but this is an acronym for Personal Card Industry Digital Security Standards. The major credit card providers have teamed up and set guidelines on how transactions should take place between consumers and businesses when credit cards are used. In short, these standards state a merchant account holder may not under any circumstances store, record, or transmit card information in any way other than through methods made available from the merchant account provider. This meant that capturing a consumer’s shipping, billing and card information in a secure environment and processing it later is no longer enough.
This affected not only VIADA, but also dozens of our car dealer clients who have online payment pages included in their websites. Before now, when you went to www.VIADA.org to order forms, sign up or renew your membership, or sign up for conventions and workshops, you would see that entire transaction take place in a secure environment through the use of a digital certificate. That means the address of the pages would start with “https:” (not just “http:”). The order information would be stored on our secure servers and the staff at VIADA would log into a secure site to retrieve the order and process the transaction. That now flies in the face of what the PCI DSS is all about and had to be changed in order for us to achieve compliance.
Now, when you go to the same ordering pages you really won’t notice much of a change. The change is in how the transaction takes place. When you go online to place an order for forms or to renew your membership a credit card is required. When you give up that information you are actually dealing directly with the merchant account provider and not just inside VIADA’s secure website. That information gets verified and if the card is valid the transaction is processed in your account instantly. Once the money part is handled the home office gets a notice of the order and is able to retrieve it in the very same fashion they did before. But, instead of getting a card number and expiration date, the office gets an approval number. This update eliminated their first step of processing the payment because it is already done.
Online transactions for all online businesses now must take place in a virtual terminal. If you accept credit cards you have a box you use to swipe the card and that box is called a terminal. Many car dealers who accept online payments have had to go to their merchant account provider and ask to have a virtual terminal added to their account in order to remain compliant. For some, this has meant higher credit card expenses and for all it has meant a change in how they accept payments. Now, we can lament about the added work and expense caused by all these regulations placed on us, but there is a silver lining.
I remember when selling cars at my family’s BHPH lot we would offer our customers a break if they would allow us to keep a credit card on file so we could debit the payment on the due date automatically. Many went for it because it saved them money as well as a trip to the dealership or a stamp when making payments. We would create an index card with the customer’s information, card information and loan information. When the payment was due we would pull that card and process the payment by typing it into the terminal. That box of index cards was actually worth tens of thousands of dollars if it ever fell into the wrong hands. This obviously goes against the intent of the PCI DSS, but don’t fret. This type of arrangement is still fine, if done properly. You can still get this transaction agreement but now, with a virtual terminal, instead of recording the card information, you simply log into your virtual terminal and enter the card information there. Then you select to have a recurring payment against that card and set the due date(s) each month. If you set it to debit the card on the 1st of the month, you will see that payment automatically appear in your batch report on the 2nd. This is much easier to manage and a whole lot safer because you do not have to trust your staff with keeping this sensitive information safe.
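The difference between the old ordering flow and the virtual terminal flow described above comes down to what the dealer's own systems end up holding. The following is an added illustration, not code from VIADA or JTZ Enterprise: the merchant account provider is a stub (`approve_card` and the `APPR-` approval number format are assumptions), the "before" record keeps the card number the way the index cards and the old order pages did, the "after" record keeps only the approval number and last four digits, and a small scanner checks stored records for anything that still looks like a full card number. The card numbers used are constructed test values.

```python
"""Added example (not part of the VIADA article): model of the 'before' and
'after' payment flows, plus a check that stored order records hold no full
card numbers.  The provider endpoint and approval-number format are assumed."""
import itertools
import re


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check that card numbers use."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


_approval_counter = itertools.count(1)


def approve_card(card_number: str, expiry: str, amount_cents: int) -> dict:
    """Stub for the merchant account provider (assumption).  The card data is
    validated here and only an approval reference comes back; the full card
    number is never returned to the dealer's side."""
    if not card_number.isdigit() or not luhn_valid(card_number):
        return {"approved": False}
    return {
        "approved": True,
        "approval_number": f"APPR-{next(_approval_counter):06d}",
        "last4": card_number[-4:],
    }


def old_flow_record(order_id: str, card_number: str, expiry: str) -> dict:
    """'Before' flow: order captured with card data, to be processed later."""
    return {"order_id": order_id, "card_number": card_number, "expiry": expiry}


def new_flow_record(order_id: str, card_number: str, expiry: str,
                    amount_cents: int):
    """'After' flow: card data goes straight to the provider; the office
    record keeps the approval number (and last four digits) only."""
    result = approve_card(card_number, expiry, amount_cents)
    if not result["approved"]:
        return None
    return {
        "order_id": order_id,
        "approval_number": result["approval_number"],
        "last4": result["last4"],
    }


# Any run of 13 to 19 digits is a candidate card number; Luhn filters the rest.
_PAN_CANDIDATE = re.compile(r"\b\d{13,19}\b")


def find_stored_pans(records) -> list:
    """Return (order_id, field) pairs for fields that look like a full card
    number.  Useful as a periodic check over whatever the office stores."""
    hits = []
    for rec in records:
        for field, value in rec.items():
            for candidate in _PAN_CANDIDATE.findall(str(value)):
                if luhn_valid(candidate):
                    hits.append((rec.get("order_id"), field))
    return hits


if __name__ == "__main__":
    test_pan = "4111111111111111"   # constructed Luhn-valid test number
    before = old_flow_record("ORD-1", test_pan, "12/13")
    after = new_flow_record("ORD-2", test_pan, "12/13", 4500)
    print("before:", find_stored_pans([before]))   # flags card_number field
    print("after:", find_stored_pans([after]))     # nothing to flag
```

The scanner is deliberately simple: a Luhn-valid 13 to 19 digit string in an order record is worth a look regardless of which field it sits in, which is exactly the situation the box of index cards created.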
Where will these regulations end? I doubt they ever will. That is why partnering with VIADA and having professional vendors who work hard to stay on top of tomorrow’s changes is imperative in today’s market. Compliance is not a choice but with a team of professionals on your side, it is possible.