API's don't connect themselves


You have been there.  You are reading the SDK and you think you know how it goes together.  Your payment provider has software people on the phone but they are the wrong ones.  How frustrating!!  

The key to a great integration is getting the right people together,  Just NOT people.  The right people.

Business & integrations have taken me to NYC, San Fran, Atlanta, Chicago, and even small towns you would never think would have programmers.  

Helping one programming group of people understand another group of people can be a true art form.  Conducting a meeting with these same people can be like conducting a symphony.  All parts need to work together to make a beautiful integration or sound. Do you know what I mean?  I can help. 

Tammy Zimmerman

Learn more about Tammy here.
read more view comments ()

Can you afford it?


So, you think you can't afford it?  Can you afford not to do it?

The best minds in business continue to talk about analytics and customer experience.  What can a business do to get both?  What can my mind think of to get to the end point of getting analytics and customer experience?

Here are a couple of ideas that businesses around the country are turning to........No. 1 and No. 2.

So THINK.  You can get a lot of bang for the buck with a little thinking.  

Good thought!

read more view comments ()

Business Plan


How to Write a Business Plan: A Beginner's Guide

Look, I know, you want to get going "doing" your business.  I need to make money now.   No time to waste planning I need to sell and make a profit.  My life depends on it!


You better make a plan or you will be back to square 1 in 6-months to a year.   

Take the time...................... your life and your families life may depend on it.

Here is a link to help you write that plan.
read more view comments ()

Got Signature?? Is it needed?


Things are changing.  Just like each of us gets older each day and things change.  So do rules and regulations in the credit card processing environment.  So what is the latest and what is happening?

Change in Card Brand Signature Requirement

Visa®, MasterCard®, Discover® and American Express® have all recently announced that the requirement for obtaining a signature on in-store sales transactions will be optional as of April 2018 in the U.S. and Canada. (Discover and American Express also include other countries such as Mexico and the Caribbean.) Please note that Visa's elimination of this requirement applies only to EMV contact or contactless chip-enabled merchants.

In making this decision, the card brands point out that they had already eliminated the need for a signature for sales below a certain amount, and the increased security measures built into point of sale technology now make obtaining a signature unnecessary at all levels. Additionally, removing the signature requirement for sales of any amount will help provide a more consistent and faster checkout for customers and reduce merchants' operating costs associated with retaining signatures.  

While the card brands will no longer require a signature, please note the following:  

  • Businesses may continue to obtain the cardholder's signature if they desire, regardless of the transaction amount. Chip-enabled point of sale systems will still support signature as a cardholder verification method (CVM) as part of standard EMV processing.
  • Point of sale solutions may be updated to not capture a signature or not print a signature line on a paper receipt. At this time, there are no immediate plans for updates to Elavon Class A products; however, we constantly monitor card brands' plans and will communicate any changes as decisions are made.
  • Dispute rules will reflect the changes, meaning that for applicable networks and in applicable regions where a signature was previously required as part of a re-presentment to a chargeback, it will no longer be necessary for merchants and acquirers to produce the receipt bearing a signature in supporting documentation.
So in the end the card brands say no signature necessary beginning April 2018 (note: Visa will allow this only for chip or NFC read cards).  As your payment processor consultant we recommend keeping all copies of your receipts with your customers signature on them until we can confirm a chargeback process has worked out to our merchants favor.  It most likely will be fine, but we like to error to the protection of our merchants. Better to have too much paperwork now to protect yourself.

The good news is it appears it isn't far away that you will not need to keep paper receipts or buy as much paper!

Is a complete paperless society far away?  Our industry is moving that way, BUT the rest of society I wouldn't hold my breath!

read more view comments ()

PCI - Stop the Credit Card Thieves!


Here's What You Should Understand About PCI Compliance

The Payment Card Industry Data Security Standard (PCI DSS) is managed by the PCI Security Standards Council (PCI SSC). Founded in 2006 by the five biggest credit card providers: MasterCard, Visa, Discover, Amex and JCB International, the Council ensures that merchants (sellers and organizations) protect their customers’ credit card information during transactions and when it’s being stored.

Being PCI compliant is not a requirement by law. However, it is highly advisable that merchants who accept card payments follow the regulations set by the PCI SSC to avoid any potential data infringement and to avoid hefty non-compliance fees. The requirements for becoming PCI compliant are relative to how your company operates.

There are many areas where your business could have security vulnerabilities, such as operating systems and devices which hackers could use to access your company’s private network. Data can be stolen from many areas, including but not limited to:

The Payment Card Industry Data Security Standard (PCI DSS) is managed by the PCI Security Standards Council (PCI SSC). Founded in 2006 by the five biggest credit card providers: MasterCard, Visa, Discover, Amex and JCB International, the Council ensures that merchants (sellers and organizations) protect their customers’ credit card information during transactions and when it’s being stored.

Being PCI compliant is not a requirement by law. However, it is highly advisable that merchants who accept card payments follow the regulations set by the PCI SSC to avoid any potential data infringement and to avoid hefty non-compliance fees. The requirements for becoming PCI compliant are relative to how your company operates.

There are many areas where your business could have security vulnerabilities, such as operating systems and devices which hackers could use to access your company’s private network. Data can be stolen from many areas, including but not limited to:

Identifying where your company’s weaknesses are when it comes to the protection of sensitive cardholder information, and securing how your business processes payments is paramount.

What do I need to do to become PCI Compliant?

There are various levels of PCI compliance which depend on the amount of payments your business processes each year (12 month period). There is one component that remains necessary across the board, which is that a business should really achieve 100% PCI compliance and maintain it, in order to keep the data of themselves and their customers safe.

Each of the five major credit card members of the PCI SSC have their own data security standards. Below is a simplified, general breakdown of potential PCI DSS requirements:

PCI requirements depend on which level is applicable to your business. Each level will require merchants to complete the relevant PCI DSS Self Assessment Questionnaire (SAQ), provide evidence that the merchant has completed and passed a vulnerability scan with a PCI SSC Approved Scanning Vendor (ASV), and complete and submit the Attestation of Compliance (AOC) to your acquirer.

If you would like any clarification on the information here, please visit the PCI Security Standards Council’s website.

What happens if I’m not PCI compliant?

As previously mentioned, being PCI compliant is not required by the law, however, you could incur major damage to your business, its reputation, brand image and a multitude of fines if your customers' data is breached. In the long term, it will cost your business a lot less to comply with PCI DSS requirements. Additionally, non-compliance fees can add up over the months. 

The State of PCI DSS Compliance

According to Verizon’s 2017 Data Breach Investigations Report (DBIR) the state of PCI DSS compliance is continuing on an upward trend, seeing growth of 44.3% since 2012. However, 44.6% of businesses still failed to pass an interim PCI CSS validation in 2016:

SecurityMetrics has predicted that data breaches and attacks from hackers will ‘likely follow similar trends from the latter half of 2016,’ referring to companies such as Yahoo, who notoriously fell victim to a series of attacks in which the personal information of millions was compromised.

SecurityMetrics forensic takeaways from 2016:

Payment Plus's Point-to-Point Encryption and Tokenization (safe-t)

Payment Plus can provide merchants with solutions that help to reduce PCI audit scope, with PCI validated point-to-point encryption through Elavons safe-t product which is applied in a retail (card-present) environment.

It’s part of the PPI solutions.

PPI's P2PE solution is designed to provide businesses with the highest degree of payment security and greatly reduce the scope of PCI DSS compliance requirements. 

Check out an overview of how a typical transaction works below:

PCI DSS Compliance FAQ’s

Q: What is the PCI DSS?

A: The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. The PCI DSS is administered and managed by the PCI SSCan independent organization that was created by the major payment card brands (Visa, MasterCard, American Express, Discover and JCB.).

Q: How does a merchant get educated about PCI compliance?

A: Merchants getting started with PCI compliance can find a wealth of information on the PCI Council website and download the PCI Council's Getting Started Guide and Quick Reference Guide. To learn what a merchant's specific compliance requirements are, the PCI Council recommends the merchant check directly with the card brands: American Express, Discover Financial Services, JCB International, MasterCard Worldwide, Visa Inc., Visa Europe.

Q: To whom does PCI compliance apply?

A: PCI compliance applies to ANY organization or merchant (includes international merchants/organizations), regardless of size or number of transactions, that accepts, transmits or stores any cardholder data.

Q: Is a merchant obligated to be PCI compliant?

A: PCI compliance is not a law. The PCI standards were created by the major card brands Visa, MasterCard, Discover, AMEX and JCB. At their acquirers’/service providers’ discretion, merchants that do not comply with PCI DSS may be subject to fines, card replacement costs, costly forensic audits, brand damage, etc., should a breach occur. The time and effort put into maintaining PCI compliance far outweighs the consequences of non-compliance.

Q: How often is PCI DSS validation required?

A: Merchants must demonstrate compliance annually via a Self-Assessment Questionnaire (SAQ) or Report on Compliance (ROC). Validation requirements vary depending on the number of transactions processed annually and the payment card brand. Compliance requires establishing and maintaining a PCI program that incorporates appropriate business policies, procedures and technologies to ensure ongoing compliance through continuous protection of payment card data.

Q: What are the requirements to be in compliance with the PCI Data Security Standard?

A: The PCI DSS is a multifaceted security standard that includes requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. It’s comprised of 12 general requirements designed to: build and maintain a secure network; protect cardholder data; ensure the maintenance of vulnerability management programs; implement strong access control measures; regularly monitor and test networks; and ensure the maintenance of information security policies.

Q: Which Self Assessment Questionnaire (SAQ) must be completed by a merchant?

A: The PCI DSS SAQ Instructions and Guidelines information provides a summary of the different SAQs and the types of environments that each SAQ is intended for. Merchants should also consult with their acquirer (merchant bank) or payment brand to determine if they are eligible or required to submit an SAQ, and if so, which SAQ is appropriate for their environment. Additional SAQs may apply depending on how the merchant is conducting business. For more information please visit the PCI Council website.

Q: How does Payment Plus help minimize PCI scope within a merchant environment?

A: Payment Plus provides cardholder data tokenization with safe-t. A token replaces the cardholder data that a merchant needs to store when handling transactions. The token is used when submitting the transaction to the payment processor. Since the token is not card data, the merchant can store the token and reduce the PCI scope of the system storing the token. Merchants with e-commerce sites can also reduce their PCI scope by making use of the available safe-t Converge tokenization solutions.

Q: If a merchant only accepts credit cards over the phone, does PCI compliance still apply to the merchant?

A: Yes. All businesses that store, process or transmit payment cardholder data must be PCI compliant.

Q: What are the penalties for failure to comply with PCI DSS?

A: The payment brands may, at their discretion, fine at a rate of  $5,000 to $100,000 per month for PCI compliance violations. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.

Q: What is a vulnerability scan?

A: A vulnerability scan checks a merchant or service provider’s systems for security vulnerabilities. It is a tool that will conduct a non-intrusive scan to remotely review networks and Web applications based on the external-facing Internet protocol (IP) addresses provided by the merchant or service provider. The scan identifies vulnerabilities in operating systems, services and devices that could be used by hackers to target the company’s private network. The scan does not require the merchant or service provider to install any software on their systems, and no denial-of-service attacks are generally performed.

Q: How often does a merchant have to have a vulnerability scan?

A: Once every 90 days. Merchants requiring a vulnerability scan are required to submit a passing scan. Merchants and service providers should submit compliance documentation (successful scan reports) according to the timetable determined by their acquirer. Scans must be conducted by a PCI SSC Approved Scanning Vendor (ASV) such as Sysnet.

Q: Who is required to fill out a PCI SAQ document?

A: Any merchant handling credit card transactions is required to fill out a specific PCI SAQ document based on the nature of the cardholder data process in place. To determine which SAQ corresponds to a merchant, please visit our SAQ document summary section.

P2PE Frequently Asked Questions

Q: What is P2PE?

A: Point-to-point encryption (P2PE) cryptographically protects account data from the point at which a merchant accepts the payment card through the entire lifecycle of the transaction. By using P2PE, account data (cardholder data and sensitive authentication data) is unreadable until it reaches the secure decryption environment, which makes it less valuable if the data is stolen in a breach. Merchants using PCI-validated P2PE solutions also have fewer applicable PCI DSS requirements, which helps simplify compliance efforts. Payment Plus's P2PE safe-t solution by Elavon is validated by the PCI Council as one of few companies qualified to offer the solution. Click here to see the PCI Council’s list of validated solutions. 

Q: What are the benefits of P2PE?

A: A P2PE solution:

  1. Makes account data unreadable by unauthorized parties and protects customer data and therefore a company's reputation
  2. “De-values” account data because it can’t be decrypted even if stolen
  3. Simplifies compliance with PCI DSS requirements
  4. Reduces the P2PE Self-Assessment Questionnaire to only 26 requirements
read more view comments ()

Got Questions?


We want you happy and satisfied!!!

Everything working OK?   If not, let us know.

  1. Are you getting your money on time?
  2. Are you getting the information you need on a timely basis?
  3. Want to know how to get to your deposit information? 

If not, let us know.  You can call 888-523-8464 or use this contact form.

You see, we can only help you when we know you need help.  Perhaps you have a suggestion that would help you.   Let us know.   While the vast majority of our customers are having no problems we understand there might be a few.  Maybe your expectations are not being met and we don't know what those expectations are at this time.  Let us know and we will do everything in our power to try to meet them.

Be Happy and Satisfied!!

Then we will be Happy too!

read more view comments ()

AML & the contracts that are signed



Who instructs us to be so careful about Anti-Money Laundering procedures?

The Financial Crimes Enforcement Network (FinCEN) is the administrator of Banking Secrecy Act (BSA). Over the years, BSA has been strengthened through subsequent anti-money laundering (AML) laws. This includes parts of USA PATRIOT Act compliance, which focus on money laundering in the form of terrorist financing.

USA PATRIOT Act Compliance

On Oct. 26, 2001, Congress passed the USA PATRIOT Act to respond to the terrorist acts of 9/11. Its name literally means “Uniting and Strengthening America by Providing Appropriate Tools Required to Intercept and Obstruct Terrorism,” and it applies to the U.S. Treasury's very broad definition of financial institutions.

Customer Identification Program (CIP Compliance)

Section 326 of the act strengthens the Bank Secrecy Act (BSA) by requiring that all financial institutions implement a Customer Identification Program (CIP) to reasonably and practicably verify the identity of customers who are opening accounts. 

Section 326 compliance requires that CIP programs should:

  • Verify the identity of any person seeking to open an account using documentary and non-documentary verification
  • Maintain records of that CIP verification process for five years after the account is closed
  • Compare the customer’s name against the government’s list of known or suspected terrorists
  • Provide customers with adequate notice of the requirements for customer identification

The U.S. Treasury Department considers Section 326’s customer identification and record-keeping requirements as vital tools in its fight against such criminal enterprises as terrorism and the growing threat from identity theft. Financial institutions play a significant role in that fight through CIP compliance.

So...............now you know.  Welcome to regulations.

read more view comments ()

National Chamber of the Year - 2017


The 2017 Association of Chamber of Commerce Executives (ACCE)  convention was held this past week in Nashville, TN.  During the convention the Paducah Area Chamber of Commerce was up against two other highly decorated Chambers from Montana and Massachusetts in a competition to determine who was the best Chamber throughout the entire United States of America in their size category.  Chambers throughout the USA submitted paperwork to be considered for the award. After a thorough review by the ACCE 3 finalists were named.   Chamber Chair and CEO of Payment Plus Tammy Zimmerman and the Paducah Area Chamber President Sandra Wilson fielded questions from a panel of the ACCE for 45 minutes as did the other competitors. The results were thrilling for our area.  The Paducah Area Chamber of Commerce won.  

Tammy Zimmerman is quick to point out Sandra Wilson and herself should not get all the accolades for the win.  "We are just the two people that fielded the questions in a room.  The real reason we won is because of the leadership of our board and the totally engaged business community we have. The paperwork submitted was critical in documenting the number of businesses that are active in our area and the enthusiasm of our community.  I am thrilled to have just done a small part to help Paducah move from the Not so obvious to the Obvious place for business.  There is opportunity in that!   A BIG WAY TO GO!........... is in order for all the people of our area!"
read more view comments ()

ACCE Chamber of the Year Awards


The picture above is of President and CEO of Payment Plus 
Tammy Zimmerman (on right) who is acting Chair of the Paducah Area Chamber of Commerce and her friend Sandra Wilson (left) President of the Chamber prior to the ACCE Chamber of the Year interview.  Paducah is one of the top 3 finalists for ACCE Chamber of the Year in their size category and completed the final step with their interview with a panel of judges yesterday morning in Nashville, TN. 

The other Chamber finalist were from Massachusetts and Montana.

Tammy Zimmerman and Sandra  Wilson have put in a large number of hours planning and preparing for the final interview and have expressed that it is their  honor to represent our business and local community in this prestigious award.  

Our area as a whole are very fortunate to have these two representing us.

The final gala where the results will be announced will be Tuesday evening, July 18, 2017 in Nashville, TN.  Good luck Paducah!

Thank you to Sandra, Tammy and all the others in the Chamber office for your hard and dedicated work you accomplish on a day in and day out basis.  

To learn more of the Association of Chamber Executives award check this out.

read more view comments ()

Great Small Business Seminars Chamber! Way to go!


Cybercrime was the subject of today's Paducah Area Chamber small business seminar.  Businesses had their eyes wide open as they found out how important it is to "lock down" their digital information.   All the seminars this month were free.  You should have been there.

This month we have seen the Chamber create and hold significant seminars to benefit the small business community.   It is a wonderful thing to have such a caring Chamber of Commerce here that actually does something for the small business community. 

read more view comments ()