7.050 PCI mode workflow?

Alan Starrett

unread,

Jul 11, 2019, 8:51:44 AM7/11/19

to Stone Edge User Group

Does anybody have details on how the the new PCI mode in 7.050 functions with refunds, added charges, future orders and such? We currently use Miva with PayPal as a credit card processor and capture at checkout.

Thanks!

Alan N. Starrett

Bikeman.com

Paul Christel

unread,

Jul 11, 2019, 9:40:39 AM7/11/19

to Alan Starrett, Stone Edge User Group

If you use PayFlow Pro as your gateway, I’ve been told that it does not support new charges. It can capture against an authorization and issue refunds.

--
You received this message because you are subscribed to the Google Groups "Stone Edge User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to stoneedge+...@googlegroups.com.
To post to this group, send email to ston...@googlegroups.com.
Visit this group at https://groups.google.com/group/stoneedge.
To view this discussion on the web visit https://groups.google.com/d/msgid/stoneedge/d1f420ba-6a53-4d2e-8106-325a04840f8d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

tle...@earthsunmoon.com

unread,

Jul 11, 2019, 11:43:49 AM7/11/19

to Stone Edge User Group

Can this be confirmed? If so, that's a pretty severe limitation.

John Frazar

unread,

Jul 11, 2019, 12:23:34 PM7/11/19

to Stone Edge User Group

It absolutely DOES allow you to create new charges, that would be ridiculous if it didn't. Paul and I were talking about something entirely different.

If you have PCI mode enabled, you can enter a credit card number and perform a transaction at the CC terminal at View Orders or Manual Orders. At that time the card number will be scrubbed and the transaction details will be encrypted and stored. With that transaction (sales, capture, authorization) you will have a transaction ID that you can use to perform additional actions with that transaction in the future (credits, voids, captures, etc.) just like you've always been able to do.

It's important to understand that no credit card processing functionality changed with the introduction of PCI-mode. The major change that PCI mode introduces is that it prevents you from storing full credit card numbers... everything else is the same.

In our research we find that a slight majority of people are not handling transactions at all in SEOM except for credits and voids, which only need a transaction ID. For everyone else, the ability to initiate that transaction, get a transaction ID, then purge the sensitive data is appropriate for most other use cases.

Paul deals with lengthy backorders where he needs to store a full card number on file so he can initiate a credit card transaction months down the road.

Alan - how SEOM functions with PCI-mode should remain the same. You can capture, credit and void transactions in Stone Edge that initiated in Miva.

If you want to be able to create new manual orders for a customer without having to ask them for their credit card number then you should not use PCI-mode because you will no longer have those card numbers available. You need to determine if the convenience of not having to ask for a credit card outweighs the risk of holding on to sensitive cardholder data.

It's important to understand two things 1) PCI-DSS does allow merchants to store card numbers if there is a valid reason to do so (Paul's situation with backorders would be a valid reason). 2) Even without PCI-mode SEOM still encrypts all cardholder data which satisfies the PCI-DSS requirement of taking reasonable measures to secure and protect cardholder data.

I believe this is what Paul is referring to: Payflow Pro has a feature called "referenced transactions" that allows you to use a transaction ID from an old transaction to create a new transaction for a future order. We do not support that with Payflow Pro. However, we do support that with the Braintree (they call it "Cloned Transactions"). We do not have any plans to build support for that for Payflow Pro because we have been told by PayPal that Payflow Pro is dead and being replaced by Braintree. I see no point of investing valuable resources into a solution that is going away, but we have offered to build that for a fee if it's that important.

I hope this clears things up.

John Frazar

tle...@earthsunmoon.com

unread,

Jul 11, 2019, 12:36:27 PM7/11/19

to Stone Edge User Group

John - with Payflow Pro we would occasionally have customers that place an order online (with an auth done at the cart) and then call us up saying that they wanted to add an additional item. Our SOP is to preform a second auth for the additional amount when the customer calls and then capture both when the order ships. Does this mean that we would need the credit card number to preform the second auth?

Paul Christel

unread,

Jul 11, 2019, 12:40:24 PM7/11/19

to Stone Edge User Group

In addition to fulfilling backorders (days, weeks, or months later), we also run into this very often as well.

From: ston...@googlegroups.com [mailto:ston...@googlegroups.com] On Behalf Of tle...@earthsunmoon.com

Sent: Thursday, July 11, 2019 11:36 AM
To: Stone Edge User Group

--

You received this message because you are subscribed to the Google Groups "Stone Edge User Group" group.
To unsubscribe from this group and stop receiving emails from it, send an email to stoneedge+...@googlegroups.com.
To post to this group, send email to ston...@googlegroups.com.
Visit this group at https://groups.google.com/group/stoneedge.

To view this discussion on the web visit https://groups.google.com/d/msgid/stoneedge/90bb8070-968a-427c-8155-ddafffaa1b66%40googlegroups.com.

Mike Yeager

unread,

Jul 11, 2019, 12:58:33 PM7/11/19

to Stone Edge User Group

We've been using the Monsoon SEOM 7.1 CC terminal for a few years. What differences in payment processing would we see moving from 7.1 to the 7.0 PCI mode? Do you have any screenshots of the 7.0 PCI CC terminal?

--Mike Yeager
Production and IT Manager

Phone: 662-498-0012 • Toll-Free: 800-624-6378 • Fax: 662-324-6011

17645 U.S. Highway 82

Mathiston, MS 39752

To view this discussion on the web visit https://groups.google.com/d/msgid/stoneedge/DM6PR16MB264977B76B16C010BB660D2DBEF30%40DM6PR16MB2649.namprd16.prod.outlook.com.

John Frazar

unread,

Jul 11, 2019, 3:22:41 PM7/11/19

to Stone Edge User Group

If your merchant account doesn't allow you to capture or authorize for a higher amount than was originally authorized, then yes, you would have to ask for the card number. Some banks allow this, some don't. This is going to be specific to your account.

Also in the case of back orders, the length of time that authorizations are valid is set by your Merchant account provider.

On Thursday, July 11, 2019 at 12:40:24 PM UTC-4, Paul Christel wrote:

In addition to fulfilling backorders (days, weeks, or months later), we also run into this very often as well.

From: ston...@googlegroups.com [mailto:stoneedge@googlegroups.com] On Behalf Of tle...@earthsunmoon.com
Sent: Thursday, July 11, 2019 11:36 AM
To: Stone Edge User Group
Subject: Re: [Stone Edge User Group] 7.050 PCI mode workflow?

John - with Payflow Pro we would occasionally have customers that place an order online (with an auth done at the cart) and then call us up saying that they wanted to add an additional item. Our SOP is to preform a second auth for the additional amount when the customer calls and then capture both when the order ships. Does this mean that we would need the credit card number to preform the second auth?

On Thursday, July 11, 2019 at 12:23:34 PM UTC-4, John Frazar wrote:

I believe this is what Paul is referring to: Payflow Pro has a feature called "referenced transactions" that allows you to use a transaction ID from an old transaction to create a new transaction for a future order. We do not support that with Payflow Pro. However, we do support that with the Braintree (they call it "Cloned Transactions"). We do not have any plans to build support for that for Payflow Pro because we have been told by PayPal that Payflow Pro is dead and being replaced by Braintree. I see no point of investing valuable resources into a solution that is going away, but we have offered to build that for a fee if it's that important.

--
You received this message because you are subscribed to the Google Groups "Stone Edge User Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to stoneedge+unsubscribe@googlegroups.com.

John Frazar

unread,

Jul 11, 2019, 3:30:05 PM7/11/19

to Stone Edge User Group

Mike,

It's the same as it was before the Monsoon Payment Module was introduced. The original CC Terminal is much easier to use IMHO. However, the "Customer Vault" capabilities are not in v7.0. So if you want to be able to keep credit card numbers on file for future orders, you would need to keep PCI mode turned off. But as I stated earlier, SEOM still secures and encrypts card numbers with or without PCI mode enabled. This means that most SEOM users (Tier 3 and Tier 4 merchants) can still maintain PCI compliance and keep card numbers in the database without PCI mode turn on. PCI-mode provides the extra piece-of-mind knowing that the card numbers are never stored, so in the off chance of a security breech, you're still safe.

John

On Thursday, July 11, 2019 at 12:58:33 PM UTC-4, Mike Yeager wrote:

We've been using the Monsoon SEOM 7.1 CC terminal for a few years. What differences in payment processing would we see moving from 7.1 to the 7.0 PCI mode? Do you have any screenshots of the 7.0 PCI CC terminal?

--Mike Yeager
Production and IT Manager

Phone: 662-498-0012 • Toll-Free: 800-624-6378 • Fax: 662-324-6011
17645 U.S. Highway 82
Mathiston, MS 39752

On Thu, Jul 11, 2019 at 11:40 AM Paul Christel <pchr...@trainsetsonly.com> wrote:

In addition to fulfilling backorders (days, weeks, or months later), we also run into this very often as well.

From: ston...@googlegroups.com [mailto:stoneedge@googlegroups.com] On Behalf Of tle...@earthsunmoon.com
Sent: Thursday, July 11, 2019 11:36 AM
To: Stone Edge User Group
Subject: Re: [Stone Edge User Group] 7.050 PCI mode workflow?

John - with Payflow Pro we would occasionally have customers that place an order online (with an auth done at the cart) and then call us up saying that they wanted to add an additional item. Our SOP is to preform a second auth for the additional amount when the customer calls and then capture both when the order ships. Does this mean that we would need the credit card number to preform the second auth?

On Thursday, July 11, 2019 at 12:23:34 PM UTC-4, John Frazar wrote:

I believe this is what Paul is referring to: Payflow Pro has a feature called "referenced transactions" that allows you to use a transaction ID from an old transaction to create a new transaction for a future order. We do not support that with Payflow Pro. However, we do support that with the Braintree (they call it "Cloned Transactions"). We do not have any plans to build support for that for Payflow Pro because we have been told by PayPal that Payflow Pro is dead and being replaced by Braintree. I see no point of investing valuable resources into a solution that is going away, but we have offered to build that for a fee if it's that important.

--
You received this message because you are subscribed to the Google Groups "Stone Edge User Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to stoneedge+unsubscribe@googlegroups.com.

To post to this group, send email to ston...@googlegroups.com.
Visit this group at https://groups.google.com/group/stoneedge.
To view this discussion on the web visit https://groups.google.com/d/msgid/stoneedge/90bb8070-968a-427c-8155-ddafffaa1b66%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Stone Edge User Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to stoneedge+unsubscribe@googlegroups.com.

Paul Christel

unread,

Jul 11, 2019, 3:47:15 PM7/11/19

to Stone Edge User Group

Yes, when capturing against the original authorization, there is an expiration period. If an entire order is backordered and shipped together, we simply capture against the original authorization (assuming it hasn’t yet expired) upon approval. However, we often ship a partial order now at which time we capture the balance due (would be less than the full authorization in this case). Then, at a later date (could even be the next day), when we fulfill the unshipped portion, we have to charge them again for the shippable-backorder portion. PFP does not allow multiple captures against one authorization, so our current process is to simply initiate another sale. This is also the same process we follow for order additions as described by Tim.

From: ston...@googlegroups.com [mailto:ston...@googlegroups.com] On Behalf Of John Frazar
Sent: Thursday, July 11, 2019 2:23 PM
To: Stone Edge User Group
Subject: Re: [Stone Edge User Group] 7.050 PCI mode workflow?

If your merchant account doesn't allow you to capture or authorize for a higher amount than was originally authorized, then yes, you would have to ask for the card number. Some banks allow this, some don't. This is going to be specific to your account.

Also in the case of back orders, the length of time that authorizations are valid is set by your Merchant account provider.

On Thursday, July 11, 2019 at 12:40:24 PM UTC-4, Paul Christel wrote:

In addition to fulfilling backorders (days, weeks, or months later), we also run into this very often as well.

From: ston...@googlegroups.com [mailto:ston...@googlegroups.com] On Behalf Of tle...@earthsunmoon.com
Sent: Thursday, July 11, 2019 11:36 AM
To: Stone Edge User Group
Subject: Re: [Stone Edge User Group] 7.050 PCI mode workflow?

John - with Payflow Pro we would occasionally have customers that place an order online (with an auth done at the cart) and then call us up saying that they wanted to add an additional item. Our SOP is to preform a second auth for the additional amount when the customer calls and then capture both when the order ships. Does this mean that we would need the credit card number to preform the second auth?

On Thursday, July 11, 2019 at 12:23:34 PM UTC-4, John Frazar wrote:

I believe this is what Paul is referring to: Payflow Pro has a feature called "referenced transactions" that allows you to use a transaction ID from an old transaction to create a new transaction for a future order. We do not support that with Payflow Pro. However, we do support that with the Braintree (they call it "Cloned Transactions"). We do not have any plans to build support for that for Payflow Pro because we have been told by PayPal that Payflow Pro is dead and being replaced by Braintree. I see no point of investing valuable resources into a solution that is going away, but we have offered to build that for a fee if it's that important.

--
You received this message because you are subscribed to the Google Groups "Stone Edge User Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to stoneedge+...@googlegroups.com.

To post to this group, send email to ston...@googlegroups.com.
Visit this group at https://groups.google.com/group/stoneedge.
To view this discussion on the web visit https://groups.google.com/d/msgid/stoneedge/90bb8070-968a-427c-8155-ddafffaa1b66%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--

You received this message because you are subscribed to the Google Groups "Stone Edge User Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to stoneedge+...@googlegroups.com.

To post to this group, send email to ston...@googlegroups.com.
Visit this group at https://groups.google.com/group/stoneedge.

To view this discussion on the web visit https://groups.google.com/d/msgid/stoneedge/222712c0-dca4-431b-87c2-2b2a6e108781%40googlegroups.com.

John Frazar

unread,

Jul 11, 2019, 4:00:19 PM7/11/19

to Stone Edge User Group

It seems clear to me that you're definitely not a candidate to use the PCI mode feature.

On Thursday, July 11, 2019 at 3:47:15 PM UTC-4, Paul Christel wrote:

Yes, when capturing against the original authorization, there is an expiration period. If an entire order is backordered and shipped together, we simply capture against the original authorization (assuming it hasn’t yet expired) upon approval. However, we often ship a partial order now at which time we capture the balance due (would be less than the full authorization in this case). Then, at a later date (could even be the next day), when we fulfill the unshipped portion, we have to charge them again for the shippable-backorder portion. PFP does not allow multiple captures against one authorization, so our current process is to simply initiate another sale. This is also the same process we follow for order additions as described by Tim.

From: ston...@googlegroups.com [mailto:stoneedge@googlegroups.com] On Behalf Of John Frazar
Sent: Thursday, July 11, 2019 2:23 PM
To: Stone Edge User Group
Subject: Re: [Stone Edge User Group] 7.050 PCI mode workflow?

If your merchant account doesn't allow you to capture or authorize for a higher amount than was originally authorized, then yes, you would have to ask for the card number. Some banks allow this, some don't. This is going to be specific to your account.

Also in the case of back orders, the length of time that authorizations are valid is set by your Merchant account provider.

On Thursday, July 11, 2019 at 12:40:24 PM UTC-4, Paul Christel wrote:

In addition to fulfilling backorders (days, weeks, or months later), we also run into this very often as well.

From: ston...@googlegroups.com [mailto:stoneedge@googlegroups.com] On Behalf Of tle...@earthsunmoon.com
Sent: Thursday, July 11, 2019 11:36 AM
To: Stone Edge User Group
Subject: Re: [Stone Edge User Group] 7.050 PCI mode workflow?

John - with Payflow Pro we would occasionally have customers that place an order online (with an auth done at the cart) and then call us up saying that they wanted to add an additional item. Our SOP is to preform a second auth for the additional amount when the customer calls and then capture both when the order ships. Does this mean that we would need the credit card number to preform the second auth?

On Thursday, July 11, 2019 at 12:23:34 PM UTC-4, John Frazar wrote:

I believe this is what Paul is referring to: Payflow Pro has a feature called "referenced transactions" that allows you to use a transaction ID from an old transaction to create a new transaction for a future order. We do not support that with Payflow Pro. However, we do support that with the Braintree (they call it "Cloned Transactions"). We do not have any plans to build support for that for Payflow Pro because we have been told by PayPal that Payflow Pro is dead and being replaced by Braintree. I see no point of investing valuable resources into a solution that is going away, but we have offered to build that for a fee if it's that important.

--
You received this message because you are subscribed to the Google Groups "Stone Edge User Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to stoneedge+unsubscribe@googlegroups.com.

To post to this group, send email to ston...@googlegroups.com.
Visit this group at https://groups.google.com/group/stoneedge.
To view this discussion on the web visit https://groups.google.com/d/msgid/stoneedge/90bb8070-968a-427c-8155-ddafffaa1b66%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

--
You received this message because you are subscribed to the Google Groups "Stone Edge User Group" group.

To unsubscribe from this group and stop receiving emails from it, send an email to stoneedge+unsubscribe@googlegroups.com.

Paul Christel

unread,

Jul 11, 2019, 4:12:56 PM7/11/19

to Stone Edge User Group

Definitely not as currently designed. It’s a shame, because we actually moved to PFP from Authorize.net (I’m guessing this was about 9 years ago) because this was the direction SE was headed (use PFP’s reference transaction capability) to avoid needing to store the card number.

Found this old discussion while Googling for solutions: http://www.stoneedge.net/forum/pop_printer_friendly.asp?TOPIC_ID=9754

We’re in discussions with a consultant to have custom code implemented that should work as we’d like.

Paul

From: ston...@googlegroups.com [mailto:ston...@googlegroups.com] On Behalf Of John Frazar
Sent: Thursday, July 11, 2019 3:00 PM
To: Stone Edge User Group
Subject: Re: [Stone Edge User Group] 7.050 PCI mode workflow?