<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
  <channel>
    
    <title>Braintree Payment Solutions</title>
    <link>http://www.braintreepaymentsolutions.com/rss/</link>
    <language>en-us</language>
    <ttl>40</ttl>
    <description>A blog about PCI DSS Compliance and payment processing including credit cards, echeck, ACH, EFT, payment gateway and credit card data storage.</description>
    
    
        
        <geo:lat>41.904667</geo:lat><geo:long>-87.625044</geo:long><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/braintree" type="application/rss+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
          <title>Account Verification with a Zero Dollar Value authorization request</title>
          <description>&lt;p&gt;&lt;a href="http://www.braintreepaymentsolutions.com/assets/167/Visa_logo.gif"&gt;&lt;img align="right" src="http://www.braintreepaymentsolutions.com/assets/167/Visa_logo.gif" alt="" /&gt;&lt;/a&gt;We've been getting a lot of questions about Visa's new Account Verification service. Hopefully this will help clear things up a little.&lt;/p&gt;
&lt;p&gt;For years, card not present merchants (ecommerce, phone, fax, mail) have needed to verify a cardholder's information upon acceptance when there was a delay between collecting the credit card data and actually charging the card.&amp;nbsp; For example, a merchant may collect the credit card information during the initial sign up process but offer a 30 day trial period before charging the card. In this situation, it's in the best interest of the merchant to verify the cardholder's information including the credit card number, expiration date, address and CVV value for accuracy and legitimacy. The only way of doing this today is by doing a $1.00 authorization (Visa refers to these as Ghost Authorizations). &amp;nbsp; While the authorization does eventually expire, some banks will show the pending $1.00 authorization which leads to merchants inevitably getting support questions regarding an improper charge.&lt;/p&gt;
&lt;p&gt;Visa's new Account Verification program is an alternative to the $1.00 authorization. With this program, a merchant will be able to do a Zero Dollar Value authorization request which can include Address Verification (AVS) and CVV verification. MasterCard has a similar verification process for card not present recurring billing merchants with a $1.00 'test transaction'. Visa is charging for this service but MasterCard is not.&lt;/p&gt;
&lt;p&gt;Interestingly, according to Visa, the problem that merchants have was not the primary driver behind creating the Account Verification program. Visa is trying to eliminate the $1.00 authorization request because it has a negative impact on cardholder spending.&amp;nbsp; For those of us who live in the space and deal with the shortcomings and problems caused by the $1.00 auth, we're pleased with the creation of the Account Verification product whether we (merchants and service providers) were considered or not.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Related posts:&lt;br /&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/Visa-misuse-of-authorization/"&gt;Visa Misuse of Authorization&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/dNX-v9uzOAc" height="1" width="1"/&gt;</description>
          <pubDate>Tue, 09 Jun 2009 14:55:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/Account-Verification-with-a-Zero-Dollar-Value-authorization-request/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/dNX-v9uzOAc/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/Account-Verification-with-a-Zero-Dollar-Value-authorization-request/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Visa Acquirer Processing Fee (APF) and MasterCard Network Access Brand Usage Fee (NABU)</title>
          <description>&lt;p&gt;Increasing fees for existing users of a product or service is never an easy thing. While there is rarely a perfect time to raise prices, there certainly are some times that are better than others.&amp;nbsp; In the midst of some of the most intense dialogs that have taken place over credit card interchange, the fees that merchants pay the issuing banks to accept credit cards, Visa and MasterCard have announced one of the largest fee increases in years.&amp;nbsp; The timing of their fee increase could possibly be written up in a case study as an example of what not to do.&lt;br /&gt;
&lt;br /&gt;
Starting on July 1, 2009, Visa is introducing a U.S. Acquirer Processing Fee (APF). The fee will be $0.0195 on all Visa branded authorizations acquired in the U.S. regardless of where the issuer/cardholder is located. On April 18, 2009, MasterCard implemented a new Network Access and Brand Usage (NABU) fee of $0.0185 for all U.S. based sales and credit/refund transactions.&lt;br /&gt;
&lt;br /&gt;
For merchants that have a larger average ticket of $150, the Visa fee increase is pretty insignificant and amounts to 1 basis point (100 basis points = 1%). For a lower average ticket of $15, it amounts to a more significant 13 basis point increase. &lt;br /&gt;
&lt;br /&gt;
The timing of the fee increase, while bad, may have been strategic in the wake of all the congressional activity surrounding the credit card reform that passed last month. I'm speculating, but I wonder if both Visa and MasterCard, facing some legislative risk, were trying to re-anchor the pricing discussion at a higher starting point in case congressional mood were to turn in favor of the groups lobbying for action. Alternatively, the fee increase could have had nothing to do with this 'chatter' and was fueled by the fact that both are now public companies and need to take care of their shareholders and stock prices.&lt;/p&gt;
&lt;p&gt;I spoke to a Visa representative recently at an industry conference and asked about the fee. I was told that they were increasing the price to more fairly align value created and price. Even if that is the case, and it's quantitatively supported, they need to do a better job selling these measurements with everyone actively engaged in the interchange pricing debate.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/WPfg9DwZ8_Y" height="1" width="1"/&gt;</description>
          <pubDate>Mon, 08 Jun 2009 20:32:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/Visa-Acquirer-Processing-Fee-APF-and-MasterCard-Network-Access-Brand-Usage-Fee-NABU/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/WPfg9DwZ8_Y/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/Visa-Acquirer-Processing-Fee-APF-and-MasterCard-Network-Access-Brand-Usage-Fee-NABU/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Visa Misuse of Authorization</title>
          <description>&lt;p&gt;&lt;a href="http://braintreepaymentsolutions.com/assets/167/Visa_logo.gif"&gt;&lt;img align="right" src="http://braintreepaymentsolutions.com/assets/167/Visa_logo.gif?1231134548" alt="" /&gt;&lt;/a&gt;Starting October 1, 2009, Visa will start assessing a 'misuse' fee for authorizations that are not either settled or reversed within certain timeframes. Visa refers to these as 'ghost authorizations'.&lt;/p&gt;
&lt;p&gt;In the past, merchants frequently performed a $1.00 authorization only (without settlement) for verification and to retrieve address verification (AVS) and CVV match or mismatch information. Visa explains that they're trying to reduce ghost authorizations because they restrict a cardholder's ability to buy and increase declines.&lt;/p&gt;
&lt;p&gt;Here is what merchants will need to do in order to comply with the new processing guideline and avoid the misuse fee. Card present authorizations that have been submitted in error and/or cancelled by the cardholder must be reversed within 24 hours.&amp;nbsp; For card not present transactions, full or partial authorization reversals must be processed within 72 hours.&amp;nbsp; Settlement must occur within 10 days of authorization for all merchants except Travel and Entertainment segments, which must clear within 20 days of authorization regardless of transaction date.&lt;/p&gt;
&lt;p&gt;Visa has stated that they will be monitoring ghost authorizations and reversal levels to prevent abuse of the system and even levying fines in excessive cases. They've not revealed any thresholds or fine potential details.&lt;/p&gt;
&lt;p&gt;As an alternative method to verify cardholder data, Visa has introduced Account Verification which will allow for a Zero Dollar Value authorization request and can include AVS and CVV data. MasterCard has a similar verification process for card not present recurring billing merchants with a $1.00 'test transaction'. Visa is charging for this service but MasterCard is not.&lt;/p&gt;
&lt;p&gt;Yet obstacles remain with the implementation of these new changes. Many of the larger processors do not support authorization reversals and some don't have an ETA yet on supporting Visa or MasterCard's Account Verification services.&amp;nbsp; Many of the Visa and MasterCard issuers (financial institutions that issue the debit/credit cards) are not able to support these services today. Visa has mandated compliance from all their issuers and MasterCard is expected to follow.&lt;/p&gt;
&lt;p&gt;Related blog posts:&lt;br /&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/Account-Verification-with-a-Zero-Dollar-Value-authorization-request/"&gt;Account Verification with a Zero Dollar authorization request&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/gRDe0xA8dd4" height="1" width="1"/&gt;</description>
          <pubDate>Mon, 18 May 2009 14:47:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/Visa-misuse-of-authorization/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/gRDe0xA8dd4/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/Visa-misuse-of-authorization/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Why do merchant account providers ask for a personal guaranty? </title>
          <description>&lt;p&gt;Nearly all &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;merchant account providers&lt;/a&gt; will require that a personal &lt;span id=":8wu" dir="ltr"&gt;guaranty&lt;/span&gt; be signed by the owner(s) before approving an account for &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;credit card acceptance&lt;/a&gt;. Some owners are justifiably reluctant to sign a personal &lt;span id=":8wu" dir="ltr"&gt;guaranty&lt;/span&gt;. After all, that's one of the main reasons a legal entity was set up in the first place: to protect individuals in the organization from being subject to the company's liabilities. Most providers will waive the requirement if a) the company is public, or b) the organization is a registered 501c3 or 501c4, or c) the company's financials are adequate to satisfy the underwriters' concern about the underlying risk.&lt;br /&gt;
&lt;br /&gt;
So where is the risk? Basically, a &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;merchant account provider&lt;/a&gt; is at risk for every dollar that passes through the &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;merchant account&lt;/a&gt; during a 6 month period. Here is a risk scenario:&lt;br /&gt;
&lt;br /&gt;
Widget Company comes out with a new electronic gadget for $30.00.&amp;nbsp; During their first month, sales are over $100,000 and everyone in the company is ecstatic.&amp;nbsp; To try and build upon the momentum, Widget Company decides to spend all their cash on an AdWords campaign.&amp;nbsp; Ten days later, Widget finds out that all the gadgets they sold have a bug and need to be replaced. Widget doesn't have the cash to replace them so they tell customers that they are sorry, they won't be able to honor the 90 warranty that was included.&amp;nbsp; The cardholders who bought those gadgets are going to be unhappy with the response and will call their bank to initiate a chargeback (a formal dispute process). The &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;merchant account provider&lt;/a&gt; will in turn attempt to debit Widget's bank account for the amount being disputed to cover their loss but there are insufficient funds at that point. At that point, the &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;merchant account provider&lt;/a&gt; is financially responsible to refund all those customers who bought the gadget and filed a dispute with their bank.&lt;br /&gt;
&lt;br /&gt;
Merchant account providers face this risk with every product or service sold including services, software, memberships, consulting and anything else that is purchased with a credit card.&amp;nbsp; Therefore, when a merchant account underwriter reviews an account, they try to calculate the risk associated with the account. Their risk analysis will include the merchant's projected sales, the product or service being sold, company history, company financials and owner(s) credit. The exposure window for credit card transactions is six months (or up to 18 months in special circumstances), which is how long a cardholder technically has to dispute a charge (chargeback). This is also why &lt;a href="http://www.braintreepaymentsolutions.com/blog/annual-credit-card-billing-subscriptions/"&gt;annual billing&lt;/a&gt; and lifetime memberships present underwriting and risk challenges. &lt;br /&gt;
&lt;br /&gt;
The example above is an honest mistake.&amp;nbsp; But &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;merchant account providers&lt;/a&gt; are also cognizant of classic merchant account fraud: set up a &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;merchant account&lt;/a&gt;, sell a bunch of goods or services, receive the money within 48 hours and then pack it up and skip town without delivering the items or services that were sold. Without a personal &lt;span id=":8wu" dir="ltr"&gt;guaranty&lt;/span&gt;, the business can declare bankruptcy and the owners would be shielded from any consequence. In this scenario, the personal &lt;span id=":8wu" dir="ltr"&gt;guaranty&lt;/span&gt; is primarily used as a deterrent to prevent bad behavior.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Merchants can always ask for exceptions and underwriters may or may not provide them. There are alternative arrangements that underwriters will occasionally propose in place of a personal guaranty such as a rolling reserve or a fixed amount up front.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/NAgbBD9hkIE" height="1" width="1"/&gt;</description>
          <pubDate>Tue, 03 Feb 2009 21:32:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/Why-do-merchant-account-providers-ask-for-a-personal-guaranty/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/NAgbBD9hkIE/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/Why-do-merchant-account-providers-ask-for-a-personal-guaranty/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Cost of Data Breach up 2.7% </title>
          <description>&lt;p&gt;The &lt;a target="_blank" href="http://online.wsj.com/article/SB123354707064638461.html?mod=todays_us_marketplace"&gt;WSJ reports&lt;/a&gt; that a new Ponemon Institute study found that the cost of a breach was up 2.7% during 2008 to $202 per compromised record. The average expense to an organization was $6.6 million in direct and indirect costs, which includes the cost of notifying victims and maintaining information hot lines as well as legal, investigative and administrative expenses.&lt;/p&gt;
&lt;p&gt;Report Highlights:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Industries with the highest number of breaches: Health care and financial services&lt;/li&gt;
    &lt;li&gt;Most common causes of breaches: negligence, third-party providers, and portable devices including laptops&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The survey examined costs incurred by 43 organizations in 17 industries after a data breach and included breaches of between 4,200 records and more than 113,000.&amp;nbsp;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/dcQsPEM6x1o" height="1" width="1"/&gt;</description>
          <pubDate>Mon, 02 Feb 2009 15:37:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/Cost-of-Data-Breach-up-2.7/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/dcQsPEM6x1o/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/Cost-of-Data-Breach-up-2.7/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Data Breaches up in 2008</title>
          <description>&lt;p&gt;A report out this week by the &lt;a href="http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtml"&gt;Identity Theft Resource Center&lt;/a&gt; claimed that &lt;i&gt;reported&lt;/i&gt; data breaches were up by 47% during 2008, reaching 656. Some interesting highlights (NOTE: this is not only credit card data): &lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Only 2.4% of breaches had encryption or other strong protection in use&lt;/li&gt;
    &lt;li&gt;Only 8.5% had password protection&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;About their method:&lt;/p&gt;
&lt;p&gt;The ITRC tracks five categories of data loss methods: data on the move, accidental exposure, insider theft, subcontractors, and hacking. Subcontractor breaches, while counted as one breach each, in some cases affected dozens of companies. The number of breaches does not reflect the number of companies affected. ITRC uses media, notification lists and government agencies to confirm breaches.&amp;nbsp; To be considered a breach, it must include the loss of personal identifying information like a SSN.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/QkSgRWdxdu0" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 09 Jan 2009 18:44:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/Data-Breaches-up-in-2008/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/QkSgRWdxdu0/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/Data-Breaches-up-in-2008/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Costco, your marketing department has gone rogue</title>
          <description>&lt;p&gt;Costco advertises unbeatable credit card processing rates of 1.64% and 1.99% in their November magazine. The problem? It's like a national long distance provider advertising a flat $.05 per minute that actually only includes your zip code.&lt;/p&gt;
&lt;p&gt;And the first benefit Costco touts regarding their services? &amp;quot;No Hidden Fees&amp;quot;&lt;/p&gt;
&lt;p&gt;Any business that accepts credit cards will tell you that this advertisement is misleading. If a merchant were to actually sign up, expecting to pay these rates, they would be unpleasantly surprised to find out that the &lt;i&gt;actual&lt;/i&gt; rates are:&lt;/p&gt;
&lt;p&gt;* 1.64% and $.20 for swiped transactions &lt;br /&gt;
* 1.99% and $.27 for non swiped transactions &lt;br /&gt;
&lt;b&gt; * 2.96% $.32 for rewards, business, corporate, non-AVS, authorizations not settled within 24 hours, and a host of other conditions.&lt;br /&gt;
* 3.80% $.32 for government or international cards&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;I don't know about you, but that's a minor * that I would want to know about before buying.&lt;/p&gt;
&lt;p&gt;Come on Costco, you're a brand we trust. We realize others in the industry do the exact same thing, but your customers deserve better.&lt;/p&gt;
&lt;p&gt;&lt;img src="http://www.braintreepaymentsolutions.com/assets/253/Costco-no-hidden-fees-08.png" alt="" /&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/wgjAkGnTtis" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 05 Dec 2008 16:47:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/Costco-your-marketing-department-has-gone-rogue/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/wgjAkGnTtis/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/Costco-your-marketing-department-has-gone-rogue/</feedburner:origLink></item>
        
    
        
        <item>
          <title>2008 Credit Card Data Breach Trends</title>
          <description>&lt;p style="text-align: left;"&gt;&lt;img align="right" alt="" src="http://www.braintreepaymentsolutions.com/assets/247/Credit_card_lock.jpg?1228422968" /&gt;I recently listened to a presentation by a security group that performs forensics work when a merchant experiences a credit card data breach.  Here are the breach trends they've seen during 2008:&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Methods of entry - &lt;/b&gt;largely unchanged&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Insecure remote access software&lt;/li&gt;
    &lt;li&gt;SQL injection&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Breaching credit card data&lt;/b&gt; - evolved strategies&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Capturing credit card data in transit over the network between devices&amp;nbsp;&lt;/li&gt;
    &lt;li&gt;Via program modification after a vulnerable application was breached&lt;/li&gt;
    &lt;li&gt;Via collection of Random Access Memory (RAM) contents&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Techniques used&lt;/b&gt; - most apply to software POS&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Key-logging&amp;nbsp;&lt;/li&gt;
    &lt;li&gt;Network sniffers&lt;/li&gt;
    &lt;li&gt;Serial port sniffers&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Case Study&lt;/b&gt;&lt;/p&gt;
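&lt;p&gt;In one case study they shared, the criminal was able to penetrate the network via remote access software. They then installed a debugging tool to collect RAM contents and malware to parse track data. The malware then uploaded the data to a Russian website.&amp;nbsp; The merchant was using a PABP (Payment Application Best Practices) POS that was not collecting prohibited cardholder data. In other words, the track data appears to have been taken from memory while transactions were in progress rather than from stored records, so using a POS that does not store prohibited data was not enough on its own to prevent the breach.&lt;/p&gt;&lt;div class="feedflare"&gt;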
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/np953g9xP10" height="1" width="1"/&gt;</description>
          <pubDate>Tue, 25 Nov 2008 14:13:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/2008-Credit-Card-Data-Breach-Trends/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/np953g9xP10/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/2008-Credit-Card-Data-Breach-Trends/</feedburner:origLink></item>
        
    
        
    
        
    
        
        <item>
          <title>MasterCard interchange changes for Utility, Real Estate and Insurance merchants</title>
          <description>&lt;p style="margin: 0px 0px 12px; font-family: Arial; font-style: normal; font-variant: normal; font-weight: normal; font-size: 12px; line-height: normal; font-size-adjust: none; font-stretch: normal; text-align: left;"&gt;&lt;span style="letter-spacing: 0px;"&gt;&lt;img hspace="6" align="left" src="http://braintreepaymentsolutions.com/assets/165/masterCard.jpg" alt="master card" /&gt;MasterCard announced some changes to their interchange pricing today that will be effective October 3, 2008.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin: 0px 0px 12px; font-family: Arial; font-style: normal; font-variant: normal; font-weight: normal; font-size: 12px; line-height: normal; font-size-adjust: none; font-stretch: normal;"&gt;&lt;span style="letter-spacing: 0px;"&gt;As some quick context if you are new to this. Here is an oversimplification: merchants pay fees to &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;accept credit cards&lt;/a&gt;. Financial institutions that issue credit and debit cards make roughly 75% of the fees that merchants pay (merchant account providers charge the other 25% of the fees). When MasterCard makes changes to 'Interchange', they are adjusting the wholesale pricing of the fees that make up MasterCard and their financial issuing institution's 75% of fees. To the casual observer in this industry - these updates below won't make a lot of sense without some additional context.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Utilities&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Merchants no longer need to register for their Utility Program&lt;/li&gt;
    &lt;li&gt;MC is discontinuing their Service Industries Incentive Program (SIIP). The SIIP program offered a lower discount rate and transaction fee. Utilities will now be charged a fixed fee per transaction which is lower on average than rates paid on SIIP and closer to pin debit rates.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Real Estate&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Discontinuing two Debit interchange categories (Merit III and UCAF), otherwise pricing stays the same.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Insurance &lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Similar to utilities, discontinuing the discounted SIIP rates. Merit III, Merit I Merchant/Full UCAF Debit are no longer eligible.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Telecommunications  &lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Similar to utilities and insurance, discontinuing the discounted SIIP rates &lt;i&gt;but &lt;/i&gt;Merit III, Merit I Merchant/Full UCAF Debit &lt;i&gt;are still eligible&lt;/i&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Related Posts&lt;/b&gt;&lt;br /&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/where-do-credit-card-fees-come-from-cc/"&gt;Where do credit card fees come from?&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/1jMicoE4ktU" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 15 Oct 2008 19:23:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/mastercard-interchange-changes-for-utility-real-estate-and-insurance-merchants/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/1jMicoE4ktU/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/mastercard-interchange-changes-for-utility-real-estate-and-insurance-merchants/</feedburner:origLink></item>
        
    
        
        <item>
          <title>California Data Breach Law Vetoed - Again</title>
          <description>&lt;p&gt;&lt;span style="font-size: 10pt;"&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9116078"&gt;Computer World&lt;/a&gt; reports the following today:&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin-left: 24pt;"&gt;&lt;span style="font-size: 10pt;"&gt;For the second time in 12 months, California Gov. Arnold Schwarzenegger has vetoed &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;taxonomyName=Security&amp;amp;articleId=9114062&amp;amp;taxonomyId=17&amp;amp;pageNumber=1"&gt;proposed legislation&lt;/a&gt; that would have required retailers and other businesses operating in the state to take specific steps to &lt;a href="http://www.braintreepaymentsolutions.com/pci-dss-compliance/"&gt;prevent credit and debit card data from being compromised&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin-left: 24pt;"&gt;&lt;span style="font-size: 10pt;"&gt;The latest version of the bill &amp;mdash; known as the Consumer Data Protection Act, or AB 1656 &lt;a target="new" href="http://www.leginfo.ca.gov/pub/07-08/bill/asm/ab_1651-1700/ab_1656_bill_20080806_amended_sen_v92.pdf"&gt;(download PDF)&lt;/a&gt; &amp;mdash; would also have required retailers that accept payment card transactions to disclose more details about any data breaches to the individuals affected by them. The bill was approved by the California State Assembly on a 74-1 vote last month, a week after the state Senate passed it by a 34-3 margin.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin-left: 24pt;"&gt;&lt;span style="font-size: 10pt;"&gt;But in a veto message that he sent to state legislators on Tuesday &lt;a target="new" href="http://gov.ca.gov/pdf/press/AB1656_Jones_Veto_Message.pdf"&gt;(download PDF)&lt;/a&gt;, Schwarzenegger said he was refusing to sign the bill for the same reasons he &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9042630"&gt;turned down&lt;/a&gt; the original version of the measure last October. &amp;quot;As I stated in last year's veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers,&amp;quot; Schwarzenegger wrote.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin-left: 24pt;"&gt;&lt;span style="font-size: 10pt;"&gt;The governor said that requiring companies to notify consumers about breaches, even when there is no evidence of any personal data actually being stolen, would result in &amp;quot;significant costs&amp;quot; for businesses and the state government. In addition, he said, the controls mandated in AB 1656 would lock companies into current &lt;a href="http://www.braintreepaymentsolutions.com/pci-dss-compliance/"&gt;credit card data security&lt;/a&gt; best practices, creating a disincentive for them to adopt new and more comprehensive industry standards and ensuring that the law would remain &amp;quot;static in the face of future, unseen concerns.&amp;quot;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 10pt;"&gt;Seems like practical, good decision making to me. Nice work Schwarzenegger.&lt;/span&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/uqUsKZ7SlyM" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 03 Oct 2008 22:12:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/california-data-breach-law-vetoed---again/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/uqUsKZ7SlyM/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/california-data-breach-law-vetoed---again/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Annual Credit Card Billing Subscriptions </title>
          <description>&lt;p style="margin: 0px 0px 12px; font-family: Arial; font-style: normal; font-variant: normal; font-weight: normal; font-size: 12px; line-height: normal; font-size-adjust: none; font-stretch: normal;"&gt;&lt;span style="letter-spacing: 0px;"&gt;Coming up with the optimal pricing structure for a product or service is tough. Beyond factors such as competitor pricing and target market price point analysis, merchants need to consider the limitations that accompany collecting money via a credit card.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin: 0px 0px 12px; font-family: Arial; font-style: normal; font-variant: normal; font-weight: normal; font-size: 12px; line-height: normal; font-size-adjust: none; font-stretch: normal;"&gt;&lt;span style="letter-spacing: 0px;"&gt;The reason behind the limitation: financial risk. &amp;nbsp;&lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;Merchant account&lt;/a&gt; providers are on the hook for the money their customers process. For example, if a company accepts 1,000 annual subscriptions at $129 and then declares bankruptcy two months later, the merchant account provider is responsible for paying back the full $129,000 to cardholders when they file chargebacks.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin: 0px 0px 12px; font-family: Arial; font-style: normal; font-variant: normal; font-weight: normal; font-size: 12px; line-height: normal; font-size-adjust: none; font-stretch: normal;"&gt;&lt;span style="letter-spacing: 0px;"&gt;Some merchant account providers will maintain a hardline for anything greater than 30 day &lt;a href="http://www.braintreepaymentsolutions.com/recurring-billing/"&gt;recurring billing&lt;/a&gt; cycles while others with a bigger appetite for risk may allow quarterly, semi-annual or annual billing from the start. This becomes less of an issue if a company has a demonstrated track record and financial strength. &amp;nbsp;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin: 0px 0px 12px; font-family: Arial; font-style: normal; font-variant: normal; font-weight: normal; font-size: 12px; line-height: normal; font-size-adjust: none; font-stretch: normal;"&gt;&lt;span style="letter-spacing: 0px;"&gt;Whatever billing strategy a company pursues, it's a good idea to make sure that all billing intentions and practices are fully disclosed upfront to avoid future problems. &amp;nbsp;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: rgb(0, 0, 0);"&gt;Related: &lt;br /&gt;
Jason Fried of 37signals has a&lt;/span&gt;&lt;span style=""&gt; &lt;a href="http://www.37signals.com/svn/posts/753-ask-37signals-how-do-you-process-credit-cards"&gt;&lt;span style="text-decoration: underline; letter-spacing: 0px;"&gt;good post about their experience with this&lt;/span&gt;&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/7Orm50T5ays" height="1" width="1"/&gt;</description>
          <pubDate>Thu, 02 Oct 2008 20:25:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/annual-credit-card-billing-subscriptions/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/7Orm50T5ays/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/annual-credit-card-billing-subscriptions/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Visa working on payment applications for Android </title>
          <description>&lt;p&gt;&lt;span style="font-size: 10pt; font-family: Arial;"&gt;&lt;!--[if !supportEmptyParas]--&gt;&lt;img height="179" width="100" align="right" alt="" src="http://www.braintreepaymentsolutions.com/assets/166/android_phone.png?1225208457" /&gt;Last month Visa announced that they are moving to alert customers of suspected &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/risk-and-fraud-management/"&gt;credit card fraud&lt;/a&gt; via mobile phone. This week they announced more ambitious plans to build &lt;a href="http://www.braintreepaymentsolutions.com/"&gt;online payment&lt;/a&gt; applications with Nokia for Google&amp;rsquo;s Android. &lt;!--[endif]--&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 10pt; font-family: Arial;"&gt;The goal is to allow users to make remote and contactless payments as well as transfer money. Remote payments should be a marked user convenience, and transferring money is a big move for Visa into a space they've not been in before. The biggest barrier to contactless payments will be the required point of sale upgrades to allow for Near-Field Communications (NFC), where users just wave their phone a few inches from the device.&lt;span style=""&gt; &lt;br /&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/w6KDsXcjBWw" height="1" width="1"/&gt;</description>
          <pubDate>Tue, 30 Sep 2008 19:48:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/visa-working-on-payment-applications-for-android/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/w6KDsXcjBWw/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/visa-working-on-payment-applications-for-android/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Visa Transaction Alerts via email and mobile phone</title>
          <description>&lt;p&gt;&lt;img align="right" src="http://www.braintreepaymentsolutions.com/assets/167/Visa_logo.gif?1225209172" alt="" /&gt;Digital Transactions reports today that in 2009, in an effort to reduce &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/risk-and-fraud-management/"&gt;credit card fraud&lt;/a&gt;, Visa will provide cardholders the ability to be instantly notified via email or text message of any usage of their debit, credit or ATM card.  The service is in beta with a number of U.S. and Canadian banks.&lt;/p&gt;
&lt;p&gt;The system will allow users to set transaction amount notification thresholds. If a transaction is suspicious, users can immediately call an 800 number to report it.  Today it takes 98 days on average to detect identity theft and 72 days for bank card fraud (&lt;a href="http://www.javelinstrategy.com/"&gt;Javelin Research&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;This type of notification service has the potential to dramatically reduce that.  So in short, Visa is shifting fraud screening and prevention costs to cardholders. Nice work Visa.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/nitaN2vrdWo" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 22 Aug 2008 14:12:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/visa-transaction-alerts-via-email-and-mobile-phone/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/nitaN2vrdWo/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/visa-transaction-alerts-via-email-and-mobile-phone/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Gen Y Preferred Online Payment Method</title>
          <description>&lt;p&gt;&lt;img align="right" src="http://www.braintreepaymentsolutions.com/assets/169/paypal_logo.jpg?1225209533" alt="" /&gt;Interesting because I thought PayPal would have much higher preferred status among this demographic.&lt;/p&gt;
&lt;blockquote&gt;Credit Card:      65%&lt;br /&gt;
Debit Card:       22%&lt;br /&gt;
Checking:          8%&lt;br /&gt;
&lt;strong&gt;PayPal:               3%&lt;br /&gt;
&lt;/strong&gt;  Other:                2%&lt;/blockquote&gt;
&lt;p&gt;Generation Y includes those born in 80's to 90's (18 - 28 year olds). Thank you &lt;a href="http://www.firstannapolis.com"&gt;First Annapolis&lt;/a&gt; for the data and &lt;a href="http://www.electran.org" target="_blank"&gt;Transaction Trends&lt;/a&gt; for publishing.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/GUbWYNn01oc" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 13 Aug 2008 13:23:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/gen-y-preferred-online-payment-method/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/GUbWYNn01oc/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/gen-y-preferred-online-payment-method/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Largest indictment of credit card hackers to date</title>
          <description>&lt;p&gt;&lt;img height="223" align="right" width="150" src="http://www.braintreepaymentsolutions.com/assets/168/Credit_card_security.jpg?1225209445" alt="" /&gt;The Justice Department unveiled possibly their largest indictment of credit card data hackers yesterday. Nine people from the U.S., Estonia, Ukraine, China and Belarus are being charged for allegedly stealing over 40 million credit card records from nine retailers.&lt;/p&gt;
&lt;p&gt;They successfully stole credit card data by using &lt;a target="_blank" href="http://en.wikipedia.org/wiki/Packet_sniffer"&gt;'sniffing' &lt;/a&gt;programs on both wireless networks and on cash registers.  Once captured, the criminals would load the data onto the magnetic stripe of blank credit cards and then withdraw cash from ATMs.&lt;/p&gt;
&lt;p&gt;The issuing financial institutions of the stolen cards take large financial losses because cardholders are not responsible for fraud - the issuers are.   For example, the Justice Department reports that at one Dave &amp;amp; Busters restaurant location the sniffing program captured roughly 5,000 cards that resulted in over $600,000 of losses to the financial institutions that issued those cards.&lt;/p&gt;
&lt;p&gt;The affected retailers include Sports Authority, Office Max, BJ's Wholesale Club, Marshall's, T.J. Maxx and a few others.&lt;/p&gt;
&lt;p&gt;Other related posts: &lt;br /&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach/"&gt;The cost of a credit card breach&lt;/a&gt;  &lt;br /&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-basics-for-credit-card-secuirty/"&gt;PCI Compliance basics&lt;/a&gt;  &lt;br /&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/what-does-it-cost-to-become-pci-compliant/"&gt;The cost to become PCI Compliant&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/EGMWnPIdUsg" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 06 Aug 2008 09:39:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/largest-indictment-of-credit-card-hackers-to-date/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/EGMWnPIdUsg/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/largest-indictment-of-credit-card-hackers-to-date/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Tax, Fuel, Debt, Recurring and GSA V/MC Interchange Updates </title>
          <description>&lt;p&gt;&lt;img height="119" width="93" class="alignright size-medium wp-image-218" title="visa-mastercard" src="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2008/07/visa-mastercard.jpg" alt="" /&gt;Visa &amp;amp; MasterCard have announced some pretty significant changes.   Visa is out with two new categories: Debt Repayment and Government to Government. Tax Payment is officially coming out of pilot and interchange reductions at the pump. MasterCard introduces a recurring billing 'preauthorized request' - a great idea.    All these will be effective  October 3rd, 2008:&lt;/p&gt;
&lt;p&gt;&lt;span style="text-decoration: underline;"&gt;&lt;strong&gt;Visa Updates  &lt;br /&gt;
&lt;/strong&gt;&lt;/span&gt;Debt Repayment Programs for U.S. consumer auto loan, credit card, residential mortgage and student loan for &lt;span style="text-decoration: underline;"&gt;debit card only&lt;/span&gt;&lt;strong&gt;. &lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Availability for Financial Institutions Merchandise &amp;amp; Services, Non Financial Foreign Currency Money Orders (no wire transfers) and Travelers Cheques.&lt;/li&gt;
    &lt;li&gt;Cannot be used for bad debt, uncollectible debt, charge-off debt and debt sold to collection agencies.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Fuel &lt;/strong&gt;- Trying to reduce the pain at the pump (and appease angry gas station owners):&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Consumer Debit Cards: a maximum interchange amount is now in place, replacing what was formerly a discount rate and transaction fee that varied with amount.&lt;/li&gt;
    &lt;li&gt;Consumer Credit Cards: lowered by as much as .50 bps on certain cards and consolidated into a single rate for 6 different card types- Automated Fuel Dispenser (AFD) Partial Authorization&lt;/li&gt;
    &lt;li&gt;Partial Authorization: POS Vendors will be required to support this functionality by 10/3/08.  As some context, when a consumer swipes a card today at an AFD an authorization is done for $50 to check validity and availability of funds before approving to pump.  That's referred to as a 'Partial Authorization' so if the consumer only pumps $40 of fuel against the initial $50 authorization, the merchant can capture for the $40.  A problem with that method is that if a check (Signature Debit) or pre-paid card is used and the card does not have the available funds it will be denied.  With the Partial Authorization implemented, the issuer would respond with the available amount instead of denying the transaction.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Tax Payments&lt;/strong&gt; - Visa has had this program in pilot mode for several years now:&amp;nbsp;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Merchants are required to register for this - no sign up fees before April 1, 2009.&lt;/li&gt;
    &lt;li&gt;Existing interchange rates will apply * Interchange rate of $2.50 will apply to consumer debit transactions that are qualified&lt;/li&gt;
    &lt;li&gt;Service or convenience fee may be assessed. Fee can be variable for consumer credit and commercial cards but a flat fee must be charged for consumer debit transactions and may not exceed $3.95 (could they make it any more difficult?)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Commercial Card GSA - &lt;/strong&gt;Introduction of Government-to-Government interchange program (G2G). Level II &amp;amp; III data is not required.&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;$5,000 minimum has been removed * Special interchange rate for transactions over $8,750 is removed with interchange rate increasing .25 bps and $4.&lt;/li&gt;
    &lt;li&gt;GSA Purchase cards will not be available for Commercial Card Level III rates.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;MasterCard&lt;/span&gt;  &lt;br /&gt;
Test transaction for &lt;a href="http://www.braintreepaymentsolutions.com/recurring-billing/"&gt;Recurring Billing&lt;/a&gt; &lt;/strong&gt;&lt;strong&gt;&lt;br /&gt;
&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;$1 authorization for account status before requesting full amount authorization.  (nice work whomever came up with this idea!)&lt;/li&gt;
    &lt;li&gt;What's going on MasterCard?&amp;nbsp; Only 1 Update?&lt;/li&gt;
&lt;/ul&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/braintree?a=JhTjj-2LVdA:QhNe1oQXjsU:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/braintree?a=JhTjj-2LVdA:QhNe1oQXjsU:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?i=JhTjj-2LVdA:QhNe1oQXjsU:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/braintree?a=JhTjj-2LVdA:QhNe1oQXjsU:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?i=JhTjj-2LVdA:QhNe1oQXjsU:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/braintree?a=JhTjj-2LVdA:QhNe1oQXjsU:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/braintree?a=JhTjj-2LVdA:QhNe1oQXjsU:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?i=JhTjj-2LVdA:QhNe1oQXjsU:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/JhTjj-2LVdA" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 23 Jul 2008 13:37:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/tax-fuel-debt-recurring-and-gsa-vmc-interchange-updates/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/JhTjj-2LVdA/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/tax-fuel-debt-recurring-and-gsa-vmc-interchange-updates/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Merchant Account Basics</title>
          <description>&lt;p&gt;There is a lot of confusion surrounding &lt;a href="http://www.braintreepaymentsolutions.com/"&gt;credit card processing&lt;/a&gt; and &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;merchant accounts&lt;/a&gt;.  Some of the most common areas of confusion are the different types of organizations that sell the services, what entities actually process the transactions and the &lt;a href="http://www.braintreepaymentsolutions.com/blog/where-do-credit-card-fees-come-from-cc/"&gt;fees and pricing&lt;/a&gt; structures that continue to form an unsolvable mystery for most merchants. I'm going to provide a broad overview that will hopefully help make sense of this complicated industry.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The necessity of merchant accounts &lt;br /&gt;
&lt;/strong&gt; Some merchants prefer accepting credit cards because they are a much more convenient and cost effective way of collecting payments from customers. Other merchants, while it still may be convenient, struggle to pay the relatively high fees on their already- thin margins. Either way, merchants can make a number of improvements in their credit card processing by becoming more informed.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Providers of merchant accounts&lt;/strong&gt; &lt;br /&gt;
If you want to get a new merchant account or switch from your existing provider, one thing is for sure: there is no shortage of companies that are anxious to earn your business. You can find merchant service providers by looking in the yellow pages, searching online, talking to your bank, or just waiting for the next sales person to either call you or walk into your business (which shouldn't be long). The key is choosing the RIGHT provider for your business.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Not all service providers are made equal&lt;/strong&gt; &lt;br /&gt;
There are really two types of merchant service providers: processors and resellers (resellers are known in the industry as Independent Sales Organizations (ISO's) and/or Merchant Service Providers (MSP's)). Your first thought is probably that you would rather go with a processor to cut out the middle man, but I'll show you why it's not that clean cut. Before I started Braintree, I worked for a processor and saw first hand some of the limitations they had in providing solutions to merchants. I'll provide more detailed descriptions of both options and then offer an assessment of their differences.  &lt;br /&gt;
&lt;br /&gt;
1) &lt;strong&gt;Processors&lt;/strong&gt; - Also known as Acquirers, processors are distinguished by their ability to actually process a transaction. To be a processor, a company must have the technical capability to receive transaction data from a merchant via a telephone line or the internet and then communicate with the appropriate financial institutions to approve or decline transactions. Processors must also be able to settle completed transactions through financial institutions in order to deposit funds into the merchant's bank account.  &lt;br /&gt;
&lt;br /&gt;
The processing industry is highly concentrated with the top five processors maintaining over 70% of all transaction volume. Processors can be banks or non-banks.  While processors do maintain a direct sales force of their own, they primarily work through ISOs to acquire and maintain their merchant base. A processor's business model is really one of economies of scale. They're volume shops. They essentially outsource the sales function to ISOs.  I don't have data on this but I would guess that over 80% of the 7 million U.S. merchants work with an ISO.  &lt;br /&gt;
&lt;br /&gt;
Below is a simple diagram of the transaction flow. I took the liberty of putting my company in the value chain, but because Braintree is an ISO, there is a processor behind the scenes doing the actual transaction processing. Because most everything is private labeled, it's difficult for most merchants to discern whether  their service provider is a processor or an ISO. Be careful not to be improperly influenced by this.  Most sales people try to use the 'we are the processor' line to gain additional credibility when in reality it doesn't  really matter.&amp;nbsp;&lt;/p&gt;
&lt;p style="text-align: center;"&gt;&lt;img alt="" src="http://www.braintreepaymentsolutions.com/assets/152/Transaction-Process-Flow.gif?1224867034" /&gt;&lt;/p&gt;
&lt;p style="text-align: center;"&gt;&lt;img height="166" width="470" align="middle" src="http://braintreepaymentsolutions.com/assets/152/Transaction-Process.png" alt="" /&gt;&lt;/p&gt;
&lt;p style="text-align: left;"&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;2) ISOs -&lt;/strong&gt; ISOs resell the products or services of one or multiple processors. They can also develop their own or aggregate other value added products and services. ISO's range from a little sketchy to best in class providers.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
There are two types of ISOs:  &lt;/strong&gt;&lt;br /&gt;
a. &lt;strong&gt;Banks&lt;/strong&gt; - Banks of all shapes and sizes are ISOs. Wells Fargo, for example, is an ISO of First Data. Your local community and large regional banks are most likely ISOs. Banks entered into the merchant services business because it was a natural fit with their product and service offerings. It's a way to increase revenue per customer. Most, but not all banks, will private label the services so that it's difficult to distinguish whether they are a processor or ISO. The benefit of working with a bank is that you can consolidate your financial services.  The drawback is that you usually get out of the box solutions and service. &lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-size: 12pt;"&gt; &lt;span&gt; &lt;/span&gt;&lt;span&gt; &lt;/span&gt;&lt;/span&gt;  b. &lt;strong&gt;Non-banks&lt;/strong&gt; - These types of ISOs range from some of the most dynamic and capable providers to firms who don't represent the industry very well.  &lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Industry Dynamics &lt;/strong&gt;There are a few dynamics that make the industry landscape quite interesting.&lt;span style="font-size: 12pt;"&gt; &lt;/span&gt;First, there are few barriers to entry due to the lack of certifications, licenses, and capital requirements. Secondly, there really is no active regulatory body that oversees and enforces acceptable practices. So naturally, with these two market conditions, merchants need to be mindful and thorough in selecting a provider.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
Processors versus ISOs&lt;/strong&gt;&lt;strong&gt;&lt;span style="font-size: 12pt;"&gt; &lt;/span&gt;&lt;/strong&gt; In comparing the two, ISOs offer all of the products and services that processors do (because they are reselling) but processors can't always offer the same products and services as ISOs.  This is because ISOs can resell for multiple processors and can either develop their own technologies or aggregate solutions from other providers.  ISOs have largely been the most successful creators of value-added services while attempts by processors have usually been pretty clunky.  ISO's also tend to be smaller, which usually (but not always) leads to better customer service.  &lt;br /&gt;
&lt;br /&gt;
Processors are usually a safer bet for newer merchants that are still learning about the industry. Most still maintain what I consider less-than-upfront pricing practices, but with their services it is less common to hear about some of the more serious problems that merchants encounter when they deal with the wrong ISO.  As for price, in most cases, there really is very little to no difference.  I argue, and fully disclose my vested interest, that in nearly any situation a best in class, non-bank ISO can provide more value than a processor.  For some other considerations about what to bear in mind when evaluating different providers, you can read &lt;span style="text-decoration: underline;"&gt;&lt;a href="http://braintreepaymentsolutions.com/blog/merchant-services/how-to-choose-a-merchant-service-provider/"&gt;How to choose a merchant service provider&lt;/a&gt;&lt;/span&gt;.  &lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Business specific merchant accounts &lt;/strong&gt; The rates, terms, and conditions of your merchant account will largely depend on your type of business and the provider you choose. Business types are first divided into two buckets: card present (swiped) and card-not-present (non-swiped). Card present merchants, such as restaurants and brick and mortar retailers are low risk and have fairly simple needs. Card-not-present merchants are much more difficult because the risk level is substantially higher when people are transacting business via the internet, telephone, etc.  Other risk factors that will affect your merchant account are the types of goods that you're selling, delivery times, whether or not a deposit is required, and about 20 other variables. Most underwriting groups use some sort of &lt;span style="text-decoration: underline;"&gt;&lt;a href="http://www.investopedia.com/terms/a/actuarialrisk.asp"&gt;actuarial model&lt;/a&gt;&lt;/span&gt; to determine their guidelines.  &lt;br /&gt;
&lt;br /&gt;
To give you an idea of one risk merchant service providers face, here is an example. Let's say that you sell $100,000 in books online. Within 48 hours of selling those items, the customer's money is deposited into your bank account. If you take that $100k and skip town without shipping the books to the people who bought them, the merchant service provider is stuck with the $100k bill because customers are going to contest and win the charge with their banks. So for a few hundred dollars a month in revenue, the risk better be pretty manageable for the provider.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
Paperwork and underwriting &lt;/strong&gt; Most companies have a two page application that will require you to fill out both personal and business information. Many people are justifiably concerned about giving out personal information including their social security number. However, unless you are a publicly traded or non-profit, I don't know of a merchant provider that will underwrite a business without it.  When asked why all of the personal information is needed, most companies will point to the Patriot Act that was passed in Congress shortly after 9/11. It basically requires all financial institutions, which include credit card processors, to collect specific identifying information about their customers. &lt;a href="http://www.gcglaw.com/resources/financial/identification.html"&gt;Click here&lt;/a&gt; for more information on this.  You will also be required to sign a personal guarantee before the application is approved. &lt;br /&gt;
&lt;br /&gt;
Most business owners will respond that they incorporated so that they wouldn't be required to sign a personal guarantee. The underwriter will respond by asking why they should have more faith in your business than you do. Both sides have valid points. I think that the issue boils down to whether or not the business will deliver the goods or services that were purchased under the accepted terms and conditions. The personal guarantee is not so much useful in collecting money, but instead used as a deterrent against fraudulent and irresponsible behavior.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
Be Careful&lt;/strong&gt; As you can see in this very high level introduction to the industry, there are a lot of complexities and much to learn. You can also read my post on &lt;a href="http://braintreepaymentsolutions.com/blog/featured/some-advice-to-help-you-avoid-common-mistakes/" target="_blank"&gt;Some advice to help you avoid common mistakes. &lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/braintree?a=wXNa-6JXkBE:A0SR8buhmfc:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/braintree?a=wXNa-6JXkBE:A0SR8buhmfc:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?i=wXNa-6JXkBE:A0SR8buhmfc:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/braintree?a=wXNa-6JXkBE:A0SR8buhmfc:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?i=wXNa-6JXkBE:A0SR8buhmfc:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/braintree?a=wXNa-6JXkBE:A0SR8buhmfc:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/braintree?a=wXNa-6JXkBE:A0SR8buhmfc:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?i=wXNa-6JXkBE:A0SR8buhmfc:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/wXNa-6JXkBE" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 11 Jul 2008 07:00:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/merchant-account-basics/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/wXNa-6JXkBE/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/merchant-account-basics/</feedburner:origLink></item>
        
    
        
        <item>
          <title>PCI DSS Requirement 6.6 - Code Review or Web Application Firewall (WAF)</title>
          <description>&lt;p&gt;The deadline to comply with &lt;a href="http://www.braintreepaymentsolutions.com/pci-dss-compliance/"&gt;PCI DSS&lt;/a&gt; Requirement 6.6 was June 30th, 2008.   Merchants have been given two options:&lt;/p&gt;
&lt;blockquote&gt;1. Have all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.&lt;br /&gt;
2. Install an application-layer firewall in front of web-facing applications.&lt;/blockquote&gt;
&lt;p&gt;The driver behind this new requirement is that a large percentage of &lt;a title="credit card breaches" href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach/" target="_blank"&gt;credit card breaches&lt;/a&gt; are due to SQL Injection, Cross Site Scripting (XSS) and Buffer Overflow attacks.  The intent of this requirement is to eliminate those vulnerabilities, which would contribute to a significant reduction in breaches.  Of the two options, only the code review leads to a flaw being fixed in the application itself; an application-layer firewall filters attack traffic in front of the application, so it has to be kept tuned and monitored and works best alongside fixing the code.  Here is the Information Supplement supplied by the PCI Security Standards Council.&lt;/p&gt;
&lt;div&gt;&lt;object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="200" height="200" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"&gt;&lt;param name="allowScriptAccess" value="always" /&gt;&lt;param name="src" value="http://static.issuu.com/webembed/viewers/style1/v1/IssuuViewer.swf?mode=preview&amp;amp;previewLayout=white&amp;amp;username=braintree&amp;amp;docName=pa-dss_press_release&amp;amp;documentId=080416160711-defc456175344ef490d68b97880184be&amp;amp;autoFlip=true&amp;amp;backgroundColor=ffffff&amp;amp;layout=white" /&gt;&lt;embed type="application/x-shockwave-flash" width="200" height="200" src="http://static.issuu.com/webembed/viewers/style1/v1/IssuuViewer.swf?mode=preview&amp;amp;previewLayout=white&amp;amp;username=braintree&amp;amp;docName=pa-dss_press_release&amp;amp;documentId=080416160711-defc456175344ef490d68b97880184be&amp;amp;autoFlip=true&amp;amp;backgroundColor=ffffff&amp;amp;layout=white" allowscriptaccess="always"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;
&lt;div&gt;Other related posts:&lt;/div&gt;
&lt;div&gt;&lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach/"&gt;The cost of a credit card breach&lt;/a&gt;&lt;/div&gt;
&lt;div&gt;&lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-basics-for-credit-card-secuirty/"&gt;PCI Compliance basics&lt;/a&gt;&lt;/div&gt;
&lt;div&gt;&lt;a href="http://www.braintreepaymentsolutions.com/blog/what-does-it-cost-to-become-pci-compliant/"&gt;The cost to become PCI Compliant&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/braintree?a=bZ32qVXBLa4:5ZEcOlKrCC0:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/braintree?a=bZ32qVXBLa4:5ZEcOlKrCC0:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?i=bZ32qVXBLa4:5ZEcOlKrCC0:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/braintree?a=bZ32qVXBLa4:5ZEcOlKrCC0:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?i=bZ32qVXBLa4:5ZEcOlKrCC0:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/braintree?a=bZ32qVXBLa4:5ZEcOlKrCC0:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/braintree?a=bZ32qVXBLa4:5ZEcOlKrCC0:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?i=bZ32qVXBLa4:5ZEcOlKrCC0:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/bZ32qVXBLa4" height="1" width="1"/&gt;</description>
          <pubDate>Thu, 10 Jul 2008 14:09:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/pci-dss-requirement-66-code-review-or-web-application-firewall-wap/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/bZ32qVXBLa4/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/pci-dss-requirement-66-code-review-or-web-application-firewall-wap/</feedburner:origLink></item>
        
    
        
        <item>
          <title>What does it cost to become PCI Compliant?</title>
          <description>&lt;p&gt;The cost of becoming &lt;a href="http://www.braintreepaymentsolutions.com/pci-dss-compliance/"&gt;PCI DSS Compliant&lt;/a&gt; depends on a number of factors including your business type, number of transactions processed annually, existing IT infrastructure, and current credit/debit card processing and storage practices.&amp;nbsp;Gartner estimates that during 2007, the nation's largest merchants, classified as Level 1  (processing in excess of 6 million transactions of a single card type per year), will spend $125,000 assessing the scope of required PCI-related work and another  $568,000 to meet the requirements. &lt;br /&gt;
&lt;br /&gt;
As an example, Robin Sidel and Pui-Wing Tam of the WSJ &lt;a href="http://online.wsj.com/article/SB119128527341745878.html"&gt;recently reported&lt;/a&gt; that &lt;a href="http://www.guitarcenter.com/"&gt;Guitar Center&lt;/a&gt;, a national retailer of 210 stores, recently spent nearly $500,000 to become compliant.  Gartner also concluded that Level 2 merchants, those processing  between 1 and 6 million annual transactions, will spend $105,000 to determine scope and another $267,000 for compliance. Level 3 merchants, processing between 20,000 and 1,000,000 e-commerce transactions, are expected to spend $44,000 assessing and $81,000 for compliance.  The costs associated with Level 4 merchants, those doing less than 20,000 ecommerce transactions or up to 1,000,000  non-ecommerce transactions, vary widely.  &lt;br /&gt;
&lt;br /&gt;
Only Level 1 merchants are required to have an on-site audit. Levels 2, 3 and 4 need to fill out the &lt;a href="http://www.braintreepaymentsolutions.com/blog/updated-pci-dss-self-assessment-questionnaire-saq-version-11/"&gt;Self Assessment Questionnaire&lt;/a&gt; and sign up for a &lt;a href="http://www.braintreepaymentsolutions.com/blog/vulnerability-and-security-assessment-scans-for-pci-dss-compliance/"&gt;quarterly scan&lt;/a&gt; to check vulnerabilities on all outward-facing IP addresses.   A rough estimate for the scans is $150 to $2,500 per IP address per year.  &lt;br /&gt;
&lt;br /&gt;
Other costs may include software and hardware upgrades if information is stored in house.  Gartner estimates that a company with 100,000 credit cards on file will pay $6 dollars in encryption costs per card.  Alternatively, merchants can use technologies such as tokenization where the data storage is remote, which typically have per transaction fees instead of upfront costs.  All of these estimates exclude the cost of labor and the opportunity cost of pursuing other profit-making endeavors.  &lt;br /&gt;
&lt;br /&gt;
Smaller restaurants and retailers that only have a single terminal or POS system are still required to become compliant. Both need to fill out the Self Assessment Questionnaire, but the compliance process is usually much less involved. Merchants that are using POS systems to process credit cards need to make sure they are not improperly storing prohibited card data and need to verify that their vendor is PABP compliant (soon to become PA DSS).   To verify that your POS system is not storing prohibited information and is compliant, see this updated list, which was published in &lt;a href="http://www.braintreepaymentsolutions.com/blog/visa-mandates-that-merchants-eliminate-the-use-of-vulnerable-payment-applications/"&gt;November 2007&lt;/a&gt;.  Some merchants such as &lt;a href="http://online.wsj.com/article/SB119042666704635941.html?mod=sphere_ts"&gt;Brad Friedlander&lt;/a&gt;, a restaurant owner in Cleveland with two stores, paid $50,000 on technology upgrades to become compliant. Any merchant that accepts, stores, or processes credit card information is required to already be compliant. &lt;br /&gt;
&lt;br /&gt;
The Card Associations have determined specific dates about when merchants need to validate compliance. Level 1 merchants were required to validate compliance by &lt;a href="http://www.braintreepaymentsolutions.com/blog/sept-30-deadline-passes-for-pci-compliance/"&gt;9/30/07&lt;/a&gt;. Level 2 are expected to validate compliance by &lt;a href="http://www.braintreepaymentsolutions.com/blog/dec-31-2007-is-the-next-big-pci-compliance-deadline/"&gt;12/31/07&lt;/a&gt;.  Level 3 and 4 validation deadlines will come, but at this point they have been left up to the merchant's specific acquirer to be determined.  Not only is becoming compliant not optional, but Card Associations have threatened larger merchants with the imposition of monthly fines until compliance is obtained.   They've also threatened to increase the cost of interchange, which would increase these merchants' processing costs.  But perhaps most importantly, the Card Associations will levy fines and penalties if a merchant is not PCI Compliant at the time of breach. The fines can be devastating to merchants. I've written about two breaches, both of which had significant consequences. One merchant is &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach/"&gt;large&lt;/a&gt;, the other is &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-related-fines-for-breaches-at-small-businesses/"&gt;small&lt;/a&gt;.  &lt;br /&gt;
&lt;br /&gt;
In addition, merchants face remediation and discovery costs that can be just as costly, if not more so, than the fines. For a cumulative number, Gartner estimates that the cost of a data security breach can range from &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-basics-for-credit-card-secuirty/"&gt;$90 to $305 per customer record&lt;/a&gt;.  Some merchants are frustrated about the PCI requirements, while others see them as basic security requirements that should already be in place. A common misconception is that compliance equals security, but a number of recent breaches have proven that not to be the case.  Other related posts: &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-basics-for-credit-card-secuirty/"&gt;PCI DSS Compliance&lt;/a&gt; basics for credit card security &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach/"&gt;PCI DSS Compliance&lt;/a&gt; and the cost of a credit card breach  Braintree solutions: The Smart Approach to &lt;a href="http://www.braintreepaymentsolutions.com/pci-compliance.php"&gt;PCI DSS Compliance&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/braintree?a=6WxhFxKDjWE:I7Xwkdu-UZg:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/braintree?a=6WxhFxKDjWE:I7Xwkdu-UZg:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?i=6WxhFxKDjWE:I7Xwkdu-UZg:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/braintree?a=6WxhFxKDjWE:I7Xwkdu-UZg:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?i=6WxhFxKDjWE:I7Xwkdu-UZg:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/braintree?a=6WxhFxKDjWE:I7Xwkdu-UZg:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/braintree?a=6WxhFxKDjWE:I7Xwkdu-UZg:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/braintree?i=6WxhFxKDjWE:I7Xwkdu-UZg:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/6WxhFxKDjWE" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 25 Jun 2008 16:18:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/what-does-it-cost-to-become-pci-compliant/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/6WxhFxKDjWE/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/what-does-it-cost-to-become-pci-compliant/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Where do credit card fees come from?</title>
          <description>&lt;p&gt;&lt;a title="Visa &amp;amp; MasterCard" href="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2007/12/visa-mastercard.jpg"&gt;&lt;img class="alignRight" src="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2007/12/visa-mastercard.jpg" alt="" /&gt;&lt;/a&gt;It is known by some, but not all, that businesses pay fees in order to accept credit cards as a form of payment. In fact, over 7 million merchants in the U.S. accept credit cards. During 2006 they collectively paid over 30 billion in credit card acceptance fees.&lt;/p&gt;


	&lt;p&gt;Despite the size of the industry, it&amp;#8217;s a mystery to most who is pocketing all this money and how prices are determined and reported.  I had a &lt;span class="caps"&gt;CPA&lt;/span&gt; tell me the other day, &amp;#8220;I&amp;#8217;m a smart guy. I understand numbers, pricing and reconciliation, but for whatever reason I just cannot get my head around credit card processing fees and the unbelievably complicated way companies report them.&amp;#8221; He&amp;#8217;s not alone.  Hopefully this article will clear up some of that confusion as I provide some context about where credit card fees come from, who&amp;#8217;s making the money, and how fees and rates are determined.&lt;/p&gt;


	&lt;p&gt;&lt;strong&gt;Issuing Financial Institutions make roughly 85% of all credit and debit card processing fees&lt;/strong&gt;
The financial institutions that issue credit and debit cards are the biggest beneficiaries.  Some financial institutions such as banks co-issue debit and credit cards with Visa and/or MasterCard while others such as American Express and Discover issue them directly (though after years of litigation, some banks are now issuing American Express cards to cardholders).   Visa and MasterCard are now public membership associations owned by the issuing banks, and collectively own roughly 75% of the credit cards in the market.  For example, Visa is a membership association of over 13,000 banks nationwide.&lt;/p&gt;


	&lt;p&gt;These issuing financial institutions make money every time a card they issued is used to purchase something. For example, let&amp;#8217;s assume that a business is paying an effective rate of 3.5% to accept credit cards (that 3.5% is usually comprised of a discount rate and a per transaction fee but I just used a flat rate for simplification purposes). Roughly 85% of that 3.5% is going to the issuing bank. The remaining 15% is divided among Visa or MasterCard, the credit card processor, and if there is one, the Independent Sales Organization (ISO).&lt;/p&gt;


	&lt;p&gt;&lt;strong&gt;How do financial institutions justify their fees?&lt;/strong&gt;
Credit card usage has seen explosive growth in the past 20 years for a number of reasons.  Benefits of using plastic include 15 to 45 days to pay original purchases, rewards, a line of credit for extra spending power, fraud protection, a monthly accounting of all purchases and general convenience.  The use of Purchase Cards by Corporations or the government (GSA) has also been growing rapidly to lower the cost and to streamline Accounts Receivable and Payables.&lt;/p&gt;


	&lt;p&gt;An example of some of the costs these financial institutions incur providing and maintaining card holders include fraud, bad debt, customer support, rewards and other perks, and float (they pay for your purchases before you pay them). Usage rewards alone account for roughly 40% of the fees they generate and end up back in the pockets of cardholders. They fiercely compete for new cardholders primarily on their rewards programs.&lt;/p&gt;


	&lt;p&gt;Continuing our example from above, if you buy movie tickets for $20 and the movie theater is paying 3.5%, the financial institution that issued that credit card would make $0.60 ($20&amp;#215;3.5% = $0.70, x 85% equals $0.60). Visa and MasterCard add their respective fees of .0925% and .0950% on top of what the banks charge (Note: that&amp;#8217;s 9.25 and 9.50 basis points. 100 basis points equals 1%).  Adding the fees from the bank and Visa or MasterCard together form what is called &amp;#8216;interchange&amp;#8217;.&lt;/p&gt;


	&lt;p&gt;You now understand why you find a credit card offer in your mailbox everyday. Outside of the 18% interest rates, annual fees, and late fees, being a card issuer is a lucrative business! The issuing institutions are making money on both the front and back end.&lt;/p&gt;


	&lt;p&gt;&lt;strong&gt;That seems simple enough, why does everyone say it&amp;#8217;s so complex?&lt;/strong&gt;
From a high level, the rate structure seems pretty simple, but it gets messy fast once we get into the details. There are over 100 different interchange &amp;#8216;rates&amp;#8217; or &amp;#8216;categories&amp;#8217;. The particular rate that is charged on any given transaction depends on a number of variables, including:&lt;/p&gt;


	&lt;p&gt;1) The type of card that is used in the transaction i.e. debit, credit, rewards, or business card, international, etc.
2) Where the card is used i.e. restaurant, retail, gas, business to business, ecommerce, etc.
3) The method of usage i.e. swiped, over the phone, or via ecommerce.
4) What information the business captures during the transaction i.e. name, address, tax ID, tax amount, unit description, etc. (the information required is a whole other layer of complexity).
5) When the transaction is submitted to the processor for settlement and funds transfer after the initial authorization.&lt;/p&gt;


	&lt;p&gt;As you can see, it&amp;#8217;s a very complicated matrix. Very few people, including those who&amp;#8217;ve been in the industry for years, really understand interchange.&lt;/p&gt;


	&lt;p&gt;&lt;strong&gt;Qualifying for different rate categories and getting hit with downgrades &lt;/strong&gt;
Merchants can often do more than they think to better manage the credit card fees they pay.   For example, transactions can be &amp;#8216;downgraded&amp;#8217; (penalized) when they don&amp;#8217;t meet interchange requirements.  Example reasons for downgrades include not capturing the correct information when processing (such as billing zip), settling the transaction after a certain period of time, not swiping the transaction and many more. Learning how to recognize these penalties and then making the appropriate adjustments can help you lower the fees that are paid.&lt;/p&gt;


	&lt;p&gt;One downgrade example: if a restaurant employee hand-keys a credit card number into the point of sale system because the magnetic strip can&amp;#8217;t be read, the transaction falls into a different and higher rate category. The transaction is penalized because &amp;#8216;non swiped&amp;#8217; transactions carry more risk and therefore higher interchange fees. The increase in rate can be significant, ranging from 30 basis points to 2%, or more, depending on how the service provider has the account priced.&lt;/p&gt;


	&lt;p&gt;Different rate categories and downgrades are the dirty little secret for merchant service providers. It&amp;#8217;s where they make most of their margin because they offer artificially low rates and don&amp;#8217;t disclose higher markups on transactions that don&amp;#8217;t fall into a specific rate category. Too many merchants fall for this and think they&amp;#8217;re paying the single, highly competitive rate that was advertised.&lt;/p&gt;


	&lt;p&gt;A quick search of merchant service providers will demonstrate that non disclosure of fees is a standard practice.  &lt;a href="http://www.braintreepaymentsolutions.com/blog/rule-breakers-in-the-credit-card-processing-industry/"&gt;See two examples here.&lt;/a&gt;&lt;/p&gt;


	&lt;p&gt;&lt;strong&gt;The undecipherable monthly credit card statement&lt;/strong&gt;
As icing on the cake, the unreadable format most merchant service providers use to present this information to you on a monthly basis doesn&amp;#8217;t help. Of course, the format used is not because they have no other option, it&amp;#8217;s because that&amp;#8217;s what makes them the most amount of money.&lt;/p&gt;


	&lt;p&gt;&lt;strong&gt;The frustration with credit card fees&lt;/strong&gt;
Some merchants accept credit cards because they find them to be an easier and more efficient method of accepting money from customers.  Most merchants, however, accept them because they have no other choice. Many merchants and advocacy groups have cried foul lately with Visa and MasterCard increasing &amp;#8216;interchange&amp;#8217; fees over 117% in the past five years while maintaining over 75% market share. The Card Associations have been accused of being monopolistic.&lt;/p&gt;


	&lt;p&gt;&lt;strong&gt;Interchange has come under increased pressure lately&lt;/strong&gt;
A few years ago, Wal-Mart won a class action lawsuit against Visa and MasterCard. They claimed that debit card interchange was being improperly priced because it had the same interchange rate as credit cards. Among other things, they argued that debit cards should have a lower interchange rate because money comes directly out of the cardholder&amp;#8217;s account versus a credit card where there is 15 to 45 days between purchase and payment. The courts agreed and awarded Wal-Mart and other retailers billions of dollars in compensatory damages.   There are currently a number of other legal battles against the Card Associations surrounding interchange.&lt;/p&gt;


	&lt;p&gt;&lt;strong&gt;
&lt;/strong&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/3xYw4DUlFWg" height="1" width="1"/&gt;</description>
          <pubDate>Thu, 12 Jun 2008 07:00:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/where-do-credit-card-fees-come-from-cc/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/3xYw4DUlFWg/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/where-do-credit-card-fees-come-from-cc/</feedburner:origLink></item>
        
    
        
        <item>
          <title>ACH and e-check validation and processing </title>
          <description>&lt;p&gt;&lt;a href="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2008/05/e-check-processing-and-validation.jpg"&gt;&lt;img width="300" height="202" alt="" src="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2008/05/e-check-processing-and-validation-300x202.jpg" title="e-check-processing-and-validation" class="alignright size-medium wp-image-215" /&gt;&lt;/a&gt;  &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/echeck-and-ach/"&gt;E-checks and ACH debits&lt;/a&gt; are not direct alternative payment types to credit cards. This is primarily due to their respective validation and authorization capabilities.  &lt;br /&gt;
&lt;br /&gt;
With a credit card, a merchant can submit a request to the issuing financial institution and the approval or decline is returned in under 3 seconds. That 'authorization amount' is then guaranteed to the merchant for up to 30 days (depending on the institution and card type).  With an e-check or ach debit, there is 'no real time validation' capability. &lt;br /&gt;
&lt;br /&gt;
The closest thing to it is  'networks' owned by bank and company conglomerates that serve up a 'scoring' system based on shared data.  They use this information to make their best prediction regarding whether an account is open or closed. If there is insufficient information to provide a score, that response is provided as well. &lt;br /&gt;
&lt;br /&gt;
These networks typically cover a high percentage of financial institutions (~95%).  The most important thing to note however is that no &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/echeck-and-ach/"&gt;e-check or ACH&lt;/a&gt; validation service verifies sufficient or insufficient funds. Even if it could, an authorization request can't 'hold' or 'guarantee' the funds like a credit card transaction.  These limitations are why &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/echeck-and-ach/"&gt;e-check and ACH payment methods&lt;/a&gt; have not been as widely adopted as credit cards. &lt;br /&gt;
&lt;br /&gt;
They are great payment types for 'trusted' payments such as &lt;a href="http://www.braintreepaymentsolutions.com/recurring-billing/"&gt;recurring billing&lt;/a&gt; for gym membership and utilities, etc. but inadequate for ecommerce or other 'arms length' transactions.  Realizing these shortcomings, the industry has been trying to get its foot in the door by coming up with a better solution. One such approach allows consumers to choose to pay via their online banking. When that option is selected, the merchant redirects the consumer to their own financial institution's website where they log in and complete the payment. &lt;br /&gt;
&lt;br /&gt;
Thumbs up for the innovation, but as a consumer, I love my credit card and the convenience and protection it provides.  It's certainly a hot topic right now and will be interesting to watch how this plays out.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/pKEWCejP9wk" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 30 May 2008 09:00:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/ach-and-e-check-validation-and-processing/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/pKEWCejP9wk/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/ach-and-e-check-validation-and-processing/</feedburner:origLink></item>
        
    
        
        <item>
          <title>PCI DSS Compliance basics for credit card data security</title>
          <description>&lt;p&gt;&lt;a href="http://www.braintreepaymentsolutions.com/pci-dss-compliance/"&gt;PCI DSS Compliance&lt;/a&gt; is an industry-mandated security standard that applies to all businesses that handle, process or store credit cards. &lt;br /&gt;
&lt;br /&gt;
There are 12 core requirements and roughly 250 controls, but as an oversimplification it boils down to three things: 1) all merchants, regardless of whether credit card data is stored, must achieve and maintain compliance at all times (all deadlines have passed); 2) merchants cannot store certain credit card information including &lt;a href="http://www.braintreepaymentsolutions.com/blog/merchants-are-prohibited-from-storing-cvv2-csc-per-pci-standards/"&gt;CVV2, CVC2 and CID codes&lt;/a&gt; (three- or four-digit numbers), &lt;a href="http://www.braintreepaymentsolutions.com/blog/track-data-cannot-be-stored-according-to-pci-regulations/"&gt;track data&lt;/a&gt; from the magnetic strip, or PIN data; 3) if permitted credit card information such as name, credit card number and expiration date is stored, certain security standards are required. A number of recent &lt;a href="http://www.braintreepaymentsolutions.com/blog/featured/pci-compliance-and-the-cost-of-a-credit-card-breach/"&gt;high profile breaches&lt;/a&gt; have been raising awareness of the risks associated with PCI Compliance.  &lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;The motivation to become compliant &lt;/strong&gt; The major credit card companies have provided both carrots and sticks in order to compel merchants to become and remain compliant. The incentives include &lt;a href="http://usa.visa.com/merchants/risk_management/cisp_overview.html"&gt;'safe harbor'&lt;/a&gt; from certain penalties and fines if a merchant is compliant &lt;em&gt;at&lt;/em&gt; the time of breach. &lt;br /&gt;
&lt;br /&gt;
Without compliance, if a merchant is breached and has credit card information stolen, depending on the size of the breach, PCI related fines can be as high as $500,000 per incident. In severe cases, merchants can even be given the 'Death Penalty,' preventing them from accepting credit cards. In all, depending on the number of cards stolen, merchants are estimated to spend between $90 and $302 &lt;em&gt;per record&lt;/em&gt; (see graph below).  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
The Payment Card Industry Data Security Standard (PCI DSS)&lt;/strong&gt; &lt;br /&gt;
&lt;strong&gt;&lt;br /&gt;
What is PCI DSS?&lt;/strong&gt; &lt;br /&gt;
It's a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting credit card data.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
Who created it?&lt;/strong&gt; While Visa and MasterCard originally developed it, as of September of 2006 American Express, Discover, JCB, MasterCard and Visa jointly formed the PCI Security Standards Council.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
Why was it created?&lt;/strong&gt; It was created in response to a spike in data security breaches over the last few years. A large number of both small and large businesses have been breached including &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach/"&gt;TJX&lt;/a&gt;, Bank of America, Citigroup, BJ's Wholesale Club, Hotels.com, LexisNexis, Polo Ralph Lauren and Wachovia.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
Who's at risk?&lt;/strong&gt; Any business that processes, transmits, or stores credit card information. While the publicity of security breaches has recently been focused on larger companies, Visa reports that the majority of breaches are &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-related-fines-for-breaches-at-small-businesses/"&gt;occurring at small businesses&lt;/a&gt;.&lt;/p&gt;
&lt;!--more--&gt;
&lt;p&gt;&lt;strong&gt;What are the 12 mandated security requirements?&lt;/strong&gt;  &lt;br /&gt;
1. Install and maintain a firewall configuration to protect data &lt;br /&gt;
2. Do not use vendor-supplied defaults for system passwords and other security parameters &lt;br /&gt;
3. Protect stored data &lt;br /&gt;
4. Encrypt transmission of cardholder data and sensitive information across public networks &lt;br /&gt;
5. Use and regularly update anti-virus software &lt;br /&gt;
6. Develop and maintain secure systems and applications &lt;br /&gt;
7. Restrict access to data by business need-to-know &lt;br /&gt;
8. Assign a unique ID to each person with computer access &lt;br /&gt;
9. Restrict physical access to cardholder data &lt;br /&gt;
10. Track and monitor all access to network resources and cardholder data &lt;br /&gt;
11. Regularly test security systems and processes &lt;br /&gt;
12. Maintain a policy that addresses information security&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;What credit card information can and cannot be stored? &lt;/strong&gt;&lt;/p&gt;
&lt;p style="text-align: center;"&gt;&lt;a title="storage-chart.jpg" href="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2007/10/storage-chart.jpg"&gt;&lt;img src="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2007/10/storage-chart.jpg" alt="storage-chart.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;How much does it cost to become compliant? &lt;/strong&gt;&lt;br /&gt;
It depends on business type, credit card processing and storage practices and existing IT environment. Read &lt;a href="http://www.braintreepaymentsolutions.com/blog/what-does-it-cost-to-become-pci-compliant/"&gt;here for a more complete overview.&lt;/a&gt;  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
What do merchants have at risk if credit card information is breached? &lt;/strong&gt;   Fines up to $500,000 per incident   Remediation costs estimated at $90 to $302 per record   Potential customer lawsuits   Company reputation and brand damage&lt;/p&gt;
&lt;p style="text-align: center;"&gt;&lt;a title="Cost of a credit card breach" href="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2007/10/cost-of-a-credit-card-breach.png"&gt;&lt;img src="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2007/10/cost-of-a-credit-card-breach.png" alt="Cost of a credit card breach" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Are there different requirements for large and small businesses? &lt;/strong&gt;  Yes. Merchants belong to one of four levels, determined by annual transaction volumes. These transaction volumes apply to the highest number of a single card type per year, e.g. a merchant doing 5,000,000 Visa and 2,000,000 MasterCard transactions annually, even though the cumulative total is 7,000,000, would qualify as Level 2.&lt;/p&gt;
&lt;p style="text-align: center;"&gt;&lt;a title="PCI Levels" href="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2007/10/pci-levels.jpg"&gt;&lt;img src="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2007/10/pci-levels.jpg" alt="PCI Levels" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Definitions from above: &lt;/strong&gt;&lt;/p&gt;
&lt;blockquote&gt;&lt;strong&gt;On-Site Security Audit&lt;/strong&gt; The audit must be completed by Level 1 merchants. Merchants can choose to complete the audit internally or hire an outside Qualified Security Assessor to complete the Report on Compliance (ROC). &lt;a title="http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_tools_faq.html" href="http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_tools_faq.html" target="_blank"&gt;PCI Security Audit Procedures &amp;amp; Reporting&lt;/a&gt;&lt;/blockquote&gt; &lt;blockquote&gt;&lt;a href="http://www.braintreepaymentsolutions.com/blog/updated-pci-dss-self-assessment-questionnaire-saq-version-11/"&gt;&lt;strong&gt;Self-Assessment Questionnaire&lt;/strong&gt;&lt;/a&gt; (SAQ) Initially the Council had a one-size-fits-all SAQ but it proved too challenging and complicated for the different types and sizes of merchants. In February 2008, the Council released four versions of the SAQ in an attempt to better accommodate merchant profiles. Here is a summary:
&lt;ul type="disc"&gt;
    &lt;li&gt;&lt;a href="https://www.pcisecuritystandards.org/tech/instructions.htm"&gt;SAQ A&lt;/a&gt;: Addresses requirements applicable to merchants who have outsourced all processing, transmission and storage of cardholder data.&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://www.pcisecuritystandards.org/tech/instructions.htm"&gt;SAQ B&lt;/a&gt;: Created to address requirements pertinent to merchants who process cardholder data via imprint machines or stand-alone dial-up terminals only.&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://www.pcisecuritystandards.org/tech/instructions.htm"&gt;SAQ C&lt;/a&gt;: Constructed to focus on requirements applicable to merchants whose payment applications systems are connected to the Internet.&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://www.pcisecuritystandards.org/tech/instructions.htm"&gt;SAQ D&lt;/a&gt;: Designed to address requirements relevant to all service providers defined by a payment brand as eligible to complete an SAQ and those merchants who do not fall under the types addressed by SAQ A, B or C.&lt;/li&gt;
&lt;/ul&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/vulnerability-and-security-assessment-scans-for-pci-dss-compliance/"&gt; &lt;strong&gt;Network Vulnerability Scans&lt;/strong&gt;&lt;/a&gt; The PCI Standard requires merchants to scan all outward facing IP addresses. These IP addresses are not protected by a firewall and can be hacked through an open port. The SAQ identifies and mitigates risk from the inside (behind the firewall) while the IP scans identify and mitigate risk from the outside.  &lt;strong&gt;Validation&lt;/strong&gt; &lt;strong&gt;Dates&lt;/strong&gt; The Card Associations have set specific dates for validation. Level 1 merchants were required to validate compliance by 9/30/2007, Level 2 by 12/31/07, and the Level 3 and 4 deadlines are processor/acquirer specific.&lt;/blockquote&gt;
&lt;p&gt;&lt;strong&gt;How to Get Started &lt;/strong&gt;&lt;br /&gt;
1. Identify the individuals that will be responsible for PCI compliance in your organization and assemble a team that includes members from each area. &lt;br /&gt;
2. Determine your merchant level (1-4). &lt;br /&gt;
3. Determine which &lt;a href="http://www.braintreepaymentsolutions.com/blog/updated-pci-dss-self-assessment-questionnaire-saq-version-11/"&gt;SAQ&lt;/a&gt; your organization will need to complete. &lt;br /&gt;
4. Evaluate whether your organization will try to achieve compliance internally or engage with a &lt;a href="http://www.braintreepaymentsolutions.com/blog/qualified-security-assessors-qsas-for-pci-dss-compliance/"&gt;Qualified Security Assessor (QSA)&lt;/a&gt;. &lt;br /&gt;
5. Engage with an &lt;a href="http://www.braintreepaymentsolutions.com/blog/vulnerability-and-security-assessment-scans-for-pci-dss-compliance/"&gt;Approved Scanning Vendor (ASV)&lt;/a&gt; to start the required external IP vulnerability scans. &lt;br /&gt;
6. Make sure that your organization has an Information Security Policy and that it is being enforced. &lt;br /&gt;
7. Immediately address any significant deficiencies discovered during the assessment or scan. &lt;br /&gt;
8. Retain record of self-assessments, scans, and follow-up activities. Be prepared to provide these documents upon request.  &lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;What should you do if breached?&lt;/strong&gt;  In the event of a security incident, merchants must take immediate action to: &lt;br /&gt;
1. Contain and limit the exposure. Conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise &lt;br /&gt;
2. Alert all necessary parties. Be sure to notify:  * Merchant Account Provider * Visa Fraud Control Group at (650) 432-2978 * Local FBI Office * U.S. Secret Service (if Visa payment data is compromised)  &lt;br /&gt;
3. Provide the compromised Visa accounts to Visa Fraud Control Group within 24 hours. &lt;br /&gt;
4. Within four business days of the reported compromise, provide Visa with an incident report.  &lt;br /&gt;
&lt;br /&gt;
Here is a step-by-step guide from Visa - &lt;em&gt;&lt;a title="http://www.usa.visa.com/business/accepting_visa/ops_risk_management/cisp_if_compromised.html?it=c|/business/accepting_visa/ops_risk_management/cisp%2Ehtml|If%20Compromised" href="http://www.usa.visa.com/business/accepting_visa/ops_risk_management/cisp_if_compromised.html?it=c%7C/business/accepting_visa/ops_risk_management/cisp%2Ehtml%7CIf%20Compromised" target="_blank"&gt;What To Do If Compromised&lt;/a&gt;&lt;/em&gt;.  &lt;br /&gt;
&lt;br /&gt;
Additional resources: A non-profit organization, RSPA produced a 12-minute video aimed at educating smaller restaurant and retail merchants about the &lt;a href="http://www.braintreepaymentsolutions.com/blog/what-small-businesses-need-to-know-about-pci-compliance/"&gt;risks associated with PCI Compliance&lt;/a&gt;.  &lt;br /&gt;
&lt;br /&gt;
Other related posts:   &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach/"&gt;&lt;br /&gt;
PCI DSS Compliance&lt;/a&gt; and the cost of a credit card breach   &lt;br /&gt;
PCI DSS Payment Card Industry &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-dss-payment-card-industry-self-assessment-questionnaire-saq/"&gt;Self-Assessment Questionnaire&lt;/a&gt; (SAQ)   &lt;a href="http://www.braintreepaymentsolutions.com/blog/vulnerability-and-security-assessment-scans-for-pci-dss-compliance/"&gt;&lt;br /&gt;
Vulnerability and security assessment scans&lt;/a&gt; for PCI DSS Compliance    &lt;br /&gt;
&lt;br /&gt;
Braintree solutions: The Smart Approach to &lt;a href="http://www.braintreepaymentsolutions.com/pci-compliance.php"&gt;PCI DSS Compliance&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/7Qm-VtZ2nRY" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 23 May 2008 14:52:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/pci-compliance-basics-for-credit-card-secuirty/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/7Qm-VtZ2nRY/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/pci-compliance-basics-for-credit-card-secuirty/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Credit card validation</title>
          <description>&lt;p&gt;In a card-not-present environment, there are two levels of credit card validation. The first is the &lt;a href="http://en.wikipedia.org/wiki/Luhn_algorithm"&gt;Luhn Algorithm&lt;/a&gt;, which is also known as a &amp;#8216;mod 10&amp;#8217; check. The Luhn algorithm will validate the number of characters for a particular card type. It doesn&amp;#8217;t perform any other type of validation: a number that passes it may still belong to a closed, nonexistent or stolen account. I&amp;#8217;d say almost all payment processing systems have this in place as a standard offering.&lt;/p&gt;


	&lt;p&gt;If merchants want to further validate the card they can do an authorization request to the issuing bank for 1) address verification (AVS) and 2) cvv2 &amp;#8211; the three or four digit code on the card. When the auth is submitted the bank will respond with match or mismatch codes for street address, zip (5 and/or 9 digits) and cvv2.&lt;/p&gt;


	&lt;p&gt;In most payment processing systems merchants can set up acceptance or denial rules so that if an authorization comes back as having an incorrect billing address, zip or cvv2 code, the transaction will be automatically accepted, denied or flagged.&lt;/p&gt;


	&lt;p&gt;For merchants that want to validate the card upon accepting a new customer but not charge them, they can do a $1.00 authorization which will then usually fall off the card in a few days. Note however, that there is no standard in the amount of time a particular authorization stays on a debit or credit card. Issuing banks determine the exact duration but generally speaking, most stay valid for between 3 and 10 days but some up to 30 days.  In a situation where a merchant accidentally authorizes a card 10 times for $1,000, tying up a customer&amp;#8217;s entire credit limit, they can call the issuing bank and ask to void the transaction.&lt;/p&gt;


	&lt;p&gt;A few other related points:
1. &lt;span class="caps"&gt;AMEX&lt;/span&gt; recently stopped returning &lt;span class="caps"&gt;CID&lt;/span&gt; (their version of &lt;span class="caps"&gt;CVV2&lt;/span&gt;) responses leaving address verification as the only validation tool.
&lt;a href="http://www.braintreepaymentsolutions.com/blog/cvv2-does-not-affect-credit-card-qualification-rates/"&gt;2. &lt;span class="caps"&gt;CVV2&lt;/span&gt; does not affect credit card rates.&lt;/a&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/merchants-are-prohibited-from-storing-cvv2-csc-per-pci-standards/"&gt;3. &lt;span class="caps"&gt;CVV2&lt;/span&gt; data cannot be stored.&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/jmcLtp1gE5w" height="1" width="1"/&gt;</description>
          <pubDate>Mon, 19 May 2008 15:00:29 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/credit-card-validation/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/jmcLtp1gE5w/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/credit-card-validation/</feedburner:origLink></item>
        
    
        
        <item>
          <title>PCI DSS Compliance Charge On My Merchant Statement?</title>
          <description>&lt;p&gt;Most merchants gave up trying to read their monthly credit card processing statements a long time ago because of how unbelievably complex most providers choose to make them.  &lt;br /&gt;
&lt;br /&gt;
For those merchants that occasionally look at them, they may be surprised to see a new '&lt;a href="http://www.braintreepaymentsolutions.com/pci-dss-compliance/"&gt;PCI DSS Compliance&lt;/a&gt;'  fee in the amount of $4 to $20 per month. This fee is a bit perplexing to me because the merchant account provider, in all the cases I'm familiar with, is not actually providing any product or service to the merchant related to &lt;a href="http://www.braintreepaymentsolutions.com/pci-dss-compliance/"&gt;PCI DSS Compliance&lt;/a&gt;.  &lt;br /&gt;
&lt;br /&gt;
If a merchant gets breached, the Card Associations fine the acquirer and then the acquirer passes the fine down to the merchant.  So while the Card Associations have put the responsibility on the processors to make sure that their merchants are compliant, the merchant is ultimately responsible for becoming compliant and paying the fines if breached.  So why again are &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;merchant account providers&lt;/a&gt; charging businesses this fee?&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/YMAwWdgo45c" height="1" width="1"/&gt;</description>
          <pubDate>Thu, 08 May 2008 05:09:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/pci-dss-compliance-charge-on-my-merchant-statement/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/YMAwWdgo45c/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/pci-dss-compliance-charge-on-my-merchant-statement/</feedburner:origLink></item>
        
    
        
        <item>
          <title>High Risk Merchant Account: Third Party Payments Aggregation</title>
          <description>&lt;p&gt;&lt;a href="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2008/04/risk-and-reward.jpg"&gt;&lt;img height="197" width="300" class="alignright size-medium wp-image-211" title="risk-and-reward" src="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2008/04/risk-and-reward-300x197.jpg" alt="" /&gt;&lt;/a&gt;Third party payments aggregation (TPPA) is a description used for merchants that are selling a product or service that they do not own. The best example of a TPPA (aggregator) is PayPal. They simply facilitate the exchange of money between two parties.  &lt;br /&gt;
&lt;br /&gt;
There are, however, different shades of TPPA's. For example, an online air travel booking site may charge both their service fee and the actual airfare in a single transaction. If the merchant were only charging their service fee, they would not fall into the TPPA category as they are simply charging for the service they provide. But because they are also charging a credit card for a product they do not own, an airfare ticket, they fall into the TPPA category.  &lt;br /&gt;
&lt;br /&gt;
The value proposition of a TPPA is clear to both consumers and merchants, but the increased risk is not normally understood as well by the merchant. There are two reasons why TPPA's are considered higher risk in the &lt;a href="http://www.braintreepaymentsolutions.com/"&gt;credit card processing&lt;/a&gt; industry:  1) The merchant has reduced control over the quality and delivery of the product being sold, and 2) The merchant is being trusted to pay the third party for the money they've collected on their behalf.&amp;nbsp;&lt;br /&gt;
&lt;br /&gt;
Here is an example of TPPA risk. Let's say over a 30 day period a merchant sells 5,000 sporting event tickets for $1,000,000 (that they don't control/own). The merchant then pays the event sponsor the monies due minus their fees. At the last minute, one of the athletes scheduled for the event gets hurt and is unable to participate.&amp;nbsp; The event sponsor would normally refund the merchant for any cancelled event but this case happens to fall into a gray area and the event sponsor refuses to pay the money back. The cardholders who purchased the tickets then begin calling the merchant for a refund but the merchant doesn't have a sufficient amount of money to refund all the requests. When the cardholders don't get the refund they're demanding, they call their bank to file a chargeback. Before long, the merchant is facing thousands of chargeback disputes totaling in the $800,000 range. The merchant defaults on their obligation and the merchant account provider is next in line with the responsibility of paying the $800,000. All that risk and work for a measly few thousand dollars in gross revenue.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Because the Card Associations have discouraged the practice of TPPA and because of its increased risk, most merchant account providers are justifiably reluctant to underwrite these types of accounts.  That is not to say that merchants cannot be approved for TPP processing, it's just more difficult and the underwriting conditions will more likely include a reserve and other similar safeguards.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
Braintree Solutions:&lt;/strong&gt; &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/multi-merchant/"&gt;&lt;br /&gt;
Multi-Merchant&lt;/a&gt; - enabling multiple merchant accounts in a single application&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/HFv9YWM133o" height="1" width="1"/&gt;</description>
          <pubDate>Thu, 24 Apr 2008 11:44:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/high-risk-mechant-account-third-party-payments-aggregation/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/HFv9YWM133o/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/high-risk-mechant-account-third-party-payments-aggregation/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Amazon FPS</title>
          <description>&lt;p&gt;&lt;a href="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2008/04/amazon-fps.jpg"&gt;&lt;img width="180" height="110" alt="" src="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2008/04/amazon-fps.jpg" title="amazon-fps" class="alignright size-medium wp-image-208" /&gt;&lt;/a&gt;Jim Daly of &lt;a target="_blank" href="http://www.digitaltransactions.net/"&gt;Digital Transactions&lt;/a&gt; wrote a good piece on Amazon's Flexible Payment System (FPS) in the April 08 issue. Here are some of the key takeaways:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Amazon's investment in alternative payment provider Bill Me Later last December was their first public move into the &lt;a href="http://www.braintreepaymentsolutions.com/"&gt;payment processing&lt;/a&gt; space.  Using Bill Me Later, Amazon expects to not only lower their own transaction costs (by ~.50 bps) but hopes to also increase sales by capturing more impulse buyers.&lt;/li&gt;
    &lt;li&gt;The launch of FPS is most likely part of a larger play for Amazon, like......&lt;/li&gt;
    &lt;li&gt;FPS pricing has some customers unhappy. For example, the 1.5% on bank transfers and amounts charged on stored value balances (Amazon essentially double dipping).&lt;/li&gt;
    &lt;li&gt;Beta user &lt;a target="_blank" href="http://www.buxfer.com"&gt;Buxfer&lt;/a&gt; gave the FPS technology high reviews but cited the requirement that both buyer and seller need an Amazon account as the biggest drawback.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;From my standpoint, I would call out two things. First, I wonder how many ewallet providers will be able to cross the tipping point of scale with both the consumer and merchant.  If there aren't  enough consumers demanding the payment option merchants won't offer it as an option and if merchants don't offer it as an option consumers won't use it.  &lt;br /&gt;
&lt;br /&gt;
Of the three major players, PayPal has become much more inclusive in their offering, Amazon remains exclusive (both buyer and seller must have an account), and without a larger user base to begin with, I just don't think Google checkout will be able to pick up enough steam.  &lt;br /&gt;
&lt;br /&gt;
Then of course there is a rush of new ewallet type providers (using a device like a mobile phone or payment instrument such as a phone number) crowding their way into the market as preferred payment providers.  Secondly, I think the most significant thing FPS did was build sophisticated &lt;a href="http://www.braintreepaymentsolutions.com/"&gt;payment processing&lt;/a&gt; logic on their end  - instead of making that the merchant's responsibility.  In nearly all the payment systems today, the logic is built and maintained by the merchant. At the same time, in&lt;a target="_blank" href="http://www.amazon.com/Flexible-Payments-Service-AWS/b?ie=UTF8&amp;amp;node=342430011"&gt; reading through&lt;/a&gt; all of its capabilities - I'm left wondering, who again needs this?  &lt;br /&gt;
&lt;br /&gt;
The article is only available in pdf format and I had to post the entire April issue. If you're interested in reading the article it starts on page 24.&lt;/p&gt;
&lt;div style="text-align: center;"&gt;&lt;object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="400" height="300" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"&gt;&lt;param name="allowScriptAccess" value="always" /&gt;&lt;param name="src" value="http://static.issuu.com/webembed/viewers/style1/v1/IssuuViewer.swf?mode=preview&amp;amp;previewLayout=white&amp;amp;username=braintree&amp;amp;docName=digitaltransactionsapril08&amp;amp;documentId=080423184803-a659f74900ed49e190e7aea6ec29f0a2&amp;amp;autoFlip=true&amp;amp;backgroundColor=ffffff&amp;amp;layout=white" /&gt;&lt;embed type="application/x-shockwave-flash" width="323" height="230" src="http://static.issuu.com/webembed/viewers/style1/v1/IssuuViewer.swf?mode=preview&amp;amp;previewLayout=white&amp;amp;username=braintree&amp;amp;docName=digitaltransactionsapril08&amp;amp;documentId=080423184803-a659f74900ed49e190e7aea6ec29f0a2&amp;amp;autoFlip=true&amp;amp;backgroundColor=ffffff&amp;amp;layout=white" allowscriptaccess="always"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/QIKCB5k-6OQ" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 23 Apr 2008 13:56:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/amazon-fps/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/QIKCB5k-6OQ/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/amazon-fps/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Payment Application Data Security Standard (PA-DSS) v1.1 </title>
          <description>&lt;p&gt;&lt;a href="https://www.pcisecuritystandards.org" target="_blank"&gt;The &lt;span class="caps"&gt;PCI&lt;/span&gt; Security Standards Council&lt;/a&gt; released version 1.1 of the PA-DSS today. The purpose of this program, which was formerly managed by Visa, is to ensure that software vendors and others that develop secure payment applications are &lt;a href="http://www.braintreepaymentsolutions.com/blog/category/pci-compliance/page/3/" target="_blank"&gt;not storing prohibited data &lt;/a&gt;and are complying with the &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-basics-for-credit-card-secuirty/" target="_blank"&gt;&lt;span class="caps"&gt;PCI DSS&lt;/span&gt;&lt;/a&gt;. It applies to payment applications that are sold, distributed, or licensed to third parties.&lt;/p&gt;


Here are a few takeaways:
&lt;ul&gt;
    &lt;li&gt;This fall the council will roll out a program to maintain a list of validated payment applications.&lt;/li&gt;
    &lt;li&gt;The Council will begin qualifying companies to become Payment Application Qualified Security Assessors (PA-QSAs) who can perform PA-DSS assessments and audits. (see also this &lt;a href="http://www.braintreepaymentsolutions.com/blog/qualified-security-assessors-qsas-for-pci-dss-compliance/" target="_blank"&gt;post on &lt;span class="caps"&gt;QSA&lt;/span&gt;&amp;#8217;s)&lt;/a&gt;&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://www.pcisecuritystandards.org/pdfs/pci_pa-dss_faqs.pdf" target="_blank"&gt;PA-DSS &lt;span class="caps"&gt;FAQ&lt;/span&gt;&amp;#8217;s&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;
Here is the entire press release:
&lt;div style="text-align: center;"&gt;&lt;object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="300" height="229" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"&gt;&lt;param name="allowScriptAccess" value="always" /&gt;&lt;param name="src" value="http://static.issuu.com/webembed/viewers/style1/v1/IssuuViewer.swf?mode=preview&amp;amp;previewLayout=white&amp;amp;username=braintree&amp;amp;docName=pa-dss_press_release&amp;amp;documentId=080416160711-defc456175344ef490d68b97880184be&amp;amp;autoFlip=true&amp;amp;backgroundColor=666666&amp;amp;layout=white" /&gt;&lt;embed type="application/x-shockwave-flash" width="300" height="229" src="http://static.issuu.com/webembed/viewers/style1/v1/IssuuViewer.swf?mode=preview&amp;amp;previewLayout=white&amp;amp;username=braintree&amp;amp;docName=pa-dss_press_release&amp;amp;documentId=080416160711-defc456175344ef490d68b97880184be&amp;amp;autoFlip=true&amp;amp;backgroundColor=666666&amp;amp;layout=white" allowscriptaccess="always"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;
&lt;div style="text-align: center;"&gt;
&lt;/div&gt;
&lt;div style="text-align: left;"&gt;Other related posts:

	&lt;p&gt;&lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach/"&gt;The cost of a credit card breach&lt;/a&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-basics-for-credit-card-secuirty/"&gt;&lt;span class="caps"&gt;PCI&lt;/span&gt; Compliance basics&lt;/a&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/what-does-it-cost-to-become-pci-compliant/"&gt;The cost to become &lt;span class="caps"&gt;PCI&lt;/span&gt; Compliant&lt;/a&gt;&lt;/div&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/5vjFNYcR9Bg" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 16 Apr 2008 10:18:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/payment-application-data-security-standard-pa-dss-v11/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/5vjFNYcR9Bg/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/payment-application-data-security-standard-pa-dss-v11/</feedburner:origLink></item>
        
    
        
        <item>
          <title>PCI Compliance and the cost of a credit card breach</title>
          <description>&lt;p&gt;&lt;img class="alignRight" src="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2007/10/credit-card-securityv2.jpg" alt="" /&gt;  TJX is now the poster child for credit card data breaches. Starting in July 2005, hackers spent 18 months exploiting weak wireless network security outside of thousands of TJX owned stores and downloaded nearly 100 million credit card numbers and other personal information. TJX recently estimated that the breach will cost them $118 million. Others, such as Forrester, estimate it will cost them $1.35 billion after including legal fees, call center costs, regulatory fines, etc.  &lt;br /&gt;
&lt;br /&gt;
While TJX has received all the recent attention, breaches are occurring more often than many realize. The exact number is unknown because only 31 states currently have laws requiring disclosure. One thing is for sure: if a business gets breached, the financial, business and PR risks are tremendous. A Forrester report determined that the cost &lt;em&gt;per breached record&lt;/em&gt; will be anywhere from $90 to $305.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;img src="http://www.braintreepaymentsolutions.com/assets/179/Cost_of_a_breach.gif?1225752589" alt="" /&gt;&lt;br /&gt;
&lt;br /&gt;
The profitable world of stealing credit card data &lt;/strong&gt; The spike in this type of criminal activity is attributable to the lucrative business of selling stolen credit card information. Depending on the quality, the selling price of a single record can easily be $100.  Criminals are using a host of tactics to steal credit card data. &lt;br /&gt;
&lt;br /&gt;
One of the most common methods is remote access to servers that house the data, like in the case of TJX. WEP 104-bit encryption can be cracked in under a minute on an 802.11g network by using active ARP-relay packet-injection techniques.  Another very common approach is &amp;quot;skimming&amp;quot;, a practice through which an employee attaches an electronic reader to the point of sale machine to steal cardholder information including name, credit card number, and the CVV2 code (three or four-digit number on the front or back of the card). Employees have also been known to write down this information.  In ecommerce environments, cyber criminals are using &lt;a href="http://en.wikipedia.org/wiki/SQL_injection"&gt;SQL Injection&lt;/a&gt;, &lt;a href="http://en.wikipedia.org/wiki/Cross_Site_Scripting"&gt;Cross Site Scripting (XSS)&lt;/a&gt;, and &lt;a href="http://en.wikipedia.org/wiki/Buffer_Overflow"&gt;Buffer Overflow&lt;/a&gt; attacks.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
PCI Compliance overview&lt;/strong&gt; &lt;br /&gt;
The driving force behind the effort to secure all credit card data is the &lt;a href="https://www.pcisecuritystandards.org/"&gt;PCI Security Standards Council&lt;/a&gt;, which was founded by Visa, MasterCard, American Express, Discover and JCB. They have mandated that businesses meet 12 security requirements in order to protect cardholder data.  To provide proper incentives, the Card Associations have offered both carrots and sticks. As a carrot, merchants are offered protection from PCI-related fines, which can be as high as $500,000 per incident, if they are compliant at the time of the breach - something called &lt;a href="http://usa.visa.com/merchants/risk_management/cisp_overview.html"&gt;Safe Harbor&lt;/a&gt;. &lt;br /&gt;
&lt;br /&gt;
As a stick, merchants can face the above-mentioned fines when breached as well as be fined for non-compliance. Some card brands have threatened to levy fines against larger merchants, up to $25,000 per month, until they obtain compliance.  To start the process of becoming &lt;a href="http://www.braintreepaymentsolutions.com/pci-dss-compliance/"&gt;PCI compliant&lt;/a&gt;, a company should consider engaging a Qualified Security Assessor (QSA), who can advise regarding remediation and is approved to complete the official assessments for the Card Associations. There are fewer than &lt;a href="https://www.pcisecuritystandards.org/pdfs/pci_qsa_list.pdf"&gt;100 companies&lt;/a&gt; that offer these services. A few examples include &lt;a href="http://accuvant.com/"&gt;Accuvant&lt;/a&gt;, &lt;a href="http://securitymetrics.com/"&gt;Security Metrics&lt;/a&gt;, and &lt;a href="http://www.trustwave.com/"&gt;Trustwave&lt;/a&gt;. The process of becoming compliant may take anywhere from 3 months to 2 years, depending on the business size and current IT and security infrastructure.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
The cost and process of becoming PCI Compliant&lt;/strong&gt; Becoming compliant can be a time-consuming, costly, and considerably complex effort. Gartner recently estimated that the nation's largest merchants will spend $568,000 on average during 2007 to meet the mandated requirements.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
Taking matters into your own hands&lt;/strong&gt; A few things can be done right away, starting with making sure prohibited information is being purged after authorization. That information includes &lt;a href="http://www.braintreepaymentsolutions.com/blog/track-data-cannot-be-stored-according-to-pci-regulations/"&gt;full track data&lt;/a&gt; (on the magnetic strip), &lt;a href="http://www.braintreepaymentsolutions.com/blog/merchants-are-prohibited-from-storing-cvv2-csc-per-pci-standards/"&gt;CVV2, CVC2 and CID codes&lt;/a&gt; (three and four-digit codes) and PIN data.  If businesses need to store name, credit card number and expiration date, that data needs to be secured either internally or stored remotely. &lt;a href="http://www.braintreepaymentsolutions.com/pci-dss-compliance"&gt;Credit card tokenization&lt;/a&gt;, a remote storage technology, allows for a unique customer ID to be created for each record which is then used to remotely initiate transactions or change customer files without ever handling any sensitive credit card data.  &lt;br /&gt;
&lt;br /&gt;
Other simple ways to better protect from breaches include tightening remote access controls, changing wireless network security from WEP to WPA, properly configuring firewalls, changing vendor default passwords, and using encryption to transmit all sensitive data.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
In summary&lt;/strong&gt; &lt;br /&gt;
Regardless of a business's current situation, the cost of a breach can be enormous. TJX, a $17 billion dollar retailer will be able to weather the storm, but a smaller organization may not have the same financial depth, which means the consequences may be much more severe. So whether or not the required resources are available to pursue PCI Compliance and proper data storage, it might not be a bad idea to make it a priority in your organization.  &lt;br /&gt;
&lt;br /&gt;
Other related posts: &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-basics-for-credit-card-secuirty/"&gt;&lt;br /&gt;
PCI DSS Compliance&lt;/a&gt; basics for credit card security  &lt;br /&gt;
Braintree solutions: The Smart Approach for &lt;a href="http://www.braintreepaymentsolutions.com/pci-compliance.php"&gt;PCI DSS Compliance&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/5iFnx8Zl82g" height="1" width="1"/&gt;</description>
          <pubDate>Tue, 15 Apr 2008 12:03:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/5iFnx8Zl82g/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach/</feedburner:origLink></item>
        
    
    
  </channel>
</rss>
