<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:atom="http://www.w3.org/2005/Atom" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
  <channel>
    
    <title>Braintree Payment Solutions</title>
    <link>http://www.braintreepaymentsolutions.com/rss/</link>
    <language>en-us</language>
    <ttl>40</ttl>
    <description>A blog about PCI DSS Compliance and payment processing including credit cards, echeck, ACH, EFT, payment gateway and credit card data storage.</description>
    
    
        
        <geo:lat>41.904667</geo:lat><geo:long>-87.625044</geo:long><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/braintree" type="application/rss+xml" /><feedburner:feedFlare href="http://add.my.yahoo.com/rss?url=http%3A%2F%2Ffeeds.feedburner.com%2Fbraintree" src="http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif">Subscribe with My Yahoo!</feedburner:feedFlare><feedburner:feedFlare href="http://www.newsgator.com/ngs/subscriber/subext.aspx?url=http%3A%2F%2Ffeeds.feedburner.com%2Fbraintree" src="http://www.newsgator.com/images/ngsub1.gif">Subscribe with NewsGator</feedburner:feedFlare><feedburner:feedFlare href="http://www.bloglines.com/sub/http://feeds.feedburner.com/braintree" src="http://www.bloglines.com/images/sub_modern11.gif">Subscribe with Bloglines</feedburner:feedFlare><feedburner:feedFlare href="http://www.netvibes.com/subscribe.php?url=http%3A%2F%2Ffeeds.feedburner.com%2Fbraintree" src="http://www.netvibes.com/img/add2netvibes.gif">Subscribe with Netvibes</feedburner:feedFlare><feedburner:feedFlare href="http://fusion.google.com/add?feedurl=http%3A%2F%2Ffeeds.feedburner.com%2Fbraintree" src="http://buttons.googlesyndication.com/fusion/add.gif">Subscribe with Google</feedburner:feedFlare><feedburner:feedFlare href="http://www.pageflakes.com/subscribe.aspx?url=http%3A%2F%2Ffeeds.feedburner.com%2Fbraintree" src="http://www.pageflakes.com/ImageFile.ashx?instanceId=Static_4&amp;fileName=ATP_blu_91x17.gif">Subscribe with Pageflakes</feedburner:feedFlare><feedburner:feedFlare href="http://www.plusmo.com/add?url=http%3A%2F%2Ffeeds.feedburner.com%2Fbraintree" src="http://plusmo.com/res/graphics/fbplusmo.gif">Subscribe with Plusmo</feedburner:feedFlare><feedburner:feedFlare href="http://my.feedlounge.com/external/subscribe?url=http%3A%2F%2Ffeeds.feedburner.com%2Fbraintree" src="http://static.feedlounge.com/buttons/subscribe_0.gif">Subscribe with FeedLounge</feedburner:feedFlare><feedburner:feedFlare 
href="http://www.thefreedictionary.com/_/hp/AddRSS.aspx?http%3A%2F%2Ffeeds.feedburner.com%2Fbraintree" src="http://img.tfd.com/hp/addToTheFreeDictionary.gif">Subscribe with The Free Dictionary</feedburner:feedFlare><feedburner:feedFlare href="http://www.live.com/?add=http%3A%2F%2Ffeeds.feedburner.com%2Fbraintree" src="http://tkfiles.storage.msn.com/x1piYkpqHC_35nIp1gLE68-wvzLZO8iXl_JMledmJQXP-XTBOLfmQv4zhj4MhcWEJh_GtoBIiAl1Mjh-ndp9k47If7hTaFno0mxW9_i3p_5qQw">Subscribe with Live.com</feedburner:feedFlare><feedburner:feedFlare href="http://mix.excite.eu/add?feedurl=http%3A%2F%2Ffeeds.feedburner.com%2Fbraintree" src="http://image.excite.co.uk/mix/addtomix.gif">Subscribe with Excite MIX</feedburner:feedFlare><feedburner:feedFlare href="http://www.podcastready.com/oneclick_bookmark.php?url=http%3A%2F%2Ffeeds.feedburner.com%2Fbraintree" src="http://www.podcastready.com/images/podcastready_button.gif">Subscribe with Podcast Ready</feedburner:feedFlare><feedburner:feedFlare href="http://www.addtoany.com/?linkname=Braintree%20Payment%20Solutions&amp;linkurl=http%3A%2F%2Ffeeds.feedburner.com%2Fbraintree&amp;type=feed" src="http://www.addtoany.com/addfr-b.gif">Add to Any Feed Reader</feedburner:feedFlare><feedburner:feedFlare href="http://www.fwicki.com/users/default.aspx?addfeed=http%3A%2F%2Ffeeds.feedburner.com%2Fbraintree" src="http://www.fwicki.com/images/ui/fwicki_clicklet.png">Subscribe with fwicki</feedburner:feedFlare><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
          <title>Practical Ecommerce Gives Braintree 4.5/5 Star Rating</title>
          <description>&lt;p style="text-align: left;"&gt;&lt;img align="right" src="http://braintreepaymentsolutions.com/assets/315/practical-ecommerce-logo.png?1254154000" alt="" /&gt;Our credit card processing and credit card storage solutions were &lt;a href="http://www.practicalecommerce.com/articles/1286-The-PeC-Review-Braintree-Payment-Solutions-Protects-Merchants-and-Customers"&gt;recently reviewed&lt;/a&gt; by &lt;a href="http://www.practicalecommerce.com/member/873-Armando-Roggio"&gt;Armando Roggio&lt;/a&gt; at Practical Ecommerce. He gave us 4.5 out of 5 stars.&amp;nbsp; Our favorite part, &amp;quot;Braintree is a no-brainer...&amp;quot;.&amp;nbsp; Here is an excerpt:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;Without a safe, reliable means of processing payments, there would be no ecommerce. So it is not a surprise that managing payments and securing credit card and customer information is a major concern for online retailers.&lt;/p&gt;
&lt;p&gt;Braintree Payment Solutions offers merchants a complete electronic payment service that quickly processes payments and keeps customer data secure, in most cases slashing a merchant&amp;rsquo;s payment card industry (PCI) compliance costs by 90 percent or more, according to the company.&lt;/p&gt;
&lt;p&gt;I was a little skeptical when I was first introduced to the Braintree solution, but after reviewing its products, asking about IP spoofing (a hacking tactic wherein the hacker pretends to be a server it is not), and consulting with an experienced developer friend, I find myself awarding Braintree Payment Solutions, four and a half out of a possible five stars in this, &amp;ldquo;The PeC Review,&amp;rdquo; my weekly attempt to introduce you to products or services that have the potential to improve your ecommerce business.&lt;/p&gt;
&lt;/blockquote&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/2udzA-jOlVE" height="1" width="1"/&gt;</description>
          <pubDate>Tue, 29 Sep 2009 17:03:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/Practical-Ecommerce-Gives-Braintree-4.5-Star-Rating/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/2udzA-jOlVE/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/Practical-Ecommerce-Gives-Braintree-4.5-Star-Rating/</feedburner:origLink></item>
        
    
        
        <item>
          <title>PCI Compliance a Check-Box for 70 Percent of Retailers</title>
          <description>&lt;p&gt;According to a &lt;a href="http://www.darkreading.com/security/attacks/showArticle.jhtml?articleID=220100919"&gt;report released today&lt;/a&gt;, 70% of retailers treat PCI Compliance as a check-box. The remaining 30% are apparently taking it seriously.&lt;/p&gt;
&lt;p&gt;PCI Compliance, whether taken seriously or as a check-box, really is an economic decision: is the expected cost of a breach, (financial cost + reputational cost + business disruption cost) x probability of breach, &amp;le; or &amp;ge; the cost, effort and distraction of 'serious' compliance efforts? 30% apparently think the risk is too great, while 70% take the business risk and do just enough to avoid being labeled as negligent.&lt;/p&gt;
&lt;p&gt;My guess is that this 70% is also observing that no matter how intense compliance efforts are, post-breach forensics will always find non-compliance (large or small) somewhere, which will eliminate much of the benefit of trying anyway.&lt;/p&gt;
&lt;p&gt;I think that solution providers will help bridge this gap and make compliance and security achievable and worth the cost and effort regardless of risk preference.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/n-FB4zbn30Y" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 23 Sep 2009 19:50:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/PCI-Compliance-a-Check-Box-for-70-Percent-of-Retailers/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/n-FB4zbn30Y/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/PCI-Compliance-a-Check-Box-for-70-Percent-of-Retailers/</feedburner:origLink></item>
        
    
        
        <item>
          <title>OpenTable</title>
          <description>&lt;p&gt;&lt;a href="http://braintreepaymentsolutions.com/assets/301/open-table.png?1249409949"&gt;&lt;img align="right" src="http://braintreepaymentsolutions.com/assets/301/open-table.png?1249409949" alt="" /&gt;&lt;/a&gt;We announced today that OpenTable selected us as their &lt;a href="http://www.braintreepaymentsolutions.com/why-braintree/press/Braintree-Selected-by-OpenTable-as-Global-PCI-Compliance-Solutions-Provider/"&gt;global PCI Compliance solutions&lt;/a&gt; partner.&amp;nbsp; Our solution helps OpenTable comply with PCI Compliance requirements and increases credit card data security.&amp;nbsp; The solution is currently being rolled out in the latest version of their Electronic Reservation Book that is used by 11,000 restaurants around the world.&lt;/p&gt;
&lt;p&gt;The OpenTable team has been great to work with and we couldn't be more excited about the partnership.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/HjMmRQXGoBM" height="1" width="1"/&gt;</description>
          <pubDate>Mon, 31 Aug 2009 12:48:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/OpenTable/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/HjMmRQXGoBM/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/OpenTable/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Post Heartland breach analysis and PCI Compliance limitations</title>
          <description>&lt;p&gt;Eric Ogren, writing for SearchSecurity.com and Evan Schuman and Fred Aun, from StorefrontBacktalk.com, have some insightful commentary regarding the tactics used by hackers to breach Heartland and how they relate to the limitations of the current PCI Compliance standard.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;I think the key takeaway here is that compliance does not necessarily equal security. Here are a few highlights from their articles:&lt;/p&gt;
&lt;p&gt;&lt;a href="http://searchsecurity.techtarget.com/news/column/0,294698,sid14_gci1365304,00.html#"&gt;Eric Ogren&lt;/a&gt;&lt;br /&gt;
1. The hackers ran their malware through 20 AV products to test detection avoidance.&amp;nbsp; AV is very good at stopping known attacks of mass destruction, but is quite a bit less good about catching low profile designer attacks. Effective security should augment AV filters with technology that reflects control over the unique aspects of the organization's server and endpoint configurations. IT has choices here &amp;ndash; application whitelisting on locked-down servers will prevent execution of unauthorized software, thin clients prevent attacks from persisting at endpoints, virtual desktops and servers give IT control over endpoint configurations and automated patching systems close windows of vulnerabilities. &lt;b&gt;PCI should be more assertive in recognizing that signature-based schemes and reputation services will not catch low volume activity that is the trademark of malware designed to steal information. &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;2. &lt;b&gt;It would be nice if PCI could have protected 7-Eleven and others from the same attack technique that befell TJX years earlier. &lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://www.storefrontbacktalk.com/securityfraud/gonzalez-the-al-capone-of-cyber-thieves/"&gt;Evan Schuman and Fred Aun&lt;/a&gt;&lt;br /&gt;
1. One retail security expert, who has firsthand knowledge of defending against these defendants and who agreed to discuss the indictment if neither her name nor employer was identified, said much in the indictment points out inherent weaknesses in PCI. The back door approach used, a time-honored hacking technique for decades, is a red flag. &amp;ldquo;Being on the inside, these probably would have passed right through firewalls as the data would be travelling in the &amp;rsquo;safe&amp;rsquo; direction. Also note that any gains a company would have from a password rotation scheme would be negated by the installation of a back door. &lt;b&gt;My main point there is that password rotation schemes are not an effective defense, and shouldn&amp;rsquo;t be elevated to such by PCI or corporate &amp;rsquo;security policies.&amp;rsquo;&lt;/b&gt; In any case, Hackers 2, PCI 0.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;2. The SQL injection tactic points out an especially significant PCI flaw, the expert said. &amp;ldquo;PCI doesn&amp;rsquo;t say boo about SQL injection attacks. It only says you must maintain secure systems and applications and review the applications annually. &lt;b&gt;But reviews are ineffective on unknown bugs &amp;ndash; they can only help recognize bugs the reviewer actually knows about&lt;/b&gt;.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;3. Another concern that she listed involved Heartland details. &amp;ldquo;The attackers installed sniffers to capture the traffic, they did not harvest data intentionally stored by Heartland on hard drives. &lt;b&gt;PCI doesn&amp;rsquo;t say anything about encrypting data on private networks, only that you must protect stored cardholder data or encrypt data traveling over open, public networks.&lt;/b&gt; And the networks obviously have the business need-to-know, that&amp;rsquo;s what they do: carry data. That&amp;rsquo;s a three-point shot for the Hackers; Hackers 6, PCI 0.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;4.&amp;nbsp; Yes, PCI compliance may have successfully defended Heartland against lesser attackers. But the bottom line is that Heartland could have been (and probably was) breached while being 100 percent PCI 1.1 compliant on all their points. &lt;b&gt;The real observation here is that PCI DSS compliance was completely ineffective against these guys, no matter how the PCI guys spin it.&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;&amp;ldquo;PCI says that you must regularly test security systems. These hackers dodged every bullet point of PCI. A test would (and probably did) prove nothing more than PCI-test-detectable breaches would have been detected. And finally, the hackers apparently didn&amp;rsquo;t feel compelled to comply with corporate security policies. Game, set, and match: Hackers 12, PCI 0,&amp;rdquo;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/i_NFY20pTO0" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 19 Aug 2009 19:19:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/Post-Heartland-breach-analysis-and-PCI-Compliance-limitations/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/i_NFY20pTO0/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/Post-Heartland-breach-analysis-and-PCI-Compliance-limitations/</feedburner:origLink></item>
        
    
        
        <item>
          <title>PayPal reserves. Surprise!</title>
          <description>&lt;p&gt;I've wondered how PayPal seemingly signs up any merchant without doing any underwriting or risk assessment.  Well, now I think I have my answer. They do it &lt;a href="http://www.businessweek.com/smallbiz/running_small_business/archives/2009/08/paypals_reserve.html?chan=technology_technology+index+page_top+stories"&gt;after the fact&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;There is a lot of risk associated with providing credit card processing services to a business. If a merchant sells something that they can't deliver, don't deliver, partially deliver, deliver poorly, or that is defective in some way, and the business can't remedy the situation with their own financial resources, the credit card processor is on the hook for all the chargebacks and losses.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Merchant account providers can do a number of things to address these risks including a reserve requirement. Reserve requirements come in different shapes, sizes and flavors. Some are 6 month rolling reserves, some are fixed amounts, some require upfront money and others are collected as part of the processing volume.&lt;/p&gt;
&lt;p&gt;When cash flow management is one of the most important components of running a business, a reserve requirement is probably something better identified before, rather than after, the fact.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/bwLQ7eiqIDw" height="1" width="1"/&gt;</description>
          <pubDate>Thu, 13 Aug 2009 15:07:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/paypal-reserves-surprise/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/bwLQ7eiqIDw/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/paypal-reserves-surprise/</feedburner:origLink></item>
        
    
        
        <item>
          <title>PayPal Adaptive Payments</title>
          <description>&lt;div class="comment_content"&gt;
&lt;p&gt;Following in the footsteps of Amazon's efforts in the payments space, PayPal announced a new service they're calling Adaptive Payments (TechCrunch has the &lt;a href="http://www.techcrunch.com/2009/07/06/paypal-looks-to-crush-amazons-fledgling-payment-service-with-a-new-secret-api/"&gt;new API posted&lt;/a&gt;).&amp;nbsp; It allows merchants/developers to become payment aggregators whereby they can accept and dynamically distribute payments among multiple parties. It's a great move by Paypal that leverages the network of users they've built over the past decade as well as their global payments capabilities, but there are some limitations. I think there are a few things to note.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Context&lt;/b&gt;&lt;br /&gt;
Paypal has overcome several limitations and/or unappealing features of traditional payment methods (check and credit card - I'm excluding cash in this discussion) and payment channels (banks and wire transfer services). For example, to pay someone, instead of writing a check or sending a wire transfer, a Paypal user can easily send money to another Paypal user.&lt;/p&gt;
&lt;p&gt;Credit cards, which are used for a substantial percentage of all commerce in the U.S. and around the world, were built around a 1:1 relationship between cardholder and merchant, not between one user and another (though MasterCard just recently announced a transfer service using Obopay's platform). This is one structural limitation that has given Paypal the opportunity to grow as it has.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Target Opportunity&lt;/b&gt;&lt;br /&gt;
Adaptive Payments addresses a few key problems for merchants and developers: 1) global B2B, B2C and C2C money transfers (a U.S. business can get the same payment flexibility as Paypal's new service domestically by using electronic funds transfers (EFT), without requiring that the recipient have a Paypal account, but things get complex and there are several limitations when expanding outside of the U.S.); 2) recipients no longer need a bank account; and 3) dynamic, global and multi-party payment distribution.&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Limitations&lt;/b&gt; &lt;b&gt;of Adaptive Payments&lt;/b&gt;&lt;br /&gt;
According to Paypal's API documentation, all payment participants are required to have a Paypal account: &amp;ldquo;The payment sender, receiver(s), and application owner must each have a PayPal account. Senders and receivers may have personal accounts; however, application owners must have business accounts.&amp;rdquo; The solution works for prearranged payment distribution relationships, since the barrier to participation is setting up a new Paypal account beforehand.&lt;/p&gt;
&lt;p&gt;For realtime, non-prearranged payment situations, this solution has a serious drawback that could hinder its adoption. Paypal has no choice but to maintain this requirement because payments have to stay on its network. In other words, in some situations, its greatest strategic asset may also turn out to be its Achilles heel.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Network Effect&lt;/b&gt;&lt;br /&gt;
I think the big story in all of this is the following: the major card brands such as Visa, MasterCard, American Express and Discover have done an exceptional job over the years building a global network of cardholders and accepting merchants to facilitate commerce. It's now a global standard.&amp;nbsp; They have built substantial barriers to entry for others (look at Revolution Money, which has raised around $100 million to try to penetrate the U.S. market).&lt;br /&gt;
&lt;br /&gt;
Collectively, the internet, globalization, social networks, and mobile phones have been shifting the payments landscape and reducing these barriers.&amp;nbsp; It's the wave that Paypal and other innovators have been riding, and it has turned what was a potential threat and minor scratch for the card brands into an open wound.&lt;/p&gt;
&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/bc-SHO67sAU" height="1" width="1"/&gt;</description>
          <pubDate>Thu, 09 Jul 2009 02:02:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/PayPal-Adaptive-Payments/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/bc-SHO67sAU/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/PayPal-Adaptive-Payments/</feedburner:origLink></item>
        
    
        
        <item>
          <title>PCI DSS Compliance basics for credit card data security</title>
          <description>&lt;p&gt;&lt;a href="http://www.braintreepaymentsolutions.com/pci-dss-compliance/"&gt;PCI DSS Compliance&lt;/a&gt; is an industry-mandated security standard that applies to all businesses that handle, process or store credit cards. &lt;br /&gt;
&lt;br /&gt;
There are 12 core requirements and roughly 250 controls, but as an oversimplification it boils down to three things: 1) all merchants, regardless of whether credit card data is stored, must achieve and maintain compliance at all times (all deadlines have passed); 2) merchants cannot store certain credit card information including &lt;a href="http://www.braintreepaymentsolutions.com/blog/merchants-are-prohibited-from-storing-cvv2-csc-per-pci-standards/"&gt;CVV2, CVC2 and CID codes&lt;/a&gt; (three or four-digit numbers), &lt;a href="http://www.braintreepaymentsolutions.com/blog/track-data-cannot-be-stored-according-to-pci-regulations/"&gt;track data&lt;/a&gt; from the magnetic strip or PIN data; 3) if permitted credit card information such as name, credit card number and expiration date is stored, certain security standards are required. A number of recent &lt;a href="http://www.braintreepaymentsolutions.com/blog/featured/pci-compliance-and-the-cost-of-a-credit-card-breach/"&gt;high profile breaches&lt;/a&gt; have been raising awareness of the risks associated with PCI Compliance.  &lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;The motivation to become compliant &lt;/strong&gt; The major credit card companies have provided both carrots and sticks in order to compel merchants to become and maintain compliance. The incentives include &lt;a href="http://usa.visa.com/merchants/risk_management/cisp_overview.html"&gt;'safe harbor'&lt;/a&gt; from certain penalties and fines if a merchant is compliant &lt;em&gt;at&lt;/em&gt; the time of breach. &lt;br /&gt;
&lt;br /&gt;
Without compliance, if a merchant is breached and has credit card information stolen, depending on the size of the breach, PCI related fines can be as high as $500,000 per incident. In severe cases, merchants can even be given the 'Death Penalty,' preventing them from accepting credit cards. In all, depending on the number of cards stolen, merchants are estimated to spend between $90 and $302 &lt;em&gt;per record&lt;/em&gt; (see graph below).  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
The Payment Card Industry Data Security Standard (PCI DSS)&lt;/strong&gt; &lt;br /&gt;
&lt;strong&gt;&lt;br /&gt;
What is PCI DSS?&lt;/strong&gt; &lt;br /&gt;
It's a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting credit card data.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
Who created it?&lt;/strong&gt; While Visa and MasterCard originally developed it, as of September of 2006 American Express, Discover, JCB, MasterCard and Visa jointly formed the PCI Security Standards Council.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
Why was it created?&lt;/strong&gt; It was created in response to a spike in data security breaches over the last few years. A large number of both small and large businesses have been breached including &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach/"&gt;TJX&lt;/a&gt;, Bank of America, Citigroup, BJ's Wholesale Club, Hotels.com, LexisNexis, Polo Ralph Lauren and Wachovia.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
Who's at risk?&lt;/strong&gt; Any business that processes, transmits, or stores credit card information. While the publicity of security breaches has recently been focused on larger companies, Visa reports that the majority of breaches are &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-related-fines-for-breaches-at-small-businesses/"&gt;occurring at small businesses&lt;/a&gt;.&lt;/p&gt;
&lt;!--more--&gt;
&lt;p&gt;&lt;strong&gt;What are the 12 mandated security requirements?&lt;/strong&gt;  &lt;br /&gt;
1. Install and maintain a firewall configuration to protect data &lt;br /&gt;
2. Do not use vendor-supplied defaults for system passwords and other security parameters &lt;br /&gt;
3. Protect stored data &lt;br /&gt;
4. Encrypt transmission of cardholder data and sensitive information across public networks &lt;br /&gt;
5. Use and regularly update anti-virus software &lt;br /&gt;
6. Develop and maintain secure systems and applications &lt;br /&gt;
7. Restrict access to data by business need-to-know &lt;br /&gt;
8. Assign a unique ID to each person with computer access &lt;br /&gt;
9. Restrict physical access to cardholder data &lt;br /&gt;
10. Track and monitor all access to network resources and cardholder data &lt;br /&gt;
11. Regularly test security systems and processes &lt;br /&gt;
12. Maintain a policy that addresses information security&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;What credit card information can and cannot be stored? &lt;/strong&gt;&lt;/p&gt;
&lt;p style="text-align: center;"&gt;&lt;a title="storage-chart.jpg" href="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2007/10/storage-chart.jpg"&gt;&lt;img src="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2007/10/storage-chart.jpg" alt="storage-chart.jpg" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;How much does it cost to become compliant? &lt;/strong&gt;&lt;br /&gt;
It depends on business type, credit card processing and storage practices and existing IT environment. Read &lt;a href="http://www.braintreepaymentsolutions.com/blog/what-does-it-cost-to-become-pci-compliant/"&gt;here for a more complete overview.&lt;/a&gt;  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
What do merchants have at risk if credit card information is breached? &lt;/strong&gt;&lt;br /&gt; Fines up to $500,000 per incident&lt;br /&gt; Remediation costs estimated at $90 to $302 per record&lt;br /&gt; Potential customer lawsuits&lt;br /&gt; Company reputation and brand damage&lt;/p&gt;
&lt;p style="text-align: center;"&gt;&lt;a title="Cost of a credit card breach" href="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2007/10/cost-of-a-credit-card-breach.png"&gt;&lt;img src="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2007/10/cost-of-a-credit-card-breach.png" alt="Cost of a credit card breach" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Are there different requirements for large and small businesses? &lt;/strong&gt;  Yes. Merchants belong to one of four levels, determined by annual transaction volumes. These transaction volumes apply to the highest number of transactions of a single card type per year, e.g. a merchant doing 5,000,000 Visa and 2,000,000 MasterCard transactions annually, even though they cumulatively equal 7,000,000, would qualify as Level 2.&lt;/p&gt;
&lt;p style="text-align: center;"&gt;&lt;a title="PCI Levels" href="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2007/10/pci-levels.jpg"&gt;&lt;img src="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2007/10/pci-levels.jpg" alt="PCI Levels" /&gt;&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Definitions from above: &lt;/strong&gt;&lt;/p&gt;
&lt;blockquote&gt;&lt;strong&gt;On-Site Security Audit&lt;/strong&gt; The audit must be completed by Level 1 merchants. Merchants can choose to complete the audit internally or hire an outside Qualified Security Assessor to complete the Report on Compliance (ROC). &lt;a title="http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_tools_faq.html" href="http://usa.visa.com/business/accepting_visa/ops_risk_management/cisp_tools_faq.html" target="_blank"&gt;PCI Security Audit Procedures &amp;amp; Reporting&lt;/a&gt;&lt;/blockquote&gt; &lt;blockquote&gt;&lt;a href="http://www.braintreepaymentsolutions.com/blog/updated-pci-dss-self-assessment-questionnaire-saq-version-11/"&gt;&lt;strong&gt;Self-Assessment Questionnaire&lt;/strong&gt;&lt;/a&gt; (SAQ) Initially the Council had a one-size-fits-all SAQ, but it proved too challenging and complicated for the different types and sizes of merchants. In February 2008, the Council released four versions of the SAQ in an attempt to better accommodate merchant profiles. Here is a summary:
&lt;ul type="disc"&gt;
    &lt;li&gt;&lt;a href="https://www.pcisecuritystandards.org/saq/instructions_v11.shtml"&gt;SAQ A&lt;/a&gt;: Addresses requirements applicable to merchants who have outsourced all processing, transmission and storage of cardholder data.&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://www.pcisecuritystandards.org/saq/instructions_v11.shtml"&gt;SAQ B&lt;/a&gt;: Created to address requirements pertinent to merchants who process cardholder data via imprint machines or stand-alone dial-up terminals only.&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://www.pcisecuritystandards.org/saq/instructions_v11.shtml"&gt;SAQ C&lt;/a&gt;: Constructed to focus on requirements applicable to merchants whose payment applications systems are connected to the Internet.&lt;/li&gt;
    &lt;li&gt;&lt;a href="https://www.pcisecuritystandards.org/saq/instructions_v11.shtml"&gt;SAQ D&lt;/a&gt;: Designed to address requirements relevant to all service providers defined by a payment brand as eligible to complete an SAQ and those merchants who do not fall under the types addressed by SAQ A, B or C.&lt;/li&gt;
&lt;/ul&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/vulnerability-and-security-assessment-scans-for-pci-dss-compliance/"&gt; &lt;strong&gt;Network Vulnerability Scans&lt;/strong&gt;&lt;/a&gt; The PCI Standard requires merchants to scan all outward facing IP addresses. These IP addresses are not protected by a firewall and can be hacked through an open port. The SAQ identifies and mitigates risk from the inside (behind the firewall) while the IP scans identify and mitigate risk from the outside.  &lt;strong&gt;Validation&lt;/strong&gt; &lt;strong&gt;Dates&lt;/strong&gt; The Card Associations have set specific dates for validation. Level 1 merchants were required to validate compliance by 9/30/2007, Level 2 by 12/31/07, and the Level 3 and 4 deadlines are processor/acquirer specific.&lt;/blockquote&gt;
&lt;p&gt;&lt;strong&gt;How to Get Started &lt;/strong&gt;&lt;br /&gt;
1. Identify the individuals that will be responsible for PCI compliance in your organization and assemble a team that includes members from each area. &lt;br /&gt;
2. Determine your merchant level (1-4). &lt;br /&gt;
3. Determine which &lt;a href="http://www.braintreepaymentsolutions.com/blog/updated-pci-dss-self-assessment-questionnaire-saq-version-11/"&gt;SAQ&lt;/a&gt; your organization will need to complete. &lt;br /&gt;
4. Evaluate whether your organization will try to achieve compliance internally or engage with a &lt;a href="http://www.braintreepaymentsolutions.com/blog/qualified-security-assessors-qsas-for-pci-dss-compliance/"&gt;Qualified Security Assessor (QSA)&lt;/a&gt;. &lt;br /&gt;
5. Engage with an &lt;a href="http://www.braintreepaymentsolutions.com/blog/vulnerability-and-security-assessment-scans-for-pci-dss-compliance/"&gt;Approved Scanning Vendor (ASV)&lt;/a&gt; to start the required external IP vulnerability scans. &lt;br /&gt;
6. Make sure that your organization has an Information Security Policy and that it is being enforced. &lt;br /&gt;
7. Immediately address any significant deficiencies discovered during the assessment or scan. &lt;br /&gt;
8. Retain record of self-assessments, scans, and follow-up activities. Be prepared to provide these documents upon request.  &lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;What should you do if breached?&lt;/strong&gt;  In the event of a security incident, merchants must take immediate action to: &lt;br /&gt;
1. Contain and limit the exposure. Conduct a thorough investigation of the suspected or confirmed loss or theft of account information within 24 hours of the compromise &lt;br /&gt;
2. Alert all necessary parties. Be sure to notify:  * Merchant Account Provider * Visa Fraud Control Group at (650) 432-2978 * Local FBI Office * U.S. Secret Service (if Visa payment data is compromised)  &lt;br /&gt;
3. Provide the compromised Visa accounts to Visa Fraud Control Group within 24 hours. &lt;br /&gt;
4. Within four business days of the reported compromise, provide Visa with an incident report.  &lt;br /&gt;
&lt;br /&gt;
Here is a step-by-step guide from Visa - &lt;em&gt;&lt;a title="http://www.usa.visa.com/business/accepting_visa/ops_risk_management/cisp_if_compromised.html?it=c|/business/accepting_visa/ops_risk_management/cisp%2Ehtml|If%20Compromised" href="http://www.usa.visa.com/business/accepting_visa/ops_risk_management/cisp_if_compromised.html?it=c%7C/business/accepting_visa/ops_risk_management/cisp%2Ehtml%7CIf%20Compromised" target="_blank"&gt;What To Do If Compromised&lt;/a&gt;&lt;/em&gt;.  &lt;br /&gt;
&lt;br /&gt;
Additional resources: A non-profit organization, RSPA produced a 12-minute video aimed at educating smaller restaurant and retail merchants about the &lt;a href="http://www.braintreepaymentsolutions.com/blog/what-small-businesses-need-to-know-about-pci-compliance/"&gt;risks associated with PCI Compliance&lt;/a&gt;.  &lt;br /&gt;
&lt;br /&gt;
Other related posts:   &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach/"&gt;&lt;br /&gt;
PCI DSS Compliance&lt;/a&gt; and the cost of a credit card breach   &lt;br /&gt;
PCI DSS Payment Card Industry &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-dss-payment-card-industry-self-assessment-questionnaire-saq/"&gt;Self-Assessment Questionnaire&lt;/a&gt; (SAQ)   &lt;a href="http://www.braintreepaymentsolutions.com/blog/vulnerability-and-security-assessment-scans-for-pci-dss-compliance/"&gt;&lt;br /&gt;
Vulnerability and security assessment scans&lt;/a&gt; for PCI DSS Compliance    &lt;br /&gt;
&lt;br /&gt;
Braintree solutions: The Smart Approach to &lt;a href="http://www.braintreepaymentsolutions.com/pci-compliance.php"&gt;PCI DSS Compliance&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/7Qm-VtZ2nRY" height="1" width="1"/&gt;</description>
          <pubDate>Tue, 07 Jul 2009 14:52:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/pci-compliance-basics-for-credit-card-secuirty/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/7Qm-VtZ2nRY/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/pci-compliance-basics-for-credit-card-secuirty/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Where do credit card fees come from?</title>
          <description>&lt;p&gt;&lt;a title="Visa &amp;amp; MasterCard" href="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2007/12/visa-mastercard.jpg"&gt;&lt;img class="alignRight" src="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2007/12/visa-mastercard.jpg" alt="" /&gt;&lt;/a&gt;It is known by some, but not all, that businesses pay fees in order to accept credit cards as a form of payment. In fact, over 7 million merchants in the U.S. accept credit cards. During 2007 they collectively paid over 30 billion in credit card acceptance fees.&lt;/p&gt;


	&lt;p&gt;Despite the size of the industry, it&amp;#8217;s a mystery to most who is pocketing all this money and how prices are determined and reported.  I had a &lt;span class="caps"&gt;CPA&lt;/span&gt; tell me the other day, &amp;#8220;I&amp;#8217;m a smart guy. I understand numbers, pricing and reconciliation, but for whatever reason I just cannot get my head around credit card processing fees and the unbelievably complicated way companies report them.&amp;#8221; He&amp;#8217;s not alone.  Hopefully this article will clear up some of that confusion as I provide some context about where credit card fees come from, who&amp;#8217;s making the money, and how fees and rates are determined.&lt;/p&gt;


	&lt;p&gt;&lt;strong&gt;Issuing Financial Institutions make roughly 85% of all credit and debit card processing fees&lt;/strong&gt;
The financial institutions that issue credit and debit cards are the biggest beneficiaries.  Some financial institutions such as banks co-issue debit and credit cards with Visa and/or MasterCard while others such as American Express and Discover issue them directly (though, after years of litigation, some banks are now issuing American Express cards to cardholders).   Before Visa and MasterCard went public, they were associations primarily owned by the issuing financial institutions. Collectively Visa and MasterCard own roughly 75% of the credit cards in the market.&lt;/p&gt;


	&lt;p&gt;These issuing financial institutions make money every time a card they issued is used to purchase something. For example, let&amp;#8217;s assume that a business is paying an effective rate of 3.5% to accept credit cards (that 3.5% is usually comprised of a discount rate and a per transaction fee but I just used a flat rate for simplification purposes). Roughly 85% of that 3.5% is going to the issuing bank. The remaining 15% is divided among Visa or MasterCard, the credit card processor, and if there is one, the Independent Sales Organization (ISO).&lt;/p&gt;


	&lt;p&gt;&lt;strong&gt;How do financial institutions justify their fees?&lt;/strong&gt;
Credit card usage has seen explosive growth in the past 20 years for a number of reasons.  Benefits of using plastic include 15 to 45 days to pay original purchases, rewards, a line of credit for extra spending power, fraud protection, a monthly accounting of all purchases and general convenience.  The use of Purchase Cards by Corporations or the government (GSA) has also been growing rapidly to lower the cost and to streamline Accounts Receivable and Payables.&lt;/p&gt;


	&lt;p&gt;An example of some of the costs these financial institutions incur providing and maintaining card holders include fraud, bad debt, customer support, rewards and other perks, and float (they pay for your purchases before you pay them). Usage rewards alone account for roughly 40% of the fees they generate and end up back in the pockets of cardholders. They fiercely compete for new cardholders primarily on their rewards programs.&lt;/p&gt;


	&lt;p&gt;Continuing our example from above, if you buy movie tickets for $20 and the movie theater is paying 3.5%, the financial institution that issued that credit card would make $0.60 ($20&amp;#215;3.5% = $0.70, x 85% equals $0.60). Visa and MasterCard add their respective fees of .0925% and .0950% on top of what the banks charge (Note: that&amp;#8217;s 9.25 and 9.50 basis points. 100 basis points equals 1%).  Adding the fees from the bank and Visa or MasterCard together form what is called &amp;#8216;interchange&amp;#8217;.&lt;/p&gt;


	&lt;p&gt;You now understand why you find a credit card offer in your mailbox everyday. Outside of the 18% interest rates, annual fees, and late fees, being a card issuer is a lucrative business! The issuing institutions are making money on both the front and back end.&lt;/p&gt;


	&lt;p&gt;&lt;strong&gt;That seems simple enough, why does everyone say it&amp;#8217;s so complex?&lt;/strong&gt;
From a high level, the rate structure seems pretty simple, but it gets messy fast once we get into the details. There are over 100 different interchange &amp;#8216;rates&amp;#8217; or &amp;#8216;categories&amp;#8217;. The particular rate that is charged on any given transaction depends on a number of variables, including:&lt;/p&gt;


	&lt;p&gt;1) The type of card that is used in the transaction i.e. debit, credit, rewards, or business card, international, etc.
2) Where the card is used i.e. restaurant, retail, gas, business to business, ecommerce, etc.
3) The method of usage i.e. swiped, over the phone, or via ecommerce.
4) What information the business captures during the transaction i.e. name, address, tax ID, tax amount, unit description, etc. (the information required is a whole other layer of complexity).
5) When the transaction is submitted to the processor for settlement and funds transfer after the initial authorization.&lt;/p&gt;


	&lt;p&gt;As you can see, it&amp;#8217;s a very complicated matrix. Very few people, including those who&amp;#8217;ve been in the industry for years, really understand interchange.&lt;/p&gt;


	&lt;p&gt;&lt;strong&gt;Qualifying for different rate categories and getting hit with downgrades &lt;/strong&gt;
Merchants can often do more than they think to better manage the credit card fees they pay.   For example, transactions can be &amp;#8216;downgraded&amp;#8217; (penalized) when they don&amp;#8217;t meet interchange requirements.  Example reasons for downgrades include not capturing the correct information when processing (such as billing zip), settling the transaction after a certain period of time, not swiping the transaction and many more. Learning how to recognize these penalties and then making the appropriate adjustments can help you lower the fees that are paid.&lt;/p&gt;


	&lt;p&gt;One downgrade example: if a restaurant employee hand keys a credit card number into the point of sale system because the magnetic strip can&amp;#8217;t be read, the transaction falls into a different and higher rate category. The transaction is penalized because &amp;#8216;non swiped&amp;#8217; transactions carry more risk and therefore higher interchange fees. The increase in rate can be significant, ranging from 30 basis points to 2% or more, depending on how the service provider has the account priced.&lt;/p&gt;


	&lt;p&gt;Different rate categories and downgrades are the dirty little secret for merchant service providers. It&amp;#8217;s where they make most of their margin because they offer artificially low rates and don&amp;#8217;t disclose higher markups on transactions that don&amp;#8217;t fall into a specific rate category. Too many merchants fall for this and think they&amp;#8217;re paying the single, highly competitive rate that was advertised.&lt;/p&gt;


	&lt;p&gt;A quick search of merchant service providers will demonstrate that non disclosure of fees is a standard practice.  &lt;a href="http://www.braintreepaymentsolutions.com/blog/rule-breakers-in-the-credit-card-processing-industry/"&gt;See two examples here.&lt;/a&gt;&lt;/p&gt;


	&lt;p&gt;&lt;strong&gt;The undecipherable monthly credit card statement&lt;/strong&gt;
As icing on the cake, the unreadable format most merchant service providers use to present this information to you on a monthly basis doesn&amp;#8217;t help. Of course, the format used is not because they have no other option, it&amp;#8217;s because that&amp;#8217;s what makes them the most amount of money.&lt;/p&gt;


	&lt;p&gt;&lt;strong&gt;The frustration with credit card fees&lt;/strong&gt;
Some merchants accept credit cards because they find them to be an easier and more efficient method of accepting money from customers.  Most merchants, however, accept them because they have no other choice. Many merchants and advocacy groups have cried foul lately with Visa and MasterCard increasing &amp;#8216;interchange&amp;#8217; fees over 117% in the past five years while maintaining over 75% market share. The Card Associations have been accused of being monopolistic.&lt;/p&gt;


	&lt;p&gt;&lt;strong&gt;Interchange has come under increased pressure lately&lt;/strong&gt;
A few years ago, Wal-Mart won a class action lawsuit against Visa and MasterCard. They claimed that debit card interchange was being improperly priced because it had the same interchange rate as credit cards. Among other things, they argued that debit cards should have a lower interchange rate because money comes directly out of the cardholder&amp;#8217;s account versus a credit card where there is 15 to 45 days between purchase and payment. The courts agreed and awarded Wal-Mart and other retailers billions of dollars in compensatory damages.   There are currently a number of other legal battles against the Card Associations surrounding interchange.&lt;/p&gt;


	&lt;p&gt;&lt;strong&gt;
&lt;/strong&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/3xYw4DUlFWg" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 12 Jun 2009 07:00:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/where-do-credit-card-fees-come-from-cc/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/3xYw4DUlFWg/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/where-do-credit-card-fees-come-from-cc/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Account Verification with a Zero Dollar Value authorization request</title>
          <description>&lt;p&gt;&lt;a href="braintreepaymentsolutions.com/assets/167/Visa_logo.gif"&gt;&lt;img align="right" src="http://www.braintreepaymentsolutions.com/assets/167/Visa_logo.gif" alt="" /&gt;&lt;/a&gt;We've been getting a lot of questions about Visa's new Account Verification service. Hopefully this will help clear things up a little.&lt;/p&gt;
&lt;p&gt;For years, card not present merchants (ecommerce, phone, fax, mail) have needed to verify a cardholder's information upon acceptance when there was a delay between collecting the credit card data and actually charging the card.&amp;nbsp; For example, a merchant may collect the credit card information during the initial sign up process but offer a 30 day trial period before charging the card. In this situation, it's in the best interest of the merchant to verify the cardholder's information including the credit card number, expiration date, address and CVV value for accuracy and legitimacy. The only way of doing this today is by doing a $1.00 authorization (Visa refers to these as Ghost Authorizations). &amp;nbsp; While the authorization does eventually expire, some banks will show the pending $1.00 authorization which leads to merchants inevitably getting support questions regarding an improper charge.&lt;/p&gt;
&lt;p&gt;Visa's new Account Verification program is an alternative to the $1.00 authorization. With this program, a merchant will be able to do a Zero Dollar Value authorization request which can include Address Verification (AVS) and CVV verification. MasterCard has a similar verification process for card not present recurring billing merchants with a $1.00 'test transaction'. Visa is charging for this service but MasterCard is not.&lt;/p&gt;
&lt;p&gt;Interestingly, according to Visa, the problem that merchants have was not the primary driver behind creating the Account Verification program. Visa is trying to eliminate $1.00 authorization requests because they have a negative impact on cardholder spending.&amp;nbsp; For those of us who live in the space and deal with the shortcomings and problems caused by the $1.00 auth, we're pleased with the creation of the Account Verification product whether we (merchants and service providers) were considered or not.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Related posts:&lt;br /&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/Visa-misuse-of-authorization/"&gt;Visa Misuse of Authorization&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/dNX-v9uzOAc" height="1" width="1"/&gt;</description>
          <pubDate>Tue, 09 Jun 2009 14:55:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/Account-Verification-with-a-Zero-Dollar-Value-authorization-request/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/dNX-v9uzOAc/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/Account-Verification-with-a-Zero-Dollar-Value-authorization-request/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Visa Acquirer Processing Fee (APF) and MasterCard Network Access Brand Usage Fee (NABU)</title>
          <description>&lt;p&gt;Increasing fees for existing users of a product or service is never an easy thing. While there is rarely a perfect time to raise prices, there certainly are some times that are better than others.&amp;nbsp; In the midst of some of the most intense dialogs that have taken place over credit card interchange, the fees that merchants pay the issuing banks to accept credit cards, Visa and MasterCard have announced one of the largest fee increases in years.&amp;nbsp; The timing of their fee increase could possibly be written up in a case study as an example of what not to do.&lt;br /&gt;
&lt;br /&gt;
Starting on July 1, 2009, Visa is introducing a U.S. Acquirer Processing Fee (APF). The fee will be $0.0195 on all Visa-branded authorizations acquired in the U.S. regardless of where the issuer/cardholder is located. On April 18, 2009, MasterCard implemented a new Network Access and Brand Usage (NABU) fee of $0.0185 for all U.S.-based sales and credit/refund transactions.&lt;br /&gt;
&lt;br /&gt;
For merchants that have a larger average ticket of $150, the Visa fee increase is pretty insignificant and amounts to 1 basis point (100 basis points = 1%). For a lower average ticket of $15, it amounts to a more significant 13 basis point increase. &lt;br /&gt;
&lt;br /&gt;
The timing of the fee increase, while bad, may have been strategic in the wake of all the congressional activity surrounding the credit card reform that passed last month. I'm speculating, but I wonder if both Visa and MasterCard, facing some legislative risk, were trying to re-anchor the pricing discussion at a higher starting point in case congressional mood were to turn in favor of the groups lobbying for action. Alternatively, the fee increase could have had nothing to do with this 'chatter' and been fueled by the fact that both are now public companies and need to take care of their shareholders and stock prices.&lt;/p&gt;
&lt;p&gt;I spoke to a Visa representative recently at an industry conference and asked about the fee. I was told that they were increasing the price to more fairly align value created and price. Even if that is the case, and it's quantitatively supported, they need to do a better job selling these measurements with everyone actively engaged in the interchange pricing debate.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/WPfg9DwZ8_Y" height="1" width="1"/&gt;</description>
          <pubDate>Mon, 08 Jun 2009 20:32:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/Visa-Acquirer-Processing-Fee-APF-and-MasterCard-Network-Access-Brand-Usage-Fee-NABU/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/WPfg9DwZ8_Y/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/Visa-Acquirer-Processing-Fee-APF-and-MasterCard-Network-Access-Brand-Usage-Fee-NABU/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Visa Misuse of Authorization</title>
          <description>&lt;p&gt;&lt;a href="http://braintreepaymentsolutions.com/assets/167/Visa_logo.gif"&gt;&lt;img align="right" src="http://braintreepaymentsolutions.com/assets/167/Visa_logo.gif?1231134548" alt="" /&gt;&lt;/a&gt;Starting October 1, 2009, Visa will start assessing a 'misuse' fee for authorizations that are not either settled or reversed within certain timeframes. Visa refers to these as 'ghost authorizations'.&lt;/p&gt;
&lt;p&gt;In the past, merchants frequently performed a $1.00 authorization only (without settlement) for verification and to retrieve address verification (AVS) and CVV match or mismatch information. Visa explains that they're trying to reduce ghost authorizations because they restrict a cardholder's ability to buy and increase declines.&lt;/p&gt;
&lt;p&gt;Here is what merchants will need to do in order to comply with the new processing guideline and avoid the misuse fee. Card-present authorizations that have been submitted in error and/or cancelled by the cardholder must be reversed within 24 hours.&amp;nbsp; For card-not-present transactions, full or partial authorization reversals must be processed within 72 hours.&amp;nbsp; Settlement must occur within 10 days of authorization for all merchants except Travel and Entertainment segments, which must clear within 20 days of authorization regardless of transaction date.&lt;/p&gt;
&lt;p&gt;Visa has stated that they will be monitoring ghost authorizations and reversal levels to prevent abuse of the system and even levying fines in excessive cases. They've not revealed any thresholds or fine potential details.&lt;/p&gt;
&lt;p&gt;As an alternative method to verify cardholder data, Visa has introduced Account Verification, which will allow for a Zero Dollar Value authorization request and can include AVS and CVV data. MasterCard has a similar verification process for card-not-present recurring billing merchants with a $1.00 'test transaction'. Visa is charging for this service but MasterCard is not.&lt;/p&gt;
&lt;p&gt;Yet obstacles remain with the implementation of these new changes. Many of the larger processors do not support authorization reversals and some don't have an ETA yet on supporting Visa or MasterCard's Account Verification services.&amp;nbsp; Many of the Visa and MasterCard issuers (financial institutions that issue the debit/credit cards) are not able to support these services today. Visa has mandated compliance from all their issuers and MasterCard is expected to follow.&lt;/p&gt;
&lt;p&gt;Related blog posts:&lt;br /&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/Account-Verification-with-a-Zero-Dollar-Value-authorization-request/"&gt;Account Verification with a Zero Dollar authorization request&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/gRDe0xA8dd4" height="1" width="1"/&gt;</description>
          <pubDate>Mon, 18 May 2009 14:47:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/Visa-misuse-of-authorization/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/gRDe0xA8dd4/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/Visa-misuse-of-authorization/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Why do merchant account providers ask for a personal guaranty? </title>
          <description>&lt;p&gt;Nearly all &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;merchant account providers&lt;/a&gt; will require that a personal &lt;span id=":8wu" dir="ltr"&gt;guaranty&lt;/span&gt; be signed by the owner(s) before approving an account for &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;credit card acceptance&lt;/a&gt;. Some owners are justifiably reluctant to sign a personal &lt;span id=":8wu" dir="ltr"&gt;guaranty&lt;/span&gt;. After all, that's one of the main reasons a legal entity was set up in the first place: to protect individuals in the organization from being subject to the company's liabilities. Most providers will waive the requirement if a) the company is public, or b) the organization is a registered 501c3 or 501c4, or c) the company's financials are adequate to satisfy the underwriters' concern about the underlying risk.&lt;br /&gt;
&lt;br /&gt;
So where is the risk? Basically, a &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;merchant account provider&lt;/a&gt; is at risk for every dollar that passes through the &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;merchant account&lt;/a&gt; during a 6 month period. Here is a risk scenario:&lt;br /&gt;
&lt;br /&gt;
Widget Company comes out with a new electronic gadget for $30.00.&amp;nbsp; During their first month, sales are over $100,000 and everyone in the company is ecstatic.&amp;nbsp; To try and build upon the momentum, Widget Company decides to spend all their cash on an AdWords campaign.&amp;nbsp; Ten days later, Widget finds out that all the gadgets they sold have a bug and need to be replaced. Widget doesn't have the cash to replace them so they tell customers that they are sorry, they won't be able to honor the 90 warranty that was included.&amp;nbsp; The cardholders who bought those gadgets are going to be unhappy with the response and will call their bank to initiate a chargeback (a formal dispute process). The &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;merchant account provider&lt;/a&gt; will in turn attempt to debit Widget's bank account for the amount being disputed to cover their loss but their are insufficient funds at that point. At that point, the &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;merchant account provider&lt;/a&gt; is financially responsible to refund all those customers who bought the gadget and filed a dispute with their bank.&lt;br /&gt;
&lt;br /&gt;
Merchant account providers face this risk with every product or service sold, including services, software, memberships, consulting and anything else that is purchased with a credit card.&amp;nbsp; Therefore, when a merchant account underwriter reviews an account, they try to calculate the risk associated with the account. Their risk analysis will include the merchant's projected sales, the product or service being sold, company history, company financials and owner(s) credit. The exposure window for credit card transactions is six months (or up to 18 months in special circumstances), which is how long a cardholder technically has to dispute a charge (chargeback). This is also why &lt;a href="http://www.braintreepaymentsolutions.com/blog/annual-credit-card-billing-subscriptions/"&gt;annual billing&lt;/a&gt; and lifetime memberships present underwriting and risk challenges. &lt;br /&gt;
&lt;br /&gt;
The example above is an honest mistake.&amp;nbsp; But &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;merchant account providers&lt;/a&gt; are also cognizant of classic merchant account fraud: set up a &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;merchant account&lt;/a&gt;, sell a bunch of goods or services, receive the money within 48 hours and then pack it up and skip town without delivering the items or services that were sold. Without a personal &lt;span id=":8wu" dir="ltr"&gt;guaranty&lt;/span&gt;, the business can declare bankruptcy and the owners would be shielded from any consequence. In this scenario, the personal &lt;span id=":8wu" dir="ltr"&gt;guaranty&lt;/span&gt; is primarily used as a deterrent to prevent bad behavior.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Merchants can always ask for exceptions and underwriters may or may not provide them. There are alternative arrangements that underwriters will occasionally propose in place of a personal guaranty, such as a rolling reserve or a fixed amount up front.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/NAgbBD9hkIE" height="1" width="1"/&gt;</description>
          <pubDate>Tue, 03 Feb 2009 21:32:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/Why-do-merchant-account-providers-ask-for-a-personal-guaranty/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/NAgbBD9hkIE/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/Why-do-merchant-account-providers-ask-for-a-personal-guaranty/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Cost of Data Breach up 2.7% </title>
          <description>&lt;p&gt;The &lt;a target="_blank" href="http://online.wsj.com/article/SB123354707064638461.html?mod=todays_us_marketplace"&gt;WSJ reports&lt;/a&gt; that a new Ponemon Institute found that the cost of a breach was up 2.7% during 2008 to $202 per compromised record. The average expense to an organization was $6.6 million in direct and indirect costs, which includes the cost of notifying victims and maintaining information hot lines as well as legal, investigative and administrative expenses.&lt;/p&gt;
&lt;p&gt;Report Highlights:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Industries with the highest number of breaches: Health care and financial services&lt;/li&gt;
    &lt;li&gt;Most common causes of breaches: negligence, third-party providers, and portable devices including laptops&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The survey examined costs incurred by 43 organizations in 17 industries after a data breach and included breaches of between 4,200 records and more than 113,000.&amp;nbsp;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/dcQsPEM6x1o" height="1" width="1"/&gt;</description>
          <pubDate>Mon, 02 Feb 2009 15:37:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/Cost-of-Data-Breach-up-2.7/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/dcQsPEM6x1o/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/Cost-of-Data-Breach-up-2.7/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Data Breaches up in 2008</title>
          <description>&lt;p&gt;A report out this week by the &lt;a href="http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtml"&gt;Identity Theft Resource Center&lt;/a&gt; claimed the &lt;i&gt;reported&lt;/i&gt; data breaches were up by 47% duing 2008, reaching 656. Some interesting highlights (NOTE: this is not only credit card data): &lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Only 2.4% of breaches had encryption or other strong protection in use&lt;/li&gt;
    &lt;li&gt;Only 8.5% had password protection&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;About their method:&lt;/p&gt;
&lt;p&gt;The ITRC tracks five categories of data loss methods: data on the move, accidental exposure, insider theft, subcontractors, and hacking. Subcontractor breaches, while counted as one breach each, in some cases affected dozens of companies. The number of breaches does not reflect the number of companies affected. ITRC uses media, notification lists and government agencies to confirm breaches.&amp;nbsp; To be counted as a breach, an incident must include the loss of personally identifying information such as an SSN.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/QkSgRWdxdu0" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 09 Jan 2009 18:44:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/Data-Breaches-up-in-2008/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/QkSgRWdxdu0/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/Data-Breaches-up-in-2008/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Costco, your marketing department has gone rogue</title>
          <description>&lt;p&gt;Costco advertises unbeatable credit card processing rates of 1.64% and 1.99% in their November magazine. The problem? It's like a national long distance provider advertising a flat $.05 per minute that actually only includes your zip code.&lt;/p&gt;
&lt;p&gt;And the first benefit Costco touts regarding their services? &amp;quot;No Hidden Fees&amp;quot;&lt;/p&gt;
&lt;p&gt;Any business that accepts credit cards will tell you that this advertisement is misleading. If a merchant were to actually sign up, expecting to pay these rates, they would be unpleasantly surprised to find out that the &lt;i&gt;actual&lt;/i&gt; rates are:&lt;/p&gt;
&lt;p&gt;* 1.64% and $.20 for swiped transactions &lt;br /&gt;
* 1.99% and $.27 for non swiped transactions &lt;br /&gt;
&lt;b&gt; * 2.96% $.32 for rewards, business, corporate, non-AVS, authorizations not settled within 24 hours, and a host of other conditions.&lt;br /&gt;
* 3.80% $.32 for government or international cards&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;I don't know about you, but that's a minor * that I would want to know about before buying.&lt;/p&gt;
&lt;p&gt;Come on Costco, you're a brand we trust. We realize others in the industry do the exact same thing, but your customers deserve better.&lt;/p&gt;
&lt;p&gt;&lt;img src="http://www.braintreepaymentsolutions.com/assets/253/Costco-no-hidden-fees-08.png" alt="" /&gt;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/wgjAkGnTtis" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 05 Dec 2008 16:47:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/Costco-your-marketing-department-has-gone-rogue/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/wgjAkGnTtis/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/Costco-your-marketing-department-has-gone-rogue/</feedburner:origLink></item>
        
    
        
        <item>
          <title>2008 Credit Card Data Breach Trends</title>
          <description>&lt;p style="text-align: left;"&gt;&lt;img align="right" alt="" src="http://www.braintreepaymentsolutions.com/assets/247/Credit_card_lock.jpg?1228422968" /&gt;I recently listened to a presentation by a security group that performs forensics work when a merchant experiences a credit card data breach.  Here are the breach trends they've seen during 2008:&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Methods of entry - &lt;/b&gt;largely unchanged&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Insecure remote access software&lt;/li&gt;
    &lt;li&gt;SQL injection&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Breaching credit card data&lt;/b&gt; - evolved strategies&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Capturing credit card data in transit over the network between devices&amp;nbsp;&lt;/li&gt;
    &lt;li&gt;Via program modification after a vulnerable application was breached&lt;/li&gt;
    &lt;li&gt;Via collection of Random Access Memory (RAM) contents&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Techniques used&lt;/b&gt; - most apply to software POS&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Key-logging&amp;nbsp;&lt;/li&gt;
    &lt;li&gt;Network sniffers&lt;/li&gt;
    &lt;li&gt;Serial port sniffers&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Case Study&lt;/b&gt;&lt;/p&gt;
&lt;p&gt;In one case study they shared, the criminal was able to penetrate the network via remote access software. They then installed a debugging tool to collect RAM contents and malware to parse track data. The malware then uploaded the data to a Russian website.&amp;nbsp; The merchant was using a PABP POS that was not collecting prohibited cardholder data; the track data was captured from memory during processing, not from stored records.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/np953g9xP10" height="1" width="1"/&gt;</description>
          <pubDate>Tue, 25 Nov 2008 14:13:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/2008-Credit-Card-Data-Breach-Trends/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/np953g9xP10/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/2008-Credit-Card-Data-Breach-Trends/</feedburner:origLink></item>
        
    
        
    
        
    
        
        <item>
          <title>MasterCard interchange changes for Utility, Real Estate and Insurance merchants</title>
          <description>&lt;p style="margin: 0px 0px 12px; font-family: Arial; font-style: normal; font-variant: normal; font-weight: normal; font-size: 12px; line-height: normal; font-size-adjust: none; font-stretch: normal; text-align: left;"&gt;&lt;span style="letter-spacing: 0px;"&gt;&lt;img hspace="6" align="left" src="http://braintreepaymentsolutions.com/assets/165/masterCard.jpg" alt="master card" /&gt;MasterCard announced some changes to their interchange pricing today that will be effective October 3, 2008.&amp;nbsp;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin: 0px 0px 12px; font-family: Arial; font-style: normal; font-variant: normal; font-weight: normal; font-size: 12px; line-height: normal; font-size-adjust: none; font-stretch: normal;"&gt;&lt;span style="letter-spacing: 0px;"&gt;As some quick context if you are new to this. Here is an oversimplification: merchants pay fees to &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;accept credit cards&lt;/a&gt;. Financial institutions that issue credit and debit cards make roughly 75% of the fees that merchants pay (merchant account providers charge the other 25% of the fees). When MasterCard makes changes to 'Interchange', they are adjusting the wholesale pricing of the fees that make up MasterCard and their financial issuing institution's 75% of fees. To the casual observer in this industry - these updates below won't make a lot of sense without some additional context.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;b&gt;Utilities&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Merchants no longer need to register for their Utility Program&lt;/li&gt;
    &lt;li&gt;MC is discontinuing their Service Industries Incentive Program (SIIP). The SIIP program offered a lower discount rate and transaction fee. Utilities will now be charged a fixed fee per transaction which is lower on average than rates paid on SIIP and closer to pin debit rates.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Real Estate&lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Discontinuing two Debit interchange categories (Merit III and UCAF), otherwise pricing stays the same.&amp;nbsp;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Insurance &lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Similar to utilities, discontinuing the discounted SIIP rates. Merit III, Merit I Merchant/Full UCAF Debit are no longer eligible.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Telecommunications  &lt;/b&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Similar to utilities and insurance, discontinuing the discounted SIIP rates &lt;i&gt;but &lt;/i&gt;Merit III, Merit I Merchant/Full UCAF Debit &lt;i&gt;are still eligible&lt;/i&gt;.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;b&gt;Related Posts&lt;/b&gt;&lt;br /&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/where-do-credit-card-fees-come-from-cc/"&gt;Where do credit card fees come from?&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/1jMicoE4ktU" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 15 Oct 2008 19:23:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/mastercard-interchange-changes-for-utility-real-estate-and-insurance-merchants/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/1jMicoE4ktU/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/mastercard-interchange-changes-for-utility-real-estate-and-insurance-merchants/</feedburner:origLink></item>
        
    
        
        <item>
          <title>California Data Breach Law Vetoed - Again</title>
          <description>&lt;p&gt;&lt;span style="font-size: 10pt;"&gt;&lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9116078"&gt;Computer World&lt;/a&gt; reports the following today:&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin-left: 24pt;"&gt;&lt;span style="font-size: 10pt;"&gt;For the second time in 12 months, California Gov. Arnold Schwarzenegger has vetoed &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;taxonomyName=Security&amp;amp;articleId=9114062&amp;amp;taxonomyId=17&amp;amp;pageNumber=1"&gt;proposed legislation&lt;/a&gt; that would have required retailers and other businesses operating in the state to take specific steps to &lt;a href="http://www.braintreepaymentsolutions.com/pci-dss-compliance/"&gt;prevent credit and debit card data from being compromised&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin-left: 24pt;"&gt;&lt;span style="font-size: 10pt;"&gt;The latest version of the bill &amp;mdash; known as the Consumer Data Protection Act, or AB 1656 &lt;a target="new" href="http://www.leginfo.ca.gov/pub/07-08/bill/asm/ab_1651-1700/ab_1656_bill_20080806_amended_sen_v92.pdf"&gt;(download PDF)&lt;/a&gt; &amp;mdash; would also have required retailers that accept payment card transactions to disclose more details about any data breaches to the individuals affected by them. The bill was approved by the California State Assembly on a 74-1 vote last month, a week after the state Senate passed it by a 34-3 margin.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin-left: 24pt;"&gt;&lt;span style="font-size: 10pt;"&gt;But in a veto message that he sent to state legislators on Tuesday &lt;a target="new" href="http://gov.ca.gov/pdf/press/AB1656_Jones_Veto_Message.pdf"&gt;(download PDF)&lt;/a&gt;, Schwarzenegger said he was refusing to sign the bill for the same reasons he &lt;a href="http://www.computerworld.com/action/article.do?command=viewArticleBasic&amp;amp;articleId=9042630"&gt;turned down&lt;/a&gt; the original version of the measure last October. &amp;quot;As I stated in last year's veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers,&amp;quot; Schwarzenegger wrote.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin-left: 24pt;"&gt;&lt;span style="font-size: 10pt;"&gt;The governor said that requiring companies to notify consumers about breaches, even when there is no evidence of any personal data actually being stolen, would result in &amp;quot;significant costs&amp;quot; for businesses and the state government. In addition, he said, the controls mandated in AB 1656 would lock companies into current &lt;a href="http://www.braintreepaymentsolutions.com/pci-dss-compliance/"&gt;credit card data security&lt;/a&gt; best practices, creating a disincentive for them to adopt new and more comprehensive industry standards and ensuring that the law would remain &amp;quot;static in the face of future, unseen concerns.&amp;quot;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 10pt;"&gt;Seems like practical, good decision making to me. Nice work Schwarzenegger.&lt;/span&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/uqUsKZ7SlyM" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 03 Oct 2008 22:12:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/california-data-breach-law-vetoed---again/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/uqUsKZ7SlyM/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/california-data-breach-law-vetoed---again/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Annual Credit Card Billing Subscriptions </title>
          <description>&lt;p style="margin: 0px 0px 12px; font-family: Arial; font-style: normal; font-variant: normal; font-weight: normal; font-size: 12px; line-height: normal; font-size-adjust: none; font-stretch: normal;"&gt;&lt;span style="letter-spacing: 0px;"&gt;Coming up with the optimal pricing structure for a product or service is tough. Beyond factors such as competitor pricing and target market price point analysis, merchants need to consider the limitations that accompany collecting money via a credit card.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin: 0px 0px 12px; font-family: Arial; font-style: normal; font-variant: normal; font-weight: normal; font-size: 12px; line-height: normal; font-size-adjust: none; font-stretch: normal;"&gt;&lt;span style="letter-spacing: 0px;"&gt;The reason behind the limitation: financial risk. &amp;nbsp;&lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;Merchant account&lt;/a&gt; providers are on the hook for the money their customers process. For example, if a company accepts 1,000 annual subscriptions at $129 and then declares bankruptcy two months later, the merchant account provider is responsible for paying back the full $129,000 to cardholders when they file chargebacks.&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin: 0px 0px 12px; font-family: Arial; font-style: normal; font-variant: normal; font-weight: normal; font-size: 12px; line-height: normal; font-size-adjust: none; font-stretch: normal;"&gt;&lt;span style="letter-spacing: 0px;"&gt;Some merchant account providers will hold a hard line against anything longer than 30-day &lt;a href="http://www.braintreepaymentsolutions.com/recurring-billing/"&gt;recurring billing&lt;/a&gt; cycles, while others with a bigger appetite for risk may allow quarterly, semi-annual or annual billing from the start. This becomes less of an issue if a company has a demonstrated track record and financial strength. &amp;nbsp;&lt;/span&gt;&lt;/p&gt;
&lt;p style="margin: 0px 0px 12px; font-family: Arial; font-style: normal; font-variant: normal; font-weight: normal; font-size: 12px; line-height: normal; font-size-adjust: none; font-stretch: normal;"&gt;&lt;span style="letter-spacing: 0px;"&gt;Whatever billing strategy a company pursues, it's a good idea to make sure that all billing intentions and practices are fully disclosed upfront to avoid future problems. &amp;nbsp;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="color: rgb(0, 0, 0);"&gt;Related: &lt;br /&gt;
Jason Fried of 37signals has a&lt;/span&gt;&lt;span style=""&gt; &lt;a href="http://www.37signals.com/svn/posts/753-ask-37signals-how-do-you-process-credit-cards"&gt;&lt;span style="text-decoration: underline; letter-spacing: 0px;"&gt;good post about their experience with this&lt;/span&gt;&lt;/a&gt;.&lt;/span&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/7Orm50T5ays" height="1" width="1"/&gt;</description>
          <pubDate>Thu, 02 Oct 2008 20:25:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/annual-credit-card-billing-subscriptions/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/7Orm50T5ays/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/annual-credit-card-billing-subscriptions/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Visa working on payment applications for Android </title>
          <description>&lt;p&gt;&lt;span style="font-size: 10pt; font-family: Arial;"&gt;&lt;!--[if !supportEmptyParas]--&gt;&lt;img height="179" width="100" align="right" alt="" src="http://www.braintreepaymentsolutions.com/assets/166/android_phone.png?1225208457" /&gt;Last month Visa announced that they are moving to alert customers of suspected &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/risk-and-fraud-management/"&gt;credit card fraud&lt;/a&gt; via mobile phone. This week they announced more ambitious plans to build &lt;a href="http://www.braintreepaymentsolutions.com/"&gt;online payment&lt;/a&gt; applications with Nokia for Google&amp;rsquo;s Android. &lt;!--[endif]--&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 10pt; font-family: Arial;"&gt;The goal is to allow users to make remote and contactless payments as well as transfer money. Remote payments should be a marked user convenience, and transferring money is a big move for Visa into a space they've not been in before. The biggest barrier to contactless payments will be the point-of-sale upgrades required to support Near-Field Communications (NFC), where users just wave their phone a few inches from the device.&lt;span style=""&gt; &lt;br /&gt;
&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/w6KDsXcjBWw" height="1" width="1"/&gt;</description>
          <pubDate>Tue, 30 Sep 2008 19:48:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/visa-working-on-payment-applications-for-android/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/w6KDsXcjBWw/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/visa-working-on-payment-applications-for-android/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Visa Transaction Alerts via email and mobile phone</title>
          <description>&lt;p&gt;&lt;img align="right" src="http://www.braintreepaymentsolutions.com/assets/167/Visa_logo.gif?1225209172" alt="" /&gt;Digital Transactions reports today that in 2009, in an effort to reduce &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/risk-and-fraud-management/"&gt;credit card fraud&lt;/a&gt;, Visa will provide cardholders the ability to be instantly notified via email or text message of any usage of their debit, credit or ATM card.  The service is in beta with a number of U.S. and Canadian banks.&lt;/p&gt;
&lt;p&gt;The system will allow users to set transaction amount notification thresholds. If a transaction is suspicious, users can immediately call an 800 number to report it.  Today it takes 98 days on average to detect identity theft and 72 days to detect bank card fraud (&lt;a href="http://www.javelinstrategy.com/"&gt;Javelin Research&lt;/a&gt;).&lt;/p&gt;
&lt;p&gt;This type of notification service has the potential to dramatically reduce that.  So in short, Visa is shifting fraud screening and prevention costs to cardholders. Nice work Visa.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/nitaN2vrdWo" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 22 Aug 2008 14:12:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/visa-transaction-alerts-via-email-and-mobile-phone/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/nitaN2vrdWo/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/visa-transaction-alerts-via-email-and-mobile-phone/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Gen Y Preferred Online Payment Method</title>
          <description>&lt;p&gt;&lt;img align="right" src="http://www.braintreepaymentsolutions.com/assets/169/paypal_logo.jpg?1225209533" alt="" /&gt;Interesting because I thought PayPal would have much higher preferred status among this demographic.&lt;/p&gt;
&lt;blockquote&gt;Credit Card:      65%&lt;br /&gt;
Debit Card:       22%&lt;br /&gt;
Checking:          8%&lt;br /&gt;
&lt;strong&gt;PayPal:               3%&lt;br /&gt;
&lt;/strong&gt;  Other:                2%&lt;/blockquote&gt;
&lt;p&gt;Generation Y includes those born in 80's to 90's (18 - 28 year olds). Thank you &lt;a href="http://www.firstannapolis.com"&gt;First Annapolis&lt;/a&gt; for the data and &lt;a href="http://www.electran.org" target="_blank"&gt;Transaction Trends&lt;/a&gt; for publishing.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/GUbWYNn01oc" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 13 Aug 2008 13:23:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/gen-y-preferred-online-payment-method/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/GUbWYNn01oc/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/gen-y-preferred-online-payment-method/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Largest indictment of credit card hackers to date</title>
          <description>&lt;p&gt;&lt;img height="223" align="right" width="150" src="http://www.braintreepaymentsolutions.com/assets/168/Credit_card_security.jpg?1225209445" alt="" /&gt;The Justice Department unveiled possibly their largest indictment of credit card data hackers yesterday. Nine people from the U.S. Estonia, Ukraine, China and Belarus are being charged for allegedly stealing over 40 million credit card records from nine retailers.&lt;/p&gt;
&lt;p&gt;They successfully stole credit card data by using &lt;a target="_blank" href="http://en.wikipedia.org/wiki/Packet_sniffer"&gt;'sniffing' &lt;/a&gt;programs on both wireless networks and on cash registers.  Once the data was captured, the criminals would load it onto the magnetic stripe of blank credit cards and then withdraw cash from ATMs.&lt;/p&gt;
&lt;p&gt;The financial institutions that issued the stolen cards take large financial losses because cardholders are not responsible for fraud - the issuers are.   For example, the Justice Department reports that at one Dave &amp;amp; Busters restaurant location the sniffing program captured roughly 5,000 cards, which resulted in over $600,000 of losses to the financial institutions that issued those cards.&lt;/p&gt;
&lt;p&gt;The affected retailers include Sports Authority, Office Max, BJ's Wholesale Club, Marshall's, T.J. Maxx and a few others.&lt;/p&gt;
&lt;p&gt;Other related posts: &lt;br /&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach/"&gt;The cost of a credit card breach&lt;/a&gt;  &lt;br /&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-basics-for-credit-card-secuirty/"&gt;PCI Compliance basics&lt;/a&gt;  &lt;br /&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/what-does-it-cost-to-become-pci-compliant/"&gt;The cost to become PCI Compliant&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/EGMWnPIdUsg" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 06 Aug 2008 09:39:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/largest-indictment-of-credit-card-hackers-to-date/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/EGMWnPIdUsg/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/largest-indictment-of-credit-card-hackers-to-date/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Tax, Fuel, Debt, Recurring and GSA V/MC Interchange Updates </title>
          <description>&lt;p&gt;&lt;img height="119" width="93" class="alignright size-medium wp-image-218" title="visa-mastercard" src="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2008/07/visa-mastercard.jpg" alt="" /&gt;Visa &amp;amp; MasterCard have announced some pretty significant changes.   Visa is out with two new categories: Debt Repayment and Government to Government. Tax Payment is officially coming out of pilot and interchange reductions at the pump. MasterCard introduces a recurring billing 'preauthorized request' - a great idea.    All these will be effective  October 3rd, 2008:&lt;/p&gt;
&lt;p&gt;&lt;span style="text-decoration: underline;"&gt;&lt;strong&gt;Visa Updates  &lt;br /&gt;
&lt;/strong&gt;&lt;/span&gt;Debt Repayment Programs for U.S. consumer auto loan, credit card, residential mortgage and student loan for &lt;span style="text-decoration: underline;"&gt;debit card only&lt;/span&gt;&lt;strong&gt;. &lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Availability for Financial Institutions Merchandise &amp;amp; Services, Non Financial Foreign Currency Money Orders (no wire transfers) and Travelers Cheques.&lt;/li&gt;
    &lt;li&gt;Cannot be used for bad debt, uncollectible debt, charge-off debt and debt sold to collection agencies.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Fuel &lt;/strong&gt;- Trying to reduce the pain at the pump (and appease angry gas station owners):&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Consumer Debit Cards: a maximum interchange amount is now in place, replacing what was formerly a discount rate and transaction fee that varied with amount.&lt;/li&gt;
    &lt;li&gt;Consumer Credit Cards: lowered by as much as .50 bps on certain cards and consolidated into a single rate for 6 different card types- Automated Fuel Dispenser (AFD) Partial Authorization&lt;/li&gt;
    &lt;li&gt;Partial Authorization: POS Vendors will be required to support this functionality by 10/3/08.  As some context, when a consumer swipes a card at an AFD today, an authorization is done for $50 to check validity and availability of funds before the pump is approved.  That's referred to as a 'Partial Authorization', so if the consumer only pumps $40 of fuel against the initial $50 authorization, the merchant can capture for the $40.  A problem with that method is that if a check (Signature Debit) or pre-paid card is used and the card does not have the available funds it will be denied.  With the Partial Authorization implemented, the issuer would respond with the available amount instead of denying the transaction.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Tax Payments&lt;/strong&gt; - Visa has had this program in pilot mode for several years now:&amp;nbsp;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Merchants are required to register for this - no sign up fees before April 1, 2009.&lt;/li&gt;
    &lt;li&gt;Existing interchange rates will apply * Interchange rate of $2.50 will apply to consumer debit transactions that are qualified&lt;/li&gt;
    &lt;li&gt;Service or convenience fee may be assessed. Fee can be variable for consumer credit and commercial cards but a flat fee must be charged for consumer debit transactions and may not exceed $3.95 (could they make it any more difficult?)&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Commercial Card GSA - &lt;/strong&gt;Introduction of Government-to-Government interchange program (G2G). Level II &amp;amp; III data is not required.&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;$5,000 minimum has been removed * Special interchange rate for transactions over $8,750 is removed with interchange rate increasing .25 bps and $4.&lt;/li&gt;
    &lt;li&gt;GSA Purchase cards will not be available for Commercial Card Level III rates.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;&lt;span style="text-decoration: underline;"&gt;MasterCard&lt;/span&gt;  &lt;br /&gt;
Test transaction for &lt;a href="http://www.braintreepaymentsolutions.com/recurring-billing/"&gt;Recurring Billing&lt;/a&gt; &lt;/strong&gt;&lt;strong&gt;&lt;br /&gt;
&lt;/strong&gt;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;$1 authorization to check account status before requesting authorization for the full amount.  (nice work, whoever came up with this idea!)&lt;/li&gt;
    &lt;li&gt;What's going on MasterCard?&amp;nbsp; Only 1 Update?&lt;/li&gt;
&lt;/ul&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/JhTjj-2LVdA" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 23 Jul 2008 13:37:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/tax-fuel-debt-recurring-and-gsa-vmc-interchange-updates/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/JhTjj-2LVdA/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/tax-fuel-debt-recurring-and-gsa-vmc-interchange-updates/</feedburner:origLink></item>
        
    
        
        <item>
          <title>Merchant Account Basics</title>
          <description>&lt;p&gt;There is a lot of confusion surrounding &lt;a href="http://www.braintreepaymentsolutions.com/"&gt;credit card processing&lt;/a&gt; and &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/merchant-account/"&gt;merchant accounts&lt;/a&gt;.  Some of the most common areas of confusion are the different types of organizations that sell the services, what entities actually process the transactions and the &lt;a href="http://www.braintreepaymentsolutions.com/blog/where-do-credit-card-fees-come-from-cc/"&gt;fees and pricing&lt;/a&gt; structures that continue to form an unsolvable mystery for most merchants. I'm going to provide a broad overview that will hopefully help make sense of this complicated industry.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The necessity of merchant accounts &lt;br /&gt;
&lt;/strong&gt; Some merchants prefer accepting credit cards because they are a much more convenient and cost effective way of collecting payments from customers. Other merchants, while it still may be convenient, struggle to pay the relatively high fees on their already thin margins. Either way, merchants can make a number of improvements in their credit card processing by becoming more informed.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Providers of merchant accounts&lt;/strong&gt; &lt;br /&gt;
If you want to get a new merchant account or switch from your existing provider, one thing is for sure: there is no shortage of companies that are anxious to earn your business. You can find merchant service providers by looking in the yellow pages, searching online, talking to your bank, or just waiting for the next sales person to either call you or walk into your business (which shouldn't be long). The key is choosing the RIGHT provider for your business.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Not all service providers are made equal&lt;/strong&gt; &lt;br /&gt;
There are really two types of merchant service providers: processors and resellers (resellers are known in the industry as Independent Sales Organizations (ISO's) and/or Merchant Service Providers (MSP's)). Your first thought is probably that you would rather go with a processor to cut out the middle man, but I'll show you why it's not that clean cut. Before I started Braintree, I worked for a processor and saw first hand some of the limitations they had in providing solutions to merchants. I'll provide more detailed descriptions of both options and then offer an assessment of their differences.  &lt;br /&gt;
&lt;br /&gt;
1) &lt;strong&gt;Processors&lt;/strong&gt; - Also known as Acquirers, processors are distinguished by their ability to actually process a transaction. To be a processor, a company must have the technical capability to receive transaction data from a merchant via a telephone line or the internet and then communicate with the appropriate financial institutions to approve or decline transactions. Processors must also be able to settle completed transactions through financial institutions in order to deposit funds into the merchant's bank account.  &lt;br /&gt;
&lt;br /&gt;
The processing industry is highly concentrated with the top five processors maintaining over 70% of all transaction volume. Processors can be banks or non-banks.  While processors do maintain a direct sales force of their own, they primarily work through ISOs to acquire and maintain their merchant base. A processor's business model is really one of economies of scale. They're volume shops. They essentially outsource the sales function to ISOs.  I don't have data on this but I would guess that over 80% of the 7 million U.S. merchants work with an ISO.  &lt;br /&gt;
&lt;br /&gt;
Below is a simple diagram of the transaction flow. I took the liberty of putting my company in the value chain, but because Braintree is an ISO, there is a processor behind the scenes doing the actual transaction processing. Because most everything is private labeled, it's difficult for most merchants to discern whether their service provider is a processor or an ISO. Be careful not to be improperly influenced by this.  Most sales people try to use the 'we are the processor' line to gain additional credibility when in reality it doesn't really matter.&amp;nbsp;&lt;/p&gt;
&lt;!-- &lt;p style="text-align: center;"&gt;&lt;img alt="" src="http://www.braintreepaymentsolutions.com/assets/152/Transaction-Process.png" /&gt;&lt;/p&gt; possibly redundant--&gt;
&lt;p style="text-align: center;"&gt;&lt;img width="470" height="166" align="middle" src="http://braintreepaymentsolutions.com/assets/152/Transaction-Process.png" alt="" /&gt;&lt;/p&gt;
&lt;p style="text-align: left;"&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;2) ISOs -&lt;/strong&gt; ISOs resell the products or services of one or multiple processors. They can also develop their own or aggregate other value added products and services. ISO's range from a little sketchy to best in class providers.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
There are two types of ISOs:  &lt;/strong&gt;&lt;br /&gt;
a. &lt;strong&gt;Banks&lt;/strong&gt; - Banks of all shapes and sizes are ISOs. Wells Fargo, for example, is an ISO of First Data. Your local community and large regional banks are most likely ISOs. Banks entered into the merchant services business because it was a natural fit with their product and service offerings. It's a way to increase revenue per customer. Most, but not all banks, will private label the services so that it's difficult to distinguish whether they are a processor or ISO. The benefit of working with a bank is that you can consolidate your financial services.  The drawback is that you usually get out of the box solutions and service. &lt;br /&gt;
&lt;br /&gt;
&lt;span style="font-size: 12pt;"&gt; &lt;span&gt; &lt;/span&gt;&lt;span&gt; &lt;/span&gt;&lt;/span&gt;  b. &lt;strong&gt;Non-banks&lt;/strong&gt; - These types of ISOs range from some of the most dynamic and capable providers to firms who don't represent the industry very well.  &lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Industry Dynamics &lt;/strong&gt;There are a few dynamics that make the industry landscape quite interesting.&lt;span style="font-size: 12pt;"&gt; &lt;/span&gt;First, there are few barriers to entry due to the lack of certifications, licenses, and capital requirements. Secondly, there really is no active regulatory body that oversees and enforces acceptable practices. So naturally, with these two market conditions, merchants need to be mindful and thorough in selecting a provider.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
Processors versus ISOs&lt;/strong&gt;&lt;strong&gt;&lt;span style="font-size: 12pt;"&gt; &lt;/span&gt;&lt;/strong&gt; In comparing the two, ISOs offer all of the products and services that processors do (because they are reselling) but processors can't always offer the same products and services as ISOs.  This is because ISOs can resell for multiple processors and can either develop their own technologies or aggregate solutions from other providers.  ISOs have largely been the most successful creators of value-added services while attempts by processors have usually been pretty clunky.  ISO's also tend to be smaller, which usually (but not always) leads to better customer service.  &lt;br /&gt;
&lt;br /&gt;
Processors are usually a safer bet for newer merchants that are still learning about the industry. Most still maintain what I consider less-than-upfront pricing practices, but with their services it is less common to hear about some of the more serious problems that merchants encounter when they deal with the wrong ISO.  As for price, in most cases, there really is very little to no difference.  I argue, and fully disclose my vested interest, that in nearly any situation a best in class, non-bank ISO can provide more value than a processor.  For some other considerations about what to bear in mind when evaluating different providers, you can read &lt;span style="text-decoration: underline;"&gt;&lt;a href="http://braintreepaymentsolutions.com/blog/merchant-services/how-to-choose-a-merchant-service-provider/"&gt;How to choose a merchant service provider&lt;/a&gt;&lt;/span&gt;.  &lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Business specific merchant accounts &lt;/strong&gt; The rates, terms, and conditions of your merchant account will largely depend on your type of business and the provider you choose. Business types are first divided into two buckets: card present (swiped) and card-not-present (non-swiped). Card present merchants, such as restaurants and brick and mortar retailers are low risk and have fairly simple needs. Card-not-present merchants are much more difficult because the risk level is substantially higher when people are transacting business via the internet, telephone, etc.  Other risk factors that will affect your merchant account are the types of goods that you're selling, delivery times, whether or not a deposit is required, and about 20 other variables. Most underwriting groups use some sort of &lt;span style="text-decoration: underline;"&gt;&lt;a href="http://www.investopedia.com/terms/a/actuarialrisk.asp"&gt;actuarial model&lt;/a&gt;&lt;/span&gt; to determine their guidelines.  &lt;br /&gt;
&lt;br /&gt;
To give you an idea of one risk merchant service providers face, here is an example. Let's say that you sell $100,000 in books online. Within 48 hours of selling those items, the customer's money is deposited into your bank account. If you take that $100k and skip town without shipping the books to the people who bought them, the merchant service provider is stuck with the $100k bill because customers are going to contest and win the charge with their banks. So for a few hundred dollars a month in revenue, the risk better be pretty manageable for the provider.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
Paperwork and underwriting &lt;/strong&gt; Most companies have a two page application that will require you to fill out both personal and business information. Many people are justifiably concerned about giving out personal information including their social security number. However, unless you are a publicly traded company or a non-profit, I don't know of a merchant provider that will underwrite a business without it.  When asked why all of the personal information is needed, most companies will point to the Patriot Act that was passed in Congress shortly after 9/11. It basically requires all financial institutions, which include credit card processors, to collect specific identifying information about their customers. &lt;a href="http://www.gcglaw.com/resources/financial/identification.html"&gt;Click here&lt;/a&gt; for more information on this.  You will also be required to sign a personal guarantee before the application is approved. &lt;br /&gt;
&lt;br /&gt;
Most business owners will respond that they incorporated so that they wouldn't be required to sign a personal guarantee. The underwriter will respond by asking why they should have more faith in your business than you do. Both sides have valid points. I think that the issue boils down to whether or not the business will deliver the goods or services that were purchased under the accepted terms and conditions. The personal guarantee is not so much useful in collecting money, but instead used as a deterrent against fraudulent and irresponsible behavior.  &lt;strong&gt;&lt;br /&gt;
&lt;br /&gt;
Be Careful&lt;/strong&gt; As you can see in this very high level introduction to the industry, there are a lot of complexities and much to learn. You can also read my post on &lt;a href="http://braintreepaymentsolutions.com/blog/featured/some-advice-to-help-you-avoid-common-mistakes/" target="_blank"&gt;Some advice to help you avoid common mistakes. &lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/wXNa-6JXkBE" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 11 Jul 2008 07:00:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/merchant-account-basics/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/wXNa-6JXkBE/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/merchant-account-basics/</feedburner:origLink></item>
        
    
        
        <item>
          <title>PCI DSS Requirement 6.6 - Code Review or Web Application Firewall (WAF)</title>
          <description>&lt;p&gt;The deadline to comply with &lt;a href="http://www.braintreepaymentsolutions.com/pci-dss-compliance/"&gt;PCI DSS&lt;/a&gt; Requirement 6.6 was June 30th, 2008.   Merchants have been given two options:&lt;/p&gt;
&lt;blockquote&gt;1. Have all custom application code reviewed for common vulnerabilities by an organization that specializes in application security.&lt;br /&gt;
2. Install an application-layer firewall in front of web-facing applications.&lt;/blockquote&gt;
&lt;p&gt;The driver behind this new requirement is that a large percentage of &lt;a title="credit card breaches" href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach/" target="_blank"&gt;credit card breaches&lt;/a&gt; are due to SQL Injection, Cross Site Scripting (XSS) and Buffer Overflow attacks.  The intent of this requirement is to eliminate those vulnerabilities, which would contribute to a significant reduction in breaches.  Here is the Information Supplement supplied by the PCI Security Standards Council.&lt;/p&gt;
&lt;div&gt;&lt;object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" width="200" height="200" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=6,0,40,0"&gt;&lt;param name="allowScriptAccess" value="always" /&gt;&lt;param name="src" value="http://static.issuu.com/webembed/viewers/style1/v1/IssuuViewer.swf?mode=preview&amp;amp;previewLayout=white&amp;amp;username=braintree&amp;amp;docName=pa-dss_press_release&amp;amp;documentId=080416160711-defc456175344ef490d68b97880184be&amp;amp;autoFlip=true&amp;amp;backgroundColor=ffffff&amp;amp;layout=white" /&gt;&lt;embed type="application/x-shockwave-flash" width="200" height="200" src="http://static.issuu.com/webembed/viewers/style1/v1/IssuuViewer.swf?mode=preview&amp;amp;previewLayout=white&amp;amp;username=braintree&amp;amp;docName=pa-dss_press_release&amp;amp;documentId=080416160711-defc456175344ef490d68b97880184be&amp;amp;autoFlip=true&amp;amp;backgroundColor=ffffff&amp;amp;layout=white" allowscriptaccess="always"&gt;&lt;/embed&gt;&lt;/object&gt;&lt;/div&gt;
&lt;div&gt;Other related posts:&lt;/div&gt;
&lt;div&gt;&lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach/"&gt;The cost of a credit card breach&lt;/a&gt;&lt;/div&gt;
&lt;div&gt;&lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-basics-for-credit-card-secuirty/"&gt;PCI Compliance basics&lt;/a&gt;&lt;/div&gt;
&lt;div&gt;&lt;a href="http://www.braintreepaymentsolutions.com/blog/what-does-it-cost-to-become-pci-compliant/"&gt;The cost to become PCI Compliant&lt;/a&gt;&lt;/div&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/bZ32qVXBLa4" height="1" width="1"/&gt;</description>
          <pubDate>Thu, 10 Jul 2008 14:09:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/pci-dss-requirement-66-code-review-or-web-application-firewall-wap/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/bZ32qVXBLa4/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/pci-dss-requirement-66-code-review-or-web-application-firewall-wap/</feedburner:origLink></item>
        
    
        
        <item>
          <title>What does it cost to become PCI Compliant?</title>
          <description>&lt;p&gt;The cost of becoming &lt;a href="http://www.braintreepaymentsolutions.com/pci-dss-compliance/"&gt;PCI DSS Compliant&lt;/a&gt; depends on a number of factors including your business type, number of transactions processed annually, existing IT infrastructure, and current credit/debit card processing and storage practices.&amp;nbsp;Gartner estimates that during 2007, the nation's largest merchants, classified as Level 1  (processing in excess of 6 million transactions of a single card type per year), will spend $125,000 assessing the scope of required PCI-related work and another  $568,000 to meet the requirements. &lt;br /&gt;
&lt;br /&gt;
As an example, Robin Sidel and Pui-Wing Tam of the WSJ &lt;a href="http://online.wsj.com/article/SB119128527341745878.html"&gt;recently reported&lt;/a&gt; that &lt;a href="http://www.guitarcenter.com/"&gt;Guitar Center&lt;/a&gt;, a national retailer of 210 stores, recently spent nearly $500,000 to become compliant.  Gartner also concluded that Level 2 merchants, those processing between 1 and 6 million annual transactions, will spend $105,000 to determine scope and another $267,000 for compliance. Level 3 merchants, processing between 20,000 and 1,000,000 e-commerce transactions, are expected to spend $44,000 assessing and $81,000 for compliance.  The costs associated with Level 4 merchants, those doing less than 20,000 ecommerce transactions or up to 1,000,000 non-ecommerce transactions, vary widely.  &lt;br /&gt;
&lt;br /&gt;
Only Level 1 merchants are required to have an on-site audit. Levels 2, 3 and 4 need to fill out the &lt;a href="http://www.braintreepaymentsolutions.com/blog/updated-pci-dss-self-assessment-questionnaire-saq-version-11/"&gt;Self Assessment Questionnaire&lt;/a&gt; and sign up for a &lt;a href="http://www.braintreepaymentsolutions.com/blog/vulnerability-and-security-assessment-scans-for-pci-dss-compliance/"&gt;quarterly scan&lt;/a&gt; to check vulnerabilities on all outward-facing IP addresses.   A rough estimate for the scans is $150 to $2,500 per IP address per year.  &lt;br /&gt;
&lt;br /&gt;
Other costs may include software and hardware upgrades if information is stored in house.  Gartner estimates that a company with 100,000 credit cards on file will pay $6 in encryption costs per card.  Alternatively, merchants can use technologies such as tokenization where the data storage is remote, which typically have per transaction fees instead of upfront costs.  All of these estimates exclude the cost of labor and the opportunity cost of pursuing other profit-making endeavors.  &lt;br /&gt;
&lt;br /&gt;
Smaller restaurants and retailers that only have a single terminal or POS system are still required to become compliant. Both need to fill out the Self Assessment Questionnaire, but the compliance process is usually much less involved. Merchants that are using POS systems to process credit cards need to make sure they are not improperly storing prohibited card data and need to verify that their vendor is PABP compliant (soon to become PA-DSS).   To verify that your POS system is not storing prohibited information and is compliant, see this updated list, which was published in &lt;a href="http://www.braintreepaymentsolutions.com/blog/visa-mandates-that-merchants-eliminate-the-use-of-vulnerable-payment-applications/"&gt;November 2007&lt;/a&gt;.  Some merchants such as &lt;a href="http://online.wsj.com/article/SB119042666704635941.html?mod=sphere_ts"&gt;Brad Friedlander&lt;/a&gt;, a restaurant owner in Cleveland with two stores, paid $50,000 on technology upgrades to become compliant. Any merchant that accepts, stores, or processes credit card information is required to already be compliant. &lt;br /&gt;
&lt;br /&gt;
The Card Associations have determined specific dates about when merchants need to validate compliance. Level 1 merchants were required to validate compliance by &lt;a href="http://www.braintreepaymentsolutions.com/blog/sept-30-deadline-passes-for-pci-compliance/"&gt;9/30/07&lt;/a&gt;. Level 2 are expected to validate compliance by &lt;a href="http://www.braintreepaymentsolutions.com/blog/dec-31-2007-is-the-next-big-pci-compliance-deadline/"&gt;12/31/07&lt;/a&gt;.  Level 3 and 4 validation deadlines will come, but at this point they have been left up to the merchant's specific acquirer to be determined.  Not only is becoming compliant not optional, but Card Associations have threatened larger merchants with the imposition of monthly fines until compliance is obtained.   They've also threatened to increase the cost of interchange, which would increase these merchants' processing costs.  But perhaps most importantly, the Card Associations will levy fines and penalties if a merchant is not PCI Compliant at the time of breach. The fines can be devastating to merchants. I've written about two breaches, both of which had significant consequences. One merchant is &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach/"&gt;large&lt;/a&gt;, the other is &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-related-fines-for-breaches-at-small-businesses/"&gt;small&lt;/a&gt;.  &lt;br /&gt;
&lt;br /&gt;
In addition, merchants face remediation and discovery costs that can be just as costly, if not more so, than the fines. For a cumulative number, Gartner estimates that the cost of a data security breach can range from &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-basics-for-credit-card-secuirty/"&gt;$90 to $305 per customer record&lt;/a&gt;.  Some merchants are frustrated about the PCI requirements, while others see them as basic security requirements that should already be in place. A common misconception is that compliance equals security, but a number of recent breaches have proven that not to be the case.&lt;/p&gt;
&lt;p&gt;Other related posts: &lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-basics-for-credit-card-secuirty/"&gt;PCI DSS Compliance&lt;/a&gt; basics for credit card security &lt;br /&gt;
&lt;a href="http://www.braintreepaymentsolutions.com/blog/pci-compliance-and-the-cost-of-a-credit-card-breach/"&gt;PCI DSS Compliance&lt;/a&gt; and the cost of a credit card breach  &lt;br /&gt;
Braintree solutions: The Smart Approach to &lt;a href="http://www.braintreepaymentsolutions.com/pci-compliance.php"&gt;PCI DSS Compliance&lt;/a&gt;&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/6WxhFxKDjWE" height="1" width="1"/&gt;</description>
          <pubDate>Wed, 25 Jun 2008 16:18:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/what-does-it-cost-to-become-pci-compliant/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/6WxhFxKDjWE/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/what-does-it-cost-to-become-pci-compliant/</feedburner:origLink></item>
        
    
        
        <item>
          <title>ACH and e-check validation and processing </title>
          <description>&lt;p&gt;&lt;a href="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2008/05/e-check-processing-and-validation.jpg"&gt;&lt;img width="300" height="202" alt="" src="http://www.braintreepaymentsolutions.com/blog/wp-content/uploads/2008/05/e-check-processing-and-validation-300x202.jpg" title="e-check-processing-and-validation" class="alignright size-medium wp-image-215" /&gt;&lt;/a&gt;  &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/echeck-and-ach/"&gt;E-checks and ACH debits&lt;/a&gt; are not direct alternative payment types to credit cards. This is primarily due to their respective validation and authorization capabilities.  &lt;br /&gt;
&lt;br /&gt;
With a credit card, a merchant can submit a request to the issuing financial institution and the approval or decline is returned in under 3 seconds. That 'authorization amount' is then guaranteed to the merchant for up to 30 days (depending on the institution and card type).  With an e-check or ACH debit, there is 'no real time validation' capability. &lt;br /&gt;
&lt;br /&gt;
The closest thing to it is  'networks' owned by bank and company conglomerates that serve up a 'scoring' system based on shared data.  They use this information to make their best prediction regarding whether an account is open or closed. If there is insufficient information to provide a score, that response is provided as well. &lt;br /&gt;
&lt;br /&gt;
These networks typically cover a high percentage of financial institutions (~95%).  The most important thing to note however is that no &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/echeck-and-ach/"&gt;e-check or ACH&lt;/a&gt; validation service verifies sufficient or insufficient funds. Even if it could, an authorization request can't 'hold' or 'guarantee' the funds like a credit card transaction.  These limitations are why &lt;a href="http://www.braintreepaymentsolutions.com/payment-processing/echeck-and-ach/"&gt;e-check and ACH payment methods&lt;/a&gt; have not been as widely adopted as credit cards. &lt;br /&gt;
&lt;br /&gt;
They are great payment types for 'trusted' payments such as &lt;a href="http://www.braintreepaymentsolutions.com/recurring-billing/"&gt;recurring billing&lt;/a&gt; for gym membership and utilities, etc. but inadequate for ecommerce or other 'arms length' transactions.  Realizing these shortcomings, the industry has been trying to get their foot in the door by coming up with a better solution. One such approach allows consumers to choose to pay via their online banking. When that option is selected, the merchant redirects the consumer to their own financial institution's website where they log in and complete the payment. &lt;br /&gt;
&lt;br /&gt;
Thumbs up for the innovation, but as a consumer, I love my credit card and the convenience and protection it provides.  It's certainly a hot topic right now and will be interesting to watch how this plays out.&lt;/p&gt;&lt;div class="feedflare"&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/braintree/~4/pKEWCejP9wk" height="1" width="1"/&gt;</description>
          <pubDate>Fri, 30 May 2008 09:00:00 GMT</pubDate>
          <guid isPermaLink="false">http://www.braintreepaymentsolutions.com/blog/ach-and-e-check-validation-and-processing/</guid>
          <link>http://feedproxy.google.com/~r/braintree/~3/pKEWCejP9wk/</link>
        <feedburner:origLink>http://www.braintreepaymentsolutions.com/blog/ach-and-e-check-validation-and-processing/</feedburner:origLink></item>
        
    
    
  </channel>
</rss>
