Posts filed under 'Fraud'

You cannot require an ID for a Visa transaction???

In an article I read this morning, the author states that merchants are prohibited from asking for an ID to process a transaction. That sounded completely ridiculous, so I decided to investigate further.

I stumbled on a Visa operating regulation that I was not aware of. “You cannot require an ID in order to complete a Credit transaction.” Furthermore, you cannot decline or refuse a transaction if your customer refuses to provide an ID.

Although Visa rules do not preclude merchants from asking for cardholder ID, merchants cannot make an ID a condition of acceptance. Therefore, merchants cannot refuse to complete a purchase transaction because a cardholder refuses to provide ID. Visa believes merchants should not ask for ID as part of their regular card acceptance procedures.

The author was completely wrong as far as MasterCard goes; MasterCard takes a different approach to the situation…

For unique transactions processed in a face-to-face environment (with the exception of truck stop transactions and card-read transactions where a non-signature CVM is used), request personal identification of the cardholder in the form of an unexpired, official government document. Compare the signature on the personal identification with the signature on the card.

American Express is a little vague, but still states that the identity should be verified…

Verify that the customer is the Card-member. Cards are not transferable.

It’s actually hard for me to believe that Visa goes this far in trying to protect their cardholders’ convenience at the expense of their merchants being exposed to potential fraud. I strongly recommend checking the ID of every cardholder. No regulation prevents a merchant from asking for an ID, and I can’t imagine a customer seriously refusing under any normal circumstance. Merchants are not allowed to ask for an ID on “PIN” debit transactions where a customer enters their PIN number into a pinpad. For signature debit, where the card is processed like a credit card, treat the transaction just like credit and ask for an ID.

If anyone would like to see the various card regulations, they can be found here:
Visa
MasterCard Chargeback Guide
AMEX

Discover’s site requires registration, and I was unable to register with the Discover numbers of the 4 merchant accounts that we have. If anyone has a copy of Discover operating regulations, I would love to see them.

6 comments January 21st, 2010


PA-DSS, and you thought PCI was a mess!

PA-DSS is a security standard for payment application developers, outlining security and auditing procedures for electronic payment applications. Software that falls under the PA-DSS envelope could include anything from a POS system to online shopping cart software. PA-DSS requires that a program be audited by a 3rd party, pass a series of security tests and adhere to best practices before it can be distributed. If it is not audited or fails any part of the audit, it cannot be used as a payment application.

Phase V – July 1, 2010
Phase V mandates the use of payment applications that support PCI DSS compliance, requiring acquirers, merchants and agents to use only those payment applications that can be validated as PA-DSS compliant.

If you process credit cards online and this doesn’t scare you, it should!

Put this into perspective. There are currently millions of websites using paid and open source software for their online stores. Software like osCommerce, Zen Cart, Magento, and others have millions of users. There are only 2 online store software packages that are PA-DSS compliant. If there is not a mass movement to get software PA-DSS compliant in the next year, almost every single online store will be out of compliance and subject to fines or being shut down. This is only a small part of the problem. There are still thousands of retail businesses using older payment software, and the cost of upgrading would be in the millions, assuming it’s even possible.

As written by Evan Schuman
“Essentially, this standard could cause merchants of all sizes in all industries to have to switch payment application vendors.”

Where the real mess begins…

There are currently about 40 companies certified to perform PA-DSS validation. The cost to certify a single payment application could be $100,000 or more if the application is extremely complicated. There is an additional “mandatory” yearly fee of $1250 just to be listed as a Validated Payment Application. Based on cost and complexity, there are not many shopping cart software providers that can come close to getting PA-DSS certified in the next year. Even then, that still leaves the open source solutions, which the majority of all ecommerce sites are using.

From Rick Wilson
“What about home grown and open source shopping cart solutions? What happens to them on July 1st, 2010? I asked this question to our auditor and his answer was telling; he said that ‘essentially if an application can’t be PA-DSS certified because it’s not developed by a single entity for example, then the service provider of that entity will need to become PCI Level 1 certified in order to keep offering that and be in compliance’.”

Level 1 certification is nearly as expensive as PA-DSS certification, so don’t expect any relief if you’re using a custom or open source solution. They’ve truly left no way out this time…

In conclusion…

We’re about to experience a payment industry nightmare with the potential to halt commerce as we know it. If you thought that the $20 per month fee from your processor was bad, you’ll really hate the $50,000 bill when you go to get Level 1 certified. If Visa takes the hard-line stance that merchants not using PA-DSS certified software get shut down, it’s going to get really ugly. The current focus of the processing industry is on PCI-DSS compliance and a slew of new fees and charges related to it. But, in about a year, we’re going to see the true fallout of implementing ineffective regulations without foresight into what it actually takes to adopt them, or whether they actually do anything. The only thing we got out of the congressional hearing on PCI is that Congress thinks it’s not enough, and merchants think it’s way too much.

Houston, we’re about to have a problem!

Related reading…
PA DSS in One Easy Lesson…Sort Of
PA DSS Is Remarkably Misunderstood
PA-DSS and Ecommerce Web Hosting

24 comments May 22nd, 2009


Credit card interchange vote tomorrow

Much to the surprise of the merchant account industry, the congressional bill proposing to regulate interchange is being attached to the credit reform act and is potentially being voted on tomorrow. Although the interchange regulation bill is related to credit cards and the credit industry, it has nothing to do with the credit reform act, and attaching it is an irresponsible means of passing an already poorly supported bill. The US Government Accountability Office, the US Justice Department, the American Banking Association, and the Federal Trade Commission have all directly warned Congress against regulating interchange. To not even have a real vote on the bill is simply irresponsible governing.

Bloggers and advocacy groups like the NRF argue that this bill will level the playing field when it comes to processing costs. This may be true for huge retailers like Walmart, but it will almost certainly reduce the quality of processing services for small businesses and come with a much greater overall cost. Just name a situation where government regulation ends in better quality services at a lower cost…

The argument against interchange has been fought by large corporations and angry merchants twisting the reality of what interchange is, who it goes to, and why it’s charged. While the US has some of the highest interchange costs in the world, we also have the lowest overall processing costs, the lowest setup cost, and by far the highest quality services in the world. In some countries, you would have to pay over a thousand dollars just to get set up processing credit cards, and your monthly bill could easily be double for the exact same services, all with lower interchange. Creating a non-competitive environment like the one proposed by regulating interchange will create a situation much like the one described above.

I urge anyone in the processing industry, and anyone that stands against huge corporations like Walmart leveraging the government and small business owners to fight a cause that hurts everyone, to contact their representation.

Add comment March 31st, 2009


Visa Alerts of Floral Credit Card Fraud

Visa issued another security alert today specifically for floral merchants. Given that Valentine’s Day is a few days off, this is important for many businesses out there. None of this is groundbreaking news, but extra care should be taken by floral merchants when accepting payments over the phone, fax or online. If you aren’t already, take some extra steps to prevent fraud; CVV2 may help in this case, and it costs nothing extra to process with. Also, be very wary of extremely large orders.

Fraudsters typically look for times when businesses are most vulnerable, and when business picks up a lot, oversights are often the result.

Illegitimate customers are placing orders for flowers using stolen credit card information. The orders are typically placed via fax, e-mail, and/or hearing-impaired relay calls. The perpetrator then requests that the florists wrap the flower arrangements in various amounts of cash and bill the difference to the credit card number(s) provided. These orders have been known to reach $4,000.00. A shipping address for the order is then provided to the merchant.

In some instances, the perpetrators have been known to hire an unsuspecting accomplice to pick up the flowers in person. This accomplice is then instructed to ship the flowers via UPS or the U.S. Postal Service.

When the true cardholder receives the floral charge on their monthly statement, they will initiate a chargeback, as the order was placed without their authorization. As a result, the merchant will become liable for the fraudulent sale.

2 comments February 11th, 2009


Spotting large scale credit card fraud

Card issuers have massive computer systems that handle transaction processing. These companies also have some very advanced and large scale fraud detection systems.

Every time a credit card is reported as stolen, a huge amount of past data about that card is put into a big database. This database of pre-fraud activity is used in a large algorithm to look for similarities, which can signal the origination of stolen or lost credit card numbers. Since Visa and MasterCard have access to billions of transactions worth of information, they can screen for events that may signal that a business is losing card numbers.

If you were to greatly simplify this system and draw a map from it, it would look something like this:

[Diagram: Fraud Detection]

In this case, the similarity is a single business where all of the stolen credit cards had been used before the cards had been involved in fraudulent activity. This could potentially be the sign of an employee skimming card numbers, or a breach in a database. There are always going to be coincidences involving data on a large scale, but because of the scale, it’s very difficult to end up with false positive fraud once a margin of error is established.

Processor Fraud Detection

Let’s assume there isn’t any conclusive evidence that cards were stolen from a single business. Issuers are also looking at the processor a business is using. If there is a common processor or processing network that many businesses are using, it could be a signal of a data breach on a processor level.

[Diagram: Processor Fraud Detection]

The similarity in this case is the processor that many of the businesses were using. This is basically how the Heartland breach was discovered. Unfortunately, the only companies that can see fraud like this are ones that have access to huge amounts of past card usage. Their computer systems basically load billions of pieces of data about transactions, the businesses that accepted a customer’s card, and the processors who processed them. When enough lines meet up at a single point, there’s a chance that something happened there. It really doesn’t matter where in the process of a transaction the lines all cross, just that they do cross.

Keep in mind that these diagrams are grossly simplified, think a billion times simplified. But, it’s easy to see that if you have the right data and know what to look for, fraud can be easy to spot.
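To make the "lines crossing" idea concrete, here is an added example (my own sketch with constructed data, not anything the card networks publish). It counts how many stolen cards passed through each merchant or processor and compares that with cards that were never reported stolen; the thresholds `min_share` and `min_lift` are assumptions standing in for the margin of error.

```python
from collections import defaultdict


def common_points(transactions, stolen_cards, key, min_share=0.8, min_lift=2.0):
    """Find merchants or processors over-represented in the pre-fraud
    history of cards that were later reported stolen.

    transactions: iterable of dicts with 'card', 'merchant', 'processor'
    key:          'merchant' or 'processor' (where the lines may cross)
    min_share:    fraction of stolen cards that must have used the point
    min_lift:     how many times more common the point must be among stolen
                  cards than among cards never reported stolen
    Returns [(point, stolen_share, lift), ...] sorted by lift, highest first.
    """
    cards_at = defaultdict(set)          # point -> cards that used it
    all_cards = set()
    for t in transactions:
        cards_at[t[key]].add(t["card"])
        all_cards.add(t["card"])

    stolen = set(stolen_cards) & all_cards
    clean = all_cards - stolen
    if not stolen:
        return []

    flagged = []
    for point, cards in cards_at.items():
        stolen_share = len(cards & stolen) / len(stolen)
        # Baseline: how often cards with no reported fraud use the same point.
        clean_share = len(cards & clean) / len(clean) if clean else 0.0
        # Floor the baseline so a point unseen among clean cards cannot divide by zero.
        lift = stolen_share / max(clean_share, 1 / (len(clean) + 1))
        if stolen_share >= min_share and lift >= min_lift:
            flagged.append((point, round(stolen_share, 2), round(lift, 2)))
    return sorted(flagged, key=lambda f: -f[2])


def tx(card, merchant, processor):
    return {"card": card, "merchant": merchant, "processor": processor}


# Constructed scenario A: every stolen card was used at one cafe beforehand.
# The grocer sees every card, stolen or not, so it is only a coincidence.
STOLEN_A = {"c1", "c2", "c3", "c4"}
TX_A = (
    [tx(f"c{i}", "Grocer", "ProcB") for i in range(1, 11)]
    + [tx(f"c{i}", "Cafe", "ProcA") for i in range(1, 6)]
    + [tx("c6", "Books", "ProcA"), tx("c7", "Books", "ProcA"),
       tx("c2", "Gas", "ProcB"), tx("c8", "Gas", "ProcB")]
)

# Constructed scenario B: no single merchant stands out, but every stolen
# card went through a merchant on the same processor.
STOLEN_B = {"s1", "s2", "s3", "s4"}
TX_B = (
    [tx("s1", "Florist", "ProcX"), tx("s2", "Diner", "ProcX"),
     tx("s3", "Salon", "ProcX"), tx("s4", "Hardware", "ProcX"),
     tx("k1", "Diner", "ProcX"),
     tx("s1", "Grocer", "ProcY"), tx("s2", "Grocer", "ProcY")]
    + [tx(f"k{i}", "Grocer", "ProcY") for i in range(2, 7)]
)

if __name__ == "__main__":
    print("A, by merchant: ", common_points(TX_A, STOLEN_A, "merchant"))
    print("B, by merchant: ", common_points(TX_B, STOLEN_B, "merchant"))
    print("B, by processor:", common_points(TX_B, STOLEN_B, "processor"))
```

In scenario A the grocer is not flagged even though every stolen card shopped there, because clean cards shop there just as often; that baseline comparison is what keeps busy merchants from looking like breach points.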

11 comments February 4th, 2009


Visa issues security alert

A few days ago, Visa issued a security alert (possibly in reaction to the recent Heartland breach) outlining some specific applications and IP addresses to look out for. What is unique about this alert, and something I’ve never seen before, is that Visa gave a very specific list of malicious applications to search for on a network/computer, and a specific list of IPs to block.

This tells me that Visa has explicitly identified threats, where they are originating from, and these locations are static enough that blocking them would actually do some good (IP blocking is a terrible way to prevent/stop malicious behavior).

Download the security alert »


Table 1, Search for these programs:
Filename  Purpose  MD5/SHA-1 Hash(s) or Registry Key
appsqlio.exe  Reverse shell tool  387cda6eb91f0b3a054de20c02320338 
obsqlio.exe  SQL output redirector  f640e53718bc83cb8bb10b1eafb50edf
blobsqlio.exe  Packed version of gsecdump  959523fc10584da9bfb31a524ff472aa
sn.exe  Packet sniffer  e07b83abda5b566b3e9a30515a59ecc3
msdtsc.exe  Packet sniffer  4724103b13e6ce832fbb2c08a419eac6
svclhost.exe  Network communication tool  da4ab50185c7b246d1d2c8fa7bd7a5ed 
rexesvr.exe  Command line execution  003f6cda98a40529cc87fd1387714fd7
svcl.exe  Renamed version of sn.exe  e07b83abda5b566b3e9a30515a59ecc3 
eqslquery.exe  Script that automates the installation of rexesvr.exe  bc354dcf5221aea9fae8a3283c09504d 
rarx.exe  Compression tool  fd729427144044730c572fd5b9be7dd9
Soft.exe  Backdoor  ea75939da539a3879e5b442b11b51f24 
lsasstd.exe  Backdoor  07536e77ece9e70f5bf3d6f357c77b04
lsasstm.exe  Backdoor  e2736b8e0628a07fc3a6dcccad99245e
smn.exe  Backdoor  b0ff54c190455feda3f67b53c4a4453d
mstsk.exe  Utility to inject code on running processes  ddfd9073a5f222e223f5f2156c71629d 
Download original…

Please note that normal Windows processes may run under the same filename. Do not assume that a process is suspect unless the MD5 hash matches the one in the table. If you need an MD5 hash generator, try this one for free.
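The name-versus-hash rule above can be scripted. This is an added example (my own sketch, not part of Visa's alert); the table inside `demo()` uses constructed placeholder names and hashes, so substitute the filenames and MD5 values from Table 1 when running `triage()` for real.

```python
import hashlib
import tempfile
from pathlib import Path


def md5_of(path, chunk_size=65536):
    """MD5 of a file, read in chunks so large binaries do not fill memory."""
    digest = hashlib.md5()
    with open(path, "rb") as handle:
        for block in iter(lambda: handle.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def triage(root, ioc_table):
    """Classify files under root against an alert table of {filename: md5}.

    'hash-match' : content matches a listed hash, whatever the file is called
                   (Table 1 lists svcl.exe as a renamed sn.exe with the same hash)
    'name-only'  : filename is listed but the hash differs, so per the alert
                   it is not suspect on that basis alone
    'unreadable' : could not be hashed, needs a manual look
    """
    names_by_hash = {}
    for name, md5 in ioc_table.items():
        names_by_hash.setdefault(md5.lower(), []).append(name.lower())
    listed_names = {name.lower() for name in ioc_table}

    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        try:
            digest = md5_of(path)
        except OSError:
            # Locked or unreadable file: record it rather than silently skip.
            findings.append((path.name, "unreadable"))
            continue
        if digest in names_by_hash:
            findings.append((path.name, "hash-match"))
        elif path.name.lower() in listed_names:
            # Windows filenames are case-insensitive, so compare lowercased.
            findings.append((path.name, "name-only"))
    return findings


def demo():
    """Run triage over a temporary directory of constructed files."""
    listed_content = b"constructed stand-in for a listed tool"
    table = {  # placeholder table, NOT the values from the alert
        "tool_a.exe": hashlib.md5(listed_content).hexdigest(),
        "tool_b.exe": hashlib.md5(b"another constructed stand-in").hexdigest(),
    }
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        (base / "TOOL_A.EXE").write_bytes(listed_content)   # listed name and hash
        (base / "renamed.exe").write_bytes(listed_content)  # listed hash, new name
        (base / "tool_b.exe").write_bytes(b"benign program sharing a name")
        (base / "notes.txt").write_bytes(b"unrelated file")
        return triage(root, table)


if __name__ == "__main__":
    for name, verdict in demo():
        print(f"{verdict:11} {name}")
```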

Table 2, Block these IP addresses:

The IPs in Visa’s list have somehow been identified as being related to malicious behavior, but by just blocking them you are not making your system inherently secure. Blocking IP addresses is generally not an effective or long-term method of preventing malicious access. There are over 2 Billion possible IP addresses, and each IP can have a virtually unlimited number of computers and networks behind it. If you block an IP address, there are a billion others that could be used for malicious behavior. Also, wrongfully blocking an IP address could potentially restrict a huge number of people from your network. In the case of a website, this could result in significant loss of business. Please make sure you understand exactly what you are doing when searching for applications or blocking IPs. If in doubt, contact someone more qualified in network security.

11 comments February 2nd, 2009


Just how big was the Heartland security breach?

I have been looking over a 2007 Nilson Report, specifically about the number of credit cards being used in the US. I then thought, how much of an impact could the Heartland security breach have on the US credit card industry as a whole? How big is the US credit card industry?

To start off, it is still unknown how many card numbers were actually stolen in the Heartland Breach. But, it is known that as many as 600 Million card numbers were exposed to malicious software. In terms of security (and logic in general), you can only assume the worst case until you can later prove that the situation is better (There is no innocent until proven guilty when it comes to security). So how many cards is 600 Million?

These are not exact numbers but are close… In 2007, there were about 200 Million cardholders in the US. These cardholders owned 321 Million Visa cards, 279 Million MasterCard cards, 52 Million AMEX cards, and 57 Million Discover cards. This makes a total of 709 Million credit cards. Since the account activity averages about 60% across all cards, there are roughly 420 Million active credit cards being used in the US.

Now putting this all together, the number of cards potentially stolen is about 50% more than every single active card of every cardholder in the entire country. Given the size of the breach, it’s unlikely that your card was not compromised if you made a purchase in the US between April and December.

Unfortunately, a breach like this will have a negative impact on the entire credit card industry. I’ve heard a lot of “they had it coming” and cheers of joy from other people in my industry, but make no mistake, this is bad for everyone! We have yet to see the real start of what this is going to cost Heartland and the credit card industry as a whole. I cannot imagine a scenario where Heartland comes out of this in one piece. They may prove me wrong, but the damage from this looks to be too great for any processor in the world to reasonably handle.

4 comments January 27th, 2009


Why CVV is worthless, and why it’s not!

CVV, or card verification (also known as CVV2, CVC2, CID), is that small 3 or 4 digit number on the back of your credit card (front for AMEX) that is not encoded on the magnetic stripe, and is designed to help prevent fraud.

CVV offers only a little protection against fraud, but should nonetheless be used whenever possible.


Why CVV is worthless

CVV cannot be written down, ever:

Avoid CVV2 Storage. All merchants are prohibited from storing CVV2 data. When asking a cardholder for CVV2, merchants must not document this information on any kind of paper order form or store it on any database.

CVV can only be used in call centers where the card is directly keyed into a processing system that instantly authorizes the transaction. It can be used on a website where an automatic authorization is made. Other than those two circumstances, it really can’t be used. The fines for storing a CVV number are steep and could easily cost a merchant hundreds of thousands of dollars, not to mention losing your ability to process credit cards forever.

Just to clarify: CVV must not be written down, sent in an email, stored in a database, or saved for later in any way, at any time, for any reason!

CVV wears off:
It’s almost like they printed the CVV number in some special fast-fading ink. CVV numbers wear off quickly, and are often unreadable after a month or two. This creates an unnecessary burden for customers who are forced to use their CVV number for a payment. No wonder 50% of the top 100 retailers don’t use CVV.

The CVV system isn’t always available:
If you’ve ever looked at an error log of an active payment gateway, you will see a mess of CVV not available, not supported, and other non-mismatch errors. The CVV system is definitely not rock-solid at this point, and there’s a potential to lose legitimate business due to these spurious errors.

It doesn’t guarantee anything:
My biggest complaint: a positive CVV match doesn’t guarantee anything except that whoever placed the order had the card in hand (or wrote down the CVV number). It doesn’t automatically win chargebacks, and it doesn’t remove any accountability for a transaction from the merchant. It is strictly a preventive measure to combat fraud.

Why CVV is still a good system

It’s FREE:
That’s right. Unlike the AVS system, there is no additional fee for using CVV. At the very least, there’s no reason at all not to use CVV for online processing. Whether you want to actually decline transactions based on a CVV response is a different story.

I’ll come straight out and say, I don’t recommend requiring a positive CVV match to approve a transaction. However, if you decide not to require it, I strongly recommend implementing a transaction flagging system forcing transactions with a CVV mismatch to be manually reviewed before shipping. You can easily implement your own system using the response from a payment gateway. Most payment gateways also have additional fraud prevention tools that will automatically flag these transactions.

It protects against skimming:
It is significantly more complicated for a card skimmer to record the CVV number in addition to the magnetic stripe data. In almost all cases, using CVV will prevent fraudulent transactions from skimmed cards.

It works, when it works:
CVV does actually deter and prevent fraud for unattended situations. It can completely eliminate card testing (carding), and does ensure that your customer had the physical card in their hand at some point. The same thing goes for call centers, where there are high fraud percentages because customers still can’t be verified.

The bottom line is that using CVV and requiring it, or flagging mismatch transactions will save you money and will prevent fraud. Use it, if you have the option to!

5 comments November 18th, 2008


Forcing Software for PCI Compliance

Lately I’ve been hearing reports of processors that are starting to charge their customers $19.95 per month for not being PCI compliant. To fix this problem, these processors are requiring their customers to install some PC based scanning software that is supposed to magically make the business PCI compliant, thereby allowing them to avoid the monthly charge.

Let me start out by saying: This is a bunch of crap!

There is nothing that you can just put on your PC that will make your business PCI compliant. This is so far off course that it hardly can be related to PCI. PCI compliance is in reference to networks, computers, hardware and software that play a part in the processing, storage, or transfer of a credit card transaction.

It is now required that every business be PCI compliant, but let me assure you that there is no simple computer program that will do this for any business. Even if only a single computer is used to enter card data, it is unlikely that it is the only piece of the puzzle, and even more unlikely that a single piece of software can guarantee PCI compliance.

Steps to get compliant:

  1. Determine whether you need to be PCI compliant. (If you accept credit cards, or play any part in the processing of a credit card, you need to be PCI compliant.)
  2. Determine which Level of compliance is required for your business.
    • Level 1: Greater than 6 million credit card transactions per year or any business that has suffered a hack or data breach, or any business deemed Level 1 by card associations.
    • Level 2: 1 to 6 Million credit card transactions per year.
    • Level 3: 20K to 1 Million credit card transactions per year.
    • Level 4: Less than 20K ecommerce, or 1 Million total transactions per year.
  3. Fill out the self assessment questionnaire (SAQ).
  4. Fix every area that you answered ‘NO’ to on the SAQ.
  5. Hire an approved scanning vendor (ASV) to perform quarterly scans of any external networks. – All Levels
  6. Fix and maintain any failed area of the scan.
  7. Level 1 Only: Complete an annual on-site audit by a Qualified Security Assessor (QSA).
  8. ** Continue to maintain security of networks and card information! **

Once you complete all of those requirements, and maintain a secure network and business environment, you are PCI compliant. Most of the details of PCI compliance can be found in the SAQ, and on the PCI Security Standards website.

If you’re trying to determine whether PCI compliance is worth it to you, consider this: A security breach will result in a business requiring Level 1 compliance. The cost for level 2, 3, and 4 compliance can be as low as a few hundred dollars per year. The cost of Level 1 compliance can easily reach into the 6 and 7 figures per year.

Some Good PCI Resources:
PCI Answers Blog
PCI Security Standards website
Visa Cardholder Information Security Program
MasterCard SDP Program

35 comments May 6th, 2008


Merchant account theft (pt 1 of 2) – Don’t get slammed!

Slamming is a situation in the credit card processing industry where a sales agent or an ISO will steal a merchant account from another processor.

This deceitful tactic has been observed in every area of credit card processing, from retail to ecommerce. It is most common with smaller retail shops and restaurants, and seems to be especially prevalent in rural areas where business owners often have a first name relationship with their merchant account rep. Slamming has a negative impact on the business that switched, the company it switched from, and the processing industry in general.

How slamming happens:
Picture this scenario. You own a clothing shop in a small town in Colorado. One day a person calls or walks into your business claiming he is with your credit card processing company and needs to update your terminal because of new security regulations. He tells you he works with your rep, Sam, who set up your merchant account initially. You know Sam and assume that he must have sent this person to correct your terminal. He has you sign some paperwork, he makes a few phone calls, messes around with your credit card terminal, thanks you and leaves… You’ve just been slammed!

At the end of the month, you get two bills for your credit card processing. One from the company you originally signed up with which is basically blank, and the other that has all of your transactions on it, but you don’t quite recognize the name on it.

What you didn’t realize when that person was reprogramming your terminal was that he worked for a different company, and he just switched you to his service. He knew your sales rep Sam’s name because most of the businesses in the area process through the same company and Sam is their rep. You may not have even signed an actual contract with him, but he got your signature and your terminal is programmed with his company. Although what he did was illegal, you now have two merchant accounts, and the second one is a complete mystery as to what you are actually paying, or who you are processing with. Unlike switching providers on your own, you didn’t need or want to switch, and you don’t know anything at all about the new company or what you’re going to get with them. Hopefully, they actually did set you up with a real merchant account, but for all you know, this may have been some criminal that installed something to skim all of the credit card numbers that go through your terminal. Some ex-bankcard technician may be routing your money into their bank through a stolen merchant account. Just about anything is possible.

How slamming can hurt your business:

  • You are now processing through a deceptive company!
  • You almost always have extra fees, due to two accounts being open!
  • You will most certainly have a termination fee!
  • You can possibly be put on the TMF / Match file if you end your relationship with either company in a bad manner!
  • There is now a huge potential for fraud and credit card theft through your business!

Simply put, any company that would con a business into using their service is not someone you want to be doing business with. This company just doubled any fixed fees you had because you have two accounts open now, and you most certainly have an early termination fee that you will be required to pay when you realize you just got scammed. They have a termination fee because there is a good chance you’re going to dump them once you realize what just happened. Apart from that, who knows what your fees are, what this company’s reputation is, if they are even a legal business, if you are going to get all of your money, etc. This is just a bad position to be in for a business.

Of course this is illegal and you can take recourse against this deceptive company, but lawyers are expensive, and this could become an enormous burden to fight. Additionally, it may be hard to track down who is actually responsible for doing this to you. Many businesses do fight and they usually win, but it takes time and money, which is why slammed businesses often stay with the new company.

How this hurts the merchant services industry:
Reputable service providers spend a lot of money to gain your business, and they spend a lot of money on staff, training, and equipment to support your business. It takes months and sometimes years for a processor to regain the cost of establishing a single customer. When merchants are stolen, it has the same effect on a processor that shoplifting has on a retail business. Profit margins sink, and it becomes harder to keep prices and fees where they are. On an industry-wide level, it ends up costing all businesses more, because the lost revenue has to be accounted for somewhere.

Companies that slam are scum!
Slamming exists because some providers and reps find it easier to steal hard earned customers from honest companies than to provide a service worthy of gaining their own customers. The people doing the slamming are criminals and should not be trusted on any level. Businesses have gone bankrupt, been put on the TMF, have been locked into horrible contracts and paid thousands of dollars because of thieves that do this. There is so much risk to a business that gets slammed, only a true criminal would put an honest business into a risky situation that could cost them their business.

What to do if you’re slammed:
First off, do some research to find out who did it to you and when it was done. Usually someone showed up and either switched out your terminal, or reprogrammed your terminal claiming to be with your processor. More than likely an outside agent slammed you and not the company they work for. Luckily, this is the best case scenario for your business, because you can easily bypass the agent and deal directly with the company you are now processing through. Additionally, a sales agent that is out slamming businesses is a huge liability for a processor, so they will be more likely to sympathize with your situation. You need to make sure that if you close this new account, you will not be charged a termination fee, and you will not be put on any sort of TMF/Match list. Depending on what you actually signed, it’s possible that it was a complete application. Whatever the case, you are the victim of fraud, and you shouldn’t have to compromise, even a penny! You also need to figure out what you want the outcome of this to be. You can go back to your original company, you can find a new company, or you can stay with the current one. Based on how your relationship got started with this new company, it’s probably a good idea to go somewhere else out of principle. If you do decide to leave your original provider, make sure you know if you are required to pay any sort of termination fee. Most likely your account with them is still open, so going back to them should be simple and painless, maybe taking only a few minutes to get your terminal reprogrammed.

If a provider slammed you themselves, you are in a stickier situation. Going straight to the bank they are registered to, or to Visa and MasterCard may be the best resolution. If you find that the cost is significantly higher, you may need to consult a lawyer or file a report with your police department. If you do decide to call them, go up the chain of command as high as you can. Even if the company is responsible, it was still most likely a rogue sales person that carried out the slam. Filing reports with the BBB can go a long way to getting their attention and getting out of their grip. Ripoff Report is another company you can file a complaint with.

(My Ripoff Report Advice: Only file a Ripoff Report after all other options have been exhausted! You should be 100% certain that you are filing against the correct organization, there is no chance of an amicable resolution, and you do not expect anything positive to further come from the company. Unlike a BBB report, a Ripoff Report cannot be undone, even by you, and they can be so damaging that there is little chance the company will deal with you any more at all. If you commit libel or slander, you should be prepared for the full legal wrath of the company you reported. Enough said!)

Prevent it!
Don’t let anyone reprogram your terminal unless you are certain that they are supposed to and that they work with your current processor. Whether it is over the phone or face-to-face, make sure you know who is changing your terminal, because you just can’t know what they may be changing on it. Your money and your business’s very existence could be at stake.

Add comment March 18th, 2008
