Posts filed under 'Merchant Accounts'

Credit card interchange vote tomorrow

Much to the surprise of the merchant account industry, the congressional bill proposing to regulate interchange is being attached to the credit reform act and is potentially being voted on tomorrow. Although the interchange regulation bill is related to credit cards and the credit industry, it has nothing to do with the credit reform act, and attaching it is an irresponsible means of passing an already poorly supported bill. The US Government Accountability Office, the US Justice Department, the American Banking Association, and the Federal Trade Commission have all directly warned Congress against regulating interchange. To not even have a real vote on the bill is simply irresponsible governing.

Bloggers and advocacy groups like the NRF argue that this bill will level the playing field when it comes to processing costs. This may be true for huge retailers like Walmart, but it will almost certainly reduce the quality of processing services for small businesses while raising their overall cost. Just name a situation where government regulation ends in better quality services at a lower cost…

The argument against interchange has been fought by large corporations and angry merchants twisting the reality of what interchange is, who it goes to, and why it’s charged. While the US has some of the highest interchange costs in the world, we also have the lowest overall processing costs, the lowest setup cost, and by far the highest quality services in the world. In some countries, you would have to pay over a thousand dollars just to get set up processing credit cards, and your monthly bill could easily be double for the exact same services, all with lower interchange. Creating a non-competitive environment like the one proposed by regulating interchange will create a situation much like the one described above.

I urge anyone in the processing industry, and anyone that stands against huge corporations like Walmart leveraging the government and small business owners to fight a cause that hurts everyone, to contact their representation.

Add comment March 31st, 2009


Visa Alerts of Floral Credit Card Fraud

Visa issued another security alert today specifically for floral merchants. Given that Valentine’s Day is a few days off, this is important for many businesses out there. None of this is groundbreaking news, but extra care should be taken by floral merchants when accepting payments over the phone, by fax or online. If you aren’t already, take some extra steps to prevent fraud; CVV2 may help in this case, and it costs nothing extra to process with. Also, be very wary of extremely large orders.

Typically, fraudsters look for times when businesses are most vulnerable, and when business picks up a lot, oversight is often the result.

Illegitimate customers are placing orders for flowers using stolen credit card information. The orders are typically placed via fax, e-mail, and/or hearing-impaired relay calls. The perpetrator then requests that the florists wrap the flower arrangements in various amounts of cash and bill the difference to the credit card number(s) provided. These orders have been known to reach $4,000.00. A shipping address for the order is then provided to the merchant.

In some instances, the perpetrators have been known to hire an unsuspecting accomplice to pick up the flowers in person. This accomplice is then instructed to ship the flowers via UPS or the U.S. Postal Service.

When the true cardholder receives the floral charge on their monthly statement, they will initiate a chargeback, as the order was placed without their authorization. As a result, the merchant will become liable for the fraudulent sale.

2 comments February 11th, 2009


Spotting large scale credit card fraud

Card issuers have massive computer systems that handle transaction processing. These companies also have some very advanced and large scale fraud detection systems.

Every time a credit card is reported as stolen, a huge amount of past data about that card is put into a big database. This database of pre-fraud activity is used in a large algorithm to look for similarities, which can signal the origination of stolen or lost credit card numbers. Since Visa and MasterCard have access to billions of transactions worth of information, they can screen for events that may signal that a business is losing card numbers.

If you were to greatly simplify this system and a map from it, it would look something like this:

[Diagram: Fraud Detection]

In this case, the similarity is a single business where all of the stolen credit cards had been used before the cards were involved in fraudulent activity. This could potentially be the sign of an employee skimming card numbers, or a breach in a database. There are always going to be coincidences involving data on a large scale, but because of the scale, it’s very difficult to end up with a false positive once a margin of error is established.

Processor Fraud Detection

Let’s assume there isn’t any conclusive evidence that cards were stolen from a single business. Issuers are also looking at the processor a business is using. If there is a common processor or processing network that many businesses are using, it could be a signal of a data breach on a processor level.

[Diagram: Processor Fraud Detection]

The similarity in this case is the processor that many of the businesses were using. This is basically how the Heartland breach was discovered. Unfortunately, the only companies that can see fraud like this are ones that have access to huge amounts of past card usage. Their computer systems basically load billions of pieces of data about transactions, the businesses that accepted a customer’s card, and the processors who processed them. When enough lines meet up at a single point, there’s a chance that something happened there. It really doesn’t matter where in the process of a transaction the lines all cross, just that they do cross.

Keep in mind that these diagrams are grossly simplified, think a billion times simplified. But, it’s easy to see that if you have the right data and know what to look for, fraud can be easy to spot.
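The cross-referencing described in this post, as an added Python example (not from the original post or from any card network's system): it looks only at each stolen card's history before its fraud date, then asks which merchant or processor is over-represented compared with cards that were never reported. All card, merchant and processor names, the dates, and the `min_cards` and `min_lift` thresholds are constructed assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import date as D

Txn = namedtuple("Txn", "card merchant processor day")

# Constructed sample data; every card, merchant and processor name is hypothetical.
TRANSACTIONS = [
    Txn("c1", "Florist A", "P-A", D(2008, 11, 2)),
    Txn("c1", "BigMart", "P-B", D(2008, 12, 1)),
    Txn("c1", "Electronics Z", "P-C", D(2009, 1, 16)),  # after the fraud date: ignored
    Txn("c2", "Diner B", "P-A", D(2008, 11, 10)),
    Txn("c2", "BigMart", "P-B", D(2008, 12, 3)),
    Txn("c3", "Garage C", "P-A", D(2008, 11, 20)),
    Txn("c4", "Florist A", "P-A", D(2008, 12, 5)),
    Txn("c4", "BigMart", "P-B", D(2008, 12, 9)),
    Txn("c5", "Bookshop D", "P-A", D(2008, 12, 11)),
    Txn("c6", "Diner B", "P-A", D(2008, 12, 14)),
    Txn("c7", "BigMart", "P-B", D(2008, 11, 5)),
    Txn("c7", "Cafe E", "P-C", D(2008, 11, 6)),
    Txn("c8", "BigMart", "P-B", D(2008, 11, 8)),
    Txn("c8", "Florist A", "P-A", D(2008, 12, 20)),
    Txn("c9", "BigMart", "P-B", D(2008, 11, 12)),
    Txn("c9", "Cafe E", "P-C", D(2008, 12, 2)),
    Txn("c10", "BigMart", "P-B", D(2008, 12, 18)),
    Txn("c11", "Cafe E", "P-C", D(2008, 12, 22)),
    Txn("c12", "BigMart", "P-B", D(2008, 12, 27)),
]
# Cards reported stolen, with the date of first fraudulent use (constructed).
FRAUD_DATES = {c: D(2009, 1, 15) for c in ("c1", "c2", "c3", "c4", "c5", "c6")}


def common_points(transactions, fraud_dates, key, min_cards=3, min_lift=2.0):
    """Rank merchants or processors (key) that stolen cards share before fraud.

    lift = share of stolen cards seen at the point before their fraud date,
    divided by the (smoothed) share of never-reported cards seen there.
    A popular store that everyone uses gets a lift near 1 and is not flagged.
    """
    clean_cards = {t.card for t in transactions} - set(fraud_dates)
    hits = defaultdict(set)      # point -> stolen cards seen there pre-fraud
    baseline = defaultdict(set)  # point -> never-reported cards seen there
    for t in transactions:
        point = getattr(t, key)
        if t.card not in fraud_dates:
            baseline[point].add(t.card)
        elif t.day < fraud_dates[t.card]:
            hits[point].add(t.card)
    flagged = []
    for point, cards in hits.items():
        share_stolen = len(cards) / len(fraud_dates)
        share_clean = (len(baseline[point]) + 1) / (len(clean_cards) + 1)
        lift = share_stolen / share_clean
        if len(cards) >= min_cards and lift >= min_lift:
            flagged.append((point, len(cards), round(lift, 2)))
    return sorted(flagged, key=lambda r: -r[2])


if __name__ == "__main__":
    print("merchants :", common_points(TRANSACTIONS, FRAUD_DATES, "merchant"))
    print("processors:", common_points(TRANSACTIONS, FRAUD_DATES, "processor"))
```

In this constructed data no single merchant stands out, while processor P-A does, which is the second situation the post describes.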

11 comments February 4th, 2009


Just how big was the Heartland security breach?

I have been looking over a 2007 Nilson Report, specifically about the number of credit cards being used in the US. I then thought, how much of an impact could the Heartland security breach have on the US credit card industry as a whole? How big is the US credit card industry?

To start off, it is still unknown how many card numbers were actually stolen in the Heartland Breach. But, it is known that as many as 600 Million card numbers were exposed to malicious software. In terms of security (and logic in general), you can only assume the worst case until you can later prove that the situation is better (There is no innocent until proven guilty when it comes to security). So how many cards is 600 Million?

These are not exact numbers, but they are close. In 2007, there were about 200 Million card holders in the US. Together, these card holders owned 321 Million Visa cards, 279 Million MasterCard cards, 52 Million AMEX cards, and 57 Million Discover cards. This makes a total of 709 Million credit cards. Since the account activity averages about 60% across all cards, there are roughly 420 Million active credit cards being used in the US.

Now putting this all together, the number of cards potentially stolen is about 50% more than every single active card of every cardholder in the entire country. Given the size of the breach, it’s unlikely that your card was not compromised if you made a purchase in the US between April and December.

Unfortunately, a breach like this will have a negative impact on the entire credit card industry. I’ve heard a lot of “they had it coming” and cheers of joy from other people in my industry, but make no mistake, this is bad for everyone! We have yet to see the real start of what this is going to cost Heartland and the credit card industry as a whole. I cannot imagine a scenario where Heartland comes out of this in one piece. They may prove me wrong, but the damage from this looks to be too great for any processor in the world to reasonably handle.

4 comments January 27th, 2009


Heartland Suffers Massive Data Breach – update

Heartland Payment Systems was reported today to have been the victim of one of the largest credit card data breaches in history.

Heartland discovered malicious software that was recording credit card information as it was being sent to Heartland for processing. Heartland processes roughly 100 million transactions per month, for 250,000 US businesses.

The data stolen includes the digital information encoded onto the magnetic stripe built into the backs of credit and debit cards. Armed with this data, thieves can fashion counterfeit credit cards by imprinting the same stolen information onto fabricated cards.

Right now it is unknown how much data has been collected, how or if it has been used, or how long the malicious software was recording information. The current largest data breach in history was about 45 million card numbers at TJX (TJ Maxx and Marshalls), which cost the retailer almost $2 billion. Depending on how much data was lost, this breach could surpass the cost of the TJX breach.

I’ve been reading comments on various blogs and news sites on the internet and so far there is a lot of backlash and anger from consumers and businesses. We’ll see in the near future how this breach will affect Heartland, but it seems safe to assume that this will be an extremely costly event for one of America’s largest ISOs.

***UPDATE***

http://www.nytimes.com/2009/01/21/technology/21breach.html?_r=1&emc=tnt&tntemail0=y

The software on Heartland’s network was installed as early as May. Based on the volume of transactions, as many as 600 million card numbers were potentially vulnerable, although the actual number stolen was likely less than this. With that sort of exposure, and the sheer number of merchants that process with Heartland, it’s not impossible that every single card holder in the US was exposed in this data breach.

2 comments January 20th, 2009


Merchant accounts as a measurement of the economy

During a recession or a downturn in the country’s economy, we typically see the unemployment rate go up. In the current situation, the unemployment rate has gone up a lot.

One of the few good things that comes from unemployment is that it creates situations that allow new businesses to start up. What better motivation to start your own business than getting laid off?

One of the interesting facts about the credit card processing industry is that we generally see an increase in new businesses during an economic downturn, especially when it involves a lot of layoffs and lost jobs.

[Chart: Economy - Merchant Account Trends]

This is blatantly apparent when comparing Google’s trend graph for the term “Merchant Account” to the S&P500 Index. The increase in searches for merchant account is a delayed inverse to the crash in stock price, which in this case is a good indicator of the country’s economy.

This is a positive trend to me, because it’s apparent that people are still getting out there and trying to open their own businesses. Financing is a major hurdle right now, but there are signs that we will see an increase of new businesses in the months to come. Real estate is cheap, competition is evaporating, and those businesses that can get established in a difficult economy should excel when things do pick up again.

3 comments January 13th, 2009


Let Your Average Sale Determine “Your” Good Rate

Here’s a little comparison on how a business’s average sale size affects their processing cost.

If a business processes $10,000 per month, here is how the business’s ticket size affects their overall cost.

[Chart: Average Ticket to Cost]

If you have a low average ticket, it is more important to have a low transaction fee than a low processing rate. Conversely, if your average sale amount is greater than about $80, the transaction fee becomes almost negligible.

Knowing how your average ticket size affects your overall cost is extremely important when looking for a merchant account provider. Not knowing how this affects your fees will undoubtedly cost your business extra. This is yet another reason why shopping for the lowest advertised cost is a good way to get a bad deal.


3 comments January 7th, 2009


Best wishes for 2009

2008 will end as one of the most dreadful business years in history. Most businesses will continue to have a tough time in the coming months. I can only hope that jobs open up, business picks up, and our economy begins to make some sort of rebound.

I do believe that we will be looking at a different landscape when our economy eventually comes around. One thing is for certain, the credit and banking industries are going to look very different by the end of 2009.

Card issuers:

Card issuers are looking to go through some huge changes, maybe the biggest and quickest changes since the invention of the credit card.

Issuing is going to tighten up a lot. We can likely expect a surge in fees, and a reduction in rewards card programs. Add this to increased underwriting scrutiny and a new FICO scoring system, and we end up with a very volatile card issuing system. It’s going to be harder to get a credit card and they’re going to have more fees and fewer rewards than we’re all used to.

Card processors:

Credit card processors are just now beginning to feel the strain of the down-turned economy. The ones hit hardest are those with the highest attrition and ones that rely on continued new businesses. Processors who went for the lowest bid are seeing massive attrition and a reduction in income. We’re starting to see across-the-board business closures and greatly decreased sales volumes. This creates a very uncertain future for many companies that handle merchant accounts for millions of businesses in the US. In addition, there are the looming congressional credit card interchange regulation bills. Processors do not neatly fall into any category being regulated, so there is a lot of uncertainty about what’s going to happen if the bills are passed.

Businesses:

Not only are we seeing an increase in business closures, but we’re seeing a reduction in new businesses. Typically during a recessionary period, new businesses are started due to opportunities created by layoffs, pay cuts, and other reductions. Unfortunately, this is not yet the case, and new business start-ups are at an all-time low. Even successful businesses are feeling the strain of reduced consumer spending. On the bright side, the extremely low gas prices are helping, but this is most likely temporary, as gas will eventually rebound.

It’s never too late to optimize your operations and reduce costs and debt, but always continue to market and find new ways to gain new customers, and keep the ones you already have.

Consumers:

Consumers are feeling the strain of reduced bank lending, and the reduction of available credit. When the new FICO system comes into effect, this credit reduction has the potential to destroy people’s good credit, since the new system relies very heavily on available/used balance ratios. This holiday has shown us just how bad things have gotten: just today, consumer confidence ratings were recorded at an all-time low.

The future

While I’m sure that we will come out of this slump, I fear that we have not yet seen the worst of it. My best wishes go out to anyone having a tough time right now, especially those who have been laid off, lost their home, and those undergoing other very difficult circumstances. Things will get better, and many opportunities will come from our current situation, but if you’re waiting for one to come around, you may be waiting for a long time. We all need to continue to push forward, find and create our own opportunities, and help those around us that are experiencing difficulties.

Have a new year!

1 comment December 30th, 2008


PCI Non-Compliance Fees Getting Much Worse

Just yesterday, I wrote about the increasing number of non-compliance PCI charges that processors are passing down to their customers. A few months ago several processors started adding monthly PCI compliance fees to their customers’ bills. Well, the PCI fees are getting a lot worse!

I reviewed a potential customer’s statement today and they had a $500 PCI non-compliance fee on it, which is by far the largest I have seen to date. Needless to say they were very upset.

Get Compliant:

It appears that these non-compliance fees are going to get much worse, very quickly. We’re getting a lot of pressure from sponsoring banks to impose similar fees, and so far we’ve been able to avoid them.

The point is, these fees are going to be the standard in the near future. If you’re not PCI compliant now, it’s time to look into it before your processor tacks a $500 fee on your monthly bill.

PCI-DSS is required for all US businesses that accept credit cards. For some businesses, there will be no additional cost for becoming compliant. For businesses that process online, or ones storing data, scanning can cost as low as $50 per year, which is a far cry from $500. Security is, however, a lot more than just filling out a survey and scanning a server 4 times a year, as required by PCI-DSS. Whatever the case, PCI-DSS is required by all card issuers, and needs to be adopted. I’m not going to argue whether PCI is fair for some of the businesses out there, but data needs to be secure for every business.

For PCI-DSS Compliance, Start Here: https://www.pcisecuritystandards.org/

1 comment November 20th, 2008


Why CVV is worthless, and why it’s not!

CVV, or card verification (also known as CVV2, CVC2, CID), is that small 3 or 4 digit number on the back of your credit card (front for AMEX) that is not encoded on the magnetic stripe, and is designed to help prevent fraud.

[Image: CVV]

CVV offers a little protection against fraud, but nonetheless should be used whenever possible.


Why CVV is worthless

CVV cannot be written down, ever:

Avoid CVV2 Storage. All merchants are prohibited from storing CVV2 data. When asking a cardholder for CVV2, merchants must not document this information on any kind of paper order form or store it on any database.

CVV can only be used in call centers where the card is directly keyed into a processing system that instantly authorizes the transaction. It can be used on a website where an automatic authorization is made. Other than those two circumstances, it really can’t be used. The fines for storing a CVV number are steep and could easily cost a merchant hundreds of thousands of dollars, not to mention losing your ability to process credit cards forever.

Just to clarify, CVV must not be written down, sent in an email, stored in a database, saved for later in any way, at any time, for any reason!

CVV wears off:
It’s almost like they printed the CVV number in some special fast-fading ink. CVV numbers wear off quickly, and are often unreadable after a month or two. This creates an unnecessary burden for customers who are forced to use their CVV number for a payment. No wonder why 50% of the top 100 retailers don’t use CVV.

The CVV system isn’t always available:
If you’ve ever looked at an error log of an active payment gateway, you will see a mess of CVV not available, not supported, and other non-mismatch errors. The CVV system is definitely not rock-solid at this point, and there’s a potential to lose legitimate business due to these spurious errors.

It doesn’t guarantee anything:
My biggest complaint, a positive CVV match doesn’t guarantee anything except that whoever placed the order had the card in hand (or wrote down the CVV number). It doesn’t automatically win chargebacks, and it doesn’t remove any accountability for a transaction from the merchant. It is strictly a preventive measure to combat fraud.

Why CVV is still a good system

It’s FREE:
That’s right. Unlike the AVS system, there is no additional fee for using CVV. At the very least, there’s no reason at all not to use CVV for online processing. Whether you want to actually decline transactions based on a CVV response is a different story.

I’ll come straight out and say, I don’t recommend requiring a positive CVV match to approve a transaction. However, if you decide not to require it, I strongly recommend implementing a transaction flagging system forcing transactions with a CVV mismatch to be manually reviewed before shipping. You can easily implement your own system using the response from a payment gateway. Most payment gateways also have additional fraud prevention tools that will automatically flag these transactions.

It protects against skimming:
It is significantly more complicated for a card skimmer to record the CVV number in addition to the magnetic stripe data. In almost all cases, using CVV will prevent fraudulent transactions from skimmed cards.

It works, when it works:
CVV does actually deter and prevent fraud for unattended situations. It can completely eliminate card testing (carding), and does ensure that your customer had the physical card in their hand at some point. The same thing goes for call centers, where there are high fraud percentages because customers still can’t be verified.

The bottom line is that using CVV and requiring it, or flagging mismatch transactions will save you money and will prevent fraud. Use it, if you have the option to!
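One way to build the flagging system recommended above, as an added Python example that is not from the original post: a mismatch is held for manual review instead of being declined, "not available" results are not treated as mismatches, and the CVV itself is dropped before the order is stored. The field names, the `large_order` threshold and the single-letter result codes (M, N, P, S, U) are assumptions; use the values your own gateway documents.

```python
# Assumed single-letter CVV result codes; confirm them in your gateway's docs.
CVV_MATCH, CVV_MISMATCH = "M", "N"
CVV_UNAVAILABLE = {"P", "S", "U", ""}  # not processed / not supplied / unsupported

# Hypothetical names under which an order form might carry the CVV value.
CVV_FIELDS = {"cvv", "cvv2", "cvc", "cvc2", "cid"}


def storable(order):
    """Return a copy of the order with the CVV value itself removed."""
    return {k: v for k, v in order.items() if k.lower() not in CVV_FIELDS}


def triage(order, response, large_order=500.00):
    """Return (decision, reasons, record); decision is declined/review/ship.

    A mismatch goes to manual review before shipping. An unavailable CVV
    check is not a mismatch, so it only triggers review when the order is
    also unusually large.
    """
    record = storable(order)
    code = response.get("cvv_result", "")
    record["cvv_result"] = code  # the result code is kept, the CVV is not
    if not response.get("approved", False):
        return "declined", ["issuer declined"], record
    reasons = []
    if code == CVV_MISMATCH:
        reasons.append("CVV mismatch")
    elif code in CVV_UNAVAILABLE and order["amount"] >= large_order:
        reasons.append("CVV not checked on a large order")
    elif code not in CVV_UNAVAILABLE and code != CVV_MATCH:
        reasons.append("unrecognized CVV result %r" % code)
    return ("review" if reasons else "ship"), reasons, record


# Constructed orders and gateway responses (all values are made up).
SAMPLES = [
    ({"id": 1, "amount": 45.00, "cvv": "123"}, {"approved": True, "cvv_result": "M"}),
    ({"id": 2, "amount": 60.00, "cvv": "999"}, {"approved": True, "cvv_result": "N"}),
    ({"id": 3, "amount": 35.00, "cvv": "321"}, {"approved": True, "cvv_result": "U"}),
    ({"id": 4, "amount": 4000.00, "cvv": "555"}, {"approved": True, "cvv_result": "P"}),
]


def run_samples():
    """Decisions for the constructed samples, in order."""
    return [triage(order, resp)[0] for order, resp in SAMPLES]


if __name__ == "__main__":
    for order, resp in SAMPLES:
        print(order["id"], *triage(order, resp))
```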

5 comments November 18th, 2008

