Paper checks are decreasing while use of electronic checks is growing

Fewer checks, faster process

By Patti Murphy
The Takoma Group

A new report out of London shows check usage is declining rapidly in the United Kingdom. The report, prepared by APACS, the U.K. payments association, reveals that check writing in that country fell 8% during 2006. Over the past 10 years, APACS reports, check writing by individuals in the U.K. has been cut in half.

The Federal Reserve is slated to release results from its latest payments research later this fall. I’m betting that data will show check usage declining by about the same percentage. That may not seem like much, perhaps, until you consider that the vast majority of checks written in America today are cleared electronically.

They aren’t electronic payments, but by using electronic clearing channels, it’s now possible to clear a check in a day. It’s not electronic funds transfer, but it’s darn close. And it pretty much guarantees that checks will be changing hands in the United States for many more years to come.

Direct comparisons of check usage in the United States and the U.K. don’t hold much certitude. After all, Brits wrote only 1 billion checks in 2006. Optimistic estimates place U.S. check writing at about 30 billion last year.

According to the Fed’s number crunchers, America’s love affair with the check peaked about a decade ago.

We know anecdotally that fewer checks are being written today in the United States. How many of your kids write checks? How many fewer checks do you write today compared with just a few years ago? And we know Americans are using electronic methods of payment more than ever.

Data collected in 2005 by Dove Consulting Inc., a division of Hitachi Consulting, indicated Americans were using cards more often than cash or checks for in-store purchases by a margin of 12% (56% using cards; 44% with cash or checks).

Just four years earlier, cash and checks were more popular, accounting for 51% of in-store purchases (49% of purchases in 2001 were made using credit, debit or other payment cards), Dove said.

The U.K. seems to have had better luck weaning folks off of checks. According to the APACS survey, only 54% of adults wrote checks last year; just 47% received check payments in 2006. Checks written to retailers fell 48% between 1996 and 2006, APACS said.

“On average we now write 1.6 [checks] a month and receive just one every two months, with half of adults no longer receiving any,” APACS reported in The Way We Pay 2007.

Plenty of checks, less paper

Americans write an average eight to 10 checks a month, based on currently available data. Yet paper processing workloads have fallen drastically, because for the Fed and banks, imaging is emerging as the de facto standard for processing checks.

It’s not unusual for a paper check to be physically handled a dozen times or more during a multiday clearing process.

With imaging, checks are truncated as soon as possible after entering the collection stream, then get cleared and settled using electronic networks that mimic the land and air-based check collection process. The result is that checks can clear now as fast as some electronic payments.

“Image exchange continues to account for a larger share of check processing because it enables institutions to reduce costs and streamline operations,” said Susan Long, Senior Vice President at The Clearing House, which operates the SVPCO Image Payments Network.

And it’s not just a big-bank phenomenon. The Independent Community Bankers Association of America, a Washington-based trade association, reports that most small banks (86%) either have replaced paper check presentment with electronic clearing or are planning to do so within the next two years.

More than a third of the banks surveyed by ICBA this year (36%) are capturing check images at branch locations for centralized processing. An additional 39% expect to be imaging checks for branch-level truncation.

Fewer banks (21%) have rolled out remote deposit products to their business customers (another 45% expect to within the next two years).

In 2005, the last time ICBA queried its members about payments activities, only 4% had business customers transmitting check files instead of trundling paper checks to their local bank offices for deposit.

SVPCO is said to extend to more than 10,000 endpoints, which makes it accessible to nearly all banks (either directly or through compatible networks like the Fed’s).

In August, SVPCO saw a 250% increase in image check exchanges, compared to August 2006. All told, the network said it handled 263.8 million checks worth $454.5 billion last month.

Extrapolating, it seems fair to predict that by year-end 2007, SVPCO’s final tally will top 3 billion checks. To put this into perspective, that’s about the same number of consumer checks that were converted to electronic payments last year and processed through the automated clearinghouse (ACH) using a process known as ACH check conversion.

(In fairness to the ACH, a new check conversion format, known as back office conversion and implemented this spring, makes it easier for merchants and other businesses to embrace ACH check conversion. So, overall conversion numbers should be much higher this year.)

Checks aren’t going away; not in the United States or the U.K. “Although volumes will continue to fall, we forecast that there will still be around 840 million checks used in the U.K. in 2016,” said Sandra Quinn, Director of Communications at APACS. “If you placed these checks end-to-end, they would stretch around the world two and a half times.”

At current rates, it will take much longer for check numbers in the United States to drop below a billion a year. But make no mistake about it: Check imaging is changing the nature of payments. Just ask the Fed, which has closed nearly two dozen check processing offices over the past few years.

Eventually (maybe even before 2016), the Fed expects to be processing checks through one centralized locale. At its peak, the Fed’s check workload was handled through a network of about four dozen regional processing shops.



Terms on your statement/application translated to English

Interchange-based fees (discount rate)

    Qualified rate (credit)

    A qualified discount rate is the percentage rate merchants are charged whenever they accept regular consumer credit cards and process them in a manner that has been defined as “standard” by their merchant account providers. Typically, this requires that the cards be electronically swiped and the transaction settled within 24 hours.

    An average qualified rate is .0175 or 1.75%.

    Qualified rate for offline debit (debit/check cards without PIN entry)

    Some merchants prefer to not enter PIN numbers. Thus, processors may offer a reduced discount rate known as the qualified check card rate.

    This qualified discount rate is the percentage rate merchants are charged whenever they accept regular consumer debit or check cards and process them in a manner that has been defined as “standard” by their merchant account providers.

    Typically, this requires that the card be electronically swiped and the transaction batched/settled within 24 hours.

    An average qualified rate is .0145 or 1.45%.

    Mid-qualified rate

    Also known as a partially qualified rate, the mid-qualified rate is the percentage rate merchants are charged whenever they accept credit cards that do not qualify for the lowest rate (the qualified rate). This may happen for several reasons:

    • A consumer credit card is keyed into a credit card terminal instead of being swiped.
    • A special kind of credit card is used, such as a rewards card, foreign card, purchase or business card.
    • A transaction is held in the terminal or software without being batched within the specified amount of time (24 to 48 hours).

    A mid-qualified rate is usually .075% to 2.0% and charged in addition to the qualified rate.

    Nonqualified rate

    The nonqualified rate is the highest percentage rate merchants are charged whenever they accept credit cards. All transactions that are not qualified or mid-qualified will fall into this rate category. This may happen for several reasons:

    • A consumer credit card is keyed into a credit card terminal instead of being swiped, and address verification is not performed.
    • A special kind of credit card is used, such as a business card, and all required fields are not entered.
    • A merchant does not settle the daily batch within the allotted time frame.

    A nonqualified rate is usually 1.25% to 2.50% and charged in addition to the qualified rate.

    Interchange-plus pricing

    Larger and more sophisticated merchants usually have their merchant account services priced on an interchange-plus basis. This means they pay a specified markup over and above the interchange costs, as opposed to the typical three- or four-tiered pricing models.

    For example, interchange plus .30 basis points is not uncommon. In this instance, a merchant processing $100,000 in bankcard volume would yield $300 per month in gross profitability before the revenue share.

Authorization and other fees

    Bankcard authorization/transaction fees

    These apply to bankcards issued by MasterCard Worldwide and Visa U.S.A.

    The authorization fee is charged each time a transaction is sent to the card-issuing bank to be authorized. It is usually between 10 cents and 20 cents, plus the interchange cost. Even if the transaction is declined, this fee is usually assessed.

    Nonbankcard authorization/transaction fees

    These apply to cards issued by American Express Co., Discover Financial Services LLC, Diners Club Inc., as well as electronic benefits transfer (EBT), gift and loyalty cards, and so forth.

    The authorization fee is charged each time a transaction is sent to the card-issuing bank to be authorized. It is usually between 10 and 20 cents. Some acquirers will separate EBT and gift and loyalty card transactions.

    PIN-based (online) debit fees and network costs

    Online debit cards require that every transaction be electronically authorized. Each transaction is additionally secured with the personal identification number (PIN). There are two ways to price PIN-based debit.

    • A single flat fee (typically in the 65- to 75-cent range, including any debit network fees)
    • A PIN-based transaction fee plus the actual cost for the various debit networks. For example: 20 cents plus actual network cost.

    AVS fee

    Address verification service (AVS) is a fraud prevention service that compares the billing address provided by the cardholder in the transaction with the card issuing bank’s records and verifies that they match.

    This fee is typically 5 to 10 cents per item.

    Voice authorization fees

    This fee is only charged when a merchant calls in a transaction to an 800 number for a telephone or voice authorization. It is useful if the merchant’s terminal or software isn’t working. Most merchants rarely use the voice authorization service. Example: The average cost per voice authorization ranges from $0.75 to $1.50, and is set by the merchant account provider.

    Batch fee

    A batch fee is charged whenever a merchant “settles” a terminal. Settling, also known as “batching,” is the act of sending a merchant’s completed transactions at the end of the business day to the acquiring bank for payment. It is industry-standard to charge this fee.

    Batch fees often mirror authorization fees: 10 to 35 cents per batch/settlement.

    Statement fee/basic monthly service fee

    The statement fee is assessed monthly and associated with the monthly statement sent to the merchant at the end of each month’s processing cycle. This statement shows how much processing the merchant did and the costs incurred.

    The statement reflects the total dollar volume, number of transactions, average ticket and so forth. This fee is a fixed revenue stream and not based on processing volume.

    Typically the statement fee is a flat $5 to $10 per location, per month.

    Debit access fee

    Some acquirers impose a monthly fee on merchants who are set up with PIN-based debit.

    This fee is usually less than $5 per month and is in addition to the PIN-based debit and network fees.

    Monthly minimum fee

    The monthly minimum fee is a way to ensure that merchants pay a minimum amount in fees each month. If a merchant’s qualified fees do not equal or exceed the monthly minimum, the merchant is charged up to the monthly minimum to satisfy the minimum fee requirements.

    Example: A merchant has a $25 monthly minimum fee. The qualified fees for the most recent month of processing total only $15. The merchant is charged an additional $10 to meet the monthly minimum requirements. It is industry-standard to charge a monthly minimum.

    Online merchant reporting fee

    Many acquirers offer merchants the ability to view their credit card processing data online. Typically, the reporting features will be far more robust than terminal-based reporting. This optional monthly service costs from $2.50 to $10 per month.

    Terminal repair/replacement

    Most acquirers offer a warranty program that extends repair or replacement coverage to POS equipment in the event of a failure. Often POS equipment supplies, such as paper rolls or ribbons, are thrown into the package. The typical cost is $5 to $10 per location per month.

    Retrieval fees

    If a consumer disputes a transaction, a retrieval request is initiated. It takes the form of a letter requesting all hard-copy sales drafts and/or invoices to demonstrate the validity of the transaction.

    This information should be fulfilled as quickly as possible for disbursement to the issuing bank.

    This fee is typically charged whether or not the chargeback is successful and is not dependent on the chargeback amount. The typical cost to a merchant is $10.

    Chargeback fees

    An acquiring bank may assess a fee on a merchant when a chargeback occurs. The fee is typically levied only when the chargeback is successful. However, it is not determined by the amount of the chargeback. A typical fee is from $15 to $25 per chargeback.

    ACH reject fee

    The automated clearing house (ACH) fee is imposed when a merchant’s payment of monthly fees bounces for any reason. Similar to a nonsufficient funds fee imposed on a checking account by a bank when a check bounces, this fee is usually about $25.

    Annual fee

    This is simply an amount that is charged annually for maintaining the merchant account. Some acquirers charge this fee; others do not. A common amount is $69 per year.

    Payment gateway

    A payment gateway is an e-commerce service that authorizes payments for e-businesses and online retailers. An example would be Authorize.Net. It is the online equivalent of a physical POS terminal located in most retail outlets.

    A merchant account provider is typically a separate company from the payment gateway; however, the account provider could bill the gateway's fees for simplicity.

    Example payment gateway fees: The setup fee, including software or license, ranges from zero to $195. The monthly fee is $5 to $10; per item is 5 to 10 cents.

    Wireless gateway

    A wireless gateway fee is charged by a network offering wireless credit and debit solutions for on-the-go merchants. This fee is only relevant or charged when merchants are processing through a wireless device.

    These can range from pager devices or cellular phones with card readers attached to traditional terminal solutions. The fees would typically be: wireless setup/activation fee ranging from zero to $100; monthly wireless gateway fee $12 to $20; additional wireless per item fee 5 to 10 cents.

    Reprogram, application, installation or setup fees

    Many MLSs charge a merchant an upfront, initial fee, which can have a variety of names, to establish the merchant account. In most cases this fee (when collected) is 100% profit to the MLS. Such fees typically range from zero to $195.

    Cancellation or early termination fees

    While controversial, most merchant accounts have some sort of cancellation or early termination fee. There is significant cost in setting up and maintaining a merchant account.

    This fee helps recoup some of those losses should a merchant cancel, especially in the beginning.

    It’s my belief that cancellation or termination fees should be a fixed amount, such as $250, $395, or some other appropriate amount.

    Beware of acquirers that charge a variable cancellation fee. For example, some acquirers will charge the number of months left on the contract term times the average fees that merchants have been paying each month.

    Under such a scenario a merchant could be liable for thousands of dollars.

    Again, any cancellation or termination fees should be disclosed and be a fixed amount, not a hidden fee to soak an unsuspecting merchant for thousands of dollars.

    Equipment/software fees

    There are various ways a merchant can acquire POS equipment in today’s competitive marketplace. I will not use this article to debate the various options; I’ll just list them for simplicity.

    • Purchase: A merchant can buy the equipment.
    • Lease: A merchant may prefer a fixed monthly payment for an extended period, as opposed to the initial capital investment a purchase requires. Leases range from 12 to 60 months. The average lease for POS equipment is 48 months.
    • Rental: Merchants can rent POS equipment month-to-month. This is good for retailers who want a low payment without the long-term requirements associated with a lease.
    • Free placement: If a merchant agrees to the terms of the offer, a merchant can enjoy the use of POS equipment without specifically paying for it.

Hopefully, this will be a useful guide to the various charges associated with merchant accounts. If you have any questions or comments, please contact me directly.

Let’s build that million dollar portfolio.

Your responsibilities as a merchant in preventing credit card theft & fraud-PCI compliance

PCI DSS 101


A Journey, Not A Destination

by Brett Callow and Rhonda Turner

Almost everybody has a credit card, and most people have more than one card. Between 1995 and 2006, the number of cards in circulation almost doubled. Unfortunately, credit card fraud has increased just as rapidly. In the U.S. alone, card issuers lost $1.24 billion to fraud in 2006, up 9.3% from $1.14 billion in 2005. Globally, fraud costs card issuers an enormous $48 billion. To put that amount in perspective, it’s more than the GDP of the oil-rich Gulf state of Oman.

Real world. Real cases.

High-profile cases from recent years include:

  • February 18, 2005
    Bank of America announced that more than 1.2 million customer records had been lost.
  • June 16, 2005
    CardSystems was sued in a series of class actions which claimed it had failed to protect the personal information of more than 40 million customers. Both Visa and American Express prohibited CardSystems from processing any further transactions, which effectively brought its business to a halt. CardSystems faced collapse but was eventually bought out by another company.
  • January 31, 2006
    The Boston Globe and The Worcester Telegram and Gazette exposed 240,000 credit and debit card records as well as routing information for personal checks which had been printed on recycled paper used in wrapping newspaper bundles for distribution.
  • February 9, 2006
    It was revealed that approximately 200,000 debit card accounts had been disclosed by unidentified retailers. These included accounts related to bank and credit union acquirers nationwide, including Wells Fargo and CitiBank.
  • January 12, 2007
    MoneyGram confirmed that a company server had been unlawfully accessed exposing personal information, including names, addresses and bank account numbers, of around 79,000 customers.
  • January 17, 2007
    TJX Companies Inc. admitted that one of its systems had been unlawfully accessed and that at least 45.7 million credit and debit card numbers had been exposed. TJX is facing around 20 class action lawsuits and has been billed $590,000 by the HarbourOne Credit Union – $90,000 in respect of the cost of the replacement of cards and $500,000 in respect of compensation for damage to its reputation.

Credit card fraud harms consumers, it harms card issuers and it harms businesses. While consumers can normally recover their losses from card issuers and card issuers can pass their losses onto consumers, businesses have no such get-out-of-jail-free card. And, as demonstrated by the CardSystems case, credit card fraud can have catastrophic consequences for a business.
Such high profile cases have propelled security matters to center stage and brought about a new industry-wide global security program: the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS: history and background

In 2004, American Express, Discover, JCB, MasterCard and Visa joined forces to form the Payment Card Industry Security Standards Council (PCI SSC) with a mission to “enhance payment account security by fostering broad adoption of the PCI Security Standard.” To this end, Visa’s AIS and CISP programs and MasterCard’s SDP program were consolidated and updated to form the PCI DSS. The DSS provides a common framework intended to enhance the security of cardholder information throughout its lifecycle. Any business which stores, processes or transmits Primary Account Numbers (PANs) must comply with PCI DSS. The PCI SSC does not enforce compliance; instead, that responsibility rests with the individual card issuers. While all businesses must comply with the PCI DSS, compliance requirements and the date by which compliance must be achieved vary according to the card issuer and the “Merchant Level” (see the chart below). For most businesses, compliance is already mandatory. For all others, the compliance dates are fast approaching.
Non-compliance with PCI DSS can be extremely costly: a non-compliant business may incur a substantial fine and/or be prohibited from processing card transactions. Either could have a considerable impact on a business.
The SSC will monitor trends and emerging threats and update the DSS as necessary, so businesses must stay abreast of the latest requirements. That said, the non-static nature of the DSS should not present businesses with too much of a problem, as the SSC anticipates that the DSS will be amended only once per year.
The SSC is pushing hard to raise awareness of PCI DSS requirements. “The SSC is driving an aggressive program of educational activities around the Data Security Standard. We are participating in industry events, speaking at panels and conferences. Council leaders are meeting one on one with trade groups and industry associations, participating in webinars and evangelizing through the media,” said spokesperson Ella Nevill. But despite the efforts of the PCI SSC, many businesses have yet to validate their compliance. Recent surveys have shown that only about 50% of businesses currently comply with the DSS. Small businesses have been the slowest to react with only around 20% having so far achieved compliance.
To date, credit card issuers have been reasonably tolerant of the situation. The deadlines for compliance have been extended and only relatively few businesses have been subject to sanctions. But with fraud costing $48 billion per year, card issuers are likely to become increasingly insistent on compliance and increasingly likely to impose sanctions on businesses which do not comply.
So, what must a business do in order to comply with the PCI DSS?

The anatomy of the PCI DSS

The PCI DSS comprises 12 security requirements, subdivided into 6 categories:

Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security for employees and contractors

This represents only an overview of the PCI DSS requirements. For more detailed information, go to https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf

Merchant Levels and validation requirements

While all businesses must comply with the PCI DSS, it is important to note that the requirements for validation vary according to “Merchant Level”. The “Merchant Level” is determined by the number of transactions which a business processes during a year and by its exposure to risk. To complicate matters, the “Merchant Level” is not consistently defined across all card brands, but can be summarized as follows:

Level 1
  Description:
  • Any business processing 6,000,000 or more transactions per year
  • Any business which has suffered an intrusion which has resulted in data being compromised
  • Any business which a card issuer decides should meet Level 1 requirements
  Validation requirements:
  • Annual on-site assessment by a Qualified Security Assessor (QSA) or internal audit (if signed by an officer of the company)
  • Quarterly network scan by an Approved Scanning Vendor (ASV)
  Validation due date: September 30, 2004 (Visa) or June 30, 2005 (MasterCard)

Level 2
  Description:
  • Any business processing between 1,000,000 and 6,000,000 transactions per year (or between 150,000 and 6,000,000 e-commerce transactions for MasterCard)
  Validation requirements:
  • Annual PCI self-assessment questionnaire
  • Quarterly network scan by an ASV
  Validation due date: September 30, 2007 (Visa) or June 30, 2004 (MasterCard)

Level 3
  Description:
  • Any business processing between 20,000 and 1,000,000 e-commerce transactions per year (or between 20,000 and 150,000 e-commerce transactions for MasterCard)
  Validation requirements:
  • Annual PCI self-assessment questionnaire
  • Quarterly network scan by an ASV
  Validation due date: June 30, 2005

Level 4
  Description:
  • Any business processing less than 20,000 e-commerce transactions and less than 1,000,000 other transactions per year (or less than 20,000 e-commerce transactions and less than 6,000,000 other transactions for MasterCard)
  Validation requirements:
  • Annual PCI self-assessment questionnaire
  • Quarterly network scan by an ASV
  Validation due date: Discretionary

For detailed and specific information in relation to “Merchant Levels” and validation dates, businesses should consult with the relevant card issuer or acquiring bank.
Businesses must meet the expense of validation themselves; it’s not an expense which is covered by the credit card issuers. Should a QSA identify a problem which results in non-compliance, a business will need to remedy that problem before the QSA will reassess and confirm compliance. It is, therefore, in a business’s best interests to ensure compliance in advance of the QSA conducting the initial assessment. For each day that a business is not validated as DSS-compliant, it is exposed to the risk of sanctions by card issuers – and, of course, to the risk of the data which it processes and holds being compromised.
For a list of PCI-approved QSAs and ASVs, see www.pcisecuritystandards.org
DSS compliance is not only mandatory for retailers; third-party service providers and acquiring banks must be compliant too. In fact, it is the responsibility of acquiring banks to ensure the businesses that they represent are DSS-compliant.

The importance of compliance

The PCI DSS is not a new concept. For years, card issuers have operated and enforced their own codes of conduct. Visa had the Cardholder Information Security Program (CISP), American Express had the Data Security Operating Program (DSOP), MasterCard had the Site Data Protection (SDP) program and Discover had the Discover Card Information and Security Compliance (DISC) program. While compliance with these programs was mandatory, many businesses remained non-compliant. This was partly due to the fact that card issuers were reluctant to take enforcement action as this would invariably have a negative impact on business relationships.
So, what’s different about the PCI DSS? Why should a business which failed to comply with the CISP, DSOP, SDP or DISC programs expend the time and resources necessary to become DSS-compliant? There are actually a number of reasons. Firstly, compliance makes good business sense. The loss of data can be exceptionally damaging, but proactively implementing a solid set of security protocols can prevent it from happening. Secondly, the marketplace and political climate have changed. In Minnesota, a bill was recently passed which put the requirements of the PCI DSS into law. Texas and other states are considering similar enactments. And credit unions and non-profits are lobbying for legislation which will enable them to recover the cost of issuing replacement credit cards from the retailer whose systems were breached. Thirdly, the cost of fraud is reaching an unbearable level and both consumers and legislators are demanding that credit card companies take action. The likely result of all this? Card issuers will probably now be far more inclined to impose sanctions in order to force businesses to comply.

Easing the pain of compliance

Ensuring the security of customer data can both enhance customer confidence and help maintain the bottom line. The PCI DSS was introduced in order to raise the bar for cardholder data security, and achieving compliance should be high on the agenda of organizations that carry out business transactions involving the use of credit cards.
Implementing software tools for log management, vulnerability management, security scanning and endpoint security will go a long way towards helping you achieve compliance. However, the story does not end there. A merchant that receives a PCI stamp of approval cannot simply sit back and relax.
PCI compliance is but the beginning of a continuous process that requires regular monitoring of the security health status of the merchant’s network. PCI DSS is not a one-off certification that stops with the Qualified Security Assessor (QSA) confirming you are compliant, as some merchants may think. Becoming PCI compliant means that you have reached an acceptable level of security on your network, but it does not mean that from then onwards your network is secure and cannot be breached. Maintaining PCI DSS compliance status is just as important, if not more so.
PCI DSS compliance is a long-term journey, not a destination. And this is something that all merchants need to understand irrespective of size or business.
It is a cost of doing business, granted. Yet, the cost of compliance is lower than having to pay $500,000 in fines and losing your goodwill and credibility if your network is breached!