American Express – Discount Refund Option

American Express is launching the “Discount Refund Option” program in July 2011. Merchants will now have the option of receiving a refund on their credit return Discount fees in exchange for a 0.40% increase to their current discount rate.

American Express will mail all existing Amex clients a letter beginning Tuesday, May 31st, 2011 explaining the program details.

Stating the obvious: make sure you do NOT choose this option. Sure, when you do a refund you will no longer be stuck with the original discount rate charge, but you will be paying 0.40% MORE on ALL your Amex transactions.

Another perfect example of card issuing companies trying to take advantage of merchants.

A sample of this letter is attached: FINAL_One Point RDR Communication_Generic

What tokenization is and isn’t

Tokenization is a heavily promoted technology in the Payment Card Industry (PCI) Data Security Standard (DSS) space. Vendor claims range from stating that tokenization helps reduce the scope of PCI to insisting that it makes PCI compliance problems go away. The first claim is fairly accurate; the second is false.

When a solution is caught in a wave of hype and fashion it can be hard to separate fact from fiction. Hopefully, this article will clarify what tokenization can do.

What does tokenization do?

First, tokenization is not snake oil. It is an example of good security principles put into practice. People go wrong when they exaggerate its effect until it becomes likened to a “magic pill.”

The principle behind tokenization is simple. The best way to handle security concerns, such as the theft of stored data, is to avoid the problem altogether. By far the best way to protect cardholder data that you store is to stop storing it. No one can steal what you don’t store.

That’s fine in principle, but for many merchants there’s a downside to not storing cardholder data like primary account numbers (PANs): their businesses need that information on hand so they can do things like recurrent billing.

Tokenization gives merchants the benefits of storing data, without the security costs. The benefit of storing PANs and other sensitive information is that merchants can then reuse the cardholder data for subsequent transactions by passing it back up to the gateway or processor.

But since we’re talking about subsequent transactions, the gateway or processor has already handled the same cardholder data before. If the gateway or processor stores the details, what it needs from the merchant isn’t the sensitive information itself, but rather a suitable reminder so it can pull the information out of its database.

In effect, instead of the merchant storing and then resending sensitive information like the cardholder’s name, card number and expiration date, the merchant can just identify the customer, provide the amount of the new transaction and ask the processor to look up the account details.

How does it work?

In practice, the processor and the merchant agree to label a particular customer with a unique “token” (typically a 16-digit number), and all the merchant needs to store is the token, not the PAN and other identifying information.

The merchant then reuses the token every time he or she would otherwise have reused the sensitive information. The processor knows that when the merchant sends up that token, it needs to go look up and load that particular customer’s details.

A few things to note:

Tokenization naturally works at the account level, not the transaction level, since transactions are not perfect repeats of earlier ones (especially when you take into account things like time-stamps).

That isn’t a problem, because the details of how much to charge, etc., are simply not that sensitive.

It is critical that the token not be a disguised PAN: it needs to be essentially a random nonsense number that’s only useful as a label.

That way, if the merchant gets hacked and the tokens are stolen, it isn’t anywhere near as much of a problem as having the PANs stolen, because the attackers can’t possibly extract the PAN from the data they’ve stolen.

Tokenization relies on the real information being stored at the gateway or processor, so it shifts the burden of security from the merchant to the gateway or processor.

The idea is that these entities have the size and sophistication to do a superior job of protecting that sensitive data.

The idea of using a 16-digit token is so that it can be treated like a PAN in a merchant’s existing computer system.

Thus the merchant doesn’t have to undertake a significant system upgrade. The real meaning of the token only comes into play once it hits the gateway or processor.

It is critical to note that tokenization does not eliminate PCI responsibilities for merchants. Merchants are still accepting payment cards and must continue to comply with the PCI DSS. This becomes obvious when you think about it, because tokenization doesn’t replace the need to get the cardholder data into the system in the first place.
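As an added illustration (not code from the article, from Panoptic Security or from any processor), the following Python sketch models the split described above: a hypothetical processor-side vault issues random, account-level, 16-digit tokens that carry no information about the PAN, and the merchant's own records hold only the token. The card number used in the test is a constructed value, and rejecting tokens that pass the Luhn check is an added design choice rather than something the article prescribes.

```python
import secrets


def luhn_valid(number: str) -> bool:
    """Luhn check used by real card numbers; here it only keeps tokens out of PAN space."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class ProcessorVault:
    """Hypothetical processor-side vault: the only place the real PAN lives."""
    def __init__(self) -> None:
        self._token_to_pan: dict[str, str] = {}
        self._pan_to_token: dict[str, str] = {}

    def _new_token(self) -> str:
        # 16 digits from a CSPRNG; nothing about the PAN feeds in, so a stolen token
        # cannot be reversed without this vault. Luhn-valid tokens are rejected so a
        # token can never be mistaken for a real PAN (added design choice).
        while True:
            token = "".join(secrets.choice("0123456789") for _ in range(16))
            if not luhn_valid(token) and token not in self._token_to_pan:
                return token

    def tokenize(self, pan: str) -> str:
        """Account-level token: the same PAN always maps to the same token."""
        if pan not in self._pan_to_token:
            token = self._new_token()
            self._token_to_pan[token] = pan
            self._pan_to_token[pan] = token
        return self._pan_to_token[pan]

    def charge(self, token: str, amount_cents: int) -> dict:
        """The processor looks the PAN up from the token; the merchant never sends it."""
        pan = self._token_to_pan.get(token)
        if pan is None:
            return {"approved": False, "reason": "unknown token"}
        return {"approved": True, "last4": pan[-4:], "amount_cents": amount_cents}


class Merchant:
    """Merchant system that keeps only tokens in its customer records."""
    def __init__(self, processor: ProcessorVault) -> None:
        self.processor = processor
        self.customers: dict[str, str] = {}  # customer id -> 16-digit token

    def enroll(self, customer_id: str, pan: str) -> str:
        token = self.processor.tokenize(pan)  # PAN passes through once, is not kept
        self.customers[customer_id] = token
        return token

    def rebill(self, customer_id: str, amount_cents: int) -> dict:
        return self.processor.charge(self.customers[customer_id], amount_cents)
```

Because the token is drawn at random rather than derived from the PAN, a breach of the merchant's customer table yields nothing an attacker can turn back into card numbers, which is the whole point the article makes.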

How will merchants benefit?

There are very real benefits from tokenization, though, for most merchants. These include:

Merchants and their customers enjoy a substantial improvement in security when tokenization is employed.

Tokenization simplifies PCI compliance for the average merchant. It does this by reducing the scope of PCI because merchants can now (hopefully) answer no to the question “Do you store cardholder data?” This also means that merchants can either answer “not applicable” to a range of messy questions about cardholder data security or avoid the questions altogether by qualifying for a simpler version of the Self-Assessment Questionnaire.

This last point should make it clear that tokenization doesn’t do much for merchants if, for different reasons, they continue to store PANs in systems other than those set up for payments.

The payoff from tokenization is being able to stop storing sensitive cardholder data. There is only a tiny benefit in storing the data in one place instead of two; 99 percent of the payoff comes from going from one storage place to none.

I recommend that merchants (or the ISOs, merchant level salespeople and banks acting on their behalf) keep the following points in mind when evaluating companies that provide tokenization:

Look for a solution provider who understands that tokenization shifts a big part of the data security burden to the provider but does not eliminate merchants’ responsibilities in this regard.

Don’t trust a vendor who says tokenization makes PCI go away. Anyone who says that is willing to put you at risk and misinform you just to make a sale.

With these simple guidelines in place, merchants, ISOs and others have an opportunity to use tokenization to simplify and secure an important part of their businesses.

Dr. Tim Cranny is an internationally recognized security and compliance expert and is Chief Executive Officer of Panoptic Security Inc. (www.panopticsecurity.com). He speaks and writes frequently for the national and international press on compliance and technology issues. Contact him at tim.cranny@panopticsecurity.com or 801-599 3454.

Watch out for these fraudulent cards & email addresses!

One of our merchants has reported the following cards trying to be used today.


On one order that came through, this person used the email ddflow20@hotmail.com and the phone number 305-424-8323.

Fraud Warning – Landry’s Tickets Irving, TX

We received 2 POs from Landry’s Tickets on 4/25 for the Dallas Mavericks that night. They used the same credit card on both POs. Street address, zip code, and CVC all matched. Found out today that the credit card number they used was stolen.

They do not answer their phones, do not return voice mail messages, and do not reply to emails. One phone number on their website doesn’t even go to their company; it goes to another company.

Even left messages on John Landry’s cellphone and received no reply.

If anyone has any information on how to reach John, please contact Larry at Big Dog Tickets, 972-407-0549.

Thanks,

Larry

what to watch out for when someone solicits your merchant account

Hi,

I thought you would find the industry article below very helpful.

Street Smarts

Spring cleaning the ISO house

By Bill

When dishonest ISOs and merchant level salespeople (MLSs) use deceptive practices to trap business owners into signing unfair processing agreements, the merchants feel cheated. And this gives us all a bad reputation. Such practices also invite complaints that can lead to government regulation.

My pet peeves are the gimmicks and intentionally fraudulent scams. Have you ever seen or used the line, “If I can’t save you any money, I’ll give you $x?” This is usually offered with the intention that $x will never be paid. Some MLSs deviously apply one rate across an entire statement, disregarding such things as mid- and non-qualified downgrades and other fee categories. Thus, it looks like the agent is offering major savings to the merchant (and no payment is due on the bet).

I also consider “free” terminals to be a gimmick. ISOs and MLSs make up for the giveaway in other ways.

Lies that hurt us all

Intentional fraud is something that we, as honest ISOs and MLSs, need to grab by the roots and remove from our own backyards before someone does it for us. Intentional fraud includes lying to get accounts, for example:

Telling merchants their equipment is not PCI compliant when the equipment is compliant
Making unauthorized changes to contracts, including lining things out or making changes after contracts are signed
Making calls to merchants that begin with, “This is your processor and we need …”
Providing lower rates than a merchant is qualified to receive and applying surcharges to cover the real cost
Telling merchants you are calling from MasterCard Worldwide or Visa Inc.
Claiming that your company offers “direct pricing”

Inducing artificial merchant churn is another example of intentional fraud. For instance, getting a merchant to change processors multiple times to earn a bonus for each switch, as well as telling merchants they can leave their old processors without penalty when the merchants will, indeed, be penalized for switching.

The schemes we’ve seen

I asked GS Online’s MLS Forum about the scams (or potential scams) they have encountered.

BER mentioned agents who promise to cancel leases and merchant accounts for their clients and take the leased machine to “settle up.”

JOHN GALT said he sees the prominent headline, “Rates as low as 1.1 percent on all credit cards*” with the explanation, “plus interchange fees,” following an asterisk at the bottom of the postcard in three-point type.

SECONDGLANCE brought up another common practice: “One flat fee monthly for all of your processing, no additional fees!” LOPAND1 described an agent orchestrating just such a scenario: “‘Here at XXX Merchant Services we have no contract and no hidden fees. Now please sign here, saying that you agree to the contract terms and conditions that I have not provided that also include all the hidden fees that I’m not mentioning to you.’

“It still amazes [me] how many merchants I speak to that brag that they have no contract,” LOPAND1 added. “But when you ask them what they had to sign in order to get started with accepting credit cards, they go into a big defensive mode. I know I signed a contract, but it wasn’t a contract like your contract. It was a ‘no contract-contract with a free terminal,’ and I have a flat rate of 1 percent on my $1,500 a month in volume.”

A harmful practice I had not seen before was sent in by K-WAGS, who mentioned encountering an agent who signed a single merchant and sent the same contract to multiple ISOs.

MLSs and ISOs are not the only ones perpetrating fraud. “I don’t know if this has been mentioned, but the most common scam/fraud attempt is happening now with inbound calls,” CLEARENT posted. “A merchant calls wanting information on payment processing.

“They are an easy sell and even provide you with all of the paperwork. It seems so easy. You don’t ask why they called across country, why they chose you, etc. The next thing you know, it’s a bust out. They knew exactly what it took to get approved, and they knew what it took to slam through the transaction quickly.”

What we can do

How can we combat the gimmicks, scams and fraud? Several options come to mind. We need to determine which will work the best while causing the least interference.

Education would be a good start. New MLSs need to know how to deliver service the right way. Let the ISOs handle company-specific training like apps and underwriting, but the basics should be taught in some uniform manner. Many inexperienced agents are simply instructed to start knocking on doors and call if they need help. Even worse, some are taught to do improper or fraudulent things.

Educating business owners is also important, and we can get the word out. Write blogs, start classes at local chambers of commerce, and work with business startup and accountant groups. Learn how to approach media outlets. Teach business owners what to watch out for without trying to sell to them.

Once you are seen as a trusted adviser, they will approach you. One jewelry store used to say in its commercials, “An educated consumer is our best customer.”

In researching “Straight talk on professional certification,” The Green Sheet, April 11, 2011, issue 11:04:01, I found that most members of the MLS Forum do not believe certification will help because it brings no barrier to entry for new agents and will not penalize those who refuse to follow the rules.

If certification is rejected, we will need to consider registration of not only ISOs, but also MLSs. With registration, the likely barriers to entry would be fees and some type of training and testing. The details of the registration process could vary depending on who is leading the charge.

If the cause were led from within the industry, the purpose would be to clean up the industry and allow healthier margins. With government entities leading the campaign, you would have different rules in different states, and some would use registration and licensing to enhance state coffers and “protect” merchants without regard to the health of the industry.

Twelve years ago, I sat in an insurance licensing course. The most important point conveyed was to not mess with old people. Ethics in the processing industry needs to be stronger. People shouldn’t have to be told not to cheat others. Ethics training would emphasize acting in the merchant’s best interests and making a fair profit in doing so. Violations in ethics should be dealt with severely. When we fail to take action, we invite mandates. And the government is already getting involved. Many have railed against the Durbin Amendment to the Dodd-Frank Wall Street Reform Act of 2010.

Those who have heard the Sen. Richard Durbin, D-Ill., media interviews, including the March 28, 2011, interview on CNBC, know the man has no clue about how credit card processing works or who receives interchange. His “intel” is coming from retail organizations like the National Retail Federation and the National Association of Convenience Stores.

In the absence of our own grassroots organization to reform our industry, Durbin and others who have no idea of how this industry works are stepping in to do it for us.

Remedies to consider

There are a few mandates I could live with. These include requiring that:

The merchant signature appear on all pages of the contract
The section stating that the contract, as written, supersedes all changes – whether oral or in writing – be printed in all capital letters and initialed by the merchant
All merchant fees appear on a statement sent to the merchant, with all fees being for the same month in which they are incurred
Statements show the reason for all downgrades listed in them

As always, I welcome your ideas. Remember that what you do today defines your tomorrow.

Bill’s website is http://www.paymentconsulting.net/index.html, and his email address is bhoidas@gmail.com. He welcomes all connections on Facebook and LinkedIn.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.


© 2011, The Green Sheet, Inc.


Bill Hoidas
Consultant Manager Larger B2B/MOTO/Internet Accounts
Product Development Manager
Matrix Payment Systems
(847) 381-3482 office
(847) 381-4289 fax
http://paymentconsulting.net/
http://chicago.citysearch.com/review/44659273
http://paymentconsulting.net/funding.html