Terms on your statement/application translated to English

Interchange-based fees (discount rate)

    Qualified rate (credit)

    A qualified discount rate is the percentage rate merchants are charged whenever they accept regular consumer credit cards and process them in a manner that has been defined as “standard” by their merchant account providers. Typically, this requires that the cards be electronically swiped and the transaction settled within 24 hours.

    An average qualified rate is .0175 or 1.75%.

    Qualified rate for offline debit (debit/check cards without PIN entry)

    Some merchants prefer to not enter PIN numbers. Thus, processors may offer a reduced discount rate known as the qualified check card rate.

    This qualified discount rate is the percentage rate merchants are charged whenever they accept regular consumer debit or check cards and process them in a manner that has been defined as “standard” by their merchant account providers.

    Typically, this requires that the card be electronically swiped and the transaction batched/settled within 24 hours.

    An average qualified rate is .0145 or 1.45%.

    Mid-qualified rate

    Also known as a partially qualified rate, the mid-qualified rate is the percentage rate merchants are charged whenever they accept credit cards that do not qualify for the lowest rate (the qualified rate). This may happen for several reasons:

    • A consumer credit card is keyed into a credit card terminal instead of being swiped.
    • A special kind of credit card is used, such as a rewards card, foreign card, purchase or business card.
    • A transaction is held in the terminal or software without being batched within the specified amount of time (24 to 48 hours).

    A mid-qualified rate is usually .075% to 2.0% and charged in addition to the qualified rate.

    Nonqualified rate

    The nonqualified rate is the highest percentage rate merchants are charged whenever they accept credit cards. All transactions that are not qualified or mid-qualified will fall into this rate category. This may happen for several reasons:

    • A consumer credit card is keyed into a credit card terminal instead of being swiped, and address verification is not performed.
    • A special kind of credit card is used, such as a business card, and all required fields are not entered.
    • A merchant does not settle the daily batch within the allotted time frame.

    A nonqualified rate is usually 1.25% to 2.50% and charged in addition to the qualified rate.

    Interchange-plus pricing

    Larger and more sophisticated merchants usually have their merchant account services priced on an interchange-plus basis. This means they pay a specified markup over and above the interchange costs, as opposed to the typical three- or four-tiered pricing models.

    For example, interchange plus .30 basis points is not uncommon. In this instance, a merchant processing $100,000 in bankcard volume would yield $300 per month in gross profitability before the revenue share.

Authorization and other fees

    Bankcard authorization/transaction fees

    These apply to bankcards issued by MasterCard Worldwide and Visa U.S.A.

    The authorization fee is charged each time a transaction is sent to the card-issuing bank to be authorized. It is usually between 10 cents and 20 cents, plus the interchange cost. Even if the transaction is declined, this fee is usually assessed.

    Nonbankcard authorization/transaction fees

    These apply to cards issued by American Express Co., Discover Financial Services LLC, Diners Club Inc., as well as electronic benefits transfer (EBT), gift and loyalty cards, and so forth.

    The authorization fee is charged each time a transaction is sent to the card-issuing bank to be authorized. It is usually between 10 and 20 cents. Some acquirers will separate EBT and gift and loyalty card transactions.

    PIN-based (online) debit fees and network costs

    Online debit cards require that every transaction be electronically authorized. Each transaction is additionally secured with the personal identification number (PIN). There are two ways to price PIN-based debit.

    • A single flat fee (typically in the 65- to 75-cent range, including any debit network fees)
    • A PIN-based transaction fee plus the actual cost for the various debit networks. For example: 20 cents plus actual network cost.

    AVS fee

    Address verification service (AVS) is a fraud prevention service that compares the billing address provided by the cardholder in the transaction with the card issuing bank’s records and verifies that they match.

    This fee is typically 5 to 10 cents per item.

    Voice authorization fees

    This fee is only charged when a merchant calls in a transaction to an 800 number for a telephone or voice authorization. It is useful if the merchant’s terminal or software isn’t working. Most merchants rarely use the voice authorization service. Example: The average cost per voice authorization ranges from $0.75 to $1.50, and is set by the merchant account provider.

    Batch fee

    A batch fee is charged whenever a merchant “settles” a terminal. Settling, also known as “batching,” is the act of sending a merchant’s completed transactions at the end of the business day to the acquiring bank for payment. It is industry-standard to charge this fee.

    Batch fees often mirror authorization fees: 10 to 35 cents per batch/settlement.

    Statement fee/basic monthly service fee

    The statement fee is assessed monthly and associated with the monthly statement sent to the merchant at the end of each month’s processing cycle. This statement shows how much processing the merchant did and the costs incurred.

    The statement reflects the total dollar volume, number of transactions, average ticket and so forth. This fee is a fixed revenue stream and not based on processing volume.

    Typically the statement fee is a flat $5 to $10 per location, per month.

    Debit access fee

    Some acquirers impose a monthly fee on merchants who are set up with PIN-based debit.

    This fee is usually less than $5 per month and is in addition to the PIN-based debit and network fees.

    Monthly minimum fee

    The monthly minimum fee is a way to ensure that merchants pay a minimum amount in fees each month. If a merchant’s qualified fees do not equal or exceed the monthly minimum, the merchant is charged up to the monthly minimum to satisfy the minimum fee requirements.

    Example: A merchant has a $25 monthly minimum fee. The qualified fees for the most recent month of processing total only $15. The merchant is charged an additional $10 to meet the monthly minimum requirements. It is industry-standard to charge a monthly minimum.

    Online merchant reporting fee

    Many acquirers offer merchants the ability to view their credit card processing data online. Typically, the reporting features will be far more robust than terminal-based reporting. This optional monthly service costs from $2.50 to $10 per month.

    Terminal repair/replacement

    Most acquirers offer a warranty program that extends repair or replacement coverage to POS equipment in the event of a failure. Often POS equipment supplies, such as paper rolls or ribbons, are thrown into the package. The typical cost is $5 to $10 per location per month.

    Retrieval fees

    If a consumer disputes a transaction, a retrieval request is initiated. It takes the form of a letter requesting all hard-copy sales drafts and/or invoices to demonstrate the validity of the transaction.

    This information should be fulfilled as quickly as possible for disbursement to the issuing bank.

    This fee is typically charged whether or not the chargeback is successful and is not dependent on the chargeback amount. The typical cost to a merchant is $10.

    Chargeback fees

    An acquiring bank may assess a fee on a merchant when a chargeback occurs. The fee is typically levied only when the chargeback is successful. However, it is not determined by the amount of the chargeback. A typical fee is from $15 to $25 per chargeback.

    ACH reject fee

    The automated clearing house (ACH) fee is imposed when a merchant’s payment of monthly fees bounces for any reason. Similar to a nonsufficient funds fee imposed on a checking account by a bank when a check bounces, this fee is usually about $25.

    Annual fee

    This is simply an amount that is charged annually for maintaining the merchant account. Some acquirers charge this fee; others do not. A common amount is $69 per year.

    Payment gateway

    A payment gateway is an e-commerce service that authorizes payments for e-businesses and online retailers. An example would be Authorize.Net. It is the online equivalent of a physical POS terminal located in most retail outlets.

    A merchant account provider is typically a separate company from the payment gateway; however, the account provider could bill the gateway’s fees for simplicity.

    Example payment gateway fees: The setup fee, including software or license, ranges from zero to $195. The monthly fee is $5 to $10; the per-item fee is 5 to 10 cents.

    Wireless gateway

    A wireless gateway is charged by a network offering wireless credit and debit solutions for on-the-go merchants. This fee is only relevant or charged when merchants are processing through a wireless device.

    These can range from pager devices or cellular phones with card readers attached to traditional terminal solutions. The fees would typically be: wireless setup/activation fee ranging from zero to $100; monthly wireless gateway fee $12 to $20; additional wireless per item fee 5 to 10 cents.

    Reprogram, application, installation or setup fees

    Many MLSs charge a merchant an upfront, initial fee, which can have a variety of names, to establish the merchant account. In most cases this fee (when collected) is 100% profit to the MLS. Such fees typically range from zero to $195.

    Cancellation or early termination fees

    While controversial, most merchant accounts have some sort of cancellation or early termination fee. There is significant cost in setting up and maintaining a merchant account.

    This fee helps recoup some of those losses should a merchant cancel, especially in the beginning.

    It’s my belief that cancellation or termination fees should be a fixed amount, such as $250, $395, or some other appropriate amount.

    Beware of acquirers that charge a variable cancellation fee. For example, some acquirers will charge the number of months left on the contract term times the average fees that merchants have been paying each month.

    Under such a scenario a merchant could be liable for thousands of dollars.

    Again, any cancellation or termination fees should be disclosed and be a fixed amount, not a hidden fee to soak an unsuspecting merchant for thousands of dollars.

    Equipment/software fees

    There are various ways a merchant can acquire POS equipment in today’s competitive marketplace. I will not use this article to debate the various options; I’ll just list them for simplicity.

    • Purchase: A merchant can buy the equipment.
    • Lease: A merchant may prefer a fixed monthly payment for an extended period, as opposed to the initial capital investment a purchase requires. Leases range from 12 to 60 months. The average lease for POS equipment is 48 months.
    • Rental: Merchants can rent POS equipment month-to-month. This is good for retailers who want a low payment without the long-term requirements associated with a lease.
    • Free placement: If a merchant agrees to the terms of the offer, a merchant can enjoy the use of POS equipment without specifically paying for it.

Hopefully, this will be a useful guide to the various charges associated with merchant accounts. If you have any questions or comments, please contact me directly.

Let’s build that million dollar portfolio.

Your responsibilities as a merchant in preventing credit card theft & fraud: PCI compliance

PCI DSS 101


A Journey, Not A Destination

by Brett Callow and Rhonda Turner

Almost everybody has a credit card, and most people have more than one card. Between 1995 and 2006, the number of cards in circulation almost doubled. Unfortunately, credit card fraud has increased just as rapidly. In the U.S. alone, card issuers lost $1.24 billion to fraud in 2006, up 9.3% from $1.14 billion in 2005. Globally, fraud costs card issuers an enormous $48 billion. To put that amount in perspective, it’s more than the GDP of the oil-rich Gulf state of Oman.

Real world. Real cases.

High-profile cases from recent years include:

  • February 18, 2005
    Bank of America announced that more than 1.2 million customer records had been lost.
  • June 16, 2005
    CardSystems was sued in a series of class actions which claimed it had failed to protect the personal information of more than 40 million customers. Both Visa and American Express prohibited CardSystems from processing any further transactions, which effectively brought its business to a halt. CardSystems faced collapse but was eventually bought out by another company.
  • January 31, 2006
    The Boston Globe and The Worcester Telegram and Gazette exposed 240,000 credit and debit card records as well as routing information for personal checks which had been printed on recycled paper used in wrapping newspaper bundles for distribution.
  • February 9, 2006
    It was revealed that approximately 200,000 debit card accounts had been disclosed by unidentified retailers. These included accounts related to bank and credit union acquirers nationwide, including Wells Fargo and CitiBank.
  • January 12, 2007
    MoneyGram confirmed that a company server had been unlawfully accessed exposing personal information, including names, addresses and bank account numbers, of around 79,000 customers.
  • January 17, 2007
    TJX Companies Inc. admitted that one of its systems had been unlawfully accessed and that at least 45.7 million credit and debit card numbers had been exposed. TJX is facing around 20 class action lawsuits and has been billed $590,000 by the HarbourOne Credit Union – $90,000 in respect of the cost of the replacement of cards and $500,000 in respect of compensation for damage to its reputation.

Credit card fraud harms consumers, it harms card issuers and it harms businesses. While consumers can normally recover their losses from card issuers and card issuers can pass their losses onto consumers, businesses have no such get-out-of-jail-free card. And, as demonstrated by the CardSystems case, credit card fraud can have catastrophic consequences for a business.
Such high profile cases have propelled security matters to center stage and brought about a new industry-wide global security program: the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS: history and background

In 2004, American Express, Discover, JCB, MasterCard and Visa joined forces to form the Payment Card Industry Security Standards Council (PCI SSC) with a mission to “enhance payment account security by fostering broad adoption of the PCI Security Standard.” To this end, Visa’s AIS and CISP programs and MasterCard’s SDP program were consolidated and updated to form the PCI DSS. The DSS provides a common framework intended to enhance the security of cardholder information throughout its lifecycle. Any business which stores, processes or transmits Primary Account Numbers (PANs) must comply with PCI DSS. The PCI SSC does not enforce compliance; that responsibility rests with the individual card issuers. While all businesses must comply with the PCI DSS, compliance requirements and the date by which compliance must be achieved vary according to the card issuer and the “Merchant Level” (see the chart below). For most businesses, compliance is already mandatory. For all others, the compliance dates are fast approaching.
Non-compliance with PCI DSS can be extremely costly: a non-compliant business may incur a substantial fine and/or be prohibited from processing card transactions. Either could have a considerable impact on a business.
The SSC will monitor trends and emerging threats and update the DSS as necessary, so businesses must stay abreast of the latest requirements. That said, the non-static nature of the DSS should not present businesses with too much of a problem, as the SSC anticipates that the DSS will be amended only once per year.
The SSC is pushing hard to raise awareness of PCI DSS requirements. “The SSC is driving an aggressive program of educational activities around the Data Security Standard. We are participating in industry events, speaking at panels and conferences. Council leaders are meeting one on one with trade groups and industry associations, participating in webinars and evangelizing through the media,” said spokesperson Ella Nevill. But despite the efforts of the PCI SSC, many businesses have yet to validate their compliance. Recent surveys have shown that only about 50% of businesses currently comply with the DSS. Small businesses have been the slowest to react with only around 20% having so far achieved compliance.
To date, credit card issuers have been reasonably tolerant of the situation. The deadlines for compliance have been extended and only relatively few businesses have been subject to sanctions. But with fraud costing $48 billion per year, card issuers are likely to become increasingly insistent on compliance and increasingly likely to impose sanctions on businesses which do not comply.
So, what must a business do in order to comply with the PCI DSS?

The anatomy of the PCI DSS

The PCI DSS comprises 12 security requirements, subdivided into 6 categories:

Build and maintain a secure network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect cardholder data

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a vulnerability management program

  • Requirement 5: Use and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications

Implement strong access control measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

Regularly monitor and test networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

Maintain an information security policy

  • Requirement 12: Maintain a policy that addresses information security for employees and contractors

This represents only an overview of the PCI DSS requirements. For more detailed information, go to https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf

Merchant Levels and validation requirements

While all businesses must comply with the PCI DSS, it is important to note that the requirements for validation vary according to “Merchant Level”. The “Merchant Level” is determined by the number of transactions which a business processes during a year and by its exposure to risk. To complicate matters, the “Merchant Level” is not consistently defined across all card brands, but can be summarized as follows:

Level 1

  Level description:
  • Any business processing 6,000,000 or more transactions per year
  • Any business which has suffered an intrusion which has resulted in data being compromised
  • Any business which a card issuer decides should meet Level 1 requirements

  Validation requirements:
  • Annual on-site assessment by a Qualified Security Assessor (QSA) or internal audit (if signed by an officer of the company)
  • Quarterly network scan by an Approved Scanning Vendor (ASV)

  Validation due date: September 30, 2004 (Visa) or June 30, 2005 (MasterCard)

Level 2

  Level description:
  • Any business processing between 1,000,000 and 6,000,000 transactions per year (or between 150,000 and 6,000,000 e-commerce transactions for MasterCard)

  Validation requirements:
  • Annual PCI self-assessment questionnaire
  • Quarterly network scan by an ASV

  Validation due date: September 30, 2007 (Visa) or June 30, 2004 (MasterCard)

Level 3

  Level description:
  • Any business processing between 20,000 and 1,000,000 e-commerce transactions per year (or between 20,000 and 150,000 e-commerce transactions for MasterCard)

  Validation requirements:
  • Annual PCI self-assessment questionnaire
  • Quarterly network scan by an ASV

  Validation due date: June 30, 2005

Level 4

  Level description:
  • Any business processing less than 20,000 e-commerce transactions and less than 1,000,000 other transactions per year (or less than 20,000 e-commerce transactions and less than 6,000,000 other transactions for MasterCard)

  Validation requirements:
  • Annual PCI self-assessment questionnaire
  • Quarterly network scan by an ASV

  Validation due date: Discretionary

For detailed and specific information in relation to “Merchant Levels” and validation dates, businesses should consult with the relevant card issuer or acquiring bank.
Businesses must meet the expense of validation themselves; it’s not an expense which is covered by the credit card issuers. Should a QSA identify a problem which results in non-compliance, a business will need to remedy that problem before the QSA will reassess and confirm compliance. It is, therefore, in businesses’ best interests to ensure compliance in advance of the QSA conducting the initial assessment. For each day that a business is not validated as DSS-compliant, it is exposed to the risk of sanctions by card issuers – and, of course, to the risk of the data which it processes and holds being compromised.
For a list of PCI-approved QSAs and ASVs, see www.pcisecuritystandards.org
DSS compliance is not only mandatory for retailers; third-party service providers and acquiring banks must be compliant too. In fact, it is the responsibility of acquiring banks to ensure the businesses that they represent are DSS-compliant.

The importance of compliance

The PCI DSS is not a new concept. For years, card issuers have operated and enforced their own codes of conduct. Visa had the Cardholder Information Security Program (CISP), American Express had the Data Security Operating Program (DSOP), MasterCard had the Site Data Protection (SDP) program and Discover had the Discover Card Information and Security Compliance (DISC) program. While compliance with these programs was mandatory, many businesses remained non-compliant. This was partly due to the fact that card issuers were reluctant to take enforcement action as this would invariably have a negative impact on business relationships.
So, what’s different about the PCI DSS? Why should a business which failed to comply with the CISP, DSOP, SDP or DISC programs expend the time and resources necessary to become DSS-compliant? There are actually a number of reasons. Firstly, compliance makes good business sense. The loss of data can be exceptionally damaging, but proactively implementing a solid set of security protocols can prevent it from happening. Secondly, the marketplace and political climate have changed. In Minnesota, a bill was recently passed which put the requirements of the PCI DSS into law. Texas and other states are considering similar enactments. And credit unions and non-profits are lobbying for legislation which will enable them to recover the cost of issuing replacement credit cards from the retailer whose systems were breached. Thirdly, the cost of fraud is reaching an unbearable level and both consumers and legislators are demanding that credit card companies take action. The likely result of all this? Card issuers will probably now be far more inclined to impose sanctions in order to force businesses to comply.

Easing the pain of compliance

Ensuring the security of customer data can both enhance customer confidence and help maintain the bottom line. The PCI DSS was introduced in order to raise the bar for cardholder data security, and achieving compliance should be high on the agenda of organizations that carry out business transactions involving the use of credit cards.
Implementing software tools for log management, vulnerability management, security scanning and endpoint security will go a long way towards helping you achieve compliance. However, the story does not end there. Just because a merchant receives a PCI stamp of approval, he simply cannot sit back and relax.
PCI compliance is but the beginning of a continuous process that requires regular monitoring of the security health status of the merchant’s network. PCI DSS is not a one-off certification that stops with the Qualified Security Assessor (QSA) confirming you are compliant, as some merchants may think. Becoming PCI compliant means that you have reached an acceptable level of security on your network, but it does not mean that from then onwards your network is secure and cannot be breached. Maintaining PCI DSS compliance status is just as important, if not more so.
PCI DSS compliance is a long-term journey, not a destination. And this is something that all merchants need to understand irrespective of size or business.
It is a cost of doing business, granted. Yet, the cost of compliance is lower than having to pay $500,000 in fines and losing your goodwill and credibility if your network is breached!

Termination Fees

Another nail in the coffin for termination or “early cancellation” fees!

Termination Fees:

One of the biggest threats looming on the horizon to the practice of paying for merchants is the laws limiting termination fees. In order to preserve the value of their investment, many ISOs charge hefty termination fees to merchants that want to terminate their merchant agreements and move their processing to a competitor. Most ISOs charge a termination fee of about $300.00 to a merchant that wants to move its processing to a competitor.
However, many other ISOs charge a “lost profit” type of termination fee, where the ISO takes as a termination fee the profits it is missing out on because the merchant terminated the merchant agreement before the initial term of the agreement was over. These lost profit type of termination fees can mean that a simple restaurant is charged as much as $10,000.00 or more to terminate its merchant account. Many ISOs don’t collect the termination fee but instead use it as a way to force the merchant to keep its credit card processing with the ISO. Although it is a questionable business practice, these types of lost profit termination fees have been used effectively to keep merchants from switching their processing.
However, new laws limiting termination fees may make it much harder to keep merchants from moving their processing to a competitor. In the first law of its type, Arkansas just implemented a law limiting termination fees to $50.00. Also, upon termination there is a limitation that the merchant cannot continue to be charged any monthly minimum fee for more than 1 month after the agreement is terminated. These limitations should effectively make it impossible to charge more than a $50.00 termination fee. Arkansas’ law is far from an anomaly, as many other states are contemplating and are sure to be implementing such laws.
If these laws become standard throughout the country, it could make the practice of paying for merchants economically unsound. If merchants can leave pretty much whenever they want and move their processing at will, it will be much harder to justify paying an agent or the merchant $1,000.00 in order to move their processing to a particular company, if the company has no way of ensuring it gets a return on its investment. It may not be an intended consequence of these termination fee laws, but they could mean the end of paying for merchants.

The information contained herein is for informational purposes only and should not be relied upon in reaching a conclusion in a particular area. The legal principles discussed herein were accurate at the time this article was authored but are subject to change. Please consult an attorney before making a decision using only the information provided in this article.

Paul A. Rianda, Esq. is an attorney who has specialized in providing legal advice to the bankcard industry for the past 10 years. For more information about this article or any other matters, please contact Mr. Rianda at (949) 261-7895 or via email at paul@riandalaw.com.


Bill Hoidas
District Sales Manager
Larger B2B/MOTO/Internet Accounts
Product Development Manager
Matrix Payment Systems
(847) 381-3482 office
(847) 381-4289 fax
http://paymentconsulting.net
John 3:16 For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life.

Banish Chargebacks

Banish chargebacks through communication

Chargebacks result from disputes between cardholders and merchants. They have always been problematic, but they are part of the business climate and cannot be ignored. And, if merchants follow certain business practices, they can operate virtually chargeback free.

The sooner you address the subject the better it will be for your business.

Keep in mind that an ounce of prevention is the best cure.

From time to time, merchants’ goods and services will not live up to purchasers’ expectations.

A solid customer service policy explaining the terms by which merchandise can be returned, and in what condition, is essential. Customers must know what they can and cannot expect.

Such policies should be disclosed upfront in a straightforward format and easy-to-understand language. This is true regardless of whether a sale is face-to-face, MO/TO or via the Internet.

A chargeback begins when the cardholder contacts the issuing bank and complains about a transaction. The issuing bank sends the complaint to the processor, which then contacts the merchant in the event of a retrieval request or chargeback. Depending on the reason for the action, there may be a temporary reversal of funds in the merchant’s account.

Merchants need to understand that a chargeback begins with the cardholder’s interpretation of what has happened. It is the merchant’s responsibility to provide proof disputing the chargeback.

When responding to chargeback notices, merchants must adhere to specific time frames. Otherwise, they will lose by default.

Once a dispute arises, the merchant involved must provide a detailed written record of what transpired. The merchant should convey concise facts supporting a rebuttal. Complete, clear responses to the card issuer are vital to the process.

Merchants should understand that setting clear policies for returns will lower the number of chargebacks they experience.



Congress grills warring parties on interchange


T rying to keep an open mind, without rushing to any judgment, it doesn’t look so good for the credit card companies,” Rep. John Conyers said by way of opening a July 19, 2007, U.S. House of Representatives Judiciary Committee hearing on interchange.

Conyers, D-Mich, is Chairman of the committee’s Antitrust Task Force. He suggested the issues at hand boil down to whether interchange fees are increasing too rapidly and impose unfair costs on consumers, and whether credit card companies are engaged in anti-competitive behavior.

Interchange is the fee paid to a card-issuing bank by the card-acquiring (or merchant) bank. Interchange rates, a percentage of sales as set by Visa U.S.A. and MasterCard Worldwide, vary by retail sector, type of card, transaction amount (large-dollar versus small-dollar) and authorization procedure.

John Buhrmaster, head of the First National Bank of Scotia, spoke against interchange regulation on behalf of the Independent Community Bankers of America. Timothy Muris, of O’Melveny & Myers LLP also voiced opposition to government intervention.

Mallory Duncan, of the National Retail Federation, advocated for interchange regulation. Duncan was joined by Edmund Mierzwinski, of the U.S. Public Interest Research Group, and Steven Smith, head of KVA-T Food Stores Inc. and Chairman of the Food Marketing Institute’s board of directors.

Laissez faire?

Acknowledging that the fees have increased in recent years, Buhrmaster and Muris each testified that the fees are simply part of the normal cost of doing business.

Customers get the convenience of having a line of credit in their pockets. Merchants do not have to set up in-house credit programs.

And small banks benefit because they can participate in the system and “stand toe-to-toe on both the issuing and acquiring sides of the business,” Buhrmaster said.

Imposing pricing controls on such fees, Muris said, would stifle the market, limit the products credit card companies offer and hurt consumers.

Time to step in?

Those in favor of government intervention said the card Associations’ interchange fee practices constitute monopolistic, antitrust behavior that harms merchants and consumers alike.

Duncan denied that the retail industry is seeking price controls. He said the problem is that interchange fees have risen rapidly in a process that is hidden from merchants and customers.

“This market is broken,” Duncan said. “It needs transparency and genuine competition. Currently Visa and MasterCard do not battle for merchants. They battle to get banks to issue their cards. It is the only market in which competitors compete by raising prices,” in order to entice banks to issue their cards.

No quick fix

Buhrmaster said the market is competitive and that merchants are free to do business with the card Associations, make deals elsewhere or even to refuse credit cards altogether. He cited Costco, which only accepts American Express Co.-branded cards.

Smith replied that accepting Visa- and MasterCard-branded cards isn’t optional: Since credit card use now accounts for 60% to 65% of consumer purchases, and the card Associations control 80% of credit card transaction volume, retailers cannot refuse to accept their cards. Smith also said that while other costs of doing business are negotiable, interchange fees are not.

Conyers said several more hearings would be necessary before a resolution could be found.

The ETA weighs in

Jim Baumgartner, President of the Electronic Transactions Association (ETA), and the ETA’s government relations staff met with senior House Judiciary Committee staff before the hearing.

“We took the opportunity to press for one of the key tenets of the ETA’s 2007 Industry Relations Policies that supports private sector governance of interchange and opposes any government effort to regulate or establish price controls on interchange rates,” Mary Dees Griffith posted on GS Online’s MLS Forum. Griffith, President and Chief Operating Officer of Preferred Health Technology, chairs ETA’s government relations committee.

The ETA’s complete policy positions are online at www.electran.org/docs/ir/Policy_Positions_FINAL.pdf.

Save $40 for every $1,000.00 you pay for Fed Ex, UPS and DHL.

Hi,

I want all of my merchants to know about this. If you ship anything at all even if it’s just overnight mail you can’t lose. It’s a no brainer. Many shippers aren’t even aware that FedEx & UPS will refund your entire shipping charge if your package is delivered even one minute past the specified delivery time. I see no risk with this program because you can cancel their service at any time and it’s totally non intrusive as they do not access your computer system and they charge only on contingency. They also check for overcharges, incorrect rates and discounts and any unauthorized charges. You could track this info yourself but you probably don’t.

Go to their website http://www.veriship.com/index.aspx and if you want to log in let me know and I’ll give you a temporary password. If you are interested (and there is no reason you shouldn’t be) let me contact them for you to make sure you get a top representative. Any assessment they give you regarding your shipping is of course free.

Let me know when you’d like to get started.



Prepaid loadable credit cards

One of my clients recently asked me about reloadable cards that they wanted to use for referral fees, gifts and bonuses. After an exhaustive search I have found a company that is second to none in customer service and quality. They are also the most economical. Besides having a great design department, they don’t have any hidden fees, which I found all of the other companies had. Not only are there hidden fees to the merchant with other companies, they also tack on fees to the receiver of the card, which would really be a turnoff to the person you want to impress the most: the card recipient.

These cards are also ideal for use as payroll cards, fuel cards, etc. The regular card is good at over 1,000,000 retail stores such as Walmart, Walgreens, grocery stores, etc. They can also be used at an ATM, or the recipient can go online and transfer the funds in the card to their bank account for no fee.

For a flavor of what they do visit their website at http://www2.transcard.com/Default.aspx .

You can order the cards plain or with your logo, etc. on them which can be very impressive. You can submit your own artwork or for just a small extra cost per card utilize their art department. Attached is an example of a nice design they did for one of my clients.

Let me know if you’re interested.

Bill



Hey-I’m famous!

Article published in Issue Number: 070101

Forum

Merchant needs counsel

I’ve been a subscriber of your magazines since I began in the processing industry, and I have a question. What attorney can you recommend to defend a merchant in a large chargeback dispute?

Thanks, Bill Hoidas Matrix Payment Systems

Bill,

The Green Sheet Inc. does not recommend individuals or companies. However, following are some attorneys we know of (listed alphabetically by last name) who specialize in payments industry-related issues:

Adam Atlas
514-842-0886
atlas@adamatlas.com

Theodore F. Monroe
310-694-8161
monroe@tfmlaw.com

Anthony L. Ogden
661-775-8527
tony.ogden@bankcardlaw.com

Paul A. Rianda
949-261-7895
paul@riandalaw.com

Holli Targan
248-727-1460
htargan@jaffelaw.com

Editor

Take less than a minute to fight high interchange rates

It’s time to take the majority of merchants to the woodshed. You all complain about high rates but even with prodding do very little or nothing about it. Below is action you can take that will take less than one minute. I support lower interchange rates for credit card processing and have sent this to my U.S. Representative and senators.

Please cut & paste the following message to your U.S. Representatives and Senators or if you wish send your own message.

To find your local representative go to http://www.house.gov/writerep/ and if you need your 9 digit zip code go to http://zip4.usps.com/zip4/welcome.jsp
For your U.S. senators go to http://www.google.com/search?hl=en&newwindow=1&sa=X&oi=spell&resnum=0&ct=result&cd=1&q=contact+your+u.s.+senator&spell=1
You will be given a link to their email address. The whole process should take less than one minute of your time.

As my representative in the U.S. Congress I am a concerned merchant and voter who wants you to support the investigation of usurious credit card charges to merchants and implement the necessary reductions to promote free trade. The article below describes the current state of affairs.

Using the above method took only a few seconds.

Good luck!

Bill

Interchange under attack

It’s almost a rite of spring: One or both of the card Associations implement new interchange fee schedules. This forces acquirers and processors to adjust their fees, and the retail sector cries foul.

This year, Visa U.S.A. rolled out a new interchange schedule, effective April 14. Within days, the National Retail Federation was rallying state lawmakers behind efforts to force major changes to interchange.

Many of Visa’s rates remain the same as last year. However, Visa introduced a new card category – Signature Preferred – which raises interchange on some transactions.

MasterCard Worldwide also recently announced rate changes, effective April and June 2007. (For information on the latest rate changes from MasterCard and Visa, see The Green Sheet, issues 07:03:01 and 07:05:01, respectively.)

“When Visa and MasterCard [assess interchange], they don’t take it on just the retail sale; they take it on the entire transaction, including the sales tax,” Mallory Duncan said during the National Conference of State Legislatures’ (NCSL) spring conference, April 19 in Washington, D.C.

Duncan is NRF Senior Vice President and General Counsel, and Chair of the Merchants Trade Coalition, a group of federal and state trade associations representing merchants who accept credit cards. He said retailers, who merely collect and do not retain sales taxes, are particularly irked that those funds are included in interchange assessments.

“The sales tax is the people’s money, and [Visa and MasterCard] shouldn’t be trying to take a piece of it,” he said. “That drives up prices even higher, and everybody ends up paying a tax on a tax.”

It also bothers merchants that monthly account statements from card servicing banks don’t break out interchange costs, Duncan added.

The NRF and other members of the Merchants Trade Coalition have been railing against interchange since the so-called Wal-Mart suit opened to public debate this long-standing industry pricing mechanism.

Several coalition members were party to that lawsuit. It resulted in a multibillion-dollar out-of-court settlement and the elimination of rules that compelled merchants accepting MasterCard and Visa credit cards to accept all other card products bearing those brand names.

Merchants managed to get the ear of the U.S. Congress, which held hearings last year. But so far this year, interchange is not high on the agendas of any pertinent congressional committees.

For now, lawmakers are more interested in card issuers. Earlier this month, Sen. Carl Levin, D-Mich., took to the Senate floor to denounce card issuer fees and fee-levying practices. He also said he was introducing legislation to rein in such practices.

Legislation pending in several states, however, would cap or exclude interchange on certain transactions.

The Merchants Trade Coalition estimates that MasterCard and Visa collected about $36 billion in interchange during 2006. The group noted that this represents a 17% increase over 2005, and an increase of 117.5% since 2001.

At least a dozen bills pending in state legislatures address topics related to interchange, according to the NCSL. Here’s a rundown of several key initiatives:

  • Two bills introduced in the Florida state legislature would require refunds to merchants paying interchange on sales taxes.
  • Legislation pending in Kansas would require that merchants have better access to information related to interchange rates. It also defines interchange fees for purposes of state law.
  • A bill pending in Nevada would prohibit interchange on certain transactions.
  • In Oklahoma, legislation has been introduced that would prohibit certain contract provisions regarding merchant transaction fees.
  • Lawmakers in Tennessee are considering legislation that would cap at 0.75% all processing fees associated with credit or debit card transactions. The proposal would apply to contracts entered into with merchants by banks or their agents after July 1, 2007.
  • Texas lawmakers have a bill before them that would require more transparency in disclosing interchange and related processing fees. A tougher bill, introduced and quickly withdrawn in March after a large consumer letter-writing campaign, would have allowed retailers to surcharge credit and debit card payments to cover processing costs.
  • In Washington state, lawmakers want to restrict interchange to 1.5% of the total cost of a retail card transaction.

Whether this attention given to squeaky wheels will lead to a smoother ride for retailers remains to be seen.



Fines to begin for non compliance of PCI, etc.

Pressure mounts for retailers to comply with payment card data security standards
By Paul Demery

For six years, credit card companies have been threatening retailers with fines and loss of credit card status if they don’t comply with the payment card industry data security standards. And retailers have been routinely ignoring them.

Now that might be changing. The card companies recently upped their fines to as much as $25,000 a month for large merchants who don’t comply with the standards. And high profile data breaches, such as the one that TJX Companies Inc. discovered in January, are raising consumers’ awareness that their payment data might not be secure—to the point that they might stop shopping at retailers where they perceive a threat.

A clear message
Retailers are getting a clear message from merchant banks, credit card companies and consumers that they need to get on board with security standards designed to protect credit card account and other data in consumer databases. The goal is to prevent the kind of theft that occurred at TJX, where criminals broke into computer systems in 2005 and 2006 and stole customer information from a network that handles credit card, debit card, check and merchandise-returns transactions.

Card companies say retailers can avoid data breaches like that by implementing the payment card industry data security standards, or PCI-DSS, as they’re known in the payment industry. The standards are comprised of 12 general requirements for such actions as assuring that networks have updated security patches from software vendors, not storing sensitive customer data, and deploying software applications that encrypt the customer data that they do store in databases.

It may be true that complying with payment security standards will prevent such data breaches, but doing so is not easy—and online retailers face many other pressing issues. “Most companies don’t want to spend money on security,” says Avivah Litan, a security technology expert at research and advisory firm Gartner Inc. “They’d rather spend it on revenue-generating projects.”

A recent Gartner survey of 50 retailers found that only one-third of the largest merchants—those identified by credit card companies as Tier 1, or processing more than 6 million payment card transactions per year—were compliant with payment card industry standards. “That’s certainly well below what it should be,” Litan says.

The difficulty of implementing the standards varies based on a retailer’s extent of operations and whether it sells through a single channel or multiple ones. “99% of this is common-sense stuff that retailers should have in place already,” says Robin Bonin, IT director for Golfballs.com Inc.

Golfballs.com, which sells mostly online but operates one store, complies with the payment industry standards and took extra steps to fix security holes in its data networks during a recent site re-design, Bonin says.

Hundreds of security issues
Other retailers find compliance more difficult. Most merchants prefer not to discuss payment security issues publicly, but Mallory Duncan, senior vice president and general counsel of the National Retail Federation, a trade group which represents large retailers, says many merchants find it hard to keep up with updated software and other requirements of compliance. “Retailers are getting closer in line, but it’s a challenge,” he says.

Indeed, the 12 standards actually amount to more than 200 points that retailers may have to address, he adds. As a result, many retailers leave security standards compliance on their to-do lists.

Many retailers who have not experienced data breaches apparently operate under a false sense of security that their customer records are safe, Litan and other experts say. Such retailers wait until a highly publicized attack occurs at another retailer or until a merchant bank warns the retailer that it could get fined if it doesn’t get up to par with security, they say.

The unintended build-up
Retailers typically keep customer account data including name, billing address, credit card expiration date and card identification number—the 3- or 4-digit number that identifies a plastic card itself aside from the card account number. Criminals can use all of those elements to make fraudulent transactions.

But instead of deleting transaction data after getting payment authorization and settlement from participating banks, some retailers hold it. “So they build up a huge repository of customer transaction data that can get hacked if not properly protected,” says John Bingham, director of the technology risk practice at Protiviti Inc., a company that conducts tests of retailers’ compliance with the card industry standards.

The risk is heightened when retailers store full-track data, or the information contained in the magnetic stripe on payment cards, which includes enough account information to create duplicate cards. “If there’s a golden rule, it’s: Don’t store track data,” says Rob Tourt, vice president of network services for Discover Financial Services LLC, which issues and handles transaction processing for the Discover Card, one of the sponsors of the data security standards.

But many retailers don’t even realize they’re storing track data, often because their store point-of-sale systems are improperly designed to automatically record it in a database. “Unfortunately, merchants who are victims of database hacking often store track data without knowing it,” Tourt says.
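A merchant can look for the unnoticed storage Tourt describes by scanning point-of-sale logs and database exports for magnetic-stripe layouts. The Python sketch below is an added example, not code from the article or from any card brand; the Track 1 and Track 2 layouts follow ISO/IEC 7813, and the log lines, function names and report fields are constructed for illustration.

```python
import re

# Magnetic-stripe layouts per ISO/IEC 7813 (summarized here, not taken from the article):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^\r\n]{2,26})\^(\d{4})(\d{3})([^?\r\n]*)\?")
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan):
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep only the first six and last four digits so the report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_line(line):
    """Find track-shaped strings in one line; the Luhn check filters out look-alikes."""
    findings = []
    for kind, pattern in (("track1", TRACK1), ("track2", TRACK2)):
        for m in pattern.finditer(line):
            pan = m.group(1)
            if luhn_ok(pan):
                findings.append({"kind": kind, "pan": mask(pan), "offset": m.start()})
    return findings


def scan(lines):
    """Scan an iterable of text lines and return findings tagged with 1-based line numbers."""
    report = []
    for number, line in enumerate(lines, 1):
        for finding in scan_line(line):
            finding["line"] = number
            report.append(finding)
    return report


# Constructed sample: a POS debug log that records the raw swipe.
# 4111111111111111 is a widely used test number, not a real account.
SAMPLE_LOG = [
    "2007-05-01 10:02:11 POS03 AUTH OK amount=42.10 last4=1111",
    "2007-05-01 10:02:11 POS03 DEBUG swipe=%B4111111111111111^DOE/JANE^09121010000000000000?",
    "2007-05-01 10:05:40 POS01 DEBUG raw=;4111111111111111=09121010000000000000?",
    "2007-05-01 10:07:02 POS01 ref=;1234567890123456=0912101? order reference, fails Luhn",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The report carries only masked numbers, so running the scanner does not create another copy of the data it is looking for.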

At the same time, criminals continue to develop more sophisticated methods of cracking into and stealing that data—creating demand for more sophisticated security technology and policies.

Weighing the costs
The cost of implementing PCI standards depends on such factors as the volume of transactions a merchant handles; the state of a merchant’s infrastructure of computer databases, networks and security software; and its policies. A smaller merchant might spend $120,000 to get outfitted with data encryption software and other basic security tools, while a Level 1 merchant could spend $700,000, Litan says. But that’s just for security-related tools themselves, she adds. The cost of updating overall technology systems to comply with payment data security standards can run into millions of dollars, experts say, when new software systems require new and more robust hardware to run them.

Still, the overall cost of complying with PCI standards can be less than the cost of a security breach in terms of damage to a retailer’s brand, lost customers and a decline in sales, Litan adds.

A recent Gartner study found that the cost of security breaches can outweigh the cost of becoming compliant with security standards. When factoring in legal fees, fines, data recovery efforts, and losses in sales and market value, Gartner figures the costs of a major data security breach can run as high as $90 per customer record.

That equals more than five times the cost of implementing a comprehensive security system including data encryption, network intrusion-prevention, and regular system audits, which Gartner figures at $16 per customer record.

The PCI Security Standards Council, an organization founded by Visa, MasterCard International, Discover Financial Services, JCB International Credit Card Co. and American Express Co., provides a list of security assessment providers at PCISecurityStandards.org.

Keeping customers
Pressure is now coming not just from the credit card companies who are attempting to enforce the standards, but also from consumer awareness of the vulnerability of data. In a recent survey of 2,000 consumers by the Chief Marketing Officers Council, 40% of respondents said they had aborted a planned purchase either online or in a store because of concerns about the security of their personal data. In the same survey, 50% of respondents indicated they would avoid buying from a company whose customer databases had been hacked.

If consumer attitudes and the fear of public shame aren’t enough to sway technology plans, the credit card companies have implemented a new schedule of fines for security breaches. Visa U.S.A., for example, will fine merchant acquirers from $5,000 to $25,000 a month for each Level 1 or Level 2 (1-6 million transactions per year) merchant that is not compliant with the PCI standards by Sept. 30 for Level 1 merchants and Dec. 31 for Level 2. In addition, acquirers face monthly fines of up to $10,000 if they failed to confirm by March 31 that their Level 1 and 2 merchants were not storing full-track magnetic stripe data.

As part of the new program—the PCI Compliance Acceleration Program—merchants will not qualify for lower interchange rates for card transactions if they fail to comply with the standard.

Visa also will offer $20 million in incentives to merchant acquirers if their retailers comply by Aug. 31 and have not been involved in a data compromise. The goal is to promote faster compliance, says Eduardo Perez, Visa U.S.A.’s vice president of payment risk.

Meanwhile, government may be stepping in. State Rep. Michael Costello has submitted a bill to the Massachusetts legislature that would require merchants responsible for data breaches to pay for the replacement of plastic cards tied to stolen or compromised accounts. “If retailers know they’ll be held liable, they’ll be more likely to secure customer data,” says Adam Martignetti, Costello’s chief of staff. The first legislation of its kind, the bill has been generating interest from other states and from federal legislators, he adds.

Just the beginning
While compliance with payment card security standards is a good beginning toward preventing stolen or otherwise compromised customer data, it can be most effective when backed by continued security maintenance and improvements. As Golfballs.com got audited for compliance, for example, it realized it needed to modify its web server so it would not reveal to a hacker which version of Microsoft Corp.’s Internet Information Server software it used, preventing a hacker from learning how to break into data files. “That’s something we probably wouldn’t have done otherwise,” Bonin says.

But Golfballs.com hasn’t stopped looking for security holes, in effect going beyond the basic PCI requirements, he adds.

One of the more troublesome forms of attacks, experts say, is an SQL Injection, through which criminals insert extra characters and words at the end of web page identifiers in an effort to bypass a retailer’s network access rules to grab sensitive information like customer account data from back-end databases. Making this threat even worse is that retailers often don’t know that their network is open to such attacks, experts say.

Golfballs.com discovered it was open to SQL Injections through a security check by ScanAlert Inc.’s HackerSafe site monitoring and security system, Bonin says. So when the retailer rebuilt its web site on Microsoft Corp.’s .Net 2.0 technology platform during the first months of this year, it redesigned its web access system to block SQL Injections.

Using tools within .Net 2.0, the retailer’s two-person I.T. staff configured a system to route page requests through a software module that instantly recognizes whether a page identifier has extra characters that might be used in an attempt to pull information from protected databases. “Retailers shouldn’t have to worry about data intrusions if their site is set up properly,” Bonin says.
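The check described above, a module that rejects page identifiers carrying extra characters before they reach the database, can be sketched as follows. This is an added example in Python with an in-memory SQLite database, not Golfballs.com’s .Net module; the table, the identifier format (short decimal numbers) and all function names are assumptions. It shows the string-built query next to the hardened form, which combines an allow-list check with a bound parameter.

```python
import re
import sqlite3

# Assumption: page identifiers are short decimal numbers. [0-9] is used instead
# of \d so that non-ASCII digit characters are rejected as well.
PAGE_ID = re.compile(r"[0-9]{1,9}")


class BadPageId(ValueError):
    """Raised when a page identifier is anything other than a plain number."""


def make_db():
    """Constructed catalogue: one public product and one that must stay hidden."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER);
        INSERT INTO products VALUES (1, 'Practice balls', 1);
        INSERT INTO products VALUES (2, 'Unreleased item', 0);
    """)
    return db


def lookup_concatenated(db, page_id):
    """'Before' form: the identifier is pasted into the SQL text, so trailing
    words in the identifier become part of the statement."""
    sql = "SELECT name FROM products WHERE public = 1 AND id = " + page_id
    return [row[0] for row in db.execute(sql)]


def lookup_hardened(db, page_id):
    """Hardened form: validate the whole identifier, then bind it as a parameter
    so it can never be parsed as SQL."""
    if not PAGE_ID.fullmatch(page_id):
        raise BadPageId("page identifier contains unexpected characters")
    rows = db.execute(
        "SELECT name FROM products WHERE public = 1 AND id = ?", (int(page_id),)
    )
    return [row[0] for row in rows]


def handle_request(db, raw_id):
    """Request filter: malformed identifiers get a 400 before any query runs."""
    try:
        return 200, lookup_hardened(db, raw_id)
    except BadPageId:
        return 400, []


if __name__ == "__main__":
    db = make_db()
    tampered = "1 OR 1=1"  # constructed identifier with extra words appended
    print("concatenated:", lookup_concatenated(db, tampered))  # hidden row leaks
    print("hardened:    ", handle_request(db, tampered))       # rejected
    print("normal:      ", handle_request(db, "1"))
```

Validation alone is a filter that can miss cases; the bound parameter is what keeps the identifier out of the SQL grammar, so the two belong together.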