Visa issues new alert, identifies leading causes of data breaches

Hackers target vulnerable POS systems they suspect store card data, Visa U.S.A. recently warned, and, in conjunction with the U.S. Chamber of Commerce, stated the five leading causes of data breaches and specific prevention strategies for each.

The five leading causes of card-related data breaches


  1. Storage of mag stripe data – The most common cause of data breaches occurs when a merchant or service provider stores sensitive information encoded on the card’s mag stripe in violation of PCI. This can happen because a number of POS systems improperly store this data, and the merchant may not be aware of it.
  2. Missing or outdated security patches – In this scenario, hackers are able to penetrate merchants’ or service providers’ systems because they have not installed up-to-date security patches, leaving their systems vulnerable to intrusion.
  3. Use of vendor-supplied default settings and passwords – In many cases, merchants receive POS hardware or software from outside vendors, which install them using default settings and passwords that are often widely known to hackers and easy to guess.
  4. SQL injection – Criminals use this technique to exploit Web-based applications for coding vulnerabilities and to attack a merchant’s Internet applications (e.g. shopping carts).
  5. Unnecessary and vulnerable services on servers – Vendors often ship servers with unnecessary services and applications enabled, although the user may not be aware of it. Because the services may not be required, security patches and upgrades may be ignored and the merchant system exposed to attack.


Source: Visa U.S.A. and the U.S. Chamber of Commerce

Visa is aware of credit and debit card account information compromises occurring from improperly stored magnetic stripe, or track, data after transaction authorizations are completed. Track data refers to the information encoded in Tracks 1 and 2 of the mag stripe.

The card association has also observed compromises involving improperly stored card verification value 2 (CVV2) data, PINs and PIN blocks.

To guard against compromises, Visa advised merchants to implement the following strategies:

  • Ask their POS or payment software vendor (or reseller/integrator) to confirm their software version does not store mag stripe data, CVV2, PINs or encrypted PIN blocks. If it does, they should have these elements removed immediately.
  • Ask their payment software vendor for a list of files written by the application and a summary of the content to verify prohibited data is not stored.
  • Review custom POS applications for any evidence of prohibited data storage. Eliminate any functionality that enables storage of this data.
  • Search for and expunge all historical prohibited data elements that may reside within their payment system infrastructure.
  • Confirm that all cardholder data storage is necessary and appropriate for the transaction type.
  • Verify that their POS software version has been validated as compliant with the Visa Payment Application Best Practices. A list of PABP-compliant applications is available at www.visa.com/cisp

Merchants are permitted to store only specific data elements from the mag stripe to support card acceptance, according to Visa. This data includes cardholder’s name, primary account number, expiration date and service code. However, merchants should store this data only if needed, and they must protect it as required by the Payment Card Industry (PCI) Data Security Standard.

Merchants can limit damage from a compromise by not storing track data, CVV2, PINs and PIN blocks. Merchants sometimes store track and other data in the mistaken belief they need it to process merchandise returns and transaction reversals. Acquirers should ensure their merchants have proper processes for each type of transaction, Visa stated.
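One way to carry out the search for historical prohibited data described above, as an added example (not from Visa's alert or any vendor's tool): a scanner that flags Track 1 and Track 2 strings in text such as POS debug logs and replaces them, reporting only the last four digits. The ISO/IEC 7813 track layouts, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re

# Track layouts per ISO/IEC 7813 (assumed; the alert only names Tracks 1 and 2):
#   Track 1: %B<PAN>^<NAME>^<YYMM><service code><discretionary data>?
#   Track 2: ;<PAN>=<YYMM><service code><discretionary data>?
TRACK1 = re.compile(
    r"%B(\d{12,19})\^([^^?\r\n]{2,26})\^(\d{4})(\d{3})([^?\r\n]*)\?"
)
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")
PATTERNS = ((1, TRACK1), (2, TRACK2))

# Constructed sample input: 4111111111111111 is a widely used test number,
# and the last line carries a number that fails the Luhn check on purpose.
SAMPLE_LOG = (
    "2006-07-01 10:02:11 AUTH ok amount=25.00 card=************1111\n"
    "2006-07-01 10:02:12 DEBUG swipe=%B4111111111111111^DOE/JOHN^0912101000000000000000?\n"
    "2006-07-01 10:05:40 DEBUG raw=;4111111111111111=09121010000000000000?\n"
    "2006-07-01 10:06:02 DEBUG raw=;4111111111111112=09121010000000000000?\n"
)


def luhn_ok(pan):
    """Return True if the digit string passes the Luhn check used for card numbers."""
    total = 0
    for index, char in enumerate(reversed(pan)):
        digit = int(char)
        if index % 2 == 1:          # double every second digit from the right
            digit *= 2
            if digit > 9:
                digit -= 9
        total += digit
    return total % 10 == 0


def find_track_data(text):
    """List every track-shaped string whose account number passes Luhn.

    The Luhn filter cuts false positives from random digit runs; the cost is
    that a corrupted track record would be missed.
    """
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for track_no, pattern in PATTERNS:
            for match in pattern.finditer(line):
                pan = match.group(1)
                if luhn_ok(pan):
                    # Report the last four digits only, never the full number.
                    findings.append(
                        {"line": line_no, "track": track_no, "pan_last4": pan[-4:]}
                    )
    return findings


def redact_track_data(text):
    """Replace each detected track string with a marker that keeps the last four digits."""
    def replacer(track_no):
        def _sub(match):
            pan = match.group(1)
            if not luhn_ok(pan):
                return match.group(0)   # leave non-card digit runs untouched
            return "[track %d removed, PAN ending %s]" % (track_no, pan[-4:])
        return _sub

    for track_no, pattern in PATTERNS:
        text = pattern.sub(replacer(track_no), text)
    return text


if __name__ == "__main__":
    for finding in find_track_data(SAMPLE_LOG):
        print(finding)
    print(redact_track_data(SAMPLE_LOG))
```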


Merchants who have made improvements to protect customer data

The most-effective weapon

The findings on data breaches came from a detailed review of the card security environment, including common fraud techniques, potential areas of weakness by card-accepting merchants and emerging threats.

“The single most effective weapon in the battle against today’s data theft is education,” said Sean Heather, Executive Director of the U.S. Chamber of Commerce, which, with Visa, conducted a survey of 600 small merchants in 12 target areas.

The survey of businesses accepting credit cards for payments revealed:

  • 64% accept PIN debit.
  • 42% do not worry about securing customer information.
  • 5% have had an incident of lost, hacked or stolen customer data.
  • 29% made improvements to protect customer information, including card data, within the previous three months; 63% did so within the previous year.
  • The top three improvements (14% each) included 1) securing information physically or by adding password-protection; 2) identifying account numbers by the last four digits only; and 3) shredding or eliminating storage of customer information.

An astounding 82% did not know what mag-stripe data is. More businesses (34%) spend a greater share of their resources preventing theft of products and cash than in securing customer data (20%). Some 69% handle data security in-house.

The Visa alert, along with answers to data security questions, can be found at the Chamber’s Web site: www.uschamber.com/sb/security More information is also available at www.visa.com/merchant

Visa PCI security update

Visa U.S.A. announced today that it is expanding the criteria of its merchant validation levels for compliance with the Payment Card Industry Data Security Standard (PCI DSS). Visa’s move is designed to decrease the risk of data compromises by shifting higher-volume merchants across all payment channels into a more rigorous compliance validation category.

The most significant modification involves the Level 2 merchant category, which previously only applied to merchants processing between 150,000 and 6 million Visa e-commerce transactions per year. Level 2 has now been broadened to include all acceptance channels and applies to any merchant processing 1 million to 6 million Visa transactions per year.
While none of the validation requirements themselves have changed, merchants moving into a new validation level will be responsible for complying with that category’s validation responsibilities. For example, merchants moving from Level 4 to Level 2 must now have quarterly network security scans performed by a qualified independent scan vendor.
The revised criteria impact a relatively small number of merchants. Fewer than 1,000 Level 4 merchants are expected to move into the Level 2 category, while an equal number of former Level 2 merchants processing fewer than 1 million e-commerce transactions per year will move to Level 3.
Within the next two months, acquirers will identify any merchant changing levels. These merchants are required to validate PCI compliance with their acquirer by Sept. 30, 2007, generally 12 months from the date of identification.
Compliance with the Payment Card Industry Data Security Standard (PCI DSS) is required of all merchants and any entity that stores, transmits or processes cardholder data. Validation of compliance is part of that process, with validation requirements varying for merchants based on factors such as transaction volume.
A summary of the changes is listed in the chart below:
New Merchant Levels Defined

Merchant Level 1

  • New criteria: No change.
  • Prior criteria: Any merchant processing over 6 million Visa transactions per year or compromised in the past year, regardless of acceptance channel.
  • Required validation action: No change to validation action for this level. Annual onsite audit and quarterly scans required.

Merchant Level 2

  • New criteria: Any merchant processing 1 million to 6 million Visa transactions per year, regardless of acceptance channel.
  • Prior criteria: Any merchant processing between 150,000 and 6 million Visa e-commerce transactions per year.
  • Required validation action: No change to validation action, but new definition expands the number of level 2 merchants to include former level 4 merchants. Annual self-assessment questionnaire and quarterly scans required.

Merchant Level 3

  • New criteria: Any merchant processing 20,000 to 1 million Visa e-commerce transactions per year.
  • Prior criteria: Any merchant processing 20,000 to 150,000 Visa e-commerce transactions per year.
  • Required validation action: No change to validation action, but new definition expands level 3 to include merchants formerly in level 2 processing fewer than 1 million e-commerce transactions per year. Annual self-assessment questionnaire and quarterly scans required.

Merchant Level 4

  • New criteria: Any merchant processing less than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 1 million Visa transactions per year.
  • Prior criteria: Any merchant processing less than 20,000 Visa e-commerce transactions per year, and all other merchants processing up to 6 million Visa transactions per year.
  • Required validation action: No change to validation action, but new definition reduces the number of level 4 merchants. Annual self-assessment questionnaire and quarterly scans may be required as specified by the member.

Mercator Advisory Group issued a new report, “Extending The PIN: Evaluating The Growth of EFT Networks Into New Markets.”
The debit industry has seen significant growth over the last eight years, while signature debit growth is down ever so slightly from 21 percent in 2003 to 18 percent in 2005. PIN debit has more than compensated with growth rates between 35 and 38 percent in the same time period. As a result of these two spectacular increases, debit transactions either already have, or will very soon, exceed credit transactions.
Despite debit’s incredible growth in volume terms, Mercator Advisory Group believes that the EFT networks that enable PIN debit are approaching a critical juncture. Signature debit, while currently facing a slightly slowing growth rate, is also the only debit solution fully enabled and successfully entering several new emerging markets, such as eCommerce, recurring bill payments, and those markets where cash is being displaced using Contactless and signatureless solutions. Left unchecked, the increased growth in internet and mobile payments and cash replacement will occur primarily at the expense of growth in EFT transactions. This will be of some concern if these new markets grow as quickly as proponents hope. It is important to note that we are talking about future markets and the relative market share of transaction types in these emerging environments.
This report evaluates the consumer preference for debit instruments today, how these preferences can be shifted by the popular press and the payment industry itself, the targeting of three new markets by card associations for future growth: 1) online transactions, 2) recurring bill-pay environments, and 3) Contactless/signatureless environments intended to displace low-value cash transactions, and issues that make it difficult for EFT network operators to react unilaterally to enter these same evolving markets; and therefore, make co-operative plays related to technology standards and implementation a real consideration.
Tim Sloane, Director of the Debit Service for Mercator Advisory Group and the author of the report, indicates that despite strong growth rates across the board for debit, EFT network operators may need to start establishing plans to target these same markets.
“While predicting overall growth of all three evolving markets may be difficult, it is clear that internet payments will continue to grow significantly. If the recurring bills and cash replacement market segments also experience high growth, then EFT operators may find themselves facing a growing barrier to market entry not unlike that experienced when they had to deploy key pads on POS devices to enable PIN-based debit at the POS.”
The report contains 26 pages and 12 Exhibits.

NYPay announced today its formation as New York City’s premiere networking forum for professionals in the payments industry. The organization conducted its initial launch meeting on June 15th, hosted by co-founding member Hughes, Hubbard & Reed, and attended by dozens of its charter members. The meeting focused on the theme “The Future of Payments” with a presentation made by the Mercator Advisory Group on “Driving Payment Trends through POS Technologies.” NYPay co-founding members from Edgar, Dunn & Company (EDC), TransUnion, CashEdge, and Hughes, Hubbard & Reed moderated the event.
NYPay is designed to provide a professional networking forum for the exchange of views and ideas among active professionals within the payments industry that are located in the New York City metro area. The group interacts via an online user group and at regular face-to-face functions that will focus on current payments trends and issues. Anita Boomstein of Hughes, Hubbard & Reed provides the association’s legal representation and expertise on laws relating to payment systems.
“NYPay brings together professionals in a collegial setting to network and dialogue on relevant issues in the dynamic payments industry,” said Ronald Mazursky, Director, Edgar, Dunn & Company. “The model for this professional forum is based on the successful West Coast association, BayPay, which EDC co-founded in 2005 with membership now in the hundreds of active professionals.”
“NYPay provides a much needed opportunity for payments professionals to stay current on industry developments while connecting with colleagues from various institutions. CashEdge is pleased to be involved as a founding member,” said Demetris Papademetriou, Director, CashEdge, Inc.
Based on NYPay’s stated membership profile, the association is seeking active professionals involved in the Financial Services Industry payments field who can contribute to the forum’s regular discussion groups. Membership is by invitation only.

The National Association of Payment Professionals recently completed its first member survey. With an above-average response from its members, NAOPP gained valuable information on the needs and interests of its members.
The survey contained 26 questions on topics including educational needs, benefits, liaison/representation, and certification along with demographic information needed to assist with negotiating benefits, etc.
The survey revealed: 1) NAOPP’s membership is overwhelmingly male; 2) 66.6 percent of NAOPP’s members have been engaged in the industry for five years or greater; 3) 68.4 percent of the members are 45 years of age or older; and 4) 49 percent earn greater than $100,000 per year.
In addition, members indicated they are interested in educational programming including training at the regional acquirer’s meetings as well as other types of training such as teleseminars and webinars. Members indicated they are interested in information on interchange, ethics, ISO registration and regulation, marketing via the Internet, new types of loyalty programs, and marketing and sales training.
Members further indicated they are interested in the following additional benefits:

  • UPS/FEDEX/DHL mailing service or plan,
  • Professional liability insurance,
  • Long- and/or short-term disability insurance,
  • Rental car discounts,
  • Cellular telephone plans, and
  • Discounted books or magazines.

The Benefits Committee continues to seek members to help identify and negotiate additional benefits identified in the survey.

More than 100 million Americans would use contactless cards to pay for inexpensive, everyday items such as fast food, convenience store items and transit fares, according to a comprehensive new survey released today. A large number of consumers would also use contactless cards to pay for parking, video games and vending items, the survey found.
The survey, conducted by Ipsos Insight and Peppercoin, was a scientific, random sample telephone survey of 1,001 Americans ages 18 and older and has a margin of error of plus or minus three percentage points. Specific survey responses include:

  • Broad willingness to use contactless cards.
  • More than 50 percent of respondents, which translates into more than 100 million Americans, would use contactless cards to buy gasoline, items from fast food restaurants or corporate cafeterias, or groceries. More than 40 percent would use contactless cards to pay for convenience store items and transit fares (subway and bus fares and tolls). Almost 40 percent would use contactless cards to buy coffee or pay for parking, and 30 percent (60 million Americans) would use contactless cards for video games or at a vending machine or kiosk.

  • Greater acceptance with young consumers.
  • More than 50 percent of survey respondents between the ages of 18 and 24 indicated they would use contactless cards to buy a range of goods, including gas, groceries, fast food, coffee, convenience store items, transit fares and video games.

  • High income consumers more likely to use contactless cards.
  • Consumers in households with incomes greater than $50,000 indicated they were more likely to use contactless cards than those with income less than $50,000.

  • Security and ease of use are top concerns
  • Concerns about security and ease of use are the two main obstacles facing contactless card acceptance. Depending on the specific market, between 13 and 22 percent of respondents indicated security concerns would keep them from using contactless cards. The data indicates a need for companies leading contactless roll-outs to educate consumers about the cards’ safety and how easy they are to use. “Contactless payments represent a significant opportunity for the payments ecosystem. Consumers benefit from the increased convenience while merchants gain speed at the point of sale,” said Mark Friedman, President and CEO of Peppercoin. “In addition, when combined with Peppercoin’s Virtual Prepaid and Merchant Loyalty offerings, contactless payments encourage consumers to return more frequently and spend more when they do — translating into increased revenue for merchants.”

The long-touted “paperless society” is still a long way off when it comes to consumer banking statements. Financial institutions continue to spend millions of dollars annually on the printing and postage of periodic, paper-based account statements. Today less than 10% of deposit and 20% of loan accounts in the United States have been migrated to an electronic format.
In addition to an ongoing expense line, many banks, thrifts, credit unions, and finance companies continue to regard account statements as a legal or regulatory obligation – rather than a strategic communications vehicle that affects customers’ perceptions of the institution. New research from TowerGroup notes that while bank statements are unarguably a requirement of law, they are all too often underestimated and underutilized by banks.
Perhaps the most important aspect of bank or finance company statements is that customers frequently open them. While not all consumers read their statements rigorously, they are far more likely to open and read an account statement than they are other pieces of mail received from their bank. At the very least, consumers tend to save their statements – making receipt and retention of the information they contained more assured.
New technologies and techniques designed to enhance the presentation of account-related information have been around for a decade and are gaining ground. According to TowerGroup, as packaged software for statement creation becomes more widely used, both electronic and paper based statements will become increasingly viewed as strategic communications vehicles whose key role is to shape and direct the customer experience. TowerGroup anticipates consumer expectations of how information is presented to them from their bank to continue to increase, as consumers become more familiar with the Web and personalization capabilities available online.

Having the option to make payments via PIN or signature debit increases the number of transactions consumers make monthly, according to a recent survey released by First Data Corp.
The STAR(R) Consumer Payments Usage Study, conducted by an independent research firm, found that consumers who use both PIN and signature debit at the point-of-sale (POS) conduct an average of nearly 23 transactions per month versus 14 for those who solely use signature and 10 for those using only PIN.
The 2005/2006 survey data also points to the continued growth of debit activity at the POS. Over the past five years, consumers’ average POS debit activity has grown from less than eight transactions a month to more than 11. The average total number of debit POS transactions made monthly has increased 21 percent in the last year, from 15 to 18 transactions per month.
Although PIN and signature debit both demonstrated transaction growth, preference of PIN debit over signature debit was 45 percent to 33 percent. Security was the leading response for choosing PIN debit as reported by 48 percent of respondents. Additionally, 57 percent of PIN-secured debit users reported that having the choice to receive cash back at the POS resulted in more usage of their cards.
PIN and Signature Debit Work Best Together

  • 62 percent of ATM/debit cardholders reported using their ATM/debit cards at the POS in the 30 days prior to the survey. Over the past five years, consumers’ average POS debit activity has grown from less than eight transactions a month to more than 11.
  • Among all card users, 45 percent of consumers report using both PIN and signature methods, an increase from last year’s 39 percent. The number of respondents using both is significantly greater than those who report utilizing a single method.
  • Using both methods has a major effect on transaction volume: Those who use both PIN and signature debit account for 75 percent of all debit POS transactions made. Consumers utilizing both methods conduct an average of 23 transactions a month versus 14 for those who solely use signature and 10 for those using only PIN.
  • The expanding number of locations accepting debit, particularly for small-ticket purchases, underscores the value of promoting both PIN and signature debit to consumers. Among respondents, PIN debit is the preferred debit option at discount stores, convenience stores, drug stores and do-it-yourself stores, while signature debit leads in food categories and specialty retail locations.

The National Clearing House (NCHA), the single largest settler of clearinghouse check volume in the United States, reported record image volumes of more than 88 million items totaling $56.5 billion for second quarter 2006, more than doubling the organization’s first quarter numbers.
NCHA’s June 2006 image exchange volumes escalated 12.5 times over the organization’s June 2005 volumes. Image exchange items soared from 2.7 million last June to 33.7 million just one year later. Image exchange dollars showed explosive growth climbing from $962.8 million last June to $25.2 billion in June 2006. Year-to-date numbers show that 2006 will be a banner year with 123 million image exchange items totaling more than $78.4 billion.

Taking advantage of lower rates with purchasing cards

Hi,

We program all of our terminals, software and gateways to do the necessary prompts to take advantage of the lower rates purchasing cards offer.

Purchase Cards have been used by government agencies and corporations to streamline their buying processes for 20 years now. The last ten years have seen tremendous growth beyond the initial “early-adopter” and “getting it figured out” phases, and Purchase Cards have grown into an established and growing market segment for enterprise payments. In fact, survey data reports that the annual U.S. Purchase Card spending grew from $80 billion to $110 billion between 2003 and 2005.
However, in order for purchase cards to be used by business and government buyers, they must be accepted and processed by merchants.
This article answers some basic questions regarding the use and characteristics of Purchase Cards to help merchants better understand the market context.

Understanding Purchasing Cards and Their Use: What is a Purchase Card?

On the surface, a Purchase Card may look like your average business or consumer credit card, but a closer examination reveals that Purchase Cards possess more features, capabilities and controls. A typical Purchase Card can be set up to control:

  • Number of monthly transactions
  • Number of daily transactions
  • Total monthly spend
  • Daily spend
  • Amount per transaction
  • Where the card may be used based on merchant MCC code (MCC restriction)

These extra control features help buying organizations manage their purchasing policies and processes.
One of the most differentiating characteristics of Purchase Cards is that their transactions can be processed with the same level of information normally found on an itemized invoice. This is called “Level-3” line item detail transaction data. Level-3 information contains information about the items purchased such as Item Part Number, Description, Quantity, Unit of Measure, Price and more. Level-3 data must come from the merchant and be submitted with the card transaction.
The following chart compares the levels of some of the information that is delivered with Level-1, Level-2 and Level-3 transactions:

ISO Opportunity:

Merchants are being asked to supply Level-3 transactions and need help selecting payment solutions capable of meeting their needs.

Why are Purchase Cards Used?

Purchase Cards are used by buying organizations to streamline their purchasing and payment processes. Cards may be used in a variety of ways, but for routine purchases they are issued to authorized cardholders so they can place orders and make payments directly and efficiently on behalf of the buying organization.
In other cases, Purchase Cards are used to make large purchases and payments and are used with Purchase Order and e-procurement systems. As the value of the transactions increases, so does the need to have accurate and detailed information about the purchase or payment.
Because of the increasing transaction value and need for financial accountability, Purchase Card use is often accompanied by the need for the merchant to provide Level-3 line-item detail, which defines exactly what is being purchased, with the payment transaction.
The Level-3 payment detail is delivered electronically to the buying organization’s Purchase Card reporting system where it can be reviewed on a daily basis and automatically entered into their accounting and finance systems.
Purchase Card transactions have tiered interchange rates and are priced differently compared to standard consumer or business card transactions. MasterCard™ and Visa™ have created special interchange rates to encourage supplier participation and support of Purchase Card programs by reducing the supplier’s transaction costs if Level-3 line item detail information is transmitted with the financial settlement.

The key to obtaining the best rates for these transactions is to include line-item detail, also known as “Level-3.” Payment processors can bring substantial value to the merchant by helping them qualify for the lower-cost Level-3 rates. This is even more important if the transaction sizes are large.

Who is Using Purchase Cards and How Much?

Purchase Card use is widespread, even if it is not highly visible. Most midsize and larger corporations have Purchase Card programs in place. Federal, state and local government agencies have multi-year contracts with their purchase card-issuing banks. Universities and utility groups have systems deployed. Purchase Card systems are offered by many commercial banks and other financial institutions.
As noted, the annual U.S. Purchase Card spending grew from $80 billion to $110 billion between 2003 and 2005 – of greater importance is that recent studies suggest that this volume could increase eightfold if all transactions below $2500 were paid with Purchase Cards.
Federal procurement guidelines already mandate Purchase Card use for all spending under the $2500 level. Since 1998 (when a new 10-year contract was issued), the program has increased more than 100% in dollars expended and 60% in transactions. In fiscal year 2005, 301,216 Federal Purchase Card cardholders spent $17.4 Billion dollars via about 26 million transactions for goods and services. See www.gsa-smartpay.com for more information.

Why Merchants Care About Purchase Cards

As more businesses and government users migrate to using purchase cards, merchants who accept purchase cards also benefit. Merchant benefits include:

  • Faster payment cycle – receive payment in two-to-three days, as opposed to the 30-, 60-, or 90-day wait commonplace with many corporate purchases and traditional payments.
  • Lower interchange rates. Interchange qualification savings of 30 Basis Points or more are possible for providing Level-3. Greater savings are also possible depending on transaction size.
  • Level-3 data can help a merchant with transaction documentation or responding to chargeback requests (all the transaction detail is in one place).
  • Preferred status with their customers. Some buying organizations have mandated use of Level-3 with some or all of their transactions.

Finding Balance for the Merchant

Merchants want to obtain these benefits, but they also have issues that they need to balance. These include:

  • They need their solutions to be within their capability to use and to support reduced total cost.
  • They would like to lower credit card transaction processing costs. Again the best way to do this is by ensuring proper interchange qualification.
  • Ease of use and deployment. The system should be intuitive and capable of supporting their business processes – as an example, a merchant might need to process transactions manually by a field sales office, electronically from an e-commerce website, and from a back-office accounting system.
  • Their system should afford the ability to integrate data back into their internal systems or offer management reports and inquiry capability to manage business volumes.
  • Migration path for future development

Understanding your Merchant Business: A Solutions-oriented Approach

Merchant processing requirements and solution selection may be influenced by their…

  • Business size: Is the merchant’s organization large, small, or midsize?
  • Typical customers (doing business with the merchant): Are they consumers / corporations / government (Federal, state, local). Are the customers repeat or random?
  • Type of sales: What is being sold – goods, services or both?
  • Sales channels: How are the sales made – MO/TO / Website / E-commerce / Card present?
  • Timing of sale: Are sales made with real-time or non-real-time requirements?
  • Monthly dollar and transaction volumes: How many transactions will be made across the sales channels – 1 or 100,000?
  • Number of locations: Single or multiple?
  • Transaction/business processes: Is a stand-alone solution appropriate, or is one that can integrate into the merchant’s ordering or finance system needed?
  • IT infrastructure/systems in use: What systems does the merchant currently have and are they planning for change in the near future? What application software is used – SAP / Oracle / Quickbooks / etc.?
  • Communication options: What communications does the merchant have – Dial, Frame Relay or broadband Internet options?
  • Security requirements: What information security capacities does the merchant have and are they aware of the Payment Card Industry data security (PCI) requirements? What type of system would be best to reduce their exposure?

Select the Right Payment Service to Process Purchase Cards

Accepting purchasing cards allows merchants to stay competitive and become a strategic supplier to corporate or government purchasing card users. These customers often require enhanced purchasing information beyond the standard financial information provided by most other card processing solutions.

by Aaron Bills

Some more tips on avoiding chargebacks

The skinny on chargebacks and disputes – Part II

By Ross Federgreen

There are many types of disputes and chargebacks. To respond appropriately, it’s important to understand their distinctions and review chargeback notifications carefully.

Each specific chargeback is designated by a chargeback code. These codes are either a one- or two-digit number. MasterCard Worldwide and Visa U.S.A. may use the same chargeback designation number, but the definitions of the common number may be different.

There are five broad categories under which all chargeback codes are classified. These are: authorization, cardholder dispute, documentation request, fraud and processing error. The first step in shaping a correct response to a dispute or chargeback is understanding the specific category under which the reason code falls.

Once the category of the chargeback or dispute is understood, the next step is to carefully examine the associated documentation.

As detailed in Part I of this series (The Green Sheet, Aug. 28, 2006, issue 06:08:02), the entire process is specifically timed; you must be aware of when a response is due. Further, since the meaning of dispute codes varies by payment brand, you must examine the jurisdiction to which you are responding. Jurisdictions include MasterCard Worldwide and Visa U.S.A. as well as others.

Next, examine the adjustment amount. This may give you a clue as to the underlying mechanisms for a specific chargeback. Clearly, you must respond specifically to the reason and the dispute type. Failure to respond to the specific area will lead to failure in your efforts to resolve a chargeback or dispute in your merchant’s favor.

Analyzing a notification of chargeback

Here are five key areas you should examine whenever you receive a chargeback notification:

  1. Due date
  2. Jurisdiction
  3. Adjustment amount
  4. Reason
  5. Dispute type.

From the initiation perspective, two broad categories of chargeback or dispute exist: procedural and substantive. Procedural chargebacks are initiated by the card issuer for various processing errors or for violations of the MasterCard or Visa rules and regulations. Substantive chargebacks occur when cardholders initiate disputes.

Understanding the categories and the reasons why a chargeback or dispute falls into a particular category significantly increases your ability to respond in the appropriate manner.

Dispute/chargeback reason codes

There are over 100 valid reason codes. Many of the definitions have very subtle nuances and require specific conditions. To help the merchant successfully defend against these codes requires detailed understanding.

The vast majority of reason codes consist of two digits. If you receive a one-digit code, this indicates in the majority of cases that a warning bulletin violation has occurred. Reason Code 7 is an example. It is usually associated with the failure to receive a proper authorization.

For MasterCard, Visa and other noncard Association transactions, the same two-digit reason code can represent different conditions. Here are some examples:

Reason Code 47 under Diners Club International Ltd. is an unauthorized transaction that exceeds floor limit and for which no authorization was obtained. Visa Code 47 represents a fraudulent transaction and is associated with no authorization being obtained. Under MasterCard, Code 47 represents a transaction that exceeds floor limit, is not authorized and is fraudulent.

Code 54 under Diners is defined as a “claim or defense.” It represents a situation in which a customer claims that a service or good is no longer viable, such as a timeshare or contract work. Under MasterCard, Code 54 represents a “cardholder dispute – not elsewhere classified (U.S. Region only).” Under Visa, Code 54 represents “cardholder dispute – not elsewhere classified (not region specific).”

On the other hand, Code 53 is defined the same way by Diners, Visa and MasterCard. The definition is “not as described.” In this situation, the customer claims that the good or service is not as described. For example, a ring turns out to be 14-karat gold rather than 18-karat, etc.

Further complicating matters are reason codes that require a certain condition regardless of the card brand. Examples of this circumstance include Codes 24, 94 and 95. Code 24 is merchant service error, Code 94 is cancelled guaranteed reservation and Code 95 is advance deposit service.

Common chargeback scenarios

Here are three examples of chargebacks with common causes:

Reason Code 41: The cancelled transaction

Definition: The card issuer received a claim by the cardholder for one of the following reasons:

  • The merchant was notified to cancel a recurring transaction but has since billed the customer.
  • The transaction amount exceeds the preauthorized dollar amount range.
  • The merchant was supposed to notify the cardholder prior to processing each recurring transaction but has not done so.

Most common causes for Reason Code 41:

  • The cardholder withdrew permission to charge the account, cancelled payment of a membership fee or cancelled the card account.
  • The card issuer charged back a previous recurring transaction, and the cardholder did not expressly renew or cancelled the card account.
  • The merchant received notice before the transaction was processed that the cardholder account was closed or exceeded the pre-authorized dollar amount range and did not notify the cardholder in writing within 10 days before processing the transaction – or notified the cardholder in writing within 10 days of processing the recurring transaction, after which the cardholder notified the merchant not to charge.

Reason Code 81: Fraudulent transaction – card present environment

Definition: The card issuer received a sales receipt that is missing required information, indicating a potentially fraudulent transaction.

Specific situations in which this chargeback code may be used include those wherein the card issuer received a sales receipt that has no imprint of the card’s embossed or magnetic-stripe information or the cardholder’s signature and:

  • the cardholder certifies he neither authorized nor participated in the transaction, or
  • the card issuer certifies that no valid card with that account number existed on the transaction.

This chargeback is not valid for recurring payments and card-not-present transactions. However, it is valid for card-present sales on self-serve POS terminals, such as cardholder-activated gas pumps.

Most common causes for Reason Code 81:

The merchant or service establishment

  • did not swipe the card through a magnetic-stripe reader
  • did not make a manual imprint of the card account information on the sales receipt for a key-entered transaction
  • completed a card-present transaction without obtaining the cardholder’s signature on the sales receipt
  • completed a card-not-present transaction but did not identify the transaction as a MO/TO or Internet purchase.

Reason Code 82: Duplicate processing

Definition: The card issuer received the same transaction more than once for posting to the cardholder’s account.

Most common causes for Reason Code 82:

The merchant or service establishment

  • entered the same transaction into the POS terminal more than once
  • electronically submitted the same batch of transactions to its merchant bank more than once
  • deposited with its merchant bank both the merchant copy and the bank copy of a sales receipt
  • deposited sales receipts for the same transaction with more than one merchant bank
  • created two sales receipts for the same purchase.

It is my hope this article will give you a better grasp of the multiple nuances involved in chargebacks. In part three we will discuss certain regulatory issues as well as specific methodologies to track and respond to chargebacks and disputes.


Bill Hoidas
District Sales Manager
Larger B2B/MOTO/Internet Accounts
Product Development Manager
Matrix Payment Systems
(847) 381-3482 office
(847) 381-4289 fax
http://paymentconsulting.net
John 3:16 For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life.

YOU DON’T HAVE TO TAKE CHARGEBACKS LAYING DOWN-YOU CAN FIGHT!


I have often written about the importance of merchant education and training. When it comes to chargebacks, keeping merchants up to date and on their toes is critical. These efforts ensure client retention.

Merchants typically get chargebacks for the usual two or three reason codes, and often for just one reason: an inability to issue timely refunds. For example, the lion’s share of chargebacks for MO/TO merchants stem from failure to promptly issue refunds for returned merchandise, fraudulent transactions, defective goods, etc.

The refund issue can be a warning sign that a merchant is having cash-flow problems or experiencing a customer service meltdown.

Cracking the codes

A card issuer must meet all requirements for the reason code it is using for a given chargeback. Otherwise, the chargeback is invalid and can be re-presented by the merchant and acquirer, shifting the burden of loss back to the issuing bank and cardholder.

When ISOs send my team and me out to work with merchants, I often find that a substantial number of chargebacks could be re-presented if merchants better understood the rules and bothered to re-present improper and invalid chargebacks.

It always amazes me how often MO/TO merchants get chargebacks for transactions that have actually been refunded to cardholders. Yet, the merchants involved haven’t bothered to re-present the chargebacks to the issuing bank.

You may find the following examples of MasterCard Worldwide and Visa U.S.A. reason codes helpful in understanding the chargeback process.

MasterCard Reason Code 4853

An issuer initiated a chargeback for MasterCard Reason Code 4853 (defective/not as described) after receiving a letter from a cardholder stating that he engaged in the transaction, returned the merchandise and was refused a credit.

However, after carefully reviewing the cardholder’s letter, the merchant and acquirer noticed the chargeback was invalid because the cardholder didn’t mention “a particular problem or defect” having to do with the merchandise. The letter only conveyed the decision to return it.

In cases like this, the merchant and acquirer can re-present the chargeback, shifting the burden of loss back to the issuer and cardholder.

More on MasterCard Reason 4853

In another example of MasterCard Reason Code 4853 (defective/not as described), an issuer initiated a chargeback based on a cardholder letter claiming the goods from a face-to-face transaction with a jeweler were not as described.

For supporting documentation, the issuer provided a cardholder letter stating the jeweler indicated that a ring purchased by the cardholder was solid 14-karat gold, but the ring was not worth the amount paid to the jeweler.

The cardholder also provided 1) the requisite appraisal from another jeweler verifying that the ring was gold plated, not solid 14-karat gold, and 2) a statement that the cardholder attempted to return the ring, but the jeweler refused to accept its return. The issuer did not, however, provide any documentation given to the cardholder by the jeweler stating the ring was sold as a solid 14-karat gold ring.

In this situation, the jeweler and acquirer can re-present the chargeback. They will prevail on the basis that the description on the sales ticket does not indicate the ring was presented as a solid 14-karat gold ring.

MasterCard Reason Code 4855

An issuer initiated a chargeback for MasterCard Reason Code 4855 (nonreceipt of merchandise) and supplied a letter from the cardholder involved. The letter stated the cardholder engaged in the transaction but never received the merchandise. And the cardholder contacted the merchant for a credit, but it was never issued.

To prove the cardholder received the merchandise, the acquirer provided a signed shipping receipt to the issuer. The issuer sent this signed receipt to the cardholder.

The cardholder examined the receipt and still refused to pay. The cardholder asserted he did not receive the merchandise, and the signature on the receipt was not his, nor did it belong to anyone he authorized to receive the merchandise.

If this dispute were to escalate into an arbitration case, MasterCard would rule in favor of the issuer because the cardholder still disputed the original sale’s consummation and all further documentation that the acquirer supplied. This is the bad side of the chargeback process; it doesn’t always result in the proper outcome.

The requirements for a re-presentment to a chargeback for nonreceipt of merchandise are very specific. The acquirer must provide proof that the cardholder or a person authorized by the cardholder received the merchandise.

Visa Reason Code 30

An issuer initiated a chargeback for Visa Reason Code 30 (services not provided or merchandise not received) based on a cardholder’s claim that an ordered concert ticket was not received.

In response to the chargeback, the merchant provided proof of delivery showing the package was left at the cardholder’s front door. The merchant also provided a delivery form, signed by the cardholder, authorizing the shipping company to leave the package at the door.

In this scenario, the merchant would prevail. It is unreasonable for the merchant to be responsible for the cardholder’s decision to have the package left at the door. Note: There would be a different result if the merchant were unable to provide signed proof that the cardholder agreed to have the package left at the door without a signature.

Visa Reason Code 85

An issuer initiated a chargeback for Visa Reason Code 85 (credit not processed) based on the following scenario: A cardholder called a hotel to reserve a room for three nights and gave his credit card number to guarantee the room. The hotel informed him of its 24-hour cancellation policy and provided a confirmation number.

Three days before the reservation date, the cardholder called the hotel to cancel the reservation. The cancellation was accepted. But the cardholder was charged for a no-show on the arrival date. The cardholder then phoned the hotel, which explained it did not have record of the cancellation, so the charge was valid.

The hotel and acquirer re-presented the chargeback, claiming the hotel had no record of the cancellation and the issuer did not provide a cancellation number.

In this case, the hotel would prevail. Reason Code 85 requires a cancellation number be provided for a no-show transaction. If the cardholder was not given a cancellation code or if the cardholder lost the code, the issuer cannot pursue the chargeback.

These examples show how nit-picky the chargeback process can be. However, my experience in helping ISOs solve merchant chargeback problems has shown the process can be managed. Only a few chargeback scenarios apply to each merchant.

By having the proper processes in place, merchant chargebacks can be minimized. And when they do occur, they can often be re-presented, shifting the burden of loss back to the issuer.

Advance Funding For Credit Card Sales


We have identified the lowest rates in our industry. Our source charges less than 1/3 of the standard rate. When I first read about this arena, I was attracted by the fact that merchants could access tens of thousands of dollars by utilizing loan companies prepared to offer instant funding to credit card acceptors. However, when I saw the rates that were being charged, I vowed to never present this to any of my clients. However, I did eventually read about one firm that seemed very honest and whose rates were less than 1/3 of the other loan companies. Then one of my merchants contacted me because he had been approached by one of the typical high usury firms. After I determined that he had exhausted all of his bank lines, I agreed to put him through the firm I had found. Everything went smoothly, and now I don’t hesitate to accept applications for this company if the situation warrants it. As always, if you have a need, contact me.

ARE PAYPAL & GOOGLE CHECKOUT VIABLE PROCESSORS FOR MERCHANTS?

The below article addresses the pros and cons of these startup accounts.

Unless merchants are small enough to store inventory under their beds, they’re going to need more than PayPal or Google has to offer. “You rarely see a merchant accepting MasterCard but not Visa,” Roy Banks, President of Authorize.Net, said. “That’s because the merchant wants to – needs to – accept the payment form their customers dictate.

“Anything else, and they’re leaving money on the table. And no matter how much PayPal or Google grows, they’re just not going to replace credit cards anytime soon.” Merchants who earn or have the potential to earn $20,000 a month are candidates for a merchant account and online gateway service.

They are likely to qualify for lower commission rates when using a merchant account than when using third-party payment services like PayPal. A quick comparison of costs may be all that’s necessary to illustrate this. Buying by price alone may not be the best strategy. Most online merchants are somewhere between bootstrapped and taking in $20,000 a month.

While price is likely to be an important factor for any merchant, it’s not likely to be the only one. After all, if a family member is seriously ill, do you select a doctor on price alone? The way a business processes payments can be critical to the health of the business, and most successful business people are too smart to leave that to chance. Remember, ISOs and MLSs offer invaluable services Google or PayPal don’t offer.

Get creative with customer service and consulting

The payments industry’s technology, rates, and regulations change at bewildering speed. There are hundreds of options for merchants. Mistakes can cost them a great deal both financially and in aggravation, particularly over the long term. It’s a full-time job to keep up with the changes. Although vital, bankcard processing is only one small part of a merchant’s business. Merchants are experts in their fields; they should be able to rely on an industry consultant’s expertise in the payments field.

A consultant’s ability to help merchants select the best of many options for a merchant’s particular circumstances is something with which PayPal or Google cannot compete: They offer what they offer and have no reason to screen other options or distill industry information for their merchants.

“Since the MLS is offering a personal service to online merchants that the other third-party providers aren’t offering, we should consider actually increasing the fees slightly,” Thompson said. “We may as well charge slightly more for our personal services to merchants, once they realize that the cheaper service isn’t always best, especially for the small/mid-sized merchant that needs a real expert opinion on which options they should choose. These new services may actually turn out to make the MLS’ expertise more valuable, which increases our value, to say the least.”

Additionally, PayPal reportedly suffers from customer service concerns. Some are real, some are perceived. Stories abound of merchants whose accounts were frozen by PayPal when a chargeback was disputed.

The PayPal phishing scam barrage also makes some merchants uncomfortable: It’s so incessant that it appears PayPal is not taking action. People wonder, What if PayPal’s customer accounts are locked because of unauthorized activity (which one of the scams threatens), and the only payment alternative a merchant has is PayPal? What if the PayPal system is compromised by hackers?

Real or not, these concerns expose an underlying fear: If PayPal (or something like it) is merchants’ only payment option, PayPal has more control over their payments – and therefore their income – than the merchants themselves.

Emphasize control and branding

Having their own merchant accounts gives merchants more control in resolving payment disputes, such as those involving customer chargebacks. Many merchants think PayPal tends to decide such disagreements in favor of the purchaser. A merchant account also gives merchants control over their customer data, which potentially could provide valuable marketing opportunities.

Eric Remer of PaySimple believes his company, a provider of Web-based accounts receivable software, provides several benefits neither Google nor PayPal offers. “PaySimple is dedicated to promoting our customer’s brand, not our own,” he said.

“With either Checkout or PayPal your customer is building a relationship with the payment processor, because a Checkout or PayPal account must be opened by your customer in order for you to accept their payment via either of those vehicles. Further, Google and PayPal both process the actual transactions for merchants, taking on even further ownership of the relationship … potentially profiting off float time between settling and transferring funds to merchants. And, both Checkout and PayPal actively market to these customers and may even promote your competition to your customers.”

Remer said PaySimple’s solution can function completely on the back-end with “our customer’s own shopping cart, or we can create custom-branded secure Web pages for shopping cart payments or online bill-pay. In contrast with PayPal, the transition to a PaySimple payment screen is seamless. Purchasers don’t have to go to a separate site for payment processing.”

Banks thinks the value of a merchant account goes beyond a simple payment process. “It’s a proven business model that has evolved over time,” he said. “It’s a true merchant banking account: The merchant has a relationship and a history with the financial institution, and it is FDIC insured. Access to the funds cannot be withheld.”

A big challenge for merchants is that most online merchants are actually multichannel. They aren’t just selling online. They may have a storefront. They may process MO/TO sales, or even mobile sales. This is a huge opportunity for ISOs and MLSs.

“The ISO is in the perfect spot to not only explain the merchant’s cost of processing to them, but to help them find one solution that provides the best option for every type of transaction they use, or may want to use,” Banks said. “Who else can give them that kind of information?”

Become a solution provider

To compete with alternative payment solutions, such as PayPal or Google, that bundle shopping cart and other online benefits, processors or ISOs need to create solutions that specifically fit the needs of online merchants.

“I think that in the future ISOs will be solution providers, not just payment providers,” Banks said. “If the online merchants don’t find their needs met by ISOs, then other solution providers will start bundling merchant services. A reseller can look like a real hero to the merchant if they not only set up processing but also help them streamline or market their business better. And in the future I think those things will all be integrated.”

Silver highlighted the need for processors to offer shopping carts. “For the profitable accounts, the lack of a shopping cart is more of a problem than PayPal itself,” he said.

Dan Schatt, Senior Analyst with Celent LLC, thinks payment providers need to move beyond the tactical work of serving as a gateway or processor.

“As merchants search for any edge that can increase loyalty and lower shopping cart abandonment, they will enlist a new breed of provider that can do more to increase their profitability than what has been offered in the past,” he said.

“The most effective payments capabilities will be hard to discern from a merchant’s merchandising program and will blend into the look and feel of the merchant site.”

Schatt thinks today’s alternative payment options will not only address many industry fraud issues head-on, but they will also couple authentication and payment options with strategic marketing capabilities to become an extension of a merchant’s marketing program.

“The most innovative products will allow merchants to promote unique offerings, spurring loyalty and retention benefits that ultimately make a merchant more profitable,” he said.

Merchants need their needs and boost their profitability in ways so creative that leave the PayPals and Googles of the world stuck in the Web, ready to fold.

Article published in issue number 060801



CANCELLATION FEES-DO YOU HAVE TO PAY?

Hi,

Below please find an industry update on early cancellation fees that some processors try and enforce. Because of all of the reasons below, merchants that have had larger potential early exit fees have been bringing the former processors to court, and the processors have been losing. Because the fee is usually small, the fact is that no processor is going to incur legal expenses to try to enforce a clause that’s been losing in courts. The easiest way to ensure that you don’t have to pay a fee is to wait until your new processor is in place and you have received your last ACH credit from them, and then instruct your bank to stop any future withdrawals from your account by your former processor. Then experience has shown that the former processor will just go away softly into the night.


Bill Hoidas
District Sales Manager
Larger B2B/MOTO/Internet Accounts
Matrix Payment Systems
(847) 381-3482 office
(847) 381-4289 fax
bhoidas@matrix-ps.com
John 3:16 For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life.

the legal jungle

CANCELLATION FEES: How Much is Too Much?

by Paul Rianda

There has been considerable discussion of late regarding cancellation fees that are charged by ISOs and credit card processors upon the termination of a merchant agreement. Below I will discuss the various types of cancellation provisions and their impact on our industry.

What Is A Cancellation Provision?

The vast majority of Merchant Agreements contain a provision that provides for the merchant to pay a cancellation fee if the Merchant Agreement is terminated before the end of its term. The “term” of a Merchant Agreement is the time period the contract will be in effect. The industry standard term for Merchant Agreements is three years.

A typical cancellation situation occurs as follows: A merchant signs up with a credit card processor under a Merchant Agreement that provides for a three-year term. The merchant is then approached by a sales agent that wishes to move the merchant to another credit card processor, usually using the enticement of charging the merchant less fees for processing credit cards. The merchant attempts to cancel its existing Merchant Agreement with its current credit card processor before the merchant has been with the credit card processor for three years. However, the merchant is notified when it attempts to cancel the Merchant Agreement that it is subject to a cancellation fee since the merchant has not fulfilled its obligation to use the credit card processor for the entire three years that it is obligated to do so under the Merchant Agreement.

Types of Cancellation Fees.

There are three main types of cancellation fees that are prevalent in the bankcard industry:

The first type of cancellation fee is the flat fee. The merchant is charged a set amount for canceling the Merchant Agreement prior to the end of the term, regardless of when the cancellation occurs. Consequently, if the merchant cancels the Merchant Agreement one day into the relationship or even 2 years and 11 months into a 3-year term, the merchant pays the same amount as a cancellation fee. The most common cancellation fee utilized in our industry is a flat fee of $295.

The second type of cancellation fee is a hybrid fee that is calculated by multiplying a fixed amount by the balance of the term left in the Merchant Agreement. Agents and credit card processors will typically choose a cancellation fee multiplier that is the sum of the monthly minimum and statement fee payable every month by the merchant, such as $35. The $35 is multiplied by the remaining months left in the merchant contract. For example, if a merchant cancels his Merchant Agreement after two years where the Merchant Agreement has a three-year term, there are 12 months left in the term of the Agreement. To determine the cancellation fee, you multiply the 12 months remaining in the Merchant Agreement by $35 to arrive at the total cancellation fee of $410.

The third type of cancellation fee, and potentially the most problematic, is based on lost profit to the credit card processor. The Merchant Agreement provides that the credit card processor is entitled to the monthly profit that it would have made from the merchant for the balance of the term of the Agreement. For example, if the merchant cancelled its Merchant Agreement with a year left on the term of the Agreement, the credit card processor would be entitled to 12 times the average monthly profit it would have derived from the merchant. This includes all dues, assessments and other charges that the merchant may have incurred in the first two years of the relationship on an average monthly basis.

Problems With Cancellation Fees.

The main reason credit card processors have to charge these fees is to dissuade merchants from moving to another processor. If a merchant decides to move to a new processor that is willing to offer the merchants more competitive pricing for its credit card processing services, the credit card processor uses the cancellation fee to try to retain the merchant. The merchant loses because it cannot move to a different credit card processor without paying what may amount to a hefty fee in many circumstances. If the merchant does move, the price it pays in the cancellation fee may more than offset any advantage it will get from a lower rate to process. This practice therefore tends to limit competition in the marketplace.

Cancellation fees have also caused problems for credit card processors that try to assess such fees to merchants. Inadequate disclosure of fees is a common problem. Some processors bury the cancellation fee to be charged in the boilerplate language of the agreement and some do not disclose it at all. There have been a number of lawsuits recently challenging these cancellation fees and some companies in our industry have had to pay substantial settlement payments to address these claims.

While inadequate disclosure is a problem regardless of the type of fee, the most serious consequences can occur when “lost profits” cancellation fees are not fully disclosed. Obscure language in the agreement may make it very difficult to really appreciate the amount of the fee that may have to be paid in the event of cancellation. One almost has to be an expert in the credit card processing industry to understand the consequences of early termination of the relationship. If a merchant does try to cancel its contract, the credit card processor sends out a letter to the merchant alleging it is entitled to a cancellation fee that few merchants could afford to pay. The credit card processor has access to the merchant’s bank account so often it is able to take the cancellation fee straight out of the merchant’s bank account before the merchant can object. The merchant is left with the decision to stay with the credit card processor or fight over a termination fee that could bankrupt it.

The continued use of these types of cancellation fees, especially the ones based upon lost profits, is inviting additional scrutiny and regulation of our industry. It might be time for us to consider adopting “best practices” to regulate the imposition of cancellation fees in Merchant Agreements.

** The information contained herein is for informational purposes only and should not be relied upon in reaching a conclusion in a particular area. The legal principles discussed herein were accurate at the time this article was authored but are subject to change. Please consult an attorney before making a decision using only the information provided in this article.



Paul A. Rianda, Esq. is an attorney who has specialized in providing legal advice to the bankcard industry for the past 10 years. For more information about this article or any other matters, please contact Mr. Rianda at (949) 261-7895 or via email at paul@riandalaw.com