Category Archives: News Update

foreign payment processing including credit cards, eChecks, ACH, etc. now possible

Hi,

I have been fortunate to establish a relationship with the finest company involved in the international markets: Global Collect, http://www.globalcollectusa.com/

They take all of the hassle out of setting up foreign processing and all at very reasonable rates.

Global Collect is the only global payment processing provider that provides both credit card and alternative payment processing in over 50 local currencies, and 120 countries worldwide. Their Web Collect Platform is the broadest global payment network available through a single technical and financial interface.

Let me know your level of interest.

keeping up with PCI deadlines for 2008-January, July & October including PABP for programmers/software vendors

Hi,

Below please find a PCI security theft update. Please note PABP for programmers & mandates for January (that would be now!), July and October.

Visa, PCI council make security move

By Michael Petitti
TrustWave

Editor’s Note: A version of this article originally appeared in the December 2007 issue of Trusted News, a TrustWave publication.

Be prepared. Two major announcements made in recent months will send merchants scrambling to their payment application vendors and merchant level salespersons (MLSs) for guidance and clarity.

Visa Inc. and the Visa’s Payment Application Best Practices (PABP), it’s likely that a great number of these compromises would not have occurred.

Visa created PABP to prevent payment card compromises by guiding software vendors in developing payment applications that support a merchant’s compliance with the PCI Data Security Standard (DSS). The PCI SSC and Visa detail plans to unify a payment application security standard and begin enforcing the use of adherent applications.

Total takeover

The PCI SSC took over management of PABP in November, and renamed it the Payment Application Data Security Standard (PA DSS). New standards are expected to be released by the first quarter 2008. (For more information, see “Farewell PABP, hello PA DSS,” The Green Sheet, Nov. 26, 2007, issue 07:11:02.)

While the PA DSS is based on the PABP and remains similar to it, feedback received from various stakeholders may alter the PA DSS slightly. While these differences will affect software developers, merchants will not likely be affected.

Merchants will not need to look into the detailed requirements of the PA DSS or comply with it per se – applications developed for internal use only must still comply with the PCI DSS. Merchants only need to ensure that the payment applications they use are certified as PA DSS compliant. (For a list of validated, PABP-adherent payment applications, visit http://usa.visa.com/download/merchants/validated_payment_applications.pdf.)

Once the transition is complete, the PCI SSC will maintain the list of validated applications. MLSs should ensure that the payment applications they offer are on this list. If not, MLSs should consider removing the offering from their portfolio of products.

As with the PCI DSS, the council will maintain its position as governing body of the PA DSS. Enforcement will continue to fall under the authority of the individual card brands.

While the transfer of the PABP standard to the PCI council will increase awareness of payment card security and increase adoption of secure payment applications, Visa’s recent announcement will probably have a more immediate effect on your merchant customers.

Calendar of events

In October, Visa set forth a plan to mandate merchants’ use of PABP-adherent (now PA DSS-adherent) applications. The plan entails a number of deadlines set by Visa to eradicate the use of vulnerable payment applications and payment applications that do not adhere to the PA DSS.

While the deadlines for the program are set for acquirers, VisaNet processors and agents because these organizations stand above merchants in the payment card acceptance process, the deadlines also apply to merchants.

Following are the specific mandates and deadlines Visa established:

* Jan. 1, 2008 – Merchants cannot use payment applications identified by Visa as vulnerable. For a list of these vulnerable payment applications, contact your acquirer.
* July 1, 2008 – VisaNet processors and agents cannot grant access to their network to new payment applications that are not PA DSS certified.
* Oct. 1, 2008 – Newly boarded level 3 or 4 merchants must prove their PCI compliance or use PA DSS-adherent payment applications.
* Oct. 1, 2009 – Payment applications identified by Visa as vulnerable will be decommissioned from the Visa network.
* July 1, 2010 – Merchants must use PA DSS-adherent applications to accept Visa transactions.

Field of queries

It’s likely that a number of current customers or potential customers will have questions about the new requirements.

Here are talking points to remember during these discussions:

* The PA DSS does not supplant the PCI DSS.
* The PA DSS supplements the PCI DSS.
* The card brands will continue to require that merchants continue to comply with the PCI DSS.
* Visa is the only card brand thus far that will require the use of PA DSS-compliant payment applications, but other card brands are likely to follow.


Bill Hoidas
District Sales Manager
Larger B2B/MOTO/Internet Accounts
Product Development Manager
Matrix Payment Systems
(847) 381-3482 office
(847) 381-4289 fax
http://paymentconsulting.net
John 3:16 For God so loved the world, that he gave his only begotten
Son, that whosoever believeth in him should not perish, but have
everlasting life.

recent regulation by FACTA (Fair and Accurate Credit Transactions Act)

Most merchants already know that FACTA says credit and debit card receipts may not include more than the last five digits of the card number. But now they have mandated that the card’s expiration date may not be printed on the cardholder’s receipt. However, the effective date of this provision is a long way off, and there are a couple of loopholes:

* This section does not apply to receipts for which the sole means of recording a credit or debit card number is by handwriting or by an imprint or copy of the card.
* For machines in use before January 1, 2005, the merchant has three (3) years to comply.
* For machines in use after January 1, 2005, the merchant has one (1) year to comply.
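The two receipt rules above (no more than the last five digits of the card number, and no expiration date) as an added worked example in Python; this is not code from the original post. It has a formatter that produces a compliant customer copy and a checker that scans finished receipt text, say from a printer spool or a terminal log, for either kind of leak. The merchant name, the card values and the receipt layout are constructed sample data, and the function names are my own.

```python
import re

# Added example, not from the original post. Constructed sample values only;
# 4111 1111 1111 1111 and 3782 822463 10005 are well-known test PANs, never issued.

# A run of 13 to 19 consecutive digits has the shape of a full card number.
PAN_RUN = re.compile(r"\d{13,19}")
# A labelled expiration field such as "EXP 12/09" or "Expires: 12/2009".
EXPIRY_FIELD = re.compile(
    r"\bEXP(?:IRES|IRY|IRATION)?\b\.?\s*:?\s*\d{1,2}/\d{2,4}", re.IGNORECASE
)


def mask_pan_for_receipt(pan: str, visible_digits: int = 5) -> str:
    """Return the card number as it may appear on the customer copy.

    Only the last `visible_digits` digits survive; every other digit becomes
    '*'. Five is the FACTA limit quoted in the post; pass a smaller value
    where a stricter rule applies. Separators (spaces, dashes) in the input
    are dropped before counting.
    """
    digits = re.sub(r"\D", "", pan)
    if not 13 <= len(digits) <= 19:
        raise ValueError("a card number has 13 to 19 digits")
    if not 0 < visible_digits <= 5:
        raise ValueError("at most the last five digits may be shown")
    return "*" * (len(digits) - visible_digits) + digits[-visible_digits:]


def format_receipt(merchant: str, pan: str, expiry_mmyy: str,
                   amount: str, auth_code: str) -> str:
    """Build the cardholder's receipt text.

    The terminal knows the expiration date, so the function accepts it to
    mirror a real transaction record, but it is never written out: the
    receipt carries the masked PAN, the amount and the authorization code only.
    """
    del expiry_mmyy  # deliberately withheld from the customer copy
    return "\n".join([
        merchant,
        f"CARD    {mask_pan_for_receipt(pan)}",
        f"AMOUNT  {amount}",
        f"AUTH    {auth_code}",
    ])


def receipt_findings(text: str) -> list:
    """Scan finished receipt text and report card data that should not be
    there. Returns an empty list for a compliant receipt."""
    findings = []
    # Join digit groups split by a space or dash so "4111 1111 1111 1111"
    # is seen as one 16-digit run; amounts and dates are left alone.
    joined = re.sub(r"(?<=\d)[ -](?=\d)", "", text)
    if PAN_RUN.search(joined):
        findings.append("full or insufficiently truncated card number present")
    if EXPIRY_FIELD.search(text):
        findings.append("expiration date present")
    return findings


if __name__ == "__main__":
    good = format_receipt("EXAMPLE STORE", "4111-1111-1111-1111", "12/09", "$42.00", "012345")
    print(good)
    print("findings:", receipt_findings(good))
    # A constructed legacy receipt that prints everything, as older terminals did.
    bad = "EXAMPLE STORE\nCARD 4111 1111 1111 1111\nEXP 12/09\nAMOUNT $42.00"
    print("findings:", receipt_findings(bad))
```

`visible_digits` is a parameter rather than a constant because FACTA sets a ceiling, not a target; where another rule the merchant is subject to is stricter (the PCI DSS display-masking requirement, for instance), the same function applies the smaller value. The checker is a heuristic: it catches digit runs and labelled expiration fields, which is what a legacy terminal prints, but it cannot prove a receipt template is clean, so it belongs in a test over real printed output, not in place of reviewing the template.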

This will simplify your security requirements for preventing credit card identity theft

If you process through regular telephone lines you at least have to fill out a simple questionnaire every year. If you use an IP connection you need to follow the below requirements. The questionnaire is at https://www.pcisecuritystandards.org/tech/supporting_documents.htm

There is a lot of confusion about the ever-changing PCI security compliance requirements. Much of it is posturing by the credit card associations to a public concerned about identity theft. The truth is the card associations are putting the onus on merchants. They are doing that with the below requirements, which, if you don’t do them and you are singled out, MC/Visa will fine you through your processing bank to make sure they have someone who will roll over and pay the fine. The bank, which has a hammer over your head because you are processing through them, will then turn around and collect the entire fine from you. If you try to change processors to avoid paying the entire fine they will put you on the MATCH list and you won’t be allowed to open a merchant processing account anywhere in the USA. Suffice it to say that you don’t want to be the next merchant in the news for having your customers’ credit card info compromised. Read the below. Many of you will fall into the Level 4 category, so the requirements aren’t too bad. This is directly from Visa’s website to assure accurate information.

(direct link)
http://usa.visa.com/merchants/risk_management/cisp_merchants.html

Merchants

Compliance validation details for merchants

Acquirers are responsible for ensuring that all of their merchants comply with the PCI Data Security Standard (DSS) requirements; however, merchant compliance validation has been prioritized based on the volume of transactions, the potential risk, and exposure introduced into the payment system.

PCI Compliance Acceleration Program

Visa developed the PCI Compliance Acceleration Program to provide financial incentives and establish enforcement provisions for acquirers to ensure their merchants validate PCI DSS compliance. In accordance with the PCI Compliance Acceleration Program, acquirers must additionally ensure that all Level 1 and 2 merchants validate that prohibited data is not retained by submitting a completed Prohibited Data Retention Attestation form OR Confirmation of Report Accuracy form to their acquirer.

The Merchant PCI DSS Compliance Update highlights compliance progress for level 1, 2 and 3 merchants.

Merchant levels defined

All merchants will fall into one of the four merchant levels based on Visa transaction volume over a 12-month period. Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (“DBA”). In cases where a merchant corporation has more than one DBA, members must consider the aggregate volume of transactions stored, processed or transmitted by the corporate entity to determine the validation level. If data is not aggregated, such that the corporate entity does not store, process or transmit cardholder data on behalf of multiple DBAs, members will continue to consider the DBA’s individual transaction volume to determine the validation level. Merchant levels are defined as:

Merchant level* and description:

Level 1: Any merchant, regardless of acceptance channel, processing over 6,000,000 Visa transactions per year; and any merchant that Visa, at its sole discretion, determines should meet the Level 1 merchant requirements to minimize risk to the Visa system.
Level 2: Any merchant, regardless of acceptance channel, processing 1,000,000 to 6,000,000 Visa transactions per year.
Level 3: Any merchant processing 20,000 to 1,000,000 Visa e-commerce transactions per year.
Level 4: Any merchant processing fewer than 20,000 Visa e-commerce transactions per year, and all other merchants, regardless of acceptance channel, processing up to 1,000,000 Visa transactions per year.

* New merchant level definitions effective as of July 18, 2006.

** Any merchant that has suffered a hack that resulted in an account data compromise may be escalated to a higher validation level.

Compliance validation basics

In addition to adhering to the PCI Data Security Standard, compliance validation is required for Level 1, Level 2, and Level 3 merchants, and may be required for Level 4 merchants.

Level 1
  Validation action: Annual On-site PCI Data Security Assessment and Quarterly Network Scan
  Validated by: Qualified Security Assessor or Internal Audit if signed by Officer of the company (assessment); Approved Scanning Vendor (scan)
  Due date: 9/30/04. New level 1 merchants have up to one year from identification to validate.

Level 2
  Validation action: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
  Validated by: Merchant (questionnaire); Approved Scanning Vendor (scan)
  Due date: New level 2 merchants: 9/30/2007

Level 3
  Validation action: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan
  Validated by: Merchant (questionnaire); Approved Scanning Vendor (scan)
  Due date: 6/30/05

Level 4*
  Validation action: Annual PCI Self-Assessment Questionnaire and Quarterly Network Scan (if applicable)
  Validated by: Merchant (questionnaire); Approved Scanning Vendor (scan)
  Due date: Validation requirements and dates are determined by the merchant’s acquirer

*The PCI DSS requires that all merchants perform external network scanning to achieve compliance. Acquirers may require submission of scan reports and/or questionnaires by level 4 merchants.

Validation procedures and documentation

Acquirers must ensure that their merchants validate at the appropriate level and obtain the required compliance validation documentation from their merchants. Acquirers must submit monthly status reports to Visa and all compliance validation documentation must be made available to Visa upon request. Acquirers and merchants should also verify the compliance reporting requirements of other payment card brands which may require proof of compliance validation.

Compliance validation takes place at the merchant’s expense, as follows:

  • Level 1 Merchants
    The Annual On-Site PCI Data Security Assessment must be completed for Level 1 merchants according to the PCI Security Audit Procedures document. This document is also to be used as the template for the Report on Compliance.

    Level 1 merchants should engage a Qualified Security Assessor to complete the Report on Compliance and provide the report to their acquirer. Alternatively, acquirers may elect to accept the Report on Compliance from a level 1 merchant, provided that a letter signed by a merchant officer accompanies the report. Level 1 merchants must also submit the Confirmation of Report Accuracy form completed by their assessor to their acquirers.

    Acquirers must submit the Confirmation of Report Accuracy form and a letter accepting the merchant’s full compliance validation to Visa upon receipt and acceptance of the merchant’s validation documentation.

    Download the PCI Security Audit Procedures.

    Download the merchant Confirmation of Report Accuracy.

  • Level 2/Level 3 Merchants
    The Annual PCI Self-Assessment Questionnaire must be completed by Level 2 and 3 merchants. Level 4 merchants may be required to complete the PCI Self-Assessment Questionnaire as specified by their acquirer.

    Download the PCI Self-Assessment Questionnaire.

  • Level 1/Level 2/Level 3 Merchants
    The Quarterly Network Security Scan is an automated tool that checks systems for vulnerabilities. It conducts a non-intrusive scan to remotely review networks and Web applications based on the externally-facing Internet Protocol (IP) addresses provided by the merchant. Acquirers are responsible for ensuring that the quarterly network security scans required of their level 1, 2, and 3 merchants are performed by an Approved Scanning Vendor. The Quarterly Network Security Scan is applicable to merchants with externally-facing IP addresses as specified by their acquirer. Quarterly Network Security Scans are not required of merchants that do not have externally-facing IP addresses.

    Download the PCI Security Scanning Procedures.

For more information

To learn more about the CISP, contact Visa via email at AskVisaUSA@Visa.com.


paper checks are decreasing while use of electronic checks is growing

Fewer checks, faster process

By Patti Murphy
The Takoma Group

A new report out of London shows check usage is declining rapidly in the United Kingdom. The report, prepared by APACS, the U.K. payments association, reveals that check writing in that country fell 8% during 2006. Over the past 10 years, APACS reports, check writing by individuals in the U.K. has been cut in half.

The Federal Reserve is slated to release results from its latest payments research later this fall. I’m betting that data will show check usage declining by about the same percentage. That may not seem like much, perhaps, until you consider that the vast majority of checks written in America today are cleared electronically.

They aren’t electronic payments, but by using electronic clearing channels, it’s now possible to clear a check in a day. It’s not electronic funds transfer, but it’s darn close. And it pretty much guarantees that checks will be changing hands in the United States for many more years to come.

Direct comparisons of check usage in the United States and the U.K. don’t hold much certitude. After all, Brits wrote only 1 billion checks in 2006. Optimistic estimates place U.S. check writing at about 30 billion last year.

According to the Fed’s number crunchers, America’s love affair with the check peaked about a decade ago.

We know anecdotally that fewer checks are being written today in the United States. How many of your kids write checks? How many fewer checks do you write today compared with just a few years ago? And we know more Americans are using electronic methods of payment more than ever.

Data collected in 2005 by Dove Consulting Inc., a division of Hitachi Consulting, indicated Americans were using cards more often than cash or checks for in-store purchases by a margin of 12% (56% using cards; 44% with cash or checks).

Just four years earlier, cash and checks were more popular, accounting for 51% of in-store purchases (49% of purchases in 2001 were made using credit, debit or other payment cards), Dove said.

The U.K. seems to have had better luck weaning folks off of checks. According to the APACS survey, only 54% of adults wrote checks last year; just 47% received check payments in 2006. Checks written to retailers fell 48% between 1996 and 2006, APACS said.

“On average we now write 1.6 [checks] a month and receive just one every two months, with half of adults no longer receiving any,” APACS reported in The Way We Pay 2007.

Plenty of checks, less paper

Americans write an average eight to 10 checks a month, based on currently available data. Yet paper processing workloads have fallen drastically, because for the Fed and banks, imaging is emerging as the de facto standard for processing checks.

It’s not unusual for a paper check to be physically handled a dozen times or more during a multiday clearing process.

With imaging, checks are truncated as soon as possible after entering the collection stream, then get cleared and settled using electronic networks that mimic the land and air-based check collection process. The result is that checks can clear now as fast as some electronic payments.

“Image exchange continues to account for a larger share of check processing because it enables institutions to reduce costs and streamline operations,” said Susan Long, Senior Vice President at The Clearing House, which operates the SVPCO Image Payments Network.

And it’s not just a big-bank phenomenon. The Independent Community Bankers Association of America, a Washington-based trade association, reports that most small banks (86%) either have replaced paper check presentment with electronic clearing or are planning to do so within the next two years.

More than a third of the banks surveyed by ICBA this year (36%) are capturing check images at branch locations for centralized processing. An additional 39% expect to be imaging checks for branch-level truncation.

Fewer banks (21%) have rolled out remote deposit products to their business customers (another 45% expect to within the next two years).

In 2005, the last time ICBA queried its members about payments activities, only 4% had business customers transmitting check files instead of trundling paper checks to their local bank offices for deposit.

SVPCO is said to extend to more than 10,000 endpoints, which makes it accessible to nearly all banks (either directly or through compatible networks like the Fed’s).

In August, SVPCO saw a 250% increase in image check exchanges, compared to August 2006. All told, the network said it handled 263.8 million checks worth $454.5 billion last month.

Extrapolating, it seems fair to predict that by year-end 2007, SVPCO’s final tally will top 3 billion checks. To put this into perspective, that’s about the same number of consumer checks that were converted to electronic payments last year and processed through the automated clearinghouse (ACH) using a process known as ACH check conversion.

(In fairness to the ACH, a new check conversion format, known as back office conversion and implemented this spring, makes it easier for merchants and other businesses to embrace ACH check conversion. So, overall conversion numbers should be much higher this year.)

Checks aren’t going away; not in the United States or the U.K. “Although volumes will continue to fall, we forecast that there will still be around 840 million checks used in the U.K. in 2016,” said Sandra Quinn, Director of Communications at APACS. “If you placed these checks end-to-end, they would stretch around the world two and a half times.”

At current rates, it will take much longer for check numbers in the United States to drop below a billion a year. But make no mistake about it: Check imaging is changing the nature of payments. Just ask the Fed, which has closed nearly two dozen check processing offices over the past few years.

Eventually (maybe even before 2016), the Fed expects to be processing checks through one centralized locale. At its peak, the Fed’s check workload was handled through a network of about four dozen regional processing shops.


Terms on your statement/application translated to English

Interchange-based fees (discount rate)

    Qualified rate (credit)

    A qualified discount rate is the percentage rate merchants are charged whenever they accept regular consumer credit cards and process them in a manner that has been defined as “standard” by their merchant account providers. Typically, this requires that the cards be electronically swiped and the transaction settled within 24 hours.

    An average qualified rate is .0175 or 1.75%.

    Qualified rate for offline debit (debit/check cards without PIN entry)

    Some merchants prefer to not enter PIN numbers. Thus, processors may offer a reduced discount rate known as the qualified check card rate.

    This qualified discount rate is the percentage rate merchants are charged whenever they accept regular consumer debit or check cards and process them in a manner that has been defined as “standard” by their merchant account providers.

    Typically, this requires that the card be electronically swiped and the transaction batched/settled within 24 hours.

    An average qualified rate is .0145 or 1.45%.

    Mid-qualified rate

    Also known as a partially qualified rate, the mid-qualified rate is the percentage rate merchants are charged whenever they accept credit cards that do not qualify for the lowest rate (the qualified rate). This may happen for several reasons:

    • A consumer credit card is keyed into a credit card terminal instead of being swiped.
    • A special kind of credit card is used, such as a rewards card, foreign card, purchase or business card.
    • A transaction is held in the terminal or software without being batched within the specified amount of time (24 to 48 hours).

    A mid-qualified rate is usually .075% to 2.0% and charged in addition to the qualified rate.

    Nonqualified rate

    The nonqualified rate is the highest percentage rate merchants are charged whenever they accept credit cards. All transactions that are not qualified or mid-qualified will fall into this rate category. This may happen for several reasons:

    • A consumer credit card is keyed into a credit card terminal instead of being swiped, and address verification is not performed.
    • A special kind of credit card is used, such as a business card, and all required fields are not entered.
    • A merchant does not settle the daily batch within the allotted time frame.

    A nonqualified rate is usually 1.25% to 2.50% and charged in addition to the qualified rate.

    Interchange-plus pricing

    Larger and more sophisticated merchants usually have their merchant account services priced on an interchange-plus basis. This means they pay a specified markup over and above the interchange costs, as opposed to the typical three- or four-tiered pricing models.

    For example, interchange plus .30 basis points is not uncommon. In this instance, a merchant processing $100,000 in bankcard volume would yield $300 per month in gross profitability before the revenue share.

Authorization and other fees

    Bankcard authorization/transaction fees

    These apply to bankcards issued by MasterCard Worldwide and Visa U.S.A.

    The authorization fee is charged each time a transaction is sent to the card-issuing bank to be authorized. It is usually between 10 cents and 20 cents, plus the interchange cost. Even if the transaction is declined, this fee is usually assessed.

    Nonbankcard authorization/transaction fees

    These apply to cards issued by American Express Co., Discover Financial Services LLC, Diners Club Inc., as well as electronic benefits transfer (EBT), gift and loyalty cards, and so forth.

    The authorization fee is charged each time a transaction is sent to the card-issuing bank to be authorized. It is usually between 10 and 20 cents. Some acquirers will separate EBT and gift and loyalty card transactions.

    PIN Based (online) debit fees and network costs

    Online debit cards require that every transaction be electronically authorized. Each transaction is additionally secured with the personal identification number (PIN). There are two ways to price PIN-based debit.

    • A single flat fee (typically in the 65- to 75-cent range, including any debit network fees)
    • A PIN-based transaction fee plus the actual cost for the various debit networks. For example: 20 cents plus actual network cost.

    AVS fee

    Address verification service (AVS) is a fraud prevention service that compares the billing address provided by the cardholder in the transaction with the card issuing bank’s records and verifies that they match.

    This fee is typically 5 to 10 cents per item.

    Voice authorization fees

    This fee is only charged when a merchant calls in a transaction to an 800 number for a telephone or voice authorization. It is useful if the merchant’s terminal or software isn’t working. Most merchants rarely use the voice authorization service. Example: The average cost per voice authorization ranges from $0.75 to $1.50, and is set by the merchant account provider.

    Batch fee

    A batch fee is charged whenever a merchant “settles” a terminal. Settling, also known as “batching,” is the act of sending a merchant’s completed transactions at the end of the business day to the acquiring bank for payment. It is industry-standard to charge this fee.

    Batch fees often mirror authorization fees: 10 to 35 cents per batch/settlement.

    Statement fee/basic monthly service fee

    The statement fee is assessed monthly and associated with the monthly statement sent to the merchant at the end of each month’s processing cycle. This statement shows how much processing the merchant did and the costs incurred.

    The statement reflects the total dollar volume, number of transactions, average ticket and so forth. This fee is a fixed revenue stream and not based on processing volume.

    Typically the statement fee is a flat $5 to $10 per location, per month.

    Debit access fee

    Some acquirers impose a monthly fee on merchants who are set up with PIN-based debit.

    This fee is usually less than $5 per month and is in addition to the PIN-based debit and network fees.

    Monthly minimum fee

    The monthly minimum fee is a way to ensure that merchants pay a minimum amount in fees each month. If a merchant’s qualified fees do not equal or exceed the monthly minimum, the merchant is charged up to the monthly minimum to satisfy the minimum fee requirements.

    Example: A merchant has a $25 monthly minimum fee. The qualified fees for the most recent month of processing total only $15. The merchant is charged an additional $10 to meet the monthly minimum requirements. It is industry-standard to charge a monthly minimum.

    Online merchant reporting fee

    Many acquirers offer merchants the ability to view their credit card processing data online. Typically, the reporting features will be far more robust than terminal-based reporting. This optional monthly service costs from $2.50 to $10 per month.

    Terminal repair/replacement

    Most acquirers offer a warranty program that extends repair or replacement coverage to POS equipment in the event of a failure. Often POS equipment supplies, such as paper rolls or ribbons, are thrown into the package. The typical cost is $5 to $10 per location per month.

    Retrieval fees

    If a consumer disputes a transaction, a retrieval request is initiated. It takes the form of a letter requesting all hard-copy sales drafts and/or invoices to demonstrate the validity of the transaction.

    This information should be fulfilled as quickly as possible for disbursement to the issuing bank.

    This fee is typically charged whether or not the chargeback is successful and is not dependent on the chargeback amount. The typical cost to a merchant is $10.

    Chargeback fees

    An acquiring bank may assess a fee on a merchant when a chargeback occurs. The fee is typically levied only when the chargeback is successful. However, it is not determined by the amount of the chargeback. A typical fee is from $15 to $25 per charge-back.

    ACH reject fee

    The automated clearing house (ACH) fee is imposed when a merchant’s payment of monthly fees bounces for any reason. Similar to a nonsufficient funds fee imposed on a checking account by a bank when a check bounces, this fee is usually about $25.

    Annual fee

    This is simply an amount that is charged annually for maintaining the merchant account. Some acquirers charge this fee; others do not. A common amount is $69 per year.

    Payment gateway

    A payment gateway is an e-commerce service that authorizes payments for e-businesses and online retailers. An example would be Authorize.Net. It is the online equivalent of a physical POS terminal located in most retail outlets.

    A merchant account provider is typically a separate company from the payment gateway; however, the account provider could bill the gateway’s fees for simplicity.

    Example payment gateway fees: The setup fee, including software or license, ranges from zero to $195. The monthly fee is $5 to $10; per item is 5 to 10 cents.

    Wireless gateway

    A wireless gateway is charged by a network offering wireless credit and debit solutions for on-the-go merchants. This fee is only relevant or charged when merchants are processing through a wireless device.

    These can range from pager devices or cellular phones with card readers attached to traditional terminal solutions. The fees would typically be: wireless setup/activation fee ranging from zero to $100; monthly wireless gateway fee $12 to $20; additional wireless per item fee 5 to 10 cents.

    Reprogram, application, installation or setup fees

    Many MLSs charge a merchant an upfront, initial fee, which can have a variety of names, to establish the merchant account. In most cases this fee (when collected) is 100% profit to the MLS. Such fees typically range from zero to $195.

    Cancellation or early termination fees

    While controversial, most merchant accounts have some sort of cancellation or early termination fee. There is significant cost in setting up and maintaining a merchant account.

    This fee helps recoup some of those losses should a merchant cancel, especially in the beginning.

    It’s my belief that cancellation or termination fees should be a fixed amount, such as $250, $395, or some other appropriate amount.

    Beware of acquirers that charge a variable cancellation fee. For example, some acquirers will charge the number of months left on the contract term times the average fees that merchants have been paying each month.

    Under such a scenario a merchant could be liable for thousands of dollars.

    Again, any cancellation or termination fees should be disclosed and be a fixed amount, not a hidden fee to soak an unsuspecting merchant for thousands of dollars.

    Equipment/software fees

    There are various ways a merchant can acquire POS equipment in today’s competitive marketplace. I will not use this article to debate the various options; I’ll just list them for simplicity.

    • Purchase: A merchant can buy the equipment.
    • Lease: A merchant may prefer a fixed monthly payment for an extended period, as opposed to the initial capital investment a purchase requires. Leases range from 12 to 60 months. The average lease for POS equipment is 48 months.
    • Rental: Merchants can rent POS equipment month-to-month. This is good for retailers who want a low payment without the long-term requirements associated with a lease.
    • Free placement: If a merchant agrees to the terms of the offer, a merchant can enjoy the use of POS equipment without specifically paying for it.

Hopefully, this will be a useful guide to the various charges associated with merchant accounts. If you have any questions or comments, please contact me directly.

Let’s build that million dollar portfolio.

Your responsibilities as a merchant in preventing credit card theft & fraud-PCI compliance

PCI DSS 101

A Journey, Not A Destination

by Brett Callow and Rhonda Turner

Almost everybody has a credit card, and most people have more than one card. Between 1995 and 2006, the number of cards in circulation almost doubled. Unfortunately, credit card fraud has increased just as rapidly. In the U.S. alone, card issuers lost $1.24 billion to fraud in 2006, up 9.3% from $1.14 billion in 2005. Globally, fraud costs card issuers an enormous $48 billion. To put that amount in perspective, it’s more than the GDP of the oil-rich Gulf state of Oman.

Real world. Real cases.

High-profile cases from recent years include:

  • February 18, 2005
    Bank of America announced that more than 1.2 million customer records had been lost.
  • June 16, 2005
    CardSystems was sued in a series of class actions which claimed it had failed to protect the personal information of more than 40 million customers. Both Visa and American Express prohibited CardSystems from processing any further transactions, which effectively brought its business to a halt. CardSystems faced collapse but was eventually bought out by another company.
  • January 31, 2006
    The Boston Globe and The Worcester Telegram and Gazette exposed 240,000 credit and debit card records as well as routing information for personal checks which had been printed on recycled paper used in wrapping newspaper bundles for distribution.
  • February 9, 2006
    It was revealed that approximately 200,000 debit card accounts had been disclosed by unidentified retailers. These included accounts related to bank and credit union acquirers nationwide, including Wells Fargo and CitiBank.
  • January 12, 2007
    MoneyGram confirmed that a company server had been unlawfully accessed exposing personal information, including names, addresses and bank account numbers, of around 79,000 customers.
  • January 17, 2007
    TJX Companies Inc. admitted that one of its systems had been unlawfully accessed and that at least 45.7 million credit and debit card numbers had been exposed. TJX is facing around 20 class action lawsuits and has been billed $590,000 by the HarbourOne Credit Union – $90,000 in respect of the cost of the replacement of cards and $500,000 in respect of compensation for damage to its reputation.

Credit card fraud harms consumers, it harms card issuers and it harms businesses. While consumers can normally recover their losses from card issuers and card issuers can pass their losses onto consumers, businesses have no such get-out-of-jail-free card. And, as demonstrated by the CardSystems case, credit card fraud can have catastrophic consequences for a business.
Such high profile cases have propelled security matters to center stage and brought about a new industry-wide global security program: the Payment Card Industry Data Security Standard (PCI DSS).

PCI DSS: history and background

In 2004, American Express, Discover, JCB, MasterCard and Visa joined forces to form the Payment Card Industry Security Standards Council (PCI SSC) with a mission to “enhance payment account security by fostering broad adoption of the PCI Security Standard.” To this end, Visa’s AIS and CISP programs and MasterCard’s SDP program were consolidated and updated to form the PCI DSS. The DSS provides a common framework intended to enhance the security of cardholder information throughout its lifecycle. Any business which stores, processes or transmits Primary Account Numbers (PANs) must comply with PCI DSS. The PCI SSC does not enforce compliance; that responsibility rests with the individual card issuers. While all businesses must comply with the PCI DSS, compliance requirements and the date by which compliance must be achieved vary according to the card issuer and the “Merchant Level” (see the table below). For most businesses, compliance is already mandatory. For all others, the compliance dates are fast approaching.
Non-compliance with PCI DSS can be extremely costly: a non-compliant business may incur a substantial fine and/or be prohibited from processing card transactions. Either could have a considerable impact on a business.
The SSC will monitor trends and emerging threats and update the DSS as necessary, so businesses must stay abreast of the latest requirements. That said, the non-static nature of the DSS should not present businesses with too much of a problem, as the SSC anticipates that the DSS will be amended only once per year.
The SSC is pushing hard to raise awareness of PCI DSS requirements. “The SSC is driving an aggressive program of educational activities around the Data Security Standard. We are participating in industry events, speaking at panels and conferences. Council leaders are meeting one on one with trade groups and industry associations, participating in webinars and evangelizing through the media,” said spokesperson Ella Nevill. But despite the efforts of the PCI SSC, many businesses have yet to validate their compliance. Recent surveys have shown that only about 50% of businesses currently comply with the DSS. Small businesses have been the slowest to react with only around 20% having so far achieved compliance.
To date, credit card issuers have been reasonably tolerant of the situation. The deadlines for compliance have been extended and only relatively few businesses have been subject to sanctions. But with fraud costing $48 billion per year, card issuers are likely to become increasingly insistent on compliance and increasingly likely to impose sanctions on businesses which do not comply.
So, what must a business do in order to comply with the PCI DSS?

The anatomy of the PCI DSS

The PCI DSS comprises 12 security requirements, subdivided into 6 categories:

Build and Maintain a Secure Network

  • Requirement 1: Install and maintain a firewall configuration to protect cardholder data
  • Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

  • Requirement 3: Protect stored cardholder data
  • Requirement 4: Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

  • Requirement 5: Use and regularly update anti-virus software or programs
  • Requirement 6: Develop and maintain secure systems and applications

Implement Strong Access Control Measures

  • Requirement 7: Restrict access to cardholder data by business need-to-know
  • Requirement 8: Assign a unique ID to each person with computer access
  • Requirement 9: Restrict physical access to cardholder data

Regularly Monitor and Test Networks

  • Requirement 10: Track and monitor all access to network resources and cardholder data
  • Requirement 11: Regularly test security systems and processes

Maintain an Information Security Policy

  • Requirement 12: Maintain a policy that addresses information security for employees and contractors

This represents only an overview of the PCI DSS requirements. For more detailed information, go to https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf

Merchant Levels and validation requirements

While all businesses must comply with the PCI DSS, it is important to note that the requirements for validation vary according to “Merchant Level”. The “Merchant Level” is determined by the number of transactions which a business processes during a year and by its exposure to risk. To complicate matters, the “Merchant Level” is not consistently defined across all card brands, but can be summarized as follows:

Level 1

  Level description:
  • Any business processing 6,000,000 or more transactions per year
  • Any business which has suffered an intrusion which has resulted in data being compromised
  • Any business which a card issuer decides should meet Level 1 requirements

  Validation requirements:
  • Annual on-site assessment by a Qualified Security Assessor (QSA) or internal audit (if signed by an officer of the company)
  • Quarterly network scan by an Approved Scanning Vendor (ASV)

  Validation due date: September 30, 2004 (Visa) or June 30, 2005 (MasterCard)

Level 2

  Level description:
  • Any business processing between 1,000,000 and 6,000,000 transactions per year (or between 150,000 and 6,000,000 e-commerce transactions for MasterCard)

  Validation requirements:
  • Annual PCI self-assessment questionnaire
  • Quarterly network scan by an ASV

  Validation due date: September 30, 2007 (Visa) or June 30, 2004 (MasterCard)

Level 3

  Level description:
  • Any business processing between 20,000 and 1,000,000 e-commerce transactions per year (or between 20,000 and 150,000 e-commerce transactions for MasterCard)

  Validation requirements:
  • Annual PCI self-assessment questionnaire
  • Quarterly network scan by an ASV

  Validation due date: June 30, 2005

Level 4

  Level description:
  • Any business processing less than 20,000 e-commerce transactions and less than 1,000,000 other transactions per year (or less than 20,000 e-commerce transactions and less than 6,000,000 other transactions for MasterCard)

  Validation requirements:
  • Annual PCI self-assessment questionnaire
  • Quarterly network scan by an ASV

  Validation due date: Discretionary

For detailed and specific information in relation to “Merchant Levels” and validation dates, businesses should consult with the relevant card issuer or acquiring bank.
Businesses must meet the expense of validation themselves; it’s not an expense which is covered by the credit card issuers. Should a QSA identify a problem which results in non-compliance, a business will need to remedy that problem before the QSA will reassess and confirm compliance. It is, therefore, in a business’s best interests to ensure compliance in advance of the QSA conducting the initial assessment. For each day that a business is not validated as DSS-compliant, it is exposed to the risk of sanctions by card issuers – and, of course, to the risk of the data which it processes and holds being compromised.
For a list of PCI-approved QSAs and ASVs, see www.pcisecuritystandards.org
DSS compliance is not mandatory only for retailers; third-party service providers and acquiring banks must be compliant too. In fact, it is the responsibility of acquiring banks to ensure that the businesses they represent are DSS-compliant.

The importance of compliance

The PCI DSS is not a new concept. For years, card issuers have operated and enforced their own codes of conduct. Visa had the Cardholder Information Security Program (CISP), American Express had the Data Security Operating Program (DSOP), MasterCard had the Site Data Protection (SDP) program and Discover had the Discover Card Information and Security Compliance (DISC) program. While compliance with these programs was mandatory, many businesses remained non-compliant. This was partly due to the fact that card issuers were reluctant to take enforcement action, as this would invariably have a negative impact on business relationships.
So, what’s different about the PCI DSS? Why should a business which failed to comply with the CISP, DSOP, SDP or DISC programs expend the time and resources necessary to become DSS-compliant? There are actually a number of reasons. Firstly, compliance makes good business sense. The loss of data can be exceptionally damaging, but proactively implementing a solid set of security protocols can prevent it from happening. Secondly, the marketplace and political climate have changed. In Minnesota, a bill was recently passed which put the requirements of the PCI DSS into law. Texas and other states are considering similar enactments. And credit unions and non-profits are lobbying for legislation which will enable them to recover the cost of issuing replacement credit cards from the retailer whose systems were breached. Thirdly, the cost of fraud is reaching an unbearable level and both consumers and legislators are demanding that credit card companies take action. The likely result of all this? Card issuers will probably now be far more inclined to impose sanctions in order to force businesses to comply.

Easing the pain of compliance

Ensuring the security of customer data can both enhance customer confidence and help maintain bottom line. The PCI DSS was introduced in order to raise the bar for cardholder data security, and achieving compliance should be high on the agenda of organizations that carry out business transactions involving the use of credit cards.
Implementing software tools for log management, vulnerability management, security scanning and endpoint security will go a long way towards helping you achieve compliance. However, the story does not end there. Just because a merchant receives a PCI stamp of approval, he simply cannot sit back and relax.
PCI compliance is but the beginning of a continuous process that requires regular monitoring of the security health of the merchant’s network. PCI DSS is not a one-off certification that stops with the Qualified Security Assessor (QSA) confirming you are compliant, as some merchants may think. Becoming PCI compliant means that you have reached an acceptable level of security on your network, but it does not mean that from then onwards your network is secure and cannot be breached. Maintaining PCI DSS compliance status is just as, if not more, important.
PCI DSS compliance is a long-term journey, not a destination. And this is something that all merchants need to understand irrespective of size or business.
It is a cost of doing business, granted. Yet, the cost of compliance is lower than having to pay $500,000 in fines and losing your goodwill and credibility if your network is breached!

Termination Fees

Another nail in the coffin for termination or “early cancellation” fees!

Termination Fees:

One of the biggest threats looming on the horizon to the practice of paying for merchants is the laws limiting termination fees. In order to preserve the value of their investment, many ISOs charge hefty termination fees to merchants that want to terminate their merchant agreements and move their processing to a competitor. Most ISOs charge a termination fee of about $300.00 to a merchant that wants to move its processing to a competitor.
However, many other ISOs charge “lost profit” termination fees: the ISO charges, as the termination fee, the profits it would miss out on because the merchant terminated the merchant agreement before its initial term was over. These lost-profit termination fees can mean that a simple restaurant is charged as much as $10,000.00 or more to terminate its merchant account. Many ISOs don’t collect the termination fee but instead use it as a way to force the merchant to keep its credit card processing with the ISO. Although it is a questionable business practice, these types of lost-profit termination fees have been used effectively to keep merchants from switching their processing.
However, new laws limiting termination fees may make it much harder to keep merchants from moving their processing to a competitor. In the first law of its type, Arkansas just implemented a law limiting termination fees to $50.00. Also, upon termination there is a limitation that the merchant cannot continue to be charged any monthly minimum fee for more than 1 month after the agreement is terminated. These limitations should effectively make it impossible to charge more than a $50.00 termination fee. Arkansas’ law is far from an anomaly, as many other states are contemplating and are sure to be implementing such laws.
If these laws become standard throughout the country, it could make the practice of paying for merchants economically unsound. If merchants can leave pretty much whenever they want and move their processing at will, it will be much harder to justify paying an agent or the merchant $1,000.00 in order to move their processing to a particular company, if the company has no way of ensuring it gets a return on its investment. It may not be an intended consequence of these termination fee laws, but they could mean the end of paying for merchants.

The information contained herein is for informational purposes only and should not be relied upon in reaching a conclusion in a particular area. The legal principles discussed herein were accurate at the time this article was authored but are subject to change. Please consult an attorney before making a decision using only the information provided in this article.

Paul A. Rianda, Esq. is an attorney who has specialized in providing legal advice to the bankcard industry for the past 10 years. For more information about this article or any other matters, please contact Mr. Rianda at (949) 261-7895 or via email at paul@riandalaw.com.


Bill Hoidas
District Sales Manager
Larger B2B/MOTO/Internet Accounts
Product Development Manager
Matrix Payment Systems
(847) 381-3482 office
(847) 381-4289 fax
http://paymentconsulting.net
John 3:16 For God so loved the world, that he gave his only begotten Son, that whosoever believeth in him should not perish, but have everlasting life.

Banish Chargebacks

Banish chargebacks through communication

Chargebacks result from disputes between cardholders and merchants. They have always been problematic, but they are part of the business climate and cannot be ignored. And, if merchants follow certain business practices, they can operate virtually chargeback free.

The sooner you address the subject the better it will be for your business.

Keep in mind that an ounce of prevention is the best cure.

From time to time, merchants’ goods and services will not live up to purchasers’ expectations.

A solid customer service policy explaining the terms by which merchandise can be returned, and in what condition, is essential. Customers must know what they can and cannot expect.

Such policies should be disclosed upfront in a straightforward format and easy-to-understand language. This is true regardless of whether a sale is face-to-face, MO/TO or via the Internet.

A chargeback begins when the cardholder contacts the issuing bank and complains about a transaction. The issuing bank sends the complaint to the processor, which then contacts the merchant in the event of a retrieval request or chargeback. Depending on the reason for the action, there may be a temporary reversal of funds in the merchant’s account.

Merchants need to understand a chargeback initiates with the cardholder’s interpretation of what has happened. It is the merchant’s responsibility to provide proof disputing the chargeback.

When responding to chargeback notices, merchants must adhere to specific time frames. Otherwise, they will lose by default.

Once a dispute arises, the merchant involved must provide a detailed written record of what transpired. The merchant should convey concise facts supporting a rebuttal. Complete, clear responses to the card issuer are vital to the process.

Merchants should understand that setting clear policies for returns will lower the amount of chargebacks they experience.



Congress grills warring parties on interchange

“Trying to keep an open mind, without rushing to any judgment, it doesn’t look so good for the credit card companies,” Rep. John Conyers said by way of opening a July 19, 2007, U.S. House of Representatives Judiciary Committee hearing on interchange.

Conyers, D-Mich, is Chairman of the committee’s Antitrust Task Force. He suggested the issues at hand boil down to whether interchange fees are increasing too rapidly and impose unfair costs on consumers, and whether credit card companies are engaged in anti-competitive behavior.

Interchange is the fee paid to a card-issuing bank by the card-acquiring (or merchant) bank. Interchange rates, a percentage of sales as set by Visa U.S.A. and MasterCard Worldwide, vary by retail sector, type of card, transaction amount (large-dollar versus small-dollar) and authorization procedure.

John Buhrmaster, head of the First National Bank of Scotia, spoke against interchange regulation on behalf of the Independent Community Bankers of America. Timothy Muris, of O’Melveny & Myers LLP also voiced opposition to government intervention.

Mallory Duncan, of the National Retail Federation, advocated for interchange regulation. Duncan was joined by Edmund Mierzwinski, of the U.S. Public Interest Research Group, and Steven Smith, head of KVA-T Food Stores Inc. and Chairman of the Food Marketing Institute’s board of directors.

Laissez faire?

Acknowledging that the fees have increased in recent years, Buhrmaster and Muris each testified that the fees are simply part of the normal cost of doing business.

Customers get the convenience of having a line of credit in their pockets. Merchants do not have to set up in-house credit programs.

And small banks benefit because they can participate in the system and “stand toe-to-toe on both the issuing and acquiring sides of the business,” Buhrmaster said.

Imposing pricing controls on such fees, Muris said, would stifle the market, limit the products credit card companies offer and hurt consumers.

Time to step in?

Those in favor of government intervention said the card Associations’ interchange fee practices constitute monopolistic, antitrust behavior that harms merchants and consumers alike.

Duncan denied that the retail industry is seeking price controls. He said the problem is that interchange fees have risen rapidly in a process that is hidden from merchants and customers.

“This market is broken,” Duncan said. “It needs transparency and genuine competition. Currently Visa and MasterCard do not battle for merchants. They battle to get banks to issue their cards. It is the only market in which competitors compete by raising prices,” in order to entice banks to issue their cards.

No quick fix

Buhrmaster said the market is competitive and that merchants are free to do business with the card Associations, make deals elsewhere or even to refuse credit cards altogether. He cited Costco, which only accepts American Express Co.-branded cards.

Smith replied that accepting Visa- and MasterCard-branded cards isn’t optional: Since credit card use now accounts for 60% to 65% of consumer purchases, and the card Associations control 80% of credit card transaction volume, retailers cannot refuse to accept their cards. Smith also said that while other costs of doing business are negotiable, interchange fees are not.

Conyers said several more hearings would be necessary before a resolution could be found.

The ETA weighs in

Jim Baumgartner, President of the Electronic Transactions Association (ETA), and the ETA’s government relations staff met with senior House Judiciary Committee staff before the hearing.

“We took the opportunity to press for one of the key tenets of the ETA’s 2007 Industry Relations Policies that supports private sector governance of interchange and opposes any government effort to regulate or establish price controls on interchange rates,” Mary Dees Griffith posted on GS Online’s MLS Forum. Griffith, President and Chief Operating Officer of Preferred Health Technology, chairs ETA’s government relations committee.

The ETA’s complete policy positions are online at www.electran.org/docs/ir/Policy_Positions_FINAL.pdf.