May 21st, 2014 by Elma Jane

There are no enforced standards in the card processing industry regarding rates, fees, and contractual terms. It is possible for two providers to offer seemingly the same rates and fees that result in different processing costs.

Excessive Monthly, Annual, or Quarterly Fees

There are numerous monthly, annual, or quarterly fees merchants may see on their statements each month. Many merchants pay far more than they should for these fees. The fees may have names like statement fee, service fee, membership fee, regulatory fee, PCI fee, and host of other names. The fair amount each merchant should pay for these fees varies by sales volume and merchant type. Also, the amount a merchant pays for any given fee isn’t as important as the overall processing cost. These are general guidelines; some merchants should pay far less. If you are currently paying more, it may be a good time to review your overall processing cost including your pricing plan, rates, and fees.

Excessive Payment Gateway Fees

A payment gateway route transactions from the merchant’s website to the provider. Some retail point-of-sales devices require a gateway to route the transactions. Merchants generally pay a per-month and a per-transaction fee for use of the gateway. As a rule, the direct cost to process through the gateway is a few cents per transaction.

PCI Non-compliance or Non-validation Fee

Many providers now charge a monthly non-compliance or non-validation fee if the merchant is not PCI compliant. This fee may be in addition to a monthly, quarterly, or annual PCI fee. Supposedly, providers charge the non-compliant or non-validation fee as an incentive for merchants to become compliant. Nonetheless, some providers use this fee more for revenue generation, than as an incentive. Some providers do not charge this fee at all.

Merchants should not change providers because of this fee. Instead, the merchants should become PCI compliant to eliminate the fee and reduce the probability of being breached, which could easily result in huge monetary penalties – tens of thousands of dollars. To become compliant, merchants should complete the PCI Self-Assessment Questionnaire and adhere to the PCI requirements, which may require quarterly scans. In short, if a merchant is being charged a non-compliance or non-validation fee, it is as much the merchant’s fault as anyone else.

Visa FANF Fee

In 2012, Visa started charging providers a Fixed Acquirer Network Fee (FANF). The actual fee charged by Visa is dependent on the merchant type. The fee for customer-present retail merchants is based on the number of locations. The cost for ecommerce and fast food merchants is based on the volume of business. Customer-present retail merchants that have non-swiped transactions can also pay an additional customer-not-present FANF fee.

Most aggregators – i.e., merchant account providers that group multiple merchants into a single merchant account, such as Square, PayPal – integrate the FANF cost into their rates and fees versus itemizing them out separately. Most traditional providers properly pass through the actual Visa FANF fee to their merchants. However, there are a few that treat this fee as another hidden revenue stream. I’ve seen providers charge a flat monthly fee for customer-present merchants and I’ve seen the FANF fee inflated by as much as 50 percent for ecommerce merchants. Keep in mind when reviewing that the fee is generally based on the volume of the prior month. In order words, the fee you see on your statement for April activity is likely based on the March volume, as providers need to know the monthly Visa volume before they can assess the fee.

Unusual Discover Card Fees

For Discover transactions, some providers charge a higher percentage, or higher per-item fee, or monthly access fee.

 

Posted in Best Practices for Merchants, Credit card Processing Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , , ,

May 6th, 2014 by Elma Jane

Mobile commerce platform provider ROAM, an Ingenico company has expanded its mPOS solutions to include chip-and-PIN acceptance with the RP750x mobile card reader. The reader allows mPOS players to get to market quickly with their own custom-branded solution, providing merchants with a powerful set of features that include device and fraud management, remote application configuration, and an mPOS application that can be localized for any language and currency in any country. Features include: Backlit display, EMV PIN pad, magnetic stripe reader, NFC reader and smart card reader. Configurable through the cloud, enabling direct shipment from factory to any country. Connects with smartphones, tablets and feature phones via Bluetooth or audio jack. Customizable for branding and form factor. Just Slightly larger than a credit card, a compact form factor. PCI PTS 3.1 with SRED, EMV Level 1 and 2, Visa-ready (Compliant with the latest industry standards).

Posted in Best Practices for Merchants, Credit Card Reader Terminal, e-commerce & m-commerce, EMV EuroPay MasterCard Visa, Financial Services, Mobile Payments, Mobile Point of Sale, Near Field Communication, Payment Card Industry PCI Security, Point of Sale, Smartphone, smartSD Cards, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , ,

May 5th, 2014 by Elma Jane

The Payment Card Industry (PCI) Data Security Standard (DSS) has come under criticism as high profile data breaches continue to expose flaws in retailers’ data security systems. But telecommunications firm Verizon Wireless concluded that the PCI DSS is working.

Some Responses to Criticisms  

Nilson Report research from August 2013 that said card fraud cost the global payments market over $11 billion in 2012. Verizon added that the frequency of fraud schemes that the PCI DSS was designed to avoid is in fact growing. And yet most businesses are not fully compliant at the time of assessment. Only 51.1 percent of the companies it had audited had passed seven of the 12 requirements of the PCI DSS and only 11.1 percent of said companies had passed all 12.

Verizon addressed some of the criticisms leveled at the PCI DSS. One concern is that the standard promotes compliance as a test to be passed and forgotten, which distracts companies from focusing on improving security. Verizon responded by stating that breached businesses were less likely to be PCI DSS compliant than unaffected companies. It also said businesses improve their chances of not being breached by having the standard in place, and of minimizing the damage of a breach should one occur.

Another common complaint leveled at the standard is that it is too cumbersome and slow moving in relation to the quickly evolving threat landscape and nimble fraudsters ready to try new tactics. Verizon countered that the PCI DSS is meant to be a set of baseline security protocols. Achieving compliance with any standard is simply not enough, organizations must take responsibility for protecting both their reputation and their customers. Most attacks on networks are of the simple variety, with 78 percent of hacking techniques considered low or very low in sophistication. Data Breach Investigations Report (DBIR)  research shows that while perpetrators are upping the ante, trying new techniques and leveraging far greater resources, less than 1 percent of the breaches use tactics rated as high on the VERIS (Verizon’s Data breach Analysis Database) difficulty scale for initial compromise.

Recommendations

There’s an initial dip in compliance whenever a major update to the standard is released, so organizations will have to put in additional effort to prepare for achieving compliance with DSS 3.0.

The newest version of the standard, PCI DSS 3.0, went into effect Jan. 1, 2014. Businesses have until Jan. 1, 2015, to implement it. The updated standard has new requirements and clarifications to version 2.0 that will take time for businesses to understand and implement, and this will result in more organizations being out of compliance.

To help businesses deal with their PCI DSS compliance obligations the firm offered five approaches:

Don’t leave compliance to information technology security teams, but enlist application developers, system administrators, executives and other staff in helping further along the process.

Embed compliance in everyday business practices so that it is sustainable.

Integrate compliance programs into enterprise-wide governance, risk and compliance strategies.

Learn how to reduce the scope of organizations’ compliance responsibilities, chiefly by figuring out how to store less data on fewer systems.

Think of compliance as an opportunity to improve overall business processes, rather than as a burden.

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Security, Electronic Payments, Payment Card Industry PCI Security, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , ,

April 11th, 2014 by Elma Jane

PCI DSS 3.0 standard, which took effect January 1st, introduces changes that extend across all 12 requirements, aimed to improve security of payment card data and reducing fraud. There will be some shakeups for many organizations when it comes to their day-to-day culture and operations. Transitioning to meet the new requirements will help e-business build a stronger, safer, lower-risk environment for their customers.

While the growing number of digital payment avenues offers convenience to customers, it also offers a larger attack surface for criminals.

As cloud technologies and e-commerce environments continue to grow, creating multiple points of access to cardholder data and online retailers will only become more appealing targets for hackers. Cybercriminals are cunning and determined. They understand payment card infrastructures as well as the engineers who designed them.

A scary proposition and it’s exactly why the payment card industry is so determined to help keep e-commerce organizations protected. Meeting the new standard, businesses will be better armed to fight evolving threats. Changes will also drive more consistency among assessors, help business reduce risk of compromise and create more transparent provider-customer relationships.

Transitioning to PCI DSS 3.0 will involve some work, but doing that work on the front end is going to save much work down the line. Adopting the new standard ultimately will drive your e-commerce business into a secure and efficient era.

Cultural Changes – One of the main themes of 3.0 is shifting from an annual compliance approach to embedding security in daily processes. Threats don’t change just once a year. They’re constantly evolving and that means e-commerce organizations must adopt a culture of vigilance. Only through a proactive business-as-usual approach to security can you achieve true DSS compliance. Realistically, this could mean the need to provide more education and build awareness with staff, partners and providers, so that everyone understands why and how new processes are in place.  

Operational Changes – The 3.0 standard addresses common vulnerabilities that probably will ring a bell with many of you. These include weak passwords and authentication procedures, as well as insufficient malware detection systems and vulnerability assessments, just to name a few. Depending on your current security controls program, this could mean you’ll need to step up in these areas by strengthening credential requirements, resolving self-detection challenges, testing and documenting your cardholder data environment and making other corrections.

Overview Changes – How much work lands on your plate will depend on your current security program. Examining your current security strategies and program is a good idea. Below are the areas requiring your attention, which this series will explore in more detail in future installments.

Service Provider Changes –  Some organizations made unsafe assumptions in the past when it comes to third-party providers. Some have paid the price, from failed audits to breaches. One reason that the new standard is designed to eliminate any confusion over compliance responsibilities. Responsibilities, specifically for management, operations, security and reporting all will need to be spelled out in detailed contracts. In addition to improved communication, an intensified focus on transparency means that you should have a clear view of your provider’s infrastructure, data storage and security controls, along with subcontractors that can impact your environment. So if your organization isn’t exactly clear on which PCI DSS requirements you manage and which ones your providers handle, prepare to get all of that hammered out.

The Compliance Rewards – The path to preparing for the 3.0 deadline in January 2015 sounds like it’s a lot of work. So to get started request your QSA’s opinion on how the changes will impact your organization, by doing the gap assessment and you’ll be able to address any shortcomings.    

Meeting the new 3.0 requirements isn’t just about passing audits. In fast paced payment IT landscape, staying smart and protected is part of our commitment to our customers. Beefing up security game not only reduce audit headaches, but also enjoy stronger brand reputation as a safe and reliable e-commerce business.

Posted in Best Practices for Merchants, Credit card Processing, Credit Card Security, e-commerce & m-commerce, Electronic Payments, Financial Services, Payment Card Industry PCI Security, Small Business Improvement, Visa MasterCard American Express Tagged with: , , , , , , , , , , , , , , , , , , , , , , , , , , , ,