When you are first setting up a retail or an eCommerce endeavor, few decisions will be of as much importance as the payment provider that you choose. Your payment provider will handle each and every card transaction your online company makes, and if it doesn’t function properly, or if it has a lot of hidden fees, such as old legacy systems with long term contracts, you can be setting your business up to fail before you ever get started.
So, we are going to explain to you what you should be looking for when you reach this crucial decision in the setup phase of your business, and we will help you find a payment provider that meets your needs perfectly and sets you up to succeed in the business world.
As a general rule of thumb, there are three main factors that you really need to consider when you go to choose who you will be working with: The people involved in the transaction, the fees associated with each transaction, and how the transaction is handled behind the scenes. There are some smaller tidbits that can make a specific provider a better or worse choice, but those three factors will allow you to narrow your search down to a select few of top competitors that will truly help your company succeed.
The Parties Involved
Besides your bank and the customer’s bank, there are three different factors that go into every single one of your transactions, and a payment provider works with all three of them. There’s you, your customer, and the technology acting as a bridge between the two of you. We’ll go into more detail about all that, now.
The Customer
With this part of the transaction, we are really talking about the “issuing bank”. That’s your customer’s bank, and they handle lending the customer the money to make a purchase on your site, and they issue the card that the customer uses to make that purchase. This is your customer’s main form of interaction with the transaction process, and it’s one of the most important factors since it’s what starts the transaction in the first place. However, you have no control over this factor, and you can simply ensure that the technology, which we’ll talk about soon, makes their part of the transaction as smooth as possible.
The Merchant
This is you and your part in the transaction. You function as the merchant that the customer is engaging with, and in order to do that, you need a merchant bank to partner with and work as your company’s bank. A merchant bank functions differently than the bank you use in your day to day life. Instead of issuing you funds in advance for credit purchases and managing your checking and savings accounts, a merchant bank takes in your customers’ payments for you, and then puts those payments into a special merchant account that is a lot like a business’s checking account. Without a merchant bank, you won’t be able to succeed in the long-term with eCommerce.
The Technology Solution
Your technology, and the company handling it, is what makes a transaction possible in the first place, and there are two parts to this imperative factor: The payment processor and the payment gateway.
Processor
The payment processor is what actually handles the transaction. It moves the money between the different parties and delivers it to the banks and accounts involved. If your processor is subpar, your customer’s transaction experience will be, too. You need an up-to-date payment processor that functions smoothly and without any hassle placed on you or your customer to ensure that each customer enjoys a seamless transaction.
Gateway
The payment gateway is essentially what sends the transaction information to the payment processor. It links to your site’s shopping cart feature, and when a customer buys something, it connects to the payment processor and begins the transaction. In order to ensure that your transactions are smooth and effortless, this technological asset needs to be competent and able to easily satisfy your customers without being apparent.
How the Transaction Process Happens
The transaction process is fairly complicated, but it all takes place in a matter of seconds. In fact, it’s usually seemingly instantaneous.
Once a purchase is made, the payment gateway encrypts the transaction data to protect your customer and your business, and then it asks the customer’s bank if it will advance the funds for the customer’s purchase. If yes, the payment will be sent to your merchant account, and if not, the transaction will be denied and ended until a resolution can be found.
Once that step is completed, the funds typically end up being accessible by you the second your merchant bank acquires them and places them in your account, but you may be forced to keep a certain amount in the account to make sure you can cover any returns that pop up.
This part is not instantaneous. It can take a couple days to complete this part of the process.
Transaction Fees
This is easily the factor that you’ll want to pay attention to the most, because a lot of merchant service providers are downright misleading when they quote your rates, and you need to get a firm understanding of how a company sets up its fees to know what to actually expect from your bill.
Most often, companies will quote something like 1.8% rates to interest you and appeal to your more frugal side, but then they’ll apply all sorts of hidden fees that raise that rate as high as 11% without notifying you properly. As you can imagine, that can make your bill a bit more than what you thought it would be.
There are three rate models that are most often used:
Flat-Rate
You’re given a specific amount to pay, and whether that covers your total fees or not, that’s what you pay. You could be overpaying tremendously if you accept a quite a few low cost cards vs. the higher cost cards. The processor is banking on your acceptance of these lower cards to ensure all costs are covered.
Interchange Plus Pricing
This takes the interchange fee you pay and adds a small fixed rate on top of it. It’s not as consistent as a flat-rate fee because of the sheer amount of interchange fees out there and the number of different credit cards with all of the various reward and incentive programs.
Tiered Pricing
This is when the provider creates a few tiers of fees and charges you based on the tier your fees are in rather than each individual fee. The only bad thing about this is that the provider decides which fees go into which tier.
Other Important Things to Consider
Does your processor provide Data Security/PCI protection? What about financial breach protection, in the event you are breached?
Any business or other entity that stores, processes or transmits cardholder data must ensure that their processes meet the Payment Card Industry / Data Security Standard (PCI/DSS). Failure to do so can result in heavy fines being levied.
Understanding PCI/DSS
The PCI/DSS is a global standard defining acceptable practice for any entity involved in the storage, transmission or processing of cardholder data.
In recognition of the sensitive, confidential and valuable nature of this data the standard imposes strict regulations which must be met in full. The full requirements are detailed but are covered by 12 broad requirements. These are grouped into 6 broad control objectives as follows:
1. Build and Maintain a Secure Network and Systems – Install and maintain a firewall configuration to protect data – Do not use vendor-supplied defaults for system passwords and other security parameters
2. Protect Cardholder Data – Protect stored data (use encryption) – Encrypt transmission of cardholder data and sensitive information across public networks
3. Maintain a Vulnerability Management Program – Use and regularly update anti-virus software – Develop and maintain secure systems and applications
4. Implement Strong Access Control Measures -Restrict access to data by business need-to-know -Assign a unique ID to each person with computer access -Restrict physical access to cardholder data
5. Regularly Monitor and Test Networks -Track and monitor all access to network resources and cardholder data -Regularly test security systems and processes
6. Maintain an Information Security Policy -Maintain a policy that addresses Information Security
Any entity handling card transactions must meet the standard and be able to demonstrate (certify) that it does so. The level of certification is flexible and depends on how transactions are processed and in what volume.
A Summary of Benefits
Achieving full compliance with PCI/DSS standards is more than an obligation. It delivers genuine benefits to businesses:
– Lessen the risk of fraudulent transactions
– Prevent security breaches
-Lessen the impact should a breach occur
– Reduce your business’ exposure to risk and liability
– Provide peace of mind for your customers
– Avoid the negative PR associated with data loss
Why are These Requirements in Place?
Card transactions have grown enormously in recent years as cards become the number 1 preferred form of payment. Since no physical money is handled or exchanged as part of these transactions they are dependent on the transfer of data.
That data therefore becomes sensitive and valuable and must be protected. Failure to protect this data can lead to fraud and theft. These crimes often impact both the card holder and the merchant directly. They can also damage or even destroy the reputation of businesses or organizations involved in hacks or data breaches.
More widely card fraud has the long-term detrimental effect of eroding consumer confidence and trust – both in the individual companies affected and in the card payment industry more widely.
Millions of consumers and organizations worldwide are choosing to pay by card. And millions of businesses, professionals, traders and organizations are accepting and handling these payments. Instead of allowing an ad-hoc approach where each business sets its own level of security the PCI / DSS was imposed. This ensures a uniformly high level of data security throughout the worldwide card payment industry.
There are numbers of guidelines issued for accepting card payments, and merchants are expected to understand them all. To avoid issues down the road know a few basic rules in order to keep your business going without being penalized.
There’s a lot of ways to process a credit card: In-store, online, and by phone. There’s also different ways to pay and different brands of cards.
In-store and Card-not-present policies.
In-StorePolicies:
Always verify that the person presenting the card is the cardholder
Ask for a 2nd ID for comparison
Cards are non-transferable, cardholder MUST be present for purchase
Compare the signature on the back of the card with that of the person who presents the card
Inspect the card to confirm that it’s not visibly altered or mutilated
Rules for Visa, MasterCard and Amex that merchants need to know:
Never store cardholder data on any systems to help minimize the risk of fraud and protect your business from potential chargebacks.
Complying with Federal Laws, State Laws and PCI
A merchant should be familiar with and abide by Federal Laws regarding accepting credit cards. The Fair Credit Reporting Act is the federal law that establishes the foundation of consumer credit rights. This law regulates the collection and use of consumer credit information by merchants.
Check state laws on the use of consumer credit information and accepting credit cards. Not all states have additional laws that regulate credit card practices, but some (such as California) prohibit merchants from requesting/requiring a customer to provide any personal information (like their address or telephone number) on any form involved with their credit card transaction. So, it is advised that merchants inquire about further information in their particular state.
The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that all companies processing, storing, or transmitting credit card information uphold a secure environment. These rules essentially apply to any merchant that has a Merchant ID (MID). If you are a merchant that accepts credit card payments, you are required to comply with the PCI Data Security Standard, large or small businesses.
EMV Liability Shift Set By Visa and MasterCard as of October 1st
U.S. banks and credit card companies are now using the EMV (Europay, MasterCard, and Visa) technology. The EMV liability shift for fraud carried out in physical stores with counterfeit cards belongs to the merchant if it has not yet upgraded its POS system to accept EMV-enabled chip cards. While issuers absorb losses under card-network rules, that burden will shift to acquirers in cases where the fraud occurs at merchants unprepared for EMV.
It’s good to know every aspect of your business. The above guidelines are part of a business that every merchants should be familiar with. The main reason for these rules is to protect your business and keep your customer’s payment card data safe and secure.
To start accepting more credit cards give us a call now at 888-996-2273. We have the latest terminals that’s EMV/NFC capable.
When the PCI Security Standards Council (PCI SSC) launched PCI DSS v3.0 in January 2014, businesses were given one year to implement the updated global standard. Now that the deadline is fast approaching, interest is picking up in what v3.0 entails. On Jan. 1, 2015, version 3.0 of the Payment Card Industry (PCI) Data Security Standard (DSS) will reach year one of its three-year lifecycle.
Trustwave, a global data security firm, is on the frontlines of helping secure the networks of merchants and other businesses on the electronic payments value chain against data breaches. As an approved scanning vendor, Trustwave is used by businesses to achieve and validate PCI DSS compliance.
PCI DSS v3.0 is business as usual for the most part, except for a few changes from v2.0 that considers impactful for large swaths of merchants. The top three changes involve e-commerce businesses that redirect consumers to third-party payment providers. The expansion of penetration testing requirements and the data security responsibilities of third-party service providers.
Penetration testing
Penetration testing is the way in which merchants can assess the security of their networks by pretending to be hackers and probing networks for weaknesses. V3.0 of the PCI DSS mandates that merchants follow a formal methodology in conducting penetration tests, and that the methodology goes well beyond what merchants can accomplish using off-the-shelf penetration testing software solutions.
Merchants that are self assessing and using such software are going to be surprised by the rigorous new methodology they are now expected to follow.
Additionally, penetration testing requirements in v3.0 raises the compliance bar for small merchants who self assess. Those merchants could lower the scope of their compliance responsibilities by segmenting their networks, which essentially walls off data-sensitive areas of networks from the larger network. In this way merchants could reduce their compliance burdens and not have to undergo penetration testing.
Not so in v3.0. If you do something to try to reduce the scope of the PCI DSS to your systems, you now need to perform a penetration test to prove that those boundaries are in fact rigid.
Redirecting merchants
The new redirect mandate as affecting some, but not all, e-commerce merchants that redirect customers, typically when they are ready to pay for online purchases to a third party to collect payment details. If you are a customer and you are going to a website and you add something to your shopping cart, when it comes time to enter in your credit card, this redirect says I’m going to send you off to this third party.
The redirect can come in several forms. It can be a direct link from the e-commerce merchant’s website to another website, such as in a PayPal Inc. scenario, or it can be done more silently.
An example of the silent method is the use of an iframe, HTML code used to display one website within another website. Real Estate on the merchant’s website is used by the third-party in such a way that consumers don’t even know that the payment details they input are being collected and processed, not by the e-commerce site, but by the third party.
Another redirect strategy is accomplished via pop-up windows for the collection of payments in such environments as online or mobile games. In-game pop-up windows are typically used to get gamers to pay a little money to purchase an enhancement to their gaming avatars or advance to the next level of game activity.
For merchants that employ these types of redirect strategies, PCI DSS v3.0 makes compliance much more complicated. In v2.0, such merchants that opted to take Self Assessment Questionnaires (SAQs), in lieu of undergoing on-site data security assessments, had to fill out the shortest of the eight SAQs. But in v3.0, such redirect merchants have to take the second longest SAQ, which entails over 100 security controls.
The PCI SSC made this change because of the steady uptick in the number and severity of e-commerce breaches, with hackers zeroing in on exploiting weaknesses in redirect strategies to steal cardholder data. Also, redirecting merchants may be putting themselves into greater data breach jeopardy when they believe that third-party payment providers on the receiving end of redirects are reducing merchants’ compliance responsibilities, when that may not, in fact, be the case.
Service providers
Service provider is any entity that stores, processes or transmits payment card data. Examples include gateways, web hosting companies, back-up facilities and call centers. The update to the standard directs service providers to clearly articulate in writing which PCI requirements they are addressing and what areas of the PCI DSS is the responsibility of merchants.
A web hosting company may tell a merchant that the hosting company is PCI compliant. The merchant thought, they have nothing left to do. The reality is there is still always something a merchant needs to do, they just didn’t always recognize what that was.
In v3.0, service providers, specifically value-added resellers (VARs), also need to assign unique passwords, as well as employ two-factor authentication, to each of their merchants in order to remotely access the networks of those merchants. VARs often employ weak passwords or use one password to access multiple networks, which makes it easier for fraudsters to breach multiple systems.
The PCI SSC is trying to at least make it more difficult for the bad guys to break into one site and then move to the hub, so to speak, and then go to all the other different spokes with the same attack.
Overall, v3.0 is more granular by more accurately matching appropriate security controls to specific types of merchants, even though the approach may add complexity to merchants’ compliance obligations. On the whole a lot of these changes are very positive.
The CVV Number (Card Verification Value) on your credit card or debit card is a 3 digit number on VISA, MasterCard and Discover branded credit and debit cards. On your American Express branded credit or debit card it is a 4 digit numeric code.
The codes have different names:
American Express – CID or unique card code.
Debit Card – CSC or card security code.
Discover – card identification number (CID)
Master Card – card validation code (CVC2)
Visa – card verification value (CVV2)
CVV numbers are NOT your card’s secret PIN (Personal Identification Number).
You should never enter your PIN number when asked to provide your CVV. (PIN numbers allow you to use your credit or debit card at an ATM or when making an in-person purchase with your debit card or a cash advance with any credit card.)
Types of security codes:
CVC1 or CVV1, is encoded on track-2 of the magnetic stripe of the card and used for card present transactions. The purpose of the code is to verify that a payment card is actually in the hand of the merchant. This code is automatically retrieved when the magnetic stripe of a card is swiped on a point-of-sale (card present) device and is verified by the issuer. A limitation is that if the entire card has been duplicated and the magnetic stripe copied, then the code is still valid.
The most cited, is CVV2 or CVC2. This code is often sought by merchants for card not present transactions occurring by mail or fax or over the telephone or Internet. In some countries in Western Europe, card issuers require a merchant to obtain the code when the cardholder is not present in person.
Contactless card and chip cards may supply their own codes generated electronically, such as iCVV or Dynamic CVV.
Code Location:
The card security code is typically the last three or four digits printed, not embossed like the card number, on the signature strip on the back of the card. On American Express cards, the card security code is the four digits printed (not embossed) on the front towards the right. The card security code is not encoded on the magnetic stripe but is printed flat.
American Express cards have a four-digit code printed on the front side of the card above the number.
MasterCard, Visa, Diners Club, Discover, and JCB credit and debit cards have a three-digit card security code. The code is the final group of numbers printed on the back signature panel of the card.
New North American MasterCard and Visa cards feature the code in a separate panel to the right of the signature strip. This has been done to prevent overwriting of the numbers by signing the card.
Benefits when it comes to security:
As a security measure, merchants who require the CVV2 for card not present payment card transactions are required by the card issuer not to store the CVV2 once the individual transaction is authorized and completed. This way, if a database of transactions is compromised, the CVV2 is not included, and the stolen card numbers are less useful. Virtual Terminals and payment gateways do not store the CVV2 code, therefore employees and customer service representatives with access to these web-based payment interfaces who otherwise have access to complete card numbers, expiration dates, and other information still lack the CVV2 code.
The Payment Card Industry Data Security Standard (PCI DSS) also prohibits the storage of CSC (and other sensitive authorization data) post transaction authorization. This applies globally to anyone who stores, processes or transmits card holder data. Since the CSC is not contained on the magnetic stripe of the card, it is not typically included in the transaction when the card is used face to face at a merchant. However, some merchants in North America require the code. For American Express cards, this has been an invariable practice (for card not present transactions) in European Union (EU) states like Ireland and the United Kingdom since the start of 2005. This provides a level of protection to the bank/cardholder, in that a fraudulent merchant or employee cannot simply capture the magnetic stripe details of a card and use them later for card not present purchases over the phone, mail order or Internet. To do this, a merchant or its employee would also have to note the CVV2 visually and record it, which is more likely to arouse the cardholder’s suspicion.
Supplying the CSC code in a transaction is intended to verify that the customer has the card in their possession. Knowledge of the code proves that the customer has seen the card, or has seen a record made by somebody who saw the card.
Any business that acknowledges Credit Card payments should be compliant with the directions and guidelines set out by the Payment Card Industry or be what is called ‘PCI compliant’. This is not commonly understood but any merchant, despite of the number of transactions, which acknowledges or conveys any cardholder information, either by phone or electronically must be PCI compliant. It’s all about holding customer’s facts and figures safe and not leaving your business revealed to hackers. And with an ever expanding use of cards, be they debit or Credit Cards, this is evolving a very important theme. Read more of this article »