Here’s a daily scenario that I come across. A website owner / entrepreneur / service provider / auction site / startup / etc., wants to create their awesome online platform that will allow vendors to sell and customers to buy, and they simply want a small percentage of the transaction. There are about a million different ways to describe this, but in the end the result is the same, the vendor gets payment, the site operator takes a small percentage, and the customer gets their product or service.

Now on the surface this is a completely rational credit card processing setup that many businesses could benefit from. In reality, processing like this is an extremely risky method that can and often does result in substantial losses for the party running the platform and the credit card processor. Let’s run through why these scenarios often don’t work and are prohibited by every normal payment processor out there. The technical term for this is called aggregating, and coincidentally it is exactly what Paypal, Square, and other 3rd party payment processors do.

In these scenarios we have 3 parties, the customer making the final purchase, the vendor who is selling their product or service, and the platform that is providing the mechanism or bridge between the vendor and the customer. This could be a anything from a commission based shopping site, an event coordinator, an action house or website, or any number of business ideas where a middle party provides the connection and mechanism between vendor and customer, but doesn’t actually provide the service themselves. The idea is that the platform seamlessly collects the payment from the customer and then pays the vendor after taking their small percentage fee for the service. Since they have a number of vendors using their service, they typically want to setup one merchant account to accepts payments with and use their own internal accounting to handle the proper payments.

Chargebacks…

What this creates is a major liability vacuum where the party that receives the majority of the payment, is not the party that is contractually responsible to the customer’s bank. When the customer decides they didn’t like the service and they make a chargeback, the platform loses the money and then must go back to the vendor to get reimbursed for their customer’s chargeback.

Just to illustrate how much risk  and exposure the platform takes on this, let’s just say the platform charges the vendor an arbitrary 5% per sale in fees and commission. At 5%, the platform is taking 2,000% exposure on every dollar they earn through their system, without taking processing fees into consideration. To be redundant, for every $1 in revenue the platform keeps, they have $20 in liability for at least 180 days.  Even at 10% in fees, they are exposed 1,000% on the dollar. The vendor ends up with 95% or 90% of the amount payed, while the platform still holds the liability for the entire 100%. This problem is further compounded when you consider that a card holder has 180 days from the date of the transaction to file a chargeback with their issuer. The bigger picture presents potential liability and challenges that far exceed what most businesses could ever accurately plan for. The reason that credit card processors and card associations don’t allow this is that when thing blow up and the vendors aren’t refunding the platform, and the platform implodes and is broke, the processor is left with the bill. And yes, this has happened many times in the past even to the level where processors have gone bankrupt as their exposure is even more lopsided than the platform we’re describing here.

So, how do Paypal and Square and 3rd party processors do this?

These companies are established and registered with the card associations solely for this purpose. These types of accounts typically require huge reserve accounts that exist solely to cover loses due to fraud. They also have extremely vigilant monitoring and restriction policies, which is why you’ll see almost every complaint against them is for holding funds. They also have very strict oversight and reporting requirements to the card associations. Implementing systems like these can cost million in registration and administrative fees, not to mention the millions that would be required to be held in the reserve account.

Here’s an unfortunate data breach that happened at a retail pizza restaurant. The business suffered a computer hack or some sort of data breach that resulted in customer’s credit cards being compromised and used fraudulently all over the world. The real shame is that PCI-DSS has been a Visa/MasterCard requirement for all businesses for nearly 4 years. I can empathize with this business but at this point there really no excuse for not taking PCI seriously. In a recent report from Verizon, they found that Restaurants were the most targeted business for hacking and data theft, with more than 50% of all attempts occurring. Thieves know that restaurants and small businesses are a great and very soft target and this isn’t likely to stop. At this point, there’s no excuse for not getting PCI compliant and not taking control over your data and business security.

MasterCard has alerted that some merchants have recently received fraudulent “MasterCard Security Alert” e-mail messages. These e-mails ask merchants to conduct payment card test transactions followed by a refund to a different payment card. These e-mails also instruct merchants to send the details of the transactions to an e-mail address not affiliated with MasterCard. This scam is being perpetrated by criminals in order to gain merchant transaction information so they can attempt to make fraudulent purchases and refunds using stolen payment card information.

If any business receives an unsolicited phone call, e-mail message, text message, or social media request from an individual claiming to be a MasterCard Security representative, do not to respond. Report the fraudulent inquiry to MasterCard using the following e-mail address: datasecurity@mastercard.com.

The Nurit 8020/8000 wireless terminals have become extremely prone to getting the Tamper Device error since VeriFone started manufacturing them and new security regulations were adopted. Tamper Device is an error caused by an internal security mechanism that wipes the terminal’s memory if someone is trying to physically break into the terminal. This protects the terminal’s PIN encryption and is a security requirement for all PIN entry devices. Unfortunately this error can be triggered on terminals that do not have PIN encryption enabled on the terminal.

When falsely triggered, Tamper Device is an annoying and time consuming error that typically requires reloading the terminal with new software and may even require the terminal to be sent back to VeriFone for repair which can cost upward of $100 each time. If the terminal was used for PIN entry, it would need to be returned to a processor for re-encryption as well.

One way to prevent Tamper Device errors from happening when the device is not being tampered with, is to keep the terminal plugged into an AC outlet when not in use. We’ve seen about a thousand cases of tamper device errors due to the battery running down, which triggers the terminal’s internal security mechanism. Seems ridiculous that this terminal would wipe itself just due to a low battery, but it does. Keep it plugged in when not in use.

Apart from this, the best way to prevent false tamper device errors is to handle the terminal carefully. You’d be surprised how often these terminals go through extreme conditions in hot and cold areas sitting in the back of a truck or van. Don’t drop it, freeze it, overheat it, spill anything on it, and generally treat it more delicately than you would a cell phone or other portable device.

There was a large data breach announced today by Visa and Mastercard. I think more than ever, this breach shows how dangerous the media is at blowing a story our of proportion before anyone actually know what the details are.

What is known…

Most likely a parking garage, or network of parking garages, suffered a data breach, most likely in the state of New York. Global Payments was most likely the processor for this business. That’s about it!

Here’s what the media shows:

Point being, that some publications like to blow the proportions of a story out of the water before there’s any fact to the story. Time will tell what has actually happened and it may be a very bad situation. But, the difference between 50,000 cards as reported in the Wall Street Journal, and 10,000,000 cards as reported in MSN’s red sheet, is incomparable.

And consumers and the government wonder why businesses don’t always come right out and tell everyone.

We recently partnered with a company, ShopKeep, to provide a point of sale (POS) program for iPad and Mac computers. It’s often a tough decision for a merchant to move up from a simple credit card terminal to a POS system as there can be significant costs and time in training and implementing a POS system. POS systems traditionally handle inventory and pricing in addition to acting as a businesses cash register. They are often locked into specific credit card processors that don’t always have good customer service or reasonable rates. The ShopKeep POS system is a great stepping stone for merchants that are looking to move up to an entry level POS system.

ShopKeep Overview:

ShopKeep POS is built to use an Apple iPad as the base computer for the system. It is essentially a web based software service that performs the normal functions of a point of sale system. From there a magnetic credit card reader is added in addition to a stand and a cash register for most merchants. This system tracks inventory and will support bar code readers, printers and a variety of other traditional POS requirements. Currently ShopKeep is only available to merchants located in the US and Canada.

Hardware:

The magnetic card reader is the Magtek idynamo or dynamag which are completely secure card readers that encrypt a transaction as the card is being swiped. Printers, bar code scanners, display stands, cash drawers, and other traditional peripherals can be added to an iPad allowing ShopKeep to replace most traditional POS systems.

Since ShopKeep is built using an iPad, it makes a very sleek, compact, and high tech looking POS system.

Software:

The ShopKeep software is easy to use and can be customized to fit a business’s specific requirements even with multiple locations. ShopKeep processes credit card transactions over the internet by connecting to a payment gateway. This facilitates near-instant processing times as long as an active internet connection is available. It also enables inventory and pricing to be controlled centrally if a merchant has more than 1 location. ShopKeep handles sales tax and tips and other common functions as it should.

Like most Apple software, and unlike many POS systems, the merchant interface is well thought out. Screens are clean, easy to read, and easy to advance or back out of. User priviledges can be controlled for greater security. Sales and inventory reports can be built, and customized down to individual inventory items. ShopKeep can export several file types into quickbooks accounting software. The software should meet the requirements of most small to medium size retail merchants.

If you’re in the market for an entry POS system, or you have an iPad that you would like to use for your processing take a look at the ShopKeep iPad POS System.

The Verifone Omni 3750 and 3740 are on the way out. I’ve received notice from several processors that they will not longer support the 3740 or 3750 after October 31st, 2012. Unlike many phase out’s, most that I have heard from will no longer allow these terminals to process at all. The replacements for the 3740 and 3750 are the Verifone VX510 and the slightly more advanced Verifone VX570. Both of these terminals are available in dial only or dual comm versions which include the ability to process securely over the internet.

If you are using a 3740 or 3750, it would be wise to see if your processor is going to continue support for it. Otherwise, start shopping for a new terminal before they cut yours off completely.

I’ll avoid stating why I think they’re doing this, cough… Durbin… cough, cough…., but starting in April 2012, Visa has added a new charge to all merchant accounts. These additional fees are fixed per month, and are based on a merchant’s business type and the number of location or volume they process.

In the mix, Visa is lowering their network acquirer processor fee from $0.0195 to $0.0155 per authorization. They are also adding a $.10 fee to some debit transactions that don’t meet certain processing criteria.

However, all businesses can expect to see the following changes.

For some businesses this may result in reduced fees but it’s likely that many businesses will see an increase in their monthly bill as a result of the FANF fee. MasterCard will be introducing new and similar fees as well starting in July. Stay tuned to see what those turn out to be.

I hate to say I told you so, but once again the Walmart’s and super retailers got their wish and the rest of the businesses out there end up with a higher cost. It’s unfortunate that organizations like the NRF don’t have the foresight to stop lobbying for super retailers at the expense of the businesses they supposedly represent. Thus far, the Walmart lawsuit a few years ago and the Durbin debit regulation have drastically increased the complexity and the costs to most merchants in the US.

In the thick of the IRS reporting madness, the IRS has formally made a statement with regard to the new IRS reporting rules.

In a letter to the National Federation of Independent Business, the IRS said Wednesday it would not require retailers and others to explain how and why their business income differs from their credit-card receipts, which Congress now is requiring card companies to report separately to the IRS.

“There will be no reconciliation required” for the 2012 tax year, “nor do we intend to require reconciliation in future years,” said a letter to NFIB from IRS Deputy Commissioner Steven Miller.

Processors have spend millions of dollars and hundreds of thousands of hours trying to meticulously match business information with what the IRS has on file. I’ve strongly opposed the bill since it was first written about 5 years ago. This is an example of a bill that should never have been passed in the first place. It wouldn’t have worked except in all but the most egregious cases of tax evasion and caused an inconceivable burden to processors and normal businesses in the US.

The IRS and US government should issue a formal apology for causing countless time and money to be wasted for just about every US business. My only hope is that this is the first step in completely retracting it.

The online retailer Zappos just had a data security breach where they lost 24 Million customer’s personal information records. This loss included names, addresses, email and phone numbers, encrypted passwords, but did not include credit card information.

No doubt that thoughtful security planning prevented the loss of credit card or financially sensitive information. However, it doesn’t really lessen the reality that the repercussions from the Zappos breach could be huge. Does data security go far enough if we accept that personal information is completely acceptable to be lost as long as financial information is not?

With the amount of personal information that was obtained in the Zappos breach, the thieves have a very lucrative marketing or hacking information package.

On the marketing side

Companies pay a lot of money for targeted marketing lists like the one that Zappos inadvertently provided. Let’s see, here’s a list of 24 million people that definitely buy things online, most likely shoes or clothing items, FIRE AWAY…

This information is a telemarketer or direct marketer’s dream, and they can target these known shoppers via phone, mail, and email.

On the hacking side

I can almost guarantee that Zappos customers are going to receive an onslaught of highly engineered spam, viruses, offers, and everything else to their emails. At the same time they are going to start getting physical spam, and scam offers, and probably are going to see telemarketing scams as well. There’s really no limit to how the information can be used for malicious purposes. Scam companies and hacking groups trying to install mallware and spyware are extremely efficient and proficient at developing well planned attacks on unsuspecting users. There are millions of computers called zombie computers because they are being used to send spam and other malicious activities without the knowledge of their owners. Expect some more.

As to the encrypted passwords. Websites typically use 1-way hashing mechanisms for password storage. This means that the password is encrypted, but cannot be decrypted by any reasonable means. The caveat to this is that if the hacker knows how the password was hashed, they can create a huge list of hashes and compare them to find the original. This is a very targeted attack, but with 24 million passwords it’s worth a lot of effort. They will begin finding real password very quickly if they discover the hashing mechanism. Since many users do not use unique passwords between websites, the direct loss from being able to log into user’s bank accounts, or other websites will be significant. I always recommend using a unique password with every site you log into, and use a password manager like roboform.

The reality

The reality of this situation is that Zappos is owned by Amazon.com. I can guarantee that Zappos has some stout security in place, and yet one of the largest, most tech oriented companies on earth, just had a data loss of 24 million records. This tells me that that standards we have in place for protecting data, especially non-sensitive data, are not enough. We should not just be protecting financially sensitive data, but all customer data. Sure there may be no direct cost in replacing bank cards, or obtaining new bank account numbers, stopping checks, or posting chargebacks, but the effect to the customer when you lose their data can be remarkable. We’ve yet to see the actual damages that this breach causes, but with the sheer amount of information out there, there could be substantial damages.