The merchant account industry is in turmoil right now relating to the PCI-DSS fees that just about everyone is currently experiencing. I would like to make an analysis of why we are all seeing these fees and how this whole situation came about.

Just to dispel any hopes that these might be going away soon, they’re not. If anything, PCI is going to get much stricter, as congress has openly stated that PCI-DSS is not nearly enough.

How did we get to this point?

The entire PCI-DSS concept materialized about 5 years ago when Visa created PCI and MasterCard created a program called SDP. By creating a security framework based on history, logic, and anticipated weaknesses, these programs were designed to be a model for safely storing and transmitting credit card data. Eventually the issuers joined together and created the PCI security council, which was supposed to be an envelope organization in charge of PCI standards. The idea was that it would be far easier for merchants to handle a single version of PCI, rather than Visa, MasterCard, Amex and Discover separately having their own standards. Over time, PCI-DSS gained an adoption time-line, and became much more organized. PCI covers general operating principals, but is primarily geared to network and data security, as the internet and broadband access have created unseen opportunity for thieves to remotely steal large amounts of credit card and sensitive data.

Continue Reading »

Many times business and website owners want to store credit card numbers for later. This allows re-billing customers for recurring orders, and allows easier checkout for repeat customers on a website.

If a business decides they want to actually store credit card numbers, they are subjected to stricter PCI-DSS standards, and run a real risk of losing customer data just by the fact that they have it. Apart from PCI, it’s difficult to securely store credit card data as there is a multitude of technical aspects to doing it safely. If you lay it all out on paper, there is a huge amount of work, ongoing management, and liability in storing credit card numbers.

But, sometimes we still need to store credit card numbers, so how do we do it?

We simply let somebody else store it for us. If we outsource our credit card number storage to another party, we are no longer liable for that data. This is still your customer’s data, so your reputation is on the line, but not necessarily your wallet. What’s even better is that with some of today’s available services, outsourcing this can give us an easier method of re-billing our customer than if we could easily store credit cards.

Who can we store these with?

This is the easy part. Your payment gateway may have a customer storage mechanism, or customer vault. If it doesn’t, find one that does.

What this does is store your customer’s information and credit card number in the payment gateway’s secure database. If you need to charge your customer again, you simply reference their customer number and the amount you wish to charge. You can do this manually through the administrative virtual terminal of your payment gateway, or you can often do it directly through your website using an API. You can also setup recurring payments, refund, void, or credit via a customer’s stored card.

With a system like this, a developer can create a custom recurring billing system, or a user friendly “remember card” feature with your ecommerce site’s checkout system.

Which gateways support this?

The Network Merchants Gateway which we developed an integration module a few weeks ago, supports customer storage at a very low cost per month. Network Merchant’s customer storage is called the Customer Vault.

Authorize.net has a similar system called the Customer Information Manager.

There’s definitely a number of other gateways that have custom vault type systems as well. These can be integrated with a website, charged manually, or even integrated with a desktop application. A customer vault is a responsible way to outsource credit card number storage while still being able to use them.

We’ve just finished a PHP Integration class for the Network Merchants Payment Gateway.

This script integrates with the Network Merchants Direct Post API, and the Network Merchant customer vault API.

The Direct Post API allows processing credit cards and electronic checks. The Customer Vault allows merchants to store their customers credit card and check information in Network Merchant’s secure customer vault. The API allows charging customers stored in the vault without a merchant ever storing a credit card number.

View and download the class here »

We just finished creating a new tool. This tool generates a voided check for your business.

When a new business goes out to setup a merchant account, they will be asked for a voided check. Many processors will no longer accept temporary checks, so we developed this too to print a voided check until you get your real ones.

Generally a merchant can ask their bank for a letter of an accounts existence, but many banks are now refusing to do this, in an effort to force customers to process with them. Since it’s perfectly legal to print your own checks, here’s our response to this dilemma.

So, if you need a voided check, take a look at our Voided Check Generator.

Authnet suffered an outage this morning. Current rumors suggest that it was due to a fire at a data-center, which subsequently destroyed the backup generators from the sprinklers.

Authorize.net is currently the largest payment gateway in the world. This is affecting millions of websites right now. To my knowledge this is the first major outage since the DDOS attack they suffered several years ago.

A casualty of this magnitude has the ability to permanently damage / destroy this company’s trust and reputation.

PA-DSS, is a security standard set for payment application developers, outlining security and auditing procedures for electronic payment applications. Software that falls under the PA-DSS envelope could include anything from a POS system to online shopping cart software. PA-DSS requires that a program be audited by a 3rd party and pass a series of security test and adhere to best-practices before it can be distributed. If it is not audited or fails any part of the audit, it cannot be used as a payment application.

Phase V – July 1, 2010
Phase V mandates the use of payment applications that support PCI OSS compliance, requiring acquirers, merchants and agents to use only those payment applications that can be validated as PA-DSS compliant.

Put this into perspective. There are currently millions of websites using paid and open source software for their online stores. Software like Oscommerce, Zen Cart, Magento, and others have millions of users. There are only 2, online store software packages that are PA-DSS compliant. If there is not a mass-movement to get software PA-DSS compliant in the next year, almost every single online store will be out of compliance and subject to fines, or being shut down. This is only a small part of the problem. There’s still thousands of retail businesses using older payment software and the cost of upgrading would be in the millions, assuming it’s even possible.

As written by Evan Schuman
“Essentially, this standard could cause merchants of all sizes in all industries to have to switch payment application vendors.”

Where the real mess begins…

Continue Reading »

The Merchant Account Search Engine has been updated. It’s been a while since I’ve added new sites. I just finished adding about 40 new blogs and informational websites.

As always, please send any recommendations of websites that should be included. Please keep in mind that blogs and websites will only be added if they’re mostly objective. Many of the merchant account blogs out there are only for self-promotional purposes, and these will not be included in the search engine.

Here’s a few of the sites that a currently in the engine…

Much to the surprise of the merchant account industry, the congressional bill proposing to regulate interchange, is being attached to the credit reform act and is potentially being voted on tomorrow. Although the interchange regulation bill is related to credit cards and the credit industry, it has nothing to do with the credit reform act, and is an irresponsible means of passing an already poorly supported bill. The US Government Accountability Office, the US Justice Department, the American Banking Association, and the Federal Trade Commission have all directly warned congress against regulating interchange. To not even have a real vote on the bill is simply irresponsible governing.

Bloggers and advocacy groups like the NRF argue that this bill will level the playing field when it comes to processing costs. This may be true for huge retailers like Walmart, but will almost certainly reduce the quality of processing services to the small business in addition to a much greater overall cost. Just name a situation where government regulation ends in better quality services at a lower cost…

The argument against interchange has been fought by twisting the reality in what interchange is, who it goes to, why it’s charged, all by large corporations and angry merchants. While the US has some of the highest interchange costs in the world, we also have the lowest overall processing costs, the lowest setup cost, and by far the highest quality services in the world. In some countries, you would have to pay over a thousand dollars just to get setup processing credit cards, and your monthly bill could easily be double for the exact same services, all with lower interchange. Creating a non-competitive environment like the one proposed by regulating interchange, will create a situation much like the one described above.

I urge anyone in the processing industry, and anyone that stands against huge corporations like Walmart leveraging the government and small business owners to fight a cause that hurts everyone, to contact their representation.

Visa issued another security alert today specifically for Floral Merchants. Given that Valentines Day is a few days off, this is important for many businesses out there. None of this is ground breaking news, but extra care should be taken by floral merchants when accepting payments over the phone, fax or online. If you aren’t, take some extra steps to prevent fraud, CVV2 may help in this case which cost nothing extra to process with. Also, be very wary of extremely large orders.

Typically fraudsters look for times when business are most vulnerable, and when business picks up a lot, oversight is often the result.

Illegitimate customers are placing orders for flowers using stolen credit card information. The orders are typically placed via fax, e-mail, and/or hearing-impaired relay calls. The perpetrator then requests that the florists wrap the flower arrangements in various amounts of cash and bill the difference to the credit card number(s) provided. These orders have been known to reach $4,000.00. A shipping address for the order is then provided to the merchant.

In some instances, the perpetrators have been known to hire an unsuspecting accomplice to pick up the flowers in person. This accomplice is then instructed to ship the flowers via UPS or the U.S. Postal Service.

When the true cardholder receives the floral charge on their monthly statement, they will initiate a chargeback, as the order was placed without their authorization. As a result, the merchant will become liable for the fraudulent sale.

Card issuers have massive computer systems that handle transaction processing. These companies also have some very advanced and large scale fraud detection systems.

Every time a credit card is reported as stolen, a huge amount of past data about that card is put into a big database. This database of pre-fraud activity is used in a large algorithm to look for similarities, which can signal the origination of stolen or lost credit card numbers. Since Visa and MasterCard have access to billions of transactions worth of information, they can screen for events that may signal that a business is losing card numbers.

If you were to greatly simplify this system and a map from it, it would look something like this:

In this case, the similarity is a single business where all of the stolen credit cards had been used before the cards had been involved in fraudulent activity. This could potentially be the sign of an employee skimming card numbers, or a breach in a database. There are always going to be coincidences involving data on a large scale, but because of the scale, it’s very difficult to end up with false positive fraud once a margin of error is established.

Continue Reading »