I’m a few days behind on this one. I completely forgot to write about it last week, but the PCI and Data Security Compliance Blog reminded me when I saw it in my feed reader.

Last week, Texas legislation passed a bill that makes businesses liable for any monetary expenses resulting from data security breaches of their company. The data that is specifically covered under this is credit card or other magnetic or chip stored information, and personally sensitive information. The bill also states that businesses must safeguard sensitive information and that they must take action if a data security breach is discovered.

Businesses will be responsible for any costs that a financial institution incurs when they have to replace customer’s cards that may have been compromised as well as repay the financial institution’s legal fees. More importantly, the business is completely liable for any refunded transactions that the bank has to make to the customer (This is the first time that I have ever seen a bill, law, or regulation that takes chargeback liability from the business that actually accepted the card.) Also one of the only logical regulations I have seen regarding the payment processing industry.

The bill does not specify how the data must be stored, so any business that keeps copies of sensitive data, either in an electronic database, or on paper, is subject to this bill. Also, businesses that are PCI compliant are protected.

This is an extremely important bill and I imagine that many states are likely to follow suit. In my opinion the most significant part of this bill is placing liability on the business where the breach occurred. Realistically, this could be a very positive change for online businesses and others that are subject to stolen card fraud. I’m not sure if there is a measurable percentage of fraud that occurs from breaches, but if there is it could definitely help take the load off businesses being hit with this type of fraud.

Texas BILL HB03222E (text document)
Actual Texas BILL HB03222E

Other blogs about this law:
Texas first state to make PCI law – pcianswers.com
PCI Codified into Texas law (nearly) – pcidss.wordpress.com
The Law of PCI – blog.ncircle.com
PCI Takes A Twist – blog.loglogic.com

Once a merchant account application is submitted by a business, there are several steps that it must go further through before a business can get setup accepting credit cards.

I very often see merchant account providers making same day setup guarantees to potential customers. While I’m in no way saying that it isn’t possible to set a business up the same day, this is most often nothing more than a marketing scheme. Depending on the back-end processor, some take a minimum of 24 hours for the actual merchant account to go live. In cases like this, there is nothing that any business can do to speed up the process.

The Steps:

1. Application is submitted by the business owner to the sales agent or the ISO’s applications department.
2. The application is reviewed to ensure that no required information is missing.
3. The application is manually entered into the processor’s underwriting system.
4. Depending in several risk factors, an instant approval may be received at this point.
5. If there was not an instant approval, the application is placed into the underwriting department’s quee.
6. The application is reviewed by an underwriter. The underwriter can approve the application, decline it, or request additional information. The ISO’s applications department is notified of the status change of the application.
7. If additional information is required, the ISO will get the required information (could be utility bill, marketing material, etc.) and resubmit it back to the underwriting department.
8. Once the application is approved, the ISO will setup the software, payment gateway, or credit card terminal for the business to process with. (After the application is approved, it normally takes about 24 hours before the merchant account is live. Only a few processors have the technical ability for a business to start processing immediately.)
9. Once the account goes live, and the merchant’s processing system is setup, they can now process credit cards.

In the end, a considerable amount of human work needs to be done for a merchant account to get setup properly. Any problem or error at any step of the process can greatly delay the merchant account getting setup. Unfortunately, there is little ability for automation to occur through the application process. Even though, technically it makes sense to create an automated system, one of the main purposes of this process is to prevent fraud. Computer algorithms score application for fraud, but it must be a human to make the final decision.

I just got my hands on a Verifone Omni 3750 WiFi module. The module replaces the dial, or Ethernet module on an Omni 3750, and it has a small Compact-Flash wireless card in it that allows it to connect to a wireless network. The module is a little hard to get a hold of. We had to check out suppliers and special order one, which took about a week extra to get. The other drawback with the WiFi module is that it is a bit expensive (about $200), and while many businesses could benefit from using one, it may not be worth the extra $200.

So I devised another way to connect an IP capable Omni 3740 or 3750 or other Ethernet compatible terminal to a wireless network.

Here’s what you need:

1. An Ethernet compatible terminal that is currently able to process transactions over an IP connection.
2. An encrypted wireless network. (WPA not WEP!)
3. A wireless (WiFi) gaming adapter or wireless access point. (Must support WPA encryption!)
4. One small length of CAT 5 / 5E / 6 Ethernet cable.
5. A PC or laptop (Used only to configure the wireless adapter)

Introduction:

The idea behind this is that once your terminal has the ability to process over an IP connection, it really doesn’t matter how the terminal is actually connected to the internet. A WiFi connection through an adapter is no different to a credit card terminal than connecting directly to a switch or router.

Who this guide applies to:

This guide will be most useful for businesses that have an existing wireless network, and have an IP capable terminal, and they can benefit in some way from connecting their terminal to the wireless network instead of the wired network.

Typical Network Setup Diagram

It it important to be able to already process over an IP connection before you start setting this up. This will eliminate the terminal setup being the problem if something doesn’t work correctly.

Step 1 – Setup the wireless network:

Here’s a great guide from Microsoft on how to setup a wireless network. Make sure you enable WPA encryption when you setup your connection. The recent TJ Max security breach was thought to originate from an unsecured wireless network. Additionally, WEP encryption is not a sufficient form of protecting a wireless network so WPA or WPA2 encryption should be used instead of WEP. If you are interested, here’s a detailed summary of why WEP encryption is not sufficient.Personally I recommend D-Link brand components for home and small business networking. From my experiences, their reliability, price and ease of use is far better than other manufacturers (Linksys, Netgear, 3com, Cisco, etc.) for non-enterprise level wireless networking.

Step 2 – Setup the wireless adapter:

The D-Link DWL-G820 is the wireless adapter that I recommend for this guide. It’s small, cheap (~$60), and it supports WPA encryption. You will need connect the adapter to a PC or laptop and follow the installation instructions to properly setup the adapter. This should take about five minutes to complete and essentially consists of the following.

Basic steps to setup wireless adapter:

1. Plug Ethernet cable from wireless adapter to computer.
2. Connect AC adapter from electrical outlet to wireless adapter.
3. Point web browser to 192.168.0.35
4. Configure wireless adapter to connect to wireless network.
5. Enable WPA encryption, enter the network pass-phrase, and restart the wireless adapter.
6. Once the adapter restarts, verify the internet connection with the computer that is still attached.
7. Done…

Once you verify that the computer is able to connect to the internet with the wireless adapter, and that the adapter is connecting using WPA encryption, the adapter is configured.

Step 3 – Connect terminal to wireless adapter.

Connect the terminal with CAT 5 / 5E / 6 Ethernet cable from the Ethernet port on the terminal to the Ethernet port on the wireless adapter. Depending on how close the terminal is to the adapter, you may only need a few inches of Ethernet cable to connect the two together.

Step 4 – Run a test transaction.

In theory, everything should work properly now. You should however run a test transaction to verify this. Run a $1 transaction (Don’t use the merchant account owner’s credit card). As long as the transaction processes the way it should have, everything is setup and ready to go. You can now move the terminal and wireless adapter anywhere that is within range of the wireless network.

You now have a secure WiFi processing terminal

Otherwise, If the transaction did not process correctly you need to find where the problem is happening at, and correct it. Re-check the internet connection, and that the adapter is still properly connecting to the wireless network. If necessary, run a test transaction with the terminal plugged into the Ethernet connection to rule out any terminal problems.

Related Posts:

Verifone Omni Ethernet and IP Network Setup
Convert an Omni 3740 or 3750 for Ethernet Processing

There are about thirty credit card terminals that are currently being used for credit card processing in the United States. Of these, about five make up 90% of the terminals currently being distributed in the country.

Business owners are often told that they need some specific terminal, when in reality they are being sold something much more advanced and more expensive than they will ever need.

A few misconceptions

• Terminals must be purchased from the company you are going to process with.
• You should always buy the most recent, advanced terminal you can afford.
• Terminals are expensive.

Terminals must be purchased from the company you are going to process with.

This is only true when you process with a company that has their own proprietary equipment, or one that must make a huge profit from equipment sales. The majority of processors support a wide variety of terminals from different manufacturers. I personally recommend staying away from companies that use only proprietary terminals, or ones that force you to buy excessively marked-up equipment from them. Also, free terminal programs use proprietary equipment, but this is so they can protect their investment in the equipment, and the proprietary equipment rule doesn’t apply the same to this situation.

You should always buy the most recent, advanced terminal you can afford.

This is far from the truth. While some new terminals offer additional features like WiFi, or Internet (IP Based) processing, older terminal models are generally more reliable and much cheaper than the newer terminals. The more features a terminal has, the more complicated it is to use. I can’t count how many businesses I know that still use an old Tranz 330 and P 250 combination and have no intention of switching until the last possible second. Newer is not always better.

Terminals are expensive.

There are a number of terminals that are under $200, and even advanced terminals are normally under $500 if you buy them from the right place. If you were offered some terminal for a thousand dollars, it was most likely from a company that is trying to make a huge profit from their equipment sales. You will usually see this price right before you are offered a lease. There isn’t a single terminal that is available directly to businesses that costs over a thousand dollars. Not even a wireless terminal. Do a search on Google for the terminal you are being offered and you will quickly find what it is actually worth.

So, which terminal?

Since the ability to process over an IP connection became a very desired option, I classify terminals into three categories, Land-line, Ethernet compatible, and Wireless.

Land-line:
For most businesses I recommend a Nurit 2085, or Hypercom T7 Plus, or Omni 3730LE / VX510LE (if your processor supports it, 3730 is better supported and costs ~$250). These terminals are all easy to use, very reliable, and cheap (<$200). The Nurit can handle multiple merchant accounts, and all have thermal printers. You wont have the ability to process over an IP connection with these, but all support additional peripherals like pinpads, smart card readers, or check scanners. Most small retail businesses will be perfectly content using one of these lower cost terminals.

Ethernet:
If you don’t want to use up a phone line, are planning on switching your business services to the internet, or you already have a broadband internet connection and a router / switch, then an Ethernet compatible terminal is probably going to be your best bet. Currently the VX570 Ethernet has by far the best support for IP processing, but the Nurit 8400, and the Hypercom T4220 are also becoming more supported. These terminals will cost from $300 – $500 with Ethernet compatibility (about $100 less for land-line only). You should be absolutely sure that your provider supports the terminal you are interested in for IP processing before you go to purchase one. Many processors do not yet support the Nurit’s or Hypercom’s for IP processing, but almost all support the VX.

These terminals all have a built in pinpad for PIN debit processing. (The entire terminal needs to be encrypted with your processor before you can use PIN debit with it.) All terminals have a thermal printer and the VX570 and Hypercom T4220 come standard with a smart card reader.

These terminals are about as technologically advanced as any retail business will need at the present time.

Wireless:
Wireless terminals have advanced a long way in the past five years, and their price has dropped dramatically. Wireless terminals can be easily found between $500 and $700. My personal favorite is the Nurit 8020 GPRS, but the Way Systems terminals are coming in at a close second. There aren’t many options for wireless terminal. The Nurit 8000 is really the only well supported full-featured terminal, and the rest of the market is between the smaller wireless specific equipment manufacturers (Way Systems, Comstar, eProcessing Network, etc.). A new company called Dejavoo has introduced a very promising terminal, the Dejavoo M8, which looks to be a solid contender in the wireless markets.
Be careful when you do go to purchase a wireless terminal, especially if you decide to buy one from a company that you don’t have history with. Take a look at: How to safely Purchase a Wireless Credit Card Terminal to ensure that you aren’t buying something that you don’t want.

Conclusion:
Other than these, I can’t recommend any other terminal except for some specific business related circumstances. One of these terminals should fit the needs of almost every business that will need a credit card terminal. You should definitely be planning for the future when you purchase a terminal, but just because a salesman said you need some advanced terminal, doesn’t always mean it’s true.

Some related reading:
Verifone Omni Ethernet and IP Network Setup

I’ve done a few posts relating to debit card acceptance in the past. This post is designed to explain a little more about PIN and signature debit, why, and what business should be setup with debit acceptance.

PIN and Signature debit?

PIN Debit (Online debit) is the acceptance of a debit card where the card is swiped and a customer’s PIN number is transmitted to process the transaction. PIN debit can only be done through a credit card terminal or POS software system with an attached pinpad.

Signature debit (Offline Debit) is when a debit card is run as a credit card. This can be done over the internet, through a credit card terminal, or pretty much any way a credit card can be processed. Businesses inherently have the ability to accept debit cards using the signature method as long as they have a Visa or MasterCard logo on them. But, not all businesses are offered the reduced rate that is available for these types of cards.

Both signature and PIN debit are great ways that a business can save money on their credit card processing fees. PIN and Signature debit both have different interchange categories than credit cards and both will normally be cheaper than a credit card transaction if your merchant account provider offers reduced debit rates.

Details:

PIN Debit is normally a flat fee per transaction. No processing percentage no matter ho large the transaction is, just a flat fee for each transaction. Now the actual fee that you pay to process a PIN debit transaction is actually based on two fees. The fee from the processing bank (which includes the interchange fee) and the fee from the debit network provider (PULSE, STAR, etc.). These two fees are bundled into a single flat fee which is normally $.35 – $.50 per debit transaction. Technically there is a percentage and transaction fee for PIN debit, but the cap varies from $.30 – $.50 so for simplicities sake, this is almost always a flat bundled fee.

One of the drawbacks with PIN debit is that the majority of banks place daily debit limits for their customers, so if you have a high average ticket size (>$300), PIN debit may not be a good solution for you. Also, a business must have a pinpad encrypted specifically with the bank they process through for PIN debit to be possible. Pinpads can range from about a hundred dollars to over a thousand depending on the complexity of the pinpad.

PIN debit transactions are almost impossible to dispute because only the card holder knows the PIN for the card that is being processed. Normal chargeback rules do not apply for PIN transactions, and a customer must have an extremely good reason for a dispute to go through.

Signature Debit works on a fee structure similar to credit cards. A percentage of the transaction plus a transaction fee is paid on each signature debit transaction. While the percentage is normally lower than a credit transaction, the transaction fee is normally slightly higher than credit transactions due to a $.05 higher interchange fee. Signature debit offers reduced fees for all interchange and qualification categories so any type of business can benefit from a reduced signature debit rate.

A reduced debit rate is not always offered by default, so you may need to specifically ask to get a reduced rate. Also, advertising a debit rate instead of a credit rate, is one of the most common methods that processors use to lure customers that are shopping only on price. If you are offered some extremely low rate that ends up being a debit rate, make sure that your credit rate is not ridiculously high.

What is best for a business?

Any business will save on every PIN debit transaction where the sale amount is above ≈$20, when compared to a credit card. Businesses with very small ticket sizes (<$15) will probably pay a little more to the same for PIN debit transactions. Every business will save with Signature debit transactions, but a business’s merchant account must be specifically setup with a reduced signature debit rate.

A few things to look out for:

• Check for separate PIN transaction and debit network fees. The total cost for a PIN transaction should be ≈$.50, not $.50 for each.
• Make sure you aren’t being charged a percentage for PIN debit fees. I have seen a few times where a business was being charged the same fee for PIN debit as for credit cards.
• Check to see how much an encrypted pinpad will cost and make sure that the cost is justifiable for your business. You can purchase a pinpad from another company, but it will need to be encrypted with your processor before you can use it. A low-end pinpad will normally cost from $75 – $150 with an additional $20 – $50 encryption fee.
• Check for additional monthly debit access fee. These are normally $5.00 per month, but I have seen them as high as $20.00. In most cases they can be waived or reduced to $5 at the most.

The Green Sheet reported this morning that that Visa may be planning to list the ISO’s that are legally registered with them. They also may be starting to crack down on ISO’s that are not operating strictly according to Visa regulations.

I think that this could be a great step in cleaning out many of the bad areas of the processing industry. There are thousands of website selling merchant account services, and from my experience looking at them, I would venture to say that more than half are not complying to Visa’s ISO regulations.

This could also provide another good tool for businesses looking to accept credit cards, if it is made readily available to the public. A person could make sure the company they are planning on processing with is actually a legally registered with Visa. This wouldn’t provide any background to whether the company was providing a quality service, but it would eliminate any doubt as to their legal affiliation.

However, Visa publishing registered ISO’s could have a negative affect on independent sales agents, as many of these sites are not compliant with current regulations, but are barely non-compliant. One current regulation states that sales agents must use the exact name of the ISO that they provide services through as their own DBA. Most of these non-compliant sites could be easily fixed to properly comply to Visa regulations, but Visa is extremely picky when inspecting websites for compliance. Something that seems so simple is actually a very complicated, bureaucratic mess, when you get down to it.

The other thought that worries me is that the only affect this may bring about, is to tighten the regulations on ISO’s that are compliant while ignoring companies that aren’t registered. (Like an anti-gun control argument, “ban guns, and the criminals are the only ones left with them”.) Currently, if you are a registered ISO you are under the microscope at least once per year, but if you aren’t legally registered, Visa and MasterCard really don’t care. There’s just too many websites operating illegally for anyone in Visa to take interest. In fact, I’ve been told first hand that it’s not policy to police non-registered websites on the internet, but only the ones that are registered. They would have to drastically change this policy before anything productive ever came from listing registered ISOs.

In response to this, I created a website listing registered ISOs that I have been able to identify.

An article on MSN: Democrat proposes lifting federal ban on Net gambling talks about how a Democratic politician has proposed to lift the ban on online gambling.

While I’m not a huge fan of online gambling, I do believe that it should be legal and that the government should never have stepped in, in the first place. It would be far more beneficial to the government to regulate or tax online gambling than to completely ban it. I have read several stories in the past few months of gambling operators being arrested and business being raided because they were still involved in online gambling. I think that there are so many places that tax money would be better spend than this.

Onto the business side of the issue, the government was very effective with banning it because they effectively regulated banks from allowing US consumers to make transfers to or from an online gambling business. I know that a lot of online gambling websites went under, not to mention a huge loss in revenue from businesses that advertised, supported, or provided services online gambling companies. Hundreds if not thousands of people have lost their jobs because of this.

Looking at the issue from every side, I can really find a single group that was involved with the online gambling business (users, websites, or service providers) that at any point actually wanted the government to shut it down. Seems like the only group that possibly benefited from it were the casinos in the US that lost business from the online companies. In addition to this, the government attached the bill that banned it, to a port security bill that had absolutely no chance of being overturned. The fact that there was never a direct vote on actually shutting down this multi-billion dollar industry shows exactly how much trust the group who added it to the bill had in it being passed.

The actual chance of the bill being overturned is fairly low, but it is nice to see that someone higher up actually has taken notice to the absurdity of the situation.

When setting up a merchant account I always recommend to investigate the business that you are considering processing through before you send in any paperwork. You don’t need to do a background check on every employee of a particular company, but looking for obvious signs that a company is doing bad business, is always a good idea.

This morning a news article was released in the Green Sheet (http://www.greensheet.com/forimmediaterelease.html – this link is not permanent), that the company MPI (Merchant Processing Inc.) was halted from doing business on April 12th of this year, due to unethical business practices.

Basically MPI had a number of complaints against them, and it was found that they were not addressing customer service issues, and were not properly disclosing contract terms to their customers. A few years ago a similar situation happened and the company CMS (Certified Merchant Services) was forced to pay $23.5 Million in damages.

What struck me as interesting is that this company had over one hundred complaints with the BBB.

I would say that it is very true that the majority businesses do not do any check into a merchant service provider before they do business with them. It took me only about 30 seconds to pull up the BBB report on this business, and in my opinion 104 complaints is definitely a red flag.

So, to anyone looking at finding a new processor, or to anyone looking to process credit cards for the first time: take a few minutes and check out a business before you sign with them. Even if you only check their BBB profile, it will at least avoid the most obvious of bad situations.

You can do a BBB search here: http://search.bbb.org
(Enter the business name and the state and you can normally find the correct business very quickly)

I was at the ETA conference for a few days this year. Two days seems to be more than enough for any social event in Las Vegas. Red Bull became my best friend after a painful two hours of sleep the first night.

It amazes me how much money goes through Las Vegas, and through the ETA in general. It has to be billions of dollars a day. The Mandalay Bay hotel is amazing, not only in how nice it is, but also by the sheer size of the place. I think that it is about a mile to the conference area, once you are in the hotel.

If you are an ISO or someone looking to see some of the meat of the processing industry, I recommend attending an ETA conference at some point. Even if you get very little out of the seminars, the social aspect of the conference is definitely worth it. Just about every major ISO, equipment manufacturer, and anyone involved in credit card processing will be there. It is a great place to make new relationships, and learn about new products and services.

Anyway, I was able to make it to the EVO dinner at Aureole, the FDR lunch at the Mix lounge (horrible elevator ride to and from the 64th floor), spent some time at the Rumjungle Paybytouch cocktail party, and the rest of the time I was with the whole crew from Way systems. I missed out on Nova’s dinner, but did spend a good hour at the Nova booth catching up on some new information especially related to their Canadian ISO program. I was able to attend a few seminars making a special point to get to the “running a successful free terminal program” seminar with Jared Isaacman (United Bankcard), and Ed Freeman (Total Merchant Services) as the main speakers.

It seems like the FDR acquisition was one of the biggest topics of the event, especially from FDR’s perspective. FDR has some major changes coming up in the near future that will greatly improve the back-end structure for any company that is using FDR platforms. Way systems was also a major topic, as they are showing some amazing growth and potential. So far they have established themselves as the largest wireless terminal provider other than Verifone/Lipman, and the future looks extremely bright for them.

As for the rest of the news, I will be incorporating into the website over the next few months. Thanks for the patience on the lack of posting over the past few weeks.

About three times a week, I come across someone looking to get out of their lease for their credit card terminal. I wish that I could say that there is a simple solution for this situation, but unfortunately there isn’t a quick fix.

First off, I highly recommend not leasing a credit card machine. If you want to see just how much a lease can cost you extra, check out the lease cost calculator, and the: Why would you ever lease processing equipment? Furthermore, if there is any business type that should not lease, it would have to be new businesses. Many new businesses will not be successful, and the last thing that you want is a bill that lasts three years longer than your business. If your business doesn’t make it, then you will still have to pay off the rest of the lease.

Now onto how to get out…

Getting out of your lease is something that is dependant on exactly what you agreed to when you signed the lease. Leases tend to be some of the toughest contracts on earth, and it is nearly impossible to simply walk away. Some leases will even survive your death or bankruptcy, and all will keep going if you go out of business.

With that being said, there are only two effective ways to get out of a lease.

1. Find someone to take over the lease.
2. Pay it off.

Find someone to take over the lease:
Generally you can have another person take over your lease. This can be difficult because that person will go through a credit check, and you may not feel good trapping a friend in something that you don’t want. But, it is probably the least painful way to get out of the lease. This is also dependant on having the option written in your contract, but most lease contracts allow this.

Pay it off:
Paying off the lease is always an option, but really isn’t going to be a good outcome, as you will most definitely pay a lot of money to get it settled, and you are trying to get out of your lease without paying. A few things that you need to look into before you go and pay off your lease. Make sure you are aware of any early closing fees, whether you actually own the equipment, and what the buyout is for the equipment before you pay it off.

Last Resorts:
In the end if you want nothing less than to get out of the lease, but you cannot pay for it, you should consult a lawyer and see if there is any chance to get out of it. Even then, it is unlikely that you can get out without paying off the lease. The only times I have heard of this working, the lease company made some illegal actions to get the lease approved. Now, lease companies are required to call you and get a second confirmation over the phone before the lease is effective. Some very bad sales agents will sometimes give a lease company their own phone number, and confirm the lease in your name. This is very illegal, but it is hard to prove unless the agent’s personal phone number was listed on the lease application instead of the business’s number.

Defaulting: If you decide to default on the lease, you can be assured that the lease company will quickly attempt to reclaim the payoff amount. They will immediately send the account to a collection agency if they don’t have one in-house, and eventually they will probably try to garnish wages, repossess assets, or take out a lawsuit against you. There is probably a clause in the contract that allows them to automatically debit your bank account, as well.

Conclusion:
In the end, the best option is to not lease unless it is absolutely necessary, and the only time that I see it even remotely justifiable is when purchasing very expensive equipment is necessary. This really only applies to POS systems and some wireless terminals, and even in these situations, it is a good idea to look at alternative funding sources as well.